BASELINE: Update Chromium to 80.0.3987.136

Change-Id: I98e1649aafae85ba3a83e67af00bb27ef301db7b Reviewed-by: Jüri Valdmann <juri.valdmann@qt.io>
author: Allan Sandfeld Jensen <allan.jensen@qt.io> 2020-03-11 11:32:04 +0100
committer: Allan Sandfeld Jensen <allan.jensen@qt.io> 2020-03-18 13:40:17 +0000
commit: 31ccca0778db85c159634478b4ec7997f6704860 (patch)
tree: 3d33fc3afd9d5ec95541e1bbe074a9cf8da12a0e /chromium/net
parent: 248b70b82a40964d5594eb04feca0fa36716185d (diff)
download: qtwebengine-chromium-31ccca0778db85c159634478b4ec7997f6704860.tar.gz
989 files changed, 42778 insertions, 28971 deletions
diff --git a/chromium/net/BUILD.gn b/chromium/net/BUILD.gn
index 5a1c6241b98..34a223c59e7 100644
--- a/chromium/net/BUILD.gn
+++ b/chromium/net/BUILD.gn
@@ -14,7 +14,6 @@ import("//third_party/icu/config.gni")
 import("//third_party/protobuf/proto_library.gni")
 import("//tools/grit/grit_rule.gni")
 import("//url/features.gni")
-import("//v8/gni/v8.gni")
 
 if (is_android) {
   import("//build/config/android/config.gni")
@@ -30,7 +29,6 @@ if (is_android) {
 # So enable it for x86 only for now.
 posix_avoid_mmap = is_android && current_cpu != "x86"
 
-use_v8_in_net = !is_ios
 enable_built_in_dns = !is_ios
 
 # Unix sockets are not supported on iOS or NaCl.
@@ -109,6 +107,12 @@ if (is_linux) {
   net_configs += [ "//build/config/linux:libresolv" ]
 }
 
+# Reset sources_assignment_filter for the BUILD.gn file to prevent
+# regression during the migration of Chromium away from the feature.
+# See build/no_sources_assignment_filter.md for more information.
+# TODO(crbug.com/1018739): Remove this when migration is done.
+set_sources_assignment_filter([])
+
 source_set("constants") {
   sources = [
     "base/trace_constants.h",
@@ -250,8 +254,8 @@ component("net") {
     "cert/ocsp_revocation_status.h",
     "cert/ocsp_verify_result.cc",
     "cert/ocsp_verify_result.h",
-    "cert/pem_tokenizer.cc",
-    "cert/pem_tokenizer.h",
+    "cert/pem.cc",
+    "cert/pem.h",
     "cert/sct_status_flags.cc",
     "cert/sct_status_flags.h",
     "cert/signed_certificate_timestamp.cc",
@@ -344,8 +348,6 @@ component("net") {
     "socket/stream_socket.h",
     "ssl/client_cert_identity.cc",
     "ssl/client_cert_identity.h",
-    "ssl/client_cert_identity_mac.cc",
-    "ssl/client_cert_identity_mac.h",
     "ssl/openssl_ssl_util.cc",
     "ssl/openssl_ssl_util.h",
     "ssl/ssl_cert_request_info.cc",
@@ -375,7 +377,6 @@ component("net") {
     "third_party/uri_template/uri_template.cc",
     "third_party/uri_template/uri_template.h",
   ]
-  net_unfiltered_sources = []
 
   if (is_posix || is_fuchsia) {
     sources += [ "base/net_errors_posix.cc" ]
@@ -412,30 +413,12 @@ component("net") {
     "//net/http:transport_security_state_generated_files",
   ]
 
+  if (is_nacl) {
+    sources += [ "base/network_interfaces_nacl.cc" ]
+  }
+
   if (!is_nacl) {
     sources += [
-      "android/android_http_util.cc",
-      "android/cellular_signal_strength.cc",
-      "android/cellular_signal_strength.h",
-      "android/cert_verify_result_android.cc",
-      "android/cert_verify_result_android.h",
-      "android/gurl_utils.cc",
-      "android/http_auth_negotiate_android.cc",
-      "android/http_auth_negotiate_android.h",
-      "android/keystore.cc",
-      "android/keystore.h",
-      "android/network_change_notifier_android.cc",
-      "android/network_change_notifier_android.h",
-      "android/network_change_notifier_delegate_android.cc",
-      "android/network_change_notifier_delegate_android.h",
-      "android/network_change_notifier_factory_android.cc",
-      "android/network_change_notifier_factory_android.h",
-      "android/network_library.cc",
-      "android/network_library.h",
-      "android/traffic_stats.cc",
-      "android/traffic_stats.h",
-      "base/address_tracker_linux.cc",
-      "base/address_tracker_linux.h",
       "base/backoff_entry.cc",
       "base/backoff_entry.h",
       "base/backoff_entry_serializer.cc",
@@ -454,7 +437,6 @@ component("net") {
       "base/file_stream.h",
       "base/file_stream_context.cc",
       "base/file_stream_context.h",
-      "base/file_stream_context_win.cc",
       "base/filename_util.cc",
       "base/filename_util.h",
       "base/filename_util_internal.cc",
@@ -476,38 +458,19 @@ component("net") {
       "base/mime_sniffer.h",
       "base/mime_util.cc",
       "base/mime_util.h",
-      "base/net_errors_win.cc",
       "base/net_info_source_list.h",
       "base/network_activity_monitor.cc",
       "base/network_activity_monitor.h",
       "base/network_change_notifier.cc",
       "base/network_change_notifier.h",
       "base/network_change_notifier_factory.h",
-      "base/network_change_notifier_linux.cc",
-      "base/network_change_notifier_linux.h",
-      "base/network_change_notifier_mac.cc",
-      "base/network_change_notifier_mac.h",
-      "base/network_change_notifier_win.cc",
-      "base/network_change_notifier_win.h",
-      "base/network_config_watcher_mac.cc",
-      "base/network_config_watcher_mac.h",
       "base/network_delegate.cc",
       "base/network_delegate.h",
       "base/network_delegate_impl.cc",
       "base/network_delegate_impl.h",
-      "base/network_interfaces_linux.cc",
-      "base/network_interfaces_linux.h",
-      "base/network_interfaces_nacl.cc",
-      "base/network_interfaces_win.cc",
-      "base/network_interfaces_win.h",
       "base/network_isolation_key.cc",
       "base/network_isolation_key.h",
-      "base/network_notification_thread_mac.cc",
-      "base/network_notification_thread_mac.h",
       "base/platform_mime_util.h",
-      "base/platform_mime_util_linux.cc",
-      "base/platform_mime_util_mac.mm",
-      "base/platform_mime_util_win.cc",
       "base/prioritized_dispatcher.cc",
       "base/prioritized_dispatcher.h",
       "base/prioritized_task_runner.cc",
@@ -516,7 +479,6 @@ component("net") {
       "base/proxy_delegate.h",
       "base/proxy_server.cc",
       "base/proxy_server.h",
-      "base/proxy_server_mac.cc",
       "base/request_priority.cc",
       "base/request_priority.h",
       "base/static_cookie_policy.cc",
@@ -532,28 +494,13 @@ component("net") {
       "base/upload_file_element_reader.cc",
       "base/upload_file_element_reader.h",
       "base/upload_progress.h",
-      "base/winsock_init.cc",
-      "base/winsock_init.h",
-      "base/winsock_util.cc",
-      "base/winsock_util.h",
       "cert/caching_cert_verifier.cc",
       "cert/caching_cert_verifier.h",
-      "cert/cert_database_mac.cc",
       "cert/cert_net_fetcher.h",
       "cert/cert_verify_proc.cc",
       "cert/cert_verify_proc.h",
-      "cert/cert_verify_proc_android.cc",
-      "cert/cert_verify_proc_android.h",
       "cert/cert_verify_proc_builtin.cc",
       "cert/cert_verify_proc_builtin.h",
-      "cert/cert_verify_proc_ios.cc",
-      "cert/cert_verify_proc_ios.h",
-      "cert/cert_verify_proc_mac.cc",
-      "cert/cert_verify_proc_mac.h",
-      "cert/cert_verify_proc_nss.cc",
-      "cert/cert_verify_proc_nss.h",
-      "cert/cert_verify_proc_win.cc",
-      "cert/cert_verify_proc_win.h",
       "cert/coalescing_cert_verifier.cc",
       "cert/coalescing_cert_verifier.h",
       "cert/ct_log_response_parser.cc",
@@ -574,21 +521,10 @@ component("net") {
       "cert/ev_root_ca_metadata.h",
       "cert/internal/system_trust_store.cc",
       "cert/internal/system_trust_store.h",
-      "cert/internal/system_trust_store_nss.h",
-      "cert/internal/trust_store_mac.cc",
-      "cert/internal/trust_store_mac.h",
-      "cert/internal/trust_store_nss.cc",
-      "cert/internal/trust_store_nss.h",
       "cert/jwk_serializer.cc",
       "cert/jwk_serializer.h",
       "cert/known_roots.cc",
       "cert/known_roots.h",
-      "cert/known_roots_mac.cc",
-      "cert/known_roots_mac.h",
-      "cert/known_roots_nss.cc",
-      "cert/known_roots_nss.h",
-      "cert/known_roots_win.cc",
-      "cert/known_roots_win.h",
       "cert/merkle_audit_proof.cc",
       "cert/merkle_audit_proof.h",
       "cert/merkle_consistency_proof.cc",
@@ -599,36 +535,11 @@ component("net") {
       "cert/multi_log_ct_verifier.h",
       "cert/multi_threaded_cert_verifier.cc",
       "cert/multi_threaded_cert_verifier.h",
-      "cert/nss_cert_database.cc",
-      "cert/nss_cert_database.h",
-      "cert/nss_cert_database_chromeos.cc",
-      "cert/nss_cert_database_chromeos.h",
-      "cert/nss_profile_filter_chromeos.cc",
-      "cert/nss_profile_filter_chromeos.h",
       "cert/root_cert_list_generated.h",
-      "cert/test_keychain_search_list_mac.cc",
-      "cert/test_keychain_search_list_mac.h",
       "cert/test_root_certs.cc",
       "cert/test_root_certs.h",
-      "cert/test_root_certs_android.cc",
-      "cert/test_root_certs_mac.cc",
-      "cert/test_root_certs_nss.cc",
-      "cert/test_root_certs_win.cc",
-      "cert/x509_util_android.cc",
-      "cert/x509_util_ios.cc",
-      "cert/x509_util_ios.h",
-      "cert/x509_util_ios_and_mac.cc",
-      "cert/x509_util_ios_and_mac.h",
-      "cert/x509_util_mac.cc",
-      "cert/x509_util_mac.h",
-      "cert/x509_util_nss.cc",
-      "cert/x509_util_nss.h",
-      "cert/x509_util_win.cc",
-      "cert/x509_util_win.h",
-      "cert_net/cert_net_fetcher_impl.cc",
-      "cert_net/cert_net_fetcher_impl.h",
-      "cert_net/nss_ocsp.cc",
-      "cert_net/nss_ocsp.h",
+      "cert_net/cert_net_fetcher_url_request.cc",
+      "cert_net/cert_net_fetcher_url_request.h",
       "cookies/canonical_cookie.cc",
       "cookies/canonical_cookie.h",
       "cookies/cookie_access_delegate.cc",
@@ -675,10 +586,8 @@ component("net") {
       "disk_cache/blockfile/file.cc",
       "disk_cache/blockfile/file.h",
       "disk_cache/blockfile/file_block.h",
-      "disk_cache/blockfile/file_ios.cc",
       "disk_cache/blockfile/file_lock.cc",
       "disk_cache/blockfile/file_lock.h",
-      "disk_cache/blockfile/file_win.cc",
       "disk_cache/blockfile/histogram_macros.h",
       "disk_cache/blockfile/in_flight_backend_io.cc",
       "disk_cache/blockfile/in_flight_backend_io.h",
@@ -686,7 +595,6 @@ component("net") {
       "disk_cache/blockfile/in_flight_io.h",
       "disk_cache/blockfile/mapped_file.cc",
       "disk_cache/blockfile/mapped_file.h",
-      "disk_cache/blockfile/mapped_file_win.cc",
       "disk_cache/blockfile/rankings.cc",
       "disk_cache/blockfile/rankings.h",
       "disk_cache/blockfile/sparse_control.cc",
@@ -700,7 +608,6 @@ component("net") {
       "disk_cache/blockfile/trace.h",
       "disk_cache/cache_util.cc",
       "disk_cache/cache_util.h",
-      "disk_cache/cache_util_win.cc",
       "disk_cache/disk_cache.cc",
       "disk_cache/disk_cache.h",
       "disk_cache/memory/mem_backend_impl.cc",
@@ -709,6 +616,8 @@ component("net") {
       "disk_cache/memory/mem_entry_impl.h",
       "disk_cache/net_log_parameters.cc",
       "disk_cache/net_log_parameters.h",
+      "disk_cache/simple/post_doom_waiter.cc",
+      "disk_cache/simple/post_doom_waiter.h",
       "disk_cache/simple/simple_backend_impl.cc",
       "disk_cache/simple/simple_backend_impl.h",
       "disk_cache/simple/simple_backend_version.h",
@@ -727,14 +636,12 @@ component("net") {
       "disk_cache/simple/simple_index_delegate.h",
       "disk_cache/simple/simple_index_file.cc",
       "disk_cache/simple/simple_index_file.h",
-      "disk_cache/simple/simple_index_file_win.cc",
       "disk_cache/simple/simple_net_log_parameters.cc",
       "disk_cache/simple/simple_net_log_parameters.h",
       "disk_cache/simple/simple_synchronous_entry.cc",
       "disk_cache/simple/simple_synchronous_entry.h",
       "disk_cache/simple/simple_util.cc",
       "disk_cache/simple/simple_util.h",
-      "disk_cache/simple/simple_util_win.cc",
       "disk_cache/simple/simple_version_upgrade.cc",
       "disk_cache/simple/simple_version_upgrade.h",
       "filter/filter_source_stream.cc",
@@ -774,18 +681,13 @@ component("net") {
       "http/http_auth_handler_digest.h",
       "http/http_auth_handler_factory.cc",
       "http/http_auth_handler_factory.h",
-      "http/http_auth_handler_negotiate.cc",
-      "http/http_auth_handler_negotiate.h",
       "http/http_auth_handler_ntlm.cc",
       "http/http_auth_handler_ntlm.h",
-      "http/http_auth_handler_ntlm_portable.cc",
-      "http/http_auth_handler_ntlm_win.cc",
+      "http/http_auth_mechanism.h",
       "http/http_auth_multi_round_parse.cc",
       "http/http_auth_multi_round_parse.h",
       "http/http_auth_preferences.cc",
       "http/http_auth_preferences.h",
-      "http/http_auth_sspi_win.cc",
-      "http/http_auth_sspi_win.h",
       "http/http_basic_state.cc",
       "http/http_basic_state.h",
       "http/http_basic_stream.cc",
@@ -802,7 +704,6 @@ component("net") {
       "http/http_chunked_decoder.h",
       "http/http_content_disposition.cc",
       "http/http_content_disposition.h",
-      "http/http_negotiate_auth_system.h",
       "http/http_network_layer.cc",
       "http/http_network_layer.h",
       "http/http_network_session.cc",
@@ -849,7 +750,6 @@ component("net") {
       "http/transport_security_persister.h",
       "http/url_security_manager.cc",
       "http/url_security_manager.h",
-      "http/url_security_manager_win.cc",
       "http/webfonts_histogram.cc",
       "http/webfonts_histogram.h",
       "http2/platform/impl/http2_arraysize_impl.h",
@@ -863,7 +763,6 @@ component("net") {
       "http2/platform/impl/http2_logging_impl.h",
       "http2/platform/impl/http2_macros_impl.h",
       "http2/platform/impl/http2_optional_impl.h",
-      "http2/platform/impl/http2_ptr_util_impl.h",
       "http2/platform/impl/http2_reconstruct_object_impl.h",
       "http2/platform/impl/http2_string_impl.h",
       "http2/platform/impl/http2_string_piece_impl.h",
@@ -912,24 +811,8 @@ component("net") {
       "nqe/throughput_analyzer.cc",
       "nqe/throughput_analyzer.h",
       "nqe/weighted_observation.h",
-      "ntlm/ntlm.cc",
-      "ntlm/ntlm.h",
-      "ntlm/ntlm_buffer_reader.cc",
-      "ntlm/ntlm_buffer_reader.h",
-      "ntlm/ntlm_buffer_writer.cc",
-      "ntlm/ntlm_buffer_writer.h",
-      "ntlm/ntlm_client.cc",
-      "ntlm/ntlm_client.h",
-      "ntlm/ntlm_constants.cc",
-      "ntlm/ntlm_constants.h",
-      "proxy_resolution/dhcp_pac_file_adapter_fetcher_win.cc",
-      "proxy_resolution/dhcp_pac_file_adapter_fetcher_win.h",
       "proxy_resolution/dhcp_pac_file_fetcher.cc",
       "proxy_resolution/dhcp_pac_file_fetcher.h",
-      "proxy_resolution/dhcp_pac_file_fetcher_win.cc",
-      "proxy_resolution/dhcp_pac_file_fetcher_win.h",
-      "proxy_resolution/dhcpcsvc_init_win.cc",
-      "proxy_resolution/dhcpcsvc_init_win.h",
       "proxy_resolution/multi_threaded_proxy_resolver.cc",
       "proxy_resolution/multi_threaded_proxy_resolver.h",
       "proxy_resolution/network_delegate_error_observer.cc",
@@ -941,9 +824,6 @@ component("net") {
       "proxy_resolution/pac_file_fetcher.h",
       "proxy_resolution/pac_file_fetcher_impl.cc",
       "proxy_resolution/pac_file_fetcher_impl.h",
-      "proxy_resolution/pac_js_library.h",
-      "proxy_resolution/pac_library.cc",
-      "proxy_resolution/pac_library.h",
       "proxy_resolution/polling_proxy_config_service.cc",
       "proxy_resolution/polling_proxy_config_service.h",
       "proxy_resolution/proxy_bypass_rules.cc",
@@ -951,18 +831,8 @@ component("net") {
       "proxy_resolution/proxy_config.cc",
       "proxy_resolution/proxy_config.h",
       "proxy_resolution/proxy_config_service.h",
-      "proxy_resolution/proxy_config_service_android.cc",
-      "proxy_resolution/proxy_config_service_android.h",
       "proxy_resolution/proxy_config_service_fixed.cc",
       "proxy_resolution/proxy_config_service_fixed.h",
-      "proxy_resolution/proxy_config_service_ios.cc",
-      "proxy_resolution/proxy_config_service_ios.h",
-      "proxy_resolution/proxy_config_service_linux.cc",
-      "proxy_resolution/proxy_config_service_linux.h",
-      "proxy_resolution/proxy_config_service_mac.cc",
-      "proxy_resolution/proxy_config_service_mac.h",
-      "proxy_resolution/proxy_config_service_win.cc",
-      "proxy_resolution/proxy_config_service_win.h",
       "proxy_resolution/proxy_config_with_annotation.cc",
       "proxy_resolution/proxy_config_with_annotation.h",
       "proxy_resolution/proxy_info.cc",
@@ -976,10 +846,6 @@ component("net") {
       "proxy_resolution/proxy_resolver_error_observer.h",
       "proxy_resolution/proxy_resolver_factory.cc",
       "proxy_resolution/proxy_resolver_factory.h",
-      "proxy_resolution/proxy_resolver_mac.cc",
-      "proxy_resolution/proxy_resolver_mac.h",
-      "proxy_resolution/proxy_resolver_winhttp.cc",
-      "proxy_resolution/proxy_resolver_winhttp.h",
       "proxy_resolution/proxy_retry_info.h",
       "quic/address_utils.h",
       "quic/bidirectional_stream_quic_impl.cc",
@@ -999,7 +865,6 @@ component("net") {
       "quic/platform/impl/quic_chromium_clock.h",
       "quic/platform/impl/quic_client_stats_impl.h",
       "quic/platform/impl/quic_containers_impl.h",
-      "quic/platform/impl/quic_endian_impl.h",
       "quic/platform/impl/quic_error_code_wrappers_impl.h",
       "quic/platform/impl/quic_estimate_memory_usage_impl.h",
       "quic/platform/impl/quic_export_impl.h",
@@ -1057,6 +922,8 @@ component("net") {
       "quic/quic_connection_logger.h",
       "quic/quic_connectivity_probing_manager.cc",
       "quic/quic_connectivity_probing_manager.h",
+      "quic/quic_context.cc",
+      "quic/quic_context.h",
       "quic/quic_crypto_client_config_handle.cc",
       "quic/quic_crypto_client_config_handle.h",
       "quic/quic_crypto_client_stream_factory.cc",
@@ -1078,8 +945,9 @@ component("net") {
       "quic/quic_stream_factory.h",
       "quic/quic_utils_chromium.cc",
       "quic/quic_utils_chromium.h",
+      "quiche/common/platform/impl/quiche_endian_impl.h",
+      "quiche/common/platform/impl/quiche_export_impl.h",
       "quiche/common/platform/impl/quiche_logging_impl.h",
-      "quiche/common/platform/impl/quiche_ptr_util_impl.h",
       "quiche/common/platform/impl/quiche_unordered_containers_impl.h",
       "socket/client_socket_factory.cc",
       "socket/client_socket_factory.h",
@@ -1119,8 +987,6 @@ component("net") {
       "socket/tcp_server_socket.cc",
       "socket/tcp_server_socket.h",
       "socket/tcp_socket.h",
-      "socket/tcp_socket_win.cc",
-      "socket/tcp_socket_win.h",
       "socket/transport_client_socket.cc",
       "socket/transport_client_socket.h",
       "socket/transport_client_socket_pool.cc",
@@ -1134,8 +1000,6 @@ component("net") {
       "socket/udp_server_socket.cc",
       "socket/udp_server_socket.h",
       "socket/udp_socket.h",
-      "socket/udp_socket_win.cc",
-      "socket/udp_socket_win.h",
       "socket/websocket_endpoint_lock_manager.cc",
       "socket/websocket_endpoint_lock_manager.h",
       "socket/websocket_transport_client_socket_pool.cc",
@@ -1203,33 +1067,17 @@ component("net") {
       "spdy/spdy_write_queue.cc",
       "spdy/spdy_write_queue.h",
       "ssl/client_cert_store.h",
-      "ssl/client_cert_store_mac.cc",
-      "ssl/client_cert_store_mac.h",
-      "ssl/client_cert_store_nss.cc",
-      "ssl/client_cert_store_nss.h",
-      "ssl/client_cert_store_win.cc",
-      "ssl/client_cert_store_win.h",
       "ssl/ssl_config_service_defaults.cc",
       "ssl/ssl_config_service_defaults.h",
       "ssl/ssl_key_logger_impl.cc",
       "ssl/ssl_key_logger_impl.h",
-      "ssl/ssl_platform_key_android.cc",
-      "ssl/ssl_platform_key_android.h",
-      "ssl/ssl_platform_key_mac.cc",
-      "ssl/ssl_platform_key_mac.h",
-      "ssl/ssl_platform_key_nss.cc",
-      "ssl/ssl_platform_key_nss.h",
       "ssl/ssl_platform_key_util.cc",
       "ssl/ssl_platform_key_util.h",
-      "ssl/ssl_platform_key_win.cc",
       "ssl/threaded_ssl_private_key.cc",
       "ssl/threaded_ssl_private_key.h",
-      "third_party/mozilla_security_manager/nsNSSCertificateDB.cpp",
-      "third_party/mozilla_security_manager/nsNSSCertificateDB.h",
-      "third_party/mozilla_security_manager/nsPKCS12Blob.cpp",
-      "third_party/mozilla_security_manager/nsPKCS12Blob.h",
+      "third_party/quiche/src/common/platform/api/quiche_endian.h",
+      "third_party/quiche/src/common/platform/api/quiche_export.h",
       "third_party/quiche/src/common/platform/api/quiche_logging.h",
-      "third_party/quiche/src/common/platform/api/quiche_ptr_util.h",
       "third_party/quiche/src/common/platform/api/quiche_unordered_containers.h",
       "third_party/quiche/src/common/simple_linked_hash_map.h",
       "third_party/quiche/src/http2/decoder/decode_buffer.cc",
@@ -1325,12 +1173,23 @@ component("net") {
       "third_party/quiche/src/http2/platform/api/http2_logging.h",
       "third_party/quiche/src/http2/platform/api/http2_macros.h",
       "third_party/quiche/src/http2/platform/api/http2_optional.h",
-      "third_party/quiche/src/http2/platform/api/http2_ptr_util.h",
       "third_party/quiche/src/http2/platform/api/http2_reconstruct_object.h",
       "third_party/quiche/src/http2/platform/api/http2_string_piece.h",
       "third_party/quiche/src/http2/platform/api/http2_string_utils.h",
       "third_party/quiche/src/quic/core/congestion_control/bandwidth_sampler.cc",
       "third_party/quiche/src/quic/core/congestion_control/bandwidth_sampler.h",
+      "third_party/quiche/src/quic/core/congestion_control/bbr2_drain.cc",
+      "third_party/quiche/src/quic/core/congestion_control/bbr2_drain.h",
+      "third_party/quiche/src/quic/core/congestion_control/bbr2_misc.cc",
+      "third_party/quiche/src/quic/core/congestion_control/bbr2_misc.h",
+      "third_party/quiche/src/quic/core/congestion_control/bbr2_probe_bw.cc",
+      "third_party/quiche/src/quic/core/congestion_control/bbr2_probe_bw.h",
+      "third_party/quiche/src/quic/core/congestion_control/bbr2_probe_rtt.cc",
+      "third_party/quiche/src/quic/core/congestion_control/bbr2_probe_rtt.h",
+      "third_party/quiche/src/quic/core/congestion_control/bbr2_sender.cc",
+      "third_party/quiche/src/quic/core/congestion_control/bbr2_sender.h",
+      "third_party/quiche/src/quic/core/congestion_control/bbr2_startup.cc",
+      "third_party/quiche/src/quic/core/congestion_control/bbr2_startup.h",
       "third_party/quiche/src/quic/core/congestion_control/bbr_sender.cc",
       "third_party/quiche/src/quic/core/congestion_control/bbr_sender.h",
       "third_party/quiche/src/quic/core/congestion_control/cubic_bytes.cc",
@@ -1521,10 +1380,11 @@ component("net") {
       "third_party/quiche/src/quic/core/legacy_quic_stream_id_manager.cc",
       "third_party/quiche/src/quic/core/legacy_quic_stream_id_manager.h",
       "third_party/quiche/src/quic/core/packet_number_indexed_queue.h",
+      "third_party/quiche/src/quic/core/proto/cached_network_parameters_proto.h",
+      "third_party/quiche/src/quic/core/proto/crypto_server_config_proto.h",
+      "third_party/quiche/src/quic/core/proto/source_address_token_proto.h",
       "third_party/quiche/src/quic/core/qpack/qpack_blocking_manager.cc",
       "third_party/quiche/src/quic/core/qpack/qpack_blocking_manager.h",
-      "third_party/quiche/src/quic/core/qpack/qpack_constants.cc",
-      "third_party/quiche/src/quic/core/qpack/qpack_constants.h",
       "third_party/quiche/src/quic/core/qpack/qpack_decoded_headers_accumulator.cc",
       "third_party/quiche/src/quic/core/qpack/qpack_decoded_headers_accumulator.h",
       "third_party/quiche/src/quic/core/qpack/qpack_decoder.cc",
@@ -1547,6 +1407,8 @@ component("net") {
       "third_party/quiche/src/quic/core/qpack/qpack_instruction_decoder.h",
       "third_party/quiche/src/quic/core/qpack/qpack_instruction_encoder.cc",
       "third_party/quiche/src/quic/core/qpack/qpack_instruction_encoder.h",
+      "third_party/quiche/src/quic/core/qpack/qpack_instructions.cc",
+      "third_party/quiche/src/quic/core/qpack/qpack_instructions.h",
       "third_party/quiche/src/quic/core/qpack/qpack_progressive_decoder.cc",
       "third_party/quiche/src/quic/core/qpack/qpack_progressive_decoder.h",
       "third_party/quiche/src/quic/core/qpack/qpack_receive_stream.cc",
@@ -1559,7 +1421,6 @@ component("net") {
       "third_party/quiche/src/quic/core/qpack/qpack_static_table.h",
       "third_party/quiche/src/quic/core/qpack/qpack_stream_receiver.h",
       "third_party/quiche/src/quic/core/qpack/qpack_stream_sender_delegate.h",
-      "third_party/quiche/src/quic/core/qpack/qpack_utils.h",
       "third_party/quiche/src/quic/core/qpack/value_splitting_header_list.cc",
       "third_party/quiche/src/quic/core/qpack/value_splitting_header_list.h",
       "third_party/quiche/src/quic/core/quic_ack_listener_interface.cc",
@@ -1575,6 +1436,9 @@ component("net") {
       "third_party/quiche/src/quic/core/quic_buffer_allocator.h",
       "third_party/quiche/src/quic/core/quic_buffered_packet_store.cc",
       "third_party/quiche/src/quic/core/quic_buffered_packet_store.h",
+      "third_party/quiche/src/quic/core/quic_circular_deque.h",
+      "third_party/quiche/src/quic/core/quic_coalesced_packet.cc",
+      "third_party/quiche/src/quic/core/quic_coalesced_packet.h",
       "third_party/quiche/src/quic/core/quic_config.cc",
       "third_party/quiche/src/quic/core/quic_config.h",
       "third_party/quiche/src/quic/core/quic_connection.cc",
@@ -1615,14 +1479,11 @@ component("net") {
       "third_party/quiche/src/quic/core/quic_one_block_arena.h",
       "third_party/quiche/src/quic/core/quic_packet_creator.cc",
       "third_party/quiche/src/quic/core/quic_packet_creator.h",
-      "third_party/quiche/src/quic/core/quic_packet_generator.cc",
-      "third_party/quiche/src/quic/core/quic_packet_generator.h",
       "third_party/quiche/src/quic/core/quic_packet_number.cc",
       "third_party/quiche/src/quic/core/quic_packet_number.h",
       "third_party/quiche/src/quic/core/quic_packet_writer.h",
       "third_party/quiche/src/quic/core/quic_packets.cc",
       "third_party/quiche/src/quic/core/quic_packets.h",
-      "third_party/quiche/src/quic/core/quic_pending_retransmission.h",
       "third_party/quiche/src/quic/core/quic_received_packet_manager.cc",
       "third_party/quiche/src/quic/core/quic_received_packet_manager.h",
       "third_party/quiche/src/quic/core/quic_sent_packet_manager.cc",
@@ -1652,6 +1513,7 @@ component("net") {
       "third_party/quiche/src/quic/core/quic_tag.h",
       "third_party/quiche/src/quic/core/quic_time.cc",
       "third_party/quiche/src/quic/core/quic_time.h",
+      "third_party/quiche/src/quic/core/quic_time_accumulator.h",
       "third_party/quiche/src/quic/core/quic_transmission_info.cc",
       "third_party/quiche/src/quic/core/quic_transmission_info.h",
       "third_party/quiche/src/quic/core/quic_types.cc",
@@ -1686,10 +1548,8 @@ component("net") {
       "third_party/quiche/src/quic/platform/api/quic_clock.cc",
       "third_party/quiche/src/quic/platform/api/quic_clock.h",
       "third_party/quiche/src/quic/platform/api/quic_containers.h",
-      "third_party/quiche/src/quic/platform/api/quic_endian.h",
       "third_party/quiche/src/quic/platform/api/quic_error_code_wrappers.h",
       "third_party/quiche/src/quic/platform/api/quic_estimate_memory_usage.h",
-      "third_party/quiche/src/quic/platform/api/quic_export.h",
       "third_party/quiche/src/quic/platform/api/quic_exported_stats.h",
       "third_party/quiche/src/quic/platform/api/quic_fallthrough.h",
       "third_party/quiche/src/quic/platform/api/quic_file_utils.cc",
@@ -1728,9 +1588,12 @@ component("net") {
       "third_party/quiche/src/quic/platform/api/quic_uint128.h",
       "third_party/quiche/src/quic/quic_transport/quic_transport_client_session.cc",
       "third_party/quiche/src/quic/quic_transport/quic_transport_client_session.h",
+      "third_party/quiche/src/quic/quic_transport/quic_transport_protocol.h",
       "third_party/quiche/src/quic/quic_transport/quic_transport_server_session.cc",
       "third_party/quiche/src/quic/quic_transport/quic_transport_server_session.h",
       "third_party/quiche/src/quic/quic_transport/quic_transport_session_interface.h",
+      "third_party/quiche/src/quic/quic_transport/quic_transport_stream.cc",
+      "third_party/quiche/src/quic/quic_transport/quic_transport_stream.h",
       "third_party/quiche/src/spdy/core/fifo_write_scheduler.h",
       "third_party/quiche/src/spdy/core/hpack/hpack_constants.cc",
       "third_party/quiche/src/spdy/core/hpack/hpack_constants.h",
@@ -1791,8 +1654,6 @@ component("net") {
       "third_party/quiche/src/spdy/platform/api/spdy_string_piece.h",
       "third_party/quiche/src/spdy/platform/api/spdy_string_utils.h",
       "third_party/quiche/src/spdy/platform/api/spdy_unsafe_arena.h",
-      "url_request/data_protocol_handler.cc",
-      "url_request/data_protocol_handler.h",
       "url_request/redirect_info.cc",
       "url_request/redirect_info.h",
       "url_request/redirect_util.cc",
@@ -1812,8 +1673,6 @@ component("net") {
       "url_request/url_fetcher_impl.h",
       "url_request/url_fetcher_response_writer.cc",
       "url_request/url_fetcher_response_writer.h",
-      "url_request/url_range_request_job.cc",
-      "url_request/url_range_request_job.h",
       "url_request/url_request.cc",
       "url_request/url_request.h",
       "url_request/url_request_context.cc",
@@ -1825,15 +1684,12 @@ component("net") {
       "url_request/url_request_context_getter_observer.h",
       "url_request/url_request_context_storage.cc",
       "url_request/url_request_context_storage.h",
-      "url_request/url_request_data_job.cc",
-      "url_request/url_request_data_job.h",
       "url_request/url_request_error_job.cc",
       "url_request/url_request_error_job.h",
       "url_request/url_request_filter.cc",
       "url_request/url_request_filter.h",
       "url_request/url_request_http_job.cc",
       "url_request/url_request_http_job.h",
-      "url_request/url_request_http_job_histogram.h",
       "url_request/url_request_intercepting_job_factory.cc",
       "url_request/url_request_intercepting_job_factory.h",
       "url_request/url_request_interceptor.cc",
@@ -1850,8 +1706,6 @@ component("net") {
       "url_request/url_request_netlog_params.h",
       "url_request/url_request_redirect_job.cc",
       "url_request/url_request_redirect_job.h",
-      "url_request/url_request_simple_job.cc",
-      "url_request/url_request_simple_job.h",
       "url_request/url_request_status.cc",
       "url_request/url_request_status.h",
       "url_request/url_request_test_job.cc",
@@ -1907,8 +1761,174 @@ component("net") {
       ]
     }
 
-    if (!use_kerberos) {
-      sources -= [
+    if (is_android) {
+      sources += [
+        "android/android_http_util.cc",
+        "android/cellular_signal_strength.cc",
+        "android/cellular_signal_strength.h",
+        "android/cert_verify_result_android.cc",
+        "android/cert_verify_result_android.h",
+        "android/gurl_utils.cc",
+        "android/http_auth_negotiate_android.cc",
+        "android/http_auth_negotiate_android.h",
+        "android/keystore.cc",
+        "android/keystore.h",
+        "android/network_change_notifier_android.cc",
+        "android/network_change_notifier_android.h",
+        "android/network_change_notifier_delegate_android.cc",
+        "android/network_change_notifier_delegate_android.h",
+        "android/network_change_notifier_factory_android.cc",
+        "android/network_change_notifier_factory_android.h",
+        "android/network_library.cc",
+        "android/network_library.h",
+        "android/traffic_stats.cc",
+        "android/traffic_stats.h",
+        "cert/cert_verify_proc_android.cc",
+        "cert/cert_verify_proc_android.h",
+        "cert/test_root_certs_android.cc",
+        "cert/x509_util_android.cc",
+        "proxy_resolution/proxy_config_service_android.cc",
+        "proxy_resolution/proxy_config_service_android.h",
+        "ssl/ssl_platform_key_android.cc",
+        "ssl/ssl_platform_key_android.h",
+      ]
+    }
+
+    if (is_chromeos && use_nss_certs) {
+      sources += [
+        "cert/nss_cert_database_chromeos.cc",
+        "cert/nss_cert_database_chromeos.h",
+        "cert/nss_profile_filter_chromeos.cc",
+        "cert/nss_profile_filter_chromeos.h",
+      ]
+    }
+
+    if (is_ios) {
+      sources += [
+        "cert/cert_verify_proc_ios.cc",
+        "cert/cert_verify_proc_ios.h",
+        "cert/x509_util_ios.cc",
+        "cert/x509_util_ios.h",
+        "disk_cache/blockfile/file_ios.cc",
+        "proxy_resolution/proxy_config_service_ios.cc",
+        "proxy_resolution/proxy_config_service_ios.h",
+      ]
+    }
+
+    if (is_linux) {
+      sources += [
+        "base/network_change_notifier_linux.cc",
+        "base/network_change_notifier_linux.h",
+        "proxy_resolution/proxy_config_service_linux.cc",
+        "proxy_resolution/proxy_config_service_linux.h",
+      ]
+    }
+
+    if (is_linux || is_android) {
+      sources += [
+        "base/address_tracker_linux.cc",
+        "base/address_tracker_linux.h",
+        "base/network_interfaces_linux.cc",
+        "base/network_interfaces_linux.h",
+        "base/platform_mime_util_linux.cc",
+      ]
+    }
+
+    if (is_mac) {
+      sources += [
+        "base/network_notification_thread_mac.cc",
+        "base/network_notification_thread_mac.h",
+        "cert/cert_database_mac.cc",
+        "cert/cert_verify_proc_mac.cc",
+        "cert/cert_verify_proc_mac.h",
+        "cert/internal/trust_store_mac.cc",
+        "cert/internal/trust_store_mac.h",
+        "cert/known_roots_mac.cc",
+        "cert/known_roots_mac.h",
+        "cert/test_keychain_search_list_mac.cc",
+        "cert/test_keychain_search_list_mac.h",
+        "cert/x509_util_mac.cc",
+        "cert/x509_util_mac.h",
+        "proxy_resolution/proxy_config_service_mac.cc",
+        "proxy_resolution/proxy_config_service_mac.h",
+        "ssl/client_cert_identity_mac.cc",
+        "ssl/client_cert_identity_mac.h",
+        "ssl/client_cert_store_mac.cc",
+        "ssl/client_cert_store_mac.h",
+        "ssl/ssl_platform_key_mac.cc",
+        "ssl/ssl_platform_key_mac.h",
+      ]
+    }
+
+    if (is_ios || is_mac) {
+      sources += [
+        "base/mac/url_conversions.h",
+        "base/mac/url_conversions.mm",
+        "base/network_change_notifier_mac.cc",
+        "base/network_change_notifier_mac.h",
+        "base/network_config_watcher_mac.cc",
+        "base/network_config_watcher_mac.h",
+        "base/platform_mime_util_mac.mm",
+        "base/proxy_server_mac.cc",
+        "cert/test_root_certs_mac.cc",
+        "cert/x509_util_ios_and_mac.cc",
+        "cert/x509_util_ios_and_mac.h",
+        "proxy_resolution/proxy_resolver_mac.cc",
+        "proxy_resolution/proxy_resolver_mac.h",
+      ]
+    }
+
+    if (is_win) {
+      sources += [
+        "base/file_stream_context_win.cc",
+        "base/net_errors_win.cc",
+        "base/network_change_notifier_win.cc",
+        "base/network_change_notifier_win.h",
+        "base/network_interfaces_win.cc",
+        "base/network_interfaces_win.h",
+        "base/platform_mime_util_win.cc",
+        "base/winsock_init.cc",
+        "base/winsock_init.h",
+        "base/winsock_util.cc",
+        "base/winsock_util.h",
+        "cert/cert_verify_proc_win.cc",
+        "cert/cert_verify_proc_win.h",
+        "cert/known_roots_win.cc",
+        "cert/known_roots_win.h",
+        "cert/test_root_certs_win.cc",
+        "cert/x509_util_win.cc",
+        "cert/x509_util_win.h",
+        "disk_cache/blockfile/file_win.cc",
+        "disk_cache/blockfile/mapped_file_win.cc",
+        "disk_cache/cache_util_win.cc",
+        "disk_cache/simple/simple_index_file_win.cc",
+        "disk_cache/simple/simple_util_win.cc",
+        "http/http_auth_handler_ntlm_win.cc",
+        "http/http_auth_sspi_win.cc",
+        "http/http_auth_sspi_win.h",
+        "http/url_security_manager_win.cc",
+        "proxy_resolution/dhcp_pac_file_adapter_fetcher_win.cc",
+        "proxy_resolution/dhcp_pac_file_adapter_fetcher_win.h",
+        "proxy_resolution/dhcp_pac_file_fetcher_win.cc",
+        "proxy_resolution/dhcp_pac_file_fetcher_win.h",
+        "proxy_resolution/dhcpcsvc_init_win.cc",
+        "proxy_resolution/dhcpcsvc_init_win.h",
+        "proxy_resolution/proxy_config_service_win.cc",
+        "proxy_resolution/proxy_config_service_win.h",
+        "proxy_resolution/proxy_resolver_winhttp.cc",
+        "proxy_resolution/proxy_resolver_winhttp.h",
+        "socket/tcp_socket_win.cc",
+        "socket/tcp_socket_win.h",
+        "socket/udp_socket_win.cc",
+        "socket/udp_socket_win.h",
+        "ssl/client_cert_store_win.cc",
+        "ssl/client_cert_store_win.h",
+        "ssl/ssl_platform_key_win.cc",
+      ]
+    }
+
+    if (use_kerberos) {
+      sources += [
         "http/http_auth_handler_negotiate.cc",
         "http/http_auth_handler_negotiate.h",
       ]
@@ -1919,7 +1939,6 @@ component("net") {
         "base/file_stream_context_posix.cc",
         "base/network_interfaces_posix.cc",
         "base/network_interfaces_posix.h",
-        "disk_cache/blockfile/file_posix.cc",
         "disk_cache/cache_util_posix.cc",
         "disk_cache/simple/simple_index_file_posix.cc",
         "disk_cache/simple/simple_util_posix.cc",
@@ -1931,6 +1950,9 @@ component("net") {
         "socket/udp_socket_posix.cc",
         "socket/udp_socket_posix.h",
       ]
+      if (!is_ios) {
+        sources += [ "disk_cache/blockfile/file_posix.cc" ]
+      }
       if (posix_avoid_mmap) {
         sources += [ "disk_cache/blockfile/mapped_file_avoid_mmap_posix.cc" ]
       } else {
@@ -1945,8 +1967,9 @@ component("net") {
       ]
     }
 
-    if (is_win) {
-      sources -= [
+    if (!is_win) {
+      sources += [
+        "http/http_auth_handler_ntlm_portable.cc",
         "ntlm/ntlm.cc",
         "ntlm/ntlm.h",
         "ntlm/ntlm_buffer_reader.cc",
@@ -1955,6 +1978,7 @@ component("net") {
         "ntlm/ntlm_buffer_writer.h",
         "ntlm/ntlm_client.cc",
         "ntlm/ntlm_client.h",
+        "ntlm/ntlm_constants.cc",
         "ntlm/ntlm_constants.h",
       ]
     }
@@ -1966,10 +1990,6 @@ component("net") {
       ]
     }
 
-    if (!is_nacl) {
-      sources -= [ "base/network_interfaces_nacl.cc" ]
-    }
-
     # Use getifaddrs() on POSIX platforms, except Linux and Android.
     if (is_posix && !is_linux && !is_android) {
       sources += [
@@ -1978,8 +1998,8 @@ component("net") {
       ]
     }
 
-    if (!use_nss_certs) {
-      sources -= [
+    if (use_nss_certs) {
+      sources += [
         "cert/internal/system_trust_store_nss.h",
         "cert/internal/trust_store_nss.cc",
         "cert/internal/trust_store_nss.h",
@@ -1987,103 +2007,31 @@ component("net") {
         "cert/known_roots_nss.h",
         "cert/nss_cert_database.cc",
         "cert/nss_cert_database.h",
-        "ssl/client_cert_store_nss.cc",
-        "ssl/client_cert_store_nss.h",
         "third_party/mozilla_security_manager/nsNSSCertificateDB.cpp",
         "third_party/mozilla_security_manager/nsNSSCertificateDB.h",
         "third_party/mozilla_security_manager/nsPKCS12Blob.cpp",
         "third_party/mozilla_security_manager/nsPKCS12Blob.h",
-      ]
-      if (is_chromeos) {
-        # These were already removed on non-ChromeOS.
-        sources -= [
-          "cert/nss_cert_database_chromeos.cc",
-          "cert/nss_cert_database_chromeos.h",
-          "cert/nss_profile_filter_chromeos.cc",
-          "cert/nss_profile_filter_chromeos.h",
-        ]
-      }
-      sources -= [ "ssl/ssl_platform_key_nss.cc" ]
-    } else {
-      sources += [
         "third_party/nss/ssl/cmpcert.cc",
         "third_party/nss/ssl/cmpcert.h",
-      ]
-    }
 
-    if (!use_nss_certs) {
-      # These files are part of the partial implementation of NSS for
-      # cert verification, so keep them in that case.
-      sources -= [
+        # These files are part of the partial implementation of NSS for
+        # cert verification, so keep them in that case.
         "cert/cert_verify_proc_nss.cc",
         "cert/cert_verify_proc_nss.h",
         "cert/test_root_certs_nss.cc",
         "cert/x509_util_nss.cc",
+        "cert/x509_util_nss.h",
         "cert_net/nss_ocsp.cc",
         "cert_net/nss_ocsp.h",
       ]
-    }
-
-    if (is_chromecast && use_nss_certs) {
-      sources -= [
-        "ssl/client_cert_store_nss.cc",
-        "ssl/client_cert_store_nss.h",
-        "ssl/ssl_platform_key_nss.cc",
-      ]
-    }
-
-    if (is_win) {
-      sources -= [ "http/http_auth_handler_ntlm_portable.cc" ]
-    } else {  # !is_win
-      sources -= [
-        "base/winsock_init.cc",
-        "base/winsock_init.h",
-        "base/winsock_util.cc",
-        "base/winsock_util.h",
-        "proxy_resolution/proxy_resolver_winhttp.cc",
-        "proxy_resolution/proxy_resolver_winhttp.h",
-      ]
-    }
-
-    if (is_ios) {
-      # Add back some sources that were otherwise filtered out.
-      # iOS needs some Mac files.
-      net_unfiltered_sources += [
-        "base/mac/url_conversions.h",
-        "base/mac/url_conversions.mm",
-        "base/network_change_notifier_mac.cc",
-        "base/network_change_notifier_mac.h",
-        "base/network_config_watcher_mac.cc",
-        "base/network_config_watcher_mac.h",
-        "base/platform_mime_util_mac.mm",
-        "base/proxy_server_mac.cc",
-        "cert/test_root_certs_mac.cc",
-        "cert/x509_util_ios_and_mac.cc",
-        "cert/x509_util_ios_and_mac.h",
-        "proxy_resolution/proxy_resolver_mac.cc",
-        "proxy_resolution/proxy_resolver_mac.h",
-      ]
-
-      sources -= [ "disk_cache/blockfile/file_posix.cc" ]
-    }
-
-    if (is_ios || is_mac) {
-      sources += [
-        "base/mac/url_conversions.h",
-        "base/mac/url_conversions.mm",
-      ]
-    }
-
-    if (is_android) {
-      # Add some Linux sources that were excluded by the filter, but which
-      # are needed.
-      net_unfiltered_sources += [
-        "base/address_tracker_linux.cc",
-        "base/address_tracker_linux.h",
-        "base/network_interfaces_linux.cc",
-        "base/network_interfaces_linux.h",
-        "base/platform_mime_util_linux.cc",
-      ]
+      if (!is_chromecast) {
+        sources += [
+          "ssl/client_cert_store_nss.cc",
+          "ssl/client_cert_store_nss.h",
+          "ssl/ssl_platform_key_nss.cc",
+          "ssl/ssl_platform_key_nss.h",
+        ]
+      }
     }
 
     if (is_fuchsia) {
@@ -2114,11 +2062,6 @@ component("net") {
     ]
   }
 
-  # Add back some sources that were otherwise filtered out.
-  set_sources_assignment_filter([])
-  sources += net_unfiltered_sources
-  set_sources_assignment_filter(sources_assignment_filter)
-
   cflags = []
 
   if (is_mac) {
@@ -2314,6 +2257,7 @@ source_set("net_deps") {
     ":net_resources",
     ":preload_decoder",
     "//base",
+    "//base/util/type_safety:type_safety",
     "//net/base/registry_controlled_domains",
     "//third_party/protobuf:protobuf_lite",
     "//url:buildflags",
@@ -2337,8 +2281,8 @@ source_set("net_deps") {
 
     if (is_fuchsia) {
       public_deps += [
-        "//third_party/fuchsia-sdk/sdk:hardware_ethernet",
-        "//third_party/fuchsia-sdk/sdk:netstack",
+        "//third_party/fuchsia-sdk/sdk:fuchsia-hardware-ethernet",
+        "//third_party/fuchsia-sdk/sdk:fuchsia-netstack",
         "//third_party/fuchsia-sdk/sdk:sys_cpp",
       ]
     }
@@ -2578,12 +2522,15 @@ bundle_data("test_support_bundle_data") {
     "data/ssl/certificates/common_name_only.pem",
     "data/ssl/certificates/comodo-chain.pem",
     "data/ssl/certificates/crit-codeSigning-chain.pem",
+    "data/ssl/certificates/crlset_blocked_interception_by_intermediate.raw",
+    "data/ssl/certificates/crlset_blocked_interception_by_root.raw",
     "data/ssl/certificates/crlset_by_intermediate_serial.raw",
     "data/ssl/certificates/crlset_by_leaf_spki.raw",
     "data/ssl/certificates/crlset_by_leaf_subject_no_spki.raw",
     "data/ssl/certificates/crlset_by_root_serial.raw",
     "data/ssl/certificates/crlset_by_root_subject.raw",
     "data/ssl/certificates/crlset_by_root_subject_no_spki.raw",
+    "data/ssl/certificates/crlset_known_interception_by_root.raw",
     "data/ssl/certificates/cross-signed-leaf.pem",
     "data/ssl/certificates/cross-signed-root-md5.pem",
     "data/ssl/certificates/cross-signed-root-sha256.pem",
@@ -2694,6 +2641,7 @@ bundle_data("test_support_bundle_data") {
     "data/ssl/certificates/start_after_expiry.pem",
     "data/ssl/certificates/subjectAltName_sanity_check.pem",
     "data/ssl/certificates/subjectAltName_www_example_com.pem",
+    "data/ssl/certificates/test_names.pem",
     "data/ssl/certificates/thawte.single.pem",
     "data/ssl/certificates/tls_feature_extension.pem",
     "data/ssl/certificates/treadclimber.pem",
@@ -2781,8 +2729,6 @@ static_library("test_support") {
     "nqe/network_quality_estimator_test_util.h",
     "proxy_resolution/mock_pac_file_fetcher.cc",
     "proxy_resolution/mock_pac_file_fetcher.h",
-    "proxy_resolution/mock_proxy_host_resolver.cc",
-    "proxy_resolution/mock_proxy_host_resolver.h",
     "proxy_resolution/mock_proxy_resolver.cc",
     "proxy_resolution/mock_proxy_resolver.h",
     "proxy_resolution/proxy_config_service_common_unittest.cc",
@@ -2805,7 +2751,6 @@ static_library("test_support") {
     "test/cert_builder.h",
     "test/cert_test_util.cc",
     "test/cert_test_util.h",
-    "test/cert_test_util_nss.cc",
     "test/ct_test_util.cc",
     "test/ct_test_util.h",
     "test/embedded_test_server/controllable_http_response.cc",
@@ -2829,8 +2774,6 @@ static_library("test_support") {
     "test/gtest_util.h",
     "test/key_util.cc",
     "test/key_util.h",
-    "test/keychain_test_util_mac.cc",
-    "test/keychain_test_util_mac.h",
     "test/net_test_suite.cc",
     "test/net_test_suite.h",
     "test/quic_simple_test_server.cc",
@@ -2859,6 +2802,13 @@ static_library("test_support") {
     "url_request/url_request_test_util.h",
   ]
 
+  if (is_mac) {
+    sources += [
+      "test/keychain_test_util_mac.cc",
+      "test/keychain_test_util_mac.h",
+    ]
+  }
+
   configs += [ "//build/config:precompiled_headers" ]
 
   public_deps = [
@@ -2938,12 +2888,8 @@ static_library("test_support") {
     ]
   }
 
-  if (use_v8_in_net) {
-    public_deps += [ ":net_with_v8" ]
-  }
-
-  if (!use_nss_certs) {
-    sources -= [ "test/cert_test_util_nss.cc" ]
+  if (use_nss_certs) {
+    sources += [ "test/cert_test_util_nss.cc" ]
   }
 
   if (!disable_file_support) {
@@ -2971,36 +2917,6 @@ static_library("test_support") {
   }
 }
 
-if (use_v8_in_net) {
-  component("net_with_v8") {
-    sources = [
-      "proxy_resolution/proxy_host_resolver.h",
-      "proxy_resolution/proxy_resolver_v8.cc",
-      "proxy_resolution/proxy_resolver_v8.h",
-      "proxy_resolution/proxy_resolver_v8_tracing.cc",
-      "proxy_resolution/proxy_resolver_v8_tracing.h",
-    ]
-
-    defines = [ "NET_IMPLEMENTATION" ]
-
-    configs += [
-      "//build/config/compiler:wexit_time_destructors",
-      "//v8:external_startup_data",
-    ]
-
-    public_deps = [
-      ":constants",
-      ":net",
-    ]
-    deps = [
-      "//base",
-      "//gin",
-      "//url",
-      "//v8",
-    ]
-  }
-}
-
 if (!is_ios && !is_android) {
   executable("cert_verify_tool") {
     testonly = true
@@ -3067,19 +2983,16 @@ if (!is_ios && !is_android) {
     ]
   }
 
-  if (use_v8_in_net) {
-    executable("net_watcher") {
-      testonly = true
-      sources = [
-        "tools/net_watcher/net_watcher.cc",
-      ]
-      deps = [
-        ":net",
-        ":net_with_v8",
-        "//base",
-        "//build/win:default_exe_manifest",
-      ]
-    }
+  executable("net_watcher") {
+    testonly = true
+    sources = [
+      "tools/net_watcher/net_watcher.cc",
+    ]
+    deps = [
+      ":net",
+      "//base",
+      "//build/win:default_exe_manifest",
+    ]
   }
 
   executable("run_testserver") {
@@ -3394,6 +3307,8 @@ source_set("quic_test_tools") {
     "quic/mock_decrypter.h",
     "quic/mock_encrypter.cc",
     "quic/mock_encrypter.h",
+    "quic/mock_quic_context.cc",
+    "quic/mock_quic_context.h",
     "quic/platform/impl/quic_epoll_test_tools_impl.h",
     "quic/platform/impl/quic_expect_bug_impl.h",
     "quic/platform/impl/quic_mock_log_impl.h",
@@ -3409,14 +3324,6 @@ source_set("quic_test_tools") {
     "quic/platform/impl/quic_test_output_impl.h",
     "quic/test_task_runner.cc",
     "quic/test_task_runner.h",
-    "third_party/quiche/src/quic/core/qpack/offline/qpack_offline_decoder.cc",
-    "third_party/quiche/src/quic/core/qpack/offline/qpack_offline_decoder.h",
-    "third_party/quiche/src/quic/core/qpack/qpack_decoder_test_utils.cc",
-    "third_party/quiche/src/quic/core/qpack/qpack_decoder_test_utils.h",
-    "third_party/quiche/src/quic/core/qpack/qpack_encoder_test_utils.cc",
-    "third_party/quiche/src/quic/core/qpack/qpack_encoder_test_utils.h",
-    "third_party/quiche/src/quic/core/qpack/qpack_test_utils.cc",
-    "third_party/quiche/src/quic/core/qpack/qpack_test_utils.h",
     "third_party/quiche/src/quic/core/quic_trace_visitor.cc",
     "third_party/quiche/src/quic/core/quic_trace_visitor.h",
     "third_party/quiche/src/quic/platform/api/quic_epoll_test_tools.h",
@@ -3446,10 +3353,18 @@ source_set("quic_test_tools") {
     "third_party/quiche/src/quic/test_tools/mock_quic_spdy_client_stream.h",
     "third_party/quiche/src/quic/test_tools/mock_random.cc",
     "third_party/quiche/src/quic/test_tools/mock_random.h",
-    "third_party/quiche/src/quic/test_tools/qpack_encoder_peer.cc",
-    "third_party/quiche/src/quic/test_tools/qpack_encoder_peer.h",
-    "third_party/quiche/src/quic/test_tools/qpack_header_table_peer.cc",
-    "third_party/quiche/src/quic/test_tools/qpack_header_table_peer.h",
+    "third_party/quiche/src/quic/test_tools/qpack/qpack_decoder_test_utils.cc",
+    "third_party/quiche/src/quic/test_tools/qpack/qpack_decoder_test_utils.h",
+    "third_party/quiche/src/quic/test_tools/qpack/qpack_encoder_peer.cc",
+    "third_party/quiche/src/quic/test_tools/qpack/qpack_encoder_peer.h",
+    "third_party/quiche/src/quic/test_tools/qpack/qpack_encoder_test_utils.cc",
+    "third_party/quiche/src/quic/test_tools/qpack/qpack_encoder_test_utils.h",
+    "third_party/quiche/src/quic/test_tools/qpack/qpack_header_table_peer.cc",
+    "third_party/quiche/src/quic/test_tools/qpack/qpack_header_table_peer.h",
+    "third_party/quiche/src/quic/test_tools/qpack/qpack_offline_decoder.cc",
+    "third_party/quiche/src/quic/test_tools/qpack/qpack_offline_decoder.h",
+    "third_party/quiche/src/quic/test_tools/qpack/qpack_test_utils.cc",
+    "third_party/quiche/src/quic/test_tools/qpack/qpack_test_utils.h",
     "third_party/quiche/src/quic/test_tools/quic_buffered_packet_store_peer.cc",
     "third_party/quiche/src/quic/test_tools/quic_buffered_packet_store_peer.h",
     "third_party/quiche/src/quic/test_tools/quic_client_promised_info_peer.cc",
@@ -3468,8 +3383,6 @@ source_set("quic_test_tools") {
     "third_party/quiche/src/quic/test_tools/quic_framer_peer.h",
     "third_party/quiche/src/quic/test_tools/quic_packet_creator_peer.cc",
     "third_party/quiche/src/quic/test_tools/quic_packet_creator_peer.h",
-    "third_party/quiche/src/quic/test_tools/quic_packet_generator_peer.cc",
-    "third_party/quiche/src/quic/test_tools/quic_packet_generator_peer.h",
     "third_party/quiche/src/quic/test_tools/quic_sent_packet_manager_peer.cc",
     "third_party/quiche/src/quic/test_tools/quic_sent_packet_manager_peer.h",
     "third_party/quiche/src/quic/test_tools/quic_server_session_base_peer.h",
@@ -3495,6 +3408,7 @@ source_set("quic_test_tools") {
     "third_party/quiche/src/quic/test_tools/quic_test_utils.h",
     "third_party/quiche/src/quic/test_tools/quic_time_wait_list_manager_peer.cc",
     "third_party/quiche/src/quic/test_tools/quic_time_wait_list_manager_peer.h",
+    "third_party/quiche/src/quic/test_tools/quic_transport_test_tools.h",
     "third_party/quiche/src/quic/test_tools/quic_unacked_packet_map_peer.cc",
     "third_party/quiche/src/quic/test_tools/quic_unacked_packet_map_peer.h",
     "third_party/quiche/src/quic/test_tools/rtt_stats_peer.cc",
@@ -3503,6 +3417,8 @@ source_set("quic_test_tools") {
     "third_party/quiche/src/quic/test_tools/simple_data_producer.h",
     "third_party/quiche/src/quic/test_tools/simple_quic_framer.cc",
     "third_party/quiche/src/quic/test_tools/simple_quic_framer.h",
+    "third_party/quiche/src/quic/test_tools/simple_session_cache.cc",
+    "third_party/quiche/src/quic/test_tools/simple_session_cache.h",
     "third_party/quiche/src/quic/test_tools/simple_session_notifier.cc",
     "third_party/quiche/src/quic/test_tools/simple_session_notifier.h",
     "third_party/quiche/src/quic/test_tools/simulator/actor.cc",
@@ -3519,6 +3435,8 @@ source_set("quic_test_tools") {
     "third_party/quiche/src/quic/test_tools/simulator/queue.h",
     "third_party/quiche/src/quic/test_tools/simulator/quic_endpoint.cc",
     "third_party/quiche/src/quic/test_tools/simulator/quic_endpoint.h",
+    "third_party/quiche/src/quic/test_tools/simulator/quic_endpoint_base.cc",
+    "third_party/quiche/src/quic/test_tools/simulator/quic_endpoint_base.h",
     "third_party/quiche/src/quic/test_tools/simulator/simulator.cc",
     "third_party/quiche/src/quic/test_tools/simulator/simulator.h",
     "third_party/quiche/src/quic/test_tools/simulator/switch.cc",
@@ -3616,6 +3534,10 @@ source_set("simple_quic_tools") {
     "third_party/quiche/src/quic/tools/quic_spdy_client_base.cc",
     "third_party/quiche/src/quic/tools/quic_spdy_client_base.h",
     "third_party/quiche/src/quic/tools/quic_spdy_server_base.h",
+    "third_party/quiche/src/quic/tools/quic_transport_simple_server_dispatcher.cc",
+    "third_party/quiche/src/quic/tools/quic_transport_simple_server_dispatcher.h",
+    "third_party/quiche/src/quic/tools/quic_transport_simple_server_session.cc",
+    "third_party/quiche/src/quic/tools/quic_transport_simple_server_session.h",
     "third_party/quiche/src/quic/tools/quic_url.cc",
     "third_party/quiche/src/quic/tools/quic_url.h",
     "tools/quic/quic_client_message_loop_network_helper.cc",
@@ -3632,6 +3554,10 @@ source_set("simple_quic_tools") {
     "tools/quic/quic_simple_server_packet_writer.h",
     "tools/quic/quic_simple_server_session_helper.cc",
     "tools/quic/quic_simple_server_session_helper.h",
+    "tools/quic/quic_simple_server_socket.cc",
+    "tools/quic/quic_simple_server_socket.h",
+    "tools/quic/quic_transport_simple_server.cc",
+    "tools/quic/quic_transport_simple_server.h",
     "tools/quic/synchronous_host_resolver.cc",
     "tools/quic/synchronous_host_resolver.h",
   ]
@@ -3677,6 +3603,19 @@ if (!is_ios) {
       "//third_party/protobuf:protobuf_lite",
     ]
   }
+  executable("quic_transport_simple_server") {
+    sources = [
+      "tools/quic/quic_transport_simple_server_bin.cc",
+    ]
+    deps = [
+      ":net",
+      ":simple_quic_tools",
+      "//base",
+      "//build/win:default_exe_manifest",
+      "//third_party/boringssl",
+      "//third_party/protobuf:protobuf_lite",
+    ]
+  }
   executable("quic_packet_printer") {
     sources = [
       "third_party/quiche/src/quic/tools/quic_packet_printer_bin.cc",
@@ -3720,7 +3659,7 @@ if (!is_ios) {
   executable("qpack_offline_decoder") {
     testonly = true
     sources = [
-      "third_party/quiche/src/quic/core/qpack/offline/qpack_offline_decoder_bin.cc",
+      "third_party/quiche/src/quic/core/qpack/qpack_offline_decoder_bin.cc",
     ]
     deps = [
       ":net",
@@ -3977,6 +3916,20 @@ bundle_data("net_unittests_bundle_data") {
     "data/ov_name_constraints/nc-int-permit-o1.pem",
     "data/ov_name_constraints/nc-int-permit-o2-o1-o3.pem",
     "data/ov_name_constraints/root.pem",
+    "data/parse_certificate_unittest/authority_key_identifier/empty_sequence.pem",
+    "data/parse_certificate_unittest/authority_key_identifier/extra_contents_after_extension_sequence.pem",
+    "data/parse_certificate_unittest/authority_key_identifier/extra_contents_after_issuer_and_serial.pem",
+    "data/parse_certificate_unittest/authority_key_identifier/invalid_contents.pem",
+    "data/parse_certificate_unittest/authority_key_identifier/invalid_issuer.pem",
+    "data/parse_certificate_unittest/authority_key_identifier/invalid_key_identifier.pem",
+    "data/parse_certificate_unittest/authority_key_identifier/invalid_serial.pem",
+    "data/parse_certificate_unittest/authority_key_identifier/issuer_and_serial.pem",
+    "data/parse_certificate_unittest/authority_key_identifier/issuer_only.pem",
+    "data/parse_certificate_unittest/authority_key_identifier/key_identifier.pem",
+    "data/parse_certificate_unittest/authority_key_identifier/key_identifier_and_issuer_and_serial.pem",
+    "data/parse_certificate_unittest/authority_key_identifier/serial_only.pem",
+    "data/parse_certificate_unittest/authority_key_identifier/url_issuer_and_serial.pem",
+    "data/parse_certificate_unittest/authority_key_identifier_not_sequence.pem",
     "data/parse_certificate_unittest/bad_key_usage.pem",
     "data/parse_certificate_unittest/bad_policy_qualifiers.pem",
     "data/parse_certificate_unittest/bad_signature_algorithm_oid.pem",
@@ -4034,6 +3987,7 @@ bundle_data("net_unittests_bundle_data") {
     "data/parse_certificate_unittest/signature_algorithm_null.pem",
     "data/parse_certificate_unittest/subject_alt_name.pem",
     "data/parse_certificate_unittest/subject_blank_subjectaltname_not_critical.pem",
+    "data/parse_certificate_unittest/subject_key_identifier_not_octet_string.pem",
     "data/parse_certificate_unittest/subject_not_ascii.pem",
     "data/parse_certificate_unittest/subject_not_printable_string.pem",
     "data/parse_certificate_unittest/subject_printable_string_containing_utf8_client_cert.pem",
@@ -4066,6 +4020,29 @@ bundle_data("net_unittests_bundle_data") {
     "data/parse_certificate_unittest/tbs_validity_utc_time_and_generalized_time.pem",
     "data/parse_certificate_unittest/v1_explicit_version.pem",
     "data/parse_certificate_unittest/v3_certificate_template.pk8",
+    "data/path_builder_unittest/key_id_name_and_serial_prioritization/int_match_name_only.pem",
+    "data/path_builder_unittest/key_id_name_and_serial_prioritization/int_matching.pem",
+    "data/path_builder_unittest/key_id_name_and_serial_prioritization/int_mismatch.pem",
+    "data/path_builder_unittest/key_id_name_and_serial_prioritization/root.pem",
+    "data/path_builder_unittest/key_id_name_and_serial_prioritization/root2.pem",
+    "data/path_builder_unittest/key_id_name_and_serial_prioritization/target.pem",
+    "data/path_builder_unittest/key_id_prioritization/int_different_ski_a.pem",
+    "data/path_builder_unittest/key_id_prioritization/int_different_ski_b.pem",
+    "data/path_builder_unittest/key_id_prioritization/int_different_ski_c.pem",
+    "data/path_builder_unittest/key_id_prioritization/int_matching_ski_a.pem",
+    "data/path_builder_unittest/key_id_prioritization/int_matching_ski_b.pem",
+    "data/path_builder_unittest/key_id_prioritization/int_matching_ski_c.pem",
+    "data/path_builder_unittest/key_id_prioritization/int_no_ski_a.pem",
+    "data/path_builder_unittest/key_id_prioritization/int_no_ski_b.pem",
+    "data/path_builder_unittest/key_id_prioritization/int_no_ski_c.pem",
+    "data/path_builder_unittest/key_id_prioritization/root.pem",
+    "data/path_builder_unittest/key_id_prioritization/target.pem",
+    "data/path_builder_unittest/validity_date_prioritization/int_ac.pem",
+    "data/path_builder_unittest/validity_date_prioritization/int_ad.pem",
+    "data/path_builder_unittest/validity_date_prioritization/int_bc.pem",
+    "data/path_builder_unittest/validity_date_prioritization/int_bd.pem",
+    "data/path_builder_unittest/validity_date_prioritization/root.pem",
+    "data/path_builder_unittest/validity_date_prioritization/target.pem",
     "data/test.html",
     "data/trial_comparison_cert_verifier_unittest/target-multiple-policies/chain.pem",
     "data/url_request_unittest/308-without-location-header",
@@ -4169,6 +4146,8 @@ bundle_data("net_unittests_bundle_data") {
     "data/verify_certificate_chain_unittest/intermediate-unknown-critical-extension/main.test",
     "data/verify_certificate_chain_unittest/intermediate-unknown-non-critical-extension/chain.pem",
     "data/verify_certificate_chain_unittest/intermediate-unknown-non-critical-extension/main.test",
+    "data/verify_certificate_chain_unittest/intermediate-wrong-signature-no-authority-key-identifier/chain.pem",
+    "data/verify_certificate_chain_unittest/intermediate-wrong-signature-no-authority-key-identifier/main.test",
     "data/verify_certificate_chain_unittest/issuer-and-subject-not-byte-for-byte-equal/anchor.pem",
     "data/verify_certificate_chain_unittest/issuer-and-subject-not-byte-for-byte-equal/anchor.test",
     "data/verify_certificate_chain_unittest/issuer-and-subject-not-byte-for-byte-equal/target.pem",
@@ -4352,6 +4331,8 @@ bundle_data("net_unittests_bundle_data") {
     "data/verify_certificate_chain_unittest/target-signed-with-md5/main.test",
     "data/verify_certificate_chain_unittest/target-unknown-critical-extension/chain.pem",
     "data/verify_certificate_chain_unittest/target-unknown-critical-extension/main.test",
+    "data/verify_certificate_chain_unittest/target-wrong-signature-no-authority-key-identifier/chain.pem",
+    "data/verify_certificate_chain_unittest/target-wrong-signature-no-authority-key-identifier/main.test",
     "data/verify_certificate_chain_unittest/target-wrong-signature/chain.pem",
     "data/verify_certificate_chain_unittest/target-wrong-signature/main.test",
     "data/verify_certificate_chain_unittest/unknown-critical-policy-qualifier/chain.pem",
@@ -5063,16 +5044,8 @@ bundle_data("net_unittests_bundle_data") {
 
 test("net_unittests") {
   sources = [
-    "android/cellular_signal_strength_unittest.cc",
-    "android/dummy_spnego_authenticator.cc",
-    "android/dummy_spnego_authenticator.h",
-    "android/http_auth_negotiate_android_unittest.cc",
-    "android/network_change_notifier_android_unittest.cc",
-    "android/network_library_unittest.cc",
-    "android/traffic_stats_unittest.cc",
     "base/address_family_unittest.cc",
     "base/address_list_unittest.cc",
-    "base/address_tracker_linux_unittest.cc",
     "base/backoff_entry_serializer_unittest.cc",
     "base/backoff_entry_unittest.cc",
     "base/chunked_upload_data_stream_unittest.cc",
@@ -5098,10 +5071,7 @@ test("net_unittests") {
     "base/net_string_util_unittest.cc",
     "base/network_activity_monitor_unittest.cc",
     "base/network_change_notifier_unittest.cc",
-    "base/network_change_notifier_win_unittest.cc",
-    "base/network_interfaces_linux_unittest.cc",
     "base/network_interfaces_unittest.cc",
-    "base/network_interfaces_win_unittest.cc",
     "base/network_isolation_key_unittest.cc",
     "base/parse_number_unittest.cc",
     "base/port_util_unittest.cc",
@@ -5118,10 +5088,7 @@ test("net_unittests") {
     "base/url_util_unittest.cc",
     "cert/caching_cert_verifier_unittest.cc",
     "cert/cert_verifier_unittest.cc",
-    "cert/cert_verify_proc_android_unittest.cc",
     "cert/cert_verify_proc_builtin_unittest.cc",
-    "cert/cert_verify_proc_ios_unittest.cc",
-    "cert/cert_verify_proc_mac_unittest.cc",
     "cert/cert_verify_proc_unittest.cc",
     "cert/coalescing_cert_verifier_unittest.cc",
     "cert/crl_set_unittest.cc",
@@ -5151,12 +5118,9 @@ test("net_unittests") {
     "cert/internal/revocation_util_unittest.cc",
     "cert/internal/signature_algorithm_unittest.cc",
     "cert/internal/simple_path_builder_delegate_unittest.cc",
-    "cert/internal/system_trust_store_nss_unittest.cc",
     "cert/internal/test_helpers.cc",
     "cert/internal/test_helpers.h",
     "cert/internal/trust_store_collection_unittest.cc",
-    "cert/internal/trust_store_mac_unittest.cc",
-    "cert/internal/trust_store_nss_unittest.cc",
     "cert/internal/verify_certificate_chain_pkits_unittest.cc",
     "cert/internal/verify_certificate_chain_typed_unittest.h",
     "cert/internal/verify_certificate_chain_unittest.cc",
@@ -5168,20 +5132,14 @@ test("net_unittests") {
     "cert/merkle_tree_leaf_unittest.cc",
     "cert/multi_log_ct_verifier_unittest.cc",
     "cert/multi_threaded_cert_verifier_unittest.cc",
-    "cert/nss_cert_database_chromeos_unittest.cc",
-    "cert/nss_cert_database_unittest.cc",
-    "cert/nss_profile_filter_chromeos_unittest.cc",
-    "cert/pem_tokenizer_unittest.cc",
+    "cert/pem_unittest.cc",
     "cert/signed_certificate_timestamp_unittest.cc",
     "cert/symantec_certs_unittest.cc",
     "cert/test_root_certs_unittest.cc",
     "cert/x509_cert_types_unittest.cc",
     "cert/x509_certificate_unittest.cc",
-    "cert/x509_util_ios_and_mac_unittest.cc",
-    "cert/x509_util_nss_unittest.cc",
     "cert/x509_util_unittest.cc",
-    "cert_net/cert_net_fetcher_impl_unittest.cc",
-    "cert_net/nss_ocsp_unittest.cc",
+    "cert_net/cert_net_fetcher_url_request_unittest.cc",
     "cookies/canonical_cookie_unittest.cc",
     "cookies/cookie_constants_unittest.cc",
     "cookies/cookie_deletion_info_unittest.cc",
@@ -5210,18 +5168,8 @@ test("net_unittests") {
     "disk_cache/simple/simple_util_unittest.cc",
     "disk_cache/simple/simple_version_upgrade_unittest.cc",
     "extras/sqlite/sqlite_persistent_cookie_store_unittest.cc",
-    "filter/brotli_source_stream_unittest.cc",
     "filter/filter_source_stream_unittest.cc",
     "filter/gzip_source_stream_unittest.cc",
-    "ftp/ftp_auth_cache_unittest.cc",
-    "ftp/ftp_ctrl_response_buffer_unittest.cc",
-    "ftp/ftp_directory_listing_parser_ls_unittest.cc",
-    "ftp/ftp_directory_listing_parser_unittest.cc",
-    "ftp/ftp_directory_listing_parser_unittest.h",
-    "ftp/ftp_directory_listing_parser_vms_unittest.cc",
-    "ftp/ftp_directory_listing_parser_windows_unittest.cc",
-    "ftp/ftp_network_transaction_unittest.cc",
-    "ftp/ftp_util_unittest.cc",
     "http/alternative_service_unittest.cc",
     "http/bidirectional_stream_unittest.cc",
     "http/broken_alternative_services_unittest.cc",
@@ -5234,12 +5182,9 @@ test("net_unittests") {
     "http/http_auth_handler_factory_unittest.cc",
     "http/http_auth_handler_mock.cc",
     "http/http_auth_handler_mock.h",
-    "http/http_auth_handler_negotiate_unittest.cc",
-    "http/http_auth_handler_ntlm_portable_unittest.cc",
     "http/http_auth_handler_unittest.cc",
     "http/http_auth_multi_round_parse_unittest.cc",
     "http/http_auth_preferences_unittest.cc",
-    "http/http_auth_sspi_win_unittest.cc",
     "http/http_auth_unittest.cc",
     "http/http_basic_state_unittest.cc",
     "http/http_byte_range_unittest.cc",
@@ -5269,8 +5214,6 @@ test("net_unittests") {
     "http/http_vary_data_unittest.cc",
     "http/mock_allow_http_auth_preferences.cc",
     "http/mock_allow_http_auth_preferences.h",
-    "http/mock_sspi_library_win.cc",
-    "http/mock_sspi_library_win.h",
     "http/transport_security_persister_unittest.cc",
     "http/transport_security_state_unittest.cc",
     "http/url_security_manager_unittest.cc",
@@ -5295,28 +5238,15 @@ test("net_unittests") {
     "nqe/observation_buffer_unittest.cc",
     "nqe/socket_watcher_unittest.cc",
     "nqe/throughput_analyzer_unittest.cc",
-    "ntlm/ntlm_buffer_reader_unittest.cc",
-    "ntlm/ntlm_buffer_writer_unittest.cc",
-    "ntlm/ntlm_client_unittest.cc",
-    "ntlm/ntlm_test_data.h",
-    "ntlm/ntlm_unittest.cc",
-    "proxy_resolution/dhcp_pac_file_adapter_fetcher_win_unittest.cc",
-    "proxy_resolution/dhcp_pac_file_fetcher_win_unittest.cc",
     "proxy_resolution/multi_threaded_proxy_resolver_unittest.cc",
     "proxy_resolution/network_delegate_error_observer_unittest.cc",
     "proxy_resolution/pac_file_decider_unittest.cc",
     "proxy_resolution/pac_file_fetcher_impl_unittest.cc",
-    "proxy_resolution/pac_library_unittest.cc",
     "proxy_resolution/proxy_bypass_rules_unittest.cc",
-    "proxy_resolution/proxy_config_service_android_unittest.cc",
-    "proxy_resolution/proxy_config_service_linux_unittest.cc",
-    "proxy_resolution/proxy_config_service_win_unittest.cc",
     "proxy_resolution/proxy_config_unittest.cc",
     "proxy_resolution/proxy_info_unittest.cc",
     "proxy_resolution/proxy_list_unittest.cc",
     "proxy_resolution/proxy_resolution_service_unittest.cc",
-    "proxy_resolution/proxy_resolver_v8_tracing_unittest.cc",
-    "proxy_resolution/proxy_resolver_v8_unittest.cc",
     "proxy_resolution/proxy_server_unittest.cc",
     "quic/bidirectional_stream_quic_impl_unittest.cc",
     "quic/crypto/proof_test_chromium.cc",
@@ -5400,21 +5330,14 @@ test("net_unittests") {
     "spdy/spdy_stream_unittest.cc",
     "spdy/spdy_write_queue_unittest.cc",
     "ssl/client_cert_identity_unittest.cc",
-    "ssl/client_cert_store_mac_unittest.cc",
-    "ssl/client_cert_store_nss_unittest.cc",
     "ssl/client_cert_store_unittest-inl.h",
-    "ssl/client_cert_store_win_unittest.cc",
     "ssl/ssl_cipher_suite_names_unittest.cc",
     "ssl/ssl_client_auth_cache_unittest.cc",
     "ssl/ssl_client_session_cache_unittest.cc",
     "ssl/ssl_config_service_unittest.cc",
     "ssl/ssl_config_unittest.cc",
     "ssl/ssl_connection_status_flags_unittest.cc",
-    "ssl/ssl_platform_key_android_unittest.cc",
-    "ssl/ssl_platform_key_mac_unittest.cc",
-    "ssl/ssl_platform_key_nss_unittest.cc",
     "ssl/ssl_platform_key_util_unittest.cc",
-    "ssl/ssl_platform_key_win_unittest.cc",
     "test/embedded_test_server/embedded_test_server_unittest.cc",
     "test/embedded_test_server/http_request_unittest.cc",
     "test/embedded_test_server/http_response_unittest.cc",
@@ -5498,6 +5421,10 @@ test("net_unittests") {
     "third_party/quiche/src/http2/tools/random_util.cc",
     "third_party/quiche/src/http2/tools/random_util.h",
     "third_party/quiche/src/quic/core/congestion_control/bandwidth_sampler_test.cc",
+
+    # TODO(rch): Re-enable once the SLOW_TEST annotation is added.
+    # "third_party/quiche/src/quic/core/congestion_control/bbr2_simulator_test.cc",
+    "third_party/quiche/src/common/platform/api/quiche_endian_test.cc",
     "third_party/quiche/src/quic/core/congestion_control/bbr_sender_test.cc",
     "third_party/quiche/src/quic/core/congestion_control/cubic_bytes_test.cc",
     "third_party/quiche/src/quic/core/congestion_control/general_loss_algorithm_test.cc",
@@ -5576,6 +5503,8 @@ test("net_unittests") {
     "third_party/quiche/src/quic/core/quic_arena_scoped_ptr_test.cc",
     "third_party/quiche/src/quic/core/quic_bandwidth_test.cc",
     "third_party/quiche/src/quic/core/quic_buffered_packet_store_test.cc",
+    "third_party/quiche/src/quic/core/quic_circular_deque_test.cc",
+    "third_party/quiche/src/quic/core/quic_coalesced_packet_test.cc",
     "third_party/quiche/src/quic/core/quic_config_test.cc",
     "third_party/quiche/src/quic/core/quic_connection_id_test.cc",
     "third_party/quiche/src/quic/core/quic_connection_test.cc",
@@ -5595,7 +5524,6 @@ test("net_unittests") {
     "third_party/quiche/src/quic/core/quic_lru_cache_test.cc",
     "third_party/quiche/src/quic/core/quic_one_block_arena_test.cc",
     "third_party/quiche/src/quic/core/quic_packet_creator_test.cc",
-    "third_party/quiche/src/quic/core/quic_packet_generator_test.cc",
     "third_party/quiche/src/quic/core/quic_packet_number_test.cc",
     "third_party/quiche/src/quic/core/quic_packets_test.cc",
     "third_party/quiche/src/quic/core/quic_received_packet_manager_test.cc",
@@ -5611,9 +5539,11 @@ test("net_unittests") {
     "third_party/quiche/src/quic/core/quic_stream_test.cc",
     "third_party/quiche/src/quic/core/quic_sustained_bandwidth_recorder_test.cc",
     "third_party/quiche/src/quic/core/quic_tag_test.cc",
+    "third_party/quiche/src/quic/core/quic_time_accumulator_test.cc",
     "third_party/quiche/src/quic/core/quic_time_test.cc",
     "third_party/quiche/src/quic/core/quic_time_wait_list_manager_test.cc",
     "third_party/quiche/src/quic/core/quic_trace_visitor_test.cc",
+    "third_party/quiche/src/quic/core/quic_types_test.cc",
     "third_party/quiche/src/quic/core/quic_unacked_packet_map_test.cc",
     "third_party/quiche/src/quic/core/quic_utils_test.cc",
     "third_party/quiche/src/quic/core/quic_version_manager_test.cc",
@@ -5623,7 +5553,6 @@ test("net_unittests") {
     "third_party/quiche/src/quic/core/uber_quic_stream_id_manager_test.cc",
     "third_party/quiche/src/quic/core/uber_received_packet_manager_test.cc",
     "third_party/quiche/src/quic/platform/api/quic_containers_test.cc",
-    "third_party/quiche/src/quic/platform/api/quic_endian_test.cc",
     "third_party/quiche/src/quic/platform/api/quic_hostname_utils_test.cc",
     "third_party/quiche/src/quic/platform/api/quic_ip_address_test.cc",
     "third_party/quiche/src/quic/platform/api/quic_mem_slice_span_test.cc",
@@ -5635,7 +5564,9 @@ test("net_unittests") {
     "third_party/quiche/src/quic/platform/api/quic_string_utils_test.cc",
     "third_party/quiche/src/quic/platform/api/quic_text_utils_test.cc",
     "third_party/quiche/src/quic/quic_transport/quic_transport_client_session_test.cc",
+    "third_party/quiche/src/quic/quic_transport/quic_transport_integration_test.cc",
     "third_party/quiche/src/quic/quic_transport/quic_transport_server_session_test.cc",
+    "third_party/quiche/src/quic/quic_transport/quic_transport_stream_test.cc",
     "third_party/quiche/src/quic/test_tools/crypto_test_utils_test.cc",
     "third_party/quiche/src/quic/test_tools/mock_quic_time_wait_list_manager.cc",
     "third_party/quiche/src/quic/test_tools/mock_quic_time_wait_list_manager.h",
@@ -5695,14 +5626,11 @@ test("net_unittests") {
     "url_request/url_fetcher_response_writer_unittest.cc",
     "url_request/url_request_context_builder_unittest.cc",
     "url_request/url_request_context_unittest.cc",
-    "url_request/url_request_data_job_unittest.cc",
     "url_request/url_request_filter_unittest.cc",
-    "url_request/url_request_ftp_job_unittest.cc",
     "url_request/url_request_http_job_unittest.cc",
     "url_request/url_request_job_factory_impl_unittest.cc",
     "url_request/url_request_job_unittest.cc",
     "url_request/url_request_quic_unittest.cc",
-    "url_request/url_request_simple_job_unittest.cc",
     "url_request/url_request_throttler_simulation_unittest.cc",
     "url_request/url_request_throttler_test_support.cc",
     "url_request/url_request_throttler_test_support.h",
@@ -5710,7 +5638,67 @@ test("net_unittests") {
     "url_request/url_request_unittest.cc",
     "url_request/view_cache_helper_unittest.cc",
   ]
-  net_unfiltered_sources = []
+
+  if (is_android) {
+    sources += [
+      "android/cellular_signal_strength_unittest.cc",
+      "android/dummy_spnego_authenticator.cc",
+      "android/dummy_spnego_authenticator.h",
+      "android/http_auth_negotiate_android_unittest.cc",
+      "android/network_change_notifier_android_unittest.cc",
+      "android/network_library_unittest.cc",
+      "android/traffic_stats_unittest.cc",
+      "cert/cert_verify_proc_android_unittest.cc",
+      "proxy_resolution/proxy_config_service_android_unittest.cc",
+      "ssl/ssl_platform_key_android_unittest.cc",
+    ]
+  }
+
+  if (is_chromeos && use_nss_certs) {
+    sources += [
+      "cert/nss_cert_database_chromeos_unittest.cc",
+      "cert/nss_profile_filter_chromeos_unittest.cc",
+    ]
+  }
+
+  if (is_ios) {
+    sources += [ "cert/cert_verify_proc_ios_unittest.cc" ]
+  }
+
+  if (is_linux) {
+    sources += [
+      "base/address_tracker_linux_unittest.cc",
+      "base/network_interfaces_linux_unittest.cc",
+    ]
+    if (!is_chromeos) {
+      sources += [ "proxy_resolution/proxy_config_service_linux_unittest.cc" ]
+    }
+  }
+
+  if (is_mac) {
+    sources += [
+      "cert/cert_verify_proc_mac_unittest.cc",
+      "cert/internal/trust_store_mac_unittest.cc",
+      "cert/x509_util_ios_and_mac_unittest.cc",
+      "ssl/client_cert_store_mac_unittest.cc",
+      "ssl/ssl_platform_key_mac_unittest.cc",
+    ]
+  }
+
+  if (is_win) {
+    sources += [
+      "base/network_change_notifier_win_unittest.cc",
+      "base/network_interfaces_win_unittest.cc",
+      "http/http_auth_sspi_win_unittest.cc",
+      "http/mock_sspi_library_win.cc",
+      "http/mock_sspi_library_win.h",
+      "proxy_resolution/dhcp_pac_file_adapter_fetcher_win_unittest.cc",
+      "proxy_resolution/dhcp_pac_file_fetcher_win_unittest.cc",
+      "proxy_resolution/proxy_config_service_win_unittest.cc",
+      "ssl/client_cert_store_win_unittest.cc",
+      "ssl/ssl_platform_key_win_unittest.cc",
+    ]
+  }
 
   # Disable building Quartc tests on iOS as they appear to be flaky there.
   if (!is_ios) {
@@ -5763,7 +5751,6 @@ test("net_unittests") {
       "third_party/quiche/src/quic/quartc/test/random_packet_filter.h",
     ]
   }
-
   configs += [ "//build/config:precompiled_headers" ]
   defines = []
 
@@ -5810,6 +5797,7 @@ test("net_unittests") {
 
   if (enable_reporting) {
     sources += [
+      "extras/sqlite/sqlite_persistent_reporting_and_nel_store_unittest.cc",
       "network_error_logging/mock_persistent_nel_store_unittest.cc",
       "network_error_logging/network_error_logging_service_unittest.cc",
       "reporting/mock_persistent_reporting_store_unittest.cc",
@@ -5825,12 +5813,6 @@ test("net_unittests") {
     ]
   }
 
-  if (enable_reporting) {
-    sources += [
-      "extras/sqlite/sqlite_persistent_reporting_and_nel_store_unittest.cc",
-    ]
-  }
-
   data = []
   data_deps = [
     "third_party/nist-pkits/",
@@ -5894,16 +5876,8 @@ test("net_unittests") {
     libs = [ "Security.framework" ]
   }
 
-  if (is_chromeos) {
-    sources -= [ "proxy_resolution/proxy_config_service_linux_unittest.cc" ]
-  }
-
-  if (v8_use_external_startup_data) {
-    deps += [ "//gin" ]
-  }
-
-  if (is_win) {
-    sources -= [
+  if (!is_win) {
+    sources += [
       "http/http_auth_handler_ntlm_portable_unittest.cc",
       "ntlm/ntlm_buffer_reader_unittest.cc",
       "ntlm/ntlm_buffer_writer_unittest.cc",
@@ -5921,24 +5895,23 @@ test("net_unittests") {
     use_test_server = true
     deps += [
       "//third_party/fuchsia-sdk/sdk:fidl_cpp",
-      "//third_party/fuchsia-sdk/sdk:netstack",
+      "//third_party/fuchsia-sdk/sdk:fuchsia-netstack",
     ]
     sources += [ "base/network_change_notifier_fuchsia_unittest.cc" ]
   }
 
-  if (!use_nss_certs) {
-    sources -= [
+  if (use_nss_certs) {
+    sources += [
       "cert/internal/system_trust_store_nss_unittest.cc",
       "cert/internal/trust_store_nss_unittest.cc",
       "cert/nss_cert_database_unittest.cc",
       "cert/x509_util_nss_unittest.cc",
-      "ssl/client_cert_store_nss_unittest.cc",
-      "ssl/ssl_platform_key_nss_unittest.cc",
+      "cert_net/nss_ocsp_unittest.cc",
     ]
-    if (is_chromeos) {  # Already removed for all non-ChromeOS builds.
-      sources -= [
-        "cert/nss_cert_database_chromeos_unittest.cc",
-        "cert/nss_profile_filter_chromeos_unittest.cc",
+    if (!is_chromecast) {
+      sources += [
+        "ssl/client_cert_store_nss_unittest.cc",
+        "ssl/ssl_platform_key_nss_unittest.cc",
       ]
     }
   }
@@ -5955,13 +5928,8 @@ test("net_unittests") {
     ]
   }
 
-  if (!use_kerberos) {
-    sources -= [ "http/http_auth_handler_negotiate_unittest.cc" ]
-  }
-
-  if (!use_nss_certs) {
-    # Only include this test when using NSS for cert verification.
-    sources -= [ "cert_net/nss_ocsp_unittest.cc" ]
+  if (use_kerberos) {
+    sources += [ "http/http_auth_handler_negotiate_unittest.cc" ]
   }
 
   if (enable_websockets) {
@@ -6000,8 +5968,8 @@ test("net_unittests") {
     ]
   }
 
-  if (disable_ftp_support) {
-    sources -= [
+  if (!disable_ftp_support) {
+    sources += [
       "ftp/ftp_auth_cache_unittest.cc",
       "ftp/ftp_ctrl_response_buffer_unittest.cc",
       "ftp/ftp_directory_listing_parser_ls_unittest.cc",
@@ -6019,15 +5987,6 @@ test("net_unittests") {
     sources += [ "url_request/http_with_dns_over_https_unittest.cc" ]
   }
 
-  if (use_v8_in_net) {
-    deps += [ ":net_with_v8" ]
-  } else {
-    sources -= [
-      "proxy_resolution/proxy_resolver_v8_tracing_unittest.cc",
-      "proxy_resolution/proxy_resolver_v8_unittest.cc",
-    ]
-  }
-
   if (is_ios) {
     sources -= [
       # TODO(droger): The following tests are disabled because the
@@ -6040,13 +5999,13 @@ test("net_unittests") {
       "spdy/fuzzing/hpack_fuzz_util_test.cc",
 
       # Need TestServer.
-      "cert_net/cert_net_fetcher_impl_unittest.cc",
+      "cert_net/cert_net_fetcher_url_request_unittest.cc",
       "proxy_resolution/pac_file_fetcher_impl_unittest.cc",
       "socket/ssl_client_socket_unittest.cc",
       "url_request/url_fetcher_impl_unittest.cc",
       "url_request/url_request_context_builder_unittest.cc",
     ]
-    net_unfiltered_sources += [ "cert/x509_util_ios_and_mac_unittest.cc" ]
+    sources += [ "cert/x509_util_ios_and_mac_unittest.cc" ]
 
     bundle_deps = [ ":net_unittests_bundle_data" ]
   }
@@ -6069,7 +6028,6 @@ test("net_unittests") {
       "base/filename_util_unittest.cc",
       "base/url_util_unittest.cc",
       "cert/x509_certificate_unittest.cc",
-      "proxy_resolution/proxy_resolver_v8_unittest.cc",
       "url_request/url_request_job_unittest.cc",
     ]
     deps += [ "//url:url_java" ]
@@ -6094,9 +6052,8 @@ test("net_unittests") {
     ]
   }
 
-  # Exclude brotli test if the support for brotli is disabled.
-  if (disable_brotli_filter) {
-    sources -= [ "filter/brotli_source_stream_unittest.cc" ]
+  if (!disable_brotli_filter) {
+    sources += [ "filter/brotli_source_stream_unittest.cc" ]
   }
 
   if (is_android) {
@@ -6113,15 +6070,12 @@ test("net_unittests") {
       # TODO(mmenke):  This depends on test_support_base, which depends on
       #                icu.  Figure out a way to remove that dependency.
       "//testing/android/native_test:native_test_native_code",
-      "//v8:v8_external_startup_data_assets",
     ]
     android_manifest = "//net/android/unittest_support/AndroidManifest.xml"
-    set_sources_assignment_filter([])
     sources += [
       "base/address_tracker_linux_unittest.cc",
       "base/network_interfaces_linux_unittest.cc",
     ]
-    set_sources_assignment_filter(sources_assignment_filter)
     shard_timeout = 300
   }
 
@@ -6132,13 +6086,6 @@ test("net_unittests") {
     ]
   }
 
-  if (is_chromecast && use_nss_certs) {
-    sources -= [
-      "ssl/client_cert_store_nss_unittest.cc",
-      "ssl/ssl_platform_key_nss_unittest.cc",
-    ]
-  }
-
   if (trial_comparison_cert_verifier_supported) {
     sources += [ "cert/trial_comparison_cert_verifier_unittest.cc" ]
   }
@@ -6150,11 +6097,6 @@ test("net_unittests") {
       "//net/tools/transport_security_state_generator:transport_security_state_generator_test_sources",
     ]
   }
-
-  # Add back some sources that were otherwise filtered out.
-  set_sources_assignment_filter([])
-  sources += net_unfiltered_sources
-  set_sources_assignment_filter(sources_assignment_filter)
 }
 
 # !is_android && !is_win && !is_mac
@@ -6253,9 +6195,9 @@ fuzzer_test("disk_cache_lpm_fuzzer") {
   ]
 }
 
-fuzzer_test("net_data_job_fuzzer") {
+fuzzer_test("net_data_url_fuzzer") {
   sources = [
-    "url_request/url_request_data_job_fuzzer.cc",
+    "base/data_url_fuzzer.cc",
   ]
   deps = [
     ":net_fuzzer_test_support",
@@ -6263,6 +6205,10 @@ fuzzer_test("net_data_job_fuzzer") {
     "//base",
     "//net",
   ]
+  dict = "data/fuzzer_dictionaries/net_data_url_fuzzer.dict"
+
+  # IsTokenChar() and ToLowerASCII() are surprisingly slow in instrumented builds.
+  libfuzzer_options = [ "max_len=100000" ]
 }
 
 fuzzer_test("net_mime_sniffer_fuzzer") {
@@ -6326,18 +6272,6 @@ fuzzer_test("net_parse_proxy_rules_fuzzer") {
   dict = "data/fuzzer_dictionaries/net_parse_proxy_bypass_rules_fuzzer.dict"
 }
 
-fuzzer_test("net_parse_data_url_fuzzer") {
-  sources = [
-    "base/parse_data_url_fuzzer.cc",
-  ]
-  deps = [
-    ":net_fuzzer_test_support",
-    "//base",
-    "//net",
-  ]
-  dict = "data/fuzzer_dictionaries/net_parse_data_url_fuzzer.dict"
-}
-
 fuzzer_test("net_parse_ip_pattern_fuzzer") {
   sources = [
     "base/parse_ip_pattern_fuzzer.cc",
@@ -6491,6 +6425,17 @@ fuzzer_test("net_cert_ocsp_parse_ocsp_response_fuzzer") {
   ]
 }
 
+fuzzer_test("net_cert_parse_authority_key_identifier_fuzzer") {
+  sources = [
+    "cert/internal/parse_authority_key_identifier_fuzzer.cc",
+  ]
+  seed_corpus = "data/fuzzer_data/parse_authority_key_identifier_fuzzer"
+  deps = [
+    "//base",
+    "//net",
+  ]
+}
+
 fuzzer_test("net_cert_parse_certificate_fuzzer") {
   sources = [
     "cert/internal/parse_certificate_fuzzer.cc",
@@ -6697,6 +6642,30 @@ fuzzer_test("net_http_chunked_decoder_fuzzer") {
   dict = "data/fuzzer_dictionaries/http_chunked_decoder_fuzzer.dict"
 }
 
+fuzzer_test("net_http_auth_handler_basic_fuzzer") {
+  sources = [
+    "http/http_auth_handler_basic_fuzzer.cc",
+  ]
+  dict = "data/fuzzer_dictionaries/net_http_auth_handler_basic_fuzzer.dict"
+  deps = [
+    ":net_fuzzer_test_support",
+    "//net",
+    "//net/dns:test_support",
+  ]
+}
+
+fuzzer_test("net_http_auth_handler_digest_fuzzer") {
+  sources = [
+    "http/http_auth_handler_digest_fuzzer.cc",
+  ]
+  dict = "data/fuzzer_dictionaries/net_http_auth_handler_digest_fuzzer.dict"
+  deps = [
+    ":net_fuzzer_test_support",
+    "//net",
+    "//net/dns:test_support",
+  ]
+}
+
 fuzzer_test("net_http_content_disposition_fuzzer") {
   sources = [
     "http/http_content_disposition_fuzzer.cc",
@@ -6935,6 +6904,20 @@ fuzzer_test("net_quic_framer_fuzzer") {
   ]
 }
 
+fuzzer_test("net_quic_framer_process_data_packet_fuzzer") {
+  sources = [
+    "third_party/quiche/src/quic/test_tools/fuzzing/quic_framer_process_data_packet_fuzzer.cc",
+  ]
+
+  deps = [
+    ":net_fuzzer_test_support",
+    ":quic_test_tools",
+    ":test_support",
+    "//net",
+    "//net/data/ssl/certificates:generate_fuzzer_cert_includes",
+  ]
+}
+
 fuzzer_test("net_uri_template_fuzzer") {
   sources = [
     "third_party/uri_template/uri_template_fuzzer.cc",
diff --git a/chromium/net/DEPS b/chromium/net/DEPS
index 9fa5d14fc27..ba7ae884f07 100644
--- a/chromium/net/DEPS
+++ b/chromium/net/DEPS
@@ -1,6 +1,5 @@
 include_rules = [
   "+crypto",
-  "+gin",
   "+mojo/public",
   "+net/net_jni_headers",
   "+third_party/apple_apsl",
@@ -8,7 +7,6 @@ include_rules = [
   "+third_party/nss",
   "+third_party/protobuf/src/google/protobuf",
   "+third_party/zlib",
-  "+v8",
 
   # Most of net should not depend on icu, and brotli to keep size down when
   # built as a library.
diff --git a/chromium/net/android/http_auth_negotiate_android.cc b/chromium/net/android/http_auth_negotiate_android.cc
index 4beca169464..818dd2c36ba 100644
--- a/chromium/net/android/http_auth_negotiate_android.cc
+++ b/chromium/net/android/http_auth_negotiate_android.cc
@@ -13,6 +13,7 @@
 #include "base/threading/thread_task_runner_handle.h"
 #include "net/base/auth.h"
 #include "net/base/net_errors.h"
+#include "net/http/http_auth.h"
 #include "net/http/http_auth_challenge_tokenizer.h"
 #include "net/http/http_auth_multi_round_parse.h"
 #include "net/http/http_auth_preferences.h"
@@ -86,10 +87,11 @@ HttpAuth::AuthorizationResult HttpAuthNegotiateAndroid::ParseChallenge(
     net::HttpAuthChallengeTokenizer* tok) {
   if (first_challenge_) {
     first_challenge_ = false;
-    return net::ParseFirstRoundChallenge("negotiate", tok);
+    return net::ParseFirstRoundChallenge(HttpAuth::AUTH_SCHEME_NEGOTIATE, tok);
   }
   std::string decoded_auth_token;
-  return net::ParseLaterRoundChallenge("negotiate", tok, &server_auth_token_,
+  return net::ParseLaterRoundChallenge(HttpAuth::AUTH_SCHEME_NEGOTIATE, tok,
+                                       &server_auth_token_,
                                        &decoded_auth_token);
 }
 
diff --git a/chromium/net/android/http_auth_negotiate_android.h b/chromium/net/android/http_auth_negotiate_android.h
index 78e29a1bdc2..e998b55adc8 100644
--- a/chromium/net/android/http_auth_negotiate_android.h
+++ b/chromium/net/android/http_auth_negotiate_android.h
@@ -17,7 +17,7 @@
 #include "net/base/completion_once_callback.h"
 #include "net/base/net_export.h"
 #include "net/http/http_auth.h"
-#include "net/http/http_negotiate_auth_system.h"
+#include "net/http/http_auth_mechanism.h"
 
 namespace base {
 class TaskRunner;
@@ -64,8 +64,7 @@ class NET_EXPORT_PRIVATE JavaNegotiateResultWrapper {
 // provides a bridge to the Java code, and hence to the service. See
 // https://drive.google.com/open?id=1G7WAaYEKMzj16PTHT_cIYuKXJG6bBcrQ7QQBQ6ihOcQ&authuser=1
 // for the full details.
-class NET_EXPORT_PRIVATE HttpAuthNegotiateAndroid
-    : public HttpNegotiateAuthSystem {
+class NET_EXPORT_PRIVATE HttpAuthNegotiateAndroid : public HttpAuthMechanism {
  public:
   // Creates an object for one negotiation session. |prefs| are the
   // authentication preferences. In particular they include the Android account
@@ -73,7 +72,7 @@ class NET_EXPORT_PRIVATE HttpAuthNegotiateAndroid
   explicit HttpAuthNegotiateAndroid(const HttpAuthPreferences* prefs);
   ~HttpAuthNegotiateAndroid() override;
 
-  // HttpNegotiateAuthSystem implementation:
+  // HttpAuthMechanism implementation:
   bool Init(const NetLogWithSource& net_log) override;
   bool NeedsIdentity() const override;
   bool AllowsExplicitCredentials() const override;
diff --git a/chromium/net/android/network_change_notifier_android.cc b/chromium/net/android/network_change_notifier_android.cc
index 4cf89f9f0d2..29d4ddbc8ad 100644
--- a/chromium/net/android/network_change_notifier_android.cc
+++ b/chromium/net/android/network_change_notifier_android.cc
@@ -65,7 +65,6 @@
 #include "base/bind.h"
 #include "base/bind_helpers.h"
 #include "base/macros.h"
-#include "base/message_loop/message_loop.h"
 #include "base/metrics/histogram_macros.h"
 #include "base/sequenced_task_runner.h"
 #include "base/task/post_task.h"
diff --git a/chromium/net/android/network_library.cc b/chromium/net/android/network_library.cc
index c7c76442207..acd6c3106e9 100644
--- a/chromium/net/android/network_library.cc
+++ b/chromium/net/android/network_library.cc
@@ -90,12 +90,6 @@ bool GetMimeTypeFromExtension(const std::string& extension,
   return true;
 }
 
-std::string GetTelephonyNetworkCountryIso() {
-  return base::android::ConvertJavaStringToUTF8(
-      Java_AndroidNetworkLibrary_getNetworkCountryIso(
-          base::android::AttachCurrentThread()));
-}
-
 std::string GetTelephonyNetworkOperator() {
   return base::android::ConvertJavaStringToUTF8(
       Java_AndroidNetworkLibrary_getNetworkOperator(
diff --git a/chromium/net/android/network_library.h b/chromium/net/android/network_library.h
index 56572b21cc1..6f5841c2269 100644
--- a/chromium/net/android/network_library.h
+++ b/chromium/net/android/network_library.h
@@ -55,10 +55,6 @@ bool HaveOnlyLoopbackAddresses();
 bool GetMimeTypeFromExtension(const std::string& extension,
                               std::string* result);
 
-// Returns the ISO country code equivalent of the current MCC (mobile country
-// code).
-NET_EXPORT std::string GetTelephonyNetworkCountryIso();
-
 // Returns MCC+MNC (mobile country code + mobile network code) as
 // the numeric name of the current registered operator.
 NET_EXPORT std::string GetTelephonyNetworkOperator();
diff --git a/chromium/net/base/OWNERS b/chromium/net/base/OWNERS
index db67407252a..104d756e8bc 100644
--- a/chromium/net/base/OWNERS
+++ b/chromium/net/base/OWNERS
@@ -2,6 +2,4 @@ per-file *_fuchsia*=file://build/fuchsia/OWNERS
 
 # For security review of MIME sniffing to avoid introducing security bugs
 per-file mime_sniffer*=set noparent
-per-file mime_sniffer*=rsleevi@chromium.org
-per-file mime_sniffer*=asanka@chromium.org
-per-file mime_sniffer*=mmenke@chromium.org
+per-file mime_sniffer*=file://net/base/SECURITY_OWNERS
diff --git a/chromium/net/base/SECURITY_OWNERS b/chromium/net/base/SECURITY_OWNERS
new file mode 100644
index 00000000000..dcc8eb1bf36
--- /dev/null
+++ b/chromium/net/base/SECURITY_OWNERS
@@ -0,0 +1,3 @@
+rsleevi@chromium.org
+asanka@chromium.org
+mmenke@chromium.org
diff --git a/chromium/net/base/address_list.cc b/chromium/net/base/address_list.cc
index 428210645a1..047b8164232 100644
--- a/chromium/net/base/address_list.cc
+++ b/chromium/net/base/address_list.cc
@@ -8,6 +8,7 @@
 
 #include "base/bind.h"
 #include "base/callback.h"
+#include "base/containers/flat_map.h"
 #include "base/logging.h"
 #include "base/values.h"
 #include "net/base/sys_addrinfo.h"
@@ -19,6 +20,8 @@ AddressList::AddressList() = default;
 
 AddressList::AddressList(const AddressList&) = default;
 
+AddressList& AddressList::operator=(const AddressList&) = default;
+
 AddressList::~AddressList() = default;
 
 AddressList::AddressList(const IPEndPoint& endpoint) {
@@ -86,4 +89,24 @@ base::Value AddressList::NetLogParams() const {
   return dict;
 }
 
+void AddressList::Deduplicate() {
+  if (size() > 1) {
+    std::vector<std::pair<IPEndPoint, int>> make_me_into_a_map(size());
+    for (auto& addr : *this)
+      make_me_into_a_map.emplace_back(addr, 0);
+    base::flat_map<IPEndPoint, int> inserted(std::move(make_me_into_a_map));
+
+    std::vector<IPEndPoint> deduplicated_addresses;
+    deduplicated_addresses.reserve(inserted.size());
+    for (const auto& addr : *this) {
+      int& count = inserted[addr];
+      if (!count) {
+        deduplicated_addresses.push_back(addr);
+        ++count;
+      }
+    }
+    endpoints_.swap(deduplicated_addresses);
+  }
+}
+
 }  // namespace net
diff --git a/chromium/net/base/address_list.h b/chromium/net/base/address_list.h
index 1baf593701d..507866f28aa 100644
--- a/chromium/net/base/address_list.h
+++ b/chromium/net/base/address_list.h
@@ -28,6 +28,7 @@ class NET_EXPORT AddressList {
  public:
   AddressList();
   AddressList(const AddressList&);
+  AddressList& operator=(const AddressList&);
   ~AddressList();
 
   // Creates an address list for a single IP literal.
@@ -59,6 +60,9 @@ class NET_EXPORT AddressList {
   // inclusion in a NetLog.
   base::Value NetLogParams() const;
 
+  // Deduplicates the stored addresses while otherwise preserving their order.
+  void Deduplicate();
+
   using iterator = std::vector<IPEndPoint>::iterator;
   using const_iterator = std::vector<IPEndPoint>::const_iterator;
 
diff --git a/chromium/net/base/address_list_unittest.cc b/chromium/net/base/address_list_unittest.cc
index 08326902c59..93c973f2644 100644
--- a/chromium/net/base/address_list_unittest.cc
+++ b/chromium/net/base/address_list_unittest.cc
@@ -10,8 +10,11 @@
 #include "net/base/ip_address.h"
 #include "net/base/sockaddr_storage.h"
 #include "net/base/sys_addrinfo.h"
+#include "testing/gmock/include/gmock/gmock.h"
 #include "testing/gtest/include/gtest/gtest.h"
 
+using ::testing::ElementsAre;
+
 namespace net {
 namespace {
 
@@ -136,5 +139,39 @@ TEST(AddressListTest, CreateFromIPAddressList) {
   EXPECT_EQ(base::size(tests), test_list.size());
 }
 
+TEST(AddressListTest, DeduplicatesEmptyAddressList) {
+  AddressList empty;
+  empty.Deduplicate();
+  EXPECT_EQ(empty.size(), 0u);
+}
+
+TEST(AddressListTest, DeduplicatesSingletonAddressList) {
+  AddressList singleton;
+  singleton.push_back(IPEndPoint());
+  singleton.Deduplicate();
+  EXPECT_THAT(singleton.endpoints(), ElementsAre(IPEndPoint()));
+}
+
+TEST(AddressListTest, DeduplicatesLongerAddressList) {
+  AddressList several;
+  several.endpoints() = {IPEndPoint(IPAddress(0, 0, 0, 1), 0),
+                         IPEndPoint(IPAddress(0, 0, 0, 2), 0),
+                         IPEndPoint(IPAddress(0, 0, 0, 2), 0),
+                         IPEndPoint(IPAddress(0, 0, 0, 3), 0),
+                         IPEndPoint(IPAddress(0, 0, 0, 2), 0),
+                         IPEndPoint(IPAddress(0, 0, 0, 1), 0),
+                         IPEndPoint(IPAddress(0, 0, 0, 2), 0),
+                         IPEndPoint(IPAddress(0, 0, 0, 3), 0),
+                         IPEndPoint(IPAddress(0, 0, 0, 2), 0)};
+  several.Deduplicate();
+
+  // Deduplication should preserve the order of the first instances
+  // of the unique addresses.
+  EXPECT_THAT(several.endpoints(),
+              ElementsAre(IPEndPoint(IPAddress(0, 0, 0, 1), 0),
+                          IPEndPoint(IPAddress(0, 0, 0, 2), 0),
+                          IPEndPoint(IPAddress(0, 0, 0, 3), 0)));
+}
+
 }  // namespace
 }  // namespace net
diff --git a/chromium/net/base/address_tracker_linux.cc b/chromium/net/base/address_tracker_linux.cc
index 5c2558857e5..888281e8baf 100644
--- a/chromium/net/base/address_tracker_linux.cc
+++ b/chromium/net/base/address_tracker_linux.cc
@@ -8,6 +8,7 @@
 #include <linux/if.h>
 #include <stdint.h>
 #include <sys/ioctl.h>
+#include <utility>
 
 #include "base/bind_helpers.h"
 #include "base/files/scoped_file.h"
@@ -26,9 +27,7 @@ namespace {
 // Some kernel functions such as wireless_send_event and rtnetlink_ifinfo_prep
 // may send spurious messages over rtnetlink. RTM_NEWLINK messages where
 // ifi_change == 0 and rta_type == IFLA_WIRELESS should be ignored.
-bool IgnoreWirelessChange(const struct nlmsghdr* header,
-                          const struct ifinfomsg* msg) {
-  size_t length = IFLA_PAYLOAD(header);
+bool IgnoreWirelessChange(const struct ifinfomsg* msg, int length) {
   for (const struct rtattr* attr = IFLA_RTA(msg); RTA_OK(attr, length);
        attr = RTA_NEXT(attr, length)) {
     if (attr->rta_type == IFLA_WIRELESS && msg->ifi_change == 0)
@@ -39,13 +38,20 @@ bool IgnoreWirelessChange(const struct nlmsghdr* header,
 
 // Retrieves address from NETLINK address message.
 // Sets |really_deprecated| for IPv6 addresses with preferred lifetimes of 0.
+// Precondition: |header| must already be validated with NLMSG_OK.
 bool GetAddress(const struct nlmsghdr* header,
+                int header_length,
                 IPAddress* out,
                 bool* really_deprecated) {
   if (really_deprecated)
     *really_deprecated = false;
+
+  // Extract the message and update |header_length| to be the number of
+  // remaining bytes.
   const struct ifaddrmsg* msg =
-      reinterpret_cast<struct ifaddrmsg*>(NLMSG_DATA(header));
+      reinterpret_cast<const struct ifaddrmsg*>(NLMSG_DATA(header));
+  header_length -= NLMSG_HDRLEN;
+
   size_t address_length = 0;
   switch (msg->ifa_family) {
     case AF_INET:
@@ -64,22 +70,36 @@ bool GetAddress(const struct nlmsghdr* header,
   // have the IFA_LOCAL attribute.
   uint8_t* address = NULL;
   uint8_t* local = NULL;
-  size_t length = IFA_PAYLOAD(header);
+  int length = IFA_PAYLOAD(header);
+  if (length > header_length) {
+    LOG(ERROR) << "ifaddrmsg length exceeds bounds";
+    return false;
+  }
   for (const struct rtattr* attr =
            reinterpret_cast<const struct rtattr*>(IFA_RTA(msg));
-       RTA_OK(attr, length);
-       attr = RTA_NEXT(attr, length)) {
+       RTA_OK(attr, length); attr = RTA_NEXT(attr, length)) {
     switch (attr->rta_type) {
       case IFA_ADDRESS:
-        DCHECK_GE(RTA_PAYLOAD(attr), address_length);
+        if (RTA_PAYLOAD(attr) < address_length) {
+          LOG(ERROR) << "attr does not have enough bytes to read an address";
+          return false;
+        }
         address = reinterpret_cast<uint8_t*>(RTA_DATA(attr));
         break;
       case IFA_LOCAL:
-        DCHECK_GE(RTA_PAYLOAD(attr), address_length);
+        if (RTA_PAYLOAD(attr) < address_length) {
+          LOG(ERROR) << "attr does not have enough bytes to read an address";
+          return false;
+        }
         local = reinterpret_cast<uint8_t*>(RTA_DATA(attr));
         break;
       case IFA_CACHEINFO: {
-        const struct ifa_cacheinfo *cache_info =
+        if (RTA_PAYLOAD(attr) < sizeof(struct ifa_cacheinfo)) {
+          LOG(ERROR)
+              << "attr does not have enough bytes to read an ifa_cacheinfo";
+          return false;
+        }
+        const struct ifa_cacheinfo* cache_info =
             reinterpret_cast<const struct ifa_cacheinfo*>(RTA_DATA(attr));
         if (really_deprecated)
           *really_deprecated = (cache_info->ifa_prefered == 0);
@@ -96,6 +116,16 @@ bool GetAddress(const struct nlmsghdr* header,
   return true;
 }
 
+// SafelyCastNetlinkMsgData<T> performs a bounds check before casting |header|'s
+// data to a |T*|. When the bounds check fails, returns nullptr.
+template <typename T>
+T* SafelyCastNetlinkMsgData(const struct nlmsghdr* header, int length) {
+  DCHECK(NLMSG_OK(header, static_cast<__u32>(length)));
+  if (length <= 0 || static_cast<size_t>(length) < NLMSG_HDRLEN + sizeof(T))
+    return nullptr;
+  return reinterpret_cast<const T*>(NLMSG_DATA(header));
+}
+
 }  // namespace
 
 // static
@@ -314,30 +344,40 @@ void AddressTrackerLinux::ReadMessages(bool* address_changed,
 }
 
 void AddressTrackerLinux::HandleMessage(const char* buffer,
-                                        size_t length,
+                                        int length,
                                         bool* address_changed,
                                         bool* link_changed,
                                         bool* tunnel_changed) {
   DCHECK(buffer);
+  // Note that NLMSG_NEXT decrements |length| to reflect the number of bytes
+  // remaining in |buffer|.
   for (const struct nlmsghdr* header =
            reinterpret_cast<const struct nlmsghdr*>(buffer);
-       NLMSG_OK(header, length); header = NLMSG_NEXT(header, length)) {
+       length >= 0 && NLMSG_OK(header, static_cast<__u32>(length));
+       header = NLMSG_NEXT(header, length)) {
+    // The |header| pointer should never precede |buffer|.
+    DCHECK_LE(buffer, reinterpret_cast<const char*>(header));
     switch (header->nlmsg_type) {
       case NLMSG_DONE:
         return;
       case NLMSG_ERROR: {
         const struct nlmsgerr* msg =
-            reinterpret_cast<struct nlmsgerr*>(NLMSG_DATA(header));
+            SafelyCastNetlinkMsgData<const struct nlmsgerr>(header, length);
+        if (msg == nullptr)
+          return;
         LOG(ERROR) << "Unexpected netlink error " << msg->error << ".";
       } return;
       case RTM_NEWADDR: {
         IPAddress address;
         bool really_deprecated;
-        struct ifaddrmsg* msg =
-            reinterpret_cast<struct ifaddrmsg*>(NLMSG_DATA(header));
+        const struct ifaddrmsg* msg =
+            SafelyCastNetlinkMsgData<const struct ifaddrmsg>(header, length);
+        if (msg == nullptr)
+          return;
         if (IsInterfaceIgnored(msg->ifa_index))
           break;
-        if (GetAddress(header, &address, &really_deprecated)) {
+        if (GetAddress(header, length, &address, &really_deprecated)) {
+          struct ifaddrmsg msg_copy = *msg;
           AddressTrackerAutoLock lock(*this, address_map_lock_);
           // Routers may frequently (every few seconds) output the IPv6 ULA
           // prefix which can cause the linux kernel to frequently output two
@@ -347,15 +387,15 @@ void AddressTrackerLinux::HandleMessage(const char* buffer,
           // messages by setting the deprecated flag based on the preferred
           // lifetime also.  http://crbug.com/268042
           if (really_deprecated)
-            msg->ifa_flags |= IFA_F_DEPRECATED;
+            msg_copy.ifa_flags |= IFA_F_DEPRECATED;
           // Only indicate change if the address is new or ifaddrmsg info has
           // changed.
           auto it = address_map_.find(address);
           if (it == address_map_.end()) {
-            address_map_.insert(it, std::make_pair(address, *msg));
+            address_map_.insert(it, std::make_pair(address, msg_copy));
             *address_changed = true;
-          } else if (memcmp(&it->second, msg, sizeof(*msg))) {
-            it->second = *msg;
+          } else if (memcmp(&it->second, &msg_copy, sizeof(msg_copy))) {
+            it->second = msg_copy;
             *address_changed = true;
           }
         }
@@ -363,10 +403,12 @@ void AddressTrackerLinux::HandleMessage(const char* buffer,
       case RTM_DELADDR: {
         IPAddress address;
         const struct ifaddrmsg* msg =
-            reinterpret_cast<struct ifaddrmsg*>(NLMSG_DATA(header));
+            SafelyCastNetlinkMsgData<const struct ifaddrmsg>(header, length);
+        if (msg == nullptr)
+          return;
         if (IsInterfaceIgnored(msg->ifa_index))
           break;
-        if (GetAddress(header, &address, NULL)) {
+        if (GetAddress(header, length, &address, nullptr)) {
           AddressTrackerAutoLock lock(*this, address_map_lock_);
           if (address_map_.erase(address))
             *address_changed = true;
@@ -374,10 +416,12 @@ void AddressTrackerLinux::HandleMessage(const char* buffer,
       } break;
       case RTM_NEWLINK: {
         const struct ifinfomsg* msg =
-            reinterpret_cast<struct ifinfomsg*>(NLMSG_DATA(header));
+            SafelyCastNetlinkMsgData<const struct ifinfomsg>(header, length);
+        if (msg == nullptr)
+          return;
         if (IsInterfaceIgnored(msg->ifi_index))
           break;
-        if (IgnoreWirelessChange(header, msg)) {
+        if (IgnoreWirelessChange(msg, IFLA_PAYLOAD(header))) {
           VLOG(2) << "Ignoring RTM_NEWLINK message";
           break;
         }
@@ -400,7 +444,9 @@ void AddressTrackerLinux::HandleMessage(const char* buffer,
       } break;
       case RTM_DELLINK: {
         const struct ifinfomsg* msg =
-            reinterpret_cast<struct ifinfomsg*>(NLMSG_DATA(header));
+            SafelyCastNetlinkMsgData<const struct ifinfomsg>(header, length);
+        if (msg == nullptr)
+          return;
         if (IsInterfaceIgnored(msg->ifi_index))
           break;
         AddressTrackerAutoLock lock(*this, online_links_lock_);
@@ -468,8 +514,7 @@ void AddressTrackerLinux::UpdateCurrentConnectionType() {
   current_connection_type_ = type;
 }
 
-int AddressTrackerLinux::GetThreadsWaitingForConnectionTypeInitForTesting()
-{
+int AddressTrackerLinux::GetThreadsWaitingForConnectionTypeInitForTesting() {
   AddressTrackerAutoLock lock(*this, connection_type_lock_);
   return threads_waiting_for_connection_type_initialization_;
 }
diff --git a/chromium/net/base/address_tracker_linux.h b/chromium/net/base/address_tracker_linux.h
index f3d38fc1a60..a2c11162818 100644
--- a/chromium/net/base/address_tracker_linux.h
+++ b/chromium/net/base/address_tracker_linux.h
@@ -13,6 +13,8 @@
 #include <stddef.h>
 
 #include <map>
+#include <memory>
+#include <string>
 #include <unordered_set>
 
 #include "base/callback.h"
@@ -120,7 +122,7 @@ class NET_EXPORT_PRIVATE AddressTrackerLinux {
   // to true if |online_links_| changed with regards to a tunnel interface while
   // reading the message from |buffer|.
   void HandleMessage(const char* buffer,
-                     size_t length,
+                     int length,
                      bool* address_changed,
                      bool* link_changed,
                      bool* tunnel_changed);
diff --git a/chromium/net/base/data_url.cc b/chromium/net/base/data_url.cc
index 90b0bb68647..ec051a85665 100644
--- a/chromium/net/base/data_url.cc
+++ b/chromium/net/base/data_url.cc
@@ -15,12 +15,12 @@
 #include "base/strings/string_util.h"
 #include "net/base/escape.h"
 #include "net/base/mime_util.h"
+#include "net/http/http_response_headers.h"
 #include "net/http/http_util.h"
 #include "url/gurl.h"
 
 namespace net {
 
-// static
 bool DataURL::Parse(const GURL& url,
                     std::string* mime_type,
                     std::string* charset,
@@ -30,6 +30,7 @@ bool DataURL::Parse(const GURL& url,
 
   DCHECK(mime_type->empty());
   DCHECK(charset->empty());
+  DCHECK(!data || data->empty());
 
   std::string content = url.GetContent();
 
@@ -45,9 +46,12 @@ bool DataURL::Parse(const GURL& url,
       base::SplitStringPiece(base::StringPiece(begin, comma), ";",
                              base::TRIM_WHITESPACE, base::SPLIT_WANT_ALL);
 
+  // These are moved to |mime_type| and |charset| on success.
+  std::string mime_type_value;
+  std::string charset_value;
   auto iter = meta_data.cbegin();
   if (iter != meta_data.cend()) {
-    *mime_type = base::ToLowerASCII(*iter);
+    mime_type_value = base::ToLowerASCII(*iter);
     ++iter;
   }
 
@@ -59,84 +63,128 @@ bool DataURL::Parse(const GURL& url,
     if (!base64_encoded &&
         base::EqualsCaseInsensitiveASCII(*iter, kBase64Tag)) {
       base64_encoded = true;
-    } else if (charset->empty() &&
+    } else if (charset_value.empty() &&
                base::StartsWith(*iter, kCharsetTag,
                                 base::CompareCase::INSENSITIVE_ASCII)) {
-      *charset = std::string(iter->substr(kCharsetTag.size()));
+      charset_value = iter->substr(kCharsetTag.size()).as_string();
       // The grammar for charset is not specially defined in RFC2045 and
       // RFC2397. It just needs to be a token.
-      if (!HttpUtil::IsToken(*charset))
+      if (!HttpUtil::IsToken(charset_value))
         return false;
     }
   }
 
-  if (mime_type->empty()) {
+  if (mime_type_value.empty()) {
     // Fallback to the default if nothing specified in the mediatype part as
     // specified in RFC2045. As specified in RFC2397, we use |charset| even if
     // |mime_type| is empty.
-    mime_type->assign("text/plain");
-    if (charset->empty())
-      charset->assign("US-ASCII");
-  } else if (!ParseMimeTypeWithoutParameter(*mime_type, nullptr, nullptr)) {
+    mime_type_value = "text/plain";
+    if (charset_value.empty())
+      charset_value = "US-ASCII";
+  } else if (!ParseMimeTypeWithoutParameter(mime_type_value, nullptr,
+                                            nullptr)) {
     // Fallback to the default as recommended in RFC2045 when the mediatype
     // value is invalid. For this case, we don't respect |charset| but force it
     // set to "US-ASCII".
-    mime_type->assign("text/plain");
-    charset->assign("US-ASCII");
+    mime_type_value = "text/plain";
+    charset_value = "US-ASCII";
   }
 
   // The caller may not be interested in receiving the data.
-  if (!data)
-    return true;
-
-  // Preserve spaces if dealing with text or xml input, same as mozilla:
-  //   https://bugzilla.mozilla.org/show_bug.cgi?id=138052
-  // but strip them otherwise:
-  //   https://bugzilla.mozilla.org/show_bug.cgi?id=37200
-  // (Spaces in a data URL should be escaped, which is handled below, so any
-  // spaces now are wrong. People expect to be able to enter them in the URL
-  // bar for text, and it can't hurt, so we allow it.)
-  //
-  // TODO(mmenke): Is removing all spaces reasonable? GURL removes trailing
-  // spaces itself, anyways. Should we just trim leading spaces instead?
-  // Allowing random intermediary spaces seems unnecessary.
-
-  base::StringPiece raw_body(comma + 1, end);
-
-  // For base64, we may have url-escaped whitespace which is not part
-  // of the data, and should be stripped. Otherwise, the escaped whitespace
-  // could be part of the payload, so don't strip it.
-  if (base64_encoded) {
-    std::string unescaped_body = UnescapeBinaryURLComponent(raw_body);
-
-    // Strip spaces, which aren't allowed in Base64 encoding.
-    base::EraseIf(unescaped_body, base::IsAsciiWhitespace<char>);
-
-    size_t length = unescaped_body.length();
-    size_t padding_needed = 4 - (length % 4);
-    // If the input wasn't padded, then we pad it as necessary until we have a
-    // length that is a multiple of 4 as required by our decoder. We don't
-    // correct if the input was incorrectly padded. If |padding_needed| == 3,
-    // then the input isn't well formed and decoding will fail with or without
-    // padding.
-    if ((padding_needed == 1 || padding_needed == 2) &&
-        unescaped_body[length - 1] != '=') {
-      unescaped_body.resize(length + padding_needed, '=');
+  if (data) {
+    // Preserve spaces if dealing with text or xml input, same as mozilla:
+    //   https://bugzilla.mozilla.org/show_bug.cgi?id=138052
+    // but strip them otherwise:
+    //   https://bugzilla.mozilla.org/show_bug.cgi?id=37200
+    // (Spaces in a data URL should be escaped, which is handled below, so any
+    // spaces now are wrong. People expect to be able to enter them in the URL
+    // bar for text, and it can't hurt, so we allow it.)
+    //
+    // TODO(mmenke): Is removing all spaces reasonable? GURL removes trailing
+    // spaces itself, anyways. Should we just trim leading spaces instead?
+    // Allowing random intermediary spaces seems unnecessary.
+
+    base::StringPiece raw_body(comma + 1, end);
+
+    // For base64, we may have url-escaped whitespace which is not part
+    // of the data, and should be stripped. Otherwise, the escaped whitespace
+    // could be part of the payload, so don't strip it.
+    if (base64_encoded) {
+      std::string unescaped_body = UnescapeBinaryURLComponent(raw_body);
+
+      // Strip spaces, which aren't allowed in Base64 encoding.
+      base::EraseIf(unescaped_body, base::IsAsciiWhitespace<char>);
+
+      size_t length = unescaped_body.length();
+      size_t padding_needed = 4 - (length % 4);
+      // If the input wasn't padded, then we pad it as necessary until we have a
+      // length that is a multiple of 4 as required by our decoder. We don't
+      // correct if the input was incorrectly padded. If |padding_needed| == 3,
+      // then the input isn't well formed and decoding will fail with or without
+      // padding.
+      if ((padding_needed == 1 || padding_needed == 2) &&
+          unescaped_body[length - 1] != '=') {
+        unescaped_body.resize(length + padding_needed, '=');
+      }
+      if (!base::Base64Decode(unescaped_body, data))
+        return false;
+    } else {
+      // Strip whitespace for non-text MIME types.
+      std::string temp;
+      if (!(mime_type_value.compare(0, 5, "text/") == 0 ||
+            mime_type_value.find("xml") != std::string::npos)) {
+        temp = raw_body.as_string();
+        base::EraseIf(temp, base::IsAsciiWhitespace<char>);
+        raw_body = temp;
+      }
+
+      *data = UnescapeBinaryURLComponent(raw_body);
     }
-    return base::Base64Decode(unescaped_body, data);
-  }
-
-  // Strip whitespace for non-text MIME types.
-  std::string temp;
-  if (!(mime_type->compare(0, 5, "text/") == 0 ||
-        mime_type->find("xml") != std::string::npos)) {
-    temp = raw_body.as_string();
-    base::EraseIf(temp, base::IsAsciiWhitespace<char>);
-    raw_body = temp;
   }
 
-  *data = UnescapeBinaryURLComponent(raw_body);
+  *mime_type = std::move(mime_type_value);
+  *charset = std::move(charset_value);
   return true;
 }
 
+Error DataURL::BuildResponse(const GURL& url,
+                             base::StringPiece method,
+                             std::string* mime_type,
+                             std::string* charset,
+                             std::string* data,
+                             scoped_refptr<HttpResponseHeaders>* headers) {
+  DCHECK(data);
+  DCHECK(!*headers);
+
+  if (!DataURL::Parse(url, mime_type, charset, data))
+    return ERR_INVALID_URL;
+
+  // |mime_type| set by DataURL::Parse() is guaranteed to be in
+  //     token "/" token
+  // form. |charset| can be an empty string.
+  DCHECK(!mime_type->empty());
+
+  // "charset" in the Content-Type header is specified explicitly to follow
+  // the "token" ABNF in the HTTP spec. When the DataURL::Parse() call is
+  // successful, it's guaranteed that the string in |charset| follows the
+  // "token" ABNF.
+  std::string content_type = *mime_type;
+  if (!charset->empty())
+    content_type.append(";charset=" + *charset);
+  // The terminal double CRLF isn't needed by TryToCreate().
+  *headers = HttpResponseHeaders::TryToCreate(
+      "HTTP/1.1 200 OK\r\n"
+      "Content-Type:" +
+      content_type);
+  // Above line should always succeed - TryToCreate() only fails when there are
+  // nulls in the string, and DataURL::Parse() can't return nulls in anything
+  // but the |data| argument.
+  DCHECK(*headers);
+
+  if (base::EqualsCaseInsensitiveASCII(method, "HEAD"))
+    data->clear();
+
+  return OK;
+}
+
 }  // namespace net
diff --git a/chromium/net/base/data_url.h b/chromium/net/base/data_url.h
index ee9c6d31dbf..2daf6de014c 100644
--- a/chromium/net/base/data_url.h
+++ b/chromium/net/base/data_url.h
@@ -7,12 +7,18 @@
 
 #include <string>
 
+#include "base/compiler_specific.h"
+#include "base/memory/scoped_refptr.h"
+#include "base/strings/string_piece.h"
+#include "net/base/net_errors.h"
 #include "net/base/net_export.h"
 
 class GURL;
 
 namespace net {
 
+class HttpResponseHeaders;
+
 // See RFC 2397 for a complete description of the 'data' URL scheme.
 //
 // Briefly, a 'data' URL has the form:
@@ -31,6 +37,11 @@ class NET_EXPORT DataURL {
  public:
   // This method can be used to parse a 'data' URL into its component pieces.
   //
+  // |mime_type| and |charset| must be non-null and point to empty strings.
+  //
+  // If |data| is null, then the <data> section will not be parsed or validated.
+  // If non-null, it must point to an empty string.
+  //
   // The resulting mime_type is normalized to lowercase.  The data is the
   // decoded data (e.g.., if the data URL specifies base64 encoding, then the
   // returned data is base64 decoded, and any %-escaped bytes are unescaped).
@@ -50,16 +61,25 @@ class NET_EXPORT DataURL {
   // false.
   //
   // If there's any other grammar violation in the URL, then this method will
-  // return false. Output variables may be changed and contain invalid data. On
-  // success, true is returned.
-  //
-  // OPTIONAL: If |data| is NULL, then the <data> section will not be parsed
-  //           or validated.
-  //
+  // return false, and all passed in pointers will be unmodified. On success,
+  // true is returned.
   static bool Parse(const GURL& url,
                     std::string* mime_type,
                     std::string* charset,
-                    std::string* data);
+                    std::string* data) WARN_UNUSED_RESULT;
+
+  // Similar to parse, except that it also generates a bogus set of response
+  // headers, with Content-Type populated, and takes a method. Only the "HEAD"
+  // method modifies the response, resulting in a 0-length body. All arguments
+  // except must be non-null. All std::string pointers must point to empty
+  // strings, and |*headers| must be nullptr. Returns net::OK on success.
+  static Error BuildResponse(const GURL& url,
+                             base::StringPiece method,
+                             std::string* mime_type,
+                             std::string* charset,
+                             std::string* data,
+                             scoped_refptr<HttpResponseHeaders>* headers)
+      WARN_UNUSED_RESULT;
 };
 
 }  // namespace net
diff --git a/chromium/net/base/data_url_fuzzer.cc b/chromium/net/base/data_url_fuzzer.cc
new file mode 100644
index 00000000000..237c794f16d
--- /dev/null
+++ b/chromium/net/base/data_url_fuzzer.cc
@@ -0,0 +1,41 @@
+// Copyright 2019 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "net/base/data_url.h"
+
+#include <stddef.h>
+#include <stdint.h>
+
+#include <fuzzer/FuzzedDataProvider.h>
+
+#include <string>
+
+#include "base/logging.h"
+#include "base/memory/ref_counted.h"
+#include "net/base/net_errors.h"
+#include "net/http/http_response_headers.h"
+#include "url/gurl.h"
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+  FuzzedDataProvider provider(data, size);
+  std::string method = provider.ConsumeRandomLengthString(256);
+  // Don't restrict to data URLs.
+  GURL url(provider.ConsumeRemainingBytesAsString());
+
+  std::string mime_type;
+  std::string charset;
+  std::string body;
+
+  std::string mime_type2;
+  std::string charset2;
+  std::string body2;
+  scoped_refptr<net::HttpResponseHeaders> headers;
+
+  // Run the URL through DataURL::Parse() and DataURL::BuildResponse(). They
+  // should succeed and fail in exactly the same cases.
+  CHECK_EQ(net::DataURL::Parse(url, &mime_type, &charset, &body),
+           net::OK == net::DataURL::BuildResponse(url, method, &mime_type2,
+                                                  &charset2, &body2, &headers));
+  return 0;
+}
diff --git a/chromium/net/base/data_url_unittest.cc b/chromium/net/base/data_url_unittest.cc
index 80d267153de..7471393aa11 100644
--- a/chromium/net/base/data_url_unittest.cc
+++ b/chromium/net/base/data_url_unittest.cc
@@ -3,6 +3,11 @@
 // found in the LICENSE file.
 
 #include "net/base/data_url.h"
+
+#include "base/memory/ref_counted.h"
+#include "net/base/net_errors.h"
+#include "net/http/http_response_headers.h"
+#include "net/http/http_version.h"
 #include "testing/gtest/include/gtest/gtest.h"
 #include "url/gurl.h"
 
@@ -15,7 +20,7 @@ struct ParseTestData {
   bool is_valid;
   const char* mime_type;
   const char* charset;
-  const char* data;
+  const std::string data;
 };
 
 }  // namespace
@@ -131,21 +136,173 @@ TEST(DataURLTest, Parse) {
       {"data:text/plain,this/is/a/test/%23include/#dontinclude", true,
        "text/plain", "", "this/is/a/test/#include/"},
 
-      // TODO(darin): add more interesting tests
+      // More unescaping tests and tests with nulls.
+      {"data:%00text/plain%41,foo", true, "%00text/plain%41", "", "foo"},
+      {"data:text/plain;charset=%00US-ASCII%41,foo", true, "text/plain",
+       "%00US-ASCII%41", "foo"},
+      {"data:text/plain,%00_%41", true, "text/plain", "",
+       std::string("\x00_A", 3)},
+      {"data:text/plain;base64,AA//", true, "text/plain", "",
+       std::string("\x00\x0F\xFF", 3)},
+      // "%62ase64" unescapes to base64, but should not be treated as such.
+      {"data:text/plain;%62ase64,AA//", true, "text/plain", "", "AA//"},
   };
 
   for (const auto& test : tests) {
+    SCOPED_TRACE(test.url);
+
     std::string mime_type;
     std::string charset;
     std::string data;
     bool ok = DataURL::Parse(GURL(test.url), &mime_type, &charset, &data);
     EXPECT_EQ(ok, test.is_valid);
-    if (test.is_valid) {
-      EXPECT_EQ(test.mime_type, mime_type);
-      EXPECT_EQ(test.charset, charset);
-      EXPECT_EQ(test.data, data);
-    }
+    EXPECT_EQ(test.mime_type, mime_type);
+    EXPECT_EQ(test.charset, charset);
+    EXPECT_EQ(test.data, data);
   }
 }
 
+TEST(DataURLTest, BuildResponseSimple) {
+  std::string mime_type;
+  std::string charset;
+  std::string data;
+  scoped_refptr<HttpResponseHeaders> headers;
+
+  ASSERT_EQ(OK, DataURL::BuildResponse(GURL("data:,Hello"), "GET", &mime_type,
+                                       &charset, &data, &headers));
+
+  EXPECT_EQ("text/plain", mime_type);
+  EXPECT_EQ("US-ASCII", charset);
+  EXPECT_EQ("Hello", data);
+
+  ASSERT_TRUE(headers);
+  const HttpVersion& version = headers->GetHttpVersion();
+  EXPECT_EQ(1, version.major_value());
+  EXPECT_EQ(1, version.minor_value());
+  EXPECT_EQ("OK", headers->GetStatusText());
+  std::string value;
+  EXPECT_TRUE(headers->GetNormalizedHeader("Content-Type", &value));
+  EXPECT_EQ(value, "text/plain;charset=US-ASCII");
+  value.clear();
+}
+
+TEST(DataURLTest, BuildResponseHead) {
+  for (const char* method : {"HEAD", "head", "hEaD"}) {
+    SCOPED_TRACE(method);
+
+    std::string mime_type;
+    std::string charset;
+    std::string data;
+    scoped_refptr<HttpResponseHeaders> headers;
+    ASSERT_EQ(OK,
+              DataURL::BuildResponse(GURL("data:,Hello"), method, &mime_type,
+                                     &charset, &data, &headers));
+
+    EXPECT_EQ("text/plain", mime_type);
+    EXPECT_EQ("US-ASCII", charset);
+    EXPECT_EQ("", data);
+
+    ASSERT_TRUE(headers);
+    HttpVersion version = headers->GetHttpVersion();
+    EXPECT_EQ(1, version.major_value());
+    EXPECT_EQ(1, version.minor_value());
+    EXPECT_EQ("OK", headers->GetStatusText());
+    std::string content_type;
+    EXPECT_TRUE(headers->GetNormalizedHeader("Content-Type", &content_type));
+    EXPECT_EQ(content_type, "text/plain;charset=US-ASCII");
+  }
+}
+
+TEST(DataURLTest, BuildResponseInput) {
+  std::string mime_type;
+  std::string charset;
+  std::string data;
+  scoped_refptr<HttpResponseHeaders> headers;
+
+  ASSERT_EQ(ERR_INVALID_URL,
+            DataURL::BuildResponse(GURL("bogus"), "GET", &mime_type, &charset,
+                                   &data, &headers));
+  EXPECT_FALSE(headers);
+  EXPECT_TRUE(mime_type.empty());
+  EXPECT_TRUE(charset.empty());
+  EXPECT_TRUE(data.empty());
+}
+
+TEST(DataURLTest, BuildResponseInvalidMimeType) {
+  std::string mime_type;
+  std::string charset;
+  std::string data;
+  scoped_refptr<HttpResponseHeaders> headers;
+
+  // MIME type contains delimiters. Must be accepted but Content-Type header
+  // should be generated as if the mediatype was text/plain.
+  ASSERT_EQ(OK, DataURL::BuildResponse(GURL("data:f(o/b)r,test"), "GET",
+                                       &mime_type, &charset, &data, &headers));
+
+  ASSERT_TRUE(headers);
+  std::string value;
+  EXPECT_TRUE(headers->GetNormalizedHeader("Content-Type", &value));
+  EXPECT_EQ(value, "text/plain;charset=US-ASCII");
+}
+
+TEST(DataURLTest, InvalidCharset) {
+  std::string mime_type;
+  std::string charset;
+  std::string data;
+  scoped_refptr<HttpResponseHeaders> headers;
+
+  // MIME type contains delimiters. Must be rejected.
+  ASSERT_EQ(ERR_INVALID_URL, DataURL::BuildResponse(
+                                 GURL("data:text/html;charset=(),test"), "GET",
+                                 &mime_type, &charset, &data, &headers));
+  EXPECT_FALSE(headers);
+  EXPECT_TRUE(mime_type.empty());
+  EXPECT_TRUE(charset.empty());
+  EXPECT_TRUE(data.empty());
+}
+
+// Test a slightly larger data URL.
+TEST(DataURLTest, Image) {
+  // Use our nice little Chrome logo.
+  GURL image_url(
+      "data:image/png;base64,"
+      "iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAYAAAAf8/9hAAADVklEQVQ4jX2TfUwUB"
+      "BjG3w1y+HGcd9dxhXR8T4awOccJGgOSWclHImznLkTlSw0DDQXkrmgYgbUYnlQTqQ"
+      "xIEVxitD5UMCATRA1CEEg+Qjw3bWDxIauJv/5oumqs39/P827vnucRmYN0gyF01GI"
+      "5MpCVdW0gO7tvNC+vqSEtbZefk5NuLv1jdJ46p/zw0HeH4+PHr3h7c1mjoV2t5rKz"
+      "Mx1+fg9bAgK6zHq9cU5z+LpA3xOtx34+vTeT21onRuzssC3zxbbSwC13d/pFuC7Ck"
+      "IMDxQpF7r/MWq12UctI1dWWm99ypqSYmRUBdKem8MkrO/kgaTt1O7YzlpzE5GIVd0"
+      "WYUqt57yWf2McHTObYPbVD+ZwbtlLTVMZ3BW+TnLyXLaWtmEq6WJVbT3HBh3Svj2H"
+      "QQcm43XwmtoYM6vVKleh0uoWvnzW3v3MpidruPTQPf0bia7sJOtBM0ufTWNvus/nk"
+      "DFHF9ZS+uYVjRUasMeHUmyLYtcklTvzWGFZnNOXczThvpKIzjcahSqIzkvDLayDq6"
+      "D3eOjtBbNUEIZYyqsvj4V4wY92eNJ4IoyhTbxXX1T5xsV9tm9r4TQwHLiZw/pdDZJ"
+      "ea8TKmsmR/K0uLh/GwnCHghTja6lPhphezPfO5/5MrVvMzNaI3+ERHfrFzPKQukrQ"
+      "GI4d/3EFD/3E2mVNYvi4at7CXWREaxZGD+3hg28zD3gVMd6q5c8GdosynKmSeRuGz"
+      "pjyl1/9UDGtPR5HeaKT8Wjo17WXk579BXVUhN64ehF9fhRtq/uxxZKzNiZFGD0wRC"
+      "3NFROZ5mwIPL/96K/rKMMLrIzF9uhHr+/sYH7DAbwlgC4J+R2Z7FUx1qLnV7MGF40"
+      "smVSoJ/jvHRfYhQeUJd/SnYtGWhPHR0Sz+GE2F2yth0B36Vcz2KpnufBJbsysjjW4"
+      "kblBUiIjiURUWqJY65zxbnTy57GQyH58zgy0QBtTQv5gH15XMdKkYu+TGaJMnlm2O"
+      "34uI4b9tflqp1+QEFGzoW/ulmcofcpkZCYJhDfSpme7QcrHa+Xfji8paEQkTkSfmm"
+      "oRWRNZr/F1KfVMjW+IKEnv2FwZfKdzt0BQR6lClcZR0EfEXEfv/G6W9iLiIyCoReV"
+      "5EnhORIBHx+ufPj/gLB/zGI/G4Bk0AAAAASUVORK5CYII=");
+
+  std::string mime_type;
+  std::string charset;
+  std::string data;
+  scoped_refptr<HttpResponseHeaders> headers;
+
+  EXPECT_EQ(OK, DataURL::BuildResponse(image_url, "GET", &mime_type, &charset,
+                                       &data, &headers));
+
+  EXPECT_EQ(911u, data.size());
+  EXPECT_EQ("image/png", mime_type);
+  EXPECT_TRUE(charset.empty());
+
+  ASSERT_TRUE(headers);
+  std::string value;
+  EXPECT_EQ(headers->GetStatusLine(), "HTTP/1.1 200 OK");
+  EXPECT_TRUE(headers->GetNormalizedHeader("Content-Type", &value));
+  EXPECT_EQ(value, "image/png");
+}
+
 }  // namespace net
diff --git a/chromium/net/base/features.cc b/chromium/net/base/features.cc
index 8746d275d6b..8519a03c03f 100644
--- a/chromium/net/base/features.cc
+++ b/chromium/net/base/features.cc
@@ -10,11 +10,6 @@ namespace features {
 const base::Feature kAcceptLanguageHeader{"AcceptLanguageHeader",
                                           base::FEATURE_ENABLED_BY_DEFAULT};
 
-const base::Feature kCapRefererHeaderLength = {
-    "CapRefererHeaderLength", base::FEATURE_ENABLED_BY_DEFAULT};
-const base::FeatureParam<int> kMaxRefererHeaderLength = {
-    &kCapRefererHeaderLength, "MaxRefererHeaderLength", 4096};
-
 const base::Feature kEnableTLS13EarlyData{"EnableTLS13EarlyData",
                                           base::FEATURE_DISABLED_BY_DEFAULT};
 
@@ -24,6 +19,9 @@ const base::Feature kNetworkQualityEstimator{"NetworkQualityEstimator",
 const base::Feature kSplitCacheByNetworkIsolationKey{
     "SplitCacheByNetworkIsolationKey", base::FEATURE_DISABLED_BY_DEFAULT};
 
+const base::Feature kSplitHostCacheByNetworkIsolationKey{
+    "SplitHostCacheByNetworkIsolationKey", base::FEATURE_DISABLED_BY_DEFAULT};
+
 const base::Feature kPartitionConnectionsByNetworkIsolationKey{
     "PartitionConnectionsByNetworkIsolationKey",
     base::FEATURE_DISABLED_BY_DEFAULT};
@@ -45,6 +43,19 @@ const base::Feature kPostQuantumCECPQ2{"PostQuantumCECPQ2",
 const base::Feature kNetUnusedIdleSocketTimeout{
     "NetUnusedIdleSocketTimeout", base::FEATURE_DISABLED_BY_DEFAULT};
 
+const base::Feature kRequestEsniDnsRecords{"RequestEsniDnsRecords",
+                                           base::FEATURE_DISABLED_BY_DEFAULT};
+base::TimeDelta EsniDnsMaxAbsoluteAdditionalWait() {
+  DCHECK(base::FeatureList::IsEnabled(kRequestEsniDnsRecords));
+  return base::TimeDelta::FromMilliseconds(
+      kEsniDnsMaxAbsoluteAdditionalWaitMilliseconds.Get());
+}
+const base::FeatureParam<int> kEsniDnsMaxAbsoluteAdditionalWaitMilliseconds{
+    &kRequestEsniDnsRecords, "EsniDnsMaxAbsoluteAdditionalWaitMilliseconds",
+    10};
+const base::FeatureParam<int> kEsniDnsMaxRelativeAdditionalWaitPercent{
+    &kRequestEsniDnsRecords, "EsniDnsMaxRelativeAdditionalWaitPercent", 5};
+
 const base::Feature kSameSiteByDefaultCookies{
     "SameSiteByDefaultCookies", base::FEATURE_DISABLED_BY_DEFAULT};
 
@@ -54,15 +65,44 @@ const base::Feature kCookiesWithoutSameSiteMustBeSecure{
 const base::Feature kShortLaxAllowUnsafeThreshold{
     "ShortLaxAllowUnsafeThreshold", base::FEATURE_DISABLED_BY_DEFAULT};
 
+const base::Feature kSameSiteDefaultChecksMethodRigorously{
+    "SameSiteDefaultChecksMethodRigorously", base::FEATURE_DISABLED_BY_DEFAULT};
+
+const base::Feature kRecentHttpSameSiteAccessGrantsLegacyCookieSemantics{
+    "RecentHttpSameSiteAccessGrantsLegacyCookieSemantics",
+    base::FEATURE_DISABLED_BY_DEFAULT};
+const base::FeatureParam<int>
+    kRecentHttpSameSiteAccessGrantsLegacyCookieSemanticsMilliseconds{
+        &kRecentHttpSameSiteAccessGrantsLegacyCookieSemantics,
+        "RecentHttpSameSiteAccessGrantsLegacyCookieSemanticsMilliseconds", 0};
+
+const base::Feature kRecentCreationTimeGrantsLegacyCookieSemantics{
+    "RecentCreationTimeGrantsLegacyCookieSemantics",
+    base::FEATURE_DISABLED_BY_DEFAULT};
+const base::FeatureParam<int>
+    kRecentCreationTimeGrantsLegacyCookieSemanticsMilliseconds{
+        &kRecentCreationTimeGrantsLegacyCookieSemantics,
+        "RecentCreationTimeGrantsLegacyCookieSemanticsMilliseconds", 0};
+
 #if BUILDFLAG(BUILTIN_CERT_VERIFIER_FEATURE_SUPPORTED)
-const base::Feature kCertVerifierBuiltinFeature{
-    "CertVerifierBuiltin", base::FEATURE_DISABLED_BY_DEFAULT};
+const base::Feature kCertVerifierBuiltinFeature {
+  "CertVerifierBuiltin",
+#if defined(OS_CHROMEOS)
+      base::FEATURE_ENABLED_BY_DEFAULT
+#else
+      base::FEATURE_DISABLED_BY_DEFAULT
+#endif
+};
 #endif
 
 const base::Feature kAppendFrameOriginToNetworkIsolationKey{
     "AppendFrameOriginToNetworkIsolationKey",
     base::FEATURE_DISABLED_BY_DEFAULT};
 
+const base::Feature kUseRegistrableDomainInNetworkIsolationKey{
+    "UseRegistrableDomainInNetworkIsolationKey",
+    base::FEATURE_DISABLED_BY_DEFAULT};
+
 const base::Feature kTurnOffStreamingMediaCaching{
     "TurnOffStreamingMediaCaching", base::FEATURE_DISABLED_BY_DEFAULT};
 
diff --git a/chromium/net/base/features.h b/chromium/net/base/features.h
index 58c80c4b38c..974b93febd9 100644
--- a/chromium/net/base/features.h
+++ b/chromium/net/base/features.h
@@ -17,11 +17,6 @@ namespace features {
 // https://github.com/WICG/lang-client-hint proposes that we deprecate.
 NET_EXPORT extern const base::Feature kAcceptLanguageHeader;
 
-// Caps the length of the `referer` header to 4k, which should be enough for
-// anyone.
-NET_EXPORT extern const base::Feature kCapRefererHeaderLength;
-NET_EXPORT extern const base::FeatureParam<int> kMaxRefererHeaderLength;
-
 // Enables TLS 1.3 early data.
 NET_EXPORT extern const base::Feature kEnableTLS13EarlyData;
 
@@ -29,10 +24,15 @@ NET_EXPORT extern const base::Feature kEnableTLS13EarlyData;
 // quality estimator (NQE).
 NET_EXPORT extern const base::Feature kNetworkQualityEstimator;
 
-// Splits cache entries by the request's network isolation key if one is
+// Splits cache entries by the request's NetworkIsolationKey if one is
 // available.
 NET_EXPORT extern const base::Feature kSplitCacheByNetworkIsolationKey;
 
+// Splits host cache entries by the DNS request's NetworkIsolationKey if one is
+// available. Also prevents merging live DNS lookups when there is a NIK
+// mismatch.
+NET_EXPORT extern const base::Feature kSplitHostCacheByNetworkIsolationKey;
+
 // Partitions connections based on the NetworkIsolationKey associated with a
 // request.
 NET_EXPORT extern const base::Feature
@@ -63,11 +63,33 @@ NET_EXPORT extern const base::Feature kPostQuantumCECPQ2;
 // Changes the timeout after which unused sockets idle sockets are cleaned up.
 NET_EXPORT extern const base::Feature kNetUnusedIdleSocketTimeout;
 
+// Enables the built-in resolver requesting ESNI (TLS 1.3 Encrypted
+// Server Name Indication) records alongside IPv4 and IPv6 address records
+// during DNS over HTTPS (DoH) host resolution.
+NET_EXPORT extern const base::Feature kRequestEsniDnsRecords;
+// Returns a TimeDelta of value kEsniDnsMaxAbsoluteAdditionalWaitMilliseconds
+// milliseconds (see immediately below).
+NET_EXPORT base::TimeDelta EsniDnsMaxAbsoluteAdditionalWait();
+// The following two parameters specify the amount of extra time to wait for a
+// long-running ESNI DNS transaction after the successful conclusion of
+// concurrent A and AAAA transactions. This timeout will have value
+// min{kEsniDnsMaxAbsoluteAdditionalWaitMilliseconds,
+//     (100% + kEsniDnsMaxRelativeAdditionalWaitPercent)
+//       * max{time elapsed for the concurrent A query,
+//             time elapsed for the concurrent AAAA query}}.
+NET_EXPORT extern const base::FeatureParam<int>
+    kEsniDnsMaxAbsoluteAdditionalWaitMilliseconds;
+NET_EXPORT extern const base::FeatureParam<int>
+    kEsniDnsMaxRelativeAdditionalWaitPercent;
+
 // When enabled, makes cookies without a SameSite attribute behave like
 // SameSite=Lax cookies by default, and requires SameSite=None to be specified
 // in order to make cookies available in a third-party context. When disabled,
 // the default behavior for cookies without a SameSite attribute specified is no
 // restriction, i.e., available in a third-party context.
+// The "Lax-allow-unsafe" mitigation allows these cookies to be sent on
+// top-level cross-site requests with an unsafe (e.g. POST) HTTP method, if the
+// cookie is no more than 2 minutes old.
 NET_EXPORT extern const base::Feature kSameSiteByDefaultCookies;
 
 // When enabled, cookies without SameSite restrictions that don't specify the
@@ -85,6 +107,36 @@ NET_EXPORT extern const base::Feature kCookiesWithoutSameSiteMustBeSecure;
 // threshold, but which would not be practical to run for 2 minutes.
 NET_EXPORT extern const base::Feature kShortLaxAllowUnsafeThreshold;
 
+// When enabled, the SameSite by default feature does not add the
+// "Lax-allow-unsafe" behavior. Any cookies that do not specify a SameSite
+// attribute will be treated as Lax only, i.e. POST and other unsafe HTTP
+// methods will not be allowed at all for top-level cross-site navigations.
+// This only has an effect if the cookie defaults to SameSite=Lax.
+NET_EXPORT extern const base::Feature kSameSiteDefaultChecksMethodRigorously;
+
+// If this is set and has a non-zero param value, any access to a cookie will be
+// granted Legacy access semantics if the last access to a cookie with the same
+// (name, domain, path) from a context that is same-site and permits
+// HttpOnly access occurred less than (param value) milliseconds ago. The last
+// eligible access must have occurred in the current browser session (i.e. it
+// does not persist across sessions). This feature does nothing if
+// kCookiesWithoutSameSiteMustBeSecure is not enabled.
+NET_EXPORT extern const base::Feature
+    kRecentHttpSameSiteAccessGrantsLegacyCookieSemantics;
+NET_EXPORT extern const base::FeatureParam<int>
+    kRecentHttpSameSiteAccessGrantsLegacyCookieSemanticsMilliseconds;
+
+// Recently created cookies are granted legacy access semantics. If this is set
+// and has a non-zero integer param value, then for the first (param value)
+// milliseconds after the cookie is created, the cookie will behave as if it
+// were "legacy" i.e. not handled according to SameSiteByDefaultCookies/
+// CookiesWithoutSameSiteMustBeSecure rules.
+// This does nothing if SameSiteByDefaultCookies is not enabled.
+NET_EXPORT extern const base::Feature
+    kRecentCreationTimeGrantsLegacyCookieSemantics;
+NET_EXPORT extern const base::FeatureParam<int>
+    kRecentCreationTimeGrantsLegacyCookieSemanticsMilliseconds;
+
 #if BUILDFLAG(BUILTIN_CERT_VERIFIER_FEATURE_SUPPORTED)
 // When enabled, use the builtin cert verifier instead of the platform verifier.
 NET_EXPORT extern const base::Feature kCertVerifierBuiltinFeature;
@@ -92,6 +144,9 @@ NET_EXPORT extern const base::Feature kCertVerifierBuiltinFeature;
 
 NET_EXPORT extern const base::Feature kAppendFrameOriginToNetworkIsolationKey;
 
+NET_EXPORT extern const base::Feature
+    kUseRegistrableDomainInNetworkIsolationKey;
+
 // Turns off streaming media caching to disk.
 NET_EXPORT extern const base::Feature kTurnOffStreamingMediaCaching;
 
diff --git a/chromium/net/base/filename_util.cc b/chromium/net/base/filename_util.cc
index 642b4122a81..883899bd64d 100644
--- a/chromium/net/base/filename_util.cc
+++ b/chromium/net/base/filename_util.cc
@@ -17,6 +17,7 @@
 #include "net/base/escape.h"
 #include "net/base/filename_util_internal.h"
 #include "net/base/net_string_util.h"
+#include "net/base/url_util.h"
 #include "net/http/http_content_disposition.h"
 #include "url/gurl.h"
 
@@ -69,6 +70,10 @@ bool FileURLToFilePath(const GURL& url, base::FilePath* file_path) {
   if (!url.is_valid())
     return false;
 
+  // We may want to change this to a CHECK in the future.
+  if (!url.SchemeIsFile())
+    return false;
+
 #if defined(OS_WIN)
   std::string path;
   std::string host = url.host();
@@ -89,10 +94,13 @@ bool FileURLToFilePath(const GURL& url, base::FilePath* file_path) {
   }
   std::replace(path.begin(), path.end(), '/', '\\');
 #else  // defined(OS_WIN)
-  // Firefox seems to ignore the "host" of a file url if there is one. That is,
-  // file://foo/bar.txt maps to /bar.txt.
-  // TODO(dhg): This should probably take into account UNCs which could
-  // include a hostname other than localhost or blank
+  // On POSIX, there's no obvious interpretation of file:// URLs with a host.
+  // Usually, remote mounts are still mounted onto the local filesystem.
+  // Therefore, we discard all URLs that are not obviously local to prevent
+  // spoofing attacks using file:// URLs. See crbug.com/881675.
+  if (!url.host().empty() && !net::IsLocalhost(url)) {
+    return false;
+  }
   std::string path = url.path();
 #endif  // !defined(OS_WIN)
 
diff --git a/chromium/net/base/filename_util.h b/chromium/net/base/filename_util.h
index 5956827fcd2..d6b33cc9976 100644
--- a/chromium/net/base/filename_util.h
+++ b/chromium/net/base/filename_util.h
@@ -29,9 +29,9 @@ NET_EXPORT GURL FilePathToFileURL(const base::FilePath& path);
 // invalid or the file path cannot be extracted from |url|.
 // On failure, *file_path will be empty.
 //
-// It is not a requirement that |url| have a file scheme as other URLs may
-// still convert to a file path. One example is on the Windows platform where
-// https://hostname/path/to/file.txt will return \\hostname\path\to\file.txt.
+// Do not call this with a |url| that doesn't have a file:// scheme.
+// The implementation is specific to the platform filesystem, and not
+// applicable to other schemes.
 NET_EXPORT bool FileURLToFilePath(const GURL& url, base::FilePath* file_path);
 
 // Generates a filename using the first successful method from the following (in
diff --git a/chromium/net/base/filename_util_unittest.cc b/chromium/net/base/filename_util_unittest.cc
index 7504279258b..9ad798cbb85 100644
--- a/chromium/net/base/filename_util_unittest.cc
+++ b/chromium/net/base/filename_util_unittest.cc
@@ -232,6 +232,9 @@ TEST(FilenameUtilTest, FileURLConversion) {
 
   // Test that various file: URLs get decoded into the correct file type
   FileCase url_cases[] = {
+    {nullptr, "http://foo/bar.txt"},
+    {nullptr, "http://localhost/foo/bar.txt"},
+    {nullptr, "https://localhost/foo/bar.txt"},
 #if defined(OS_WIN)
     {L"C:\\foo\\bar.txt", "file:c|/foo\\bar.txt"},
     {L"C:\\foo\\bar.txt", "file:/c:/foo/bar.txt"},
@@ -240,7 +243,6 @@ TEST(FilenameUtilTest, FileURLConversion) {
     {L"\\\\foo\\bar.txt", "file:////foo\\bar.txt"},
     {L"\\\\foo\\bar.txt", "file:/foo/bar.txt"},
     {L"\\\\foo\\bar.txt", "file://foo\\bar.txt"},
-    {L"\\\\foo\\bar.txt", "http://foo/bar.txt"},
     {L"C:\\foo\\bar.txt", "file:\\\\\\c:/foo/bar.txt"},
     // %2F ('/') should fail, because it might otherwise be interpreted as a
     // path separator on Windows.
@@ -256,13 +258,15 @@ TEST(FilenameUtilTest, FileURLConversion) {
     {L"C:\\foo\\a=$b.txt", "file:///c:/foo/a%3D%24b.txt"},  // Reserved.
     // Make sure that '+' isn't converted into ' '.
     {L"C:\\foo\\romeo+juliet.txt", "file:/c:/foo/romeo+juliet.txt"},
+    // SAMBA share case.
+    {L"\\\\computername\\ShareName\\Path\\Foo.txt",
+     "file://computername/ShareName/Path/Foo.txt"},
 #elif defined(OS_POSIX) || defined(OS_FUCHSIA)
     {L"/c:/foo/bar.txt", "file:/c:/foo/bar.txt"},
     {L"/c:/foo/bar.txt", "file:///c:/foo/bar.txt"},
     {L"/foo/bar.txt", "file:/foo/bar.txt"},
     {L"/c:/foo/bar.txt", "file:\\\\\\c:/foo/bar.txt"},
     {L"/foo/bar.txt", "file:foo/bar.txt"},
-    {L"/bar.txt", "file://foo/bar.txt"},
     {L"/foo/bar.txt", "file:///foo/bar.txt"},
     {L"/foo/bar.txt", "file:////foo/bar.txt"},
     {L"/foo/bar.txt", "file:////foo//bar.txt"},
@@ -282,9 +286,19 @@ TEST(FilenameUtilTest, FileURLConversion) {
     // Make sure that '+' isn't converted into ' '.
     {L"/foo/romeo+juliet.txt", "file:///foo/romeo+juliet.txt"},
     // Backslashes in a file URL are normalized as forward slashes.
-    {L"/bar.txt", "file://foo\\bar.txt"},
+    {L"/bar.txt", "file://\\bar.txt"},
     {L"/c|/foo/bar.txt", "file:c|/foo\\bar.txt"},
     {L"/foo/bar.txt", "file:////foo\\bar.txt"},
+    // Accept obviously-local file URLs.
+    {L"/foo/bar.txt", "file:///foo/bar.txt"},
+    {L"/foo/bar.txt", "file://localhost/foo/bar.txt"},
+    {L"/foo/bar.txt", "file://127.0.0.1/foo/bar.txt"},
+    {L"/foo/bar.txt", "file://[::1]/foo/bar.txt"},
+    // Reject non-local file URLs.
+    {nullptr, "file://foo/bar.txt"},
+    {nullptr, "file://example.com/bar.txt"},
+    {nullptr, "file://192.168.1.1/foo/bar.txt"},
+    {nullptr, "file://[2001:0db8:85a3:0000:0000:8a2e:0370:7334]/foo/bar.txt"},
 #endif
   };
   for (const auto& test_case : url_cases) {
diff --git a/chromium/net/base/hex_utils.cc b/chromium/net/base/hex_utils.cc
index f6efcbefe16..03a3c2ad977 100644
--- a/chromium/net/base/hex_utils.cc
+++ b/chromium/net/base/hex_utils.cc
@@ -5,22 +5,11 @@
 #include "net/base/hex_utils.h"
 
 #include <algorithm>
-#include <cstdint>
-#include <vector>
 
-#include "base/strings/string_number_conversions.h"
 #include "base/strings/stringprintf.h"
 
 namespace net {
 
-std::string HexDecode(base::StringPiece input) {
-  std::vector<uint8_t> output;
-  std::string result;
-  if (base::HexStringToBytes(input, &output))
-    result.assign(reinterpret_cast<const char*>(&output[0]), output.size());
-  return result;
-}
-
 std::string HexDump(base::StringPiece input) {
   const int kBytesPerLine = 16;  // Maximum bytes dumped per line.
   int offset = 0;
diff --git a/chromium/net/base/hex_utils.h b/chromium/net/base/hex_utils.h
index 3343d6d214c..b09be9b880b 100644
--- a/chromium/net/base/hex_utils.h
+++ b/chromium/net/base/hex_utils.h
@@ -12,11 +12,6 @@
 
 namespace net {
 
-// Return a std::string of binary data represented by the hex string |input|.
-// For example, HexDecode("48656c6c6f20776f726c6421") == "Hello world!"
-// This is the inverse function of base::HexEncode().
-NET_EXPORT_PRIVATE std::string HexDecode(base::StringPiece input);
-
 // Return a std::string containing hex and ASCII representations of the binary
 // buffer |input|, with offsets at the beginning of each line, in the style of
 // hexdump.  Non-printable characters will be shown as '.' in the ASCII output.
diff --git a/chromium/net/base/hex_utils_test.cc b/chromium/net/base/hex_utils_test.cc
index bdf27526cb7..a812be1d2b3 100644
--- a/chromium/net/base/hex_utils_test.cc
+++ b/chromium/net/base/hex_utils_test.cc
@@ -9,13 +9,6 @@ namespace net {
 
 namespace test {
 
-TEST(HexUtilsTest, HexDecode) {
-  EXPECT_EQ("", HexDecode(""));
-  EXPECT_EQ("a", HexDecode("61"));
-  // Mixed case input.
-  EXPECT_EQ("Hello world!", HexDecode("48656c6C6F20776f726C6421"));
-}
-
 TEST(HexUtilsTest, HexDump) {
   EXPECT_EQ("", HexDump(""));
   EXPECT_EQ("0x0000:  4865 6c6c 6f20 776f 726c 6421            Hello.world!\n",
@@ -26,11 +19,11 @@ TEST(HexUtilsTest, HexDump) {
       HexDump("PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"));
   // Verify that 0x21 and 0x7e are printable, 0x20 and 0x7f are not.
   EXPECT_EQ("0x0000:  2021 7e7f                                .!~.\n",
-            HexDump(HexDecode("20217e7f")));
+            HexDump("\x20\x21\x7e\x7f"));
   // Verify that values above numeric_limits<unsigned char>::max() are cast
   // properly on platforms where char is unsigned.
   EXPECT_EQ("0x0000:  90aa ff                                  ...\n",
-            HexDump(HexDecode("90aaff")));
+            HexDump("\x90\xaa\xff"));
 }
 
 }  // namespace test
diff --git a/chromium/net/base/mime_sniffer_perftest.cc b/chromium/net/base/mime_sniffer_perftest.cc
index fc35efdd9bb..69b483f835c 100644
--- a/chromium/net/base/mime_sniffer_perftest.cc
+++ b/chromium/net/base/mime_sniffer_perftest.cc
@@ -72,7 +72,7 @@ const char kRepresentativePlainText[] =
 void RunLooksLikeBinary(const std::string& plaintext, size_t iterations) {
   bool looks_like_binary = false;
   for (size_t i = 0; i < iterations; ++i) {
-    if (LooksLikeBinary(&plaintext[0], plaintext.size()))
+    if (LooksLikeBinary(plaintext.data(), plaintext.size()))
       looks_like_binary = true;
   }
   CHECK(!looks_like_binary);
diff --git a/chromium/net/base/mime_sniffer_unittest.cc b/chromium/net/base/mime_sniffer_unittest.cc
index 9227535c55f..1b42a50c4d1 100644
--- a/chromium/net/base/mime_sniffer_unittest.cc
+++ b/chromium/net/base/mime_sniffer_unittest.cc
@@ -50,7 +50,6 @@ TEST(MimeSnifferTest, SniffableSchemes) {
     {url::kFileScheme, true},
     {url::kFileSystemScheme, true},
     {url::kFtpScheme, false},
-    {url::kGopherScheme, false},
     {url::kHttpScheme, true},
     {url::kHttpsScheme, true},
     {url::kJavaScriptScheme, false},
diff --git a/chromium/net/base/net_error_list.h b/chromium/net/base/net_error_list.h
index 9a36c9780f1..ac7254c31e3 100644
--- a/chromium/net/base/net_error_list.h
+++ b/chromium/net/base/net_error_list.h
@@ -539,13 +539,17 @@ NET_ERROR(CERT_SYMANTEC_LEGACY, -215)
 // -216 was QUIC_CERT_ROOT_NOT_KNOWN which has been renumbered to not be in the
 // certificate error range.
 
+// The certificate is known to be used for interception by an entity other
+// the device owner.
+NET_ERROR(CERT_KNOWN_INTERCEPTION_BLOCKED, -217)
+
 // Add new certificate error codes here.
 //
 // Update the value of CERT_END whenever you add a new certificate error
 // code.
 
 // The value immediately past the last certificate error code.
-NET_ERROR(CERT_END, -217)
+NET_ERROR(CERT_END, -218)
 
 // The URL is invalid.
 NET_ERROR(INVALID_URL, -300)
@@ -850,8 +854,8 @@ NET_ERROR(ADD_USER_CERT_FAILED, -503)
 // An error occurred while handling a signed exchange.
 NET_ERROR(INVALID_SIGNED_EXCHANGE, -504)
 
-// An error occurred while handling a bundled-exchanges source.
-NET_ERROR(INVALID_BUNDLED_EXCHANGES, -505)
+// An error occurred while handling a Web Bundle source.
+NET_ERROR(INVALID_WEB_BUNDLE, -505)
 
 // *** Code -600 is reserved (was FTP_PASV_COMMAND_FAILED). ***
 
@@ -965,5 +969,7 @@ NET_ERROR(DNS_SEARCH_EMPTY, -805)
 // Failed to sort addresses according to RFC3484.
 NET_ERROR(DNS_SORT_ERROR, -806)
 
-// Failed to resolve over HTTP, fallback to legacy
-NET_ERROR(DNS_HTTP_FAILED, -807)
+// Error -807 was removed (DNS_HTTP_FAILED)
+
+// Failed to resolve the hostname of a DNS-over-HTTPS server.
+NET_ERROR(DNS_SECURE_RESOLVER_HOSTNAME_RESOLUTION_FAILED, -808)
diff --git a/chromium/net/base/net_errors_unittest.cc b/chromium/net/base/net_errors_unittest.cc
index 5d9e2f74bc3..10553d4841b 100644
--- a/chromium/net/base/net_errors_unittest.cc
+++ b/chromium/net/base/net_errors_unittest.cc
@@ -28,6 +28,7 @@ TEST(NetErrorsTest, IsCertificateError) {
   EXPECT_TRUE(IsCertificateError(ERR_CERT_WEAK_KEY));
   EXPECT_TRUE(IsCertificateError(ERR_CERT_WEAK_SIGNATURE_ALGORITHM));
   EXPECT_TRUE(IsCertificateError(ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN));
+  EXPECT_TRUE(IsCertificateError(ERR_CERT_KNOWN_INTERCEPTION_BLOCKED));
 
   // Negative tests.
   EXPECT_FALSE(IsCertificateError(ERR_SSL_PROTOCOL_ERROR));
@@ -41,7 +42,7 @@ TEST(NetErrorsTest, IsCertificateError) {
 
   // Trigger a failure whenever ERR_CERT_END is changed, forcing developers to
   // update this test.
-  EXPECT_EQ(ERR_CERT_END, -217)
+  EXPECT_EQ(ERR_CERT_END, -218)
       << "It looks like you added a new certificate error code ("
       << ErrorToString(ERR_CERT_END + 1)
       << ").\n"
diff --git a/chromium/net/base/network_change_notifier.cc b/chromium/net/base/network_change_notifier.cc
index c1336da885f..ac1b3e0ecb9 100644
--- a/chromium/net/base/network_change_notifier.cc
+++ b/chromium/net/base/network_change_notifier.cc
@@ -118,6 +118,7 @@ class NetworkChangeNotifier::NetworkChangeCalculator
   // NetworkChangeNotifier::IPAddressObserver implementation.
   void OnIPAddressChanged() override {
     DCHECK(thread_checker_.CalledOnValidThread());
+    pending_connection_type_ = GetConnectionType();
     base::TimeDelta delay = last_announced_connection_type_ == CONNECTION_NONE
         ? params_.ip_address_offline_delay_ : params_.ip_address_online_delay_;
     // Cancels any previous timer.
@@ -176,20 +177,8 @@ class NetworkChangeNotifier::SystemDnsConfigObserver
   virtual ~SystemDnsConfigObserver() = default;
 
   void OnSystemDnsConfigChanged(base::Optional<DnsConfig> config) override {
-    DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
-
-    if (initial_config_received_) {
-      NotifyObserversOfDNSChange();
-    } else {
-      initial_config_received_ = true;
-      NotifyObserversOfInitialDNSConfigRead();
-    }
+    NotifyObserversOfDNSChange();
   }
-
- private:
-  bool initial_config_received_ = false;
-
-  SEQUENCE_CHECKER(sequence_checker_);
 };
 
 void NetworkChangeNotifier::ClearGlobalPointer() {
@@ -673,12 +662,6 @@ void NetworkChangeNotifier::NotifyObserversOfNetworkChangeForTests(
 }
 
 // static
-void NetworkChangeNotifier::NotifyObserversOfInitialDNSConfigReadForTests() {
-  if (g_network_change_notifier)
-    g_network_change_notifier->NotifyObserversOfInitialDNSConfigReadImpl();
-}
-
-// static
 void NetworkChangeNotifier::NotifyObserversOfMaxBandwidthChangeForTests(
     double max_bandwidth_mbps,
     ConnectionType type) {
@@ -827,14 +810,6 @@ void NetworkChangeNotifier::NotifyObserversOfDNSChange() {
 }
 
 // static
-void NetworkChangeNotifier::NotifyObserversOfInitialDNSConfigRead() {
-  if (g_network_change_notifier &&
-      !NetworkChangeNotifier::test_notifications_only_) {
-    g_network_change_notifier->NotifyObserversOfInitialDNSConfigReadImpl();
-  }
-}
-
-// static
 void NetworkChangeNotifier::NotifyObserversOfSpecificNetworkChange(
     NetworkChangeType type,
     NetworkHandle network) {
@@ -876,11 +851,6 @@ void NetworkChangeNotifier::NotifyObserversOfDNSChangeImpl() {
   resolver_state_observer_list_->Notify(FROM_HERE, &DNSObserver::OnDNSChanged);
 }
 
-void NetworkChangeNotifier::NotifyObserversOfInitialDNSConfigReadImpl() {
-  resolver_state_observer_list_->Notify(FROM_HERE,
-                                        &DNSObserver::OnInitialDNSConfigRead);
-}
-
 void NetworkChangeNotifier::NotifyObserversOfMaxBandwidthChangeImpl(
     double max_bandwidth_mbps,
     ConnectionType type) {
@@ -923,7 +893,4 @@ NetworkChangeNotifier::DisableForTest::~DisableForTest() {
   g_network_change_notifier = network_change_notifier_;
 }
 
-void NetworkChangeNotifier::DNSObserver::OnInitialDNSConfigRead() {
-}
-
 }  // namespace net
diff --git a/chromium/net/base/network_change_notifier.h b/chromium/net/base/network_change_notifier.h
index 575e7e04fff..69e01efa2d0 100644
--- a/chromium/net/base/network_change_notifier.h
+++ b/chromium/net/base/network_change_notifier.h
@@ -146,10 +146,6 @@ class NET_EXPORT NetworkChangeNotifier {
    public:
     // Will be called when the DNS settings of the system may have changed.
     virtual void OnDNSChanged() = 0;
-    // Will be called when DNS settings of the system have been loaded.
-    // NOTE(pauljensen): This will not be called if the initial DNS config
-    // has already been read before this observer is registered.
-    virtual void OnInitialDNSConfigRead();
 
    protected:
     DNSObserver();
@@ -448,7 +444,6 @@ class NET_EXPORT NetworkChangeNotifier {
       ConnectionType type);
   static void NotifyObserversOfDNSChangeForTests();
   static void NotifyObserversOfNetworkChangeForTests(ConnectionType type);
-  static void NotifyObserversOfInitialDNSConfigReadForTests();
   static void NotifyObserversOfMaxBandwidthChangeForTests(
       double max_bandwidth_mbps,
       ConnectionType type);
@@ -547,7 +542,6 @@ class NET_EXPORT NetworkChangeNotifier {
   static void NotifyObserversOfIPAddressChange();
   static void NotifyObserversOfConnectionTypeChange();
   static void NotifyObserversOfDNSChange();
-  static void NotifyObserversOfInitialDNSConfigRead();
   static void NotifyObserversOfNetworkChange(ConnectionType type);
   static void NotifyObserversOfMaxBandwidthChange(double max_bandwidth_mbps,
                                                   ConnectionType type);
@@ -578,7 +572,6 @@ class NET_EXPORT NetworkChangeNotifier {
   void NotifyObserversOfIPAddressChangeImpl();
   void NotifyObserversOfConnectionTypeChangeImpl(ConnectionType type);
   void NotifyObserversOfDNSChangeImpl();
-  void NotifyObserversOfInitialDNSConfigReadImpl();
   void NotifyObserversOfNetworkChangeImpl(ConnectionType type);
   void NotifyObserversOfMaxBandwidthChangeImpl(double max_bandwidth_mbps,
                                                ConnectionType type);
diff --git a/chromium/net/base/network_change_notifier_fuchsia.cc b/chromium/net/base/network_change_notifier_fuchsia.cc
index 6a7398a96e3..a6d67e35f42 100644
--- a/chromium/net/base/network_change_notifier_fuchsia.cc
+++ b/chromium/net/base/network_change_notifier_fuchsia.cc
@@ -50,7 +50,9 @@ NetworkChangeNotifierFuchsia::NetworkChangeNotifierFuchsia(
   std::vector<fuchsia::netstack::RouteTableEntry> routes;
   status = sync_netstack->GetRouteTable(&routes);
   ZX_CHECK(status == ZX_OK, status) << "synchronous GetInterfaces()";
-  OnRouteTableReceived(std::move(interfaces), std::move(routes), false);
+  // This will Notify internal observers like the NetworkChangeCalculator
+  // to be properly updated.
+  OnRouteTableReceived(std::move(interfaces), std::move(routes));
 
   // Re-wrap Netstack back into an asynchronous pointer.
   netstack_.Bind(sync_netstack.Unbind());
@@ -83,15 +85,13 @@ void NetworkChangeNotifierFuchsia::ProcessInterfaceList(
   netstack_->GetRouteTable(
       [this, interfaces = std::move(interfaces)](
           std::vector<fuchsia::netstack::RouteTableEntry> route_table) mutable {
-        OnRouteTableReceived(std::move(interfaces), std::move(route_table),
-                             true);
+        OnRouteTableReceived(std::move(interfaces), std::move(route_table));
       });
 }
 
 void NetworkChangeNotifierFuchsia::OnRouteTableReceived(
     std::vector<fuchsia::netstack::NetInterface> interfaces,
-    std::vector<fuchsia::netstack::RouteTableEntry> route_table,
-    bool notify_observers) {
+    std::vector<fuchsia::netstack::RouteTableEntry> route_table) {
   // Create a set of NICs that have default routes (ie 0.0.0.0).
   base::flat_set<uint32_t> default_route_ids;
   for (const auto& route : route_table) {
@@ -142,14 +142,12 @@ void NetworkChangeNotifierFuchsia::OnRouteTableReceived(
 
   if (addresses != cached_addresses_) {
     std::swap(cached_addresses_, addresses);
-    if (notify_observers)
-      NotifyObserversOfIPAddressChange();
+    NotifyObserversOfIPAddressChange();
   }
 
   if (connection_type != cached_connection_type_) {
     base::subtle::Release_Store(&cached_connection_type_, connection_type);
-    if (notify_observers)
-      NotifyObserversOfConnectionTypeChange();
+    NotifyObserversOfConnectionTypeChange();
   }
 }
 
diff --git a/chromium/net/base/network_change_notifier_fuchsia.h b/chromium/net/base/network_change_notifier_fuchsia.h
index 7fddead7682..c7301983da5 100644
--- a/chromium/net/base/network_change_notifier_fuchsia.h
+++ b/chromium/net/base/network_change_notifier_fuchsia.h
@@ -51,8 +51,7 @@ class NET_EXPORT_PRIVATE NetworkChangeNotifierFuchsia
   // connection type changes are detected.
   void OnRouteTableReceived(
       std::vector<fuchsia::netstack::NetInterface> interfaces,
-      std::vector<fuchsia::netstack::RouteTableEntry> table,
-      bool notify_observers);
+      std::vector<fuchsia::netstack::RouteTableEntry> table);
 
   // Bitmap of required features for an interface to be taken into account. The
   // features are defined in fuchsia::hardware::ethernet.
diff --git a/chromium/net/base/network_change_notifier_fuchsia_unittest.cc b/chromium/net/base/network_change_notifier_fuchsia_unittest.cc
index 7c07a3264a1..6a1d59bc98e 100644
--- a/chromium/net/base/network_change_notifier_fuchsia_unittest.cc
+++ b/chromium/net/base/network_change_notifier_fuchsia_unittest.cc
@@ -201,6 +201,12 @@ class MockIPAddressObserver : public NetworkChangeNotifier::IPAddressObserver {
   MOCK_METHOD0(OnIPAddressChanged, void());
 };
 
+class MockNetworkChangeObserver
+    : public NetworkChangeNotifier::NetworkChangeObserver {
+ public:
+  MOCK_METHOD1(OnNetworkChanged, void(NetworkChangeNotifier::ConnectionType));
+};
+
 }  // namespace
 
 class NetworkChangeNotifierFuchsiaTest : public testing::Test {
@@ -253,6 +259,8 @@ class NetworkChangeNotifierFuchsiaTest : public testing::Test {
       base::test::SingleThreadTaskEnvironment::MainThreadType::IO};
   testing::StrictMock<MockConnectionTypeObserver> observer_;
   testing::StrictMock<MockIPAddressObserver> ip_observer_;
+  testing::StrictMock<MockNetworkChangeObserver> network_change_observer_;
+
   fuchsia::netstack::NetstackPtr netstack_ptr_;
   FakeNetstackAsync netstack_;
 
@@ -273,6 +281,32 @@ TEST_F(NetworkChangeNotifierFuchsiaTest, InitialState) {
             notifier_->GetCurrentConnectionType());
 }
 
+TEST_F(NetworkChangeNotifierFuchsiaTest, NotifyNetworkChangeOnInitialIPChange) {
+  netstack_.PushInterface(
+      CreateNetInterface(kDefaultNic, fuchsia::netstack::NetInterfaceFlagUp,
+                         fuchsia::hardware::ethernet::INFO_FEATURE_WLAN,
+                         CreateIPv4Address(169, 254, 0, 1),
+                         CreateIPv4Address(255, 255, 255, 0), {}));
+  CreateNotifier();
+  // Add and remove network_change_observer_ since it's only used in this method
+  // gtest gives warnings on unused mocks if put into setup/teardown.
+  NetworkChangeNotifier::AddNetworkChangeObserver(&network_change_observer_);
+  EXPECT_CALL(network_change_observer_,
+              OnNetworkChanged(NetworkChangeNotifier::CONNECTION_NONE));
+  EXPECT_CALL(network_change_observer_,
+              OnNetworkChanged(NetworkChangeNotifier::CONNECTION_WIFI));
+  EXPECT_CALL(ip_observer_, OnIPAddressChanged());
+  // Changing the IP address will now trigger network change as well since it is
+  // currently out of sync
+  netstack_.PushInterface(CreateNetInterface(
+      kDefaultNic, fuchsia::netstack::NetInterfaceFlagUp,
+      fuchsia::hardware::ethernet::INFO_FEATURE_WLAN,
+      CreateIPv4Address(10, 0, 0, 1), CreateIPv4Address(255, 255, 0, 0), {}));
+  NetstackNotifyInterfacesAndWaitForGetRouteTable();
+
+  NetworkChangeNotifier::RemoveNetworkChangeObserver(&network_change_observer_);
+}
+
 TEST_F(NetworkChangeNotifierFuchsiaTest, NoChange) {
   netstack_.PushInterface(
       CreateNetInterface(kDefaultNic, fuchsia::netstack::NetInterfaceFlagUp, 0,
diff --git a/chromium/net/base/network_change_notifier_linux.cc b/chromium/net/base/network_change_notifier_linux.cc
index 9fae1e4692b..abc274249d9 100644
--- a/chromium/net/base/network_change_notifier_linux.cc
+++ b/chromium/net/base/network_change_notifier_linux.cc
@@ -8,7 +8,6 @@
 #include "base/bind_helpers.h"
 #include "base/compiler_specific.h"
 #include "base/macros.h"
-#include "base/message_loop/message_loop.h"
 #include "base/sequenced_task_runner.h"
 #include "base/task/post_task.h"
 #include "base/task/task_traits.h"
diff --git a/chromium/net/base/network_change_notifier_mac.cc b/chromium/net/base/network_change_notifier_mac.cc
index c082e84822e..91cf418ef43 100644
--- a/chromium/net/base/network_change_notifier_mac.cc
+++ b/chromium/net/base/network_change_notifier_mac.cc
@@ -9,7 +9,6 @@
 
 #include "base/bind.h"
 #include "base/macros.h"
-#include "base/message_loop/message_loop.h"
 #include "base/sequenced_task_runner.h"
 #include "base/task/post_task.h"
 #include "base/task/task_traits.h"
diff --git a/chromium/net/base/network_change_notifier_posix_unittest.cc b/chromium/net/base/network_change_notifier_posix_unittest.cc
index ac9dc3f5571..de4dad832a5 100644
--- a/chromium/net/base/network_change_notifier_posix_unittest.cc
+++ b/chromium/net/base/network_change_notifier_posix_unittest.cc
@@ -109,8 +109,6 @@ class TestDnsObserver : public NetworkChangeNotifier::DNSObserver {
  public:
   void OnDNSChanged() override { dns_changes_++; }
 
-  void OnInitialDNSConfigRead() override { dns_changes_++; }
-
   int dns_changes() const { return dns_changes_; }
 
  private:
diff --git a/chromium/net/base/network_change_notifier_unittest.cc b/chromium/net/base/network_change_notifier_unittest.cc
index 2f472102c3c..8cf9e95b074 100644
--- a/chromium/net/base/network_change_notifier_unittest.cc
+++ b/chromium/net/base/network_change_notifier_unittest.cc
@@ -201,8 +201,6 @@ class TestDnsObserver : public NetworkChangeNotifier::DNSObserver {
  public:
   void OnDNSChanged() override { ++dns_changed_calls_; }
 
-  void OnInitialDNSConfigRead() override { ++dns_changed_calls_; }
-
   int dns_changed_calls() const { return dns_changed_calls_; }
 
  private:
diff --git a/chromium/net/base/network_delegate.cc b/chromium/net/base/network_delegate.cc
index cecc0fb62d8..d8ffe8bf396 100644
--- a/chromium/net/base/network_delegate.cc
+++ b/chromium/net/base/network_delegate.cc
@@ -61,14 +61,15 @@ int NetworkDelegate::NotifyHeadersReceived(
     const HttpResponseHeaders* original_response_headers,
     scoped_refptr<HttpResponseHeaders>* override_response_headers,
     const IPEndPoint& endpoint,
-    GURL* allowed_unsafe_redirect_url) {
+    base::Optional<GURL>* preserve_fragment_on_redirect_url) {
   TRACE_EVENT0(NetTracingCategory(), "NetworkDelegate::NotifyHeadersReceived");
   DCHECK_CALLED_ON_VALID_THREAD(thread_checker_);
   DCHECK(original_response_headers);
   DCHECK(!callback.is_null());
+  DCHECK(!preserve_fragment_on_redirect_url->has_value());
   return OnHeadersReceived(request, std::move(callback),
                            original_response_headers, override_response_headers,
-                           endpoint, allowed_unsafe_redirect_url);
+                           endpoint, preserve_fragment_on_redirect_url);
 }
 
 void NetworkDelegate::NotifyResponseStarted(URLRequest* request,
diff --git a/chromium/net/base/network_delegate.h b/chromium/net/base/network_delegate.h
index fc35ecc4f06..514c121c2c7 100644
--- a/chromium/net/base/network_delegate.h
+++ b/chromium/net/base/network_delegate.h
@@ -11,6 +11,7 @@
 #include <string>
 
 #include "base/callback.h"
+#include "base/optional.h"
 #include "base/strings/string16.h"
 #include "base/threading/thread_checker.h"
 #include "net/base/auth.h"
@@ -68,7 +69,7 @@ class NET_EXPORT NetworkDelegate {
       const HttpResponseHeaders* original_response_headers,
       scoped_refptr<HttpResponseHeaders>* override_response_headers,
       const IPEndPoint& remote_endpoint,
-      GURL* allowed_unsafe_redirect_url);
+      base::Optional<GURL>* preserve_fragment_on_redirect_url);
   void NotifyBeforeRedirect(URLRequest* request,
                             const GURL& new_location);
   void NotifyResponseStarted(URLRequest* request, int net_error);
@@ -169,9 +170,9 @@ class NET_EXPORT NetworkDelegate {
   // to new values, that should be considered as overriding
   // |original_response_headers|.
   // If the response is a redirect, and the Location response header value is
-  // identical to |allowed_unsafe_redirect_url|, then the redirect is never
-  // blocked and the reference fragment is not copied from the original URL
-  // to the redirection target.
+  // identical to |preserve_fragment_on_redirect_url|, then the redirect is
+  // never blocked and the reference fragment is not copied from the original
+  // URL to the redirection target.
   //
   // Returns OK to continue with the request, ERR_IO_PENDING if the result is
   // not ready yet, and any other status code to cancel the request. If
@@ -179,15 +180,15 @@ class NET_EXPORT NetworkDelegate {
   // however, that a pending operation may be cancelled by
   // OnURLRequestDestroyed. Once cancelled, |request|,
   // |original_response_headers|, |override_response_headers|, and
-  // |allowed_unsafe_redirect_url| become invalid and |callback| may not be
-  // called.
+  // |preserve_fragment_on_redirect_url| become invalid and |callback| may not
+  // be called.
   virtual int OnHeadersReceived(
       URLRequest* request,
       CompletionOnceCallback callback,
       const HttpResponseHeaders* original_response_headers,
       scoped_refptr<HttpResponseHeaders>* override_response_headers,
       const IPEndPoint& remote_endpoint,
-      GURL* allowed_unsafe_redirect_url) = 0;
+      base::Optional<GURL>* preserve_fragment_on_redirect_url) = 0;
 
   // Called right after a redirect response code was received. |new_location| is
   // only valid for the duration of the call.
diff --git a/chromium/net/base/network_delegate_impl.cc b/chromium/net/base/network_delegate_impl.cc
index 398fb5f1efa..c50ed3dc206 100644
--- a/chromium/net/base/network_delegate_impl.cc
+++ b/chromium/net/base/network_delegate_impl.cc
@@ -33,7 +33,7 @@ int NetworkDelegateImpl::OnHeadersReceived(
     const HttpResponseHeaders* original_response_headers,
     scoped_refptr<HttpResponseHeaders>* override_response_headers,
     const IPEndPoint& endpoint,
-    GURL* allowed_unsafe_redirect_url) {
+    base::Optional<GURL>* preserve_fragment_on_redirect_url) {
   return OK;
 }
 
diff --git a/chromium/net/base/network_delegate_impl.h b/chromium/net/base/network_delegate_impl.h
index 857fb29ec9e..5f7bf903420 100644
--- a/chromium/net/base/network_delegate_impl.h
+++ b/chromium/net/base/network_delegate_impl.h
@@ -9,6 +9,7 @@
 
 #include <set>
 
+#include "base/optional.h"
 #include "base/strings/string16.h"
 #include "net/base/completion_once_callback.h"
 #include "net/base/net_export.h"
@@ -54,7 +55,7 @@ class NET_EXPORT NetworkDelegateImpl : public NetworkDelegate {
       const HttpResponseHeaders* original_response_headers,
       scoped_refptr<HttpResponseHeaders>* override_response_headers,
       const IPEndPoint& endpoint,
-      GURL* allowed_unsafe_redirect_url) override;
+      base::Optional<GURL>* preserve_fragment_on_redirect_url) override;
 
   void OnBeforeRedirect(URLRequest* request, const GURL& new_location) override;
 
diff --git a/chromium/net/base/network_interfaces_posix.cc b/chromium/net/base/network_interfaces_posix.cc
index cb7c61c9a88..9f7681d8acd 100644
--- a/chromium/net/base/network_interfaces_posix.cc
+++ b/chromium/net/base/network_interfaces_posix.cc
@@ -4,7 +4,6 @@
 
 #include "net/base/network_interfaces_posix.h"
 
-#include <net/if.h>
 #include <netinet/in.h>
 #include <sys/types.h>
 
diff --git a/chromium/net/base/network_isolation_key.cc b/chromium/net/base/network_isolation_key.cc
index 0d88dbf9c6e..e53a7ca5b6d 100644
--- a/chromium/net/base/network_isolation_key.cc
+++ b/chromium/net/base/network_isolation_key.cc
@@ -5,9 +5,13 @@
 #include <string>
 
 #include "base/feature_list.h"
+#include "base/values.h"
 #include "net/base/features.h"
 #include "net/base/network_isolation_key.h"
+#include "net/base/registry_controlled_domains/registry_controlled_domain.h"
 #include "url/gurl.h"
+#include "url/origin.h"
+#include "url/url_constants.h"
 
 namespace net {
 
@@ -17,15 +21,52 @@ std::string GetOriginDebugString(const base::Optional<url::Origin>& origin) {
   return origin ? origin->GetDebugString() : "null";
 }
 
+// If |origin| has a value and represents an HTTP or HTTPS scheme, replace its
+// host with its registerable domain if possible, and replace its port with the
+// standard port for its scheme. Otherwise, does nothing. WS and WSS origins are
+// not modified, as they shouldn't be used meaningfully for NIKs, though trying
+// to navigate to a WS URL may generate such a NIK.
+void SwitchToRegistrableDomainAndRemovePort(
+    base::Optional<url::Origin>* origin) {
+  if (!origin->has_value())
+    return;
+
+  if ((*origin)->scheme() != url::kHttpsScheme &&
+      (*origin)->scheme() != url::kHttpScheme) {
+    return;
+  }
+
+  // scheme() returns the empty string for opaque origins.
+  DCHECK(!(*origin)->opaque());
+
+  std::string registrable_domain = GetDomainAndRegistry(
+      (*origin)->host(),
+      net::registry_controlled_domains::INCLUDE_PRIVATE_REGISTRIES);
+  // GetDomainAndRegistry() returns an empty string for IP literals and
+  // effective TLDs.
+  if (registrable_domain.empty())
+    registrable_domain = (*origin)->host();
+  *origin = url::Origin::CreateFromNormalizedTuple(
+      (*origin)->scheme(), registrable_domain,
+      url::DefaultPortForScheme((*origin)->scheme().c_str(),
+                                (*origin)->scheme().length()));
+}
+
 }  // namespace
 
 NetworkIsolationKey::NetworkIsolationKey(const url::Origin& top_frame_origin,
                                          const url::Origin& frame_origin)
     : use_frame_origin_(base::FeatureList::IsEnabled(
           net::features::kAppendFrameOriginToNetworkIsolationKey)),
-      top_frame_origin_(top_frame_origin) {
+      top_frame_origin_(top_frame_origin),
+      original_top_frame_origin_(top_frame_origin) {
   if (use_frame_origin_) {
     frame_origin_ = frame_origin;
+    original_frame_origin_ = frame_origin;
+  }
+  if (base::FeatureList::IsEnabled(
+          net::features::kUseRegistrableDomainInNetworkIsolationKey)) {
+    ReplaceOriginsWithRegistrableDomains();
   }
 }
 
@@ -44,6 +85,18 @@ NetworkIsolationKey& NetworkIsolationKey::operator=(
 NetworkIsolationKey& NetworkIsolationKey::operator=(
     NetworkIsolationKey&& network_isolation_key) = default;
 
+NetworkIsolationKey NetworkIsolationKey::CreateTransient() {
+  url::Origin opaque_origin;
+  return NetworkIsolationKey(opaque_origin, opaque_origin);
+}
+
+NetworkIsolationKey NetworkIsolationKey::CreateWithNewFrameOrigin(
+    const url::Origin& new_frame_origin) const {
+  if (!top_frame_origin_)
+    return NetworkIsolationKey();
+  return NetworkIsolationKey(top_frame_origin_.value(), new_frame_origin);
+}
+
 std::string NetworkIsolationKey::ToString() const {
   if (IsTransient())
     return "";
@@ -99,7 +152,7 @@ bool NetworkIsolationKey::FromValue(
   if (value.type() != base::Value::Type::LIST)
     return false;
 
-  base::span<const base::Value> list = value.GetList();
+  base::Value::ConstListView list = value.GetList();
   if (list.empty()) {
     *network_isolation_key = NetworkIsolationKey();
     return true;
@@ -143,4 +196,9 @@ bool NetworkIsolationKey::IsEmpty() const {
   return !top_frame_origin_.has_value() && !frame_origin_.has_value();
 }
 
+void NetworkIsolationKey::ReplaceOriginsWithRegistrableDomains() {
+  SwitchToRegistrableDomainAndRemovePort(&top_frame_origin_);
+  SwitchToRegistrableDomainAndRemovePort(&frame_origin_);
+}
+
 }  // namespace net
diff --git a/chromium/net/base/network_isolation_key.h b/chromium/net/base/network_isolation_key.h
index 9fde9c53a7a..488860702f1 100644
--- a/chromium/net/base/network_isolation_key.h
+++ b/chromium/net/base/network_isolation_key.h
@@ -7,6 +7,7 @@
 
 #include <string>
 
+#include "base/gtest_prod_util.h"
 #include "base/macros.h"
 #include "base/optional.h"
 #include "base/values.h"
@@ -35,6 +36,23 @@ class NET_EXPORT NetworkIsolationKey {
       const NetworkIsolationKey& network_isolation_key);
   NetworkIsolationKey& operator=(NetworkIsolationKey&& network_isolation_key);
 
+  // Creates a transient non-empty NetworkIsolationKey by creating an opaque
+  // origin. This prevents the NetworkIsolationKey from sharing data with other
+  // NetworkIsolationKeys. Data for transient NetworkIsolationKeys is not
+  // persisted to disk.
+  static NetworkIsolationKey CreateTransient();
+
+  // Creates a new key using |top_frame_origin_| and |new_frame_origin|.
+  NetworkIsolationKey CreateWithNewFrameOrigin(
+      const url::Origin& new_frame_origin) const;
+
+  // Intended for temporary use in locations that should be using a non-empty
+  // NetworkIsolationKey(), but are not yet. This both reduces the chance of
+  // accidentally copying the lack of a NIK where one should be used, and
+  // provides a reasonable way of locating callsites that need to have their
+  // NetworkIsolationKey filled in.
+  static NetworkIsolationKey Todo() { return NetworkIsolationKey(); }
+
   // Compare keys for equality, true if all enabled fields are equal.
   bool operator==(const NetworkIsolationKey& other) const {
     return top_frame_origin_ == other.top_frame_origin_ &&
@@ -70,13 +88,20 @@ class NET_EXPORT NetworkIsolationKey {
   // disk related to it (e.g., disk cache).
   bool IsTransient() const;
 
-  // APIs for serialization to and from the mojo structure.
+  // Getters for the original top frame and frame origins used as inputs to
+  // construct |this|. This could return different values from what the
+  // isolation key eventually uses based on whether the NIK uses eTLD+1 or not.
+  // WARNING(crbug.com/1032081): Note that these might not return the correct
+  // value associated with a request if the NIK on which this is called is from
+  // a component using multiple requests mapped to the same NIK.
   const base::Optional<url::Origin>& GetTopFrameOrigin() const {
-    return top_frame_origin_;
+    DCHECK_EQ(original_top_frame_origin_.has_value(),
+              top_frame_origin_.has_value());
+    return original_top_frame_origin_;
   }
-
   const base::Optional<url::Origin>& GetFrameOrigin() const {
-    return frame_origin_;
+    DCHECK_EQ(original_frame_origin_.has_value(), frame_origin_.has_value());
+    return original_frame_origin_;
   }
 
   // Returns true if all parts of the key are empty.
@@ -96,14 +121,25 @@ class NET_EXPORT NetworkIsolationKey {
       WARN_UNUSED_RESULT;
 
  private:
+  FRIEND_TEST_ALL_PREFIXES(NetworkIsolationKeyWithFrameOriginTest,
+                           UseRegistrableDomain);
+
+  void ReplaceOriginsWithRegistrableDomains();
+
   // Whether or not to use the |frame_origin_| as part of the key.
   bool use_frame_origin_;
 
-  // The origin of the top frame of the page making the request.
+  // The origin/etld+1 of the top frame of the page making the request.
   base::Optional<url::Origin> top_frame_origin_;
 
-  // The origin of the frame that initiates the request.
+  // The original top frame origin sent to the constructor of this request.
+  base::Optional<url::Origin> original_top_frame_origin_;
+
+  // The origin/etld+1 of the frame that initiates the request.
   base::Optional<url::Origin> frame_origin_;
+
+  // The original frame origin sent to the constructor of this request.
+  base::Optional<url::Origin> original_frame_origin_;
 };
 
 }  // namespace net
diff --git a/chromium/net/base/network_isolation_key_unittest.cc b/chromium/net/base/network_isolation_key_unittest.cc
index 295c755ee3e..43b3f19cde7 100644
--- a/chromium/net/base/network_isolation_key_unittest.cc
+++ b/chromium/net/base/network_isolation_key_unittest.cc
@@ -11,10 +11,15 @@
 #include "testing/gtest/include/gtest/gtest.h"
 #include "url/gurl.h"
 #include "url/origin.h"
+#include "url/url_util.h"
 
 namespace net {
 
 TEST(NetworkIsolationKeyTest, EmptyKey) {
+  base::test::ScopedFeatureList feature_list;
+  feature_list.InitAndDisableFeature(
+      features::kAppendFrameOriginToNetworkIsolationKey);
+
   NetworkIsolationKey key;
   EXPECT_FALSE(key.IsFullyPopulated());
   EXPECT_EQ(std::string(), key.ToString());
@@ -23,6 +28,10 @@ TEST(NetworkIsolationKeyTest, EmptyKey) {
 }
 
 TEST(NetworkIsolationKeyTest, NonEmptyKey) {
+  base::test::ScopedFeatureList feature_list;
+  feature_list.InitAndDisableFeature(
+      features::kAppendFrameOriginToNetworkIsolationKey);
+
   url::Origin origin = url::Origin::Create(GURL("http://a.test/"));
   NetworkIsolationKey key(origin, origin);
   EXPECT_TRUE(key.IsFullyPopulated());
@@ -114,23 +123,11 @@ TEST(NetworkIsolationKeyTest, UniqueOriginOperators) {
   EXPECT_TRUE(!(key1 < key2) || !(key2 < key1));
 }
 
-TEST(NetworkIsolationKeyTest, WithFrameOrigin) {
-  const auto kOriginA = url::Origin::Create(GURL("http://a.test"));
-  const auto kOriginB = url::Origin::Create(GURL("http://b.test"));
-  NetworkIsolationKey key1(kOriginB, kOriginB);
-  NetworkIsolationKey key2(kOriginB, kOriginA);
-  EXPECT_TRUE(key2.IsFullyPopulated());
-  EXPECT_FALSE(key2.IsTransient());
-  EXPECT_EQ("http://b.test", key2.ToString());
-  EXPECT_EQ("http://b.test", key2.ToDebugString());
-
-  EXPECT_TRUE(key1 == key2);
-  EXPECT_FALSE(key1 != key2);
-  EXPECT_FALSE(key1 < key2);
-  EXPECT_FALSE(key2 < key1);
-}
+TEST(NetworkIsolationKeyTest, KeyWithOpaqueFrameOrigin) {
+  base::test::ScopedFeatureList feature_list;
+  feature_list.InitAndDisableFeature(
+      features::kAppendFrameOriginToNetworkIsolationKey);
 
-TEST(NetworkIsolationKeyTest, OpaqueOriginKeyWithFrameOrigin) {
   url::Origin origin_data =
       url::Origin::Create(GURL("data:text/html,<body>Hello World</body>"));
 
@@ -169,7 +166,7 @@ TEST(NetworkIsolationKeyTest, ValueRoundTripEmpty) {
 
   base::test::ScopedFeatureList feature_list;
   feature_list.InitAndEnableFeature(
-      net::features::kAppendFrameOriginToNetworkIsolationKey);
+      features::kAppendFrameOriginToNetworkIsolationKey);
 
   NetworkIsolationKey frame_origin_key;
   base::Value frame_origin_value;
@@ -185,6 +182,9 @@ TEST(NetworkIsolationKeyTest, ValueRoundTripEmpty) {
 }
 
 TEST(NetworkIsolationKeyTest, ValueRoundTripNoFrameOrigin) {
+  base::test::ScopedFeatureList feature_list;
+  feature_list.InitAndDisableFeature(
+      features::kAppendFrameOriginToNetworkIsolationKey);
   const url::Origin kJunkOrigin =
       url::Origin::Create(GURL("data:text/html,junk"));
 
@@ -198,9 +198,9 @@ TEST(NetworkIsolationKeyTest, ValueRoundTripNoFrameOrigin) {
   EXPECT_TRUE(NetworkIsolationKey::FromValue(value, &key2));
   EXPECT_EQ(key1, key2);
 
-  base::test::ScopedFeatureList feature_list;
+  feature_list.Reset();
   feature_list.InitAndEnableFeature(
-      net::features::kAppendFrameOriginToNetworkIsolationKey);
+      features::kAppendFrameOriginToNetworkIsolationKey);
 
   // Loading should fail when frame origins are enabled.
   EXPECT_FALSE(NetworkIsolationKey::FromValue(value, &key2));
@@ -212,7 +212,7 @@ TEST(NetworkIsolationKeyTest, ValueRoundTripFrameOrigin) {
 
   base::test::ScopedFeatureList feature_list;
   feature_list.InitAndEnableFeature(
-      net::features::kAppendFrameOriginToNetworkIsolationKey);
+      features::kAppendFrameOriginToNetworkIsolationKey);
 
   NetworkIsolationKey key1(url::Origin::Create(GURL("https://foo.test/")),
                            url::Origin::Create(GURL("https://foo.test/")));
@@ -225,6 +225,8 @@ TEST(NetworkIsolationKeyTest, ValueRoundTripFrameOrigin) {
   EXPECT_EQ(key1, key2);
 
   feature_list.Reset();
+  feature_list.InitAndDisableFeature(
+      features::kAppendFrameOriginToNetworkIsolationKey);
 
   // Loading should fail when frame origins are disabled.
   EXPECT_FALSE(NetworkIsolationKey::FromValue(value, &key2));
@@ -239,7 +241,7 @@ TEST(NetworkIsolationKeyTest, ToValueTransientOrigin) {
     base::test::ScopedFeatureList feature_list;
     if (use_frame_origins) {
       feature_list.InitAndEnableFeature(
-          net::features::kAppendFrameOriginToNetworkIsolationKey);
+          features::kAppendFrameOriginToNetworkIsolationKey);
     }
 
     NetworkIsolationKey key1(kTransientOrigin, kTransientOrigin);
@@ -276,7 +278,7 @@ TEST(NetworkIsolationKeyTest, FromValueBadData) {
     base::test::ScopedFeatureList feature_list;
     if (use_frame_origins) {
       feature_list.InitAndEnableFeature(
-          net::features::kAppendFrameOriginToNetworkIsolationKey);
+          features::kAppendFrameOriginToNetworkIsolationKey);
     }
 
     for (const auto& test_case : kTestCases) {
@@ -288,11 +290,34 @@ TEST(NetworkIsolationKeyTest, FromValueBadData) {
   }
 }
 
+TEST(NetworkIsolationKeyTest, UseRegistrableDomain) {
+  base::test::ScopedFeatureList feature_list;
+  feature_list.InitWithFeatures(
+      {features::kUseRegistrableDomainInNetworkIsolationKey},
+      {features::kAppendFrameOriginToNetworkIsolationKey});
+
+  // Both origins are non-opaque.
+  url::Origin origin_a = url::Origin::Create(GURL("http://a.foo.test:80"));
+  url::Origin origin_b = url::Origin::Create(GURL("https://b.foo.test:2395"));
+
+  // Resultant NIK should have the same scheme as the initial origin and
+  // default port. Note that frame_origin will be empty as triple keying is not
+  // enabled.
+  url::Origin expected_domain_a = url::Origin::Create(GURL("http://foo.test"));
+  NetworkIsolationKey key(origin_a, origin_b);
+  EXPECT_EQ(origin_a, key.GetTopFrameOrigin().value());
+  EXPECT_FALSE(key.GetFrameOrigin().has_value());
+  EXPECT_EQ(expected_domain_a.Serialize(), key.ToString());
+
+  // More tests for using registrable domain are in
+  // NetworkIsolationKeyWithFrameOriginTest.UseRegistrableDomain.
+}
+
 class NetworkIsolationKeyWithFrameOriginTest : public testing::Test {
  public:
   NetworkIsolationKeyWithFrameOriginTest() {
     feature_list_.InitAndEnableFeature(
-        net::features::kAppendFrameOriginToNetworkIsolationKey);
+        features::kAppendFrameOriginToNetworkIsolationKey);
   }
 
  private:
@@ -373,4 +398,160 @@ TEST_F(NetworkIsolationKeyWithFrameOriginTest, OpaqueOriginKeyBoth) {
   EXPECT_EQ("", key3.ToString());
 }
 
+TEST_F(NetworkIsolationKeyWithFrameOriginTest, UseRegistrableDomain) {
+  base::test::ScopedFeatureList feature_list;
+  feature_list.InitWithFeatures(
+      {features::kAppendFrameOriginToNetworkIsolationKey,
+       features::kUseRegistrableDomainInNetworkIsolationKey},
+      {});
+
+  // Both origins are non-opaque.
+  url::Origin origin_a = url::Origin::Create(GURL("http://a.foo.test:80"));
+  url::Origin origin_b = url::Origin::Create(GURL("https://b.foo.test:2395"));
+
+  // Resultant NIK should have the same schemes as the initial origins and
+  // default port.
+  url::Origin expected_domain_a = url::Origin::Create(GURL("http://foo.test"));
+  url::Origin expected_domain_b = url::Origin::Create(GURL("https://foo.test"));
+  NetworkIsolationKey key(origin_a, origin_b);
+  EXPECT_EQ(origin_a, key.GetTopFrameOrigin().value());
+  EXPECT_EQ(origin_b, key.GetFrameOrigin().value());
+  EXPECT_EQ(expected_domain_a.Serialize() + " " + expected_domain_b.Serialize(),
+            key.ToString());
+
+  // Top frame origin is opaque but not the frame origin.
+  url::Origin origin_data =
+      url::Origin::Create(GURL("data:text/html,<body>Hello World</body>"));
+  key = NetworkIsolationKey(origin_data, origin_b);
+  EXPECT_TRUE(key.top_frame_origin_->opaque());
+  EXPECT_TRUE(key.ToString().empty());
+  EXPECT_EQ(origin_data, key.top_frame_origin_.value());
+  EXPECT_EQ(expected_domain_b, key.frame_origin_.value());
+
+  // Top frame origin is non-opaque but frame origin is opaque.
+  key = NetworkIsolationKey(origin_a, origin_data);
+  EXPECT_EQ(expected_domain_a, key.top_frame_origin_.value());
+  EXPECT_TRUE(key.ToString().empty());
+  EXPECT_EQ(origin_data, key.GetFrameOrigin().value());
+  EXPECT_TRUE(key.frame_origin_->opaque());
+
+  // Empty NIK stays empty.
+  NetworkIsolationKey empty_key;
+  EXPECT_TRUE(key.ToString().empty());
+
+  // IPv4 and IPv6 origins should not be modified, except for removing their
+  // ports.
+  url::Origin origin_ipv4 = url::Origin::Create(GURL("http://127.0.0.1:1234"));
+  url::Origin origin_ipv6 = url::Origin::Create(GURL("https://[::1]"));
+  key = NetworkIsolationKey(origin_ipv4, origin_ipv6);
+  EXPECT_EQ(url::Origin::Create(GURL("http://127.0.0.1")),
+            key.top_frame_origin_.value());
+  EXPECT_EQ(origin_ipv6, key.frame_origin_.value());
+
+  // Nor should TLDs, recognized or not.
+  url::Origin origin_tld = url::Origin::Create(GURL("http://com"));
+  url::Origin origin_tld_unknown =
+      url::Origin::Create(GURL("https://bar:1234"));
+  key = NetworkIsolationKey(origin_tld, origin_tld_unknown);
+  EXPECT_EQ(origin_tld, key.top_frame_origin_.value());
+  EXPECT_EQ(url::Origin::Create(GURL("https://bar")),
+            key.frame_origin_.value());
+
+  // Check for two-part TLDs.
+  url::Origin origin_two_part_tld = url::Origin::Create(GURL("http://co.uk"));
+  url::Origin origin_two_part_tld_with_prefix =
+      url::Origin::Create(GURL("https://a.b.co.uk"));
+  key =
+      NetworkIsolationKey(origin_two_part_tld, origin_two_part_tld_with_prefix);
+  EXPECT_EQ(origin_two_part_tld, key.top_frame_origin_.value());
+  EXPECT_EQ(url::Origin::Create(GURL("https://b.co.uk")),
+            key.frame_origin_.value());
+
+  // Two keys with different origins but same etld+1.
+  // Also test the getter APIs.
+  url::Origin origin_a_foo = url::Origin::Create(GURL("http://a.foo.com"));
+  url::Origin foo = url::Origin::Create(GURL("http://foo.com"));
+  url::Origin origin_b_foo = url::Origin::Create(GURL("http://b.foo.com"));
+  NetworkIsolationKey key1 = NetworkIsolationKey(origin_a_foo, origin_a_foo);
+  NetworkIsolationKey key2 = NetworkIsolationKey(origin_b_foo, origin_b_foo);
+  EXPECT_EQ(key1, key2);
+  EXPECT_EQ(foo.Serialize() + " " + foo.Serialize(), key1.ToString());
+  EXPECT_EQ(foo.Serialize() + " " + foo.Serialize(), key2.ToString());
+  EXPECT_EQ(origin_a_foo, key1.GetTopFrameOrigin());
+  EXPECT_EQ(origin_a_foo, key1.GetFrameOrigin());
+  EXPECT_EQ(origin_b_foo, key2.GetTopFrameOrigin());
+  EXPECT_EQ(origin_b_foo, key2.GetFrameOrigin());
+
+  // Copying one key to another should also copy the original origins.
+  url::Origin origin_bar = url::Origin::Create(GURL("http://a.bar.com"));
+  NetworkIsolationKey key_bar = NetworkIsolationKey(origin_bar, origin_bar);
+  NetworkIsolationKey key_copied = key_bar;
+  EXPECT_EQ(key_copied.GetTopFrameOrigin(), key_bar.GetTopFrameOrigin());
+  EXPECT_EQ(key_copied.GetFrameOrigin(), key_bar.GetFrameOrigin());
+  EXPECT_EQ(key_copied, key_bar);
+}
+
+// Make sure that kUseRegistrableDomainInNetworkIsolationKey does not affect the
+// host when using a non-standard scheme.
+TEST(NetworkIsolationKeyTest, UseRegistrableDomainWithNonStandardScheme) {
+  base::test::ScopedFeatureList feature_list;
+  feature_list.InitAndEnableFeature(
+      features::kUseRegistrableDomainInNetworkIsolationKey);
+
+  // Have to register the scheme, or url::Origin::Create() will return an opaque
+  // origin.
+  url::AddStandardScheme("foo", url::SCHEME_WITH_HOST);
+
+  url::Origin origin = url::Origin::Create(GURL("foo://a.foo.com"));
+  ASSERT_FALSE(origin.opaque());
+  ASSERT_EQ(origin.scheme(), "foo");
+  ASSERT_EQ(origin.host(), "a.foo.com");
+
+  net::NetworkIsolationKey key(origin, origin);
+  EXPECT_EQ(origin, key.GetTopFrameOrigin());
+  EXPECT_FALSE(key.GetTopFrameOrigin()->opaque());
+  EXPECT_EQ(key.GetTopFrameOrigin()->scheme(), "foo");
+  EXPECT_EQ(key.GetTopFrameOrigin()->host(), "a.foo.com");
+  EXPECT_EQ(origin.Serialize(), key.ToString());
+}
+
+TEST_F(NetworkIsolationKeyWithFrameOriginTest, CreateWithNewFrameOrigin) {
+  url::Origin origin_a = url::Origin::Create(GURL("http://a.com"));
+  url::Origin origin_b = url::Origin::Create(GURL("http://b.com"));
+  url::Origin origin_c = url::Origin::Create(GURL("http://c.com"));
+
+  net::NetworkIsolationKey key(origin_a, origin_b);
+  NetworkIsolationKey key_c = key.CreateWithNewFrameOrigin(origin_c);
+  EXPECT_EQ(origin_c, key_c.GetFrameOrigin());
+  EXPECT_EQ(origin_a, key_c.GetTopFrameOrigin());
+}
+
+TEST(NetworkIsolationKeyTest, CreateTransient) {
+  for (bool append_frame_origin : {false, true}) {
+    base::test::ScopedFeatureList feature_list;
+    if (append_frame_origin) {
+      feature_list.InitAndEnableFeature(
+          features::kAppendFrameOriginToNetworkIsolationKey);
+    } else {
+      feature_list.InitAndDisableFeature(
+          features::kAppendFrameOriginToNetworkIsolationKey);
+    }
+
+    NetworkIsolationKey transient_key = NetworkIsolationKey::CreateTransient();
+    EXPECT_TRUE(transient_key.IsFullyPopulated());
+    EXPECT_TRUE(transient_key.IsTransient());
+    EXPECT_FALSE(transient_key.IsEmpty());
+    EXPECT_EQ(transient_key, transient_key);
+
+    // Transient values can't be saved to disk.
+    base::Value value;
+    EXPECT_FALSE(transient_key.ToValue(&value));
+
+    // Make sure that subsequent calls don't return the same NIK.
+    for (int i = 0; i < 1000; ++i) {
+      EXPECT_NE(transient_key, NetworkIsolationKey::CreateTransient());
+    }
+  }
+}
+
 }  // namespace net
diff --git a/chromium/net/base/parse_data_url_fuzzer.cc b/chromium/net/base/parse_data_url_fuzzer.cc
deleted file mode 100644
index f91b691df8c..00000000000
--- a/chromium/net/base/parse_data_url_fuzzer.cc
+++ /dev/null
@@ -1,19 +0,0 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include <stddef.h>
-#include <stdint.h>
-
-#include "net/base/data_url.h"
-#include "url/gurl.h"
-
-// Entry point for LibFuzzer.
-extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
-  std::string input(data, data + size);
-  std::string mime_type;
-  std::string charset;
-  std::string urldata;
-  net::DataURL::Parse(GURL(input), &mime_type, &charset, &urldata);
-  return 0;
-}
diff --git a/chromium/net/base/parse_number_unittest.cc b/chromium/net/base/parse_number_unittest.cc
index 45d0adffb63..47cce60e29e 100644
--- a/chromium/net/base/parse_number_unittest.cc
+++ b/chromium/net/base/parse_number_unittest.cc
@@ -13,21 +13,12 @@
 namespace net {
 namespace {
 
-template <typename T>
-std::string ToString(T number) {
-  // TODO(eroman): Just use std::to_string() instead (Currently chromium's
-  // C++11 guide hasn't taken a stance on it).
-  std::stringstream s;
-  s << number;
-  return s.str();
-}
-
 // Returns a decimal string that is one larger than the maximum value that type
 // T can represent.
 template <typename T>
 std::string CreateOverflowString() {
   const T value = std::numeric_limits<T>::max();
-  std::string result = ToString(value);
+  std::string result = base::NumberToString(value);
   EXPECT_NE('9', result.back());
   result.back()++;
   return result;
@@ -39,7 +30,7 @@ template <typename T>
 std::string CreateUnderflowString() {
   EXPECT_TRUE(std::numeric_limits<T>::is_signed);
   const T value = std::numeric_limits<T>::min();
-  std::string result = ToString(value);
+  std::string result = base::NumberToString(value);
   EXPECT_EQ('-', result.front());
   EXPECT_NE('9', result.back());
   result.back()++;
@@ -149,7 +140,7 @@ void TestParseIntUsingFormat(ParseFunc func, ParseIntFormat format) {
   // Test parsing the largest possible value for output type.
   {
     const T value = std::numeric_limits<T>::max();
-    ExpectParseIntSuccess<T>(func, ToString(value), format, value);
+    ExpectParseIntSuccess<T>(func, base::NumberToString(value), format, value);
   }
 
   // Test parsing a number one larger than the output type can accomodate
@@ -161,8 +152,9 @@ void TestParseIntUsingFormat(ParseFunc func, ParseIntFormat format) {
   // garbage at the end. This exercises an interesting internal quirk of
   // base::StringToInt*(), in that its result cannot distinguish this case
   // from overflow.
-  ExpectParseIntFailure<T>(func, ToString(std::numeric_limits<T>::max()) + " ",
-                           format, ParseIntError::FAILED_PARSE);
+  ExpectParseIntFailure<T>(
+      func, base::NumberToString(std::numeric_limits<T>::max()) + " ", format,
+      ParseIntError::FAILED_PARSE);
 
   ExpectParseIntFailure<T>(func, CreateOverflowString<T>() + " ", format,
                            ParseIntError::FAILED_PARSE);
@@ -171,7 +163,7 @@ void TestParseIntUsingFormat(ParseFunc func, ParseIntFormat format) {
   // test for unsigned types since the smallest number 0 is tested elsewhere.
   if (std::numeric_limits<T>::is_signed) {
     const T value = std::numeric_limits<T>::min();
-    std::string str_value = ToString(value);
+    std::string str_value = base::NumberToString(value);
 
     // The minimal value is necessarily negative, since this function is
     // testing only signed output types.
diff --git a/chromium/net/base/platform_mime_util_mac.mm b/chromium/net/base/platform_mime_util_mac.mm
index a510c87ea7d..5188bba546c 100644
--- a/chromium/net/base/platform_mime_util_mac.mm
+++ b/chromium/net/base/platform_mime_util_mac.mm
@@ -18,16 +18,6 @@
 #include <CoreServices/CoreServices.h>
 #endif  // defined(OS_IOS)
 
-#if !defined(OS_IOS)
-// SPI declaration; see the commentary in GetPlatformExtensionsForMimeType.
-// iOS must not use any private API, per Apple guideline.
-
-@interface NSURLFileTypeMappings : NSObject
-+ (NSURLFileTypeMappings*)sharedMappings;
-- (NSArray*)extensionsForMIMEType:(NSString*)mimeType;
-@end
-#endif  // !defined(OS_IOS)
-
 namespace net {
 
 bool PlatformMimeUtil::GetPlatformMimeTypeFromExtension(
@@ -40,7 +30,7 @@ bool PlatformMimeUtil::GetPlatformMimeTypeFromExtension(
   if (!ext_ref)
     return false;
   base::ScopedCFTypeRef<CFStringRef> uti(UTTypeCreatePreferredIdentifierForTag(
-      kUTTagClassFilenameExtension, ext_ref, NULL));
+      kUTTagClassFilenameExtension, ext_ref, nullptr));
   if (!uti)
     return false;
   base::ScopedCFTypeRef<CFStringRef> mime_ref(
@@ -60,7 +50,7 @@ bool PlatformMimeUtil::GetPlatformPreferredExtensionForMimeType(
   if (!mime_ref)
     return false;
   base::ScopedCFTypeRef<CFStringRef> uti(UTTypeCreatePreferredIdentifierForTag(
-      kUTTagClassMIMEType, mime_ref, NULL));
+      kUTTagClassMIMEType, mime_ref, nullptr));
   if (!uti)
     return false;
   base::ScopedCFTypeRef<CFStringRef> ext_ref(
@@ -75,22 +65,21 @@ bool PlatformMimeUtil::GetPlatformPreferredExtensionForMimeType(
 void PlatformMimeUtil::GetPlatformExtensionsForMimeType(
     const std::string& mime_type,
     std::unordered_set<base::FilePath::StringType>* extensions) const {
-#if defined(OS_IOS)
-  NSArray* extensions_list = nil;
-#else
-  // There is no API for this that uses UTIs. The WebKitSystemInterface call
-  // WKGetExtensionsForMIMEType() is a thin wrapper around
-  // [[NSURLFileTypeMappings sharedMappings] extensionsForMIMEType:], which is
-  // used by Firefox as well.
-  //
-  // See:
-  // http://mxr.mozilla.org/mozilla-central/search?string=extensionsForMIMEType
-  // http://www.openradar.me/11384153
-  // rdar://11384153
-  NSArray* extensions_list =
-      [[NSURLFileTypeMappings sharedMappings]
-          extensionsForMIMEType:base::SysUTF8ToNSString(mime_type)];
-#endif  // defined(OS_IOS)
+  base::ScopedCFTypeRef<CFArrayRef> exts_ref;
+
+  base::ScopedCFTypeRef<CFStringRef> mime_ref(
+      base::SysUTF8ToCFStringRef(mime_type));
+  if (mime_ref) {
+    base::ScopedCFTypeRef<CFStringRef> uti(
+        UTTypeCreatePreferredIdentifierForTag(kUTTagClassMIMEType, mime_ref,
+                                              nullptr));
+    if (uti) {
+      exts_ref.reset(
+          UTTypeCopyAllTagsWithClass(uti, kUTTagClassFilenameExtension));
+    }
+  }
+
+  NSArray* extensions_list = base::mac::CFToNSCast(exts_ref);
 
   if (extensions_list) {
     for (NSString* extension in extensions_list)
diff --git a/chromium/net/base/registry_controlled_domains/effective_tld_names.dat b/chromium/net/base/registry_controlled_domains/effective_tld_names.dat
index f81cc8046b8..5cbad8f2016 100644
--- a/chromium/net/base/registry_controlled_domains/effective_tld_names.dat
+++ b/chromium/net/base/registry_controlled_domains/effective_tld_names.dat
@@ -244,6 +244,8 @@ vic.au
 wa.au
 // 3LDs
 act.edu.au
+catholic.edu.au
+eq.edu.au
 nsw.edu.au
 nt.edu.au
 qld.edu.au
@@ -259,6 +261,9 @@ sa.gov.au
 tas.gov.au
 vic.gov.au
 wa.gov.au
+// 4LDs
+education.tas.edu.au
+schools.nsw.edu.au
 
 // aw : https://en.wikipedia.org/wiki/.aw
 aw
@@ -1367,7 +1372,7 @@ it
 gov.it
 edu.it
 // Reserved geo-names (regions and provinces):
-// http://www.nic.it/sites/default/files/docs/Regulation_assignation_v7.1.pdf
+// https://www.nic.it/sites/default/files/archivio/docs/Regulation_assignation_v7.1.pdf
 // Regions
 abr.it
 abruzzo.it
@@ -4338,8 +4343,6 @@ niepce.museum
 norfolk.museum
 north.museum
 nrw.museum
-nuernberg.museum
-nuremberg.museum
 nyc.museum
 nyny.museum
 oceanographic.museum
@@ -5887,14 +5890,9 @@ gov.rs
 in.rs
 org.rs
 
-// ru : https://cctld.ru/en/domains/domens_ru/reserved/
+// ru : https://cctld.ru/files/pdf/docs/en/rules_ru-rf.pdf
+// Submitted by George Georgievsky <gug@cctld.ru>
 ru
-ac.ru
-edu.ru
-gov.ru
-int.ru
-mil.ru
-test.ru
 
 // rw : https://www.ricta.org.rw/sites/default/files/resources/registry_registrar_contract_0.pdf
 rw
@@ -6039,15 +6037,28 @@ org.sn
 perso.sn
 univ.sn
 
-// so : http://www.soregistry.com/
+// so : http://sonic.so/policies/
 so
 com.so
+edu.so
+gov.so
+me.so
 net.so
 org.so
 
 // sr : https://en.wikipedia.org/wiki/.sr
 sr
 
+// ss : https://registry.nic.ss/
+// Submitted by registry <technical@nic.ss>
+ss
+biz.ss
+com.ss
+edu.ss
+gov.ss
+net.ss
+org.ss
+
 // st : http://www.nic.st/html/policyrules/
 st
 co.st
@@ -6790,6 +6801,9 @@ yt
 // xn--e1a4c ("eu", Cyrillic) : EU
 ею
 
+// xn--mgbah1a3hjkrd ("Mauritania", Arabic) : MR
+موريتانيا
+
 // xn--node ("ge", Georgian Mkhedruli) : GE
 გე
 
@@ -6943,7 +6957,8 @@ yt
 ак.срб
 
 // xn--p1ai ("rf", Russian-Cyrillic) : RU
-// http://www.cctld.ru/en/docs/rulesrf.php
+// https://cctld.ru/files/pdf/docs/en/rules_ru-rf.pdf
+// Submitted by George Georgievsky <gug@cctld.ru>
 рф
 
 // xn--wgbl6a ("Qatar", Arabic) : QA
@@ -7016,7 +7031,7 @@ xxx
 // ye : http://www.y.net.ye/services/domain_name.htm
 *.ye
 
-// za : http://www.zadna.org.za/content/page/domain-information
+// za : https://www.zadna.org.za/content/page/domain-information/
 ac.za
 agric.za
 alt.za
@@ -7028,6 +7043,7 @@ law.za
 mil.za
 net.za
 ngo.za
+nic.za
 nis.za
 nom.za
 org.za
@@ -7061,9 +7077,9 @@ org.zw
 
 
 // newGTLDs
-// List of new gTLDs imported from https://newgtlds.icann.org/newgtlds.csv on 2018-05-08T19:40:37Z
-// This list is auto-generated, don't edit it manually.
 
+// List of new gTLDs imported from https://www.icann.org/resources/registries/gtlds/v2/gtlds.json on 2019-12-02T17:16:24Z
+// This list is auto-generated, don't edit it manually.
 // aaa : 2015-02-26 American Automobile Association, Inc.
 aaa
 
@@ -7109,7 +7125,7 @@ accountants
 // aco : 2015-01-08 ACO Severin Ahlmann GmbH & Co. KG
 aco
 
-// actor : 2013-12-12 United TLD Holdco Ltd.
+// actor : 2013-12-12 Dog Beach, LLC
 actor
 
 // adac : 2015-07-16 Allgemeiner Deutscher Automobil-Club e.V. (ADAC)
@@ -7151,7 +7167,7 @@ aigo
 // airbus : 2015-07-30 Airbus S.A.S.
 airbus
 
-// airforce : 2014-03-06 United TLD Holdco Ltd.
+// airforce : 2014-03-06 Dog Beach, LLC
 airforce
 
 // airtel : 2014-10-24 Bharti Airtel Limited
@@ -7235,10 +7251,10 @@ arab
 // aramco : 2014-11-20 Aramco Services Company
 aramco
 
-// archi : 2014-02-06 Afilias plc
+// archi : 2014-02-06 Afilias Limited
 archi
 
-// army : 2014-03-06 United TLD Holdco Ltd.
+// army : 2014-03-06 Dog Beach, LLC
 army
 
 // art : 2016-03-24 UK Creative Ideas Limited
@@ -7256,10 +7272,10 @@ associates
 // athleta : 2015-07-30 The Gap, Inc.
 athleta
 
-// attorney : 2014-03-20 United TLD Holdco Ltd.
+// attorney : 2014-03-20 Dog Beach, LLC
 attorney
 
-// auction : 2014-03-20 United TLD Holdco Ltd.
+// auction : 2014-03-20 Dog Beach, LLC
 auction
 
 // audi : 2015-05-21 AUDI Aktiengesellschaft
@@ -7277,7 +7293,7 @@ auspost
 // author : 2014-12-18 Amazon Registry Services, Inc.
 author
 
-// auto : 2014-11-13 Cars Registry Limited
+// auto : 2014-11-13 Cars Registry Limited
 auto
 
 // autos : 2014-01-09 DERAutos, LLC
@@ -7295,7 +7311,7 @@ axa
 // azure : 2014-12-18 Microsoft Corporation
 azure
 
-// baby : 2015-04-09 Johnson & Johnson Services, Inc.
+// baby : 2015-04-09 XYZ.COM LLC
 baby
 
 // baidu : 2015-01-08 Baidu, Inc.
@@ -7307,7 +7323,7 @@ banamex
 // bananarepublic : 2015-07-31 The Gap, Inc.
 bananarepublic
 
-// band : 2014-06-12 United TLD Holdco Ltd.
+// band : 2014-06-12 Dog Beach, LLC
 band
 
 // bank : 2014-09-25 fTLD Registry Services LLC
@@ -7379,7 +7395,7 @@ best
 // bestbuy : 2015-07-31 BBY Solutions, Inc.
 bestbuy
 
-// bet : 2015-05-07 Afilias plc
+// bet : 2015-05-07 Afilias Limited
 bet
 
 // bharti : 2014-01-09 Bharti Enterprises (Holding) Private Limited
@@ -7400,10 +7416,10 @@ bing
 // bingo : 2014-12-04 Binky Moon, LLC
 bingo
 
-// bio : 2014-03-06 Afilias plc
+// bio : 2014-03-06 Afilias Limited
 bio
 
-// black : 2014-01-16 Afilias plc
+// black : 2014-01-16 Afilias Limited
 black
 
 // blackfriday : 2014-01-16 Uniregistry, Corp.
@@ -7418,7 +7434,7 @@ blog
 // bloomberg : 2014-07-17 Bloomberg IP Holdings LLC
 bloomberg
 
-// blue : 2013-11-07 Afilias plc
+// blue : 2013-11-07 Afilias Limited
 blue
 
 // bms : 2014-10-30 Bristol-Myers Squibb Company
@@ -7427,9 +7443,6 @@ bms
 // bmw : 2014-01-09 Bayerische Motoren Werke Aktiengesellschaft
 bmw
 
-// bnl : 2014-07-24 Banca Nazionale del Lavoro
-bnl
-
 // bnpparibas : 2014-05-29 BNP Paribas
 bnpparibas
 
@@ -7445,7 +7458,7 @@ bofa
 // bom : 2014-10-16 Núcleo de Informação e Coordenação do Ponto BR - NIC.br
 bom
 
-// bond : 2014-06-05 Bond University Limited
+// bond : 2014-06-05 ShortDot SA
 bond
 
 // boo : 2014-01-30 Charleston Road Registry Inc.
@@ -7472,7 +7485,7 @@ bot
 // boutique : 2013-11-14 Binky Moon, LLC
 boutique
 
-// box : 2015-11-12 NS1 Limited
+// box : 2015-11-12 .BOX INC.
 box
 
 // bradesco : 2014-12-18 Banco Bradesco S.A.
@@ -7556,7 +7569,7 @@ capital
 // capitalone : 2015-08-06 Capital One Financial Corporation
 capitalone
 
-// car : 2015-01-22 Cars Registry Limited
+// car : 2015-01-22 Cars Registry Limited
 car
 
 // caravan : 2013-12-12 Caravan International, Inc.
@@ -7574,12 +7587,9 @@ career
 // careers : 2013-10-02 Binky Moon, LLC
 careers
 
-// cars : 2014-11-13 Cars Registry Limited
+// cars : 2014-11-13 Cars Registry Limited
 cars
 
-// cartier : 2014-06-23 Richemont DNS Inc.
-cartier
-
 // casa : 2013-11-21 Minds + Machines Group Limited
 casa
 
@@ -7637,7 +7647,7 @@ chanel
 // channel : 2014-05-08 Charleston Road Registry Inc.
 channel
 
-// charity : 2018-04-11 Corn Lake, LLC
+// charity : 2018-04-11 Binky Moon, LLC
 charity
 
 // chase : 2015-04-30 JPMorgan Chase Bank, National Association
@@ -7658,9 +7668,6 @@ christmas
 // chrome : 2014-07-24 Charleston Road Registry Inc.
 chrome
 
-// chrysler : 2015-07-30 FCA US LLC.
-chrysler
-
 // church : 2014-02-06 Binky Moon, LLC
 church
 
@@ -7727,7 +7734,7 @@ coffee
 // college : 2014-01-16 XYZ.COM LLC
 college
 
-// cologne : 2014-02-05 punkt.wien GmbH
+// cologne : 2014-02-05 dotKoeln GmbH
 cologne
 
 // comcast : 2015-07-23 Comcast IP Holdings I, LLC
@@ -7742,7 +7749,7 @@ community
 // company : 2013-11-07 Binky Moon, LLC
 company
 
-// compare : 2015-10-08 iSelect Ltd
+// compare : 2015-10-08 Registry Services, LLC
 compare
 
 // computer : 2013-10-24 Binky Moon, LLC
@@ -7757,10 +7764,10 @@ condos
 // construction : 2013-09-16 Binky Moon, LLC
 construction
 
-// consulting : 2013-12-05 United TLD Holdco Ltd.
+// consulting : 2013-12-05 Dog Beach, LLC
 consulting
 
-// contact : 2015-01-08 Top Level Spectrum, Inc.
+// contact : 2015-01-08 Dog Beach, LLC
 contact
 
 // contractors : 2013-09-10 Binky Moon, LLC
@@ -7790,6 +7797,9 @@ coupons
 // courses : 2014-12-04 OPEN UNIVERSITIES AUSTRALIA PTY LTD
 courses
 
+// cpa : 2019-06-10 American Institute of Certified Public Accountants
+cpa
+
 // credit : 2014-03-20 Binky Moon, LLC
 credit
 
@@ -7817,7 +7827,7 @@ cruises
 // csc : 2014-09-25 Alliance-One Services, Inc.
 csc
 
-// cuisinella : 2014-04-03 SALM S.A.S.
+// cuisinella : 2014-04-03 SCHMIDT GROUPE S.A.S.
 cuisinella
 
 // cymru : 2014-05-08 Nominet UK
@@ -7832,7 +7842,7 @@ dabur
 // dad : 2014-01-23 Charleston Road Registry Inc.
 dad
 
-// dance : 2013-10-24 United TLD Holdco Ltd.
+// dance : 2013-10-24 Dog Beach, LLC
 dance
 
 // data : 2016-06-02 Dish DBS Corporation
@@ -7859,13 +7869,13 @@ dds
 // deal : 2015-06-25 Amazon Registry Services, Inc.
 deal
 
-// dealer : 2014-12-22 Dealer Dot Com, Inc.
+// dealer : 2014-12-22 Intercap Registry Inc.
 dealer
 
 // deals : 2014-05-22 Binky Moon, LLC
 deals
 
-// degree : 2014-03-06 United TLD Holdco Ltd.
+// degree : 2014-03-06 Dog Beach, LLC
 degree
 
 // delivery : 2014-09-11 Binky Moon, LLC
@@ -7880,13 +7890,13 @@ deloitte
 // delta : 2015-02-19 Delta Air Lines, Inc.
 delta
 
-// democrat : 2013-10-24 United TLD Holdco Ltd.
+// democrat : 2013-10-24 Dog Beach, LLC
 democrat
 
 // dental : 2014-03-20 Binky Moon, LLC
 dental
 
-// dentist : 2014-03-20 United TLD Holdco Ltd.
+// dentist : 2014-03-20 Dog Beach, LLC
 dentist
 
 // desi : 2013-11-14 Desi Networks LLC
@@ -7937,9 +7947,6 @@ docs
 // doctor : 2016-06-02 Binky Moon, LLC
 doctor
 
-// dodge : 2015-07-30 FCA US LLC.
-dodge
-
 // dog : 2014-12-04 Binky Moon, LLC
 dog
 
@@ -7967,9 +7974,6 @@ duck
 // dunlop : 2015-07-02 The Goodyear Tire & Rubber Company
 dunlop
 
-// duns : 2015-08-06 The Dun & Bradstreet Corporation
-duns
-
 // dupont : 2015-06-25 E. I. du Pont de Nemours and Company
 dupont
 
@@ -7979,7 +7983,7 @@ durban
 // dvag : 2014-06-23 Deutsche Vermögensberatung Aktiengesellschaft DVAG
 dvag
 
-// dvr : 2016-05-26 Hughes Satellite Systems Corporation
+// dvr : 2016-05-26 DISH Technologies L.L.C.
 dvr
 
 // earth : 2014-12-04 Interlink Co., Ltd.
@@ -8006,7 +8010,7 @@ emerck
 // energy : 2014-09-11 Binky Moon, LLC
 energy
 
-// engineer : 2014-03-06 United TLD Holdco Ltd.
+// engineer : 2014-03-06 Dog Beach, LLC
 engineer
 
 // engineering : 2014-03-06 Binky Moon, LLC
@@ -8048,9 +8052,6 @@ eus
 // events : 2013-12-05 Binky Moon, LLC
 events
 
-// everbank : 2014-05-15 EverBank
-everbank
-
 // exchange : 2014-03-06 Binky Moon, LLC
 exchange
 
@@ -8078,13 +8079,13 @@ fairwinds
 // faith : 2014-11-20 dot Faith Limited
 faith
 
-// family : 2015-04-02 United TLD Holdco Ltd.
+// family : 2015-04-02 Dog Beach, LLC
 family
 
-// fan : 2014-03-06 Asiamix Digital Limited
+// fan : 2014-03-06 Dog Beach, LLC
 fan
 
-// fans : 2014-11-07 Asiamix Digital Limited
+// fans : 2014-11-07 ZDNS International Limited
 fans
 
 // farm : 2013-11-07 Binky Moon, LLC
@@ -8189,7 +8190,7 @@ ford
 // forex : 2014-12-11 Dotforex Registry Limited
 forex
 
-// forsale : 2014-05-22 United TLD Holdco Ltd.
+// forsale : 2014-05-22 Dog Beach, LLC
 forsale
 
 // forum : 2015-04-02 Fegistry, LLC
@@ -8237,7 +8238,7 @@ fund
 // furniture : 2014-03-20 Binky Moon, LLC
 furniture
 
-// futbol : 2013-09-20 United TLD Holdco Ltd.
+// futbol : 2013-09-20 Dog Beach, LLC
 futbol
 
 // fyi : 2015-04-02 Binky Moon, LLC
@@ -8258,7 +8259,7 @@ gallup
 // game : 2015-05-28 Uniregistry, Corp.
 game
 
-// games : 2015-05-28 United TLD Holdco Ltd.
+// games : 2015-05-28 Dog Beach, LLC
 games
 
 // gap : 2015-07-31 The Gap, Inc.
@@ -8267,6 +8268,9 @@ gap
 // garden : 2014-06-26 Minds + Machines Group Limited
 garden
 
+// gay : 2019-05-23 Top Level Design, LLC
+gay
+
 // gbiz : 2014-07-17 Charleston Road Registry Inc.
 gbiz
 
@@ -8294,7 +8298,7 @@ gift
 // gifts : 2014-07-03 Binky Moon, LLC
 gifts
 
-// gives : 2014-03-06 United TLD Holdco Ltd.
+// gives : 2014-03-06 Dog Beach, LLC
 gives
 
 // giving : 2014-11-13 Giving Limited
@@ -8321,7 +8325,7 @@ gmail
 // gmbh : 2016-01-29 Binky Moon, LLC
 gmbh
 
-// gmo : 2014-01-09 GMO Internet Pte. Ltd.
+// gmo : 2014-01-09 GMO Internet, Inc.
 gmo
 
 // gmx : 2014-04-24 1&1 Mail & Media GmbH
@@ -8366,7 +8370,7 @@ graphics
 // gratis : 2014-03-20 Binky Moon, LLC
 gratis
 
-// green : 2014-05-08 Afilias plc
+// green : 2014-05-08 Afilias Limited
 green
 
 // gripe : 2014-03-06 Binky Moon, LLC
@@ -8405,7 +8409,7 @@ hamburg
 // hangout : 2014-11-13 Charleston Road Registry Inc.
 hangout
 
-// haus : 2013-12-05 United TLD Holdco Ltd.
+// haus : 2013-12-05 Dog Beach, LLC
 haus
 
 // hbo : 2015-07-30 HBO Registry Services, Inc.
@@ -8477,9 +8481,6 @@ homesense
 // honda : 2014-12-18 Honda Motor Co., Ltd.
 honda
 
-// honeywell : 2015-07-23 Honeywell GTLD LLC
-honeywell
-
 // horse : 2013-11-21 Minds + Machines Group Limited
 horse
 
@@ -8552,10 +8553,10 @@ imdb
 // immo : 2014-07-10 Binky Moon, LLC
 immo
 
-// immobilien : 2013-11-07 United TLD Holdco Ltd.
+// immobilien : 2013-11-07 Dog Beach, LLC
 immobilien
 
-// inc : 2018-03-10 GTLD Limited
+// inc : 2018-03-10 Intercap Registry Inc.
 inc
 
 // industries : 2013-12-05 Binky Moon, LLC
@@ -8597,9 +8598,6 @@ ipiranga
 // irish : 2014-08-07 Binky Moon, LLC
 irish
 
-// iselect : 2015-02-11 iSelect Ltd
-iselect
-
 // ismaili : 2015-08-06 Fondation Aga Khan (Aga Khan Foundation)
 ismaili
 
@@ -8672,7 +8670,7 @@ juegos
 // juniper : 2015-07-30 JUNIPER NETWORKS, INC.
 juniper
 
-// kaufen : 2013-11-07 United TLD Holdco Ltd.
+// kaufen : 2013-11-07 Dog Beach, LLC
 kaufen
 
 // kddi : 2014-09-12 KDDI CORPORATION
@@ -8693,7 +8691,7 @@ kfh
 // kia : 2015-07-09 KIA MOTORS CORPORATION
 kia
 
-// kim : 2013-09-23 Afilias plc
+// kim : 2013-09-23 Afilias Limited
 kim
 
 // kinder : 2014-11-07 Ferrero Trading Lux S.A.
@@ -8708,7 +8706,7 @@ kitchen
 // kiwi : 2013-09-20 DOT KIWI LIMITED
 kiwi
 
-// koeln : 2014-01-09 punkt.wien GmbH
+// koeln : 2014-01-09 dotKoeln GmbH
 koeln
 
 // komatsu : 2015-01-08 Komatsu Ltd.
@@ -8738,9 +8736,6 @@ kyoto
 // lacaixa : 2014-01-09 Fundación Bancaria Caixa d’Estalvis i Pensions de Barcelona, “la Caixa”
 lacaixa
 
-// ladbrokes : 2015-08-06 LADBROKES INTERNATIONAL PLC
-ladbrokes
-
 // lamborghini : 2015-06-04 Automobili Lamborghini S.p.A.
 lamborghini
 
@@ -8753,9 +8748,6 @@ lancaster
 // lancia : 2015-07-31 Fiat Chrysler Automobiles N.V.
 lancia
 
-// lancome : 2015-07-23 L'Oréal
-lancome
-
 // land : 2013-09-10 Binky Moon, LLC
 land
 
@@ -8777,10 +8769,10 @@ latino
 // latrobe : 2014-06-16 La Trobe University
 latrobe
 
-// law : 2015-01-22 Minds + Machines Group Limited
+// law : 2015-01-22 LW TLD Limited
 law
 
-// lawyer : 2014-03-20 United TLD Holdco Ltd.
+// lawyer : 2014-03-20 Dog Beach, LLC
 lawyer
 
 // lds : 2014-03-20 IRI Domain Management, LLC ("Applicant")
@@ -8804,7 +8796,7 @@ lego
 // lexus : 2015-04-23 TOYOTA MOTOR CORPORATION
 lexus
 
-// lgbt : 2014-05-08 Afilias plc
+// lgbt : 2014-05-08 Afilias Limited
 lgbt
 
 // liaison : 2014-10-02 Liaison Technologies, Incorporated
@@ -8849,7 +8841,7 @@ link
 // lipsy : 2015-06-25 Lipsy Ltd
 lipsy
 
-// live : 2014-12-04 United TLD Holdco Ltd.
+// live : 2014-12-04 Dog Beach, LLC
 live
 
 // living : 2015-07-30 Lifestyle Domain Holdings, Inc.
@@ -8858,9 +8850,12 @@ living
 // lixil : 2015-03-19 LIXIL Group Corporation
 lixil
 
-// llc : 2017-12-14 Afilias plc
+// llc : 2017-12-14 Afilias Limited
 llc
 
+// llp : 2019-08-26 Dot Registry LLC
+llp
+
 // loan : 2014-11-20 dot Loan Limited
 loan
 
@@ -8885,7 +8880,7 @@ london
 // lotte : 2014-11-07 Lotte Holdings Co., Ltd.
 lotte
 
-// lotto : 2014-04-10 Afilias plc
+// lotto : 2014-04-10 Afilias Limited
 lotto
 
 // love : 2014-12-22 Merchant Law Group LLP
@@ -8942,7 +8937,7 @@ mango
 // map : 2016-06-09 Charleston Road Registry Inc.
 map
 
-// market : 2014-03-06 United TLD Holdco Ltd.
+// market : 2014-03-06 Dog Beach, LLC
 market
 
 // marketing : 2013-11-07 Binky Moon, LLC
@@ -8990,7 +8985,7 @@ memorial
 // men : 2015-02-26 Exclusive Registry Limited
 men
 
-// menu : 2013-09-11 Wedding TLD2, LLC
+// menu : 2013-09-11 Dot Menu Registry, LLC
 menu
 
 // merckmsd : 2016-07-14 MSD Registry Holdings, Inc.
@@ -9029,10 +9024,7 @@ mma
 // mobile : 2016-06-02 Dish DBS Corporation
 mobile
 
-// mobily : 2014-12-18 GreenTech Consultancy Company W.L.L.
-mobily
-
-// moda : 2013-11-07 United TLD Holdco Ltd.
+// moda : 2013-11-07 Dog Beach, LLC
 moda
 
 // moe : 2013-11-13 Interlink Co., Ltd.
@@ -9050,16 +9042,13 @@ monash
 // money : 2014-10-16 Binky Moon, LLC
 money
 
-// monster : 2015-09-11 Monster Worldwide, Inc.
+// monster : 2015-09-11 XYZ.COM LLC
 monster
 
-// mopar : 2015-07-30 FCA US LLC.
-mopar
-
 // mormon : 2013-12-05 IRI Domain Management, LLC ("Applicant")
 mormon
 
-// mortgage : 2014-03-20 United TLD Holdco Ltd.
+// mortgage : 2014-03-20 Dog Beach, LLC
 mortgage
 
 // moscow : 2013-12-19 Foundation for Assistance for Internet Technologies and Infrastructure Development (FAITID)
@@ -9107,7 +9096,7 @@ nationwide
 // natura : 2015-03-12 NATURA COSMÉTICOS S.A.
 natura
 
-// navy : 2014-03-06 United TLD Holdco Ltd.
+// navy : 2014-03-06 Dog Beach, LLC
 navy
 
 // nba : 2015-07-31 NBA REGISTRY, LLC
@@ -9134,7 +9123,7 @@ new
 // newholland : 2015-09-03 CNH Industrial N.V.
 newholland
 
-// news : 2014-12-18 United TLD Holdco Ltd.
+// news : 2014-12-18 Dog Beach, LLC
 news
 
 // next : 2015-06-18 Next plc
@@ -9164,7 +9153,7 @@ nike
 // nikon : 2015-05-21 NIKON CORPORATION
 nikon
 
-// ninja : 2013-11-07 United TLD Holdco Ltd.
+// ninja : 2013-11-07 Dog Beach, LLC
 ninja
 
 // nissan : 2014-03-27 NISSAN MOTOR CO., LTD.
@@ -9248,7 +9237,7 @@ online
 // onyourside : 2015-07-23 Nationwide Mutual Insurance Company
 onyourside
 
-// ooo : 2014-01-09 INFIBEAM INCORPORATION LIMITED
+// ooo : 2014-01-09 INFIBEAM AVENUES LIMITED
 ooo
 
 // open : 2015-07-31 American Express Travel Related Services Company, Inc.
@@ -9260,7 +9249,7 @@ oracle
 // orange : 2015-03-12 Orange Brand Services Limited
 orange
 
-// organic : 2014-03-27 Afilias plc
+// organic : 2014-03-27 Afilias Limited
 organic
 
 // origins : 2015-10-01 The Estée Lauder Companies Inc.
@@ -9275,7 +9264,7 @@ otsuka
 // ott : 2015-06-04 Dish DBS Corporation
 ott
 
-// ovh : 2014-01-16 OVH SAS
+// ovh : 2014-01-16 MédiaBC
 ovh
 
 // page : 2014-12-04 Charleston Road Registry Inc.
@@ -9308,7 +9297,7 @@ pay
 // pccw : 2015-05-14 PCCW Enterprises Limited
 pccw
 
-// pet : 2015-05-07 Afilias plc
+// pet : 2015-05-07 Afilias Limited
 pet
 
 // pfizer : 2015-09-11 Pfizer Inc.
@@ -9338,9 +9327,6 @@ photos
 // physio : 2014-05-01 PhysBiz Pty Ltd
 physio
 
-// piaget : 2014-10-16 Richemont DNS Inc.
-piaget
-
 // pics : 2013-11-14 Uniregistry, Corp.
 pics
 
@@ -9359,7 +9345,7 @@ pin
 // ping : 2015-06-11 Ping Registry Provider, Inc.
 ping
 
-// pink : 2013-10-01 Afilias plc
+// pink : 2013-10-01 Afilias Limited
 pink
 
 // pioneer : 2015-07-16 Pioneer Corporation
@@ -9374,7 +9360,7 @@ place
 // play : 2015-03-05 Charleston Road Registry Inc.
 play
 
-// playstation : 2015-07-02 Sony Computer Entertainment Inc.
+// playstation : 2015-07-02 Sony Interactive Entertainment Inc.
 playstation
 
 // plumbing : 2013-09-10 Binky Moon, LLC
@@ -9389,7 +9375,7 @@ pnc
 // pohl : 2014-06-23 Deutsche Vermögensberatung Aktiengesellschaft DVAG
 pohl
 
-// poker : 2014-07-03 Afilias plc
+// poker : 2014-07-03 Afilias Limited
 poker
 
 // politie : 2015-08-20 Politie Nederland
@@ -9422,7 +9408,7 @@ prof
 // progressive : 2015-07-23 Progressive Casualty Insurance Company
 progressive
 
-// promo : 2014-12-18 Afilias plc
+// promo : 2014-12-18 Afilias Limited
 promo
 
 // properties : 2013-12-05 Binky Moon, LLC
@@ -9440,7 +9426,7 @@ pru
 // prudential : 2015-07-30 Prudential Financial, Inc.
 prudential
 
-// pub : 2013-12-12 United TLD Holdco Ltd.
+// pub : 2013-12-12 Dog Beach, LLC
 pub
 
 // pwc : 2015-10-29 PricewaterhouseCoopers LLP
@@ -9452,7 +9438,7 @@ qpon
 // quebec : 2013-12-19 PointQuébec Inc
 quebec
 
-// quest : 2015-03-26 Quest ION Limited
+// quest : 2015-03-26 XYZ.COM LLC
 quest
 
 // qvc : 2015-07-30 QVC, Inc.
@@ -9482,7 +9468,7 @@ realty
 // recipes : 2013-10-17 Binky Moon, LLC
 recipes
 
-// red : 2013-11-07 Afilias plc
+// red : 2013-11-07 Afilias Limited
 red
 
 // redstone : 2014-10-31 Redstone Haute Couture Co., Ltd.
@@ -9491,7 +9477,7 @@ redstone
 // redumbrella : 2015-03-26 Travelers TLD, LLC
 redumbrella
 
-// rehab : 2014-03-06 United TLD Holdco Ltd.
+// rehab : 2014-03-06 Dog Beach, LLC
 rehab
 
 // reise : 2014-03-13 Binky Moon, LLC
@@ -9506,7 +9492,7 @@ reit
 // reliance : 2015-04-02 Reliance Industries Limited
 reliance
 
-// ren : 2013-12-12 Beijing Qianxiang Wangjing Technology Development Co., Ltd.
+// ren : 2013-12-12 ZDNS International Limited
 ren
 
 // rent : 2014-12-04 XYZ.COM LLC
@@ -9521,7 +9507,7 @@ repair
 // report : 2013-12-05 Binky Moon, LLC
 report
 
-// republican : 2014-03-20 United TLD Holdco Ltd.
+// republican : 2014-03-20 Dog Beach, LLC
 republican
 
 // rest : 2013-12-19 Punto 2012 Sociedad Anonima Promotora de Inversion de Capital Variable
@@ -9533,7 +9519,7 @@ restaurant
 // review : 2014-11-20 dot Review Limited
 review
 
-// reviews : 2013-09-13 United TLD Holdco Ltd.
+// reviews : 2013-09-13 Dog Beach, LLC
 reviews
 
 // rexroth : 2015-06-18 Robert Bosch GMBH
@@ -9557,7 +9543,7 @@ ril
 // rio : 2014-02-27 Empresa Municipal de Informática SA - IPLANRIO
 rio
 
-// rip : 2014-07-10 United TLD Holdco Ltd.
+// rip : 2014-07-10 Dog Beach, LLC
 rip
 
 // rmit : 2015-11-19 Royal Melbourne Institute of Technology
@@ -9566,7 +9552,7 @@ rmit
 // rocher : 2014-12-18 Ferrero Trading Lux S.A.
 rocher
 
-// rocks : 2013-11-14 United TLD Holdco Ltd.
+// rocks : 2013-11-14 Dog Beach, LLC
 rocks
 
 // rodeo : 2013-12-19 Minds + Machines Group Limited
@@ -9608,7 +9594,7 @@ safety
 // sakura : 2014-12-18 SAKURA Internet Inc.
 sakura
 
-// sale : 2014-10-16 United TLD Holdco Ltd.
+// sale : 2014-10-16 Dog Beach, LLC
 sale
 
 // salon : 2014-12-11 Binky Moon, LLC
@@ -9659,7 +9645,7 @@ scb
 // schaeffler : 2015-08-06 Schaeffler Technologies AG & Co. KG
 schaeffler
 
-// schmidt : 2014-04-03 SALM S.A.S.
+// schmidt : 2014-04-03 SCHMIDT GROUPE S.A.S.
 schmidt
 
 // scholarships : 2014-04-24 Scholarships.com, LLC
@@ -9701,7 +9687,7 @@ security
 // seek : 2014-12-04 Seek Limited
 seek
 
-// select : 2015-10-08 iSelect Ltd
+// select : 2015-10-08 Registry Services, LLC
 select
 
 // sener : 2014-10-24 Sener Ingeniería y Sistemas, S.A.
@@ -9743,7 +9729,7 @@ shell
 // shia : 2014-09-04 Asia Green IT System Bilgisayar San. ve Tic. Ltd. Sti.
 shia
 
-// shiksha : 2013-11-14 Afilias plc
+// shiksha : 2013-11-14 Afilias Limited
 shiksha
 
 // shoes : 2013-10-02 Binky Moon, LLC
@@ -9779,7 +9765,7 @@ singles
 // site : 2015-01-15 DotSite Inc.
 site
 
-// ski : 2015-04-09 Afilias plc
+// ski : 2015-04-09 Afilias Limited
 ski
 
 // skin : 2015-01-15 L'Oréal
@@ -9791,7 +9777,7 @@ sky
 // skype : 2014-12-18 Microsoft Corporation
 skype
 
-// sling : 2015-07-30 Hughes Satellite Systems Corporation
+// sling : 2015-07-30 DISH Technologies L.L.C.
 sling
 
 // smart : 2015-07-09 Smart Communications, Inc. (SMART)
@@ -9806,13 +9792,13 @@ sncf
 // soccer : 2015-03-26 Binky Moon, LLC
 soccer
 
-// social : 2013-11-07 United TLD Holdco Ltd.
+// social : 2013-11-07 Dog Beach, LLC
 social
 
-// softbank : 2015-07-02 SoftBank Corp.
+// softbank : 2015-07-02 SoftBank Group Corp.
 softbank
 
-// software : 2014-03-20 United TLD Holdco Ltd.
+// software : 2014-03-20 Dog Beach, LLC
 software
 
 // sohu : 2013-12-19 Sohu.com Limited
@@ -9833,6 +9819,9 @@ sony
 // soy : 2014-01-23 Charleston Road Registry Inc.
 soy
 
+// spa : 2019-09-19 Asia Spa and Wellness Promotion Council Limited
+spa
+
 // space : 2014-04-03 DotSpace Inc.
 space
 
@@ -9848,9 +9837,6 @@ spreadbetting
 // srl : 2015-05-07 InterNetX, Corp
 srl
 
-// srt : 2015-07-30 FCA US LLC.
-srt
-
 // stada : 2014-11-13 STADA Arzneimittel AG
 stada
 
@@ -9860,9 +9846,6 @@ staples
 // star : 2015-01-08 Star India Private Limited
 star
 
-// starhub : 2015-02-05 StarHub Ltd
-starhub
-
 // statebank : 2015-03-12 STATE BANK OF INDIA
 statebank
 
@@ -9887,7 +9870,7 @@ store
 // stream : 2016-01-08 dot Stream Limited
 stream
 
-// studio : 2015-02-11 United TLD Holdco Ltd.
+// studio : 2015-02-11 Dog Beach, LLC
 studio
 
 // study : 2014-12-11 OPEN UNIVERSITIES AUSTRALIA PTY LTD
@@ -10115,16 +10098,13 @@ ubank
 // ubs : 2014-12-11 UBS AG
 ubs
 
-// uconnect : 2015-07-30 FCA US LLC.
-uconnect
-
 // unicom : 2015-10-15 China United Network Communications Corporation Limited
 unicom
 
 // university : 2014-03-06 Binky Moon, LLC
 university
 
-// uno : 2013-09-11 Dot Latin LLC
+// uno : 2013-09-11 DotSite Inc.
 uno
 
 // uol : 2014-05-01 UBN INTERNET LTDA.
@@ -10151,16 +10131,16 @@ ventures
 // verisign : 2015-08-13 VeriSign, Inc.
 verisign
 
-// versicherung : 2014-03-20 TLD-BOX Registrydienstleistungen GmbH
+// versicherung : 2014-03-20 tldbox GmbH
 versicherung
 
-// vet : 2014-03-06 United TLD Holdco Ltd.
+// vet : 2014-03-06 Dog Beach, LLC
 vet
 
 // viajes : 2013-10-17 Binky Moon, LLC
 viajes
 
-// video : 2014-10-16 United TLD Holdco Ltd.
+// video : 2014-10-16 Dog Beach, LLC
 video
 
 // vig : 2015-05-14 VIENNA INSURANCE GROUP AG Wiener Versicherung Gruppe
@@ -10238,9 +10218,6 @@ wang
 // wanggou : 2014-12-18 Amazon Registry Services, Inc.
 wanggou
 
-// warman : 2015-06-18 Weir Group IP Limited
-warman
-
 // watch : 2013-11-14 Binky Moon, LLC
 watch
 
@@ -10355,7 +10332,7 @@ xin
 // xn--3bst00m : 2013-09-13 Eagle Horizon Limited
 集团
 
-// xn--3ds443g : 2013-09-08 TLD REGISTRY LIMITED
+// xn--3ds443g : 2013-09-08 TLD REGISTRY LIMITED OY
 在线
 
 // xn--3oq18vl8pn36a : 2015-07-02 Volkswagen (China) Investment Co., Ltd.
@@ -10385,7 +10362,7 @@ xin
 // xn--5tzm5g : 2014-12-22 Global Website TLD Asia Limited
 网站
 
-// xn--6frz82g : 2013-09-23 Afilias plc
+// xn--6frz82g : 2013-09-23 Afilias Limited
 移动
 
 // xn--6qq986b3xl : 2013-09-13 Tycoon Treasure Limited
@@ -10433,7 +10410,7 @@ xin
 // xn--cg4bki : 2013-09-27 SAMSUNG SDS CO., LTD
 삼성
 
-// xn--czr694b : 2014-01-16 Dot Trademark TLD Holding Company Limited
+// xn--czr694b : 2014-01-16 Internet DotTrademark Organisation Limited
 商标
 
 // xn--czrs0t : 2013-12-19 Binky Moon, LLC
@@ -10460,7 +10437,7 @@ xin
 // xn--fhbei : 2015-01-15 VeriSign Sarl
 كوم
 
-// xn--fiq228c5hs : 2013-09-08 TLD REGISTRY LIMITED
+// xn--fiq228c5hs : 2013-09-08 TLD REGISTRY LIMITED OY
 中文网
 
 // xn--fiq64b : 2013-10-14 CITIC Group Corporation
@@ -10490,7 +10467,7 @@ xin
 // xn--i1b6b1a6a2e : 2013-11-14 Public Interest Registry
 संगठन
 
-// xn--imr513n : 2014-12-11 Dot Trademark TLD Holding Company Limited
+// xn--imr513n : 2014-12-11 Internet DotTrademark Organisation Limited
 餐厅
 
 // xn--io0a7i : 2013-11-14 China Internet Network Information Center (CNNIC)
@@ -10526,9 +10503,6 @@ xin
 // xn--mgbab2bd : 2013-10-31 CORE Association
 بازار
 
-// xn--mgbb9fbpob : 2014-12-18 GreenTech Consultancy Company W.L.L.
-موبايلي
-
 // xn--mgbca7dzdo : 2015-07-30 Abu Dhabi Systems and Information Centre
 ابوظبي
 
@@ -10562,7 +10536,7 @@ xin
 // xn--nyqy26a : 2014-11-07 Stable Tone Limited
 健康
 
-// xn--otu796d : 2017-08-06 Dot Trademark TLD Holding Company Limited
+// xn--otu796d : 2017-08-06 Internet DotTrademark Organisation Limited
 招聘
 
 // xn--p1acf : 2013-12-12 Rusnames Limited
@@ -10687,6 +10661,12 @@ cc.ua
 inf.ua
 ltd.ua
 
+// Adobe : https://www.adobe.com/
+// Submitted by Ian Boston <boston@adobe.com>
+adobeaemcloud.com
+adobeaemcloud.net
+*.dev.adobeaemcloud.com
+
 // Agnat sp. z o.o. : https://domena.pl
 // Submitted by Przemyslaw Plewa <it-admin@domena.pl>
 beep.pl
@@ -10700,6 +10680,10 @@ barsy.ca
 *.compute.estate
 *.alces.network
 
+// Altervista: https://www.altervista.org
+// Submitted by Carlo Cannas <tech_staff@altervista.it>
+altervista.org
+
 // alwaysdata : https://www.alwaysdata.com
 // Submitted by Cyril <admin@alwaysdata.com>
 alwaysdata.net
@@ -10800,6 +10784,10 @@ s3-website.eu-west-2.amazonaws.com
 s3-website.eu-west-3.amazonaws.com
 s3-website.us-east-2.amazonaws.com
 
+// Amsterdam Wireless: https://www.amsterdamwireless.nl/
+// Submitted by Imre Jonk <hostmaster@amsterdamwireless.nl>
+amsw.nl
+
 // Amune : https://amune.org/
 // Submitted by Team Amune <cert@amune.org>
 t3l3p0rt.net
@@ -10813,6 +10801,12 @@ apigee.io
 // Submitted by Thomas Orozco <thomas@aptible.com>
 on-aptible.com
 
+// ASEINet : https://www.aseinet.com/
+// Submitted by Asei SEKIGUCHI <mail@aseinet.com>
+user.aseinet.ne.jp
+gv.vc
+d.gv.vc
+
 // Asociación Amigos de la Informática "Euskalamiga" : http://encounter.eus/
 // Submitted by Hector Martin <marcan@euskalencounter.org>
 user.party.eus
@@ -10828,12 +10822,6 @@ sweetpepper.org
 // Submitted by Vincent Tseng <vincenttseng@asustor.com>
 myasustor.com
 
-// Automattic Inc. : https://automattic.com/
-// Submitted by Alex Concha <alex.concha@automattic.com>
-go-vip.co
-go-vip.net
-wpcomstaging.com
-
 // AVM : https://avm.de
 // Submitted by Andreas Weise <a.weise@avm.de>
 myfritz.net
@@ -10851,6 +10839,10 @@ b-data.io
 // Submitted by Anthony Voutas <anthony@backplane.io>
 backplaneapp.io
 
+// Balena : https://www.balena.io
+// Submitted by Petros Angelatos <petrosagg@balena.io>
+balena-devices.com
+
 // Banzai Cloud
 // Submitted by Gabor Kozma <info@banzaicloud.com>
 app.banzaicloud.io
@@ -11001,8 +10993,13 @@ cloudaccess.net
 cloudcontrolled.com
 cloudcontrolapp.com
 
+// Cloudera, Inc. : https://www.cloudera.com/
+// Submitted by Philip Langdale <security@cloudera.com>
+cloudera.site
+
 // Cloudflare, Inc. : https://www.cloudflare.com/
 // Submitted by Jake Riesterer <publicsuffixlist@cloudflare.com>
+trycloudflare.com
 workers.dev
 
 // Clovyr : https://clovyr.io
@@ -11059,6 +11056,15 @@ co.no
 webhosting.be
 hosting-cluster.nl
 
+// Coordination Center for TLD RU and XN--P1AI : https://cctld.ru/en/domains/domens_ru/reserved/
+// Submitted by George Georgievsky <gug@cctld.ru>
+ac.ru
+edu.ru
+gov.ru
+int.ru
+mil.ru
+test.ru
+
 // COSIMO GmbH : http://www.cosimo.de
 // Submitted by Rene Marticke <rmarticke@cosimo.de>
 dyn.cosidns.de
@@ -11083,6 +11089,14 @@ realm.cz
 // Submitted by Jonathan Rudenberg <jonathan@cupcake.io>
 cupcake.is
 
+// Customer OCI - Oracle Dyn https://cloud.oracle.com/home https://dyn.com/dns/
+// Submitted by Gregory Drake <support@dyn.com>
+// Note: This is intended to also include customer-oci.com due to wildcards implicitly including the current label
+*.customer-oci.com
+*.oci.customer-oci.com
+*.ocp.customer-oci.com
+*.ocs.customer-oci.com
+
 // cyon GmbH : https://www.cyon.ch/
 // Submitted by Dominic Luechinger <dol@cyon.ch>
 cyon.link
@@ -11115,6 +11129,14 @@ store.dk
 *.dapps.earth
 *.bzz.dapps.earth
 
+// Dark, Inc. : https://darklang.com
+// Submitted by Paul Biggar <ops@darklang.com>
+builtwithdark.com
+
+// Datawire, Inc : https://www.datawire.io
+// Submitted by Richard Li <secalert@datawire.io>
+edgestack.me
+
 // Debian : https://www.debian.org/
 // Submitted by Peter Palfrader / Debian Sysadmin Team <dsa-publicsuffixlist@debian.org>
 debian.net
@@ -11488,6 +11510,10 @@ dynv6.net
 // Submitted by Vladimir Dudr <info@e4you.cz>
 e4.cz
 
+// En root‽ : https://en-root.org
+// Submitted by Emmanuel Raviart <emmanuel@raviart.com>
+en-root.fr
+
 // Enalean SAS: https://www.enalean.com
 // Submitted by Thomas Cottier <thomas.cottier@enalean.com>
 mytuleap.com
@@ -11717,6 +11743,10 @@ firebaseapp.com
 flynnhub.com
 flynnhosting.net
 
+// Frederik Braun https://frederik-braun.com
+// Submitted by Frederik Braun <fb@frederik-braun.com>
+0e.vc
+
 // Freebox : http://www.freebox.fr
 // Submitted by Romain Fliedel <rfliedel@freebox.fr>
 freebox-os.com
@@ -11750,8 +11780,9 @@ service.gov.uk
 gehirn.ne.jp
 usercontent.jp
 
-// Gentlent, Limited : https://www.gentlent.com
-// Submitted by Tom Klein <tklein@gentlent.com>
+// Gentlent, Inc. : https://www.gentlent.com
+// Submitted by Tom Klein <tom@gentlent.com>
+gentapps.com
 lab.ms
 
 // GitHub, Inc.
@@ -11767,6 +11798,10 @@ gitlab.io
 // Submitted by Mads Hartmann <mads@glitch.com>
 glitch.me
 
+// GMO Pepabo, Inc. : https://pepabo.com/
+// Submitted by dojineko <admin@pepabo.com>
+lolipop.io
+
 // GOV.UK Platform as a Service : https://www.cloud.service.gov.uk/
 // Submitted by Tom Whitwell <tom.whitwell@digital.cabinet-office.gov.uk>
 cloudapps.digital
@@ -11789,8 +11824,10 @@ goip.de
 // Submitted by Eduardo Vela <evn@google.com>
 run.app
 a.run.app
+web.app
 *.0emm.com
 appspot.com
+*.r.appspot.com
 blogspot.ae
 blogspot.al
 blogspot.am
@@ -11875,6 +11912,10 @@ publishproxy.com
 withgoogle.com
 withyoutube.com
 
+// Group 53, LLC : https://www.group53.com
+// Submitted by Tyler Todd <noc@nova53.net>
+awsmppl.com
+
 // Hakaran group: http://hakaran.cz
 // Submited by Arseniy Sokolov <security@hakaran.cz>
 fin.ci
@@ -11883,6 +11924,11 @@ caa.li
 ua.rs
 conf.se
 
+// Handshake : https://handshake.org
+// Submitted by Mike Damm <md@md.vc>
+hs.zone
+hs.run
+
 // Hashbang : https://hashbang.sh
 hashbang.sh
 
@@ -11913,11 +11959,14 @@ ravendb.run
 bpl.biz
 orx.biz
 ng.city
-ng.ink
 biz.gl
+ng.ink
 col.ng
+firm.ng
 gen.ng
 ltd.ng
+ngo.ng
+ng.school
 sch.so
 
 // Häkkinen.fi
@@ -11996,6 +12045,11 @@ ipifony.net
 // Submitted by Kim-Alexander Brodowski <kim.brodowski@iserv.eu>
 mein-iserv.de
 test-iserv.de
+iserv.dev
+
+// I-O DATA DEVICE, INC. : http://www.iodata.com/
+// Submitted by Yuji Minagawa <domains-admin@iodata.jp>
+iobb.net
 
 // Jino : https://www.jino.ru
 // Submitted by Sergey Ulyashin <ulyashin@jino.ru>
@@ -12023,10 +12077,19 @@ khplay.nl
 // Submitted by Martin Dannehl <postmaster@keymachine.de>
 keymachine.de
 
+// KingHost : https://king.host
+// Submitted by Felipe Keller Braz <felipebraz@kinghost.com.br>
+kinghost.net
+uni5.net
+
 // KnightPoint Systems, LLC : http://www.knightpoint.com/
 // Submitted by Roy Keene <rkeene@knightpoint.com>
 knightpoint.systems
 
+// KUROKU LTD : https://kuroku.ltd/
+// Submitted by DisposaBoy <security@oya.to>
+oya.to
+
 // .KRD : http://nic.krd/data/krd/Registration%20Policy.pdf
 co.krd
 edu.krd
@@ -12043,6 +12106,10 @@ leadpages.co
 lpages.co
 lpusercontent.com
 
+// Lelux.fi : https://lelux.fi/
+// Submitted by Lelux Admin <publisuffix@lelux.site>
+lelux.site
+
 // Lifetime Hosting : https://Lifetime.Hosting/
 // Submitted by Mike Fillator <support@lifetime.hosting>
 co.business
@@ -12374,12 +12441,14 @@ nom.al
 nym.by
 nym.bz
 nom.cl
+nym.ec
 nom.gd
 nom.ge
 nom.gl
 nym.gr
 nom.gt
 nym.gy
+nym.hk
 nom.hn
 nym.ie
 nom.im
@@ -12415,6 +12484,10 @@ nom.uy
 nom.vc
 nom.vg
 
+// Observable, Inc. : https://observablehq.com
+// Submitted by Mike Bostock <dns@observablehq.com>
+static.observableusercontent.com
+
 // Octopodal Solutions, LLC. : https://ulterius.io/
 // Submitted by Andrew Sampson <andrew@ulterius.io>
 cya.gg
@@ -12435,6 +12508,10 @@ opencraft.hosting
 // Submitted by Yngve Pettersen <yngve@opera.com>
 operaunite.com
 
+// Oursky Limited : https://skygear.io/
+// Submited by Skygear Developer <hello@skygear.io>
+skygearapp.com
+
 // OutSystems
 // Submitted by Duarte Santos <domain-admin@outsystemscloud.com>
 outsystemscloud.com
@@ -12477,6 +12554,10 @@ gotpantheon.com
 // Submitted by Steve Leung <steveleung@peplink.com>
 mypep.link
 
+// Perspecta : https://perspecta.com/
+// Submitted by Kenneth Van Alstyne <kvanalstyne@perspecta.com>
+perspecta.cloud
+
 // Planet-Work : https://www.planet-work.com/
 // Submitted by Frédéric VANNIÈRE <f.vanniere@planet-work.com>
 on-web.fr
@@ -12487,6 +12568,10 @@ on-web.fr
 // *.platform.sh
 *.platformsh.site
 
+// Port53 : https://port53.io/
+// Submitted by Maximilian Schieder <maxi@zeug.co>
+dyn53.io
+
 // Positive Codes Technology Company : http://co.bn/faq.html
 // Submitted by Zulfais <pc@co.bn>
 co.bn
@@ -12516,6 +12601,14 @@ protonet.io
 chirurgiens-dentistes-en-france.fr
 byen.site
 
+// pubtls.org: https://www.pubtls.org
+// Submitted by Kor Nielsen <kor@pubtls.org>
+pubtls.org
+
+// Qualifio : https://qualifio.com/
+// Submitted by Xavier De Cock <xdecock@gmail.com>
+qualifioapp.com
+
 // Redstar Consultants : https://www.redstarconsultants.com/
 // Submitted by Jons Slemmer <jons@redstarconsultants.com>
 instantcloud.cn
@@ -12528,6 +12621,11 @@ ras.ru
 // Submitted by Daniel Dent (https://www.danieldent.com/)
 qa2.com
 
+// QCX
+// Submitted by Cassandra Beelen <cassandra@beelen.one>
+qcx.io
+*.sys.qcx.io
+
 // QNAP System Inc : https://www.qnap.com
 // Submitted by Nick Chang <nickchang@qnap.com>
 dev-myqnapcloud.com
@@ -12550,6 +12648,7 @@ rackmaze.net
 
 // Rancher Labs, Inc : https://rancher.com
 // Submitted by Vincent Fiduccia <domains@rancher.com>
+*.on-k3s.io
 *.on-rancher.cloud
 *.on-rio.io
 
@@ -12603,6 +12702,10 @@ logoip.com
 // Submitted by Hanno Böck <hanno@schokokeks.org>
 schokokeks.net
 
+// Scottish Government: https://www.gov.scot
+// Submitted by Martin Ellis <martin.ellis@gov.scot>
+gov.scot
+
 // Scry Security : http://www.scrysec.com
 // Submitted by Shante Adam <shante@skyhat.io>
 scrysec.com
@@ -12620,11 +12723,6 @@ my-firewall.org
 myfirewall.org
 spdns.org
 
-// SensioLabs, SAS : https://sensiolabs.com/
-// Submitted by Fabien Potencier <fabien.potencier@sensiolabs.com>
-*.s5y.io
-*.sensiosite.cloud
-
 // Service Online LLC : http://drs.ua/
 // Submitted by Serhii Bulakh <support@drs.ua>
 biz.ua
@@ -12639,6 +12737,10 @@ shiftedit.io
 // Submitted by Alex Bowers <alex@shopblocks.com>
 myshopblocks.com
 
+// Shopit : https://www.shopitcommerce.com/
+// Submitted by Craig McMahon <craig@shopitcommerce.com>
+shopitsite.com
+
 // Siemens Mobility GmbH
 // Submitted by Oliver Graebner <security@mo-siemens.io>
 mo-siemens.io
@@ -12710,6 +12812,11 @@ temp-dns.com
 applicationcloud.io
 scapp.io
 
+// Symfony, SAS : https://symfony.com/
+// Submitted by Fabien Potencier <fabien@symfony.com>
+*.s5y.io
+*.sensiosite.cloud
+
 // Syncloud : https://syncloud.org
 // Submitted by Boris Rybalkin <syncloud@syncloud.it>
 syncloud.it
@@ -12730,6 +12837,7 @@ i234.me
 myds.me
 synology.me
 vpnplus.to
+direct.quickconnect.to
 
 // TAIFUN Software AG : http://taifun-software.de
 // Submitted by Bjoern Henke <dev-server@taifun-software.de>
@@ -12859,10 +12967,18 @@ v-info.info
 // Submitted by Nathan van Bakel <info@voorloper.com>
 voorloper.cloud
 
+// V.UA Domain Administrator : https://domain.v.ua/
+// Submitted by Serhii Rostilo <sergey@rostilo.kiev.ua>
+v.ua
+
 // Waffle Computer Inc., Ltd. : https://docs.waffleinfo.com
 // Submitted by Masayuki Note <masa@blade.wafflecell.com>
 wafflecell.com
 
+// WebHare bv: https://www.webhare.com/
+// Submitted by Arnold Hendriks <info@webhare.com>
+*.webhare.dev
+
 // WeDeploy by Liferay, Inc. : https://www.wedeploy.com
 // Submitted by Henrique Vicente <security@wedeploy.com>
 wedeploy.io
@@ -12893,6 +13009,12 @@ cistron.nl
 demon.nl
 xs4all.space
 
+// Yandex.Cloud LLC: https://cloud.yandex.com
+// Submitted by Alexander Lodin <security+psl@yandex-team.ru>
+yandexcloud.net
+storage.yandexcloud.net
+website.yandexcloud.net
+
 // YesCourse Pty Ltd : https://yescourse.com
 // Submitted by Atul Bhouraskar <atul@yescourse.com>
 official.academy
@@ -12936,8 +13058,4 @@ virtualserver.io
 site.builder.nu
 enterprisecloud.nu
 
-// Zone.id : https://zone.id/
-// Submitted by Su Hendro <admin@zone.id>
-zone.id
-
-// ===END PRIVATE DOMAINS===
-\ No newline at end of file
+// ===END PRIVATE DOMAINS===
diff --git a/chromium/net/base/registry_controlled_domains/effective_tld_names.gperf b/chromium/net/base/registry_controlled_domains/effective_tld_names.gperf
index e8bd23fa812..88a65fc6a8d 100644
--- a/chromium/net/base/registry_controlled_domains/effective_tld_names.gperf
+++ b/chromium/net/base/registry_controlled_domains/effective_tld_names.gperf
@@ -13,6 +13,7 @@ struct DomainRule {
 %%
 0.bg, 0
 001www.com, 4
+0e.vc, 4
 0emm.com, 6
 1.bg, 0
 12hp.at, 4
@@ -102,7 +103,7 @@ ac.nz, 0
 ac.pa, 0
 ac.pr, 0
 ac.rs, 0
-ac.ru, 0
+ac.ru, 4
 ac.rw, 0
 ac.se, 0
 ac.sz, 0
@@ -136,6 +137,8 @@ ad.jp, 0
 adac, 0
 adachi.tokyo.jp, 0
 adm.br, 0
+adobeaemcloud.com, 4
+adobeaemcloud.net, 4
 ads, 0
 adult, 0
 adult.ht, 0
@@ -255,6 +258,7 @@ alstahaug.no, 0
 alstom, 0
 alt.za, 0
 alta.no, 0
+altervista.org, 4
 alto-adige.it, 0
 altoadige.it, 0
 alvdal.no, 0
@@ -285,6 +289,7 @@ amli.no, 0
 amot.no, 0
 amsterdam, 0
 amsterdam.museum, 0
+amsw.nl, 4
 amusement.aero, 0
 an.it, 0
 analytics, 0
@@ -514,6 +519,7 @@ aw, 0
 awaji.hyogo.jp, 0
 awdev.ca, 6
 aws, 0
+awsmppl.com, 4
 ax, 0
 axa, 0
 axis.museum, 0
@@ -554,6 +560,7 @@ bajddar.no, 0
 balashov.su, 4
 balat.no, 0
 bale.museum, 0
+balena-devices.com, 4
 balestrand.no, 0
 ballangen.no, 0
 ballooning.aero, 0
@@ -726,6 +733,7 @@ biz.nr, 0
 biz.pk, 0
 biz.pl, 0
 biz.pr, 0
+biz.ss, 0
 biz.tj, 0
 biz.tr, 0
 biz.tt, 0
@@ -836,7 +844,6 @@ bms, 0
 bmw, 0
 bn, 0
 bn.it, 0
-bnl, 0
 bnpparibas, 0
 bnr.la, 4
 bo, 0
@@ -930,6 +937,7 @@ bugatti, 0
 build, 0
 builders, 0
 building.museum, 0
+builtwithdark.com, 4
 bukhara.su, 4
 bulsan-sudtirol.it, 0
 bulsan-suedtirol.it, 0
@@ -1018,7 +1026,6 @@ carraramassa.it, 0
 carrd.co, 4
 carrier.museum, 0
 cars, 0
-cartier, 0
 cartoonart.museum, 0
 casa, 0
 casacam.net, 4
@@ -1037,6 +1044,7 @@ catanzaro.it, 0
 catering, 0
 catering.aero, 0
 catholic, 0
+catholic.edu.au, 0
 caxias.br, 0
 cb.it, 0
 cba, 0
@@ -1186,7 +1194,6 @@ choyo.kumamoto.jp, 0
 christiansburg.museum, 0
 christmas, 0
 chrome, 0
-chrysler, 0
 chtr.k12.ma.us, 0
 chungbuk.kr, 0
 chungnam.kr, 0
@@ -1253,6 +1260,7 @@ cloudapps.digital, 4
 cloudcontrolapp.com, 4
 cloudcontrolled.com, 4
 cloudeity.net, 4
+cloudera.site, 4
 cloudfront.net, 4
 cloudfunctions.net, 4
 cloudns.asia, 4
@@ -1491,6 +1499,7 @@ com.sh, 0
 com.sl, 0
 com.sn, 0
 com.so, 0
+com.ss, 0
 com.st, 0
 com.sv, 0
 com.sy, 0
@@ -1574,6 +1583,7 @@ county.museum, 0
 coupon, 0
 coupons, 0
 courses, 0
+cpa, 0
 cpa.pro, 0
 cq.cn, 0
 cr, 0
@@ -1617,6 +1627,7 @@ cust.disrec.thingdust.io, 4
 cust.prod.thingdust.io, 4
 cust.testing.thingdust.io, 4
 custom.metacentrum.cz, 4
+customer-oci.com, 6
 customer.enonic.io, 4
 customer.speedpartner.de, 4
 cv, 0
@@ -1638,6 +1649,7 @@ cz.it, 0
 czeladz.pl, 0
 czest.pl, 0
 d.bg, 0
+d.gv.vc, 4
 d.se, 0
 dabur, 0
 dad, 0
@@ -1725,6 +1737,7 @@ design.museum, 0
 detroit.museum, 0
 dev, 0
 dev-myqnapcloud.com, 4
+dev.adobeaemcloud.com, 6
 dev.static.land, 4
 development.run, 4
 devices.resinstaging.io, 4
@@ -1739,6 +1752,7 @@ diet, 0
 digital, 0
 dinosaur.museum, 0
 direct, 0
+direct.quickconnect.to, 4
 directory, 0
 discount, 0
 discourse.group, 4
@@ -1777,7 +1791,6 @@ dnsupdater.de, 4
 do, 0
 docs, 0
 doctor, 0
-dodge, 0
 does-it.net, 4
 doesntexist.com, 4
 doesntexist.org, 4
@@ -1822,7 +1835,6 @@ dubai, 0
 duck, 0
 duckdns.org, 4
 dunlop, 0
-duns, 0
 dupont, 0
 durban, 0
 durham.museum, 0
@@ -1839,6 +1851,7 @@ dyn-vpn.de, 4
 dyn.cosidns.de, 4
 dyn.ddnss.de, 4
 dyn.home-webserver.de, 4
+dyn53.io, 4
 dynalias.com, 4
 dynalias.net, 4
 dynalias.org, 4
@@ -1902,6 +1915,7 @@ ed.cr, 0
 ed.jp, 0
 ed.pw, 0
 edeka, 0
+edgestack.me, 4
 edogawa.tokyo.jp, 0
 edu, 0
 edu.ac, 0
@@ -2000,7 +2014,7 @@ edu.pt, 0
 edu.py, 0
 edu.qa, 0
 edu.rs, 0
-edu.ru, 0
+edu.ru, 4
 edu.sa, 0
 edu.sb, 0
 edu.sc, 0
@@ -2008,6 +2022,8 @@ edu.sd, 0
 edu.sg, 0
 edu.sl, 0
 edu.sn, 0
+edu.so, 0
+edu.ss, 0
 edu.st, 0
 edu.sv, 0
 edu.sy, 0
@@ -2028,6 +2044,7 @@ edu.za, 0
 edu.zm, 0
 education, 0
 education.museum, 0
+education.tas.edu.au, 0
 educational.museum, 0
 educator.aero, 0
 edugit.org, 4
@@ -2067,6 +2084,7 @@ emiliaromagna.it, 0
 emp.br, 0
 empresa.bo, 0
 emr.it, 0
+en-root.fr, 4
 en.it, 0
 ena.gifu.jp, 0
 encyclopedic.museum, 0
@@ -2095,6 +2113,7 @@ environment.museum, 0
 environmentalconservation.museum, 0
 epilepsy.museum, 0
 epson, 0
+eq.edu.au, 0
 equipment, 0
 equipment.aero, 0
 er, 2
@@ -2148,7 +2167,6 @@ eus, 0
 evenassi.no, 0
 evenes.no, 0
 events, 0
-everbank, 0
 evje-og-hornnes.no, 0
 ex.futurecms.at, 6
 ex.ortsinfo.at, 6
@@ -2261,6 +2279,7 @@ firm.dk, 4
 firm.ht, 0
 firm.in, 0
 firm.nf, 0
+firm.ng, 4
 firm.ro, 0
 firm.ve, 0
 firmdale, 0
@@ -2541,6 +2560,7 @@ garden.museum, 0
 gateway.museum, 0
 gaular.no, 0
 gausdal.no, 0
+gay, 0
 gb, 0
 gb.com, 4
 gb.net, 4
@@ -2570,6 +2590,7 @@ genkai.saga.jp, 0
 genoa.it, 0
 genova.it, 0
 gent, 0
+gentapps.com, 4
 genting, 0
 geology.museum, 0
 geometre-expert.fr, 0
@@ -2633,8 +2654,6 @@ gmo, 0
 gmx, 0
 gn, 0
 gniezno.pl, 0
-go-vip.co, 4
-go-vip.net, 4
 go.ci, 0
 go.cr, 0
 go.dyndns.org, 4
@@ -2806,15 +2825,18 @@ gov.pt, 0
 gov.py, 0
 gov.qa, 0
 gov.rs, 0
-gov.ru, 0
+gov.ru, 4
 gov.rw, 0
 gov.sa, 0
 gov.sb, 0
 gov.sc, 0
+gov.scot, 4
 gov.sd, 0
 gov.sg, 0
 gov.sh, 0
 gov.sl, 0
+gov.so, 0
+gov.ss, 0
 gov.st, 0
 gov.sx, 0
 gov.sy, 0
@@ -2916,6 +2938,7 @@ guru, 0
 gushikami.okinawa.jp, 0
 gv.ao, 0
 gv.at, 0
+gv.vc, 4
 gw, 0
 gwangju.kr, 0
 gwiddle.co.uk, 4
@@ -3178,7 +3201,6 @@ honai.ehime.jp, 0
 honbetsu.hokkaido.jp, 0
 honda, 0
 honefoss.no, 0
-honeywell, 0
 hongo.hiroshima.jp, 0
 honjo.akita.jp, 0
 honjo.saitama.jp, 0
@@ -3211,6 +3233,8 @@ hoylandet.no, 0
 hr, 0
 hr.eu.org, 4
 hs.kr, 0
+hs.run, 4
+hs.zone, 4
 hsbc, 0
 ht, 0
 hu, 0
@@ -3429,7 +3453,7 @@ int.mv, 0
 int.mw, 0
 int.ni, 0
 int.pt, 0
-int.ru, 0
+int.ru, 4
 int.tj, 0
 int.tt, 0
 int.ve, 0
@@ -3445,6 +3469,7 @@ inuyama.aichi.jp, 0
 investments, 0
 inzai.chiba.jp, 0
 io, 0
+iobb.net, 4
 ip6.arpa, 0
 ipifony.net, 4
 ipiranga, 0
@@ -3543,9 +3568,9 @@ isa.us, 0
 isahaya.nagasaki.jp, 0
 ise.mie.jp, 0
 isehara.kanagawa.jp, 0
-iselect, 0
 isen.kagoshima.jp, 0
 isernia.it, 0
+iserv.dev, 4
 isesaki.gunma.jp, 0
 ishigaki.okinawa.jp, 0
 ishikari.hokkaido.jp, 0
@@ -3940,6 +3965,7 @@ kimobetsu.hokkaido.jp, 0
 kin.okinawa.jp, 0
 kinder, 0
 kindle, 0
+kinghost.net, 4
 kinko.kagoshima.jp, 0
 kinokawa.wakayama.jp, 0
 kira.aichi.jp, 0
@@ -4170,7 +4196,6 @@ lab.ms, 4
 labor.museum, 0
 labour.museum, 0
 lacaixa, 0
-ladbrokes, 0
 lahppi.no, 0
 lajolla.museum, 0
 lakas.hu, 0
@@ -4180,7 +4205,6 @@ lanbib.se, 0
 lancashire.museum, 0
 lancaster, 0
 lancia, 0
-lancome, 0
 land, 0
 land-4-sale.us, 4
 landes.museum, 0
@@ -4238,6 +4262,7 @@ leitungsen.de, 4
 leka.no, 0
 leksvik.no, 0
 lel.br, 0
+lelux.site, 4
 lenug.su, 4
 lenvik.no, 0
 lerdal.no, 0
@@ -4349,6 +4374,7 @@ livorno.it, 0
 lixil, 0
 lk, 0
 llc, 0
+llp, 0
 ln.cn, 0
 lo.it, 0
 loabat.no, 0
@@ -4371,6 +4397,7 @@ logistics.aero, 0
 logoip.com, 4
 logoip.de, 4
 lol, 0
+lolipop.io, 4
 lom.it, 0
 lom.no, 0
 lombardia.it, 0
@@ -4558,6 +4585,7 @@ me, 0
 me.eu.org, 4
 me.it, 0
 me.ke, 0
+me.so, 0
 me.tz, 0
 me.uk, 0
 me.us, 0
@@ -4689,7 +4717,7 @@ mil.ph, 0
 mil.pl, 0
 mil.py, 0
 mil.qa, 0
-mil.ru, 0
+mil.ru, 4
 mil.rw, 0
 mil.sh, 0
 mil.st, 0
@@ -4828,7 +4856,6 @@ mobi.ng, 0
 mobi.tt, 0
 mobi.tz, 0
 mobile, 0
-mobily, 0
 mochizuki.nagano.jp, 0
 mod.gi, 0
 moda, 0
@@ -4861,7 +4888,6 @@ monzaebrianza.it, 0
 monzaedellabrianza.it, 0
 moonscale.io, 6
 moonscale.net, 4
-mopar, 0
 mordovia.ru, 4
 mordovia.su, 4
 morena.br, 0
@@ -5284,6 +5310,7 @@ net.sg, 0
 net.sh, 0
 net.sl, 0
 net.so, 0
+net.ss, 0
 net.st, 0
 net.sy, 0
 net.th, 0
@@ -5335,8 +5362,10 @@ ng, 0
 ng.city, 4
 ng.eu.org, 4
 ng.ink, 4
+ng.school, 4
 ngo, 0
 ngo.lk, 0
+ngo.ng, 4
 ngo.ph, 0
 ngo.za, 0
 ngrok.io, 4
@@ -5348,6 +5377,7 @@ nhs.uk, 0
 ni, 0
 nic.in, 0
 nic.tj, 0
+nic.za, 0
 nichinan.miyazaki.jp, 0
 nichinan.tottori.jp, 0
 nico, 0
@@ -5534,12 +5564,10 @@ ntt, 0
 nu, 0
 nu.ca, 0
 nu.it, 0
-nuernberg.museum, 0
 numata.gunma.jp, 0
 numata.hokkaido.jp, 0
 numazu.shizuoka.jp, 0
 nuoro.it, 0
-nuremberg.museum, 0
 nv.us, 0
 nx.cn, 0
 ny.us, 0
@@ -5548,8 +5576,10 @@ nyc.mn, 4
 nyc.museum, 0
 nym.by, 4
 nym.bz, 4
+nym.ec, 4
 nym.gr, 4
 nym.gy, 4
+nym.hk, 4
 nym.ie, 4
 nym.kz, 4
 nym.la, 4
@@ -5590,6 +5620,9 @@ obuse.nagano.jp, 0
 oceanographic.museum, 0
 oceanographique.museum, 0
 ochi.kochi.jp, 0
+oci.customer-oci.com, 6
+ocp.customer-oci.com, 6
+ocs.customer-oci.com, 6
 od.ua, 0
 odate.akita.jp, 0
 odawara.kanagawa.jp, 0
@@ -5696,6 +5729,7 @@ omotego.fukushima.jp, 0
 omura.nagasaki.jp, 0
 omuta.fukuoka.jp, 0
 on-aptible.com, 4
+on-k3s.io, 6
 on-rancher.cloud, 6
 on-rio.io, 6
 on-the-web.tv, 4
@@ -5880,6 +5914,7 @@ org.sh, 0
 org.sl, 0
 org.sn, 0
 org.so, 0
+org.ss, 0
 org.st, 0
 org.sv, 0
 org.sy, 0
@@ -5976,6 +6011,7 @@ ownprovider.com, 4
 ox.rs, 4
 oxford.museum, 0
 oy.lc, 4
+oya.to, 4
 oyabe.toyama.jp, 0
 oyama.tochigi.jp, 0
 oyamazaki.kyoto.jp, 0
@@ -6051,6 +6087,7 @@ per.sg, 0
 perso.ht, 0
 perso.sn, 0
 perso.tn, 0
+perspecta.cloud, 4
 perugia.it, 0
 pesaro-urbino.it, 0
 pesarourbino.it, 0
@@ -6083,7 +6120,6 @@ pi.gov.br, 0
 pi.it, 0
 pi.leg.br, 4
 piacenza.it, 0
-piaget, 0
 pics, 0
 pictet, 0
 pictures, 0
@@ -6255,6 +6291,7 @@ publ.pt, 0
 public.museum, 0
 publishproxy.com, 4
 pubol.museum, 0
+pubtls.org, 4
 pueblo.bo, 0
 pug.it, 0
 puglia.it, 0
@@ -6275,18 +6312,21 @@ qa, 0
 qa2.com, 4
 qc.ca, 0
 qc.com, 4
+qcx.io, 4
 qh.cn, 0
 qld.au, 0
 qld.edu.au, 0
 qld.gov.au, 0
 qpon, 0
 qsl.br, 0
+qualifioapp.com, 4
 quebec, 0
 quebec.museum, 0
 quest, 0
 quicksytes.com, 4
 quipelements.com, 6
 qvc, 0
+r.appspot.com, 6
 r.bg, 0
 r.cdn77.net, 4
 r.se, 0
@@ -6709,6 +6749,7 @@ school.museum, 0
 school.na, 0
 school.nz, 0
 school.za, 0
+schools.nsw.edu.au, 0
 schule, 0
 schwarz, 0
 schweiz.museum, 0
@@ -6931,6 +6972,7 @@ shop.hu, 0
 shop.pl, 0
 shop.ro, 4
 shop.th, 4
+shopitsite.com, 4
 shopping, 0
 shouji, 0
 show, 0
@@ -6990,6 +7032,7 @@ skodje.no, 0
 skole.museum, 0
 sky, 0
 skydiving.aero, 0
+skygearapp.com, 4
 skype, 0
 sl, 0
 slask.pl, 0
@@ -7069,6 +7112,7 @@ soy, 0
 sp.gov.br, 0
 sp.it, 0
 sp.leg.br, 4
+spa, 0
 space, 0
 space-to-rent.com, 4
 space.museum, 0
@@ -7094,8 +7138,8 @@ sr, 0
 sr.gov.pl, 0
 sr.it, 0
 srl, 0
-srt, 0
 srv.br, 0
+ss, 0
 ss.it, 0
 ssl.origin.cdn77-secure.org, 4
 st, 0
@@ -7112,7 +7156,6 @@ staples, 0
 star, 0
 starachowice.pl, 0
 stargard.pl, 0
-starhub, 0
 starnberg.museum, 0
 starostwo.gov.pl, 0
 stat.no, 0
@@ -7123,6 +7166,7 @@ stateofdelaware.museum, 0
 stathelle.no, 0
 static-access.net, 4
 static.land, 4
+static.observableusercontent.com, 4
 statics.cloud, 6
 station.museum, 0
 stavanger.no, 0
@@ -7143,6 +7187,7 @@ stokke.no, 0
 stolos.io, 6
 stor-elvdal.no, 0
 storage, 0
+storage.yandexcloud.net, 4
 stord.no, 0
 stordal.no, 0
 store, 0
@@ -7233,6 +7278,7 @@ syno-ds.de, 4
 synology-diskstation.de, 4
 synology-ds.de, 4
 synology.me, 4
+sys.qcx.io, 6
 systems, 0
 sytes.net, 4
 sz, 0
@@ -7393,7 +7439,7 @@ terni.it, 0
 ternopil.ua, 0
 teshikaga.hokkaido.jp, 0
 test-iserv.de, 4
-test.ru, 0
+test.ru, 4
 test.tj, 0
 teva, 0
 texas.museum, 0
@@ -7635,6 +7681,7 @@ trust, 0
 trust.museum, 0
 trustee.museum, 0
 trv, 0
+trycloudflare.com, 4
 trysil.no, 0
 ts.it, 0
 tselinograd.su, 4
@@ -7723,7 +7770,6 @@ uchihara.ibaraki.jp, 0
 uchiko.ehime.jp, 0
 uchinada.ishikawa.jp, 0
 uchinomi.kagawa.jp, 0
-uconnect, 0
 ud.it, 0
 uda.nara.jp, 0
 udi.br, 0
@@ -7762,6 +7808,7 @@ umi.fukuoka.jp, 0
 umig.gov.pl, 0
 unazuki.toyama.jp, 0
 undersea.museum, 0
+uni5.net, 4
 unicom, 0
 union.aero, 0
 univ.sn, 0
@@ -7814,6 +7861,7 @@ usarts.museum, 0
 uscountryestate.museum, 0
 usculture.museum, 0
 usdecorativearts.museum, 0
+user.aseinet.ne.jp, 4
 user.party.eus, 4
 user.srcf.net, 4
 usercontent.jp, 4
@@ -7847,6 +7895,7 @@ uzhgorod.ua, 0
 uzs.gov.pl, 0
 v-info.info, 4
 v.bg, 0
+v.ua, 4
 va, 0
 va.it, 0
 va.no, 0
@@ -8028,7 +8077,6 @@ wanggou, 0
 wanouchi.gifu.jp, 0
 war.museum, 0
 warabi.saitama.jp, 0
-warman, 0
 warmia.pl, 0
 warszawa.pl, 0
 washingtondc.museum, 0
@@ -8045,6 +8093,7 @@ wazuka.kyoto.jp, 0
 we.bs, 4
 weather, 0
 weatherchannel, 0
+web.app, 4
 web.bo, 0
 web.co, 0
 web.do, 0
@@ -8060,6 +8109,7 @@ web.ve, 0
 web.za, 0
 webcam, 0
 weber, 0
+webhare.dev, 6
 webhop.biz, 4
 webhop.info, 4
 webhop.me, 4
@@ -8068,6 +8118,7 @@ webhop.org, 4
 webhosting.be, 4
 webredirect.org, 4
 website, 0
+website.yandexcloud.net, 4
 webspace.rocks, 4
 wed, 0
 wedding, 0
@@ -8125,7 +8176,6 @@ workshop.museum, 0
 world, 0
 worse-than.tv, 4
 wow, 0
-wpcomstaging.com, 4
 wpdevcloud.com, 4
 writesthisblog.com, 4
 wroc.pl, 4
@@ -8399,10 +8449,10 @@ xn--mgba7c0bbn0a, 0
 xn--mgbaakc7dvf, 0
 xn--mgbaam7a8h, 0
 xn--mgbab2bd, 0
+xn--mgbah1a3hjkrd, 0
 xn--mgbai9a5eva00b, 0
 xn--mgbai9azgqp6j, 0
 xn--mgbayh7gpa, 0
-xn--mgbb9fbpob, 0
 xn--mgbbh1a, 0
 xn--mgbbh1a71e, 0
 xn--mgbc0a9azcg, 0
@@ -8654,6 +8704,7 @@ yame.fukuoka.jp, 0
 yanagawa.fukuoka.jp, 0
 yanaizu.fukushima.jp, 0
 yandex, 0
+yandexcloud.net, 4
 yao.osaka.jp, 0
 yaotsu.gifu.jp, 0
 yasaka.nagano.jp, 0
@@ -8762,7 +8813,6 @@ zj.cn, 0
 zlg.br, 0
 zm, 0
 zone, 0
-zone.id, 4
 zoological.museum, 0
 zoology.museum, 0
 zp.gov.pl, 0
diff --git a/chromium/net/base/upload_file_element_reader_unittest.cc b/chromium/net/base/upload_file_element_reader_unittest.cc
index 1b5584ca893..6b813071d10 100644
--- a/chromium/net/base/upload_file_element_reader_unittest.cc
+++ b/chromium/net/base/upload_file_element_reader_unittest.cc
@@ -327,7 +327,7 @@ TEST_P(UploadFileElementReaderTest, WrongPath) {
   EXPECT_THAT(init_callback.WaitForResult(), IsError(ERR_FILE_NOT_FOUND));
 }
 
-INSTANTIATE_TEST_SUITE_P(,
+INSTANTIATE_TEST_SUITE_P(All,
                          UploadFileElementReaderTest,
                          testing::ValuesIn({false, true}));
 
diff --git a/chromium/net/base/url_util_unittest.cc b/chromium/net/base/url_util_unittest.cc
index 5785c7058aa..ae61d395303 100644
--- a/chromium/net/base/url_util_unittest.cc
+++ b/chromium/net/base/url_util_unittest.cc
@@ -383,7 +383,7 @@ TEST_P(UrlUtilNonUniqueNameTest, IsHostnameNonUnique) {
   EXPECT_EQ(test_data.is_unique, IsUnique(test_data.hostname));
 }
 
-INSTANTIATE_TEST_SUITE_P(,
+INSTANTIATE_TEST_SUITE_P(All,
                          UrlUtilNonUniqueNameTest,
                          testing::ValuesIn(kNonUniqueNameTestData));
 
diff --git a/chromium/net/cert/cert_database_mac.cc b/chromium/net/cert/cert_database_mac.cc
index c7551e3f17f..c5dedce0668 100644
--- a/chromium/net/cert/cert_database_mac.cc
+++ b/chromium/net/cert/cert_database_mac.cc
@@ -10,7 +10,6 @@
 #include "base/location.h"
 #include "base/logging.h"
 #include "base/mac/mac_logging.h"
-#include "base/message_loop/message_loop.h"
 #include "base/message_loop/message_loop_current.h"
 #include "base/process/process_handle.h"
 #include "base/single_thread_task_runner.h"
diff --git a/chromium/net/cert/cert_net_fetcher.h b/chromium/net/cert/cert_net_fetcher.h
index 484f90ac436..a61d083fbc9 100644
--- a/chromium/net/cert/cert_net_fetcher.h
+++ b/chromium/net/cert/cert_net_fetcher.h
@@ -19,6 +19,8 @@ class GURL;
 
 namespace net {
 
+class NetworkIsolationKey;
+
 // CertNetFetcher is a synchronous interface for fetching AIA URLs and CRL
 // URLs. It is shared between a caller thread (which starts and waits for
 // fetches), and a network thread (which does the actual fetches). It can be
@@ -67,16 +69,19 @@ class NET_EXPORT CertNetFetcher
 
   virtual WARN_UNUSED_RESULT std::unique_ptr<Request> FetchCaIssuers(
       const GURL& url,
+      const NetworkIsolationKey& network_isolation_key,
       int timeout_milliseconds,
       int max_response_bytes) = 0;
 
   virtual WARN_UNUSED_RESULT std::unique_ptr<Request> FetchCrl(
       const GURL& url,
+      const NetworkIsolationKey& network_isolation_key,
       int timeout_milliseconds,
       int max_response_bytes) = 0;
 
   virtual WARN_UNUSED_RESULT std::unique_ptr<Request> FetchOcsp(
       const GURL& url,
+      const NetworkIsolationKey& network_isolation_key,
       int timeout_milliseconds,
       int max_response_bytes) = 0;
 
diff --git a/chromium/net/cert/cert_status_flags.cc b/chromium/net/cert/cert_status_flags.cc
index e4b403565c5..b7b9e92cf5c 100644
--- a/chromium/net/cert/cert_status_flags.cc
+++ b/chromium/net/cert/cert_status_flags.cc
@@ -47,6 +47,8 @@ CertStatus MapNetErrorToCertStatus(int error) {
       return CERT_STATUS_VALIDITY_TOO_LONG;
     case ERR_CERT_SYMANTEC_LEGACY:
       return CERT_STATUS_SYMANTEC_LEGACY;
+    case ERR_CERT_KNOWN_INTERCEPTION_BLOCKED:
+      return (CERT_STATUS_KNOWN_INTERCEPTION_BLOCKED | CERT_STATUS_REVOKED);
     default:
       return 0;
   }
@@ -57,14 +59,16 @@ int MapCertStatusToNetError(CertStatus cert_status) {
   // serious error.
 
   // Unrecoverable errors
-  if (cert_status & CERT_STATUS_REVOKED)
-    return ERR_CERT_REVOKED;
   if (cert_status & CERT_STATUS_INVALID)
     return ERR_CERT_INVALID;
   if (cert_status & CERT_STATUS_PINNED_KEY_MISSING)
     return ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN;
 
-  // Recoverable errors
+  // Potentially recoverable errors
+  if (cert_status & CERT_STATUS_KNOWN_INTERCEPTION_BLOCKED)
+    return ERR_CERT_KNOWN_INTERCEPTION_BLOCKED;
+  if (cert_status & CERT_STATUS_REVOKED)
+    return ERR_CERT_REVOKED;
   if (cert_status & CERT_STATUS_AUTHORITY_INVALID)
     return ERR_CERT_AUTHORITY_INVALID;
   if (cert_status & CERT_STATUS_COMMON_NAME_INVALID)
@@ -85,13 +89,12 @@ int MapCertStatusToNetError(CertStatus cert_status) {
     return ERR_CERT_DATE_INVALID;
   if (cert_status & CERT_STATUS_VALIDITY_TOO_LONG)
     return ERR_CERT_VALIDITY_TOO_LONG;
-
-  // Unknown status.  Give it the benefit of the doubt.
   if (cert_status & CERT_STATUS_UNABLE_TO_CHECK_REVOCATION)
     return ERR_CERT_UNABLE_TO_CHECK_REVOCATION;
   if (cert_status & CERT_STATUS_NO_REVOCATION_MECHANISM)
     return ERR_CERT_NO_REVOCATION_MECHANISM;
 
+  // Unknown status. The assumption is 0 (an OK status) won't be used here.
   NOTREACHED();
   return ERR_UNEXPECTED;
 }
diff --git a/chromium/net/cert/cert_status_flags.h b/chromium/net/cert/cert_status_flags.h
index fcf91d294df..f88e160b6e1 100644
--- a/chromium/net/cert/cert_status_flags.h
+++ b/chromium/net/cert/cert_status_flags.h
@@ -30,9 +30,14 @@ static inline bool IsCertStatusError(CertStatus status) {
   return (CERT_STATUS_ALL_ERRORS & status) != 0;
 }
 
-// Maps a network error code to the equivalent certificate status flag.  If
+// Maps a network error code to the equivalent certificate status flag. If
 // the error code is not a certificate error, it is mapped to 0.
-NET_EXPORT CertStatus MapNetErrorToCertStatus(int error);
+// Note: It is not safe to go net::CertStatus -> net::Error -> net::CertStatus,
+// as the CertStatus contains more information. Conversely, going from
+// net::Error -> net::CertStatus -> net::Error is not a lossy function, for the
+// same reason.
+// To avoid incorrect use, this is only exported for unittest helpers.
+NET_EXPORT_PRIVATE CertStatus MapNetErrorToCertStatus(int error);
 
 // Maps the most serious certificate error in the certificate status flags
 // to the equivalent network error code.
diff --git a/chromium/net/cert/cert_status_flags_list.h b/chromium/net/cert/cert_status_flags_list.h
index cbde71f8b6a..62907478fdc 100644
--- a/chromium/net/cert/cert_status_flags_list.h
+++ b/chromium/net/cert/cert_status_flags_list.h
@@ -6,6 +6,7 @@
 // inside a macro to generate enum values. The following line silences a
 // presubmit warning that would otherwise be triggered by this:
 // no-include-guard-because-multiply-included
+// NOLINT(build/header_guard)
 
 // This is the list of CertStatus flags and their values.
 //
@@ -37,7 +38,9 @@ CERT_STATUS_FLAG(REV_CHECKING_ENABLED, 1 << 17)
 // Bit 18 was CERT_STATUS_IS_DNSSEC
 CERT_STATUS_FLAG(SHA1_SIGNATURE_PRESENT, 1 << 19)
 CERT_STATUS_FLAG(CT_COMPLIANCE_FAILED, 1 << 20)
+CERT_STATUS_FLAG(KNOWN_INTERCEPTION_DETECTED, 1 << 21)
 
 // Bits 24 - 31 are for errors.
 CERT_STATUS_FLAG(CERTIFICATE_TRANSPARENCY_REQUIRED, 1 << 24)
 CERT_STATUS_FLAG(SYMANTEC_LEGACY, 1 << 25)
+CERT_STATUS_FLAG(KNOWN_INTERCEPTION_BLOCKED, 1 << 26)
diff --git a/chromium/net/cert/cert_verifier.h b/chromium/net/cert/cert_verifier.h
index 9b7ff450bf2..e688038216e 100644
--- a/chromium/net/cert/cert_verifier.h
+++ b/chromium/net/cert/cert_verifier.h
@@ -89,6 +89,8 @@ class NET_EXPORT CertVerifier {
     // Note that cached information may still be used, if it can be accessed
     // without accessing the network.
     VERIFY_DISABLE_NETWORK_FETCHES = 1 << 0,
+
+    VERIFY_FLAGS_LAST = VERIFY_DISABLE_NETWORK_FETCHES
   };
 
   // Parameters to verify |certificate| against the supplied
@@ -151,18 +153,23 @@ class NET_EXPORT CertVerifier {
   // Returns OK if successful or an error code upon failure.
   //
   // The |*verify_result| structure, including the |verify_result->cert_status|
-  // bitmask, is always filled out regardless of the return value.  If the
+  // bitmask, is always filled out regardless of the return value. If the
   // certificate has multiple errors, the corresponding status flags are set in
   // |verify_result->cert_status|, and the error code for the most serious
   // error is returned.
   //
-  // |callback| must not be null.  ERR_IO_PENDING is returned if the operation
+  // |callback| must not be null. ERR_IO_PENDING is returned if the operation
   // could not be completed synchronously, in which case the result code will
   // be passed to the callback when available.
   //
-  // On asynchronous completion (when Verify returns ERR_IO_PENDING) |out_req|
-  // will be reset with a pointer to the request. Freeing this pointer before
-  // the request has completed will cancel it.
+  // |*out_req| is used to store a request handle in the event of asynchronous
+  // completion (when Verify returns ERR_IO_PENDING). Provided that neither
+  // the CertVerifier nor the Request have been deleted, |callback| will be
+  // invoked once the underlying verification finishes. If either the
+  // CertVerifier or the Request are deleted, then |callback| will be Reset()
+  // and will not be invoked. It is fine for |out_req| to outlive the
+  // CertVerifier, and it is fine to reset |out_req| or delete the
+  // CertVerifier during the processing of |callback|.
   //
   // If Verify() completes synchronously then |out_req| *may* be reset to
   // nullptr. However it is not guaranteed that all implementations will reset
diff --git a/chromium/net/cert/cert_verify_proc.cc b/chromium/net/cert/cert_verify_proc.cc
index 0d0bfee61e9..a2e8cae7b43 100644
--- a/chromium/net/cert/cert_verify_proc.cc
+++ b/chromium/net/cert/cert_verify_proc.cc
@@ -532,6 +532,30 @@ int CertVerifyProc::Verify(X509Certificate* cert,
     BestEffortCheckOCSP(ocsp_response, *verify_result->verified_cert,
                         &verify_result->ocsp_result);
   }
+
+  // Check to see if the connection is being intercepted.
+  if (crl_set) {
+    for (const auto& hash : verify_result->public_key_hashes) {
+      if (hash.tag() != HASH_VALUE_SHA256)
+        continue;
+      if (!crl_set->IsKnownInterceptionKey(base::StringPiece(
+              reinterpret_cast<const char*>(hash.data()), hash.size())))
+        continue;
+
+      if (verify_result->cert_status & CERT_STATUS_REVOKED) {
+        // If the chain was revoked, and a known MITM was present, signal that
+        // with a more meaningful error message.
+        verify_result->cert_status |= CERT_STATUS_KNOWN_INTERCEPTION_BLOCKED;
+        rv = MapCertStatusToNetError(verify_result->cert_status);
+      } else {
+        // Otherwise, simply signal informatively. Both statuses are not set
+        // simultaneously.
+        verify_result->cert_status |= CERT_STATUS_KNOWN_INTERCEPTION_DETECTED;
+      }
+      break;
+    }
+  }
+
   std::vector<std::string> dns_names, ip_addrs;
   cert->GetSubjectAltName(&dns_names, &ip_addrs);
   if (HasNameConstraintsViolation(verify_result->public_key_hashes,
diff --git a/chromium/net/cert/cert_verify_proc_android.cc b/chromium/net/cert/cert_verify_proc_android.cc
index 06b00ea02cd..e213e284451 100644
--- a/chromium/net/cert/cert_verify_proc_android.cc
+++ b/chromium/net/cert/cert_verify_proc_android.cc
@@ -15,6 +15,7 @@
 #include "net/android/cert_verify_result_android.h"
 #include "net/android/network_library.h"
 #include "net/base/net_errors.h"
+#include "net/base/network_isolation_key.h"
 #include "net/cert/asn1_util.h"
 #include "net/cert/cert_net_fetcher.h"
 #include "net/cert/cert_status_flags.h"
@@ -100,7 +101,8 @@ bool PerformAIAFetchAndAddResultToVector(scoped_refptr<CertNetFetcher> fetcher,
   if (!url.is_valid())
     return false;
   std::unique_ptr<CertNetFetcher::Request> request(fetcher->FetchCaIssuers(
-      url, CertNetFetcher::DEFAULT, CertNetFetcher::DEFAULT));
+      url, NetworkIsolationKey::Todo(), CertNetFetcher::DEFAULT,
+      CertNetFetcher::DEFAULT));
   Error error;
   std::vector<uint8_t> aia_fetch_bytes;
   request->WaitForResult(&error, &aia_fetch_bytes);
diff --git a/chromium/net/cert/cert_verify_proc_android_unittest.cc b/chromium/net/cert/cert_verify_proc_android_unittest.cc
index 19d79a5e46b..a3114396a97 100644
--- a/chromium/net/cert/cert_verify_proc_android_unittest.cc
+++ b/chromium/net/cert/cert_verify_proc_android_unittest.cc
@@ -7,6 +7,7 @@
 #include <memory>
 #include <vector>
 
+#include "net/base/network_isolation_key.h"
 #include "net/cert/cert_net_fetcher.h"
 #include "net/cert/cert_verify_proc_android.h"
 #include "net/cert/cert_verify_result.h"
@@ -55,9 +56,21 @@ class MockCertNetFetcher : public CertNetFetcher {
   MockCertNetFetcher() {}
 
   MOCK_METHOD0(Shutdown, void());
-  MOCK_METHOD3(FetchCaIssuers, std::unique_ptr<Request>(const GURL&, int, int));
-  MOCK_METHOD3(FetchCrl, std::unique_ptr<Request>(const GURL&, int, int));
-  MOCK_METHOD3(FetchOcsp, std::unique_ptr<Request>(const GURL&, int, int));
+  MOCK_METHOD4(FetchCaIssuers,
+               std::unique_ptr<Request>(const GURL&,
+                                        const NetworkIsolationKey&,
+                                        int,
+                                        int));
+  MOCK_METHOD4(FetchCrl,
+               std::unique_ptr<Request>(const GURL&,
+                                        const NetworkIsolationKey&,
+                                        int,
+                                        int));
+  MOCK_METHOD4(FetchOcsp,
+               std::unique_ptr<Request>(const GURL&,
+                                        const NetworkIsolationKey&,
+                                        int,
+                                        int));
 
  private:
   ~MockCertNetFetcher() override {}
@@ -220,11 +233,11 @@ TEST_F(CertVerifyProcAndroidTestWithAIAFetching, OneFileAndOneHTTPURL) {
   // http:// URL that returns a valid intermediate signed by |root_|. Though the
   // intermediate itself contains an AIA URL, it should not be fetched because
   // |root_| is in the test trust store.
-  EXPECT_CALL(*fetcher_, FetchCaIssuers(GURL("file:///dev/null"), _, _))
+  EXPECT_CALL(*fetcher_, FetchCaIssuers(GURL("file:///dev/null"), _, _, _))
       .WillOnce(Return(
           ByMove(CreateMockRequestWithError(ERR_DISALLOWED_URL_SCHEME))));
   EXPECT_CALL(*fetcher_,
-              FetchCaIssuers(GURL("http://url-for-aia2/I2.foo"), _, _))
+              FetchCaIssuers(GURL("http://url-for-aia2/I2.foo"), _, _, _))
       .WillOnce(Return(
           ByMove(CreateMockRequestFromX509Certificate(OK, intermediate))));
 
@@ -248,7 +261,8 @@ TEST_F(CertVerifyProcAndroidTestWithAIAFetching,
   const scoped_refptr<X509Certificate> bad_intermediate =
       ImportCertFromFile(GetTestCertsDirectory(), "ok_cert.pem");
 
-  EXPECT_CALL(*fetcher_, FetchCaIssuers(GURL("http://url-for-aia/I.cer"), _, _))
+  EXPECT_CALL(*fetcher_,
+              FetchCaIssuers(GURL("http://url-for-aia/I.cer"), _, _, _))
       .WillOnce(Return(
           ByMove(CreateMockRequestFromX509Certificate(OK, bad_intermediate))));
 
@@ -270,7 +284,8 @@ TEST_F(CertVerifyProcAndroidTestWithAIAFetching,
   scoped_refptr<X509Certificate> cert;
   ASSERT_TRUE(ReadTestCert("target_one_aia.pem", &cert));
 
-  EXPECT_CALL(*fetcher_, FetchCaIssuers(GURL("http://url-for-aia/I.cer"), _, _))
+  EXPECT_CALL(*fetcher_,
+              FetchCaIssuers(GURL("http://url-for-aia/I.cer"), _, _, _))
       .WillOnce(Return(ByMove(CreateMockRequestWithError(ERR_FAILED))));
 
   CertVerifyResult verify_result;
@@ -291,7 +306,8 @@ TEST_F(CertVerifyProcAndroidTestWithAIAFetching,
   scoped_refptr<X509Certificate> cert;
   ASSERT_TRUE(ReadTestCert("target_one_aia.pem", &cert));
 
-  EXPECT_CALL(*fetcher_, FetchCaIssuers(GURL("http://url-for-aia/I.cer"), _, _))
+  EXPECT_CALL(*fetcher_,
+              FetchCaIssuers(GURL("http://url-for-aia/I.cer"), _, _, _))
       .WillOnce(Return(ByMove(CreateMockRequestWithInvalidCertificate())));
 
   CertVerifyResult verify_result;
@@ -321,11 +337,12 @@ TEST_F(CertVerifyProcAndroidTestWithAIAFetching, TwoHTTPURLs) {
   // valid intermediate signed by |root_|. Though the intermediate itself
   // contains an AIA URL, it should not be fetched because |root_| is in the
   // trust store.
-  EXPECT_CALL(*fetcher_, FetchCaIssuers(GURL("http://url-for-aia/I.cer"), _, _))
+  EXPECT_CALL(*fetcher_,
+              FetchCaIssuers(GURL("http://url-for-aia/I.cer"), _, _, _))
       .WillOnce(
           Return(ByMove(CreateMockRequestFromX509Certificate(OK, unrelated))));
   EXPECT_CALL(*fetcher_,
-              FetchCaIssuers(GURL("http://url-for-aia2/I2.foo"), _, _))
+              FetchCaIssuers(GURL("http://url-for-aia2/I2.foo"), _, _, _))
       .WillOnce(Return(
           ByMove(CreateMockRequestFromX509Certificate(OK, intermediate))));
 
@@ -355,11 +372,12 @@ TEST_F(CertVerifyProcAndroidTestWithAIAFetching,
 
   // Expect two fetches, the first of which returns an intermediate that itself
   // has an AIA URL.
-  EXPECT_CALL(*fetcher_, FetchCaIssuers(GURL("http://url-for-aia/I.cer"), _, _))
+  EXPECT_CALL(*fetcher_,
+              FetchCaIssuers(GURL("http://url-for-aia/I.cer"), _, _, _))
       .WillOnce(Return(
           ByMove(CreateMockRequestFromX509Certificate(OK, intermediate))));
   EXPECT_CALL(*fetcher_,
-              FetchCaIssuers(GURL("http://url-for-aia/Root.cer"), _, _))
+              FetchCaIssuers(GURL("http://url-for-aia/Root.cer"), _, _, _))
       .WillOnce(Return(ByMove(CreateMockRequestFromX509Certificate(OK, root))));
 
   CertVerifyResult verify_result;
@@ -381,7 +399,7 @@ TEST_F(CertVerifyProcAndroidTestWithAIAFetching, MaxAIAFetches) {
   scoped_refptr<X509Certificate> cert;
   ASSERT_TRUE(ReadTestCert("target_six_aia.pem", &cert));
 
-  EXPECT_CALL(*fetcher_, FetchCaIssuers(_, _, _))
+  EXPECT_CALL(*fetcher_, FetchCaIssuers(_, _, _, _))
       .WillOnce(Return(ByMove(CreateMockRequestWithError(ERR_FAILED))))
       .WillOnce(Return(ByMove(CreateMockRequestWithError(ERR_FAILED))))
       .WillOnce(Return(ByMove(CreateMockRequestWithError(ERR_FAILED))))
@@ -411,7 +429,7 @@ TEST_F(CertVerifyProcAndroidTestWithAIAFetching, FetchForSuppliedIntermediate) {
   ASSERT_TRUE(ReadTestAIARoot(&root));
 
   EXPECT_CALL(*fetcher_,
-              FetchCaIssuers(GURL("http://url-for-aia/Root.cer"), _, _))
+              FetchCaIssuers(GURL("http://url-for-aia/Root.cer"), _, _, _))
       .WillOnce(Return(ByMove(CreateMockRequestFromX509Certificate(OK, root))));
 
   CertVerifyResult verify_result;
diff --git a/chromium/net/cert/cert_verify_proc_blocklist.inc b/chromium/net/cert/cert_verify_proc_blocklist.inc
index b4abe891d84..cc1a0bc0650 100644
--- a/chromium/net/cert/cert_verify_proc_blocklist.inc
+++ b/chromium/net/cert/cert_verify_proc_blocklist.inc
@@ -319,4 +319,21 @@ static constexpr uint8_t
         {0xc6, 0x91, 0x0d, 0x0b, 0xa9, 0xed, 0xdf, 0x59, 0x33, 0x34, 0x14,
          0x9f, 0xed, 0xfe, 0x87, 0x38, 0x5f, 0x37, 0xb6, 0x25, 0x35, 0x4b,
          0xb4, 0x39, 0x5c, 0x0a, 0xe2, 0xc8, 0xdf, 0x48, 0xe1, 0x7c},
+        // 44a244105569a730791f509b24c3d7838a462216bb0f560ef87fbe76c2e6005a.pem
+        {0xb0, 0xfc, 0xce, 0x78, 0xc1, 0x66, 0x4e, 0x29, 0x35, 0x44, 0xc1,
+         0x43, 0xe3, 0xd2, 0x68, 0x9f, 0x72, 0x3f, 0x5b, 0x6e, 0x63, 0x17,
+         0x10, 0x7e, 0x16, 0x3d, 0x22, 0xba, 0x80, 0x69, 0x79, 0x4a},
+};
+
+// Hashes of SubjectPublicKeyInfos known to be used for interception by a
+// party other than the device or machine owner.
+static constexpr uint8_t kKnownInterceptionList[][crypto::kSHA256Length] = {
+    // 143315c857a9386973ed16840899c3f96b894a7a612c444efb691f14b0dedd87.pem
+    {0xa4, 0xe9, 0xaf, 0x01, 0x41, 0x6e, 0x3a, 0x02, 0x9b, 0x5d, 0x35, 0xe5,
+     0xb1, 0x19, 0xde, 0x00, 0xcf, 0xe1, 0x56, 0xc5, 0xcf, 0x95, 0xfc, 0x82,
+     0x3c, 0xf6, 0xd0, 0x5e, 0x3c, 0x1a, 0x82, 0x37},
+    // 44a244105569a730791f509b24c3d7838a462216bb0f560ef87fbe76c2e6005a.pem
+    {0xb0, 0xfc, 0xce, 0x78, 0xc1, 0x66, 0x4e, 0x29, 0x35, 0x44, 0xc1, 0x43,
+     0xe3, 0xd2, 0x68, 0x9f, 0x72, 0x3f, 0x5b, 0x6e, 0x63, 0x17, 0x10, 0x7e,
+     0x16, 0x3d, 0x22, 0xba, 0x80, 0x69, 0x79, 0x4a},
 };
diff --git a/chromium/net/cert/cert_verify_proc_builtin.cc b/chromium/net/cert/cert_verify_proc_builtin.cc
index bbac46e3243..18c3c4cd815 100644
--- a/chromium/net/cert/cert_verify_proc_builtin.cc
+++ b/chromium/net/cert/cert_verify_proc_builtin.cc
@@ -387,8 +387,10 @@ void MapPathBuilderErrorsToCertStatus(const CertPathErrors& errors,
     *cert_status |= CERT_STATUS_DATE_INVALID;
   }
 
-  if (errors.ContainsError(cert_errors::kDistrustedByTrustStore))
+  if (errors.ContainsError(cert_errors::kDistrustedByTrustStore) ||
+      errors.ContainsError(cert_errors::kVerifySignedDataFailed)) {
     *cert_status |= CERT_STATUS_AUTHORITY_INVALID;
+  }
 
   // IMPORTANT: If the path was invalid for a reason that was not
   // explicity checked above, set a general error. This is important as
diff --git a/chromium/net/cert/cert_verify_proc_builtin_unittest.cc b/chromium/net/cert/cert_verify_proc_builtin_unittest.cc
index 906da1a9175..9b3bc3c7f70 100644
--- a/chromium/net/cert/cert_verify_proc_builtin_unittest.cc
+++ b/chromium/net/cert/cert_verify_proc_builtin_unittest.cc
@@ -12,7 +12,7 @@
 #include "net/cert/crl_set.h"
 #include "net/cert/ev_root_ca_metadata.h"
 #include "net/cert/internal/system_trust_store.h"
-#include "net/cert_net/cert_net_fetcher_impl.h"
+#include "net/cert_net/cert_net_fetcher_url_request.h"
 #include "net/der/encode_values.h"
 #include "net/log/net_log_with_source.h"
 #include "net/test/cert_builder.h"
@@ -84,7 +84,7 @@ class CertVerifyProcBuiltinTest : public ::testing::Test {
   // CertVerifyProcBuiltinTest() {}
 
   void SetUp() override {
-    cert_net_fetcher_ = base::MakeRefCounted<CertNetFetcherImpl>();
+    cert_net_fetcher_ = base::MakeRefCounted<CertNetFetcherURLRequest>();
     verify_proc_ = CreateCertVerifyProcBuiltin(
         cert_net_fetcher_, std::make_unique<DummySystemTrustStoreProvider>());
 
@@ -137,7 +137,7 @@ class CertVerifyProcBuiltinTest : public ::testing::Test {
   CertVerifier::Config config_;
   std::unique_ptr<net::TestURLRequestContext> context_;
   scoped_refptr<CertVerifyProc> verify_proc_;
-  scoped_refptr<CertNetFetcherImpl> cert_net_fetcher_;
+  scoped_refptr<CertNetFetcherURLRequest> cert_net_fetcher_;
 };
 
 TEST_F(CertVerifyProcBuiltinTest, SimpleSuccess) {
@@ -166,7 +166,7 @@ TEST_F(CertVerifyProcBuiltinTest, RevocationCheckDeadlineCRL) {
   ASSERT_TRUE(leaf && intermediate && root);
 
   const base::TimeDelta timeout_increment =
-      CertNetFetcherImpl::GetDefaultTimeoutForTesting() +
+      CertNetFetcherURLRequest::GetDefaultTimeoutForTesting() +
       base::TimeDelta::FromMilliseconds(1);
   const int expected_request_count =
       GetCertVerifyProcBuiltinTimeLimitForTesting() / timeout_increment + 1;
@@ -236,7 +236,7 @@ TEST_F(CertVerifyProcBuiltinTest, RevocationCheckDeadlineOCSP) {
   ASSERT_TRUE(leaf && intermediate && root);
 
   const base::TimeDelta timeout_increment =
-      CertNetFetcherImpl::GetDefaultTimeoutForTesting() +
+      CertNetFetcherURLRequest::GetDefaultTimeoutForTesting() +
       base::TimeDelta::FromMilliseconds(1);
   const int expected_request_count =
       GetCertVerifyProcBuiltinTimeLimitForTesting() / timeout_increment + 1;
@@ -312,7 +312,7 @@ TEST_F(CertVerifyProcBuiltinTest, EVRevocationCheckDeadline) {
   intermediate->SetCertificatePolicies({kEVTestCertPolicy});
 
   const base::TimeDelta timeout_increment =
-      CertNetFetcherImpl::GetDefaultTimeoutForTesting() +
+      CertNetFetcherURLRequest::GetDefaultTimeoutForTesting() +
       base::TimeDelta::FromMilliseconds(1);
   const int expected_request_count =
       GetCertVerifyProcBuiltinTimeLimitForTesting() / timeout_increment + 1;
diff --git a/chromium/net/cert/cert_verify_proc_nss.cc b/chromium/net/cert/cert_verify_proc_nss.cc
index a3846f9c58e..72e52dc1ff2 100644
--- a/chromium/net/cert/cert_verify_proc_nss.cc
+++ b/chromium/net/cert/cert_verify_proc_nss.cc
@@ -15,10 +15,9 @@
 #include <string>
 #include <vector>
 
+#include "base/compiler_specific.h"
 #include "base/logging.h"
 #include "base/macros.h"
-#include "base/memory/protected_memory.h"
-#include "base/memory/protected_memory_cfi.h"
 #include "base/stl_util.h"
 #include "build/build_config.h"
 #include "crypto/nss_util.h"
@@ -49,22 +48,6 @@ using CacheOCSPResponseFunction = SECStatus (*)(CERTCertDBHandle* handle,
                                                 const SECItem* encodedResponse,
                                                 void* pwArg);
 
-static PROTECTED_MEMORY_SECTION base::ProtectedMemory<CacheOCSPResponseFunction>
-    g_cache_ocsp_response;
-
-// The function pointer for CERT_CacheOCSPResponseFromSideChannel is saved to
-// read-only memory after being dynamically resolved as a security mitigation to
-// prevent the pointer from being tampered with. See crbug.com/771365 for
-// details.
-const base::ProtectedMemory<CacheOCSPResponseFunction>&
-ResolveCacheOCSPResponse() {
-  static base::ProtectedMemory<CacheOCSPResponseFunction>::Initializer init(
-      &g_cache_ocsp_response,
-      reinterpret_cast<CacheOCSPResponseFunction>(
-          dlsym(RTLD_DEFAULT, "CERT_CacheOCSPResponseFromSideChannel")));
-  return g_cache_ocsp_response;
-}
-
 typedef std::unique_ptr<
     CERTCertificatePolicies,
     crypto::NSSDestroyer<CERTCertificatePolicies,
@@ -136,6 +119,7 @@ int MapSecurityError(int err) {
     case SEC_ERROR_UNKNOWN_ISSUER:
     case SEC_ERROR_UNTRUSTED_ISSUER:
     case SEC_ERROR_CA_CERT_INVALID:
+    case SEC_ERROR_BAD_SIGNATURE:
     case SEC_ERROR_APPLICATION_CALLBACK_ERROR:  // Rejected by
                                                 // chain_verify_callback.
       return ERR_CERT_AUTHORITY_INVALID;
@@ -149,7 +133,6 @@ int MapSecurityError(int err) {
     case SEC_ERROR_CERT_NOT_IN_NAME_SPACE:
       return ERR_CERT_NAME_CONSTRAINT_VIOLATION;
     case SEC_ERROR_BAD_DER:
-    case SEC_ERROR_BAD_SIGNATURE:
     case SEC_ERROR_CERT_NOT_VALID:
     // TODO(port): add an ERR_CERT_WRONG_USAGE error code.
     case SEC_ERROR_CERT_USAGES_INVALID:
@@ -521,7 +504,7 @@ SECStatus PKIXVerifyCert(CERTCertificate* cert_handle,
   cvin.push_back(in_param);
 
   SECStatus rv = CERT_PKIXVerifyCert(cert_handle, certificateUsageSSLServer,
-                                     &cvin[0], cvout, NULL);
+                                     cvin.data(), cvout, nullptr);
   if (rv != SECSuccess) {
     rv = RetryPKIXVerifyCertWithWorkarounds(cert_handle, num_policy_oids, &cvin,
                                             cvout);
@@ -826,6 +809,7 @@ bool CertVerifyProcNSS::SupportsAdditionalTrustAnchors() const {
   return true;
 }
 
+NO_SANITIZE("cfi-icall")
 int CertVerifyProcNSS::VerifyInternalImpl(
     X509Certificate* cert,
     const std::string& hostname,
@@ -851,7 +835,10 @@ int CertVerifyProcNSS::VerifyInternalImpl(
   }
   CERTCertificate* cert_handle = input_chain[0].get();
 
-  if (!ocsp_response.empty() && *ResolveCacheOCSPResponse() != nullptr) {
+  static CacheOCSPResponseFunction cache_ocsp_response_from_side_channel =
+      reinterpret_cast<CacheOCSPResponseFunction>(
+          dlsym(RTLD_DEFAULT, "CERT_CacheOCSPResponseFromSideChannel"));
+  if (!ocsp_response.empty() && cache_ocsp_response_from_side_channel) {
     // Note: NSS uses a thread-safe global hash table, so this call will
     // affect any concurrent verification operations on |cert| or copies of
     // the same certificate. This is an unavoidable limitation of NSS's OCSP
@@ -860,9 +847,9 @@ int CertVerifyProcNSS::VerifyInternalImpl(
     ocsp_response_item.data = reinterpret_cast<unsigned char*>(
         const_cast<char*>(ocsp_response.data()));
     ocsp_response_item.len = ocsp_response.size();
-    UnsanitizedCfiCall(ResolveCacheOCSPResponse())(
-        CERT_GetDefaultCertDB(), cert_handle, PR_Now(), &ocsp_response_item,
-        nullptr);
+    cache_ocsp_response_from_side_channel(CERT_GetDefaultCertDB(), cert_handle,
+                                          PR_Now(), &ocsp_response_item,
+                                          nullptr);
   }
 
   // Setup a callback to call into CheckChainRevocationWithCRLSet with the
diff --git a/chromium/net/cert/cert_verify_proc_unittest.cc b/chromium/net/cert/cert_verify_proc_unittest.cc
index 58359178938..6414b49d1c5 100644
--- a/chromium/net/cert/cert_verify_proc_unittest.cc
+++ b/chromium/net/cert/cert_verify_proc_unittest.cc
@@ -34,11 +34,11 @@
 #include "net/cert/ev_root_ca_metadata.h"
 #include "net/cert/internal/parse_certificate.h"
 #include "net/cert/internal/signature_algorithm.h"
-#include "net/cert/pem_tokenizer.h"
+#include "net/cert/pem.h"
 #include "net/cert/test_root_certs.h"
 #include "net/cert/x509_certificate.h"
 #include "net/cert/x509_util.h"
-#include "net/cert_net/cert_net_fetcher_impl.h"
+#include "net/cert_net/cert_net_fetcher_url_request.h"
 #include "net/der/input.h"
 #include "net/der/parser.h"
 #include "net/proxy_resolution/proxy_config.h"
@@ -275,8 +275,8 @@ std::string MakeRandomHexString(size_t num_bytes) {
   std::vector<char> rand_bytes;
   rand_bytes.resize(num_bytes);
 
-  base::RandBytes(&rand_bytes[0], rand_bytes.size());
-  return base::HexEncode(&rand_bytes[0], rand_bytes.size());
+  base::RandBytes(rand_bytes.data(), rand_bytes.size());
+  return base::HexEncode(rand_bytes.data(), rand_bytes.size());
 }
 
 }  // namespace
@@ -449,7 +449,7 @@ class CertVerifyProcInternalTest
   scoped_refptr<CertVerifyProc> verify_proc_;
 };
 
-INSTANTIATE_TEST_SUITE_P(,
+INSTANTIATE_TEST_SUITE_P(All,
                          CertVerifyProcInternalTest,
                          testing::ValuesIn(kAllCertVerifiers),
                          VerifyProcTypeToName);
@@ -2043,7 +2043,10 @@ TEST_P(CertVerifyProcInternalTest, IsIssuedByKnownRootIgnoresTestRoots) {
 // has a notBefore date after 2018/10/15, and passing a valid |sct_list| to
 // Verify(). Verification should succeed on all platforms. (Assuming the
 // verifier trusts the SCT Logs used in |sct_list|.)
-TEST_P(CertVerifyProcInternalTest, LeafNewerThan20181015WithTlsSctList) {
+//
+// Fails on multiple plaforms, see crbug.com/1050152.
+TEST_P(CertVerifyProcInternalTest,
+       DISABLED_LeafNewerThan20181015WithTlsSctList) {
   scoped_refptr<X509Certificate> chain = CreateCertificateChainFromFile(
       GetTestCertsDirectory(), "treadclimber.pem",
       X509Certificate::FORMAT_PEM_CERT_SEQUENCE);
@@ -2266,6 +2269,140 @@ TEST_P(CertVerifyProcInternalTest, CRLSetRevokedBySubject) {
   EXPECT_THAT(error, IsOk());
 }
 
+// Ensures that CRLSets can be used to block known interception roots on
+// platforms that support CRLSets, while otherwise detect known interception
+// on platforms that do not.
+TEST_P(CertVerifyProcInternalTest, BlockedInterceptionByRoot) {
+  scoped_refptr<X509Certificate> root =
+      ImportCertFromFile(GetTestCertsDirectory(), "root_ca_cert.pem");
+  ASSERT_TRUE(root);
+  ScopedTestRoot test_root(root.get());
+
+  scoped_refptr<X509Certificate> cert = CreateCertificateChainFromFile(
+      GetTestCertsDirectory(), "ok_cert_by_intermediate.pem",
+      X509Certificate::FORMAT_AUTO);
+  ASSERT_TRUE(cert);
+
+  // A default/built-in CRLSet should not block
+  scoped_refptr<CRLSet> crl_set = CRLSet::BuiltinCRLSet();
+  int flags = 0;
+  CertVerifyResult verify_result;
+  int error = Verify(cert.get(), "127.0.0.1", flags, crl_set.get(),
+                     CertificateList(), &verify_result);
+  EXPECT_THAT(error, IsOk());
+  EXPECT_EQ(0U, verify_result.cert_status);
+
+  // Read in a CRLSet that marks the root as blocked for interception.
+  std::string crl_set_bytes;
+  ASSERT_TRUE(
+      base::ReadFileToString(GetTestCertsDirectory().AppendASCII(
+                                 "crlset_blocked_interception_by_root.raw"),
+                             &crl_set_bytes));
+  ASSERT_TRUE(CRLSet::Parse(crl_set_bytes, &crl_set));
+
+  error = Verify(cert.get(), "127.0.0.1", flags, crl_set.get(),
+                 CertificateList(), &verify_result);
+  if (SupportsCRLSet()) {
+    EXPECT_THAT(error, IsError(ERR_CERT_KNOWN_INTERCEPTION_BLOCKED));
+    EXPECT_TRUE(verify_result.cert_status &
+                CERT_STATUS_KNOWN_INTERCEPTION_BLOCKED);
+  } else {
+    EXPECT_THAT(error, IsOk());
+    EXPECT_TRUE(verify_result.cert_status &
+                CERT_STATUS_KNOWN_INTERCEPTION_DETECTED);
+  }
+}
+
+// Ensures that CRLSets can be used to block known interception intermediates,
+// while still allowing other certificates from that root..
+TEST_P(CertVerifyProcInternalTest, BlockedInterceptionByIntermediate) {
+  scoped_refptr<X509Certificate> root =
+      ImportCertFromFile(GetTestCertsDirectory(), "root_ca_cert.pem");
+  ASSERT_TRUE(root);
+  ScopedTestRoot test_root(root.get());
+
+  scoped_refptr<X509Certificate> cert = CreateCertificateChainFromFile(
+      GetTestCertsDirectory(), "ok_cert_by_intermediate.pem",
+      X509Certificate::FORMAT_AUTO);
+  ASSERT_TRUE(cert);
+
+  // A default/built-in CRLSEt should not block
+  scoped_refptr<CRLSet> crl_set = CRLSet::BuiltinCRLSet();
+  int flags = 0;
+  CertVerifyResult verify_result;
+  int error = Verify(cert.get(), "127.0.0.1", flags, crl_set.get(),
+                     CertificateList(), &verify_result);
+  EXPECT_THAT(error, IsOk());
+  EXPECT_EQ(0U, verify_result.cert_status);
+
+  // Read in a CRLSet that marks the intermediate as blocked for interception.
+  std::string crl_set_bytes;
+  ASSERT_TRUE(base::ReadFileToString(
+      GetTestCertsDirectory().AppendASCII(
+          "crlset_blocked_interception_by_intermediate.raw"),
+      &crl_set_bytes));
+  ASSERT_TRUE(CRLSet::Parse(crl_set_bytes, &crl_set));
+
+  error = Verify(cert.get(), "127.0.0.1", flags, crl_set.get(),
+                 CertificateList(), &verify_result);
+  if (SupportsCRLSet()) {
+    EXPECT_THAT(error, IsError(ERR_CERT_KNOWN_INTERCEPTION_BLOCKED));
+    EXPECT_TRUE(verify_result.cert_status &
+                CERT_STATUS_KNOWN_INTERCEPTION_BLOCKED);
+  } else {
+    EXPECT_THAT(error, IsOk());
+    EXPECT_TRUE(verify_result.cert_status &
+                CERT_STATUS_KNOWN_INTERCEPTION_DETECTED);
+  }
+
+  // Load a different certificate from that root, which should be unaffected.
+  scoped_refptr<X509Certificate> second_cert = CreateCertificateChainFromFile(
+      GetTestCertsDirectory(), "ok_cert.pem", X509Certificate::FORMAT_AUTO);
+  ASSERT_TRUE(second_cert);
+
+  error = Verify(second_cert.get(), "127.0.0.1", flags, crl_set.get(),
+                 CertificateList(), &verify_result);
+  EXPECT_THAT(error, IsOk());
+  EXPECT_EQ(0U, verify_result.cert_status);
+}
+
+// Ensures that CRLSets can be used to flag known interception roots, even
+// when they are not blocked.
+TEST_P(CertVerifyProcInternalTest, DetectsInterceptionByRoot) {
+  scoped_refptr<X509Certificate> root =
+      ImportCertFromFile(GetTestCertsDirectory(), "root_ca_cert.pem");
+  ASSERT_TRUE(root);
+  ScopedTestRoot test_root(root.get());
+
+  scoped_refptr<X509Certificate> cert = CreateCertificateChainFromFile(
+      GetTestCertsDirectory(), "ok_cert_by_intermediate.pem",
+      X509Certificate::FORMAT_AUTO);
+  ASSERT_TRUE(cert);
+
+  // A default/built-in CRLSet should not block
+  scoped_refptr<CRLSet> crl_set = CRLSet::BuiltinCRLSet();
+  int flags = 0;
+  CertVerifyResult verify_result;
+  int error = Verify(cert.get(), "127.0.0.1", flags, crl_set.get(),
+                     CertificateList(), &verify_result);
+  EXPECT_THAT(error, IsOk());
+  EXPECT_EQ(0U, verify_result.cert_status);
+
+  // Read in a CRLSet that marks the root as blocked for interception.
+  std::string crl_set_bytes;
+  ASSERT_TRUE(
+      base::ReadFileToString(GetTestCertsDirectory().AppendASCII(
+                                 "crlset_known_interception_by_root.raw"),
+                             &crl_set_bytes));
+  ASSERT_TRUE(CRLSet::Parse(crl_set_bytes, &crl_set));
+
+  error = Verify(cert.get(), "127.0.0.1", flags, crl_set.get(),
+                 CertificateList(), &verify_result);
+  EXPECT_THAT(error, IsOk());
+  EXPECT_TRUE(verify_result.cert_status &
+              CERT_STATUS_KNOWN_INTERCEPTION_DETECTED);
+}
+
 // Tests that CRLSets participate in path building functions, and that as
 // long as a valid path exists within the verification graph, verification
 // succeeds.
@@ -2535,6 +2672,75 @@ TEST_P(CertVerifyProcInternalTest, ValidityJustAfterNotAfter) {
   EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_DATE_INVALID);
 }
 
+TEST_P(CertVerifyProcInternalTest, FailedIntermediateSignatureValidation) {
+  base::FilePath certs_dir =
+      GetTestNetDataDirectory()
+          .AppendASCII("verify_certificate_chain_unittest")
+          .AppendASCII(
+              "intermediate-wrong-signature-no-authority-key-identifier");
+
+  CertificateList certs = CreateCertificateListFromFile(
+      certs_dir, "chain.pem", X509Certificate::FORMAT_AUTO);
+  ASSERT_EQ(3U, certs.size());
+
+  std::vector<bssl::UniquePtr<CRYPTO_BUFFER>> intermediates;
+  intermediates.push_back(bssl::UpRef(certs[1]->cert_buffer()));
+
+  scoped_refptr<X509Certificate> cert = X509Certificate::CreateFromBuffer(
+      bssl::UpRef(certs[0]->cert_buffer()), std::move(intermediates));
+  ASSERT_TRUE(cert.get());
+
+  // Trust the root certificate.
+  ScopedTestRoot scoped_root(certs.back().get());
+
+  int flags = 0;
+  CertVerifyResult verify_result;
+  int error =
+      Verify(cert.get(), "test.example", flags, CRLSet::BuiltinCRLSet().get(),
+             CertificateList(), &verify_result);
+
+  // The intermediate was signed by a different root with a different key but
+  // with the same name as the trusted one, and the intermediate has no
+  // authorityKeyIdentifier, so the verifier must try verifying the signature.
+  // Should fail with AUTHORITY_INVALID.
+  EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_AUTHORITY_INVALID);
+  EXPECT_THAT(error, IsError(ERR_CERT_AUTHORITY_INVALID));
+}
+
+TEST_P(CertVerifyProcInternalTest, FailedTargetSignatureValidation) {
+  base::FilePath certs_dir =
+      GetTestNetDataDirectory()
+          .AppendASCII("verify_certificate_chain_unittest")
+          .AppendASCII("target-wrong-signature-no-authority-key-identifier");
+
+  CertificateList certs = CreateCertificateListFromFile(
+      certs_dir, "chain.pem", X509Certificate::FORMAT_AUTO);
+  ASSERT_EQ(3U, certs.size());
+
+  std::vector<bssl::UniquePtr<CRYPTO_BUFFER>> intermediates;
+  intermediates.push_back(bssl::UpRef(certs[1]->cert_buffer()));
+
+  scoped_refptr<X509Certificate> cert = X509Certificate::CreateFromBuffer(
+      bssl::UpRef(certs[0]->cert_buffer()), std::move(intermediates));
+  ASSERT_TRUE(cert.get());
+
+  // Trust the root certificate.
+  ScopedTestRoot scoped_root(certs.back().get());
+
+  int flags = 0;
+  CertVerifyResult verify_result;
+  int error =
+      Verify(cert.get(), "test.example", flags, CRLSet::BuiltinCRLSet().get(),
+             CertificateList(), &verify_result);
+
+  // The leaf was signed by a different intermediate with a different key but
+  // with the same name as the one in the chain, and the leaf has no
+  // authorityKeyIdentifier, so the verifier must try verifying the signature.
+  // Should fail with AUTHORITY_INVALID.
+  EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_AUTHORITY_INVALID);
+  EXPECT_THAT(error, IsError(ERR_CERT_AUTHORITY_INVALID));
+}
+
 class CertVerifyProcNameNormalizationTest : public CertVerifyProcInternalTest {
  protected:
   void SetUp() override {
@@ -2585,7 +2791,7 @@ class CertVerifyProcNameNormalizationTest : public CertVerifyProcInternalTest {
   base::HistogramTester histograms_;
 };
 
-INSTANTIATE_TEST_SUITE_P(,
+INSTANTIATE_TEST_SUITE_P(All,
                          CertVerifyProcNameNormalizationTest,
                          testing::ValuesIn(kAllCertVerifiers),
                          VerifyProcTypeToName);
@@ -2834,7 +3040,7 @@ class CertVerifyProcInternalWithNetFetchingTest
 
   static void SetUpOnNetworkThread(
       std::unique_ptr<URLRequestContext>* context,
-      scoped_refptr<CertNetFetcherImpl>* cert_net_fetcher,
+      scoped_refptr<CertNetFetcherURLRequest>* cert_net_fetcher,
       base::WaitableEvent* initialization_complete_event) {
     URLRequestContextBuilder url_request_context_builder;
     url_request_context_builder.set_user_agent("cert_verify_proc_unittest/0.1");
@@ -2845,14 +3051,14 @@ class CertVerifyProcInternalWithNetFetchingTest
 #if defined(USE_NSS_CERTS)
     SetURLRequestContextForNSSHttpIO(context->get());
 #endif
-    *cert_net_fetcher = base::MakeRefCounted<net::CertNetFetcherImpl>();
+    *cert_net_fetcher = base::MakeRefCounted<net::CertNetFetcherURLRequest>();
     (*cert_net_fetcher)->SetURLRequestContext(context->get());
     initialization_complete_event->Signal();
   }
 
   static void ShutdownOnNetworkThread(
       std::unique_ptr<URLRequestContext>* context,
-      scoped_refptr<net::CertNetFetcherImpl>* cert_net_fetcher) {
+      scoped_refptr<net::CertNetFetcherURLRequest>* cert_net_fetcher) {
 #if defined(USE_NSS_CERTS)
     SetURLRequestContextForNSSHttpIO(nullptr);
 #endif
@@ -2868,7 +3074,7 @@ class CertVerifyProcInternalWithNetFetchingTest
   // Owned by this thread, but initialized, used, and shutdown on the network
   // thread.
   std::unique_ptr<URLRequestContext> context_;
-  scoped_refptr<CertNetFetcherImpl> cert_net_fetcher_;
+  scoped_refptr<CertNetFetcherURLRequest> cert_net_fetcher_;
 
   EmbeddedTestServer test_server_;
 
@@ -2880,7 +3086,7 @@ class CertVerifyProcInternalWithNetFetchingTest
       request_handlers_;
 };
 
-INSTANTIATE_TEST_SUITE_P(,
+INSTANTIATE_TEST_SUITE_P(All,
                          CertVerifyProcInternalWithNetFetchingTest,
                          testing::ValuesIn(kAllCertVerifiers),
                          VerifyProcTypeToName);
diff --git a/chromium/net/cert/cert_verify_proc_win.cc b/chromium/net/cert/cert_verify_proc_win.cc
index 41b364703f2..f1104d4c100 100644
--- a/chromium/net/cert/cert_verify_proc_win.cc
+++ b/chromium/net/cert/cert_verify_proc_win.cc
@@ -152,7 +152,7 @@ int MapCertChainErrorStatusToCertStatus(DWORD error_status) {
     if (error_status & CERT_TRUST_HAS_WEAK_SIGNATURE) {
       cert_status |= CERT_STATUS_WEAK_KEY;
     } else {
-      cert_status |= CERT_STATUS_INVALID;
+      cert_status |= CERT_STATUS_AUTHORITY_INVALID;
     }
   }
 
diff --git a/chromium/net/cert/coalescing_cert_verifier.cc b/chromium/net/cert/coalescing_cert_verifier.cc
index 06099903492..905f98fa3bb 100644
--- a/chromium/net/cert/coalescing_cert_verifier.cc
+++ b/chromium/net/cert/coalescing_cert_verifier.cc
@@ -11,13 +11,17 @@
 #include "base/containers/unique_ptr_adapters.h"
 #include "base/memory/weak_ptr.h"
 #include "base/metrics/histogram_macros.h"
+#include "base/strings/string_number_conversions.h"
 #include "base/time/time.h"
 #include "net/base/net_errors.h"
 #include "net/cert/cert_verify_result.h"
+#include "net/cert/crl_set.h"
+#include "net/cert/pem.h"
 #include "net/cert/x509_certificate_net_log_param.h"
 #include "net/log/net_log_event_type.h"
 #include "net/log/net_log_source.h"
 #include "net/log/net_log_source_type.h"
+#include "net/log/net_log_values.h"
 #include "net/log/net_log_with_source.h"
 
 namespace net {
@@ -89,6 +93,21 @@ base::Value CertVerifyResultParams(const CertVerifyResult& verify_result) {
   return std::move(results);
 }
 
+base::Value CertVerifierParams(const CertVerifier::RequestParams& params) {
+  base::Value dict(NetLogX509CertificateParams(params.certificate().get()));
+  if (!params.ocsp_response().empty()) {
+    dict.SetStringPath("ocsp_response",
+                       PEMEncode(params.ocsp_response(), "OCSP RESPONSE"));
+  }
+  if (!params.sct_list().empty()) {
+    dict.SetStringPath("sct_list", PEMEncode(params.sct_list(), "SCT LIST"));
+  }
+  dict.SetPath("host", NetLogStringValue(params.hostname()));
+  dict.SetIntPath("verifier_flags", params.flags());
+
+  return dict;
+}
+
 }  // namespace
 
 // Job contains all the state for a single verification using the underlying
@@ -248,9 +267,8 @@ int CoalescingCertVerifier::Job::Start(CertVerifier* underlying_verifier) {
   // multiple times).
   DCHECK(!pending_request_);
 
-  net_log_.BeginEvent(NetLogEventType::CERT_VERIFIER_JOB, [&] {
-    return NetLogX509CertificateParams(params_.certificate().get());
-  });
+  net_log_.BeginEvent(NetLogEventType::CERT_VERIFIER_JOB,
+                      [&] { return CertVerifierParams(params_); });
 
   verify_result_.Reset();
 
@@ -354,6 +372,8 @@ CoalescingCertVerifier::Request::~Request() {
 }
 
 void CoalescingCertVerifier::Request::Complete(int result) {
+  DCHECK(job_);  // There must be a pending/non-aborted job to complete.
+
   *verify_result_ = job_->verify_result();
 
   // On successful completion, the Job removes the Request from its set;
@@ -368,12 +388,16 @@ void CoalescingCertVerifier::Request::Complete(int result) {
 }
 
 void CoalescingCertVerifier::Request::OnJobAbort() {
+  DCHECK(job_);  // There must be a pending job to abort.
+
   // If the Job is deleted before the Request, just clean up. The Request will
   // eventually be deleted by the caller.
   net_log_.AddEvent(NetLogEventType::CANCELLED);
   net_log_.EndEvent(NetLogEventType::CERT_VERIFIER_REQUEST);
 
   job_ = nullptr;
+  // Note: May delete |this|, if the caller made |callback_| own the Request.
+  callback_.Reset();
 }
 
 CoalescingCertVerifier::CoalescingCertVerifier(
diff --git a/chromium/net/cert/crl_set.cc b/chromium/net/cert/crl_set.cc
index 4f09e69fbd5..a782f22f27b 100644
--- a/chromium/net/cert/crl_set.cc
+++ b/chromium/net/cert/crl_set.cc
@@ -34,10 +34,21 @@ namespace {
 //
 // header_bytes consists of a JSON dictionary with the following keys:
 //   Version (int): currently 0
-//   ContentType (string): "CRLSet" or "CRLSetDelta" (magic value)
-//   DeltaFrom (int32_t): if this is a delta update (see below), then this
-//       contains the sequence number of the base CRLSet.
+//   ContentType (string): "CRLSet" (magic value)
 //   Sequence (int32_t): the monotonic sequence number of this CRL set.
+//   NotAfter (optional) (double/int64_t): The number of seconds since the
+//     Unix epoch, after which, this CRLSet is expired.
+//   BlockedSPKIs (array of string): An array of Base64 encoded, SHA-256 hashed
+//     SubjectPublicKeyInfos that should be blocked.
+//   LimitedSubjects (object/map of string -> array of string): A map between
+//     the Base64-encoded SHA-256 hash of the DER-encoded Subject and the
+//     Base64-encoded SHA-256 hashes of the SubjectPublicKeyInfos that are
+//     allowed for that subject.
+//   KnownInterceptionSPKIs (array of string): An array of Base64-encoded
+//     SHA-256 hashed SubjectPublicKeyInfos known to be used for interception.
+//   BlockedInterceptionSPKIs (array of string): An array of Base64-encoded
+//     SHA-256 hashed SubjectPublicKeyInfos known to be used for interception
+//     and that should be actively blocked.
 //
 // ReadHeader reads the header (including length prefix) from |data| and
 // updates |data| to remove the header on return. Caller takes ownership of the
@@ -247,20 +258,44 @@ bool CRLSet::Parse(base::StringPiece data, scoped_refptr<CRLSet>* out_crl_set) {
     crl_set->crls_[std::move(spki_hash)] = std::move(blocked_serials);
   }
 
+  std::vector<std::string> blocked_interception_spkis;
   if (!CopyHashListFromHeader(header_dict.get(), "BlockedSPKIs",
                               &crl_set->blocked_spkis_) ||
       !CopyHashToHashesMapFromHeader(header_dict.get(), "LimitedSubjects",
-                                     &crl_set->limited_subjects_)) {
+                                     &crl_set->limited_subjects_) ||
+      !CopyHashListFromHeader(header_dict.get(), "KnownInterceptionSPKIs",
+                              &crl_set->known_interception_spkis_) ||
+      !CopyHashListFromHeader(header_dict.get(), "BlockedInterceptionSPKIs",
+                              &blocked_interception_spkis)) {
     return false;
   }
 
-  // Defines kSPKIBlockList.
+  // Add the BlockedInterceptionSPKIs to both lists; these are provided as
+  // a separate list to allow less data to be sent over the wire, even though
+  // they are duplicated in-memory.
+  crl_set->blocked_spkis_.insert(crl_set->blocked_spkis_.end(),
+                                 blocked_interception_spkis.begin(),
+                                 blocked_interception_spkis.end());
+  crl_set->known_interception_spkis_.insert(
+      crl_set->known_interception_spkis_.end(),
+      blocked_interception_spkis.begin(), blocked_interception_spkis.end());
+
+  // Defines kSPKIBlockList and kKnownInterceptionList
 #include "net/cert/cert_verify_proc_blocklist.inc"
   for (const auto& hash : kSPKIBlockList) {
     crl_set->blocked_spkis_.push_back(std::string(
         reinterpret_cast<const char*>(hash), crypto::kSHA256Length));
   }
+
+  for (const auto& hash : kKnownInterceptionList) {
+    crl_set->known_interception_spkis_.push_back(std::string(
+        reinterpret_cast<const char*>(hash), crypto::kSHA256Length));
+  }
+
+  // Sort, as these will be std::binary_search()'d.
   std::sort(crl_set->blocked_spkis_.begin(), crl_set->blocked_spkis_.end());
+  std::sort(crl_set->known_interception_spkis_.begin(),
+            crl_set->known_interception_spkis_.end());
 
   *out_crl_set = std::move(crl_set);
   return true;
@@ -317,6 +352,11 @@ CRLSet::Result CRLSet::CheckSerial(
   return GOOD;
 }
 
+bool CRLSet::IsKnownInterceptionKey(base::StringPiece spki_hash) const {
+  return std::binary_search(known_interception_spkis_.begin(),
+                            known_interception_spkis_.end(), spki_hash);
+}
+
 bool CRLSet::IsExpired() const {
   if (not_after_ == 0)
     return false;
diff --git a/chromium/net/cert/crl_set.h b/chromium/net/cert/crl_set.h
index bb876dbdfaa..c012314e465 100644
--- a/chromium/net/cert/crl_set.h
+++ b/chromium/net/cert/crl_set.h
@@ -55,6 +55,11 @@ class NET_EXPORT CRLSet : public base::RefCountedThreadSafe<CRLSet> {
   Result CheckSubject(const base::StringPiece& asn1_subject,
                       const base::StringPiece& spki_hash) const;
 
+  // Returns true if |spki_hash|, the SHA256 of the SubjectPublicKeyInfo,
+  // is known to be used for interception by a party other than the device
+  // or machine owner.
+  bool IsKnownInterceptionKey(base::StringPiece spki_hash) const;
+
   // IsExpired returns true iff the current time is past the NotAfter time
   // specified in the CRLSet.
   bool IsExpired() const;
@@ -114,6 +119,10 @@ class NET_EXPORT CRLSet : public base::RefCountedThreadSafe<CRLSet> {
   // blocked_spkis_ contains the SHA256 hashes of SPKIs which are to be blocked
   // no matter where in a certificate chain they might appear.
   std::vector<std::string> blocked_spkis_;
+  // known_interception_spkis_ contains the SHA256 hashes of SPKIs which are
+  // known to be used for interception by a party other than the device or
+  // machine owner.
+  std::vector<std::string> known_interception_spkis_;
   // limited_subjects_ is a map from the SHA256 hash of an X.501 subject name
   // to a list of allowed SPKI hashes for certificates with that subject name.
   std::unordered_map<std::string, std::vector<std::string>> limited_subjects_;
diff --git a/chromium/net/cert/ct_log_verifier_unittest.cc b/chromium/net/cert/ct_log_verifier_unittest.cc
index dcdc6ced21c..4bbc080a1d6 100644
--- a/chromium/net/cert/ct_log_verifier_unittest.cc
+++ b/chromium/net/cert/ct_log_verifier_unittest.cc
@@ -155,10 +155,9 @@ const AuditProofTestVector kAuditProofs[] = {
 
 // Decodes a hexadecimal string into the binary data it represents.
 std::string HexToBytes(const std::string& hex_data) {
-  std::vector<uint8_t> output;
   std::string result;
-  if (base::HexStringToBytes(hex_data, &output))
-    result.assign(output.begin(), output.end());
+  if (!base::HexStringToString(hex_data, &result))
+    result.clear();
   return result;
 }
 
diff --git a/chromium/net/cert/internal/cert_issuer_source_aia.cc b/chromium/net/cert/internal/cert_issuer_source_aia.cc
index 564beed1a47..72a2c9e035d 100644
--- a/chromium/net/cert/internal/cert_issuer_source_aia.cc
+++ b/chromium/net/cert/internal/cert_issuer_source_aia.cc
@@ -5,9 +5,10 @@
 #include "net/cert/internal/cert_issuer_source_aia.h"
 
 #include "base/strings/string_piece.h"
+#include "net/base/network_isolation_key.h"
 #include "net/cert/cert_net_fetcher.h"
 #include "net/cert/internal/cert_errors.h"
-#include "net/cert/pem_tokenizer.h"
+#include "net/cert/pem.h"
 #include "net/cert/x509_util.h"
 #include "url/gurl.h"
 
@@ -172,8 +173,9 @@ void CertIssuerSourceAia::AsyncGetIssuersOf(const ParsedCertificate* cert,
     // TODO(mattm): add synchronous failure mode to FetchCaIssuers interface so
     // that this doesn't need to wait for async callback just to tell that an
     // URL has an unsupported scheme?
-    aia_request->AddCertFetcherRequest(cert_fetcher_->FetchCaIssuers(
-        url, kTimeoutMilliseconds, kMaxResponseBytes));
+    aia_request->AddCertFetcherRequest(
+        cert_fetcher_->FetchCaIssuers(url, NetworkIsolationKey::Todo(),
+                                      kTimeoutMilliseconds, kMaxResponseBytes));
   }
 
   *out_req = std::move(aia_request);
diff --git a/chromium/net/cert/internal/cert_issuer_source_aia_unittest.cc b/chromium/net/cert/internal/cert_issuer_source_aia_unittest.cc
index 63774b250dd..94a21b2641b 100644
--- a/chromium/net/cert/internal/cert_issuer_source_aia_unittest.cc
+++ b/chromium/net/cert/internal/cert_issuer_source_aia_unittest.cc
@@ -6,6 +6,7 @@
 
 #include <memory>
 
+#include "net/base/network_isolation_key.h"
 #include "net/cert/cert_net_fetcher.h"
 #include "net/cert/internal/cert_errors.h"
 #include "net/cert/internal/parsed_certificate.h"
@@ -67,19 +68,25 @@ class MockCertNetFetcher : public CertNetFetcher {
  public:
   MockCertNetFetcher() = default;
   MOCK_METHOD0(Shutdown, void());
-  MOCK_METHOD3(FetchCaIssuers,
-               std::unique_ptr<Request>(const GURL& url,
-                                        int timeout_milliseconds,
-                                        int max_response_bytes));
-  MOCK_METHOD3(FetchCrl,
-               std::unique_ptr<Request>(const GURL& url,
-                                        int timeout_milliseconds,
-                                        int max_response_bytes));
-
-  MOCK_METHOD3(FetchOcsp,
-               std::unique_ptr<Request>(const GURL& url,
-                                        int timeout_milliseconds,
-                                        int max_response_bytes));
+  MOCK_METHOD4(
+      FetchCaIssuers,
+      std::unique_ptr<Request>(const GURL& url,
+                               const NetworkIsolationKey& network_isolation_key,
+                               int timeout_milliseconds,
+                               int max_response_bytes));
+  MOCK_METHOD4(
+      FetchCrl,
+      std::unique_ptr<Request>(const GURL& url,
+                               const NetworkIsolationKey& network_isolation_key,
+                               int timeout_milliseconds,
+                               int max_response_bytes));
+
+  MOCK_METHOD4(
+      FetchOcsp,
+      std::unique_ptr<Request>(const GURL& url,
+                               const NetworkIsolationKey& network_isolation_key,
+                               int timeout_milliseconds,
+                               int max_response_bytes));
 
  protected:
   ~MockCertNetFetcher() override = default;
@@ -154,7 +161,7 @@ TEST(CertIssuerSourceAiaTest, FileAia) {
   ASSERT_TRUE(ReadTestCert("target_file_aia.pem", &cert));
 
   auto mock_fetcher = base::MakeRefCounted<StrictMock<MockCertNetFetcher>>();
-  EXPECT_CALL(*mock_fetcher, FetchCaIssuers(GURL("file:///dev/null"), _, _))
+  EXPECT_CALL(*mock_fetcher, FetchCaIssuers(GURL("file:///dev/null"), _, _, _))
       .WillOnce(Return(ByMove(CreateMockRequest(ERR_DISALLOWED_URL_SCHEME))));
 
   CertIssuerSourceAia aia_source(mock_fetcher);
@@ -191,7 +198,7 @@ TEST(CertIssuerSourceAiaTest, OneAia) {
   auto mock_fetcher = base::MakeRefCounted<StrictMock<MockCertNetFetcher>>();
 
   EXPECT_CALL(*mock_fetcher,
-              FetchCaIssuers(GURL("http://url-for-aia/I.cer"), _, _))
+              FetchCaIssuers(GURL("http://url-for-aia/I.cer"), _, _, _))
       .WillOnce(Return(
           ByMove(CreateMockRequest(CertDataVector(intermediate_cert.get())))));
 
@@ -222,11 +229,11 @@ TEST(CertIssuerSourceAiaTest, OneFileOneHttpAia) {
 
   auto mock_fetcher = base::MakeRefCounted<StrictMock<MockCertNetFetcher>>();
 
-  EXPECT_CALL(*mock_fetcher, FetchCaIssuers(GURL("file:///dev/null"), _, _))
+  EXPECT_CALL(*mock_fetcher, FetchCaIssuers(GURL("file:///dev/null"), _, _, _))
       .WillOnce(Return(ByMove(CreateMockRequest(ERR_DISALLOWED_URL_SCHEME))));
 
   EXPECT_CALL(*mock_fetcher,
-              FetchCaIssuers(GURL("http://url-for-aia2/I2.foo"), _, _))
+              FetchCaIssuers(GURL("http://url-for-aia2/I2.foo"), _, _, _))
       .WillOnce(Return(
           ByMove(CreateMockRequest(CertDataVector(intermediate_cert.get())))));
 
@@ -255,7 +262,7 @@ TEST(CertIssuerSourceAiaTest, OneInvalidOneHttpAia) {
       new StrictMock<MockCertNetFetcher>());
 
   EXPECT_CALL(*mock_fetcher,
-              FetchCaIssuers(GURL("http://url-for-aia2/I2.foo"), _, _))
+              FetchCaIssuers(GURL("http://url-for-aia2/I2.foo"), _, _, _))
       .WillOnce(Return(
           ByMove(CreateMockRequest(CertDataVector(intermediate_cert.get())))));
 
@@ -290,12 +297,12 @@ TEST(CertIssuerSourceAiaTest, TwoAiaCompletedInSeries) {
       new StrictMock<MockCertNetFetcher>());
 
   EXPECT_CALL(*mock_fetcher,
-              FetchCaIssuers(GURL("http://url-for-aia/I.cer"), _, _))
+              FetchCaIssuers(GURL("http://url-for-aia/I.cer"), _, _, _))
       .WillOnce(Return(
           ByMove(CreateMockRequest(CertDataVector(intermediate_cert.get())))));
 
   EXPECT_CALL(*mock_fetcher,
-              FetchCaIssuers(GURL("http://url-for-aia2/I2.foo"), _, _))
+              FetchCaIssuers(GURL("http://url-for-aia2/I2.foo"), _, _, _))
       .WillOnce(Return(
           ByMove(CreateMockRequest(CertDataVector(intermediate_cert2.get())))));
 
@@ -333,7 +340,7 @@ TEST(CertIssuerSourceAiaTest, OneAiaHttpError) {
 
   // HTTP request returns with an error.
   EXPECT_CALL(*mock_fetcher,
-              FetchCaIssuers(GURL("http://url-for-aia/I.cer"), _, _))
+              FetchCaIssuers(GURL("http://url-for-aia/I.cer"), _, _, _))
       .WillOnce(Return(ByMove(CreateMockRequest(ERR_FAILED))));
 
   CertIssuerSourceAia aia_source(mock_fetcher);
@@ -358,7 +365,7 @@ TEST(CertIssuerSourceAiaTest, OneAiaParseError) {
 
   // HTTP request returns invalid certificate data.
   EXPECT_CALL(*mock_fetcher,
-              FetchCaIssuers(GURL("http://url-for-aia/I.cer"), _, _))
+              FetchCaIssuers(GURL("http://url-for-aia/I.cer"), _, _, _))
       .WillOnce(Return(
           ByMove(CreateMockRequest(std::vector<uint8_t>({1, 2, 3, 4, 5})))));
 
@@ -386,12 +393,12 @@ TEST(CertIssuerSourceAiaTest, TwoAiaCompletedInSeriesFirstFails) {
 
   // Request for I.cer completes first, but fails.
   EXPECT_CALL(*mock_fetcher,
-              FetchCaIssuers(GURL("http://url-for-aia/I.cer"), _, _))
+              FetchCaIssuers(GURL("http://url-for-aia/I.cer"), _, _, _))
       .WillOnce(Return(ByMove(CreateMockRequest(ERR_INVALID_RESPONSE))));
 
   // Request for I2.foo succeeds.
   EXPECT_CALL(*mock_fetcher,
-              FetchCaIssuers(GURL("http://url-for-aia2/I2.foo"), _, _))
+              FetchCaIssuers(GURL("http://url-for-aia2/I2.foo"), _, _, _))
       .WillOnce(Return(
           ByMove(CreateMockRequest(CertDataVector(intermediate_cert2.get())))));
 
@@ -425,13 +432,13 @@ TEST(CertIssuerSourceAiaTest, TwoAiaCompletedInSeriesSecondFails) {
 
   // Request for I.cer completes first.
   EXPECT_CALL(*mock_fetcher,
-              FetchCaIssuers(GURL("http://url-for-aia/I.cer"), _, _))
+              FetchCaIssuers(GURL("http://url-for-aia/I.cer"), _, _, _))
       .WillOnce(Return(
           ByMove(CreateMockRequest(CertDataVector(intermediate_cert.get())))));
 
   // Request for I2.foo fails.
   EXPECT_CALL(*mock_fetcher,
-              FetchCaIssuers(GURL("http://url-for-aia2/I2.foo"), _, _))
+              FetchCaIssuers(GURL("http://url-for-aia2/I2.foo"), _, _, _))
       .WillOnce(Return(ByMove(CreateMockRequest(ERR_INVALID_RESPONSE))));
 
   CertIssuerSourceAia aia_source(mock_fetcher);
@@ -463,23 +470,23 @@ TEST(CertIssuerSourceAiaTest, MaxFetchesPerCert) {
   std::vector<uint8_t> bad_der({1, 2, 3, 4, 5});
 
   EXPECT_CALL(*mock_fetcher,
-              FetchCaIssuers(GURL("http://url-for-aia/I.cer"), _, _))
+              FetchCaIssuers(GURL("http://url-for-aia/I.cer"), _, _, _))
       .WillOnce(Return(ByMove(CreateMockRequest(bad_der))));
 
   EXPECT_CALL(*mock_fetcher,
-              FetchCaIssuers(GURL("http://url-for-aia2/I2.foo"), _, _))
+              FetchCaIssuers(GURL("http://url-for-aia2/I2.foo"), _, _, _))
       .WillOnce(Return(ByMove(CreateMockRequest(bad_der))));
 
   EXPECT_CALL(*mock_fetcher,
-              FetchCaIssuers(GURL("http://url-for-aia3/I3.foo"), _, _))
+              FetchCaIssuers(GURL("http://url-for-aia3/I3.foo"), _, _, _))
       .WillOnce(Return(ByMove(CreateMockRequest(bad_der))));
 
   EXPECT_CALL(*mock_fetcher,
-              FetchCaIssuers(GURL("http://url-for-aia4/I4.foo"), _, _))
+              FetchCaIssuers(GURL("http://url-for-aia4/I4.foo"), _, _, _))
       .WillOnce(Return(ByMove(CreateMockRequest(bad_der))));
 
   EXPECT_CALL(*mock_fetcher,
-              FetchCaIssuers(GURL("http://url-for-aia5/I5.foo"), _, _))
+              FetchCaIssuers(GURL("http://url-for-aia5/I5.foo"), _, _, _))
       .WillOnce(Return(ByMove(CreateMockRequest(bad_der))));
 
   // Note that the sixth URL (http://url-for-aia6/I6.foo) will not be requested.
diff --git a/chromium/net/cert/internal/certificate_policies_unittest.cc b/chromium/net/cert/internal/certificate_policies_unittest.cc
index ce142b12508..ab0b8fe7d76 100644
--- a/chromium/net/cert/internal/certificate_policies_unittest.cc
+++ b/chromium/net/cert/internal/certificate_policies_unittest.cc
@@ -34,7 +34,7 @@ class ParseCertificatePoliciesExtensionTest
 
 // Run the tests with all possible values for
 // |fail_parsing_unknown_qualifier_oids|.
-INSTANTIATE_TEST_SUITE_P(,
+INSTANTIATE_TEST_SUITE_P(All,
                          ParseCertificatePoliciesExtensionTest,
                          testing::Bool());
 
diff --git a/chromium/net/cert/internal/crl_unittest.cc b/chromium/net/cert/internal/crl_unittest.cc
index 728159d8b60..45b4677e7b9 100644
--- a/chromium/net/cert/internal/crl_unittest.cc
+++ b/chromium/net/cert/internal/crl_unittest.cc
@@ -115,7 +115,7 @@ struct PrintTestName {
   }
 };
 
-INSTANTIATE_TEST_SUITE_P(,
+INSTANTIATE_TEST_SUITE_P(All,
                          CheckCRLTest,
                          ::testing::ValuesIn(kTestParams),
                          PrintTestName());
diff --git a/chromium/net/cert/internal/ocsp.h b/chromium/net/cert/internal/ocsp.h
index f53c0563d78..d0157c91173 100644
--- a/chromium/net/cert/internal/ocsp.h
+++ b/chromium/net/cert/internal/ocsp.h
@@ -285,8 +285,6 @@ NET_EXPORT_PRIVATE bool ParseOCSPResponse(const der::Input& raw_tlv,
 //        the |this_update| field in OCSPSingleResponse. Responses older than
 //        |max_age| will be considered invalid.
 //  * |response_details|: Additional details about failures.
-//      TODO(eroman): This is only being used for logging of Expect-Staple, can
-//      remove if that gets pulled out.
 NET_EXPORT OCSPRevocationStatus CheckOCSP(
     base::StringPiece raw_response,
     base::StringPiece certificate_der,
diff --git a/chromium/net/cert/internal/ocsp_unittest.cc b/chromium/net/cert/internal/ocsp_unittest.cc
index ce8856b334a..61426791ca3 100644
--- a/chromium/net/cert/internal/ocsp_unittest.cc
+++ b/chromium/net/cert/internal/ocsp_unittest.cc
@@ -131,7 +131,7 @@ struct PrintTestName {
   }
 };
 
-INSTANTIATE_TEST_SUITE_P(,
+INSTANTIATE_TEST_SUITE_P(All,
                          CheckOCSPTest,
                          ::testing::ValuesIn(kTestParams),
                          PrintTestName());
@@ -189,7 +189,7 @@ base::StringPiece kGetURLTestParams[] = {
 class CreateOCSPGetURLTest
     : public ::testing::TestWithParam<base::StringPiece> {};
 
-INSTANTIATE_TEST_SUITE_P(,
+INSTANTIATE_TEST_SUITE_P(All,
                          CreateOCSPGetURLTest,
                          ::testing::ValuesIn(kGetURLTestParams));
 
diff --git a/chromium/net/cert/internal/parse_authority_key_identifier_fuzzer.cc b/chromium/net/cert/internal/parse_authority_key_identifier_fuzzer.cc
new file mode 100644
index 00000000000..cb1718673a1
--- /dev/null
+++ b/chromium/net/cert/internal/parse_authority_key_identifier_fuzzer.cc
@@ -0,0 +1,20 @@
+// Copyright 2019 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include <stddef.h>
+#include <stdint.h>
+
+#include "net/cert/internal/parse_certificate.h"
+#include "net/der/input.h"
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+  net::der::Input der(data, size);
+
+  net::ParsedAuthorityKeyIdentifier authority_key_identifier;
+
+  ignore_result(
+      net::ParseAuthorityKeyIdentifier(der, &authority_key_identifier));
+
+  return 0;
+}
diff --git a/chromium/net/cert/internal/parse_certificate.cc b/chromium/net/cert/internal/parse_certificate.cc
index e7a5fa1936e..8939403eac9 100644
--- a/chromium/net/cert/internal/parse_certificate.cc
+++ b/chromium/net/cert/internal/parse_certificate.cc
@@ -644,6 +644,16 @@ bool ParseExtension(const der::Input& extension_tlv, ParsedExtension* out) {
   return true;
 }
 
+der::Input SubjectKeyIdentifierOid() {
+  // From RFC 5280:
+  //
+  //     id-ce-subjectKeyIdentifier OBJECT IDENTIFIER ::=  { id-ce 14 }
+  //
+  // In dotted notation: 2.5.29.14
+  static const uint8_t oid[] = {0x55, 0x1d, 0x0e};
+  return der::Input(oid);
+}
+
 der::Input KeyUsageOid() {
   // From RFC 5280:
   //
@@ -694,6 +704,16 @@ der::Input CertificatePoliciesOid() {
   return der::Input(oid);
 }
 
+der::Input AuthorityKeyIdentifierOid() {
+  // From RFC 5280:
+  //
+  //     id-ce-authorityKeyIdentifier OBJECT IDENTIFIER ::=  { id-ce 35 }
+  //
+  // In dotted notation: 2.5.29.35
+  static const uint8_t oid[] = {0x55, 0x1d, 0x23};
+  return der::Input(oid);
+}
+
 der::Input PolicyConstraintsOid() {
   // From RFC 5280:
   //
@@ -966,4 +986,85 @@ bool ParseCrlDistributionPoints(
   return true;
 }
 
+ParsedAuthorityKeyIdentifier::ParsedAuthorityKeyIdentifier() = default;
+ParsedAuthorityKeyIdentifier::~ParsedAuthorityKeyIdentifier() = default;
+ParsedAuthorityKeyIdentifier::ParsedAuthorityKeyIdentifier(
+    ParsedAuthorityKeyIdentifier&& other) = default;
+ParsedAuthorityKeyIdentifier& ParsedAuthorityKeyIdentifier::operator=(
+    ParsedAuthorityKeyIdentifier&& other) = default;
+
+bool ParseAuthorityKeyIdentifier(
+    const der::Input& extension_value,
+    ParsedAuthorityKeyIdentifier* authority_key_identifier) {
+  // RFC 5280, section 4.2.1.1.
+  //    AuthorityKeyIdentifier ::= SEQUENCE {
+  //       keyIdentifier             [0] KeyIdentifier           OPTIONAL,
+  //       authorityCertIssuer       [1] GeneralNames            OPTIONAL,
+  //       authorityCertSerialNumber [2] CertificateSerialNumber OPTIONAL  }
+  //
+  //    KeyIdentifier ::= OCTET STRING
+
+  der::Parser extension_value_parser(extension_value);
+  der::Parser aki_parser;
+  if (!extension_value_parser.ReadSequence(&aki_parser))
+    return false;
+  if (extension_value_parser.HasMore())
+    return false;
+
+  // TODO(mattm): Should having an empty AuthorityKeyIdentifier SEQUENCE be an
+  // error? RFC 5280 doesn't explicitly say it.
+
+  //       keyIdentifier             [0] KeyIdentifier           OPTIONAL,
+  if (!aki_parser.ReadOptionalTag(der::ContextSpecificPrimitive(0),
+                                  &authority_key_identifier->key_identifier)) {
+    return false;
+  }
+
+  //       authorityCertIssuer       [1] GeneralNames            OPTIONAL,
+  if (!aki_parser.ReadOptionalTag(
+          der::ContextSpecificConstructed(1),
+          &authority_key_identifier->authority_cert_issuer)) {
+    return false;
+  }
+
+  //       authorityCertSerialNumber [2] CertificateSerialNumber OPTIONAL  }
+  if (!aki_parser.ReadOptionalTag(
+          der::ContextSpecificPrimitive(2),
+          &authority_key_identifier->authority_cert_serial_number)) {
+    return false;
+  }
+
+  //     -- authorityCertIssuer and authorityCertSerialNumber MUST both
+  //     -- be present or both be absent
+  if (authority_key_identifier->authority_cert_issuer.has_value() !=
+      authority_key_identifier->authority_cert_serial_number.has_value()) {
+    return false;
+  }
+
+  // There shouldn't be any unconsumed data in the AuthorityKeyIdentifier
+  // SEQUENCE.
+  if (aki_parser.HasMore())
+    return false;
+
+  return true;
+}
+
+bool ParseSubjectKeyIdentifier(const der::Input& extension_value,
+                               der::Input* subject_key_identifier) {
+  //    SubjectKeyIdentifier ::= KeyIdentifier
+  //
+  //    KeyIdentifier ::= OCTET STRING
+  der::Parser extension_value_parser(extension_value);
+  if (!extension_value_parser.ReadTag(der::kOctetString,
+                                      subject_key_identifier)) {
+    return false;
+  }
+
+  // There shouldn't be any unconsumed data in the extension SEQUENCE.
+  if (extension_value_parser.HasMore())
+    return false;
+
+  return true;
+}
+
 }  // namespace net
diff --git a/chromium/net/cert/internal/parse_certificate.h b/chromium/net/cert/internal/parse_certificate.h
index 63ab3097c4a..fea939d6b49 100644
--- a/chromium/net/cert/internal/parse_certificate.h
+++ b/chromium/net/cert/internal/parse_certificate.h
@@ -12,6 +12,7 @@
 #include <vector>
 
 #include "base/compiler_specific.h"
+#include "base/optional.h"
 #include "net/base/net_export.h"
 #include "net/der/input.h"
 #include "net/der/parse_values.h"
@@ -313,6 +314,13 @@ NET_EXPORT bool ParseExtension(const der::Input& extension_tlv,
 
 // From RFC 5280:
 //
+//     id-ce-subjectKeyIdentifier OBJECT IDENTIFIER ::=  { id-ce 14 }
+//
+// In dotted notation: 2.5.29.14
+NET_EXPORT der::Input SubjectKeyIdentifierOid();
+
+// From RFC 5280:
+//
 //     id-ce-keyUsage OBJECT IDENTIFIER ::=  { id-ce 15 }
 //
 // In dotted notation: 2.5.29.15
@@ -348,6 +356,13 @@ NET_EXPORT der::Input CertificatePoliciesOid();
 
 // From RFC 5280:
 //
+//     id-ce-authorityKeyIdentifier OBJECT IDENTIFIER ::=  { id-ce 35 }
+//
+// In dotted notation: 2.5.29.35
+NET_EXPORT der::Input AuthorityKeyIdentifierOid();
+
+// From RFC 5280:
+//
 //     id-ce-policyConstraints OBJECT IDENTIFIER ::=  { id-ce 36 }
 //
 // In dotted notation: 2.5.29.36
@@ -530,6 +545,49 @@ NET_EXPORT bool ParseCrlDistributionPoints(
     std::vector<ParsedDistributionPoint>* distribution_points)
     WARN_UNUSED_RESULT;
 
+// Represents the AuthorityKeyIdentifier extension defined by RFC 5280 section
+// 4.2.1.1.
+//
+//    AuthorityKeyIdentifier ::= SEQUENCE {
+//       keyIdentifier             [0] KeyIdentifier           OPTIONAL,
+//       authorityCertIssuer       [1] GeneralNames            OPTIONAL,
+//       authorityCertSerialNumber [2] CertificateSerialNumber OPTIONAL  }
+//
+//    KeyIdentifier ::= OCTET STRING
+struct NET_EXPORT ParsedAuthorityKeyIdentifier {
+  ParsedAuthorityKeyIdentifier();
+  ~ParsedAuthorityKeyIdentifier();
+  ParsedAuthorityKeyIdentifier(ParsedAuthorityKeyIdentifier&& other);
+  ParsedAuthorityKeyIdentifier& operator=(ParsedAuthorityKeyIdentifier&& other);
+
+  // The keyIdentifier, which is an OCTET STRING.
+  base::Optional<der::Input> key_identifier;
+
+  // The authorityCertIssuer, which should be a GeneralNames, but this is not
+  // enforced by ParseAuthorityKeyIdentifier.
+  base::Optional<der::Input> authority_cert_issuer;
+
+  // The DER authorityCertSerialNumber, which should be a
+  // CertificateSerialNumber (an INTEGER) but this is not enforced by
+  // ParseAuthorityKeyIdentifier.
+  base::Optional<der::Input> authority_cert_serial_number;
+};
+
+// Parses the value of an authorityKeyIdentifier extension. Returns true on
+// success and fills |authority_key_identifier| with values that reference data
+// in |extension_value|. On failure the state of |authority_key_identifier| is
+// not guaranteed.
+NET_EXPORT bool ParseAuthorityKeyIdentifier(
+    const der::Input& extension_value,
+    ParsedAuthorityKeyIdentifier* authority_key_identifier) WARN_UNUSED_RESULT;
+
+// Parses the value of a subjectKeyIdentifier extension. Returns true on
+// success and |subject_key_identifier| references data in |extension_value|.
+// On failure the state of |subject_key_identifier| is not guaranteed.
+NET_EXPORT bool ParseSubjectKeyIdentifier(const der::Input& extension_value,
+                                          der::Input* subject_key_identifier)
+    WARN_UNUSED_RESULT;
+
 }  // namespace net
 
 #endif  // NET_CERT_INTERNAL_PARSE_CERTIFICATE_H_
diff --git a/chromium/net/cert/internal/parse_certificate_unittest.cc b/chromium/net/cert/internal/parse_certificate_unittest.cc
index d61507aa321..7badc0b583c 100644
--- a/chromium/net/cert/internal/parse_certificate_unittest.cc
+++ b/chromium/net/cert/internal/parse_certificate_unittest.cc
@@ -505,6 +505,183 @@ TEST_F(ParseCrlDistributionPointsTest, FullnameAsDirname) {
   ASSERT_EQ(0u, dp1.uris.size());
 }
 
+bool ParseAuthorityKeyIdentifierTestData(
+    const char* file_name,
+    std::string* backing_bytes,
+    ParsedAuthorityKeyIdentifier* authority_key_identifier) {
+  // Read the test file.
+  const PemBlockMapping mappings[] = {
+      {"AUTHORITY_KEY_IDENTIFIER", backing_bytes},
+  };
+  std::string test_file_path =
+      std::string(
+          "net/data/parse_certificate_unittest/authority_key_identifier/") +
+      file_name;
+  EXPECT_TRUE(ReadTestDataFromPemFile(test_file_path, mappings));
+
+  return ParseAuthorityKeyIdentifier(der::Input(backing_bytes),
+                                     authority_key_identifier);
+}
+
+TEST(ParseAuthorityKeyIdentifierTest, EmptyInput) {
+  ParsedAuthorityKeyIdentifier authority_key_identifier;
+  EXPECT_FALSE(
+      ParseAuthorityKeyIdentifier(der::Input(), &authority_key_identifier));
+}
+
+TEST(ParseAuthorityKeyIdentifierTest, EmptySequence) {
+  std::string backing_bytes;
+  ParsedAuthorityKeyIdentifier authority_key_identifier;
+  // TODO(mattm): should this be an error? RFC 5280 doesn't explicitly say it.
+  ASSERT_TRUE(ParseAuthorityKeyIdentifierTestData(
+      "empty_sequence.pem", &backing_bytes, &authority_key_identifier));
+
+  EXPECT_FALSE(authority_key_identifier.key_identifier);
+  EXPECT_FALSE(authority_key_identifier.authority_cert_issuer);
+  EXPECT_FALSE(authority_key_identifier.authority_cert_serial_number);
+}
+
+TEST(ParseAuthorityKeyIdentifierTest, KeyIdentifier) {
+  std::string backing_bytes;
+  ParsedAuthorityKeyIdentifier authority_key_identifier;
+  ASSERT_TRUE(ParseAuthorityKeyIdentifierTestData(
+      "key_identifier.pem", &backing_bytes, &authority_key_identifier));
+
+  ASSERT_TRUE(authority_key_identifier.key_identifier);
+  const uint8_t kExpectedValue[] = {0xDE, 0xAD, 0xB0, 0x0F};
+  EXPECT_EQ(der::Input(kExpectedValue),
+            authority_key_identifier.key_identifier);
+}
+
+TEST(ParseAuthorityKeyIdentifierTest, IssuerAndSerial) {
+  std::string backing_bytes;
+  ParsedAuthorityKeyIdentifier authority_key_identifier;
+  ASSERT_TRUE(ParseAuthorityKeyIdentifierTestData(
+      "issuer_and_serial.pem", &backing_bytes, &authority_key_identifier));
+
+  EXPECT_FALSE(authority_key_identifier.key_identifier);
+
+  ASSERT_TRUE(authority_key_identifier.authority_cert_issuer);
+  const uint8_t kExpectedIssuer[] = {0xa4, 0x11, 0x30, 0x0f, 0x31, 0x0d, 0x30,
+                                     0x0b, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c,
+                                     0x04, 0x52, 0x6f, 0x6f, 0x74};
+  EXPECT_EQ(der::Input(kExpectedIssuer),
+            authority_key_identifier.authority_cert_issuer);
+
+  ASSERT_TRUE(authority_key_identifier.authority_cert_serial_number);
+  const uint8_t kExpectedSerial[] = {0x27, 0x4F};
+  EXPECT_EQ(der::Input(kExpectedSerial),
+            authority_key_identifier.authority_cert_serial_number);
+}
+
+TEST(ParseAuthorityKeyIdentifierTest, KeyIdentifierAndIssuerAndSerial) {
+  std::string backing_bytes;
+  ParsedAuthorityKeyIdentifier authority_key_identifier;
+  ASSERT_TRUE(ParseAuthorityKeyIdentifierTestData(
+      "key_identifier_and_issuer_and_serial.pem", &backing_bytes,
+      &authority_key_identifier));
+
+  ASSERT_TRUE(authority_key_identifier.key_identifier);
+  const uint8_t kExpectedValue[] = {0xDE, 0xAD, 0xB0, 0x0F};
+  EXPECT_EQ(der::Input(kExpectedValue),
+            authority_key_identifier.key_identifier);
+
+  ASSERT_TRUE(authority_key_identifier.authority_cert_issuer);
+  const uint8_t kExpectedIssuer[] = {0xa4, 0x11, 0x30, 0x0f, 0x31, 0x0d, 0x30,
+                                     0x0b, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c,
+                                     0x04, 0x52, 0x6f, 0x6f, 0x74};
+  EXPECT_EQ(der::Input(kExpectedIssuer),
+            authority_key_identifier.authority_cert_issuer);
+
+  ASSERT_TRUE(authority_key_identifier.authority_cert_serial_number);
+  const uint8_t kExpectedSerial[] = {0x27, 0x4F};
+  EXPECT_EQ(der::Input(kExpectedSerial),
+            authority_key_identifier.authority_cert_serial_number);
+}
+
+TEST(ParseAuthorityKeyIdentifierTest, IssuerOnly) {
+  std::string backing_bytes;
+  ParsedAuthorityKeyIdentifier authority_key_identifier;
+  EXPECT_FALSE(ParseAuthorityKeyIdentifierTestData(
+      "issuer_only.pem", &backing_bytes, &authority_key_identifier));
+}
+
+TEST(ParseAuthorityKeyIdentifierTest, SerialOnly) {
+  std::string backing_bytes;
+  ParsedAuthorityKeyIdentifier authority_key_identifier;
+  EXPECT_FALSE(ParseAuthorityKeyIdentifierTestData(
+      "serial_only.pem", &backing_bytes, &authority_key_identifier));
+}
+
+TEST(ParseAuthorityKeyIdentifierTest, InvalidContents) {
+  std::string backing_bytes;
+  ParsedAuthorityKeyIdentifier authority_key_identifier;
+  EXPECT_FALSE(ParseAuthorityKeyIdentifierTestData(
+      "invalid_contents.pem", &backing_bytes, &authority_key_identifier));
+}
+
+TEST(ParseAuthorityKeyIdentifierTest, InvalidKeyIdentifier) {
+  std::string backing_bytes;
+  ParsedAuthorityKeyIdentifier authority_key_identifier;
+  EXPECT_FALSE(ParseAuthorityKeyIdentifierTestData(
+      "invalid_key_identifier.pem", &backing_bytes, &authority_key_identifier));
+}
+
+TEST(ParseAuthorityKeyIdentifierTest, InvalidIssuer) {
+  std::string backing_bytes;
+  ParsedAuthorityKeyIdentifier authority_key_identifier;
+  EXPECT_FALSE(ParseAuthorityKeyIdentifierTestData(
+      "invalid_issuer.pem", &backing_bytes, &authority_key_identifier));
+}
+
+TEST(ParseAuthorityKeyIdentifierTest, InvalidSerial) {
+  std::string backing_bytes;
+  ParsedAuthorityKeyIdentifier authority_key_identifier;
+  EXPECT_FALSE(ParseAuthorityKeyIdentifierTestData(
+      "invalid_serial.pem", &backing_bytes, &authority_key_identifier));
+}
+
+TEST(ParseAuthorityKeyIdentifierTest, ExtraContentsAfterIssuerAndSerial) {
+  std::string backing_bytes;
+  ParsedAuthorityKeyIdentifier authority_key_identifier;
+  EXPECT_FALSE(ParseAuthorityKeyIdentifierTestData(
+      "extra_contents_after_issuer_and_serial.pem", &backing_bytes,
+      &authority_key_identifier));
+}
+
+TEST(ParseAuthorityKeyIdentifierTest, ExtraContentsAfterExtensionSequence) {
+  std::string backing_bytes;
+  ParsedAuthorityKeyIdentifier authority_key_identifier;
+  EXPECT_FALSE(ParseAuthorityKeyIdentifierTestData(
+      "extra_contents_after_extension_sequence.pem", &backing_bytes,
+      &authority_key_identifier));
+}
+
+TEST(ParseSubjectKeyIdentifierTest, EmptyInput) {
+  der::Input subject_key_identifier;
+  EXPECT_FALSE(
+      ParseSubjectKeyIdentifier(der::Input(), &subject_key_identifier));
+}
+
+TEST(ParseSubjectKeyIdentifierTest, Valid) {
+  // OCTET_STRING {`abcd`}
+  const uint8_t kInput[] = {0x04, 0x02, 0xab, 0xcd};
+  const uint8_t kExpected[] = {0xab, 0xcd};
+  der::Input subject_key_identifier;
+  EXPECT_TRUE(
+      ParseSubjectKeyIdentifier(der::Input(kInput), &subject_key_identifier));
+  EXPECT_EQ(der::Input(kExpected), subject_key_identifier);
+}
+
+TEST(ParseSubjectKeyIdentifierTest, ExtraData) {
+  // OCTET_STRING {`abcd`}
+  // NULL
+  const uint8_t kInput[] = {0x04, 0x02, 0xab, 0xcd, 0x05};
+  der::Input subject_key_identifier;
+  EXPECT_FALSE(
+      ParseSubjectKeyIdentifier(der::Input(kInput), &subject_key_identifier));
+}
+
 }  // namespace
 
 }  // namespace net
diff --git a/chromium/net/cert/internal/parsed_certificate.cc b/chromium/net/cert/internal/parsed_certificate.cc
index 1d84f30f048..4b27233f83d 100644
--- a/chromium/net/cert/internal/parsed_certificate.cc
+++ b/chromium/net/cert/internal/parsed_certificate.cc
@@ -46,6 +46,10 @@ DEFINE_CERT_ERROR_ID(kFailedParsingPolicyMappings,
                      "Failed parsing policy mappings");
 DEFINE_CERT_ERROR_ID(kFailedParsingInhibitAnyPolicy,
                      "Failed parsing inhibit any policy");
+DEFINE_CERT_ERROR_ID(kFailedParsingAuthorityKeyIdentifier,
+                     "Failed parsing authority key identifier");
+DEFINE_CERT_ERROR_ID(kFailedParsingSubjectKeyIdentifier,
+                     "Failed parsing subject key identifier");
 
 WARN_UNUSED_RESULT bool GetSequenceValue(const der::Input& tlv,
                                          der::Input* value) {
@@ -288,6 +292,27 @@ scoped_refptr<ParsedCertificate> ParsedCertificate::CreateInternal(
         return nullptr;
       }
     }
+
+    // Subject Key Identifier.
+    if (result->GetExtension(SubjectKeyIdentifierOid(), &extension)) {
+      result->subject_key_identifier_ = base::make_optional<der::Input>();
+      if (!ParseSubjectKeyIdentifier(
+              extension.value, &result->subject_key_identifier_.value())) {
+        errors->AddError(kFailedParsingSubjectKeyIdentifier);
+        return nullptr;
+      }
+    }
+
+    // Authority Key Identifier.
+    if (result->GetExtension(AuthorityKeyIdentifierOid(), &extension)) {
+      result->authority_key_identifier_ =
+          base::make_optional<ParsedAuthorityKeyIdentifier>();
+      if (!ParseAuthorityKeyIdentifier(
+              extension.value, &result->authority_key_identifier_.value())) {
+        errors->AddError(kFailedParsingAuthorityKeyIdentifier);
+        return nullptr;
+      }
+    }
   }
 
   return result;
diff --git a/chromium/net/cert/internal/parsed_certificate.h b/chromium/net/cert/internal/parsed_certificate.h
index 7afb27e25c0..c83cebe57c5 100644
--- a/chromium/net/cert/internal/parsed_certificate.h
+++ b/chromium/net/cert/internal/parsed_certificate.h
@@ -229,6 +229,19 @@ class NET_EXPORT ParsedCertificate
     return inhibit_any_policy_;
   }
 
+  // Returns the AuthorityKeyIdentifier extension, or nullopt if there wasn't
+  // one.
+  const base::Optional<ParsedAuthorityKeyIdentifier>& authority_key_identifier()
+      const {
+    return authority_key_identifier_;
+  }
+
+  // Returns the SubjectKeyIdentifier extension, or nullopt if there wasn't
+  // one.
+  const base::Optional<der::Input>& subject_key_identifier() const {
+    return subject_key_identifier_;
+  }
+
   // Returns a map of all the extensions in the certificate.
   const ExtensionsMap& extensions() const { return extensions_; }
 
@@ -317,6 +330,12 @@ class NET_EXPORT ParsedCertificate
   bool has_inhibit_any_policy_ = false;
   uint8_t inhibit_any_policy_;
 
+  // AuthorityKeyIdentifier extension.
+  base::Optional<ParsedAuthorityKeyIdentifier> authority_key_identifier_;
+
+  // SubjectKeyIdentifier extension.
+  base::Optional<der::Input> subject_key_identifier_;
+
   // All of the extensions.
   ExtensionsMap extensions_;
 
diff --git a/chromium/net/cert/internal/parsed_certificate_unittest.cc b/chromium/net/cert/internal/parsed_certificate_unittest.cc
index 2012ef17c35..4a88ae7c8bc 100644
--- a/chromium/net/cert/internal/parsed_certificate_unittest.cc
+++ b/chromium/net/cert/internal/parsed_certificate_unittest.cc
@@ -135,8 +135,6 @@ TEST(ParsedCertificateTest, ExtensionsDuplicateKeyUsage) {
 
 // Parses a certificate with a bad key usage extension (BIT STRING with zero
 // elements).
-//
-// TODO(eroman): This should be a verification failure not a parsing failure.
 TEST(ParsedCertificateTest, BadKeyUsage) {
   ASSERT_FALSE(ParseCertificateFromFile("bad_key_usage.pem", {}));
 }
@@ -286,15 +284,34 @@ TEST(ParsedCertificateTest, ExtensionsReal) {
 
   EXPECT_TRUE(cert->has_key_usage());
   EXPECT_TRUE(cert->has_basic_constraints());
+  EXPECT_TRUE(cert->has_authority_info_access());
   EXPECT_TRUE(cert->has_policy_oids());
 
+  ASSERT_TRUE(cert->authority_key_identifier());
+  ASSERT_TRUE(cert->authority_key_identifier()->key_identifier);
+  EXPECT_FALSE(cert->authority_key_identifier()->authority_cert_issuer);
+  EXPECT_FALSE(cert->authority_key_identifier()->authority_cert_serial_number);
+  const uint8_t expected_authority_key_identifier[] = {
+      0xc0, 0x7a, 0x98, 0x68, 0x8d, 0x89, 0xfb, 0xab, 0x05, 0x64,
+      0x0c, 0x11, 0x7d, 0xaa, 0x7d, 0x65, 0xb8, 0xca, 0xcc, 0x4e,
+  };
+  EXPECT_EQ(der::Input(expected_authority_key_identifier),
+            cert->authority_key_identifier()->key_identifier);
+
+  ASSERT_TRUE(cert->subject_key_identifier());
+  const uint8_t expected_subject_key_identifier[] = {
+      0x4a, 0xdd, 0x06, 0x16, 0x1b, 0xbc, 0xf6, 0x68, 0xb5, 0x76,
+      0xf5, 0x81, 0xb6, 0xbb, 0x62, 0x1a, 0xba, 0x5a, 0x81, 0x2f};
+  EXPECT_EQ(der::Input(expected_subject_key_identifier),
+            cert->subject_key_identifier());
+
   ParsedExtension extension;
   ASSERT_TRUE(cert->GetExtension(CertificatePoliciesOid(), &extension));
 
   EXPECT_FALSE(extension.critical);
   EXPECT_EQ(16u, extension.value.Length());
 
-  // TODO(eroman): Verify the other 4 extensions' values.
+  // TODO(eroman): Verify the other extensions' values.
 }
 
 // Parses a BasicConstraints with no CA or pathlen.
@@ -549,6 +566,20 @@ TEST(ParsedCertificateTest, InhibitAnyPolicy) {
   EXPECT_EQ(3, skip_count);
 }
 
+// Tests a subjectKeyIdentifier that is not an OCTET_STRING.
+TEST(ParsedCertificateTest, SubjectKeyIdentifierNotOctetString) {
+  scoped_refptr<ParsedCertificate> cert = ParseCertificateFromFile(
+      "subject_key_identifier_not_octet_string.pem", {});
+  ASSERT_FALSE(cert);
+}
+
+// Tests an authorityKeyIdentifier that is not a SEQUENCE.
+TEST(ParsedCertificateTest, AuthourityKeyIdentifierNotSequence) {
+  scoped_refptr<ParsedCertificate> cert =
+      ParseCertificateFromFile("authority_key_identifier_not_sequence.pem", {});
+  ASSERT_FALSE(cert);
+}
+
 }  // namespace
 
 }  // namespace net
diff --git a/chromium/net/cert/internal/path_builder.cc b/chromium/net/cert/internal/path_builder.cc
index e67fc240c81..ccd89249ab4 100644
--- a/chromium/net/cert/internal/path_builder.cc
+++ b/chromium/net/cert/internal/path_builder.cc
@@ -66,32 +66,96 @@ void RecordIterationCountHistogram(uint32_t iteration_count) {
 struct IssuerEntry {
   scoped_refptr<ParsedCertificate> cert;
   CertificateTrust trust;
+  int trust_and_key_id_match_ordering;
 };
 
-// Simple comparator of IssuerEntry that defines the order in which issuers
-// should be explored. It puts trust anchors ahead of unknown or distrusted
-// ones.
-struct IssuerEntryComparator {
-  bool operator()(const IssuerEntry& issuer1, const IssuerEntry& issuer2) {
-    return CertificateTrustToOrder(issuer1.trust) <
-           CertificateTrustToOrder(issuer2.trust);
-  }
+enum KeyIdentifierMatch {
+  // |target| has a keyIdentifier and it matches |issuer|'s
+  // subjectKeyIdentifier.
+  kMatch = 0,
+  // |target| does not have authorityKeyIdentifier or |issuer| does not have
+  // subjectKeyIdentifier.
+  kNoData = 1,
+  // |target|'s authorityKeyIdentifier does not match |issuer|.
+  kMismatch = 2,
+};
 
-  static int CertificateTrustToOrder(const CertificateTrust& trust) {
-    switch (trust.type) {
-      case CertificateTrustType::TRUSTED_ANCHOR:
-      case CertificateTrustType::TRUSTED_ANCHOR_WITH_CONSTRAINTS:
-        return 1;
-      case CertificateTrustType::UNSPECIFIED:
-        return 2;
-      case CertificateTrustType::DISTRUSTED:
-        return 4;
+// Returns an integer that represents the relative ordering of |issuer| for
+// prioritizing certificates in path building based on |issuer|'s
+// subjectKeyIdentifier and |target|'s authorityKeyIdentifier. Lower return
+// values indicate higer priority.
+KeyIdentifierMatch CalculateKeyIdentifierMatch(
+    const ParsedCertificate* target,
+    const ParsedCertificate* issuer) {
+  if (!target->authority_key_identifier())
+    return kNoData;
+
+  // TODO(crbug.com/635205): If issuer does not have a subjectKeyIdentifier,
+  // could try synthesizing one using the standard SHA-1 method. Ideally in a
+  // way where any issuers that do have a matching subjectKeyIdentifier could
+  // be tried first before doing the extra work.
+  if (target->authority_key_identifier()->key_identifier &&
+      issuer->subject_key_identifier()) {
+    if (target->authority_key_identifier()->key_identifier !=
+        issuer->subject_key_identifier().value()) {
+      return kMismatch;
     }
+    return kMatch;
+  }
 
-    NOTREACHED();
-    return 5;
+  return kNoData;
+}
+
+// Returns an integer that represents the relative ordering of |issuer| based
+// on |issuer_trust| and authorityKeyIdentifier matching for prioritizing
+// certificates in path building. Lower return values indicate higer priority.
+int TrustAndKeyIdentifierMatchToOrder(const ParsedCertificate* target,
+                                      const ParsedCertificate* issuer,
+                                      const CertificateTrust& issuer_trust) {
+  enum {
+    kTrustedAndKeyIdMatch = 0,
+    kTrustedAndKeyIdNoData = 1,
+    kKeyIdMatch = 2,
+    kKeyIdNoData = 3,
+    kTrustedAndKeyIdMismatch = 4,
+    kKeyIdMismatch = 5,
+    kDistrustedAndKeyIdMatch = 6,
+    kDistrustedAndKeyIdNoData = 7,
+    kDistrustedAndKeyIdMismatch = 8,
+  };
+
+  KeyIdentifierMatch key_id_match = CalculateKeyIdentifierMatch(target, issuer);
+  switch (issuer_trust.type) {
+    case CertificateTrustType::TRUSTED_ANCHOR:
+    case CertificateTrustType::TRUSTED_ANCHOR_WITH_CONSTRAINTS:
+      switch (key_id_match) {
+        case kMatch:
+          return kTrustedAndKeyIdMatch;
+        case kNoData:
+          return kTrustedAndKeyIdNoData;
+        case kMismatch:
+          return kTrustedAndKeyIdMismatch;
+      }
+    case CertificateTrustType::UNSPECIFIED:
+      switch (key_id_match) {
+        case kMatch:
+          return kKeyIdMatch;
+        case kNoData:
+          return kKeyIdNoData;
+        case kMismatch:
+          return kKeyIdMismatch;
+      }
+    case CertificateTrustType::DISTRUSTED:
+      switch (key_id_match) {
+        case kMatch:
+          return kDistrustedAndKeyIdMatch;
+        case kNoData:
+          return kDistrustedAndKeyIdNoData;
+        case kMismatch:
+          return kDistrustedAndKeyIdMismatch;
+      }
   }
-};
+}
 
 // CertIssuersIter iterates through the intermediates from |cert_issuer_sources|
 // which may be issuers of |cert|.
@@ -235,6 +299,8 @@ void CertIssuersIter::AddIssuers(ParsedCertificateList new_issuers) {
     IssuerEntry entry;
     entry.cert = std::move(issuer);
     trust_store_->GetTrust(entry.cert, &entry.trust, debug_data_);
+    entry.trust_and_key_id_match_ordering = TrustAndKeyIdentifierMatchToOrder(
+        cert(), entry.cert.get(), entry.trust);
 
     issuers_.push_back(std::move(entry));
     issuers_needs_sort_ = true;
@@ -256,16 +322,24 @@ void CertIssuersIter::DoAsyncIssuerQuery() {
 }
 
 void CertIssuersIter::SortRemainingIssuers() {
-  // TODO(mattm): sort by notbefore, etc (eg if cert issuer matches a trust
-  // anchor subject (or is a trust anchor), that should be sorted higher too.
-  // See big list of possible sorting hints in RFC 4158.)
-  // (Update PathBuilderKeyRolloverTest.TestRolloverBothRootsTrusted once that
-  // is done)
   if (!issuers_needs_sort_)
     return;
 
-  std::stable_sort(issuers_.begin() + cur_issuer_, issuers_.end(),
-                   IssuerEntryComparator());
+  std::stable_sort(
+      issuers_.begin() + cur_issuer_, issuers_.end(),
+      [](const IssuerEntry& issuer1, const IssuerEntry& issuer2) {
+        // TODO(crbug.com/635205): Add other prioritization hints. (See big list
+        // of possible sorting hints in RFC 4158.)
+        return std::tie(issuer1.trust_and_key_id_match_ordering,
+                        // Newer(larger) notBefore & notAfter dates are
+                        // preferred, hence |issuer2| is on the LHS of
+                        // the comparison and |issuer1| on the RHS.
+                        issuer2.cert->tbs().validity_not_before,
+                        issuer2.cert->tbs().validity_not_after) <
+               std::tie(issuer2.trust_and_key_id_match_ordering,
+                        issuer1.cert->tbs().validity_not_before,
+                        issuer1.cert->tbs().validity_not_after);
+      });
 
   issuers_needs_sort_ = false;
 }
@@ -595,6 +669,10 @@ void CertPathBuilder::SetDeadline(base::TimeTicks deadline) {
   deadline_ = deadline;
 }
 
+void CertPathBuilder::SetExploreAllPaths(bool explore_all_paths) {
+  explore_all_paths_ = explore_all_paths;
+}
+
 CertPathBuilder::Result CertPathBuilder::Run() {
   uint32_t iteration_count = 0;
 
@@ -633,10 +711,9 @@ CertPathBuilder::Result CertPathBuilder::Run() {
 
     AddResultPath(std::move(result_path));
 
-    if (path_is_good) {
+    if (path_is_good && !explore_all_paths_) {
       RecordIterationCountHistogram(iteration_count);
       // Found a valid path, return immediately.
-      // TODO(mattm): add debug/test mode that tries all possible paths.
       return std::move(out_result_);
     }
     // Path did not verify. Try more paths.
@@ -645,10 +722,12 @@ CertPathBuilder::Result CertPathBuilder::Run() {
 
 void CertPathBuilder::AddResultPath(
     std::unique_ptr<CertPathBuilderResultPath> result_path) {
-  // TODO(mattm): set best_result_index based on number or severity of errors.
-  if (result_path->IsValid())
+  // TODO(mattm): If there are no valid paths, set best_result_index based on
+  // number or severity of errors. If there are multiple valid paths, could set
+  // best_result_index based on prioritization (since due to AIA and such, the
+  // actual order results were discovered may not match the ideal).
+  if (result_path->IsValid() && !out_result_.HasValidPath())
     out_result_.best_result_index = out_result_.paths.size();
-  // TODO(mattm): add flag to only return a single path or all attempted paths?
   out_result_.paths.push_back(std::move(result_path));
 }
 
diff --git a/chromium/net/cert/internal/path_builder.h b/chromium/net/cert/internal/path_builder.h
index 5f3dbb7e464..e7ef60dbb55 100644
--- a/chromium/net/cert/internal/path_builder.h
+++ b/chromium/net/cert/internal/path_builder.h
@@ -180,7 +180,8 @@ class NET_EXPORT CertPathBuilder {
   void AddCertIssuerSource(CertIssuerSource* cert_issuer_source);
 
   // Sets a limit to the number of times to repeat the process of considering a
-  // new intermediate over all potential paths.
+  // new intermediate over all potential paths. Setting |limit| to 0 disables
+  // the iteration limit, which is the default.
   void SetIterationLimit(uint32_t limit);
 
   // Sets a deadline for completing path building. If |deadline| has passed and
@@ -189,6 +190,12 @@ class NET_EXPORT CertPathBuilder {
   // will be when path building is aborted.
   void SetDeadline(base::TimeTicks deadline);
 
+  // If |explore_all_paths| is false (the default), path building will stop as
+  // soon as a valid path is found. If |explore_all_paths| is true, path
+  // building will continue until all possible paths have been exhausted (or
+  // iteration limit / deadline is exceeded).
+  void SetExploreAllPaths(bool explore_all_paths);
+
   // Returns the deadline for path building, if any. If no deadline is set,
   // |deadline().is_null()| will be true.
   base::TimeTicks deadline() const { return deadline_; }
@@ -215,6 +222,7 @@ class NET_EXPORT CertPathBuilder {
   const InitialAnyPolicyInhibit initial_any_policy_inhibit_;
   uint32_t max_iteration_count_ = 0;
   base::TimeTicks deadline_;
+  bool explore_all_paths_ = false;
 
   DISALLOW_COPY_AND_ASSIGN(CertPathBuilder);
 };
diff --git a/chromium/net/cert/internal/path_builder_unittest.cc b/chromium/net/cert/internal/path_builder_unittest.cc
index e9dd8fbffeb..80a3287d375 100644
--- a/chromium/net/cert/internal/path_builder_unittest.cc
+++ b/chromium/net/cert/internal/path_builder_unittest.cc
@@ -17,7 +17,7 @@
 #include "net/cert/internal/trust_store_collection.h"
 #include "net/cert/internal/trust_store_in_memory.h"
 #include "net/cert/internal/verify_certificate_chain.h"
-#include "net/cert/pem_tokenizer.h"
+#include "net/cert/pem.h"
 #include "net/der/input.h"
 #include "net/test/test_certificate_data.h"
 #include "testing/gmock/include/gmock/gmock.h"
@@ -661,33 +661,22 @@ TEST_F(PathBuilderKeyRolloverTest, TestRolloverOnlyOldRootTrusted) {
 
   EXPECT_TRUE(result.HasValidPath());
 
-  // Path builder will first attempt: target <- newintermediate <- oldroot
-  // but it will fail since newintermediate is signed by newroot.
-  ASSERT_EQ(2U, result.paths.size());
+  // Due to authorityKeyIdentifier prioritization, path builder will first
+  // attempt: target <- newintermediate <- newrootrollover <- oldroot
+  // which will succeed.
+  ASSERT_EQ(1U, result.paths.size());
   const auto& path0 = *result.paths[0];
-  EXPECT_FALSE(result.paths[0]->IsValid());
-  ASSERT_EQ(3U, path0.certs.size());
+  EXPECT_EQ(0U, result.best_result_index);
+  EXPECT_TRUE(path0.IsValid());
+  ASSERT_EQ(4U, path0.certs.size());
   EXPECT_EQ(target_, path0.certs[0]);
   EXPECT_EQ(newintermediate_, path0.certs[1]);
-  EXPECT_EQ(oldroot_, path0.certs[2]);
-
-  // Path builder will next attempt:
-  // target <- newintermediate <- newrootrollover <- oldroot
-  // which will succeed.
-  const auto& path1 = *result.paths[1];
-  EXPECT_EQ(1U, result.best_result_index);
-  EXPECT_TRUE(result.paths[1]->IsValid());
-  ASSERT_EQ(4U, path1.certs.size());
-  EXPECT_EQ(target_, path1.certs[0]);
-  EXPECT_EQ(newintermediate_, path1.certs[1]);
-  EXPECT_EQ(newrootrollover_, path1.certs[2]);
-  EXPECT_EQ(oldroot_, path1.certs[3]);
+  EXPECT_EQ(newrootrollover_, path0.certs[2]);
+  EXPECT_EQ(oldroot_, path0.certs[3]);
 }
 
-// Tests that if both old and new roots are trusted it can build a path through
-// either.
-// TODO(mattm): Once prioritization is implemented, it should test that it
-// always builds the path through the new intermediate and new root.
+// Tests that if both old and new roots are trusted it builds a path through
+// the new intermediate.
 TEST_F(PathBuilderKeyRolloverTest, TestRolloverBothRootsTrusted) {
   // Both oldroot and newroot are trusted.
   TrustStoreInMemory trust_store;
@@ -710,24 +699,15 @@ TEST_F(PathBuilderKeyRolloverTest, TestRolloverBothRootsTrusted) {
 
   EXPECT_TRUE(result.HasValidPath());
 
-  // Path builder willattempt one of:
-  // target <- oldintermediate <- oldroot
-  // target <- newintermediate <- newroot
-  // either will succeed.
   ASSERT_EQ(1U, result.paths.size());
   const auto& path = *result.paths[0];
   EXPECT_TRUE(result.paths[0]->IsValid());
   ASSERT_EQ(3U, path.certs.size());
   EXPECT_EQ(target_, path.certs[0]);
-  if (path.certs[1] != newintermediate_) {
-    DVLOG(1) << "USED OLD";
-    EXPECT_EQ(oldintermediate_, path.certs[1]);
-    EXPECT_EQ(oldroot_, path.certs[2]);
-  } else {
-    DVLOG(1) << "USED NEW";
-    EXPECT_EQ(newintermediate_, path.certs[1]);
-    EXPECT_EQ(newroot_, path.certs[2]);
-  }
+  // The newer intermediate should be used as newer certs are prioritized in
+  // path building.
+  EXPECT_EQ(newintermediate_, path.certs[1]);
+  EXPECT_EQ(newroot_, path.certs[2]);
 }
 
 // If trust anchor query returned no results, and there are no issuer
@@ -777,33 +757,22 @@ TEST_F(PathBuilderKeyRolloverTest, TestMultipleRootMatchesOnlyOneWorks) {
   auto result = path_builder.Run();
 
   EXPECT_TRUE(result.HasValidPath());
-  ASSERT_EQ(2U, result.paths.size());
-
-  {
-    // Path builder may first attempt: target <- oldintermediate <- newroot
-    // but it will fail since oldintermediate is signed by oldroot.
-    EXPECT_FALSE(result.paths[0]->IsValid());
-    const auto& path = *result.paths[0];
-    ASSERT_EQ(3U, path.certs.size());
-    EXPECT_EQ(target_, path.certs[0]);
-    EXPECT_EQ(oldintermediate_, path.certs[1]);
-    EXPECT_EQ(newroot_, path.certs[2]);
-  }
+  ASSERT_EQ(1U, result.paths.size());
 
-  {
-    // Path builder will next attempt:
-    // target <- old intermediate <- oldroot
-    // which should succeed.
-    EXPECT_TRUE(result.paths[result.best_result_index]->IsValid());
-    const auto& path = *result.paths[result.best_result_index];
-    ASSERT_EQ(3U, path.certs.size());
-    EXPECT_EQ(target_, path.certs[0]);
-    EXPECT_EQ(oldintermediate_, path.certs[1]);
-    EXPECT_EQ(oldroot_, path.certs[2]);
-  }
+  // Due to authorityKeyIdentifier prioritization, path builder will first
+  // attempt: target <- old intermediate <- oldroot
+  // which should succeed.
+  EXPECT_TRUE(result.paths[result.best_result_index]->IsValid());
+  const auto& path = *result.paths[result.best_result_index];
+  ASSERT_EQ(3U, path.certs.size());
+  EXPECT_EQ(target_, path.certs[0]);
+  EXPECT_EQ(oldintermediate_, path.certs[1]);
+  EXPECT_EQ(oldroot_, path.certs[2]);
 }
 
-// Tests that the path builder doesn't build longer than necessary paths.
+// Tests that the path builder doesn't build longer than necessary paths,
+// by skipping certs where the same Name+SAN+SPKI is already in the current
+// path.
 TEST_F(PathBuilderKeyRolloverTest, TestRolloverLongChain) {
   // Only oldroot is trusted.
   TrustStoreInMemory trust_store;
@@ -831,25 +800,25 @@ TEST_F(PathBuilderKeyRolloverTest, TestRolloverLongChain) {
   EXPECT_TRUE(result.HasValidPath());
   ASSERT_EQ(3U, result.paths.size());
 
-  // Path builder will first attempt: target <- newintermediate <- oldroot
-  // but it will fail since newintermediate is signed by newroot.
+  // Path builder will first attempt:
+  // target <- newintermediate <- newroot <- oldroot
+  // but it will fail since newroot is self-signed.
   EXPECT_FALSE(result.paths[0]->IsValid());
   const auto& path0 = *result.paths[0];
-  ASSERT_EQ(3U, path0.certs.size());
+  ASSERT_EQ(4U, path0.certs.size());
   EXPECT_EQ(target_, path0.certs[0]);
   EXPECT_EQ(newintermediate_, path0.certs[1]);
-  EXPECT_EQ(oldroot_, path0.certs[2]);
+  EXPECT_EQ(newroot_, path0.certs[2]);
+  EXPECT_EQ(oldroot_, path0.certs[3]);
 
-  // Path builder will next attempt:
-  // target <- newintermediate <- newroot <- oldroot
-  // but it will fail since newroot is self-signed.
+  // Path builder will next attempt: target <- newintermediate <- oldroot
+  // but it will fail since newintermediate is signed by newroot.
   EXPECT_FALSE(result.paths[1]->IsValid());
   const auto& path1 = *result.paths[1];
-  ASSERT_EQ(4U, path1.certs.size());
+  ASSERT_EQ(3U, path1.certs.size());
   EXPECT_EQ(target_, path1.certs[0]);
   EXPECT_EQ(newintermediate_, path1.certs[1]);
-  EXPECT_EQ(newroot_, path1.certs[2]);
-  EXPECT_EQ(oldroot_, path1.certs[3]);
+  EXPECT_EQ(oldroot_, path1.certs[2]);
 
   // Path builder will skip:
   // target <- newintermediate <- newroot <- newrootrollover <- ...
@@ -867,6 +836,104 @@ TEST_F(PathBuilderKeyRolloverTest, TestRolloverLongChain) {
   EXPECT_EQ(oldroot_, path2.certs[3]);
 }
 
+// Tests that when SetExploreAllPaths is combined with SetIterationLimit the
+// path builder will return all the paths that were able to be built before the
+// iteration limit was reached.
+TEST_F(PathBuilderKeyRolloverTest, ExploreAllPathsWithIterationLimit) {
+  struct Expectation {
+    int iteration_limit;
+    size_t expected_num_paths;
+  } kExpectations[] = {
+      // No iteration limit. All possible paths should be built.
+      {0, 4},
+      // Limit 1 is only enough to reach the intermediate, no paths should be
+      // built.
+      {1, 0},
+      // Limit 2 allows reaching the root on the first path.
+      {2, 1},
+      // Next iteration uses oldroot instead of newroot.
+      {3, 2},
+      // Backtracking to the target cert.
+      {4, 2},
+      // Adding oldintermediate.
+      {5, 2},
+      // Trying oldroot.
+      {6, 3},
+      // Trying newroot.
+      {7, 4},
+  };
+
+  // Trust both old and new roots.
+  TrustStoreInMemory trust_store;
+  trust_store.AddTrustAnchor(oldroot_);
+  trust_store.AddTrustAnchor(newroot_);
+
+  // Intermediates and root rollover are all provided synchronously.
+  CertIssuerSourceStatic sync_certs;
+  sync_certs.AddCert(oldintermediate_);
+  sync_certs.AddCert(newintermediate_);
+
+  for (const auto& expectation : kExpectations) {
+    CertPathBuilder path_builder(
+        target_, &trust_store, &delegate_, time_, KeyPurpose::ANY_EKU,
+        initial_explicit_policy_, user_initial_policy_set_,
+        initial_policy_mapping_inhibit_, initial_any_policy_inhibit_);
+    path_builder.AddCertIssuerSource(&sync_certs);
+
+    // Explore all paths, rather than stopping at the first valid path.
+    path_builder.SetExploreAllPaths(true);
+
+    // Limit the number of iterations.
+    path_builder.SetIterationLimit(expectation.iteration_limit);
+
+    auto result = path_builder.Run();
+
+    EXPECT_EQ(expectation.expected_num_paths > 0, result.HasValidPath());
+    ASSERT_EQ(expectation.expected_num_paths, result.paths.size());
+
+    if (expectation.expected_num_paths > 0) {
+      // Path builder will first build path: target <- newintermediate <-
+      // newroot
+      const auto& path0 = *result.paths[0];
+      EXPECT_TRUE(path0.IsValid());
+      ASSERT_EQ(3U, path0.certs.size());
+      EXPECT_EQ(target_, path0.certs[0]);
+      EXPECT_EQ(newintermediate_, path0.certs[1]);
+      EXPECT_EQ(newroot_, path0.certs[2]);
+    }
+
+    if (expectation.expected_num_paths > 1) {
+      // Next path:  target <- newintermediate <- oldroot
+      const auto& path1 = *result.paths[1];
+      EXPECT_FALSE(path1.IsValid());
+      ASSERT_EQ(3U, path1.certs.size());
+      EXPECT_EQ(target_, path1.certs[0]);
+      EXPECT_EQ(newintermediate_, path1.certs[1]);
+      EXPECT_EQ(oldroot_, path1.certs[2]);
+    }
+
+    if (expectation.expected_num_paths > 2) {
+      // Next path:  target <- oldintermediate <- oldroot
+      const auto& path2 = *result.paths[2];
+      EXPECT_TRUE(path2.IsValid());
+      ASSERT_EQ(3U, path2.certs.size());
+      EXPECT_EQ(target_, path2.certs[0]);
+      EXPECT_EQ(oldintermediate_, path2.certs[1]);
+      EXPECT_EQ(oldroot_, path2.certs[2]);
+    }
+
+    if (expectation.expected_num_paths > 3) {
+      // Final path:  target <- oldintermediate <- newroot
+      const auto& path3 = *result.paths[3];
+      EXPECT_FALSE(path3.IsValid());
+      ASSERT_EQ(3U, path3.certs.size());
+      EXPECT_EQ(target_, path3.certs[0]);
+      EXPECT_EQ(oldintermediate_, path3.certs[1]);
+      EXPECT_EQ(newroot_, path3.certs[2]);
+    }
+  }
+}
+
 // If the target cert is a trust anchor, however is not itself *signed* by a
 // trust anchor, then it is not considered valid (the SPKI and name of the
 // trust anchor matches the SPKI and subject of the targe certificate, but the
@@ -1514,6 +1581,433 @@ TEST_F(PathBuilderCheckPathAfterVerificationTest, SetsDelegateData) {
   EXPECT_EQ(0xB33F, data->value);
 }
 
+TEST(PathBuilderPrioritizationTest, DatePrioritization) {
+  std::string test_dir =
+      "net/data/path_builder_unittest/validity_date_prioritization/";
+  scoped_refptr<ParsedCertificate> root =
+      ReadCertFromFile(test_dir + "root.pem");
+  ASSERT_TRUE(root);
+  scoped_refptr<ParsedCertificate> int_ac =
+      ReadCertFromFile(test_dir + "int_ac.pem");
+  ASSERT_TRUE(int_ac);
+  scoped_refptr<ParsedCertificate> int_ad =
+      ReadCertFromFile(test_dir + "int_ad.pem");
+  ASSERT_TRUE(int_ad);
+  scoped_refptr<ParsedCertificate> int_bc =
+      ReadCertFromFile(test_dir + "int_bc.pem");
+  ASSERT_TRUE(int_bc);
+  scoped_refptr<ParsedCertificate> int_bd =
+      ReadCertFromFile(test_dir + "int_bd.pem");
+  ASSERT_TRUE(int_bd);
+  scoped_refptr<ParsedCertificate> target =
+      ReadCertFromFile(test_dir + "target.pem");
+  ASSERT_TRUE(target);
+
+  SimplePathBuilderDelegate delegate(
+      1024, SimplePathBuilderDelegate::DigestPolicy::kWeakAllowSha1);
+  der::GeneralizedTime verify_time = {2017, 3, 1, 0, 0, 0};
+
+  // Distrust the root certificate. This will force the path builder to attempt
+  // all possible paths.
+  TrustStoreInMemory trust_store;
+  trust_store.AddDistrustedCertificateForTest(root);
+
+  for (bool reverse_input_order : {false, true}) {
+    SCOPED_TRACE(reverse_input_order);
+
+    CertIssuerSourceStatic intermediates;
+    // Test with the intermediates supplied in two different orders to ensure
+    // the results don't depend on input ordering.
+    if (reverse_input_order) {
+      intermediates.AddCert(int_bd);
+      intermediates.AddCert(int_bc);
+      intermediates.AddCert(int_ad);
+      intermediates.AddCert(int_ac);
+    } else {
+      intermediates.AddCert(int_ac);
+      intermediates.AddCert(int_ad);
+      intermediates.AddCert(int_bc);
+      intermediates.AddCert(int_bd);
+    }
+
+    CertPathBuilder path_builder(
+        target, &trust_store, &delegate, verify_time, KeyPurpose::ANY_EKU,
+        InitialExplicitPolicy::kFalse, {AnyPolicy()},
+        InitialPolicyMappingInhibit::kFalse, InitialAnyPolicyInhibit::kFalse);
+    path_builder.AddCertIssuerSource(&intermediates);
+
+    CertPathBuilder::Result result = path_builder.Run();
+    EXPECT_FALSE(result.HasValidPath());
+    ASSERT_EQ(4U, result.paths.size());
+
+    // Path builder should have attempted paths using the intermediates in
+    // order: bd, bc, ad, ac
+
+    EXPECT_FALSE(result.paths[0]->IsValid());
+    ASSERT_EQ(3U, result.paths[0]->certs.size());
+    EXPECT_EQ(target, result.paths[0]->certs[0]);
+    EXPECT_EQ(int_bd, result.paths[0]->certs[1]);
+    EXPECT_EQ(root, result.paths[0]->certs[2]);
+
+    EXPECT_FALSE(result.paths[1]->IsValid());
+    ASSERT_EQ(3U, result.paths[1]->certs.size());
+    EXPECT_EQ(target, result.paths[1]->certs[0]);
+    EXPECT_EQ(int_bc, result.paths[1]->certs[1]);
+    EXPECT_EQ(root, result.paths[1]->certs[2]);
+
+    EXPECT_FALSE(result.paths[2]->IsValid());
+    ASSERT_EQ(3U, result.paths[2]->certs.size());
+    EXPECT_EQ(target, result.paths[2]->certs[0]);
+    EXPECT_EQ(int_ad, result.paths[2]->certs[1]);
+    EXPECT_EQ(root, result.paths[2]->certs[2]);
+
+    EXPECT_FALSE(result.paths[3]->IsValid());
+    ASSERT_EQ(3U, result.paths[3]->certs.size());
+    EXPECT_EQ(target, result.paths[3]->certs[0]);
+    EXPECT_EQ(int_ac, result.paths[3]->certs[1]);
+    EXPECT_EQ(root, result.paths[3]->certs[2]);
+  }
+}
+
+TEST(PathBuilderPrioritizationTest, KeyIdPrioritization) {
+  std::string test_dir =
+      "net/data/path_builder_unittest/key_id_prioritization/";
+  scoped_refptr<ParsedCertificate> root =
+      ReadCertFromFile(test_dir + "root.pem");
+  ASSERT_TRUE(root);
+  scoped_refptr<ParsedCertificate> int_matching_ski_a =
+      ReadCertFromFile(test_dir + "int_matching_ski_a.pem");
+  ASSERT_TRUE(int_matching_ski_a);
+  scoped_refptr<ParsedCertificate> int_matching_ski_b =
+      ReadCertFromFile(test_dir + "int_matching_ski_b.pem");
+  ASSERT_TRUE(int_matching_ski_b);
+  scoped_refptr<ParsedCertificate> int_no_ski_a =
+      ReadCertFromFile(test_dir + "int_no_ski_a.pem");
+  ASSERT_TRUE(int_no_ski_a);
+  scoped_refptr<ParsedCertificate> int_no_ski_b =
+      ReadCertFromFile(test_dir + "int_no_ski_b.pem");
+  ASSERT_TRUE(int_no_ski_b);
+  scoped_refptr<ParsedCertificate> int_different_ski_a =
+      ReadCertFromFile(test_dir + "int_different_ski_a.pem");
+  ASSERT_TRUE(int_different_ski_a);
+  scoped_refptr<ParsedCertificate> int_different_ski_b =
+      ReadCertFromFile(test_dir + "int_different_ski_b.pem");
+  ASSERT_TRUE(int_different_ski_b);
+  scoped_refptr<ParsedCertificate> target =
+      ReadCertFromFile(test_dir + "target.pem");
+  ASSERT_TRUE(target);
+
+  SimplePathBuilderDelegate delegate(
+      1024, SimplePathBuilderDelegate::DigestPolicy::kWeakAllowSha1);
+  der::GeneralizedTime verify_time = {2017, 3, 1, 0, 0, 0};
+
+  // Distrust the root certificate. This will force the path builder to attempt
+  // all possible paths.
+  TrustStoreInMemory trust_store;
+  trust_store.AddDistrustedCertificateForTest(root);
+
+  for (bool reverse_input_order : {false, true}) {
+    SCOPED_TRACE(reverse_input_order);
+
+    CertIssuerSourceStatic intermediates;
+    // Test with the intermediates supplied in two different orders to ensure
+    // the results don't depend on input ordering.
+    if (reverse_input_order) {
+      intermediates.AddCert(int_different_ski_b);
+      intermediates.AddCert(int_different_ski_a);
+      intermediates.AddCert(int_no_ski_b);
+      intermediates.AddCert(int_no_ski_a);
+      intermediates.AddCert(int_matching_ski_b);
+      intermediates.AddCert(int_matching_ski_a);
+    } else {
+      intermediates.AddCert(int_matching_ski_a);
+      intermediates.AddCert(int_matching_ski_b);
+      intermediates.AddCert(int_no_ski_a);
+      intermediates.AddCert(int_no_ski_b);
+      intermediates.AddCert(int_different_ski_a);
+      intermediates.AddCert(int_different_ski_b);
+    }
+
+    CertPathBuilder path_builder(
+        target, &trust_store, &delegate, verify_time, KeyPurpose::ANY_EKU,
+        InitialExplicitPolicy::kFalse, {AnyPolicy()},
+        InitialPolicyMappingInhibit::kFalse, InitialAnyPolicyInhibit::kFalse);
+    path_builder.AddCertIssuerSource(&intermediates);
+
+    CertPathBuilder::Result result = path_builder.Run();
+    EXPECT_FALSE(result.HasValidPath());
+    ASSERT_EQ(6U, result.paths.size());
+
+    // Path builder should have attempted paths using the intermediates in
+    // order: matching_ski_b, matching_ski_a, no_ski_b, no_ski_a,
+    // different_ski_b, different_ski_a
+
+    EXPECT_FALSE(result.paths[0]->IsValid());
+    ASSERT_EQ(3U, result.paths[0]->certs.size());
+    EXPECT_EQ(target, result.paths[0]->certs[0]);
+    EXPECT_EQ(int_matching_ski_b, result.paths[0]->certs[1]);
+    EXPECT_EQ(root, result.paths[0]->certs[2]);
+
+    EXPECT_FALSE(result.paths[1]->IsValid());
+    ASSERT_EQ(3U, result.paths[1]->certs.size());
+    EXPECT_EQ(target, result.paths[1]->certs[0]);
+    EXPECT_EQ(int_matching_ski_a, result.paths[1]->certs[1]);
+    EXPECT_EQ(root, result.paths[1]->certs[2]);
+
+    EXPECT_FALSE(result.paths[2]->IsValid());
+    ASSERT_EQ(3U, result.paths[2]->certs.size());
+    EXPECT_EQ(target, result.paths[2]->certs[0]);
+    EXPECT_EQ(int_no_ski_b, result.paths[2]->certs[1]);
+    EXPECT_EQ(root, result.paths[2]->certs[2]);
+
+    EXPECT_FALSE(result.paths[3]->IsValid());
+    ASSERT_EQ(3U, result.paths[3]->certs.size());
+    EXPECT_EQ(target, result.paths[3]->certs[0]);
+    EXPECT_EQ(int_no_ski_a, result.paths[3]->certs[1]);
+    EXPECT_EQ(root, result.paths[3]->certs[2]);
+
+    EXPECT_FALSE(result.paths[4]->IsValid());
+    ASSERT_EQ(3U, result.paths[4]->certs.size());
+    EXPECT_EQ(target, result.paths[4]->certs[0]);
+    EXPECT_EQ(int_different_ski_b, result.paths[4]->certs[1]);
+    EXPECT_EQ(root, result.paths[4]->certs[2]);
+
+    EXPECT_FALSE(result.paths[5]->IsValid());
+    ASSERT_EQ(3U, result.paths[5]->certs.size());
+    EXPECT_EQ(target, result.paths[5]->certs[0]);
+    EXPECT_EQ(int_different_ski_a, result.paths[5]->certs[1]);
+    EXPECT_EQ(root, result.paths[5]->certs[2]);
+  }
+}
+
+TEST(PathBuilderPrioritizationTest, TrustAndKeyIdPrioritization) {
+  std::string test_dir =
+      "net/data/path_builder_unittest/key_id_prioritization/";
+  scoped_refptr<ParsedCertificate> root =
+      ReadCertFromFile(test_dir + "root.pem");
+  ASSERT_TRUE(root);
+  scoped_refptr<ParsedCertificate> trusted_and_matching =
+      ReadCertFromFile(test_dir + "int_matching_ski_a.pem");
+  ASSERT_TRUE(trusted_and_matching);
+  scoped_refptr<ParsedCertificate> matching =
+      ReadCertFromFile(test_dir + "int_matching_ski_b.pem");
+  ASSERT_TRUE(matching);
+  scoped_refptr<ParsedCertificate> distrusted_and_matching =
+      ReadCertFromFile(test_dir + "int_matching_ski_c.pem");
+  ASSERT_TRUE(distrusted_and_matching);
+  scoped_refptr<ParsedCertificate> trusted_and_no_match_data =
+      ReadCertFromFile(test_dir + "int_no_ski_a.pem");
+  ASSERT_TRUE(trusted_and_no_match_data);
+  scoped_refptr<ParsedCertificate> no_match_data =
+      ReadCertFromFile(test_dir + "int_no_ski_b.pem");
+  ASSERT_TRUE(no_match_data);
+  scoped_refptr<ParsedCertificate> distrusted_and_no_match_data =
+      ReadCertFromFile(test_dir + "int_no_ski_c.pem");
+  ASSERT_TRUE(distrusted_and_no_match_data);
+  scoped_refptr<ParsedCertificate> trusted_and_mismatch =
+      ReadCertFromFile(test_dir + "int_different_ski_a.pem");
+  ASSERT_TRUE(trusted_and_mismatch);
+  scoped_refptr<ParsedCertificate> mismatch =
+      ReadCertFromFile(test_dir + "int_different_ski_b.pem");
+  ASSERT_TRUE(mismatch);
+  scoped_refptr<ParsedCertificate> distrusted_and_mismatch =
+      ReadCertFromFile(test_dir + "int_different_ski_c.pem");
+  ASSERT_TRUE(distrusted_and_mismatch);
+  scoped_refptr<ParsedCertificate> target =
+      ReadCertFromFile(test_dir + "target.pem");
+  ASSERT_TRUE(target);
+
+  SimplePathBuilderDelegate delegate(
+      1024, SimplePathBuilderDelegate::DigestPolicy::kWeakAllowSha1);
+  der::GeneralizedTime verify_time = {2017, 3, 1, 0, 0, 0};
+
+  for (bool reverse_input_order : {false, true}) {
+    SCOPED_TRACE(reverse_input_order);
+
+    TrustStoreInMemory trust_store;
+    // Test with the intermediates supplied in two different orders to ensure
+    // the results don't depend on input ordering.
+    if (reverse_input_order) {
+      trust_store.AddTrustAnchor(trusted_and_matching);
+      trust_store.AddCertificateWithUnspecifiedTrust(matching);
+      trust_store.AddDistrustedCertificateForTest(distrusted_and_matching);
+      trust_store.AddTrustAnchor(trusted_and_no_match_data);
+      trust_store.AddCertificateWithUnspecifiedTrust(no_match_data);
+      trust_store.AddDistrustedCertificateForTest(distrusted_and_no_match_data);
+      trust_store.AddTrustAnchor(trusted_and_mismatch);
+      trust_store.AddCertificateWithUnspecifiedTrust(mismatch);
+      trust_store.AddDistrustedCertificateForTest(distrusted_and_mismatch);
+    } else {
+      trust_store.AddDistrustedCertificateForTest(distrusted_and_matching);
+      trust_store.AddCertificateWithUnspecifiedTrust(no_match_data);
+      trust_store.AddTrustAnchor(trusted_and_no_match_data);
+      trust_store.AddTrustAnchor(trusted_and_matching);
+      trust_store.AddCertificateWithUnspecifiedTrust(matching);
+      trust_store.AddCertificateWithUnspecifiedTrust(mismatch);
+      trust_store.AddDistrustedCertificateForTest(distrusted_and_no_match_data);
+      trust_store.AddTrustAnchor(trusted_and_mismatch);
+      trust_store.AddDistrustedCertificateForTest(distrusted_and_mismatch);
+    }
+    // Also distrust the root certificate. This will force the path builder to
+    // report paths that included an unspecified trust intermediate.
+    trust_store.AddDistrustedCertificateForTest(root);
+
+    CertPathBuilder path_builder(
+        target, &trust_store, &delegate, verify_time, KeyPurpose::ANY_EKU,
+        InitialExplicitPolicy::kFalse, {AnyPolicy()},
+        InitialPolicyMappingInhibit::kFalse, InitialAnyPolicyInhibit::kFalse);
+    path_builder.SetExploreAllPaths(true);
+
+    CertPathBuilder::Result result = path_builder.Run();
+    EXPECT_TRUE(result.HasValidPath());
+    ASSERT_EQ(9U, result.paths.size());
+
+    // Path builder should have attempted paths using the intermediates in
+    // order: trusted_and_matching, trusted_and_no_match_data, matching,
+    // no_match_data, trusted_and_mismatch, mismatch, distrusted_and_matching,
+    // distrusted_and_no_match_data, distrusted_and_mismatch.
+
+    EXPECT_TRUE(result.paths[0]->IsValid());
+    ASSERT_EQ(2U, result.paths[0]->certs.size());
+    EXPECT_EQ(target, result.paths[0]->certs[0]);
+    EXPECT_EQ(trusted_and_matching, result.paths[0]->certs[1]);
+
+    EXPECT_TRUE(result.paths[1]->IsValid());
+    ASSERT_EQ(2U, result.paths[1]->certs.size());
+    EXPECT_EQ(target, result.paths[1]->certs[0]);
+    EXPECT_EQ(trusted_and_no_match_data, result.paths[1]->certs[1]);
+
+    EXPECT_FALSE(result.paths[2]->IsValid());
+    ASSERT_EQ(3U, result.paths[2]->certs.size());
+    EXPECT_EQ(target, result.paths[2]->certs[0]);
+    EXPECT_EQ(matching, result.paths[2]->certs[1]);
+    EXPECT_EQ(root, result.paths[2]->certs[2]);
+
+    EXPECT_FALSE(result.paths[3]->IsValid());
+    ASSERT_EQ(3U, result.paths[3]->certs.size());
+    EXPECT_EQ(target, result.paths[3]->certs[0]);
+    EXPECT_EQ(no_match_data, result.paths[3]->certs[1]);
+    EXPECT_EQ(root, result.paths[3]->certs[2]);
+
+    // Although this intermediate is trusted, it has the wrong key, so
+    // the path should not be valid.
+    EXPECT_FALSE(result.paths[4]->IsValid());
+    ASSERT_EQ(2U, result.paths[4]->certs.size());
+    EXPECT_EQ(target, result.paths[4]->certs[0]);
+    EXPECT_EQ(trusted_and_mismatch, result.paths[4]->certs[1]);
+
+    EXPECT_FALSE(result.paths[5]->IsValid());
+    ASSERT_EQ(3U, result.paths[5]->certs.size());
+    EXPECT_EQ(target, result.paths[5]->certs[0]);
+    EXPECT_EQ(mismatch, result.paths[5]->certs[1]);
+    EXPECT_EQ(root, result.paths[5]->certs[2]);
+
+    EXPECT_FALSE(result.paths[6]->IsValid());
+    ASSERT_EQ(2U, result.paths[6]->certs.size());
+    EXPECT_EQ(target, result.paths[6]->certs[0]);
+    EXPECT_EQ(distrusted_and_matching, result.paths[6]->certs[1]);
+
+    EXPECT_FALSE(result.paths[7]->IsValid());
+    ASSERT_EQ(2U, result.paths[7]->certs.size());
+    EXPECT_EQ(target, result.paths[7]->certs[0]);
+    EXPECT_EQ(distrusted_and_no_match_data, result.paths[7]->certs[1]);
+
+    EXPECT_FALSE(result.paths[8]->IsValid());
+    ASSERT_EQ(2U, result.paths[8]->certs.size());
+    EXPECT_EQ(target, result.paths[8]->certs[0]);
+    EXPECT_EQ(distrusted_and_mismatch, result.paths[8]->certs[1]);
+  }
+}
+
+// PathBuilder does not support prioritization based on the issuer name &
+// serial in authorityKeyIdentifier, so this test just ensures that it does not
+// affect prioritization order and that it is generally just ignored
+// completely.
+TEST(PathBuilderPrioritizationTest, KeyIdNameAndSerialPrioritization) {
+  std::string test_dir =
+      "net/data/path_builder_unittest/key_id_name_and_serial_prioritization/";
+  scoped_refptr<ParsedCertificate> root =
+      ReadCertFromFile(test_dir + "root.pem");
+  ASSERT_TRUE(root);
+  scoped_refptr<ParsedCertificate> root2 =
+      ReadCertFromFile(test_dir + "root2.pem");
+  ASSERT_TRUE(root2);
+  scoped_refptr<ParsedCertificate> int_matching =
+      ReadCertFromFile(test_dir + "int_matching.pem");
+  ASSERT_TRUE(int_matching);
+  scoped_refptr<ParsedCertificate> int_match_name_only =
+      ReadCertFromFile(test_dir + "int_match_name_only.pem");
+  ASSERT_TRUE(int_match_name_only);
+  scoped_refptr<ParsedCertificate> int_mismatch =
+      ReadCertFromFile(test_dir + "int_mismatch.pem");
+  ASSERT_TRUE(int_mismatch);
+  scoped_refptr<ParsedCertificate> target =
+      ReadCertFromFile(test_dir + "target.pem");
+  ASSERT_TRUE(target);
+
+  SimplePathBuilderDelegate delegate(
+      1024, SimplePathBuilderDelegate::DigestPolicy::kWeakAllowSha1);
+  der::GeneralizedTime verify_time = {2017, 3, 1, 0, 0, 0};
+
+  // Distrust the root certificates. This will force the path builder to attempt
+  // all possible paths.
+  TrustStoreInMemory trust_store;
+  trust_store.AddDistrustedCertificateForTest(root);
+  trust_store.AddDistrustedCertificateForTest(root2);
+
+  for (bool reverse_input_order : {false, true}) {
+    SCOPED_TRACE(reverse_input_order);
+
+    CertIssuerSourceStatic intermediates;
+    // Test with the intermediates supplied in two different orders to ensure
+    // the results don't depend on input ordering.
+    if (reverse_input_order) {
+      intermediates.AddCert(int_mismatch);
+      intermediates.AddCert(int_match_name_only);
+      intermediates.AddCert(int_matching);
+    } else {
+      intermediates.AddCert(int_matching);
+      intermediates.AddCert(int_match_name_only);
+      intermediates.AddCert(int_mismatch);
+    }
+
+    CertPathBuilder path_builder(
+        target, &trust_store, &delegate, verify_time, KeyPurpose::ANY_EKU,
+        InitialExplicitPolicy::kFalse, {AnyPolicy()},
+        InitialPolicyMappingInhibit::kFalse, InitialAnyPolicyInhibit::kFalse);
+    path_builder.AddCertIssuerSource(&intermediates);
+
+    CertPathBuilder::Result result = path_builder.Run();
+    EXPECT_FALSE(result.HasValidPath());
+    ASSERT_EQ(3U, result.paths.size());
+
+    // The serial & issuer method is not used in prioritization, so the certs
+    // should have been prioritized based on dates. The test certs have the
+    // date priority order in the reverse of what authorityKeyIdentifier
+    // prioritization would have done if it were supported.
+    // Path builder should have attempted paths using the intermediates in
+    // order: mismatch, match_name_only, matching
+
+    EXPECT_FALSE(result.paths[0]->IsValid());
+    ASSERT_EQ(3U, result.paths[0]->certs.size());
+    EXPECT_EQ(target, result.paths[0]->certs[0]);
+    EXPECT_EQ(int_mismatch, result.paths[0]->certs[1]);
+    EXPECT_EQ(root2, result.paths[0]->certs[2]);
+
+    EXPECT_FALSE(result.paths[1]->IsValid());
+    ASSERT_EQ(3U, result.paths[1]->certs.size());
+    EXPECT_EQ(target, result.paths[1]->certs[0]);
+    EXPECT_EQ(int_match_name_only, result.paths[1]->certs[1]);
+    EXPECT_EQ(root, result.paths[1]->certs[2]);
+
+    EXPECT_FALSE(result.paths[2]->IsValid());
+    ASSERT_EQ(3U, result.paths[2]->certs.size());
+    EXPECT_EQ(target, result.paths[2]->certs[0]);
+    EXPECT_EQ(int_matching, result.paths[2]->certs[1]);
+    EXPECT_EQ(root, result.paths[2]->certs[2]);
+  }
+}
+
 }  // namespace
 
 }  // namespace net
diff --git a/chromium/net/cert/internal/revocation_checker.cc b/chromium/net/cert/internal/revocation_checker.cc
index 458f00797ac..b069f9c75e3 100644
--- a/chromium/net/cert/internal/revocation_checker.cc
+++ b/chromium/net/cert/internal/revocation_checker.cc
@@ -8,6 +8,7 @@
 
 #include "base/strings/string_piece.h"
 #include "crypto/sha2.h"
+#include "net/base/network_isolation_key.h"
 #include "net/cert/cert_net_fetcher.h"
 #include "net/cert/internal/common_cert_errors.h"
 #include "net/cert/internal/crl.h"
@@ -121,7 +122,8 @@ bool CheckCertRevocation(const ParsedCertificateList& certs,
       //               bytes?
       // TODO(eroman): Improve interplay with HTTP cache.
       std::unique_ptr<CertNetFetcher::Request> net_ocsp_request =
-          net_fetcher->FetchOcsp(get_url, CertNetFetcher::DEFAULT,
+          net_fetcher->FetchOcsp(get_url, NetworkIsolationKey::Todo(),
+                                 CertNetFetcher::DEFAULT,
                                  CertNetFetcher::DEFAULT);
 
       Error net_error;
@@ -194,7 +196,8 @@ bool CheckCertRevocation(const ParsedCertificateList& certs,
           // CRL is too old, nor is there a separate CRL cache. It is assumed
           // the CRL server will send reasonable HTTP caching headers.
           std::unique_ptr<CertNetFetcher::Request> net_crl_request =
-              net_fetcher->FetchCrl(parsed_crl_url, CertNetFetcher::DEFAULT,
+              net_fetcher->FetchCrl(parsed_crl_url, NetworkIsolationKey::Todo(),
+                                    CertNetFetcher::DEFAULT,
                                     CertNetFetcher::DEFAULT);
 
           Error net_error;
diff --git a/chromium/net/cert/internal/signature_algorithm_unittest.cc b/chromium/net/cert/internal/signature_algorithm_unittest.cc
index 679b981564d..ea98a0815cf 100644
--- a/chromium/net/cert/internal/signature_algorithm_unittest.cc
+++ b/chromium/net/cert/internal/signature_algorithm_unittest.cc
@@ -9,7 +9,7 @@
 #include "base/files/file_util.h"
 #include "base/strings/string_number_conversions.h"
 #include "net/cert/internal/cert_errors.h"
-#include "net/cert/pem_tokenizer.h"
+#include "net/cert/pem.h"
 #include "net/der/input.h"
 #include "net/der/parser.h"
 #include "testing/gtest/include/gtest/gtest.h"
diff --git a/chromium/net/cert/internal/simple_path_builder_delegate_unittest.cc b/chromium/net/cert/internal/simple_path_builder_delegate_unittest.cc
index 68dcd324f27..565987b7460 100644
--- a/chromium/net/cert/internal/simple_path_builder_delegate_unittest.cc
+++ b/chromium/net/cert/internal/simple_path_builder_delegate_unittest.cc
@@ -60,7 +60,7 @@ const char* kSuccess1024Filenames[] = {
     "ecdsa-prime256v1-sha512.pem",
 };
 
-INSTANTIATE_TEST_SUITE_P(,
+INSTANTIATE_TEST_SUITE_P(All,
                          SimplePathBuilderDelegate1024SuccessTest,
                          ::testing::ValuesIn(kSuccess1024Filenames));
 
@@ -87,7 +87,7 @@ class SimplePathBuilderDelegate2048FailTest
 const char* kFail2048Filenames[] = {"rsa-pkcs1-sha1.pem",
                                     "rsa-pkcs1-sha256.pem"};
 
-INSTANTIATE_TEST_SUITE_P(,
+INSTANTIATE_TEST_SUITE_P(All,
                          SimplePathBuilderDelegate2048FailTest,
                          ::testing::ValuesIn(kFail2048Filenames));
 
diff --git a/chromium/net/cert/internal/test_helpers.cc b/chromium/net/cert/internal/test_helpers.cc
index 33ff701f4f8..70f090a26f1 100644
--- a/chromium/net/cert/internal/test_helpers.cc
+++ b/chromium/net/cert/internal/test_helpers.cc
@@ -11,7 +11,7 @@
 #include "base/strings/string_split.h"
 #include "net/cert/internal/cert_error_params.h"
 #include "net/cert/internal/cert_errors.h"
-#include "net/cert/pem_tokenizer.h"
+#include "net/cert/pem.h"
 #include "net/der/parser.h"
 #include "testing/gtest/include/gtest/gtest.h"
 #include "third_party/boringssl/src/include/openssl/pool.h"
@@ -174,6 +174,16 @@ bool ReadCertChainFromFile(const std::string& file_path_ascii,
   return true;
 }
 
+scoped_refptr<ParsedCertificate> ReadCertFromFile(
+    const std::string& file_path_ascii) {
+  ParsedCertificateList chain;
+  if (!ReadCertChainFromFile(file_path_ascii, &chain))
+    return nullptr;
+  if (chain.size() != 1)
+    return nullptr;
+  return chain[0];
+}
+
 bool ReadVerifyCertChainTestFromFile(const std::string& file_path_ascii,
                                      VerifyCertChainTest* test) {
   // Reset all the out parameters to their defaults.
diff --git a/chromium/net/cert/internal/test_helpers.h b/chromium/net/cert/internal/test_helpers.h
index d356e539c0a..78302dda33f 100644
--- a/chromium/net/cert/internal/test_helpers.h
+++ b/chromium/net/cert/internal/test_helpers.h
@@ -124,6 +124,11 @@ bool ReadVerifyCertChainTestFromFile(const std::string& file_path_ascii,
 bool ReadCertChainFromFile(const std::string& file_path_ascii,
                            ParsedCertificateList* chain);
 
+// Reads a certificate from |file_path_ascii|. Returns nullptr if the file
+// contained more that one certificate.
+scoped_refptr<ParsedCertificate> ReadCertFromFile(
+    const std::string& file_path_ascii);
+
 // Reads a data file relative to the src root directory.
 std::string ReadTestFileToString(const std::string& file_path_ascii);
 
diff --git a/chromium/net/cert/internal/trust_store_mac_unittest.cc b/chromium/net/cert/internal/trust_store_mac_unittest.cc
index 9cbf29090f2..dd79ef376b5 100644
--- a/chromium/net/cert/internal/trust_store_mac_unittest.cc
+++ b/chromium/net/cert/internal/trust_store_mac_unittest.cc
@@ -14,7 +14,7 @@
 #include "crypto/mac_security_services_lock.h"
 #include "net/cert/internal/cert_errors.h"
 #include "net/cert/internal/test_helpers.h"
-#include "net/cert/pem_tokenizer.h"
+#include "net/cert/pem.h"
 #include "net/cert/test_keychain_search_list_mac.h"
 #include "net/cert/x509_certificate.h"
 #include "net/cert/x509_util.h"
diff --git a/chromium/net/cert/internal/verify_certificate_chain.cc b/chromium/net/cert/internal/verify_certificate_chain.cc
index 17fa3337c65..8089e721f9c 100644
--- a/chromium/net/cert/internal/verify_certificate_chain.cc
+++ b/chromium/net/cert/internal/verify_certificate_chain.cc
@@ -817,7 +817,9 @@ void PathVerifier::BasicCertificateProcessing(
   // (RFC 5280 section 6.1.3 step a.2)
   VerifyTimeValidity(cert, time, errors);
 
-  // TODO(eroman): Check revocation (RFC 5280 section 6.1.3 step a.3)
+  // RFC 5280 section 6.1.3 step a.3 calls for checking the certificate's
+  // revocation status here. In this implementation revocation checking is
+  // implemented separately from path validation.
 
   // Verify the certificate's issuer name matches the issuing certificate's
   // subject name. (RFC 5280 section 6.1.3 step a.4)
diff --git a/chromium/net/cert/internal/verify_certificate_chain.h b/chromium/net/cert/internal/verify_certificate_chain.h
index be75ff43747..a9870ec483a 100644
--- a/chromium/net/cert/internal/verify_certificate_chain.h
+++ b/chromium/net/cert/internal/verify_certificate_chain.h
@@ -78,6 +78,7 @@ class NET_EXPORT VerifyCertificateChainDelegate {
 //
 //   * If Extended Key Usage appears on intermediates, it is treated as
 //     a restriction on subordinate certificates.
+//   * No revocation checking is performed.
 //
 // -----------------------------------------
 // Additional responsibilities of the caller
diff --git a/chromium/net/cert/internal/verify_certificate_chain_typed_unittest.h b/chromium/net/cert/internal/verify_certificate_chain_typed_unittest.h
index a9fcb14e595..50042c75241 100644
--- a/chromium/net/cert/internal/verify_certificate_chain_typed_unittest.h
+++ b/chromium/net/cert/internal/verify_certificate_chain_typed_unittest.h
@@ -9,7 +9,7 @@
 #include "net/cert/internal/test_helpers.h"
 #include "net/cert/internal/trust_store.h"
 #include "net/cert/internal/verify_certificate_chain.h"
-#include "net/cert/pem_tokenizer.h"
+#include "net/cert/pem.h"
 #include "net/der/input.h"
 #include "testing/gtest/include/gtest/gtest.h"
 
@@ -80,6 +80,9 @@ TYPED_TEST_P(VerifyCertificateChainSingleRootTest, WrongSignature) {
   this->RunTest("target-wrong-signature/main.test");
   this->RunTest("intermediate-and-target-wrong-signature/main.test");
   this->RunTest("incorrect-trust-anchor/main.test");
+  this->RunTest("target-wrong-signature-no-authority-key-identifier/main.test");
+  this->RunTest(
+      "intermediate-wrong-signature-no-authority-key-identifier/main.test");
 }
 
 TYPED_TEST_P(VerifyCertificateChainSingleRootTest, LastCertificateNotTrusted) {
diff --git a/chromium/net/cert/known_roots_nss.cc b/chromium/net/cert/known_roots_nss.cc
index ff4507f8e11..edcc608d97e 100644
--- a/chromium/net/cert/known_roots_nss.cc
+++ b/chromium/net/cert/known_roots_nss.cc
@@ -11,8 +11,7 @@
 
 #include <memory>
 
-#include "base/memory/protected_memory.h"
-#include "base/memory/protected_memory_cfi.h"
+#include "base/compiler_specific.h"
 #include "crypto/nss_util_internal.h"
 #include "net/base/hash_value.h"
 #include "net/cert/x509_util_nss.h"
@@ -30,31 +29,20 @@ using PK11HasAttributeSetFunction = CK_BBOOL (*)(PK11SlotInfo* slot,
                                                  CK_OBJECT_HANDLE id,
                                                  CK_ATTRIBUTE_TYPE type,
                                                  PRBool haslock);
-static PROTECTED_MEMORY_SECTION
-    base::ProtectedMemory<PK11HasAttributeSetFunction>
-        g_pk11_has_attribute_set;
-
-// The function pointer for PK11_HasAttributeSet is saved to read-only memory
-// after being dynamically resolved as a security mitigation to prevent the
-// pointer from being tampered with. See https://crbug.com/771365 for details.
-const base::ProtectedMemory<PK11HasAttributeSetFunction>&
-ResolvePK11HasAttributeSet() {
-  static base::ProtectedMemory<PK11HasAttributeSetFunction>::Initializer init(
-      &g_pk11_has_attribute_set,
-      reinterpret_cast<PK11HasAttributeSetFunction>(
-          dlsym(RTLD_DEFAULT, "PK11_HasAttributeSet")));
-  return g_pk11_has_attribute_set;
-}
 
 }  // namespace
 
 // IsKnownRoot returns true if the given certificate is one that we believe
 // is a standard (as opposed to user-installed) root.
+NO_SANITIZE("cfi-icall")
 bool IsKnownRoot(CERTCertificate* root) {
   if (!root || !root->slot)
     return false;
 
-  if (*ResolvePK11HasAttributeSet() != nullptr) {
+  static PK11HasAttributeSetFunction pk11_has_attribute_set =
+      reinterpret_cast<PK11HasAttributeSetFunction>(
+          dlsym(RTLD_DEFAULT, "PK11_HasAttributeSet"));
+  if (pk11_has_attribute_set) {
     // Historically, the set of root certs was determined based on whether or
     // not it was part of nssckbi.[so,dll], the read-only PKCS#11 module that
     // exported the certs with trust settings. However, some distributions,
@@ -76,9 +64,9 @@ bool IsKnownRoot(CERTCertificate* root) {
         if (PK11_IsPresent(slot) && PK11_HasRootCerts(slot)) {
           CK_OBJECT_HANDLE handle = PK11_FindCertInSlot(slot, root, nullptr);
           if (handle != CK_INVALID_HANDLE &&
-              UnsanitizedCfiCall(ResolvePK11HasAttributeSet())(
-                  root->slot, handle, CKA_NSS_MOZILLA_CA_POLICY, PR_FALSE) ==
-                  CK_TRUE) {
+              pk11_has_attribute_set(root->slot, handle,
+                                     CKA_NSS_MOZILLA_CA_POLICY,
+                                     PR_FALSE) == CK_TRUE) {
             return true;
           }
         }
diff --git a/chromium/net/cert/multi_log_ct_verifier_unittest.cc b/chromium/net/cert/multi_log_ct_verifier_unittest.cc
index d171a465b33..513bbaa12d9 100644
--- a/chromium/net/cert/multi_log_ct_verifier_unittest.cc
+++ b/chromium/net/cert/multi_log_ct_verifier_unittest.cc
@@ -16,7 +16,7 @@
 #include "net/base/net_errors.h"
 #include "net/cert/ct_log_verifier.h"
 #include "net/cert/ct_serialization.h"
-#include "net/cert/pem_tokenizer.h"
+#include "net/cert/pem.h"
 #include "net/cert/sct_status_flags.h"
 #include "net/cert/signed_certificate_timestamp.h"
 #include "net/cert/signed_certificate_timestamp_and_status.h"
@@ -64,7 +64,7 @@ class MultiLogCTVerifierTest : public ::testing::Test {
     ASSERT_TRUE(embedded_sct_chain_.get());
   }
 
-  bool CheckForEmbeddedSCTInNetLog(const TestNetLog& net_log) {
+  bool CheckForEmbeddedSCTInNetLog(const RecordingTestNetLog& net_log) {
     auto entries = net_log.GetEntries();
     if (entries.size() != 2)
       return false;
@@ -114,7 +114,7 @@ class MultiLogCTVerifierTest : public ::testing::Test {
   // |kLogDescription|.
   bool CheckPrecertificateVerification(scoped_refptr<X509Certificate> chain) {
     SignedCertificateTimestampAndStatusList scts;
-    TestNetLog test_net_log;
+    RecordingTestNetLog test_net_log;
     NetLogWithSource net_log = NetLogWithSource::Make(
         &test_net_log, NetLogSourceType::SSL_CONNECT_JOB);
     verifier_->Verify(kHostname, chain.get(), base::StringPiece(),
diff --git a/chromium/net/cert/pem_tokenizer.cc b/chromium/net/cert/pem.cc
index f9edb3fc6ab..b65640aa988 100644
--- a/chromium/net/cert/pem_tokenizer.cc
+++ b/chromium/net/cert/pem.cc
@@ -2,7 +2,7 @@
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
-#include "net/cert/pem_tokenizer.h"
+#include "net/cert/pem.h"
 
 #include "base/base64.h"
 #include "base/strings/string_util.h"
@@ -60,10 +60,10 @@ bool PEMTokenizer::GetNext() {
       pos_ = footer_pos + it->footer.size();
       block_type_ = it->type;
 
-      StringPiece encoded = str_.substr(data_begin,
-                                        footer_pos - data_begin);
-      if (!base::Base64Decode(base::CollapseWhitespaceASCII(encoded.as_string(),
-                                                            true), &data_)) {
+      StringPiece encoded = str_.substr(data_begin, footer_pos - data_begin);
+      if (!base::Base64Decode(
+              base::CollapseWhitespaceASCII(encoded.as_string(), true),
+              &data_)) {
         // The most likely cause for a decode failure is a datatype that
         // includes PEM headers, which are not supported.
         break;
@@ -83,9 +83,8 @@ bool PEMTokenizer::GetNext() {
   return false;
 }
 
-void PEMTokenizer::Init(
-    const StringPiece& str,
-    const std::vector<std::string>& allowed_block_types) {
+void PEMTokenizer::Init(const StringPiece& str,
+                        const std::vector<std::string>& allowed_block_types) {
   str_ = str;
   pos_ = 0;
 
@@ -101,4 +100,38 @@ void PEMTokenizer::Init(
   }
 }
 
+std::string PEMEncode(base::StringPiece data, const std::string& type) {
+  std::string b64_encoded;
+  base::Base64Encode(data, &b64_encoded);
+
+  // Divide the Base-64 encoded data into 64-character chunks, as per
+  // 4.3.2.4 of RFC 1421.
+  static const size_t kChunkSize = 64;
+  size_t chunks = (b64_encoded.size() + (kChunkSize - 1)) / kChunkSize;
+
+  std::string pem_encoded;
+  pem_encoded.reserve(
+      // header & footer
+      17 + 15 + type.size() * 2 +
+      // encoded data
+      b64_encoded.size() +
+      // newline characters for line wrapping in encoded data
+      chunks);
+
+  pem_encoded = "-----BEGIN ";
+  pem_encoded.append(type);
+  pem_encoded.append("-----\n");
+
+  for (size_t i = 0, chunk_offset = 0; i < chunks;
+       ++i, chunk_offset += kChunkSize) {
+    pem_encoded.append(b64_encoded, chunk_offset, kChunkSize);
+    pem_encoded.append("\n");
+  }
+
+  pem_encoded.append("-----END ");
+  pem_encoded.append(type);
+  pem_encoded.append("-----\n");
+  return pem_encoded;
+}
+
 }  // namespace net
diff --git a/chromium/net/cert/pem_tokenizer.h b/chromium/net/cert/pem.h
index 808acbd34e8..c964b1b2f01 100644
--- a/chromium/net/cert/pem_tokenizer.h
+++ b/chromium/net/cert/pem.h
@@ -2,8 +2,8 @@
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
-#ifndef NET_CERT_PEM_TOKENIZER_H_
-#define NET_CERT_PEM_TOKENIZER_H_
+#ifndef NET_CERT_PEM_H_
+#define NET_CERT_PEM_H_
 
 #include <stddef.h>
 
@@ -75,6 +75,11 @@ class NET_EXPORT_PRIVATE PEMTokenizer {
   DISALLOW_COPY_AND_ASSIGN(PEMTokenizer);
 };
 
+// Encodes |data| in the encapsulated message format described in RFC 1421,
+// with |type| as the PEM block type (eg: CERTIFICATE).
+NET_EXPORT_PRIVATE std::string PEMEncode(base::StringPiece data,
+                                         const std::string& type);
+
 }  // namespace net
 
-#endif  // NET_CERT_PEM_TOKENIZER_H_
+#endif  // NET_CERT_PEM_H_
diff --git a/chromium/net/cert/pem_tokenizer_unittest.cc b/chromium/net/cert/pem_unittest.cc
index d5334db8999..cd2ecad89b2 100644
--- a/chromium/net/cert/pem_tokenizer_unittest.cc
+++ b/chromium/net/cert/pem_unittest.cc
@@ -2,7 +2,7 @@
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
-#include "net/cert/pem_tokenizer.h"
+#include "net/cert/pem.h"
 
 #include "testing/gtest/include/gtest/gtest.h"
 
@@ -166,4 +166,40 @@ TEST(PEMTokenizerTest, BlockWithHeader) {
   EXPECT_FALSE(tokenizer.GetNext());
 }
 
+TEST(PEMEncodeTest, Basic) {
+  EXPECT_EQ(
+      "-----BEGIN BLOCK-ONE-----\n"
+      "RW5jb2RlZERhdGFPbmU=\n"
+      "-----END BLOCK-ONE-----\n",
+      PEMEncode("EncodedDataOne", "BLOCK-ONE"));
+  EXPECT_EQ(
+      "-----BEGIN BLOCK-TWO-----\n"
+      "RW5jb2RlZERhdGFUd28=\n"
+      "-----END BLOCK-TWO-----\n",
+      PEMEncode("EncodedDataTwo", "BLOCK-TWO"));
+}
+
+TEST(PEMEncodeTest, Empty) {
+  EXPECT_EQ(
+      "-----BEGIN EMPTY-----\n"
+      "-----END EMPTY-----\n",
+      PEMEncode("", "EMPTY"));
+}
+
+TEST(PEMEncodeTest, Wrapping) {
+  EXPECT_EQ(
+      "-----BEGIN SINGLE LINE-----\n"
+      "MTIzNDU2Nzg5MGFiY2RlZmdoaWprbG1ub3BxcnN0dXZ3eHl6QUJDREVGR0hJSktM\n"
+      "-----END SINGLE LINE-----\n",
+      PEMEncode("1234567890abcdefghijklmnopqrstuvwxyzABCDEFGHIJKL",
+                "SINGLE LINE"));
+
+  EXPECT_EQ(
+      "-----BEGIN WRAPPED LINE-----\n"
+      "MTIzNDU2Nzg5MGFiY2RlZmdoaWprbG1ub3BxcnN0dXZ3eHl6QUJDREVGR0hJSktM\nTQ==\n"
+      "-----END WRAPPED LINE-----\n",
+      PEMEncode("1234567890abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLM",
+                "WRAPPED LINE"));
+}
+
 }  // namespace net
diff --git a/chromium/net/cert/trial_comparison_cert_verifier.cc b/chromium/net/cert/trial_comparison_cert_verifier.cc
index d91f542dc7f..fa1b5573d79 100644
--- a/chromium/net/cert/trial_comparison_cert_verifier.cc
+++ b/chromium/net/cert/trial_comparison_cert_verifier.cc
@@ -242,11 +242,12 @@ class TrialComparisonCertVerifier::Job::Request : public CertVerifier::Request {
 
   // Called when the Job has completed, and used to invoke the client
   // callback.
-  // Note: |this| may be deleted after calling this.
+  // Note: |this| may be deleted after calling this method.
   void OnJobComplete(int result, const CertVerifyResult& verify_result);
 
   // Called when the Job is aborted (e.g. the underlying
   // TrialComparisonCertVerifier is being deleted).
+  // Note: |this| may be deleted after calling this method.
   void OnJobAborted();
 
  private:
@@ -275,7 +276,9 @@ TrialComparisonCertVerifier::Job::Job(const CertVerifier::Config& config,
 
 TrialComparisonCertVerifier::Job::~Job() {
   if (request_) {
+    // Note: May delete |request_|.
     request_->OnJobAborted();
+    request_ = nullptr;
   }
 
   if (parent_) {
@@ -628,6 +631,9 @@ void TrialComparisonCertVerifier::Job::Request::OnJobComplete(
 void TrialComparisonCertVerifier::Job::Request::OnJobAborted() {
   DCHECK(parent_);
   parent_ = nullptr;
+
+  // DANGER: |this| may be deleted when this callback is destroyed.
+  client_callback_.Reset();
 }
 
 TrialComparisonCertVerifier::TrialComparisonCertVerifier(
diff --git a/chromium/net/cert/x509_cert_types_unittest.cc b/chromium/net/cert/x509_cert_types_unittest.cc
index 333887e3d79..865cdcb8502 100644
--- a/chromium/net/cert/x509_cert_types_unittest.cc
+++ b/chromium/net/cert/x509_cert_types_unittest.cc
@@ -190,7 +190,7 @@ TEST_P(X509CertTypesDateTest, Parse) {
       base::Time::FromUTCExploded(test_data_.expected_result, &out_time));
   EXPECT_EQ(out_time.ToInternalValue(), parsed_date.ToInternalValue());
 }
-INSTANTIATE_TEST_SUITE_P(,
+INSTANTIATE_TEST_SUITE_P(All,
                          X509CertTypesDateTest,
                          testing::ValuesIn(kCertDateTimeData));
 
diff --git a/chromium/net/cert/x509_certificate.cc b/chromium/net/cert/x509_certificate.cc
index f59ff53aef6..ffe94cd52c8 100644
--- a/chromium/net/cert/x509_certificate.cc
+++ b/chromium/net/cert/x509_certificate.cc
@@ -33,7 +33,7 @@
 #include "net/cert/internal/signature_algorithm.h"
 #include "net/cert/internal/verify_name_match.h"
 #include "net/cert/internal/verify_signed_data.h"
-#include "net/cert/pem_tokenizer.h"
+#include "net/cert/pem.h"
 #include "net/cert/x509_util.h"
 #include "net/der/encode_values.h"
 #include "net/der/parser.h"
@@ -597,20 +597,8 @@ bool X509Certificate::GetPEMEncodedFromDER(base::StringPiece der_encoded,
                                            std::string* pem_encoded) {
   if (der_encoded.empty())
     return false;
-  std::string b64_encoded;
-  base::Base64Encode(der_encoded, &b64_encoded);
-  *pem_encoded = "-----BEGIN CERTIFICATE-----\n";
-
-  // Divide the Base-64 encoded data into 64-character chunks, as per
-  // 4.3.2.4 of RFC 1421.
-  static const size_t kChunkSize = 64;
-  size_t chunks = (b64_encoded.size() + (kChunkSize - 1)) / kChunkSize;
-  for (size_t i = 0, chunk_offset = 0; i < chunks;
-       ++i, chunk_offset += kChunkSize) {
-    pem_encoded->append(b64_encoded, chunk_offset, kChunkSize);
-    pem_encoded->append("\n");
-  }
-  pem_encoded->append("-----END CERTIFICATE-----\n");
+
+  *pem_encoded = PEMEncode(der_encoded, "CERTIFICATE");
   return true;
 }
 
diff --git a/chromium/net/cert/x509_certificate_net_log_param.h b/chromium/net/cert/x509_certificate_net_log_param.h
index 986a508a03e..22dd9cc141a 100644
--- a/chromium/net/cert/x509_certificate_net_log_param.h
+++ b/chromium/net/cert/x509_certificate_net_log_param.h
@@ -21,6 +21,15 @@ class X509Certificate;
 NET_EXPORT base::Value NetLogX509CertificateParams(
     const X509Certificate* certificate);
 
+// Creates NetLog parameter to describe verification inputs: an X509Certificate,
+// hostname, VerifyFlags and optional OCSP response and SCT list.
+NET_EXPORT base::Value NetLogX509CertificateVerifyParams(
+    const X509Certificate* certificate,
+    const std::string& hostname,
+    int verify_flags,
+    const std::string& ocsp_response,
+    const std::string& sct_list);
+
 }  // namespace net
 
 #endif  // NET_CERT_X509_CERTIFICATE_NET_LOG_PARAM_H_
diff --git a/chromium/net/cert/x509_certificate_unittest.cc b/chromium/net/cert/x509_certificate_unittest.cc
index 6fd11721d68..44e00992d86 100644
--- a/chromium/net/cert/x509_certificate_unittest.cc
+++ b/chromium/net/cert/x509_certificate_unittest.cc
@@ -19,7 +19,7 @@
 #include "crypto/rsa_private_key.h"
 #include "net/base/net_errors.h"
 #include "net/cert/asn1_util.h"
-#include "net/cert/pem_tokenizer.h"
+#include "net/cert/pem.h"
 #include "net/cert/x509_util.h"
 #include "net/test/cert_test_util.h"
 #include "net/test/test_certificate_data.h"
@@ -1151,7 +1151,7 @@ TEST_P(X509CertificateParseTest, CanParseFormat) {
   }
 }
 
-INSTANTIATE_TEST_SUITE_P(,
+INSTANTIATE_TEST_SUITE_P(All,
                          X509CertificateParseTest,
                          testing::ValuesIn(kFormatTestData));
 
@@ -1337,11 +1337,10 @@ TEST_P(X509CertificateNameVerifyTest, VerifyHostname) {
       ASSERT_NE(0U, addr_ascii.length());
       if (addr_ascii[0] == 'x') {  // Hex encoded address
         addr_ascii.erase(0, 1);
-        std::vector<uint8_t> bytes;
-        EXPECT_TRUE(base::HexStringToBytes(addr_ascii, &bytes))
+        std::string bytes;
+        EXPECT_TRUE(base::HexStringToString(addr_ascii, &bytes))
             << "Could not parse hex address " << addr_ascii << " i = " << i;
-        ip_addressses.push_back(std::string(reinterpret_cast<char*>(&bytes[0]),
-                                            bytes.size()));
+        ip_addressses.push_back(std::move(bytes));
         ASSERT_EQ(16U, ip_addressses.back().size()) << i;
       } else {  // Decimal groups
         std::vector<std::string> decimals_ascii = base::SplitString(
@@ -1366,7 +1365,7 @@ TEST_P(X509CertificateNameVerifyTest, VerifyHostname) {
                                             ip_addressses));
 }
 
-INSTANTIATE_TEST_SUITE_P(,
+INSTANTIATE_TEST_SUITE_P(All,
                          X509CertificateNameVerifyTest,
                          testing::ValuesIn(kNameVerifyTestData));
 
@@ -1406,7 +1405,7 @@ TEST_P(X509CertificatePublicKeyInfoTest, GetPublicKeyInfo) {
   EXPECT_EQ(data.expected_type, actual_type);
 }
 
-INSTANTIATE_TEST_SUITE_P(,
+INSTANTIATE_TEST_SUITE_P(All,
                          X509CertificatePublicKeyInfoTest,
                          testing::ValuesIn(kPublicKeyInfoTestData));
 
diff --git a/chromium/net/cert/x509_util_unittest.cc b/chromium/net/cert/x509_util_unittest.cc
index c6cb99d088d..e359c599c22 100644
--- a/chromium/net/cert/x509_util_unittest.cc
+++ b/chromium/net/cert/x509_util_unittest.cc
@@ -133,9 +133,8 @@ TEST(X509UtilTest, CreateSelfSigned) {
     0xb1, 0xc5, 0x15, 0xf3
   };
 
-  std::vector<uint8_t> input;
-  input.resize(sizeof(private_key_info));
-  memcpy(&input.front(), private_key_info, sizeof(private_key_info));
+  std::vector<uint8_t> input(std::begin(private_key_info),
+                             std::end(private_key_info));
 
   std::unique_ptr<crypto::RSAPrivateKey> private_key(
       crypto::RSAPrivateKey::CreateFromPrivateKeyInfo(input));
diff --git a/chromium/net/cert_net/cert_net_fetcher_impl.cc b/chromium/net/cert_net/cert_net_fetcher_url_request.cc
index 0a3ed470a5d..c71f1b33177 100644
--- a/chromium/net/cert_net/cert_net_fetcher_impl.cc
+++ b/chromium/net/cert_net/cert_net_fetcher_url_request.cc
@@ -4,16 +4,16 @@
 //
 // Overview
 //
-// The main entry point is CertNetFetcherImpl. This is an implementation of
-// CertNetFetcher that provides a service for fetching network requests.
+// The main entry point is CertNetFetcherURLRequest. This is an implementation
+// of CertNetFetcher that provides a service for fetching network requests.
 //
 // The interface for CertNetFetcher is synchronous, however allows
-// overlapping requests. When starting a request CertNetFetcherImpl
-// returns a CertNetFetcher::Request (CertNetFetcherImpl) that the
+// overlapping requests. When starting a request CertNetFetcherURLRequest
+// returns a CertNetFetcher::Request (CertNetFetcherRequestImpl) that the
 // caller can use to cancel the fetch, or wait for it to complete
 // (blocking).
 //
-// The CertNetFetcherImpl is shared between a network thread and a
+// The CertNetFetcherURLRequest is shared between a network thread and a
 // caller thread that waits for fetches to happen on the network thread.
 //
 // The classes are mainly organized based on their thread affinity:
@@ -22,7 +22,7 @@
 // Straddles caller thread and network thread
 // ---------------
 //
-// CertNetFetcherImpl (implements CertNetFetcher)
+// CertNetFetcherURLRequest (implements CertNetFetcher)
 //   * Main entry point. Must be created and shutdown from the network thread.
 //   * Provides a service to start/cancel/wait for URL fetches, to be
 //     used on the caller thread.
@@ -49,14 +49,14 @@
 // Lives on network thread
 // ---------------
 //
-// AsyncCertNetFetcherImpl
-//   * Asyncronous manager for outstanding requests. Handles de-duplication,
+// AsyncCertNetFetcherURLRequest
+//   * Asynchronous manager for outstanding requests. Handles de-duplication,
 //     timeouts, and actual integration with network stack. This is where the
 //     majority of the logic lives.
 //   * Signals completion of requests through RequestCore's WaitableEvent.
 //   * Attaches requests to Jobs for the purpose of de-duplication
 
-#include "net/cert_net/cert_net_fetcher_impl.h"
+#include "net/cert_net/cert_net_fetcher_url_request.h"
 
 #include <tuple>
 #include <utility>
@@ -72,6 +72,7 @@
 #include "base/threading/thread_task_runner_handle.h"
 #include "base/timer/timer.h"
 #include "net/base/load_flags.h"
+#include "net/base/network_isolation_key.h"
 #include "net/cert/cert_net_fetcher.h"
 #include "net/traffic_annotation/network_traffic_annotation.h"
 #include "net/url_request/redirect_info.h"
@@ -113,22 +114,22 @@ using JobSet = std::map<Job*, std::unique_ptr<Job>, JobComparator>;
 
 }  // namespace
 
-// AsyncCertNetFetcherImpl manages URLRequests in an async fashion on the
+// AsyncCertNetFetcherURLRequest manages URLRequests in an async fashion on the
 // URLRequestContexts's task runner thread.
 //
 //  * Schedules
 //  * De-duplicates requests
 //  * Handles timeouts
-class CertNetFetcherImpl::AsyncCertNetFetcherImpl {
+class CertNetFetcherURLRequest::AsyncCertNetFetcherURLRequest {
  public:
-  // Initializes AsyncCertNetFetcherImpl using the specified URLRequestContext
-  // for issuing requests. |context| must remain valid until Shutdown() is
-  // called or the AsyncCertNetFetcherImpl is destroyed.
-  explicit AsyncCertNetFetcherImpl(URLRequestContext* context);
+  // Initializes AsyncCertNetFetcherURLRequest using the specified
+  // URLRequestContext for issuing requests. |context| must remain valid until
+  // Shutdown() is called or the AsyncCertNetFetcherURLRequest is destroyed.
+  explicit AsyncCertNetFetcherURLRequest(URLRequestContext* context);
 
-  // The AsyncCertNetFetcherImpl is expected to be kept alive until all
+  // The AsyncCertNetFetcherURLRequest is expected to be kept alive until all
   // requests have completed or Shutdown() is called.
-  ~AsyncCertNetFetcherImpl();
+  ~AsyncCertNetFetcherURLRequest();
 
   // Starts an asynchronous request to fetch the given URL. On completion
   // request->OnJobCompleted() will be invoked.
@@ -152,12 +153,12 @@ class CertNetFetcherImpl::AsyncCertNetFetcherImpl {
   // invoking callbacks (OnJobCompleted).
   JobSet jobs_;
 
-  // Not owned. |context_| must outlive the AsyncCertNetFetcherImpl.
+  // Not owned. |context_| must outlive the AsyncCertNetFetcherURLRequest.
   URLRequestContext* context_ = nullptr;
 
-  base::ThreadChecker thread_checker_;
+  THREAD_CHECKER(thread_checker_);
 
-  DISALLOW_COPY_AND_ASSIGN(AsyncCertNetFetcherImpl);
+  DISALLOW_COPY_AND_ASSIGN(AsyncCertNetFetcherURLRequest);
 };
 
 namespace {
@@ -200,7 +201,7 @@ enum HttpMethod {
 
 // RequestCore tracks an outstanding call to Fetch(). It is
 // reference-counted for ease of sharing between threads.
-class CertNetFetcherImpl::RequestCore
+class CertNetFetcherURLRequest::RequestCore
     : public base::RefCountedThreadSafe<RequestCore> {
  public:
   explicit RequestCore(scoped_refptr<base::SingleThreadTaskRunner> task_runner)
@@ -276,13 +277,14 @@ class CertNetFetcherImpl::RequestCore
   DISALLOW_COPY_AND_ASSIGN(RequestCore);
 };
 
-struct CertNetFetcherImpl::RequestParams {
+struct CertNetFetcherURLRequest::RequestParams {
   RequestParams();
 
   bool operator<(const RequestParams& other) const;
 
   GURL url;
   HttpMethod http_method;
+  NetworkIsolationKey network_isolation_key;
   size_t max_response_bytes;
 
   // If set to a value <= 0 then means "no timeout".
@@ -294,14 +296,15 @@ struct CertNetFetcherImpl::RequestParams {
   DISALLOW_COPY_AND_ASSIGN(RequestParams);
 };
 
-CertNetFetcherImpl::RequestParams::RequestParams()
+CertNetFetcherURLRequest::RequestParams::RequestParams()
     : http_method(HTTP_METHOD_GET), max_response_bytes(0) {}
 
-bool CertNetFetcherImpl::RequestParams::operator<(
+bool CertNetFetcherURLRequest::RequestParams::operator<(
     const RequestParams& other) const {
-  return std::tie(url, http_method, max_response_bytes, timeout) <
-         std::tie(other.url, other.http_method, other.max_response_bytes,
-                  other.timeout);
+  return std::tie(url, http_method, network_isolation_key, max_response_bytes,
+                  timeout) < std::tie(other.url, other.http_method,
+                                      other.network_isolation_key,
+                                      other.max_response_bytes, other.timeout);
 }
 
 namespace {
@@ -310,20 +313,21 @@ namespace {
 // for it.
 class Job : public URLRequest::Delegate {
  public:
-  Job(std::unique_ptr<CertNetFetcherImpl::RequestParams> request_params,
-      CertNetFetcherImpl::AsyncCertNetFetcherImpl* parent);
+  Job(std::unique_ptr<CertNetFetcherURLRequest::RequestParams> request_params,
+      CertNetFetcherURLRequest::AsyncCertNetFetcherURLRequest* parent);
   ~Job() override;
 
-  const CertNetFetcherImpl::RequestParams& request_params() const {
+  const CertNetFetcherURLRequest::RequestParams& request_params() const {
     return *request_params_;
   }
 
   // Creates a request and attaches it to the job. When the job completes it
   // will notify the request of completion through OnJobCompleted.
-  void AttachRequest(scoped_refptr<CertNetFetcherImpl::RequestCore> request);
+  void AttachRequest(
+      scoped_refptr<CertNetFetcherURLRequest::RequestCore> request);
 
   // Removes |request| from the job.
-  void DetachRequest(CertNetFetcherImpl::RequestCore* request);
+  void DetachRequest(CertNetFetcherURLRequest::RequestCore* request);
 
   // Creates and starts a URLRequest for the job. After the URLRequest has
   // completed, OnJobCompleted() will be invoked and all the registered requests
@@ -332,7 +336,8 @@ class Job : public URLRequest::Delegate {
 
   // Cancels the request with an ERR_ABORTED error and invokes
   // RequestCore::OnJobCompleted() to notify the registered requests of the
-  // cancellation. The job is *not* removed from the AsyncCertNetFetcherImpl.
+  // cancellation. The job is *not* removed from the
+  // AsyncCertNetFetcherURLRequest.
   void Cancel();
 
  private:
@@ -371,10 +376,10 @@ class Job : public URLRequest::Delegate {
   void FailRequest(Error error);
 
   // The requests attached to this job.
-  std::vector<scoped_refptr<CertNetFetcherImpl::RequestCore>> requests_;
+  std::vector<scoped_refptr<CertNetFetcherURLRequest::RequestCore>> requests_;
 
   // The input parameters for starting a URLRequest.
-  std::unique_ptr<CertNetFetcherImpl::RequestParams> request_params_;
+  std::unique_ptr<CertNetFetcherURLRequest::RequestParams> request_params_;
 
   // The URLRequest response information.
   std::vector<uint8_t> response_body_;
@@ -386,15 +391,16 @@ class Job : public URLRequest::Delegate {
   // also used for notifying a failure to start the URLRequest.
   base::OneShotTimer timer_;
 
-  // Non-owned pointer to the AsyncCertNetFetcherImpl that created this job.
-  CertNetFetcherImpl::AsyncCertNetFetcherImpl* parent_;
+  // Non-owned pointer to the AsyncCertNetFetcherURLRequest that created this
+  // job.
+  CertNetFetcherURLRequest::AsyncCertNetFetcherURLRequest* parent_;
 
   DISALLOW_COPY_AND_ASSIGN(Job);
 };
 
 }  // namespace
 
-void CertNetFetcherImpl::RequestCore::CancelJob() {
+void CertNetFetcherURLRequest::RequestCore::CancelJob() {
   if (!task_runner_->RunsTasksInCurrentSequence()) {
     task_runner_->PostTask(FROM_HERE,
                            base::BindOnce(&RequestCore::CancelJob, this));
@@ -410,7 +416,7 @@ void CertNetFetcherImpl::RequestCore::CancelJob() {
   SignalImmediateError();
 }
 
-void CertNetFetcherImpl::RequestCore::SignalImmediateError() {
+void CertNetFetcherURLRequest::RequestCore::SignalImmediateError() {
   // These data members are normally only written on the network thread, but it
   // is safe to write here from either thread. This is because
   // SignalImmediateError is only to be called before this request is attached
@@ -428,8 +434,9 @@ void CertNetFetcherImpl::RequestCore::SignalImmediateError() {
 
 namespace {
 
-Job::Job(std::unique_ptr<CertNetFetcherImpl::RequestParams> request_params,
-         CertNetFetcherImpl::AsyncCertNetFetcherImpl* parent)
+Job::Job(
+    std::unique_ptr<CertNetFetcherURLRequest::RequestParams> request_params,
+    CertNetFetcherURLRequest::AsyncCertNetFetcherURLRequest* parent)
     : request_params_(std::move(request_params)), parent_(parent) {}
 
 Job::~Job() {
@@ -438,12 +445,12 @@ Job::~Job() {
 }
 
 void Job::AttachRequest(
-    scoped_refptr<CertNetFetcherImpl::RequestCore> request) {
+    scoped_refptr<CertNetFetcherURLRequest::RequestCore> request) {
   request->AttachedToJob(this);
   requests_.push_back(std::move(request));
 }
 
-void Job::DetachRequest(CertNetFetcherImpl::RequestCore* request) {
+void Job::DetachRequest(CertNetFetcherURLRequest::RequestCore* request) {
   std::unique_ptr<Job> delete_this;
 
   auto it = std::find(requests_.begin(), requests_.end(), request);
@@ -465,8 +472,9 @@ void Job::StartURLRequest(URLRequestContext* context) {
 
   // Start the URLRequest.
   read_buffer_ = base::MakeRefCounted<IOBuffer>(kReadBufferSizeInBytes);
-  net::NetworkTrafficAnnotationTag traffic_annotation =
-      net::DefineNetworkTrafficAnnotation("certificate_verifier", R"(
+  NetworkTrafficAnnotationTag traffic_annotation =
+      DefineNetworkTrafficAnnotation("certificate_verifier_url_request",
+                                     R"(
         semantics {
           sender: "Certificate Verifier"
           description:
@@ -479,6 +487,8 @@ void Job::StartURLRequest(URLRequestContext* context) {
             "https://tools.ietf.org/html/rfc6960, "
             "https://tools.ietf.org/html/rfc5280#section-4.2.1.13, and"
             "https://tools.ietf.org/html/rfc5280#section-5.2.7."
+            "NOTE: this path is being deprecated. Please see the"
+            "certificate_verifier_url_loader annotation for the new path."
           trigger:
             "Verifying a certificate (likely in response to navigating to an "
             "'https://' website)."
@@ -486,6 +496,8 @@ void Job::StartURLRequest(URLRequestContext* context) {
             "In the case of OCSP this may divulge the website being viewed. No "
             "user data in other cases."
           destination: OTHER
+          destination_other:
+            "The URL specified in the certificate."
         }
         policy {
           cookies_allowed: NO
@@ -496,6 +508,8 @@ void Job::StartURLRequest(URLRequestContext* context) {
                                         this, traffic_annotation);
   if (request_params_->http_method == HTTP_METHOD_POST)
     url_request_->set_method("POST");
+  url_request_->set_network_isolation_key(
+      request_params_->network_isolation_key);
   url_request_->set_allow_credentials(false);
   url_request_->Start();
 
@@ -624,15 +638,16 @@ void Job::FailRequest(Error error) {
 
 }  // namespace
 
-CertNetFetcherImpl::AsyncCertNetFetcherImpl::AsyncCertNetFetcherImpl(
-    URLRequestContext* context)
+CertNetFetcherURLRequest::AsyncCertNetFetcherURLRequest::
+    AsyncCertNetFetcherURLRequest(URLRequestContext* context)
     : context_(context) {
   // Allow creation to happen from another thread.
-  thread_checker_.DetachFromThread();
+  DETACH_FROM_THREAD(thread_checker_);
 }
 
-CertNetFetcherImpl::AsyncCertNetFetcherImpl::~AsyncCertNetFetcherImpl() {
-  DCHECK(thread_checker_.CalledOnValidThread());
+CertNetFetcherURLRequest::AsyncCertNetFetcherURLRequest::
+    ~AsyncCertNetFetcherURLRequest() {
+  DCHECK_CALLED_ON_VALID_THREAD(thread_checker_);
   jobs_.clear();
 }
 
@@ -640,10 +655,10 @@ bool JobComparator::operator()(const Job* job1, const Job* job2) const {
   return job1->request_params() < job2->request_params();
 }
 
-void CertNetFetcherImpl::AsyncCertNetFetcherImpl::Fetch(
+void CertNetFetcherURLRequest::AsyncCertNetFetcherURLRequest::Fetch(
     std::unique_ptr<RequestParams> request_params,
     scoped_refptr<RequestCore> request) {
-  DCHECK(thread_checker_.CalledOnValidThread());
+  DCHECK_CALLED_ON_VALID_THREAD(thread_checker_);
 
   // If there is an in-progress job that matches the request parameters use it.
   // Otherwise start a new job.
@@ -662,8 +677,8 @@ void CertNetFetcherImpl::AsyncCertNetFetcherImpl::Fetch(
   job->StartURLRequest(context_);
 }
 
-void CertNetFetcherImpl::AsyncCertNetFetcherImpl::Shutdown() {
-  DCHECK(thread_checker_.CalledOnValidThread());
+void CertNetFetcherURLRequest::AsyncCertNetFetcherURLRequest::Shutdown() {
+  DCHECK_CALLED_ON_VALID_THREAD(thread_checker_);
   for (const auto& job : jobs_) {
     job.first->Cancel();
   }
@@ -674,16 +689,16 @@ namespace {
 
 struct JobToRequestParamsComparator {
   bool operator()(const JobSet::value_type& job,
-                  const CertNetFetcherImpl::RequestParams& value) const {
+                  const CertNetFetcherURLRequest::RequestParams& value) const {
     return job.first->request_params() < value;
   }
 };
 
 }  // namespace
 
-Job* CertNetFetcherImpl::AsyncCertNetFetcherImpl::FindJob(
+Job* CertNetFetcherURLRequest::AsyncCertNetFetcherURLRequest::FindJob(
     const RequestParams& params) {
-  DCHECK(thread_checker_.CalledOnValidThread());
+  DCHECK_CALLED_ON_VALID_THREAD(thread_checker_);
 
   // The JobSet is kept in sorted order so items can be found using binary
   // search.
@@ -694,9 +709,9 @@ Job* CertNetFetcherImpl::AsyncCertNetFetcherImpl::FindJob(
   return nullptr;
 }
 
-std::unique_ptr<Job> CertNetFetcherImpl::AsyncCertNetFetcherImpl::RemoveJob(
-    Job* job) {
-  DCHECK(thread_checker_.CalledOnValidThread());
+std::unique_ptr<Job>
+CertNetFetcherURLRequest::AsyncCertNetFetcherURLRequest::RemoveJob(Job* job) {
+  DCHECK_CALLED_ON_VALID_THREAD(thread_checker_);
   auto it = jobs_.find(job);
   CHECK(it != jobs_.end());
   std::unique_ptr<Job> owned_job = std::move(it->second);
@@ -709,7 +724,7 @@ namespace {
 class CertNetFetcherRequestImpl : public CertNetFetcher::Request {
  public:
   explicit CertNetFetcherRequestImpl(
-      scoped_refptr<CertNetFetcherImpl::RequestCore> core)
+      scoped_refptr<CertNetFetcherURLRequest::RequestCore> core)
       : core_(std::move(core)) {
     DCHECK(core_);
   }
@@ -727,31 +742,32 @@ class CertNetFetcherRequestImpl : public CertNetFetcher::Request {
   }
 
  private:
-  scoped_refptr<CertNetFetcherImpl::RequestCore> core_;
+  scoped_refptr<CertNetFetcherURLRequest::RequestCore> core_;
 };
 
 }  // namespace
 
-CertNetFetcherImpl::CertNetFetcherImpl()
+CertNetFetcherURLRequest::CertNetFetcherURLRequest()
     : task_runner_(base::ThreadTaskRunnerHandle::Get()) {}
 
-CertNetFetcherImpl::~CertNetFetcherImpl() {
+CertNetFetcherURLRequest::~CertNetFetcherURLRequest() {
   // The fetcher must be shutdown (at which point |context_| will be set to
   // null) before destruction.
   DCHECK(!context_);
 }
 
-void CertNetFetcherImpl::SetURLRequestContext(URLRequestContext* context) {
+void CertNetFetcherURLRequest::SetURLRequestContext(
+    URLRequestContext* context) {
   DCHECK(task_runner_->RunsTasksInCurrentSequence());
   context_ = context;
 }
 
 // static
-base::TimeDelta CertNetFetcherImpl::GetDefaultTimeoutForTesting() {
+base::TimeDelta CertNetFetcherURLRequest::GetDefaultTimeoutForTesting() {
   return GetTimeout(CertNetFetcher::DEFAULT);
 }
 
-void CertNetFetcherImpl::Shutdown() {
+void CertNetFetcherURLRequest::Shutdown() {
   DCHECK(task_runner_->RunsTasksInCurrentSequence());
   if (impl_) {
     impl_->Shutdown();
@@ -760,14 +776,17 @@ void CertNetFetcherImpl::Shutdown() {
   context_ = nullptr;
 }
 
-std::unique_ptr<CertNetFetcher::Request> CertNetFetcherImpl::FetchCaIssuers(
+std::unique_ptr<CertNetFetcher::Request>
+CertNetFetcherURLRequest::FetchCaIssuers(
     const GURL& url,
+    const NetworkIsolationKey& network_isolation_key,
     int timeout_milliseconds,
     int max_response_bytes) {
   std::unique_ptr<RequestParams> request_params(new RequestParams);
 
   request_params->url = url;
   request_params->http_method = HTTP_METHOD_GET;
+  request_params->network_isolation_key = network_isolation_key;
   request_params->timeout = GetTimeout(timeout_milliseconds);
   request_params->max_response_bytes =
       GetMaxResponseBytes(max_response_bytes, kMaxResponseSizeInBytesForAia);
@@ -775,14 +794,16 @@ std::unique_ptr<CertNetFetcher::Request> CertNetFetcherImpl::FetchCaIssuers(
   return DoFetch(std::move(request_params));
 }
 
-std::unique_ptr<CertNetFetcher::Request> CertNetFetcherImpl::FetchCrl(
+std::unique_ptr<CertNetFetcher::Request> CertNetFetcherURLRequest::FetchCrl(
     const GURL& url,
+    const NetworkIsolationKey& network_isolation_key,
     int timeout_milliseconds,
     int max_response_bytes) {
   std::unique_ptr<RequestParams> request_params(new RequestParams);
 
   request_params->url = url;
   request_params->http_method = HTTP_METHOD_GET;
+  request_params->network_isolation_key = network_isolation_key;
   request_params->timeout = GetTimeout(timeout_milliseconds);
   request_params->max_response_bytes =
       GetMaxResponseBytes(max_response_bytes, kMaxResponseSizeInBytesForCrl);
@@ -790,14 +811,16 @@ std::unique_ptr<CertNetFetcher::Request> CertNetFetcherImpl::FetchCrl(
   return DoFetch(std::move(request_params));
 }
 
-std::unique_ptr<CertNetFetcher::Request> CertNetFetcherImpl::FetchOcsp(
+std::unique_ptr<CertNetFetcher::Request> CertNetFetcherURLRequest::FetchOcsp(
     const GURL& url,
+    const NetworkIsolationKey& network_isolation_key,
     int timeout_milliseconds,
     int max_response_bytes) {
   std::unique_ptr<RequestParams> request_params(new RequestParams);
 
   request_params->url = url;
   request_params->http_method = HTTP_METHOD_GET;
+  request_params->network_isolation_key = network_isolation_key;
   request_params->timeout = GetTimeout(timeout_milliseconds);
   request_params->max_response_bytes =
       GetMaxResponseBytes(max_response_bytes, kMaxResponseSizeInBytesForAia);
@@ -805,7 +828,7 @@ std::unique_ptr<CertNetFetcher::Request> CertNetFetcherImpl::FetchOcsp(
   return DoFetch(std::move(request_params));
 }
 
-void CertNetFetcherImpl::DoFetchOnNetworkSequence(
+void CertNetFetcherURLRequest::DoFetchOnNetworkSequence(
     std::unique_ptr<RequestParams> request_params,
     scoped_refptr<RequestCore> request) {
   DCHECK(task_runner_->RunsTasksInCurrentSequence());
@@ -819,13 +842,14 @@ void CertNetFetcherImpl::DoFetchOnNetworkSequence(
   }
 
   if (!impl_) {
-    impl_.reset(new AsyncCertNetFetcherImpl(context_));
+    impl_.reset(new AsyncCertNetFetcherURLRequest(context_));
   }
 
   impl_->Fetch(std::move(request_params), request);
 }
 
-std::unique_ptr<CertNetFetcherImpl::Request> CertNetFetcherImpl::DoFetch(
+std::unique_ptr<CertNetFetcherURLRequest::Request>
+CertNetFetcherURLRequest::DoFetch(
     std::unique_ptr<RequestParams> request_params) {
   scoped_refptr<RequestCore> request_core = new RequestCore(task_runner_);
 
@@ -835,8 +859,8 @@ std::unique_ptr<CertNetFetcherImpl::Request> CertNetFetcherImpl::DoFetch(
   // then the request will hang (that is, WaitForResult will not return).
   if (!task_runner_->PostTask(
           FROM_HERE,
-          base::BindOnce(&CertNetFetcherImpl::DoFetchOnNetworkSequence, this,
-                         std::move(request_params), request_core))) {
+          base::BindOnce(&CertNetFetcherURLRequest::DoFetchOnNetworkSequence,
+                         this, std::move(request_params), request_core))) {
     request_core->SignalImmediateError();
   }
 
diff --git a/chromium/net/cert_net/cert_net_fetcher_impl.h b/chromium/net/cert_net/cert_net_fetcher_url_request.h
index c4774bea2c4..50dcee17b05 100644
--- a/chromium/net/cert_net/cert_net_fetcher_impl.h
+++ b/chromium/net/cert_net/cert_net_fetcher_url_request.h
@@ -2,8 +2,8 @@
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
-#ifndef NET_CERT_NET_CERT_NET_FETCHER_IMPL_H_
-#define NET_CERT_NET_CERT_NET_FETCHER_IMPL_H_
+#ifndef NET_CERT_NET_CERT_NET_FETCHER_URL_REQUEST_H_
+#define NET_CERT_NET_CERT_NET_FETCHER_URL_REQUEST_H_
 
 #include "base/memory/ref_counted.h"
 #include "net/base/net_export.h"
@@ -22,15 +22,15 @@ class URLRequestContext;
 // CertNetFetcher's Shutdown method is called. The CertNetFetcher is to be
 // created and shutdown on the network thread. Its Fetch methods are to be used
 // on a *different* thread, since it gives a blocking interface to URL fetching.
-class NET_EXPORT CertNetFetcherImpl : public CertNetFetcher {
+class NET_EXPORT CertNetFetcherURLRequest : public CertNetFetcher {
  public:
-  class AsyncCertNetFetcherImpl;
+  class AsyncCertNetFetcherURLRequest;
   class RequestCore;
   struct RequestParams;
 
-  // Creates the CertNetFetcherImpl. SetURLRequestContext must be called before
-  // the fetcher can be used.
-  CertNetFetcherImpl();
+  // Creates the CertNetFetcherURLRequest. SetURLRequestContext must be called
+  // before the fetcher can be used.
+  CertNetFetcherURLRequest();
 
   // Set the URLRequestContext this fetcher should use.
   // |context_| must stay valid until Shutdown() is called.
@@ -41,19 +41,24 @@ class NET_EXPORT CertNetFetcherImpl : public CertNetFetcher {
 
   // CertNetFetcher impl:
   void Shutdown() override;
-  std::unique_ptr<Request> FetchCaIssuers(const GURL& url,
-                                          int timeout_milliseconds,
-                                          int max_response_bytes) override;
-  std::unique_ptr<Request> FetchCrl(const GURL& url,
-                                    int timeout_milliseconds,
-                                    int max_response_bytes) override;
+  std::unique_ptr<Request> FetchCaIssuers(
+      const GURL& url,
+      const NetworkIsolationKey& network_isolation_key,
+      int timeout_milliseconds,
+      int max_response_bytes) override;
+  std::unique_ptr<Request> FetchCrl(
+      const GURL& url,
+      const NetworkIsolationKey& network_isolation_key,
+      int timeout_milliseconds,
+      int max_response_bytes) override;
   WARN_UNUSED_RESULT std::unique_ptr<Request> FetchOcsp(
       const GURL& url,
+      const NetworkIsolationKey& network_isolation_key,
       int timeout_milliseconds,
       int max_response_bytes) override;
 
  private:
-  ~CertNetFetcherImpl() override;
+  ~CertNetFetcherURLRequest() override;
 
   void DoFetchOnNetworkSequence(std::unique_ptr<RequestParams> request_params,
                                 scoped_refptr<RequestCore> request);
@@ -64,9 +69,9 @@ class NET_EXPORT CertNetFetcherImpl : public CertNetFetcher {
   scoped_refptr<base::SingleThreadTaskRunner> task_runner_;
   // Not owned. |context_| must stay valid until Shutdown() is called.
   URLRequestContext* context_ = nullptr;
-  std::unique_ptr<AsyncCertNetFetcherImpl> impl_;
+  std::unique_ptr<AsyncCertNetFetcherURLRequest> impl_;
 };
 
 }  // namespace net
 
-#endif  // NET_CERT_NET_CERT_NET_FETCHER_IMPL_H_
+#endif  // NET_CERT_NET_CERT_NET_FETCHER_URL_REQUEST_H_
diff --git a/chromium/net/cert_net/cert_net_fetcher_impl_unittest.cc b/chromium/net/cert_net/cert_net_fetcher_url_request_unittest.cc
index 52c33f8f8e5..1e990bf154c 100644
--- a/chromium/net/cert_net/cert_net_fetcher_impl_unittest.cc
+++ b/chromium/net/cert_net/cert_net_fetcher_url_request_unittest.cc
@@ -2,7 +2,7 @@
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
-#include "net/cert_net/cert_net_fetcher_impl.h"
+#include "net/cert_net/cert_net_fetcher_url_request.h"
 
 #include <memory>
 #include <string>
@@ -13,12 +13,16 @@
 #include "base/message_loop/message_pump_type.h"
 #include "base/run_loop.h"
 #include "base/synchronization/lock.h"
+#include "base/test/scoped_feature_list.h"
+#include "net/base/features.h"
+#include "net/base/network_isolation_key.h"
 #include "net/cert/cert_net_fetcher.h"
 #include "net/cert/ct_policy_enforcer.h"
 #include "net/cert/mock_cert_verifier.h"
 #include "net/cert/multi_log_ct_verifier.h"
 #include "net/dns/mock_host_resolver.h"
 #include "net/http/http_server_properties.h"
+#include "net/quic/quic_context.h"
 #include "net/test/embedded_test_server/embedded_test_server.h"
 #include "net/test/gtest_util.h"
 #include "net/test/test_with_task_environment.h"
@@ -30,6 +34,7 @@
 #include "testing/gmock/include/gmock/gmock.h"
 #include "testing/gtest/include/gtest/gtest.h"
 #include "testing/platform_test.h"
+#include "url/origin.h"
 
 using net::test::IsOk;
 
@@ -61,6 +66,7 @@ class RequestContext : public URLRequestContext {
         std::make_unique<SSLConfigServiceDefaults>());
     storage_.set_http_server_properties(
         std::make_unique<HttpServerProperties>());
+    storage_.set_quic_context(std::make_unique<QuicContext>());
 
     HttpNetworkSession::Context session_context;
     session_context.host_resolver = host_resolver();
@@ -71,6 +77,7 @@ class RequestContext : public URLRequestContext {
     session_context.proxy_resolution_service = proxy_resolution_service();
     session_context.ssl_config_service = ssl_config_service();
     session_context.http_server_properties = http_server_properties();
+    session_context.quic_context = quic_context();
     storage_.set_http_network_session(std::make_unique<HttpNetworkSession>(
         HttpNetworkSession::Params(), session_context));
     storage_.set_http_transaction_factory(std::make_unique<HttpCache>(
@@ -113,19 +120,19 @@ struct NetworkThreadState {
   RequestContext context;
 };
 
-class CertNetFetcherImplTest : public PlatformTest {
+class CertNetFetcherURLRequestTest : public PlatformTest {
  public:
-  CertNetFetcherImplTest() {
+  CertNetFetcherURLRequestTest() {
     test_server_.AddDefaultHandlers(base::FilePath(kDocRoot));
     StartNetworkThread();
   }
 
-  ~CertNetFetcherImplTest() override {
+  ~CertNetFetcherURLRequestTest() override {
     if (!network_thread_)
       return;
     network_thread_->task_runner()->PostTask(
         FROM_HERE,
-        base::BindOnce(&CertNetFetcherImplTest::TeardownOnNetworkThread,
+        base::BindOnce(&CertNetFetcherURLRequestTest::TeardownOnNetworkThread,
                        base::Unretained(this)));
     network_thread_->Stop();
   }
@@ -134,7 +141,7 @@ class CertNetFetcherImplTest : public PlatformTest {
   CertNetFetcher* fetcher() const { return fetcher_.get(); }
 
   void CreateFetcherOnNetworkThread(base::WaitableEvent* done) {
-    fetcher_ = base::MakeRefCounted<CertNetFetcherImpl>();
+    fetcher_ = base::MakeRefCounted<CertNetFetcherURLRequest>();
     fetcher_->SetURLRequestContext(&state_->context);
     done->Signal();
   }
@@ -144,8 +151,9 @@ class CertNetFetcherImplTest : public PlatformTest {
                              base::WaitableEvent::InitialState::NOT_SIGNALED);
     network_thread_->task_runner()->PostTask(
         FROM_HERE,
-        base::BindOnce(&CertNetFetcherImplTest::CreateFetcherOnNetworkThread,
-                       base::Unretained(this), &done));
+        base::BindOnce(
+            &CertNetFetcherURLRequestTest::CreateFetcherOnNetworkThread,
+            base::Unretained(this), &done));
     done.Wait();
   }
 
@@ -159,8 +167,9 @@ class CertNetFetcherImplTest : public PlatformTest {
                              base::WaitableEvent::InitialState::NOT_SIGNALED);
     network_thread_->task_runner()->PostTask(
         FROM_HERE,
-        base::BindOnce(&CertNetFetcherImplTest::ShutDownFetcherOnNetworkThread,
-                       base::Unretained(this), &done));
+        base::BindOnce(
+            &CertNetFetcherURLRequestTest::ShutDownFetcherOnNetworkThread,
+            base::Unretained(this), &done));
     done.Wait();
   }
 
@@ -169,8 +178,9 @@ class CertNetFetcherImplTest : public PlatformTest {
     base::WaitableEvent done(base::WaitableEvent::ResetPolicy::MANUAL,
                              base::WaitableEvent::InitialState::NOT_SIGNALED);
     network_thread_->task_runner()->PostTask(
-        FROM_HERE, base::BindOnce(&CertNetFetcherImplTest::CountCreatedRequests,
-                                  base::Unretained(this), &count, &done));
+        FROM_HERE,
+        base::BindOnce(&CertNetFetcherURLRequestTest::CountCreatedRequests,
+                       base::Unretained(this), &count, &done));
     done.Wait();
     return count;
   }
@@ -185,8 +195,9 @@ class CertNetFetcherImplTest : public PlatformTest {
     base::WaitableEvent done(base::WaitableEvent::ResetPolicy::MANUAL,
                              base::WaitableEvent::InitialState::NOT_SIGNALED);
     network_thread_->task_runner()->PostTask(
-        FROM_HERE, base::BindOnce(&CertNetFetcherImplTest::InitOnNetworkThread,
-                                  base::Unretained(this), &done));
+        FROM_HERE,
+        base::BindOnce(&CertNetFetcherURLRequestTest::InitOnNetworkThread,
+                       base::Unretained(this), &done));
     done.Wait();
   }
 
@@ -206,7 +217,7 @@ class CertNetFetcherImplTest : public PlatformTest {
                              base::WaitableEvent::InitialState::NOT_SIGNALED);
     network_thread_->task_runner()->PostTask(
         FROM_HERE,
-        base::BindOnce(&CertNetFetcherImplTest::ResetStateOnNetworkThread,
+        base::BindOnce(&CertNetFetcherURLRequestTest::ResetStateOnNetworkThread,
                        base::Unretained(this), &done));
     done.Wait();
   }
@@ -224,14 +235,14 @@ class CertNetFetcherImplTest : public PlatformTest {
 
   EmbeddedTestServer test_server_;
   std::unique_ptr<base::Thread> network_thread_;
-  scoped_refptr<CertNetFetcherImpl> fetcher_;
+  scoped_refptr<CertNetFetcherURLRequest> fetcher_;
 
   std::unique_ptr<NetworkThreadState> state_;
 };
 
 // Installs URLRequestHangingReadJob handlers and clears them on teardown.
-class CertNetFetcherImplTestWithHangingReadHandler
-    : public CertNetFetcherImplTest,
+class CertNetFetcherURLRequestTestWithHangingReadHandler
+    : public CertNetFetcherURLRequestTest,
       public WithTaskEnvironment {
  protected:
   void SetUp() override { URLRequestHangingReadJob::AddUrlHandler(); }
@@ -242,14 +253,16 @@ class CertNetFetcherImplTestWithHangingReadHandler
 // Helper to start an AIA fetch using default parameters.
 WARN_UNUSED_RESULT std::unique_ptr<CertNetFetcher::Request> StartRequest(
     CertNetFetcher* fetcher,
-    const GURL& url) {
-  return fetcher->FetchCaIssuers(url, CertNetFetcher::DEFAULT,
+    const GURL& url,
+    const NetworkIsolationKey& network_isolation_key = NetworkIsolationKey()) {
+  return fetcher->FetchCaIssuers(url, network_isolation_key,
+                                 CertNetFetcher::DEFAULT,
                                  CertNetFetcher::DEFAULT);
 }
 
 // Fetch a few unique URLs using GET in parallel. Each URL has a different body
 // and Content-Type.
-TEST_F(CertNetFetcherImplTest, ParallelFetchNoDuplicates) {
+TEST_F(CertNetFetcherURLRequestTest, ParallelFetchNoDuplicates) {
   ASSERT_TRUE(test_server_.Start());
   CreateFetcher();
 
@@ -280,7 +293,7 @@ TEST_F(CertNetFetcherImplTest, ParallelFetchNoDuplicates) {
 // The extension is .txt and the Content-Type is text/plain. Despite being
 // unusual this succeeds as the extension and Content-Type are not required to
 // be meaningful.
-TEST_F(CertNetFetcherImplTest, ContentTypeDoesntMatter) {
+TEST_F(CertNetFetcherURLRequestTest, ContentTypeDoesntMatter) {
   ASSERT_TRUE(test_server_.Start());
   CreateFetcher();
 
@@ -292,7 +305,7 @@ TEST_F(CertNetFetcherImplTest, ContentTypeDoesntMatter) {
 
 // Fetch a URLs whose HTTP response code is not 200. These are considered
 // failures.
-TEST_F(CertNetFetcherImplTest, HttpStatusCode) {
+TEST_F(CertNetFetcherURLRequestTest, HttpStatusCode) {
   ASSERT_TRUE(test_server_.Start());
   CreateFetcher();
 
@@ -314,7 +327,7 @@ TEST_F(CertNetFetcherImplTest, HttpStatusCode) {
 }
 
 // Fetching a URL with a Content-Disposition header should have no effect.
-TEST_F(CertNetFetcherImplTest, ContentDisposition) {
+TEST_F(CertNetFetcherURLRequestTest, ContentDisposition) {
   ASSERT_TRUE(test_server_.Start());
   CreateFetcher();
 
@@ -324,9 +337,9 @@ TEST_F(CertNetFetcherImplTest, ContentDisposition) {
   VerifySuccess("-downloadable.js-\n", request.get());
 }
 
-// Verifies that a cachable request will be served from the HTTP cache the
+// Verifies that a cacheable request will be served from the HTTP cache the
 // second time it is requested.
-TEST_F(CertNetFetcherImplTest, Cache) {
+TEST_F(CertNetFetcherURLRequestTest, Cache) {
   ASSERT_TRUE(test_server_.Start());
 
   CreateFetcher();
@@ -356,7 +369,7 @@ TEST_F(CertNetFetcherImplTest, Cache) {
 
 // Verify that the maximum response body constraints are enforced by fetching a
 // resource that is larger than the limit.
-TEST_F(CertNetFetcherImplTest, TooLarge) {
+TEST_F(CertNetFetcherURLRequestTest, TooLarge) {
   ASSERT_TRUE(test_server_.Start());
 
   CreateFetcher();
@@ -364,28 +377,28 @@ TEST_F(CertNetFetcherImplTest, TooLarge) {
   // This file has a response body 12 bytes long. So setting the maximum to 11
   // bytes will cause it to fail.
   GURL url(test_server_.GetURL("/certs.p7c"));
-  std::unique_ptr<CertNetFetcher::Request> request =
-      fetcher()->FetchCaIssuers(url, CertNetFetcher::DEFAULT, 11);
+  std::unique_ptr<CertNetFetcher::Request> request = fetcher()->FetchCaIssuers(
+      url, NetworkIsolationKey(), CertNetFetcher::DEFAULT, 11);
 
   VerifyFailure(ERR_FILE_TOO_BIG, request.get());
 }
 
 // Set the timeout to 10 milliseconds, and try fetching a URL that takes 5
 // seconds to complete. It should fail due to a timeout.
-TEST_F(CertNetFetcherImplTest, Hang) {
+TEST_F(CertNetFetcherURLRequestTest, Hang) {
   ASSERT_TRUE(test_server_.Start());
 
   CreateFetcher();
 
   GURL url(test_server_.GetURL("/slow/certs.p7c?5"));
-  std::unique_ptr<CertNetFetcher::Request> request =
-      fetcher()->FetchCaIssuers(url, 10, CertNetFetcher::DEFAULT);
+  std::unique_ptr<CertNetFetcher::Request> request = fetcher()->FetchCaIssuers(
+      url, NetworkIsolationKey(), 10, CertNetFetcher::DEFAULT);
   VerifyFailure(ERR_TIMED_OUT, request.get());
 }
 
 // Verify that if a response is gzip-encoded it gets inflated before being
 // returned to the caller.
-TEST_F(CertNetFetcherImplTest, Gzip) {
+TEST_F(CertNetFetcherURLRequestTest, Gzip) {
   ASSERT_TRUE(test_server_.Start());
 
   CreateFetcher();
@@ -397,7 +410,7 @@ TEST_F(CertNetFetcherImplTest, Gzip) {
 }
 
 // Try fetching an unsupported URL scheme (https).
-TEST_F(CertNetFetcherImplTest, HttpsNotAllowed) {
+TEST_F(CertNetFetcherURLRequestTest, HttpsNotAllowed) {
   ASSERT_TRUE(test_server_.Start());
 
   CreateFetcher();
@@ -412,7 +425,7 @@ TEST_F(CertNetFetcherImplTest, HttpsNotAllowed) {
 }
 
 // Try fetching a URL which redirects to https.
-TEST_F(CertNetFetcherImplTest, RedirectToHttpsNotAllowed) {
+TEST_F(CertNetFetcherURLRequestTest, RedirectToHttpsNotAllowed) {
   ASSERT_TRUE(test_server_.Start());
 
   CreateFetcher();
@@ -428,7 +441,7 @@ TEST_F(CertNetFetcherImplTest, RedirectToHttpsNotAllowed) {
 
 // Try fetching an unsupported URL scheme (https) and then immediately
 // cancelling. This is a bit special because this codepath needs to post a task.
-TEST_F(CertNetFetcherImplTest, CancelHttpsNotAllowed) {
+TEST_F(CertNetFetcherURLRequestTest, CancelHttpsNotAllowed) {
   ASSERT_TRUE(test_server_.Start());
 
   CreateFetcher();
@@ -444,7 +457,7 @@ TEST_F(CertNetFetcherImplTest, CancelHttpsNotAllowed) {
 
 // Start a few requests, and cancel one of them before running the message loop
 // again.
-TEST_F(CertNetFetcherImplTest, CancelBeforeRunningMessageLoop) {
+TEST_F(CertNetFetcherURLRequestTest, CancelBeforeRunningMessageLoop) {
   ASSERT_TRUE(test_server_.Start());
 
   CreateFetcher();
@@ -484,7 +497,7 @@ TEST_F(CertNetFetcherImplTest, CancelBeforeRunningMessageLoop) {
 // requests are given opened sockets in a FIFO order.
 // TODO(eroman): Make this more robust.
 // TODO(eroman): Rename this test.
-TEST_F(CertNetFetcherImplTest, CancelAfterRunningMessageLoop) {
+TEST_F(CertNetFetcherURLRequestTest, CancelAfterRunningMessageLoop) {
   ASSERT_TRUE(test_server_.Start());
 
   CreateFetcher();
@@ -515,7 +528,7 @@ TEST_F(CertNetFetcherImplTest, CancelAfterRunningMessageLoop) {
 
 // Fetch the same URLs in parallel and verify that only 1 request is made per
 // URL.
-TEST_F(CertNetFetcherImplTest, ParallelFetchDuplicates) {
+TEST_F(CertNetFetcherURLRequestTest, ParallelFetchDuplicates) {
   ASSERT_TRUE(test_server_.Start());
 
   CreateFetcher();
@@ -558,7 +571,7 @@ TEST_F(CertNetFetcherImplTest, ParallelFetchDuplicates) {
 }
 
 // Cancel a request and then start another one for the same URL.
-TEST_F(CertNetFetcherImplTest, CancelThenStart) {
+TEST_F(CertNetFetcherURLRequestTest, CancelThenStart) {
   ASSERT_TRUE(test_server_.Start());
 
   CreateFetcher();
@@ -581,7 +594,7 @@ TEST_F(CertNetFetcherImplTest, CancelThenStart) {
 }
 
 // Start duplicate requests and then cancel all of them.
-TEST_F(CertNetFetcherImplTest, CancelAll) {
+TEST_F(CertNetFetcherURLRequestTest, CancelAll) {
   ASSERT_TRUE(test_server_.Start());
 
   CreateFetcher();
@@ -603,7 +616,7 @@ TEST_F(CertNetFetcherImplTest, CancelAll) {
 
 // Tests that Requests are signalled for completion even if they are
 // created after the CertNetFetcher has been shutdown.
-TEST_F(CertNetFetcherImplTest, RequestsAfterShutdown) {
+TEST_F(CertNetFetcherURLRequestTest, RequestsAfterShutdown) {
   ASSERT_TRUE(test_server_.Start());
   CreateFetcher();
   ShutDownFetcher();
@@ -618,7 +631,8 @@ TEST_F(CertNetFetcherImplTest, RequestsAfterShutdown) {
 // Tests that Requests are signalled for completion if the fetcher is
 // shutdown and the network thread stopped before the request is
 // started.
-TEST_F(CertNetFetcherImplTest, RequestAfterShutdownAndNetworkThreadStopped) {
+TEST_F(CertNetFetcherURLRequestTest,
+       RequestAfterShutdownAndNetworkThreadStopped) {
   ASSERT_TRUE(test_server_.Start());
   CreateFetcher();
   ShutDownFetcher();
@@ -631,8 +645,78 @@ TEST_F(CertNetFetcherImplTest, RequestAfterShutdownAndNetworkThreadStopped) {
   VerifyFailure(ERR_ABORTED, request.get());
 }
 
+// Make sure that "duplicate" requests are only merged if their
+// NetworkIsolationKey matches.
+TEST_F(CertNetFetcherURLRequestTest,
+       MergeDuplicatesRespectsNetworkIsolationKey) {
+  const url::Origin kOrigin1 = url::Origin::Create(GURL("https://a.test"));
+  const url::Origin kOrigin2 = url::Origin::Create(GURL("https://b.test"));
+  const NetworkIsolationKey kNetworkIsolationKey1(kOrigin1, kOrigin1);
+  const NetworkIsolationKey kNetworkIsolationKey2(kOrigin2, kOrigin2);
+
+  ASSERT_TRUE(test_server_.Start());
+
+  CreateFetcher();
+
+  GURL url = test_server_.GetURL("/cert.crt");
+
+  std::unique_ptr<CertNetFetcher::Request> request1 =
+      StartRequest(fetcher(), url, kNetworkIsolationKey1);
+
+  std::unique_ptr<CertNetFetcher::Request> request2 =
+      StartRequest(fetcher(), url, kNetworkIsolationKey2);
+
+  std::unique_ptr<CertNetFetcher::Request> request3 =
+      StartRequest(fetcher(), url, kNetworkIsolationKey1);
+
+  VerifySuccess("-cert.crt-\n", request1.get());
+  VerifySuccess("-cert.crt-\n", request2.get());
+  VerifySuccess("-cert.crt-\n", request3.get());
+
+  // Verify that only 2 URLRequests were started even though 3 requests were
+  // issued.
+  EXPECT_EQ(2, NumCreatedRequests());
+}
+
+// Make sure the NetworkIsolationKey is respected.
+TEST_F(CertNetFetcherURLRequestTest, NetworkIsolationKeyPassedToURLLoader) {
+  const url::Origin kOrigin1 = url::Origin::Create(GURL("https://a.test"));
+  const url::Origin kOrigin2 = url::Origin::Create(GURL("https://b.test"));
+  const NetworkIsolationKey kNetworkIsolationKey1(kOrigin1, kOrigin1);
+  const NetworkIsolationKey kNetworkIsolationKey2(kOrigin2, kOrigin2);
+
+  base::test::ScopedFeatureList scoped_feature_list;
+  scoped_feature_list.InitAndEnableFeature(
+      features::kSplitCacheByNetworkIsolationKey);
+
+  CreateFetcher();
+
+  // Start server, fetch a cacheable file using kNetworkIsolationKey1, and stop
+  // the server. The response should be stored in the cache using
+  // kNetworkIsolationKey1.
+  ASSERT_TRUE(test_server_.Start());
+  GURL url = test_server_.GetURL("/cacheable_1hr.crt");
+  std::unique_ptr<CertNetFetcher::Request> request1 =
+      StartRequest(fetcher(), url, kNetworkIsolationKey1);
+  VerifySuccess("-cacheable_1hr.crt-\n", request1.get());
+  ASSERT_TRUE(test_server_.ShutdownAndWaitUntilComplete());
+
+  // Try fetching the resources with kNetworkIsolationKey2. Since the server has
+  // been stopped and the resource is only cached with kNetworkIsolationKey1,
+  // the request should fail.
+  std::unique_ptr<CertNetFetcher::Request> request2 =
+      StartRequest(fetcher(), url, kNetworkIsolationKey2);
+  VerifyFailure(ERR_CONNECTION_REFUSED, request2.get());
+
+  // Fetching with kNetworkIsolationKey1 should return the cached resource.
+  std::unique_ptr<CertNetFetcher::Request> request3 =
+      StartRequest(fetcher(), url, kNetworkIsolationKey1);
+  VerifySuccess("-cacheable_1hr.crt-\n", request3.get());
+}
+
 // Tests that outstanding Requests are cancelled when Shutdown is called.
-TEST_F(CertNetFetcherImplTestWithHangingReadHandler, ShutdownCancelsRequests) {
+TEST_F(CertNetFetcherURLRequestTestWithHangingReadHandler,
+       ShutdownCancelsRequests) {
   CreateFetcher();
 
   GURL url = URLRequestHangingReadJob::GetMockHttpUrl();
diff --git a/chromium/net/cookies/OWNERS b/chromium/net/cookies/OWNERS
index fb0dd2d56c8..9b5ffc36540 100644
--- a/chromium/net/cookies/OWNERS
+++ b/chromium/net/cookies/OWNERS
@@ -1,3 +1,4 @@
+chlily@chromium.org
 estark@chromium.org
 mkwst@chromium.org
 mmenke@chromium.org
diff --git a/chromium/net/cookies/canonical_cookie.cc b/chromium/net/cookies/canonical_cookie.cc
index c49e50d9c16..b9743cc9a89 100644
--- a/chromium/net/cookies/canonical_cookie.cc
+++ b/chromium/net/cookies/canonical_cookie.cc
@@ -133,6 +133,9 @@ void ApplySameSiteCookieWarningToStatus(
     status->set_warning(
         CanonicalCookie::CookieInclusionStatus::WARN_SAMESITE_NONE_INSECURE);
   }
+  // If there are reasons to exclude the cookie other than the new SameSite
+  // rules, don't warn about the cookie at all.
+  status->MaybeClearSameSiteWarning();
 }
 
 }  // namespace
@@ -142,7 +145,8 @@ CanonicalCookie::CanonicalCookie()
     : secure_(false),
       httponly_(false),
       same_site_(CookieSameSite::NO_RESTRICTION),
-      priority_(COOKIE_PRIORITY_MEDIUM) {}
+      priority_(COOKIE_PRIORITY_MEDIUM),
+      source_scheme_(CookieSourceScheme::kUnset) {}
 
 CanonicalCookie::CanonicalCookie(const CanonicalCookie& other) = default;
 
@@ -156,7 +160,8 @@ CanonicalCookie::CanonicalCookie(const std::string& name,
                                  bool secure,
                                  bool httponly,
                                  CookieSameSite same_site,
-                                 CookiePriority priority)
+                                 CookiePriority priority,
+                                 CookieSourceScheme scheme_secure)
     : name_(name),
       value_(value),
       domain_(domain),
@@ -167,7 +172,8 @@ CanonicalCookie::CanonicalCookie(const std::string& name,
       secure_(secure),
       httponly_(httponly),
       same_site_(same_site),
-      priority_(priority) {}
+      priority_(priority),
+      source_scheme_(scheme_secure) {}
 
 CanonicalCookie::~CanonicalCookie() = default;
 
@@ -293,11 +299,15 @@ std::unique_ptr<CanonicalCookie> CanonicalCookie::Create(
   CookieSameSiteString samesite_string = CookieSameSiteString::kUnspecified;
   CookieSameSite samesite = parsed_cookie.SameSite(&samesite_string);
   RecordCookieSameSiteAttributeValueHistogram(samesite_string);
+  CookieSourceScheme source_scheme = url.SchemeIsCryptographic()
+                                         ? CookieSourceScheme::kSecure
+                                         : CookieSourceScheme::kNonSecure;
 
   std::unique_ptr<CanonicalCookie> cc(std::make_unique<CanonicalCookie>(
       parsed_cookie.Name(), parsed_cookie.Value(), cookie_domain, cookie_path,
       creation_time, cookie_expires, creation_time, parsed_cookie.IsSecure(),
-      parsed_cookie.IsHttpOnly(), samesite, parsed_cookie.Priority()));
+      parsed_cookie.IsHttpOnly(), samesite, parsed_cookie.Priority(),
+      source_scheme));
 
   DCHECK(cc->IsCanonical());
 
@@ -306,6 +316,7 @@ std::unique_ptr<CanonicalCookie> CanonicalCookie::Create(
 }
 
 // static
+// TODO(crbug.com/957184): This should ideally return a CookieInclusionStatus.
 std::unique_ptr<CanonicalCookie> CanonicalCookie::CreateSanitizedCookie(
     const GURL& url,
     const std::string& name,
@@ -338,7 +349,11 @@ std::unique_ptr<CanonicalCookie> CanonicalCookie::CreateSanitizedCookie(
   if (!cookie_util::GetCookieDomainWithString(url, domain, &cookie_domain))
     return nullptr;
 
-  if (secure && !url.SchemeIsCryptographic())
+  CookieSourceScheme source_scheme = url.SchemeIsCryptographic()
+                                         ? CookieSourceScheme::kSecure
+                                         : CookieSourceScheme::kNonSecure;
+
+  if (secure && source_scheme == CookieSourceScheme::kNonSecure)
     return nullptr;
 
   std::string cookie_path = CanonicalCookie::CanonPathWithString(url, path);
@@ -364,7 +379,7 @@ std::unique_ptr<CanonicalCookie> CanonicalCookie::CreateSanitizedCookie(
 
   std::unique_ptr<CanonicalCookie> cc(std::make_unique<CanonicalCookie>(
       name, value, cookie_domain, cookie_path, creation_time, expiration_time,
-      last_access_time, secure, http_only, same_site, priority));
+      last_access_time, secure, http_only, same_site, priority, source_scheme));
   DCHECK(cc->IsCanonical());
 
   return cc;
@@ -542,10 +557,34 @@ CanonicalCookie::CookieInclusionStatus CanonicalCookie::IsSetPermittedInContext(
     const CookieOptions& options,
     CookieAccessSemantics access_semantics) const {
   CookieInclusionStatus status;
+  IsSetPermittedInContext(options, access_semantics, &status);
+  return status;
+}
+
+void CanonicalCookie::IsSetPermittedInContext(
+    const CookieOptions& options,
+    CookieAccessSemantics access_semantics,
+    CookieInclusionStatus* status) const {
   if (options.exclude_httponly() && IsHttpOnly()) {
     DVLOG(net::cookie_util::kVlogSetCookies)
         << "HttpOnly cookie not permitted in script context.";
-    status.AddExclusionReason(CookieInclusionStatus::EXCLUDE_HTTP_ONLY);
+    status->AddExclusionReason(CookieInclusionStatus::EXCLUDE_HTTP_ONLY);
+  }
+
+  // If both SameSiteByDefaultCookies and CookiesWithoutSameSiteMustBeSecure
+  // are enabled, non-SameSite cookies without the Secure attribute will be
+  // rejected.
+  if (access_semantics != CookieAccessSemantics::LEGACY &&
+      cookie_util::IsCookiesWithoutSameSiteMustBeSecureEnabled() &&
+      SameSite() == CookieSameSite::NO_RESTRICTION && !IsSecure()) {
+    DVLOG(net::cookie_util::kVlogSetCookies)
+        << "SetCookie() rejecting insecure cookie with SameSite=None.";
+    status->AddExclusionReason(
+        CanonicalCookie::CookieInclusionStatus::EXCLUDE_SAMESITE_NONE_INSECURE);
+  }
+  // Log whether a SameSite=None cookie is Secure or not.
+  if (SameSite() == CookieSameSite::NO_RESTRICTION) {
+    UMA_HISTOGRAM_BOOLEAN("Cookie.SameSiteNoneIsSecure", IsSecure());
   }
 
   CookieEffectiveSameSite effective_same_site =
@@ -560,7 +599,7 @@ CanonicalCookie::CookieInclusionStatus CanonicalCookie::IsSetPermittedInContext(
         DVLOG(net::cookie_util::kVlogSetCookies)
             << "Trying to set a `SameSite=Strict` cookie from a "
                "cross-site URL.";
-        status.AddExclusionReason(
+        status->AddExclusionReason(
             CookieInclusionStatus::EXCLUDE_SAMESITE_STRICT);
       }
       break;
@@ -572,13 +611,13 @@ CanonicalCookie::CookieInclusionStatus CanonicalCookie::IsSetPermittedInContext(
           DVLOG(net::cookie_util::kVlogSetCookies)
               << "Cookies with no known SameSite attribute being treated as "
                  "lax; attempt to set from a cross-site URL denied.";
-          status.AddExclusionReason(
+          status->AddExclusionReason(
               CookieInclusionStatus::
                   EXCLUDE_SAMESITE_UNSPECIFIED_TREATED_AS_LAX);
         } else {
           DVLOG(net::cookie_util::kVlogSetCookies)
               << "Trying to set a `SameSite=Lax` cookie from a cross-site URL.";
-          status.AddExclusionReason(
+          status->AddExclusionReason(
               CookieInclusionStatus::EXCLUDE_SAMESITE_LAX);
         }
       }
@@ -589,9 +628,9 @@ CanonicalCookie::CookieInclusionStatus CanonicalCookie::IsSetPermittedInContext(
 
   ApplySameSiteCookieWarningToStatus(
       SameSite(), effective_same_site, IsSecure(),
-      options.same_site_cookie_context(), &status);
+      options.same_site_cookie_context(), status);
 
-  if (status.IsInclude()) {
+  if (status->IsInclude()) {
     UMA_HISTOGRAM_ENUMERATION("Cookie.IncludedResponseEffectiveSameSite",
                               effective_same_site,
                               CookieEffectiveSameSite::COUNT);
@@ -608,7 +647,6 @@ CanonicalCookie::CookieInclusionStatus CanonicalCookie::IsSetPermittedInContext(
   }
 
   // TODO(chlily): Log metrics.
-  return status;
 }
 
 std::string CanonicalCookie::DebugString() const {
@@ -755,9 +793,13 @@ bool CanonicalCookie::IsCookiePrefixValid(CanonicalCookie::CookiePrefix prefix,
 CookieEffectiveSameSite CanonicalCookie::GetEffectiveSameSite(
     CookieAccessSemantics access_semantics) const {
   base::TimeDelta lax_allow_unsafe_threshold_age =
-      base::FeatureList::IsEnabled(features::kShortLaxAllowUnsafeThreshold)
-          ? kShortLaxAllowUnsafeMaxAge
-          : kLaxAllowUnsafeMaxAge;
+      base::FeatureList::IsEnabled(
+          features::kSameSiteDefaultChecksMethodRigorously)
+          ? base::TimeDelta::Min()
+          : (base::FeatureList::IsEnabled(
+                 features::kShortLaxAllowUnsafeThreshold)
+                 ? kShortLaxAllowUnsafeMaxAge
+                 : kLaxAllowUnsafeMaxAge);
 
   bool should_apply_same_site_lax_by_default =
       cookie_util::IsSameSiteByDefaultCookiesEnabled();
@@ -783,9 +825,6 @@ CookieEffectiveSameSite CanonicalCookie::GetEffectiveSameSite(
       return CookieEffectiveSameSite::LAX_MODE;
     case CookieSameSite::STRICT_MODE:
       return CookieEffectiveSameSite::STRICT_MODE;
-    // TODO(crbug.com/989171): Replace this with FirstParty{Lax,Strict}.
-    case CookieSameSite::EXTENDED_MODE:
-      return CookieEffectiveSameSite::LAX_MODE;
   }
 }
 
@@ -830,13 +869,9 @@ bool CanonicalCookie::CookieInclusionStatus::HasExclusionReason(
 void CanonicalCookie::CookieInclusionStatus::AddExclusionReason(
     ExclusionReason reason) {
   exclusion_reasons_ |= GetBitmask(reason);
-}
-
-void CanonicalCookie::CookieInclusionStatus::AddExclusionReasonsAndWarningIfAny(
-    const CookieInclusionStatus& other) {
-  exclusion_reasons_ |= other.exclusion_reasons_;
-  if (other.warning_ != DO_NOT_WARN)
-    warning_ = other.warning_;
+  // If the cookie would be excluded for reasons other than the new SameSite
+  // rules, don't bother warning about it.
+  MaybeClearSameSiteWarning();
 }
 
 void CanonicalCookie::CookieInclusionStatus::RemoveExclusionReason(
@@ -844,6 +879,14 @@ void CanonicalCookie::CookieInclusionStatus::RemoveExclusionReason(
   exclusion_reasons_ &= ~(GetBitmask(reason));
 }
 
+void CanonicalCookie::CookieInclusionStatus::MaybeClearSameSiteWarning() {
+  uint32_t samesite_reasons_mask =
+      GetBitmask(EXCLUDE_SAMESITE_UNSPECIFIED_TREATED_AS_LAX) |
+      GetBitmask(EXCLUDE_SAMESITE_NONE_INSECURE);
+  if (exclusion_reasons_ & ~samesite_reasons_mask)
+    set_warning(DO_NOT_WARN);
+}
+
 bool CanonicalCookie::CookieInclusionStatus::ShouldWarn() const {
   return warning_ != DO_NOT_WARN;
 }
@@ -868,8 +911,6 @@ std::string CanonicalCookie::CookieInclusionStatus::GetDebugString() const {
     base::StrAppend(&out, {"EXCLUDE_SAMESITE_STRICT, "});
   if (HasExclusionReason(EXCLUDE_SAMESITE_LAX))
     base::StrAppend(&out, {"EXCLUDE_SAMESITE_LAX, "});
-  if (HasExclusionReason(EXCLUDE_SAMESITE_EXTENDED))
-    base::StrAppend(&out, {"EXCLUDE_SAMESITE_EXTENDED, "});
   if (HasExclusionReason(EXCLUDE_SAMESITE_UNSPECIFIED_TREATED_AS_LAX))
     base::StrAppend(&out, {"EXCLUDE_SAMESITE_UNSPECIFIED_TREATED_AS_LAX, "});
   if (HasExclusionReason(EXCLUDE_SAMESITE_NONE_INSECURE))
diff --git a/chromium/net/cookies/canonical_cookie.h b/chromium/net/cookies/canonical_cookie.h
index 3385122c640..a29d1887e0f 100644
--- a/chromium/net/cookies/canonical_cookie.h
+++ b/chromium/net/cookies/canonical_cookie.h
@@ -34,6 +34,7 @@ using CookieAndLineStatusList = std::vector<CookieAndLineWithStatus>;
 class NET_EXPORT CanonicalCookie {
  public:
   class CookieInclusionStatus;
+  using UniqueCookieKey = std::tuple<std::string, std::string, std::string>;
 
   CanonicalCookie();
   CanonicalCookie(const CanonicalCookie& other);
@@ -44,17 +45,19 @@ class NET_EXPORT CanonicalCookie {
   // themselves.
   // NOTE: Prefer using CreateSanitizedCookie() over directly using this
   // constructor.
-  CanonicalCookie(const std::string& name,
-                  const std::string& value,
-                  const std::string& domain,
-                  const std::string& path,
-                  const base::Time& creation,
-                  const base::Time& expiration,
-                  const base::Time& last_access,
-                  bool secure,
-                  bool httponly,
-                  CookieSameSite same_site,
-                  CookiePriority priority);
+  CanonicalCookie(
+      const std::string& name,
+      const std::string& value,
+      const std::string& domain,
+      const std::string& path,
+      const base::Time& creation,
+      const base::Time& expiration,
+      const base::Time& last_access,
+      bool secure,
+      bool httponly,
+      CookieSameSite same_site,
+      CookiePriority priority,
+      CookieSourceScheme scheme_secure = CookieSourceScheme::kUnset);
 
   ~CanonicalCookie();
 
@@ -113,6 +116,10 @@ class NET_EXPORT CanonicalCookie {
   bool IsHttpOnly() const { return httponly_; }
   CookieSameSite SameSite() const { return same_site_; }
   CookiePriority Priority() const { return priority_; }
+  // Returns an enum indicating the source scheme that set this cookie. This is
+  // not part of the cookie spec but is being used to collect metrics for a
+  // potential change to the cookie spec.
+  CookieSourceScheme SourceScheme() const { return source_scheme_; }
   bool IsDomainCookie() const {
     return !domain_.empty() && domain_[0] == '.'; }
   bool IsHostCookie() const { return !IsDomainCookie(); }
@@ -137,7 +144,7 @@ class NET_EXPORT CanonicalCookie {
 
   // Returns a key such that two cookies with the same UniqueKey() are
   // guaranteed to be equivalent in the sense of IsEquivalent().
-  std::tuple<std::string, std::string, std::string> UniqueKey() const {
+  UniqueCookieKey UniqueKey() const {
     return std::make_tuple(name_, domain_, path_);
   }
 
@@ -155,6 +162,9 @@ class NET_EXPORT CanonicalCookie {
   // '/login' and '/' do not match '/login/en').
   bool IsEquivalentForSecureCookieMatching(const CanonicalCookie& ecc) const;
 
+  void SetSourceScheme(CookieSourceScheme source_scheme) {
+    source_scheme_ = source_scheme;
+  }
   void SetLastAccessDate(const base::Time& date) {
     last_access_date_ = date;
   }
@@ -188,6 +198,11 @@ class NET_EXPORT CanonicalCookie {
       CookieAccessSemantics access_semantics =
           CookieAccessSemantics::UNKNOWN) const;
 
+  // Overload that updates an existing |status| rather than returning a new one.
+  void IsSetPermittedInContext(const CookieOptions& options,
+                               CookieAccessSemantics access_semantics,
+                               CookieInclusionStatus* status) const;
+
   std::string DebugString() const;
 
   static std::string CanonPathWithString(const GURL& url,
@@ -297,6 +312,7 @@ class NET_EXPORT CanonicalCookie {
   bool httponly_;
   CookieSameSite same_site_;
   CookiePriority priority_;
+  CookieSourceScheme source_scheme_;
 };
 
 // This class represents if a cookie was included or excluded in a cookie get or
@@ -319,25 +335,23 @@ class NET_EXPORT CanonicalCookie::CookieInclusionStatus {
     EXCLUDE_NOT_ON_PATH = 4,
     EXCLUDE_SAMESITE_STRICT = 5,
     EXCLUDE_SAMESITE_LAX = 6,
-    // TODO(crbug.com/989171): Replace this with FirstPartyLax and
-    // FirstPartyStrict.
-    EXCLUDE_SAMESITE_EXTENDED = 7,
+
     // The following two are used for the SameSiteByDefaultCookies experiment,
     // where if the SameSite attribute is not specified, it will be treated as
     // SameSite=Lax by default.
-    EXCLUDE_SAMESITE_UNSPECIFIED_TREATED_AS_LAX = 8,
+    EXCLUDE_SAMESITE_UNSPECIFIED_TREATED_AS_LAX = 7,
     // This is used if SameSite=None is specified, but the cookie is not
     // Secure.
-    EXCLUDE_SAMESITE_NONE_INSECURE = 9,
-    EXCLUDE_USER_PREFERENCES = 10,
+    EXCLUDE_SAMESITE_NONE_INSECURE = 8,
+    EXCLUDE_USER_PREFERENCES = 9,
 
     // Statuses specific to setting cookies
-    EXCLUDE_FAILURE_TO_STORE = 11,
-    EXCLUDE_NONCOOKIEABLE_SCHEME = 12,
-    EXCLUDE_OVERWRITE_SECURE = 13,
-    EXCLUDE_OVERWRITE_HTTP_ONLY = 14,
-    EXCLUDE_INVALID_DOMAIN = 15,
-    EXCLUDE_INVALID_PREFIX = 16,
+    EXCLUDE_FAILURE_TO_STORE = 10,
+    EXCLUDE_NONCOOKIEABLE_SCHEME = 11,
+    EXCLUDE_OVERWRITE_SECURE = 12,
+    EXCLUDE_OVERWRITE_HTTP_ONLY = 13,
+    EXCLUDE_INVALID_DOMAIN = 14,
+    EXCLUDE_INVALID_PREFIX = 15,
 
     // This should be kept last.
     NUM_EXCLUSION_REASONS
@@ -379,14 +393,14 @@ class NET_EXPORT CanonicalCookie::CookieInclusionStatus {
   // Add an exclusion reason.
   void AddExclusionReason(ExclusionReason status_type);
 
-  // Add all the exclusion reasons given in |other|. If there is a warning in
-  // |other| (other than DO_NOT_WARN), also apply that. This could overwrite the
-  // existing warning, so set the most important warnings last.
-  void AddExclusionReasonsAndWarningIfAny(const CookieInclusionStatus& other);
-
   // Remove an exclusion reason.
   void RemoveExclusionReason(ExclusionReason reason);
 
+  // If the cookie would have been excluded for reasons other than
+  // SAMESITE_UNSPECIFIED_TREATED_AS_LAX or SAMESITE_NONE_INSECURE, don't bother
+  // warning about it (clear the warning).
+  void MaybeClearSameSiteWarning();
+
   // Whether the cookie should be warned about.
   bool ShouldWarn() const;
 
diff --git a/chromium/net/cookies/canonical_cookie_fuzzer.cc b/chromium/net/cookies/canonical_cookie_fuzzer.cc
index 23a84af76c5..9aecd883fb4 100644
--- a/chromium/net/cookies/canonical_cookie_fuzzer.cc
+++ b/chromium/net/cookies/canonical_cookie_fuzzer.cc
@@ -44,7 +44,6 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
           CookieSameSite::NO_RESTRICTION,
           CookieSameSite::LAX_MODE,
           CookieSameSite::STRICT_MODE,
-          CookieSameSite::EXTENDED_MODE,
       });
 
   const CookiePriority priority =
diff --git a/chromium/net/cookies/canonical_cookie_unittest.cc b/chromium/net/cookies/canonical_cookie_unittest.cc
index f62943413d4..e560dd46087 100644
--- a/chromium/net/cookies/canonical_cookie_unittest.cc
+++ b/chromium/net/cookies/canonical_cookie_unittest.cc
@@ -37,7 +37,7 @@ TEST(CanonicalCookieTest, Constructor) {
   std::unique_ptr<CanonicalCookie> cookie1(std::make_unique<CanonicalCookie>(
       "A", "2", "www.example.com", "/test", current_time, base::Time(),
       base::Time(), false, false, CookieSameSite::NO_RESTRICTION,
-      COOKIE_PRIORITY_DEFAULT));
+      COOKIE_PRIORITY_DEFAULT, CookieSourceScheme::kSecure));
   EXPECT_EQ("A", cookie1->Name());
   EXPECT_EQ("2", cookie1->Value());
   EXPECT_EQ("www.example.com", cookie1->Domain());
@@ -45,11 +45,12 @@ TEST(CanonicalCookieTest, Constructor) {
   EXPECT_FALSE(cookie1->IsSecure());
   EXPECT_FALSE(cookie1->IsHttpOnly());
   EXPECT_EQ(CookieSameSite::NO_RESTRICTION, cookie1->SameSite());
+  EXPECT_EQ(cookie1->SourceScheme(), CookieSourceScheme::kSecure);
 
   std::unique_ptr<CanonicalCookie> cookie2(std::make_unique<CanonicalCookie>(
       "A", "2", ".www.example.com", "/", current_time, base::Time(),
       base::Time(), false, false, CookieSameSite::NO_RESTRICTION,
-      COOKIE_PRIORITY_DEFAULT));
+      COOKIE_PRIORITY_DEFAULT, CookieSourceScheme::kNonSecure));
   EXPECT_EQ("A", cookie2->Name());
   EXPECT_EQ("2", cookie2->Value());
   EXPECT_EQ(".www.example.com", cookie2->Domain());
@@ -57,18 +58,27 @@ TEST(CanonicalCookieTest, Constructor) {
   EXPECT_FALSE(cookie2->IsSecure());
   EXPECT_FALSE(cookie2->IsHttpOnly());
   EXPECT_EQ(CookieSameSite::NO_RESTRICTION, cookie2->SameSite());
+  EXPECT_EQ(cookie2->SourceScheme(), CookieSourceScheme::kNonSecure);
 
-  auto cookie = std::make_unique<CanonicalCookie>(
+  // Set Secure to true but don't specify is_source_scheme_secure
+  auto cookie3 = std::make_unique<CanonicalCookie>(
+      "A", "2", ".www.example.com", "/", current_time, base::Time(),
+      base::Time(), true /* secure */, false, CookieSameSite::NO_RESTRICTION,
+      COOKIE_PRIORITY_DEFAULT);
+  EXPECT_TRUE(cookie3->IsSecure());
+  EXPECT_EQ(cookie3->SourceScheme(), CookieSourceScheme::kUnset);
+
+  auto cookie4 = std::make_unique<CanonicalCookie>(
       "A", "2", ".www.example.com", "/test", current_time, base::Time(),
       base::Time(), false, false, CookieSameSite::NO_RESTRICTION,
       COOKIE_PRIORITY_DEFAULT);
-  EXPECT_EQ("A", cookie->Name());
-  EXPECT_EQ("2", cookie->Value());
-  EXPECT_EQ(".www.example.com", cookie->Domain());
-  EXPECT_EQ("/test", cookie->Path());
-  EXPECT_FALSE(cookie->IsSecure());
-  EXPECT_FALSE(cookie->IsHttpOnly());
-  EXPECT_EQ(CookieSameSite::NO_RESTRICTION, cookie->SameSite());
+  EXPECT_EQ("A", cookie4->Name());
+  EXPECT_EQ("2", cookie4->Value());
+  EXPECT_EQ(".www.example.com", cookie4->Domain());
+  EXPECT_EQ("/test", cookie4->Path());
+  EXPECT_FALSE(cookie4->IsSecure());
+  EXPECT_FALSE(cookie4->IsHttpOnly());
+  EXPECT_EQ(CookieSameSite::NO_RESTRICTION, cookie4->SameSite());
 }
 
 TEST(CanonicalCookie, CreationCornerCases) {
@@ -102,6 +112,7 @@ TEST(CanonicalCookieTest, Create) {
   EXPECT_EQ("www.example.com", cookie->Domain());
   EXPECT_EQ("/test", cookie->Path());
   EXPECT_FALSE(cookie->IsSecure());
+  EXPECT_EQ(cookie->SourceScheme(), CookieSourceScheme::kNonSecure);
 
   GURL url2("http://www.foo.com");
   cookie = CanonicalCookie::Create(url2, "B=1", creation_time, server_time);
@@ -110,6 +121,7 @@ TEST(CanonicalCookieTest, Create) {
   EXPECT_EQ("www.foo.com", cookie->Domain());
   EXPECT_EQ("/", cookie->Path());
   EXPECT_FALSE(cookie->IsSecure());
+  EXPECT_EQ(cookie->SourceScheme(), CookieSourceScheme::kNonSecure);
 
   // Test creating secure cookies. Secure scheme is not checked upon creation,
   // so a URL of any scheme can create a Secure cookie.
@@ -122,6 +134,17 @@ TEST(CanonicalCookieTest, Create) {
                                    server_time, &status);
   EXPECT_TRUE(cookie->IsSecure());
 
+  GURL url3("https://www.foo.com");
+  cookie = CanonicalCookie::Create(url3, "A=2; Secure", creation_time,
+                                   server_time, &status);
+  EXPECT_TRUE(cookie->IsSecure());
+  EXPECT_EQ(cookie->SourceScheme(), CookieSourceScheme::kSecure);
+
+  cookie =
+      CanonicalCookie::Create(url3, "A=2", creation_time, server_time, &status);
+  EXPECT_FALSE(cookie->IsSecure());
+  EXPECT_EQ(cookie->SourceScheme(), CookieSourceScheme::kSecure);
+
   // Test creating http only cookies. HttpOnly is not checked upon creation.
   cookie = CanonicalCookie::Create(url, "A=2; HttpOnly", creation_time,
                                    server_time, &status);
@@ -143,7 +166,7 @@ TEST(CanonicalCookieTest, Create) {
   cookie = CanonicalCookie::Create(url, "A=2; SameSite=Extended", creation_time,
                                    server_time);
   ASSERT_TRUE(cookie.get());
-  EXPECT_EQ(CookieSameSite::EXTENDED_MODE, cookie->SameSite());
+  EXPECT_EQ(CookieSameSite::UNSPECIFIED, cookie->SameSite());
   cookie = CanonicalCookie::Create(url, "A=2; SameSite=None", creation_time,
                                    server_time);
   ASSERT_TRUE(cookie.get());
@@ -479,24 +502,18 @@ TEST(CanonicalCookieTest, GetEffectiveSameSite) {
        CookieAccessSemantics::UNKNOWN},
       {CookieSameSite::STRICT_MODE, CookieEffectiveSameSite::STRICT_MODE,
        CookieAccessSemantics::UNKNOWN},
-      {CookieSameSite::EXTENDED_MODE, CookieEffectiveSameSite::LAX_MODE,
-       CookieAccessSemantics::UNKNOWN},
       {CookieSameSite::NO_RESTRICTION, CookieEffectiveSameSite::NO_RESTRICTION,
        CookieAccessSemantics::LEGACY},
       {CookieSameSite::LAX_MODE, CookieEffectiveSameSite::LAX_MODE,
        CookieAccessSemantics::LEGACY},
       {CookieSameSite::STRICT_MODE, CookieEffectiveSameSite::STRICT_MODE,
        CookieAccessSemantics::LEGACY},
-      {CookieSameSite::EXTENDED_MODE, CookieEffectiveSameSite::LAX_MODE,
-       CookieAccessSemantics::LEGACY},
       {CookieSameSite::NO_RESTRICTION, CookieEffectiveSameSite::NO_RESTRICTION,
        CookieAccessSemantics::NONLEGACY},
       {CookieSameSite::LAX_MODE, CookieEffectiveSameSite::LAX_MODE,
        CookieAccessSemantics::NONLEGACY},
       {CookieSameSite::STRICT_MODE, CookieEffectiveSameSite::STRICT_MODE,
        CookieAccessSemantics::NONLEGACY},
-      {CookieSameSite::EXTENDED_MODE, CookieEffectiveSameSite::LAX_MODE,
-       CookieAccessSemantics::NONLEGACY},
       // UNSPECIFIED always maps to NO_RESTRICTION if LEGACY access semantics.
       {CookieSameSite::UNSPECIFIED, CookieEffectiveSameSite::NO_RESTRICTION,
        CookieAccessSemantics::LEGACY}};
@@ -583,7 +600,7 @@ TEST(CanonicalCookieTest, GetEffectiveSameSite) {
 TEST(CanonicalCookieTest, IncludeForRequestURL) {
   GURL url("http://www.example.com");
   base::Time creation_time = base::Time::Now();
-  CookieOptions options;
+  CookieOptions options = CookieOptions::MakeAllInclusive();
   base::Optional<base::Time> server_time = base::nullopt;
 
   std::unique_ptr<CanonicalCookie> cookie(
@@ -2295,11 +2312,31 @@ TEST(CookieInclusionStatusTest, NotValid) {
 
 TEST(CookieInclusionStatusTest, AddExclusionReason) {
   CanonicalCookie::CookieInclusionStatus status;
+  status.set_warning(CanonicalCookie::CookieInclusionStatus::
+                         WARN_SAMESITE_UNSPECIFIED_LAX_ALLOW_UNSAFE);
   status.AddExclusionReason(
       CanonicalCookie::CookieInclusionStatus::EXCLUDE_UNKNOWN_ERROR);
   EXPECT_TRUE(status.IsValid());
   EXPECT_TRUE(status.HasExactlyExclusionReasonsForTesting(
       {CanonicalCookie::CookieInclusionStatus::EXCLUDE_UNKNOWN_ERROR}));
+  // Adding an exclusion reason other than
+  // EXCLUDE_SAMESITE_UNSPECIFIED_TREATED_AS_LAX or
+  // EXCLUDE_SAMESITE_NONE_INSECURE should clear any SameSite warning.
+  EXPECT_EQ(CanonicalCookie::CookieInclusionStatus::DO_NOT_WARN,
+            status.warning());
+
+  status = CanonicalCookie::CookieInclusionStatus();
+  status.set_warning(CanonicalCookie::CookieInclusionStatus::
+                         WARN_SAMESITE_UNSPECIFIED_CROSS_SITE_CONTEXT);
+  status.AddExclusionReason(CanonicalCookie::CookieInclusionStatus::
+                                EXCLUDE_SAMESITE_UNSPECIFIED_TREATED_AS_LAX);
+  EXPECT_TRUE(status.IsValid());
+  EXPECT_TRUE(status.HasExactlyExclusionReasonsForTesting(
+      {CanonicalCookie::CookieInclusionStatus::
+           EXCLUDE_SAMESITE_UNSPECIFIED_TREATED_AS_LAX}));
+  EXPECT_EQ(CanonicalCookie::CookieInclusionStatus::
+                WARN_SAMESITE_UNSPECIFIED_CROSS_SITE_CONTEXT,
+            status.warning());
 }
 
 TEST(CookieInclusionStatusTest, RemoveExclusionReason) {
@@ -2325,20 +2362,4 @@ TEST(CookieInclusionStatusTest, RemoveExclusionReason) {
       CanonicalCookie::CookieInclusionStatus::NUM_EXCLUSION_REASONS));
 }
 
-TEST(CookieInclusionStatusTest, AddExclusionReasonsAndWarningIfAny) {
-  CanonicalCookie::CookieInclusionStatus status1;
-  CanonicalCookie::CookieInclusionStatus status2;
-
-  status1.set_exclusion_reasons(0b00011111u);
-  status2.set_exclusion_reasons(0b11111000u);
-  status2.set_warning(
-      CanonicalCookie::CookieInclusionStatus::WARN_SAMESITE_NONE_INSECURE);
-
-  status1.AddExclusionReasonsAndWarningIfAny(status2);
-
-  EXPECT_EQ(0b11111111u, status1.exclusion_reasons());
-  EXPECT_EQ(CanonicalCookie::CookieInclusionStatus::WARN_SAMESITE_NONE_INSECURE,
-            status1.warning());
-}
-
 }  // namespace net
diff --git a/chromium/net/cookies/cookie_access_delegate.h b/chromium/net/cookies/cookie_access_delegate.h
index 5c021ee0597..5c5fd96c1da 100644
--- a/chromium/net/cookies/cookie_access_delegate.h
+++ b/chromium/net/cookies/cookie_access_delegate.h
@@ -8,6 +8,7 @@
 #include "net/base/net_export.h"
 #include "net/cookies/canonical_cookie.h"
 #include "net/cookies/cookie_constants.h"
+#include "url/gurl.h"
 
 namespace net {
 
@@ -21,6 +22,12 @@ class NET_EXPORT CookieAccessDelegate {
   virtual CookieAccessSemantics GetAccessSemantics(
       const CanonicalCookie& cookie) const = 0;
 
+  // Returns whether a cookie should be attached regardless of its SameSite
+  // value vs the request context.
+  virtual bool ShouldIgnoreSameSiteRestrictions(
+      const GURL& url,
+      const GURL& site_for_cookies) const = 0;
+
  private:
   DISALLOW_COPY_AND_ASSIGN(CookieAccessDelegate);
 };
diff --git a/chromium/net/cookies/cookie_constants.cc b/chromium/net/cookies/cookie_constants.cc
index 900767bf629..95adeef96e9 100644
--- a/chromium/net/cookies/cookie_constants.cc
+++ b/chromium/net/cookies/cookie_constants.cc
@@ -63,8 +63,6 @@ std::string CookieSameSiteToString(CookieSameSite same_site) {
       return kSameSiteStrict;
     case CookieSameSite::NO_RESTRICTION:
       return kSameSiteNone;
-    case CookieSameSite::EXTENDED_MODE:
-      return kSameSiteExtended;
     case CookieSameSite::UNSPECIFIED:
       return kSameSiteUnspecified;
   }
@@ -91,7 +89,7 @@ CookieSameSite StringToCookieSameSite(const std::string& same_site,
     samesite = CookieSameSite::STRICT_MODE;
     *samesite_string = CookieSameSiteString::kStrict;
   } else if (base::EqualsCaseInsensitiveASCII(same_site, kSameSiteExtended)) {
-    samesite = CookieSameSite::EXTENDED_MODE;
+    // Extended isn't supported anymore -- we just parse it for UMA stats.
     *samesite_string = CookieSameSiteString::kExtended;
   } else if (same_site == "") {
     *samesite_string = CookieSameSiteString::kEmptyString;
diff --git a/chromium/net/cookies/cookie_constants.h b/chromium/net/cookies/cookie_constants.h
index 6a5847086aa..55ef5680694 100644
--- a/chromium/net/cookies/cookie_constants.h
+++ b/chromium/net/cookies/cookie_constants.h
@@ -36,7 +36,7 @@ enum class CookieSameSite {
   NO_RESTRICTION = 0,
   LAX_MODE = 1,
   STRICT_MODE = 2,
-  EXTENDED_MODE = 3,  // TODO(chlily): Remove or gate behind flag.
+  // Reserved 3 (was EXTENDED_MODE), next number is 4.
 };
 
 // These are the enforcement modes that may be applied to a cookie when deciding
@@ -64,7 +64,7 @@ enum class CookieSameSiteString {
   kLax = 3,
   kStrict = 4,
   kNone = 5,
-  kExtended = 6,
+  kExtended = 6,  // Deprecated, kept for metrics only.
 
   // Keep last, update if adding new value.
   kMaxValue = kExtended
@@ -82,6 +82,16 @@ enum class CookieAccessSemantics {
   LEGACY,
 };
 
+// What scheme was used in the setting of a cookie.
+// Do not renumber.
+enum class CookieSourceScheme {
+  kUnset = 0,
+  kNonSecure = 1,
+  kSecure = 2,
+
+  kMaxValue = kSecure  // Keep as the last value.
+};
+
 // Returns the Set-Cookie header priority token corresponding to |priority|.
 //
 // TODO(mkwst): Remove this once its callsites are refactored.
diff --git a/chromium/net/cookies/cookie_constants_unittest.cc b/chromium/net/cookies/cookie_constants_unittest.cc
index 9a8ac98d6bb..8fab6e292c9 100644
--- a/chromium/net/cookies/cookie_constants_unittest.cc
+++ b/chromium/net/cookies/cookie_constants_unittest.cc
@@ -50,9 +50,9 @@ TEST(CookieConstantsTest, TestCookieSameSite) {
   EXPECT_EQ(CookieSameSite::STRICT_MODE, StringToCookieSameSite("Strict"));
   EXPECT_EQ(CookieSameSite::STRICT_MODE, StringToCookieSameSite("STRICT"));
   EXPECT_EQ(CookieSameSite::STRICT_MODE, StringToCookieSameSite("sTrIcT"));
-  EXPECT_EQ(CookieSameSite::EXTENDED_MODE, StringToCookieSameSite("extended"));
-  EXPECT_EQ(CookieSameSite::EXTENDED_MODE, StringToCookieSameSite("EXTENDED"));
-  EXPECT_EQ(CookieSameSite::EXTENDED_MODE, StringToCookieSameSite("ExtenDED"));
+  EXPECT_EQ(CookieSameSite::UNSPECIFIED, StringToCookieSameSite("extended"));
+  EXPECT_EQ(CookieSameSite::UNSPECIFIED, StringToCookieSameSite("EXTENDED"));
+  EXPECT_EQ(CookieSameSite::UNSPECIFIED, StringToCookieSameSite("ExtenDED"));
 
   // Unrecognized tokens are interpreted as UNSPECIFIED.
   const char* const bad_tokens[] = {"",          "foo",   "none ",
diff --git a/chromium/net/cookies/cookie_monster.cc b/chromium/net/cookies/cookie_monster.cc
index 5e5b1067d79..15068300b26 100644
--- a/chromium/net/cookies/cookie_monster.cc
+++ b/chromium/net/cookies/cookie_monster.cc
@@ -194,43 +194,6 @@ bool LRACookieSorter(const CookieMonster::CookieMap::iterator& it1,
   return it1->second->CreationDate() < it2->second->CreationDate();
 }
 
-// Our strategy to find duplicates is:
-// (1) Build a map from (cookiename, cookiepath) to
-//     {list of cookies with this signature, sorted by creation time}.
-// (2) For each list with more than 1 entry, keep the cookie having the
-//     most recent creation time, and delete the others.
-//
-// Two cookies are considered equivalent if they have the same domain,
-// name, and path.
-struct CookieSignature {
- public:
-  CookieSignature(const std::string& name,
-                  const std::string& domain,
-                  const std::string& path)
-      : name(name), domain(domain), path(path) {}
-
-  // To be a key for a map this class needs to be assignable, copyable,
-  // and have an operator<.  The default assignment operator
-  // and copy constructor are exactly what we want.
-
-  bool operator<(const CookieSignature& cs) const {
-    // Name compare dominates, then domain, then path.
-    int diff = name.compare(cs.name);
-    if (diff != 0)
-      return diff < 0;
-
-    diff = domain.compare(cs.domain);
-    if (diff != 0)
-      return diff < 0;
-
-    return path.compare(cs.path) < 0;
-  }
-
-  std::string name;
-  std::string domain;
-  std::string path;
-};
-
 // For a CookieItVector iterator range [|it_begin|, |it_end|),
 // sorts the first |num_sort| elements by LastAccessDate().
 void SortLeastRecentlyAccessed(CookieMonster::CookieItVector::iterator it_begin,
@@ -334,6 +297,15 @@ size_t CountCookiesForPossibleDeletion(
   return cookies_count;
 }
 
+// Returns whether the CookieOptions has at least as same-site of a context as
+// |same_site_requirement|, and the options permit HttpOnly access.
+bool IsHttpSameSiteContextAtLeast(
+    const CookieOptions& options,
+    CookieOptions::SameSiteCookieContext same_site_requirement) {
+  return !options.exclude_httponly() &&
+         options.same_site_cookie_context() >= same_site_requirement;
+}
+
 }  // namespace
 
 CookieMonster::CookieMonster(scoped_refptr<PersistentCookieStore> store,
@@ -557,15 +529,6 @@ void CookieMonster::DumpMemoryStats(
 
 CookieMonster::~CookieMonster() {
   DCHECK(thread_checker_.CalledOnValidThread());
-
-  // TODO(mmenke): Does it really make sense to run
-  // CookieChanged callbacks when the CookieStore is destroyed?
-  for (auto cookie_it = cookies_.begin(); cookie_it != cookies_.end();) {
-    auto current_cookie_it = cookie_it;
-    ++cookie_it;
-    InternalDeleteCookie(current_cookie_it, false /* sync_to_store */,
-                         DELETE_COOKIE_DONT_RECORD);
-  }
   net_log_.EndEvent(NetLogEventType::COOKIE_STORE_ALIVE);
 }
 
@@ -604,7 +567,7 @@ void CookieMonster::AttachAccessSemanticsListForCookieList(
     const CookieList& cookie_list) {
   std::vector<CookieAccessSemantics> access_semantics_list;
   for (const CanonicalCookie& cookie : cookie_list) {
-    access_semantics_list.push_back(GetAccessSemanticsForCookie(cookie));
+    access_semantics_list.push_back(GetAccessSemanticsForCookieGet(cookie));
   }
   MaybeRunCookieCallback(std::move(callback), cookie_list,
                          access_semantics_list);
@@ -663,7 +626,8 @@ void CookieMonster::DeleteAllMatchingInfo(CookieDeletionInfo delete_info,
     CanonicalCookie* cc = curit->second.get();
     ++it;
 
-    if (delete_info.Matches(*cc, GetAccessSemanticsForCookie(*cc))) {
+    if (delete_info.Matches(*cc, GetAccessSemanticsForCookie(
+                                     *cc, false /* legacy_access_granted */))) {
       InternalDeleteCookie(curit, true, /*sync_to_store*/
                            DELETE_COOKIE_EXPLICIT);
       ++num_deleted;
@@ -877,6 +841,12 @@ void CookieMonster::EnsureCookiesMapIsValid() {
   }
 }
 
+// Our strategy to find duplicates is:
+// (1) Build a map from cookie unique key to
+//     {list of cookies with this signature, sorted by creation time}.
+// (2) For each list with more than 1 entry, keep the cookie having the
+//     most recent creation time, and delete the others.
+//
 void CookieMonster::TrimDuplicateCookiesForKey(const std::string& key,
                                                CookieMap::iterator begin,
                                                CookieMap::iterator end) {
@@ -886,7 +856,7 @@ void CookieMonster::TrimDuplicateCookiesForKey(const std::string& key,
   typedef std::multiset<CookieMap::iterator, OrderByCreationTimeDesc> CookieSet;
 
   // Helper map we populate to find the duplicates.
-  typedef std::map<CookieSignature, CookieSet> EquivalenceMap;
+  typedef std::map<CanonicalCookie::UniqueCookieKey, CookieSet> EquivalenceMap;
   EquivalenceMap equivalent_cookies;
 
   // The number of duplicate cookies that have been found.
@@ -898,7 +868,7 @@ void CookieMonster::TrimDuplicateCookiesForKey(const std::string& key,
     DCHECK_EQ(key, it->first);
     CanonicalCookie* cookie = it->second.get();
 
-    CookieSignature signature(cookie->Name(), cookie->Domain(), cookie->Path());
+    CanonicalCookie::UniqueCookieKey signature(cookie->UniqueKey());
     CookieSet& set = equivalent_cookies[signature];
 
     // We found a duplicate!
@@ -921,7 +891,7 @@ void CookieMonster::TrimDuplicateCookiesForKey(const std::string& key,
   // and from the backing store.
   for (auto it = equivalent_cookies.begin(); it != equivalent_cookies.end();
        ++it) {
-    const CookieSignature& signature = it->first;
+    const CanonicalCookie::UniqueCookieKey& signature = it->first;
     CookieSet& dupes = it->second;
 
     if (dupes.size() <= 1)
@@ -936,8 +906,9 @@ void CookieMonster::TrimDuplicateCookiesForKey(const std::string& key,
     LOG(ERROR) << base::StringPrintf(
         "Found %d duplicate cookies for host='%s', "
         "with {name='%s', domain='%s', path='%s'}",
-        static_cast<int>(dupes.size()), key.c_str(), signature.name.c_str(),
-        signature.domain.c_str(), signature.path.c_str());
+        static_cast<int>(dupes.size()), key.c_str(),
+        std::get<0>(signature).c_str(), std::get<1>(signature).c_str(),
+        std::get<2>(signature).c_str());
 
     // Remove all the cookies identified by |dupes|. It is valid to delete our
     // list of iterators one at a time, since |cookies_| is a multimap (they
@@ -995,7 +966,7 @@ void CookieMonster::FilterCookiesWithOptions(
     // given |url|. HTTP only cookies are filtered depending on the passed
     // cookie |options|.
     CanonicalCookie::CookieInclusionStatus status = (*it)->IncludeForRequestURL(
-        url, options, GetAccessSemanticsForCookie(**it));
+        url, options, GetAccessSemanticsForCookieGet(**it));
 
     if (!status.IsInclude()) {
       if (options.return_excluded_cookies())
@@ -1006,126 +977,133 @@ void CookieMonster::FilterCookiesWithOptions(
     if (options.update_access_time())
       InternalUpdateCookieAccessTime(*it, current_time);
 
+    MaybeRecordCookieAccessWithOptions(**it, options, false);
+
     included_cookies->push_back({**it, status});
   }
 }
 
 void CookieMonster::MaybeDeleteEquivalentCookieAndUpdateStatus(
     const std::string& key,
-    const CanonicalCookie& ecc,
+    const CanonicalCookie& cookie_being_set,
     bool source_secure,
     bool skip_httponly,
     bool already_expired,
     base::Time* creation_date_to_inherit,
     CanonicalCookie::CookieInclusionStatus* status) {
   DCHECK(thread_checker_.CalledOnValidThread());
+  DCHECK(!status->HasExclusionReason(
+      CanonicalCookie::CookieInclusionStatus::EXCLUDE_OVERWRITE_SECURE));
+  DCHECK(!status->HasExclusionReason(
+      CanonicalCookie::CookieInclusionStatus::EXCLUDE_OVERWRITE_HTTP_ONLY));
 
   bool found_equivalent_cookie = false;
-  bool skipped_httponly = false;
-  bool skipped_secure_cookie = false;
-
-  histogram_cookie_delete_equivalent_->Add(COOKIE_DELETE_EQUIVALENT_ATTEMPT);
-
-  CookieMap::iterator cookie_it_to_possibly_delete = cookies_.end();
+  CookieMap::iterator maybe_delete_it = cookies_.end();
   CanonicalCookie* cc_skipped_secure = nullptr;
-  for (CookieMapItPair its = cookies_.equal_range(key);
-       its.first != its.second;) {
-    auto curit = its.first;
-    CanonicalCookie* cc = curit->second.get();
-    ++its.first;
 
+  // Check every cookie matching this domain key for equivalence.
+  CookieMapItPair range_its = cookies_.equal_range(key);
+  for (auto cur_it = range_its.first; cur_it != range_its.second; ++cur_it) {
+    CanonicalCookie* cc = cur_it->second.get();
+
+    // Evaluate "Leave Secure Cookies Alone":
     // If the cookie is being set from an insecure scheme, then if a cookie
     // already exists with the same name and it is Secure, then the cookie
     // should *not* be updated if they domain-match and ignoring the path
-    // attribute.
+    // attribute. This notion of equivalence is slightly more inclusive than the
+    // usual IsEquivalent() check.
     //
     // See: https://tools.ietf.org/html/draft-ietf-httpbis-cookie-alone
     if (cc->IsSecure() && !source_secure &&
-        ecc.IsEquivalentForSecureCookieMatching(*cc)) {
-      skipped_secure_cookie = true;
+        cookie_being_set.IsEquivalentForSecureCookieMatching(*cc)) {
+      // Hold onto this for additional Netlogging later if we end up preserving
+      // a would-have-been-deleted cookie because of this.
       cc_skipped_secure = cc;
-      histogram_cookie_delete_equivalent_->Add(
-          COOKIE_DELETE_EQUIVALENT_SKIPPING_SECURE);
       net_log_.AddEvent(NetLogEventType::COOKIE_STORE_COOKIE_REJECTED_SECURE,
                         [&](NetLogCaptureMode capture_mode) {
                           return NetLogCookieMonsterCookieRejectedSecure(
-                              cc, &ecc, capture_mode);
+                              cc_skipped_secure, &cookie_being_set,
+                              capture_mode);
                         });
-      // If the cookie is equivalent to the new cookie and wouldn't have been
-      // skipped for being HTTP-only, record that it is a skipped secure cookie
-      // that would have been deleted otherwise.
-      if (ecc.IsEquivalent(*cc)) {
-        found_equivalent_cookie = true;
-
-        if (!skip_httponly || !cc->IsHttpOnly()) {
-          histogram_cookie_delete_equivalent_->Add(
-              COOKIE_DELETE_EQUIVALENT_WOULD_HAVE_DELETED);
-        } else {
-          // Would also have skipped for being httponly, so make a note of that.
-          skipped_httponly = true;
-        }
-      }
-    } else if (ecc.IsEquivalent(*cc)) {
+      status->AddExclusionReason(
+          CanonicalCookie::CookieInclusionStatus::EXCLUDE_OVERWRITE_SECURE);
+    }
+
+    if (cookie_being_set.IsEquivalent(*cc)) {
       // We should never have more than one equivalent cookie, since they should
-      // overwrite each other, unless secure cookies require secure scheme is
-      // being enforced. In that case, cookies with different paths might exist
-      // and be considered equivalent.
+      // overwrite each other.
       CHECK(!found_equivalent_cookie)
           << "Duplicate equivalent cookies found, cookie store is corrupted.";
-      DCHECK(cookie_it_to_possibly_delete == cookies_.end());
+      DCHECK(maybe_delete_it == cookies_.end());
+      found_equivalent_cookie = true;
+
+      // The |cookie_being_set| is rejected for trying to overwrite an httponly
+      // cookie when it should not be able to.
       if (skip_httponly && cc->IsHttpOnly()) {
-        skipped_httponly = true;
         net_log_.AddEvent(
             NetLogEventType::COOKIE_STORE_COOKIE_REJECTED_HTTPONLY,
             [&](NetLogCaptureMode capture_mode) {
-              return NetLogCookieMonsterCookieRejectedHttponly(cc, &ecc,
-                                                               capture_mode);
+              return NetLogCookieMonsterCookieRejectedHttponly(
+                  cc, &cookie_being_set, capture_mode);
             });
+        status->AddExclusionReason(CanonicalCookie::CookieInclusionStatus::
+                                       EXCLUDE_OVERWRITE_HTTP_ONLY);
       } else {
-        cookie_it_to_possibly_delete = curit;
+        maybe_delete_it = cur_it;
       }
-      found_equivalent_cookie = true;
     }
   }
 
-  if (cookie_it_to_possibly_delete != cookies_.end()) {
-    CanonicalCookie* cc_to_possibly_delete =
-        cookie_it_to_possibly_delete->second.get();
-    // 1) If a secure cookie was encountered (and left alone), don't actually
-    // modify any of the pre-existing cookies. Only delete if no secure cookies
-    // were skipped. 2) Only delete if the status of the current cookie-addition
-    // is "include", so that we don't throw out a valid cookie for a bad cookie.
-    if (!skipped_secure_cookie && status->IsInclude()) {
-      histogram_cookie_delete_equivalent_->Add(COOKIE_DELETE_EQUIVALENT_FOUND);
-      if (cc_to_possibly_delete->Value() == ecc.Value()) {
-        *creation_date_to_inherit = cc_to_possibly_delete->CreationDate();
-        histogram_cookie_delete_equivalent_->Add(
-            COOKIE_DELETE_EQUIVALENT_FOUND_WITH_SAME_VALUE);
-      }
-      InternalDeleteCookie(cookie_it_to_possibly_delete, true,
+  if (maybe_delete_it != cookies_.end()) {
+    CanonicalCookie* maybe_delete_cc = maybe_delete_it->second.get();
+    if (maybe_delete_cc->Value() == cookie_being_set.Value())
+      *creation_date_to_inherit = maybe_delete_cc->CreationDate();
+    if (status->IsInclude()) {
+      InternalDeleteCookie(maybe_delete_it, true,
                            already_expired ? DELETE_COOKIE_EXPIRED_OVERWRITE
                                            : DELETE_COOKIE_OVERWRITE);
-    } else if (skipped_secure_cookie) {
-      // If any secure cookie was skipped, preserve the pre-existing cookie.
+    } else if (status->HasExclusionReason(
+                   CanonicalCookie::CookieInclusionStatus::
+                       EXCLUDE_OVERWRITE_SECURE)) {
+      // Log that we preserved a cookie that would have been deleted due to
+      // Leave Secure Cookies Alone. This arbitrarily only logs the last
+      // |cc_skipped_secure| that we were left with after the for loop, even if
+      // there were multiple matching Secure cookies that were left alone.
       DCHECK(cc_skipped_secure);
       net_log_.AddEvent(
           NetLogEventType::COOKIE_STORE_COOKIE_PRESERVED_SKIPPED_SECURE,
           [&](NetLogCaptureMode capture_mode) {
             return NetLogCookieMonsterCookiePreservedSkippedSecure(
-                cc_skipped_secure, cc_to_possibly_delete, &ecc, capture_mode);
+                cc_skipped_secure, maybe_delete_cc, &cookie_being_set,
+                capture_mode);
           });
     }
   }
+}
 
-  if (skipped_httponly) {
-    status->AddExclusionReason(
-        CanonicalCookie::CookieInclusionStatus::EXCLUDE_OVERWRITE_HTTP_ONLY);
-  }
-
-  if (skipped_secure_cookie) {
-    status->AddExclusionReason(
-        CanonicalCookie::CookieInclusionStatus::EXCLUDE_OVERWRITE_SECURE);
+// Find the creation time of an equivalent cookie with the same value
+// ("identical", well, modulo other attributes that don't get compared)
+// if any. This iterates through the matching range of the |cookies_| map an
+// extra time, but this is ok because it is only used if
+// RecentCreationTimeGrantsLegacyCookieSemantics is enabled.
+base::Time CookieMonster::EffectiveCreationTimeForMaybePreexistingCookie(
+    const std::string& key,
+    const CanonicalCookie& cookie) const {
+  DCHECK(cookie_util::IsRecentCreationTimeGrantsLegacyCookieSemanticsEnabled());
+  base::Time effective_creation_time = cookie.CreationDate();
+  const auto range_its = cookies_.equal_range(key);
+  for (auto cur_it = range_its.first; cur_it != range_its.second; ++cur_it) {
+    CanonicalCookie* preexisting_maybe_identical_cookie = cur_it->second.get();
+    if (cookie.IsEquivalent(*preexisting_maybe_identical_cookie)) {
+      if (preexisting_maybe_identical_cookie->Value() == cookie.Value()) {
+        effective_creation_time =
+            preexisting_maybe_identical_cookie->CreationDate();
+      }
+      // There should only ever be at most one equivalent cookie in the store.
+      break;
+    }
   }
+  return effective_creation_time;
 }
 
 CookieMonster::CookieMap::iterator CookieMonster::InternalInsertCookie(
@@ -1148,7 +1126,8 @@ CookieMonster::CookieMap::iterator CookieMonster::InternalInsertCookie(
 
   // See InitializeHistograms() for details.
   int32_t type_sample =
-      !cc_ptr->IsEffectivelySameSiteNone(GetAccessSemanticsForCookie(*cc_ptr))
+      !cc_ptr->IsEffectivelySameSiteNone(GetAccessSemanticsForCookie(
+          *cc_ptr, false /* legacy_access_granted */))
           ? 1 << COOKIE_TYPE_SAME_SITE
           : 0;
   type_sample |= cc_ptr->IsHttpOnly() ? 1 << COOKIE_TYPE_HTTPONLY : 0;
@@ -1156,7 +1135,9 @@ CookieMonster::CookieMap::iterator CookieMonster::InternalInsertCookie(
   histogram_cookie_type_->Add(type_sample);
 
   change_dispatcher_.DispatchChange(
-      CookieChangeInfo(*cc_ptr, GetAccessSemanticsForCookie(*cc_ptr),
+      CookieChangeInfo(*cc_ptr,
+                       GetAccessSemanticsForCookie(
+                           *cc_ptr, false /* legacy_access_granted */),
                        CookieChangeCause::INSERTED),
       true);
 
@@ -1173,38 +1154,29 @@ void CookieMonster::SetCanonicalCookie(std::unique_ptr<CanonicalCookie> cc,
 
   std::string scheme_lower = base::ToLowerASCII(source_scheme);
   bool secure_source = GURL::SchemeIsCryptographic(scheme_lower);
+  cc->SetSourceScheme(secure_source ? CookieSourceScheme::kSecure
+                                    : CookieSourceScheme::kNonSecure);
   if ((cc->IsSecure() && !secure_source)) {
     status.AddExclusionReason(
         CanonicalCookie::CookieInclusionStatus::EXCLUDE_SECURE_ONLY);
   }
 
-  status.AddExclusionReasonsAndWarningIfAny(
-      cc->IsSetPermittedInContext(options, GetAccessSemanticsForCookie(*cc)));
-
   if (!IsCookieableScheme(scheme_lower)) {
     status.AddExclusionReason(
         CanonicalCookie::CookieInclusionStatus::EXCLUDE_NONCOOKIEABLE_SCHEME);
   }
 
-  // If both SameSiteByDefaultCookies and CookiesWithoutSameSiteMustBeSecure
-  // are enabled, non-SameSite cookies without the Secure attribute will be
-  // rejected. A warning for this would have been added by
-  // IsSetPermittedInContext().
-  if (GetAccessSemanticsForCookie(*cc) != CookieAccessSemantics::LEGACY &&
-      cookie_util::IsCookiesWithoutSameSiteMustBeSecureEnabled() &&
-      cc->SameSite() == CookieSameSite::NO_RESTRICTION && !cc->IsSecure()) {
-    DVLOG(net::cookie_util::kVlogSetCookies)
-        << "SetCookie() rejecting insecure cookie with SameSite=None.";
-    status.AddExclusionReason(
-        CanonicalCookie::CookieInclusionStatus::EXCLUDE_SAMESITE_NONE_INSECURE);
-  }
-  // Log whether a SameSite=None cookie is Secure or not.
-  if (cc->SameSite() == CookieSameSite::NO_RESTRICTION) {
-    UMA_HISTOGRAM_BOOLEAN("Cookie.SameSiteNoneIsSecure", cc->IsSecure());
-  }
-
   const std::string key(GetKey(cc->Domain()));
 
+  cc->IsSetPermittedInContext(
+      options,
+      GetAccessSemanticsForCookieSet(
+          *cc, options,
+          cookie_util::IsRecentCreationTimeGrantsLegacyCookieSemanticsEnabled()
+              ? EffectiveCreationTimeForMaybePreexistingCookie(key, *cc)
+              : base::Time()),
+      &status);
+
   base::Time creation_date = cc->CreationDate();
   if (creation_date.is_null()) {
     creation_date = Time::Now();
@@ -1259,6 +1231,8 @@ void CookieMonster::SetCanonicalCookie(std::unique_ptr<CanonicalCookie> cc,
         cc->SetCreationDate(creation_date_to_inherit);
       }
 
+      MaybeRecordCookieAccessWithOptions(*cc, options, true);
+
       InternalInsertCookie(key, std::move(cc), true);
     } else {
       DVLOG(net::cookie_util::kVlogSetCookies)
@@ -1354,12 +1328,23 @@ void CookieMonster::InternalDeleteCookie(CookieMap::iterator it,
                       });
   }
 
+  // Skip this if the map is empty, to avoid unnecessarily constructing the
+  // UniqueCookieKey.
+  if (!last_http_same_site_accesses_.empty()) {
+    DCHECK(cookie_util::
+               IsRecentHttpSameSiteAccessGrantsLegacyCookieSemanticsEnabled());
+    last_http_same_site_accesses_.erase(it->second->UniqueKey());
+  }
+
   if ((cc->IsPersistent() || persist_session_cookies_) && store_.get() &&
       sync_to_store) {
     store_->DeleteCookie(*cc);
   }
   change_dispatcher_.DispatchChange(
-      CookieChangeInfo(*cc, GetAccessSemanticsForCookie(*cc), mapping.cause),
+      CookieChangeInfo(
+          *cc,
+          GetAccessSemanticsForCookie(*cc, false /* legacy_access_granted */),
+          mapping.cause),
       mapping.notify);
   cookies_.erase(it);
 }
@@ -1697,12 +1682,93 @@ bool CookieMonster::HasCookieableScheme(const GURL& url) {
 }
 
 CookieAccessSemantics CookieMonster::GetAccessSemanticsForCookie(
-    const CanonicalCookie& cookie) const {
+    const CanonicalCookie& cookie,
+    bool legacy_semantics_granted) const {
+  if (legacy_semantics_granted)
+    return CookieAccessSemantics::LEGACY;
   if (cookie_access_delegate())
     return cookie_access_delegate()->GetAccessSemantics(cookie);
   return CookieAccessSemantics::UNKNOWN;
 }
 
+CookieAccessSemantics CookieMonster::GetAccessSemanticsForCookieGet(
+    const CanonicalCookie& cookie) const {
+  bool legacy_semantics_granted =
+      cookie_util::DoesLastHttpSameSiteAccessGrantLegacySemantics(
+          LastAccessFromHttpSameSiteContext(cookie)) ||
+      cookie_util::DoesCreationTimeGrantLegacySemantics(cookie.CreationDate());
+  return GetAccessSemanticsForCookie(cookie, legacy_semantics_granted);
+}
+
+CookieAccessSemantics CookieMonster::GetAccessSemanticsForCookieSet(
+    const CanonicalCookie& cookie,
+    const CookieOptions& options,
+    base::Time effective_creation_time) const {
+  // If the current cookie access is a set, directly treat the cookie as LEGACY
+  // if the |options| qualify, because there may not be a time entry in
+  // |last_http_same_site_accesses_| since it may be a new cookie without a
+  // previous access. It will still only be added to the map as a qualifying
+  // cookie access if the final inclusion status is include.
+  bool legacy_semantics_granted =
+      (cookie_util::
+           IsRecentHttpSameSiteAccessGrantsLegacyCookieSemanticsEnabled() &&
+       IsHttpSameSiteContextAtLeast(
+           options, CookieOptions::SameSiteCookieContext::SAME_SITE_LAX));
+
+  // If the current cookie access is not itself http-and-same-site, but the last
+  // one that was, was recent enough, (and the corresponding feature is enabled)
+  // grant legacy semantics.
+  legacy_semantics_granted =
+      legacy_semantics_granted ||
+      cookie_util::DoesLastHttpSameSiteAccessGrantLegacySemantics(
+          LastAccessFromHttpSameSiteContext(cookie));
+
+  // If the cookie's creation time (or that of an identical preexisting cookie)
+  // was recent enough (and the corresponding feature is enabled), grant legacy
+  // semantics.
+  legacy_semantics_granted = legacy_semantics_granted ||
+                             cookie_util::DoesCreationTimeGrantLegacySemantics(
+                                 effective_creation_time);
+
+  return GetAccessSemanticsForCookie(cookie, legacy_semantics_granted);
+}
+
+base::TimeTicks CookieMonster::LastAccessFromHttpSameSiteContext(
+    const CanonicalCookie& cookie) const {
+  // Return early to avoid unnecessarily constructing the UniqueCookieKey
+  if (last_http_same_site_accesses_.empty()) {
+    return base::TimeTicks();
+  }
+
+  const auto it = last_http_same_site_accesses_.find(cookie.UniqueKey());
+  if (it != last_http_same_site_accesses_.end())
+    return it->second;
+  return base::TimeTicks();
+}
+
+void CookieMonster::MaybeRecordCookieAccessWithOptions(
+    const CanonicalCookie& cookie,
+    const CookieOptions& options,
+    bool is_set) {
+  // Don't populate |last_http_same_site_accesses_| if the relevant feature is
+  // not enabled.
+  if (!cookie_util::
+          IsRecentHttpSameSiteAccessGrantsLegacyCookieSemanticsEnabled()) {
+    return;
+  }
+
+  // Don't update time for accesses that don't update access time. (E.g. the
+  // time should not be updated when the cookie is accessed to populate the UI.)
+  if (!options.update_access_time())
+    return;
+
+  CookieOptions::SameSiteCookieContext same_site_requirement =
+      is_set ? CookieOptions::SameSiteCookieContext::SAME_SITE_LAX
+             : CookieOptions::SameSiteCookieContext::SAME_SITE_STRICT;
+  if (IsHttpSameSiteContextAtLeast(options, same_site_requirement))
+    last_http_same_site_accesses_[cookie.UniqueKey()] = base::TimeTicks::Now();
+}
+
 // Test to see if stats should be recorded, and record them if so.
 // The goal here is to get sampling for the average browser-hour of
 // activity.  We won't take samples when the web isn't being surfed,
@@ -1770,11 +1836,6 @@ void CookieMonster::InitializeHistograms() {
   histogram_cookie_source_scheme_ = base::LinearHistogram::FactoryGet(
       "Cookie.CookieSourceScheme", 1, COOKIE_SOURCE_LAST_ENTRY - 1,
       COOKIE_SOURCE_LAST_ENTRY, base::Histogram::kUmaTargetedHistogramFlag);
-  histogram_cookie_delete_equivalent_ = base::LinearHistogram::FactoryGet(
-      "Cookie.CookieDeleteEquivalent", 1,
-      COOKIE_DELETE_EQUIVALENT_LAST_ENTRY - 1,
-      COOKIE_DELETE_EQUIVALENT_LAST_ENTRY,
-      base::Histogram::kUmaTargetedHistogramFlag);
 
   // From UMA_HISTOGRAM_{CUSTOM_,}TIMES
   histogram_time_blocked_on_load_ = base::Histogram::FactoryTimeGet(
diff --git a/chromium/net/cookies/cookie_monster.h b/chromium/net/cookies/cookie_monster.h
index 66ad270bb07..431fab884a5 100644
--- a/chromium/net/cookies/cookie_monster.h
+++ b/chromium/net/cookies/cookie_monster.h
@@ -302,43 +302,6 @@ class NET_EXPORT CookieMonster : public CookieStore {
     COOKIE_SOURCE_LAST_ENTRY
   };
 
-  // Used to populate a histogram for cookie setting in the "delete equivalent"
-  // step. Measures total attempts to delete an equivalent cookie, and
-  // categorizes the outcome.
-  //
-  // * COOKIE_DELETE_EQUIVALENT_ATTEMPT is incremented each time a cookie is
-  //   set, causing the equivalent deletion algorithm to execute.
-  //
-  // * COOKIE_DELETE_EQUIVALENT_SKIPPING_SECURE is incremented when a non-secure
-  //   cookie is ignored because an equivalent, but secure, cookie already
-  //   exists.
-  //
-  // * COOKIE_DELETE_EQUIVALENT_WOULD_HAVE_DELETED is incremented when a cookie
-  //   is skipped due to `secure` rules (e.g. whenever
-  //   COOKIE_DELETE_EQUIVALENT_SKIPPING_SECURE is incremented), but would have
-  //   caused a deletion without those rules.
-  //
-  //   TODO(mkwst): Now that we've shipped strict secure cookie checks, we don't
-  //   need this value anymore.
-  //
-  // * COOKIE_DELETE_EQUIVALENT_FOUND is incremented each time an equivalent
-  //   cookie is found (and deleted).
-  //
-  // * COOKIE_DELETE_EQUIVALENT_FOUND_WITH_SAME_VALUE is incremented each time
-  //   an equivalent cookie that also shared the same value with the new cookie
-  //   is found (and deleted).
-  //
-  // Please do not reorder or remove entries. New entries must be added to the
-  // end of the list, just before COOKIE_DELETE_EQUIVALENT_LAST_ENTRY.
-  enum CookieDeleteEquivalent {
-    COOKIE_DELETE_EQUIVALENT_ATTEMPT = 0,
-    COOKIE_DELETE_EQUIVALENT_FOUND,
-    COOKIE_DELETE_EQUIVALENT_SKIPPING_SECURE,
-    COOKIE_DELETE_EQUIVALENT_WOULD_HAVE_DELETED,
-    COOKIE_DELETE_EQUIVALENT_FOUND_WITH_SAME_VALUE,
-    COOKIE_DELETE_EQUIVALENT_LAST_ENTRY
-  };
-
   // Record statistics every kRecordStatisticsIntervalSeconds of uptime.
   static const int kRecordStatisticsIntervalSeconds = 10 * 60;
 
@@ -434,18 +397,24 @@ class NET_EXPORT CookieMonster : public CookieStore {
                                 CookieStatusList* included_cookies,
                                 CookieStatusList* excluded_cookies);
 
-  // Delete any cookies that are equivalent to |ecc| (same path, domain, etc).
+  // Possibly delete an existing cookie equivalent to |cookie_being_set| (same
+  // path, domain, and name).
+  //
   // |source_secure| indicates if the source may override existing secure
-  // cookies.
+  // cookies. If the source is not secure, and there is an existing "equivalent"
+  // cookie that is Secure, that cookie will be preserved, under "Leave Secure
+  // Cookies Alone" (see
+  // https://tools.ietf.org/html/draft-ietf-httpbis-cookie-alone-01).
+  // ("equivalent" here is in quotes because the equivalency check for the
+  // purposes of preserving existing Secure cookies is slightly more inclusive.)
   //
-  // If |skip_httponly| is true, httponly cookies will not be deleted.  The
-  // return value will be true if |skip_httponly| skipped an httponly cookie or
-  // the cookie to delete was Secure and the scheme of |ecc| is insecure.  |key|
-  // is the key to find the cookie in cookies_; see the comment before the
+  // If |skip_httponly| is true, httponly cookies will not be deleted even if
+  // they are equivalent.
+  // |key| is the key to find the cookie in cookies_; see the comment before the
   // CookieMap typedef for details.
   //
-  // If a cookie is deleted, and its value matches |ecc|'s value, then
-  // |creation_date_to_inherit| will be set to that cookie's creation date.
+  // If a cookie is deleted, and its value matches |cookie_being_set|'s value,
+  // then |creation_date_to_inherit| will be set to that cookie's creation date.
   //
   // The cookie will not be deleted if |*status| is not "include" when calling
   // the function. The function will update |*status| with exclusion reasons if
@@ -454,13 +423,21 @@ class NET_EXPORT CookieMonster : public CookieStore {
   // NOTE: There should never be more than a single matching equivalent cookie.
   void MaybeDeleteEquivalentCookieAndUpdateStatus(
       const std::string& key,
-      const CanonicalCookie& ecc,
+      const CanonicalCookie& cookie_being_set,
       bool source_secure,
       bool skip_httponly,
       bool already_expired,
       base::Time* creation_date_to_inherit,
       CanonicalCookie::CookieInclusionStatus* status);
 
+  // This is only used if the RecentCreationTimeGrantsLegacyCookieSemantics
+  // feature is enabled. It finds an equivalent cookie (based on name, domain,
+  // path) with the same value, if there is any, and returns its creation time,
+  // or the creation time of the |cookie| itself, if there is none.
+  base::Time EffectiveCreationTimeForMaybePreexistingCookie(
+      const std::string& key,
+      const CanonicalCookie& cookie) const;
+
   // Inserts |cc| into cookies_. Returns an iterator that points to the inserted
   // cookie in cookies_. Guarantee: all iterators to cookies_ remain valid.
   CookieMap::iterator InternalInsertCookie(const std::string& key,
@@ -535,11 +512,50 @@ class NET_EXPORT CookieMonster : public CookieStore {
 
   bool HasCookieableScheme(const GURL& url);
 
-  // Get the cookie's access semantics (LEGACY or NONLEGACY) from the cookie
-  // access delegate, if it is non-null. Otherwise return UNKNOWN.
+  // Get the cookie's access semantics (LEGACY or NONLEGACY), considering any
+  // features granting legacy semantics for special conditions (if any are
+  // active and meet the conditions for granting legacy access, pass true for
+  // |legacy_semantics_granted|). If none are active, this then checks for a
+  // value from the cookie access delegate, if it is non-null. Otherwise returns
+  // UNKNOWN.
   CookieAccessSemantics GetAccessSemanticsForCookie(
+      const CanonicalCookie& cookie,
+      bool legacy_semantics_granted) const;
+
+  // This is called for getting a cookie.
+  CookieAccessSemantics GetAccessSemanticsForCookieGet(
       const CanonicalCookie& cookie) const;
 
+  // This is called for setting a cookie with the options specified by
+  // |options|. For setting a cookie, a same-site access is lax or better (since
+  // CookieOptions for setting a cookie will never be strict).
+  // |effective_creation_time| is the time that should be used for deciding
+  // whether the RecentCreationTimeGrantsLegacyCookieSemantics feature should
+  // grant legacy semantics. This may differ from the CreationDate() field of
+  // the cookie, if there was a preexisting equivalent cookie (in which case it
+  // is the creation time of that equivalent cookie).
+  CookieAccessSemantics GetAccessSemanticsForCookieSet(
+      const CanonicalCookie& cookie,
+      const CookieOptions& options,
+      base::Time effective_creation_time) const;
+
+  // Looks up the last time a cookie matching the (name, domain, path) of
+  // |cookie| was accessed in a same-site context permitting HttpOnly
+  // cookie access. If there was none, this returns a null base::Time.
+  // Returns null value if RecentHttpSameSiteAccessGrantsLegacyCookieSemantics
+  // is not enabled.
+  base::TimeTicks LastAccessFromHttpSameSiteContext(
+      const CanonicalCookie& cookie) const;
+
+  // Updates |last_http_same_site_accesses_| with the current time if the
+  // |options| are appropriate (same-site and permits HttpOnly access).
+  // |is_set| is true if the access is setting the cookie, false otherwise (e.g.
+  // if getting the cookie). Does nothing if
+  // RecentHttpSameSiteAccessGrantsLegacyCookieSemantics is not enabled.
+  void MaybeRecordCookieAccessWithOptions(const CanonicalCookie& cookie,
+                                          const CookieOptions& options,
+                                          bool is_set);
+
   // Statistics support
 
   // This function should be called repeatedly, and will record
@@ -570,7 +586,6 @@ class NET_EXPORT CookieMonster : public CookieStore {
   base::HistogramBase* histogram_count_;
   base::HistogramBase* histogram_cookie_type_;
   base::HistogramBase* histogram_cookie_source_scheme_;
-  base::HistogramBase* histogram_cookie_delete_equivalent_;
   base::HistogramBase* histogram_time_blocked_on_load_;
 
   CookieMap cookies_;
@@ -624,6 +639,17 @@ class NET_EXPORT CookieMonster : public CookieStore {
   // wanted.  Thus this value is not initialized.
   base::Time earliest_access_time_;
 
+  // Records the last access to a cookie (either getting or setting) from a
+  // context that is both same-site and permits HttpOnly access.
+  // The access is considered same-site if it is at least laxly same-site for
+  // set, or strictly same-site for get.
+  // This information is used to determine if the feature
+  // kRecentSameSiteAccessGrantsLegacyCookieSemantics should grant legacy
+  // access semantics to a cookie for subsequent accesses.
+  // This map is not used if that feature is not enabled.
+  std::map<CanonicalCookie::UniqueCookieKey, base::TimeTicks>
+      last_http_same_site_accesses_;
+
   std::vector<std::string> cookieable_schemes_;
 
   base::Time last_statistic_record_time_;
diff --git a/chromium/net/cookies/cookie_monster_unittest.cc b/chromium/net/cookies/cookie_monster_unittest.cc
index 4646e34f74f..d8afbf47bd2 100644
--- a/chromium/net/cookies/cookie_monster_unittest.cc
+++ b/chromium/net/cookies/cookie_monster_unittest.cc
@@ -57,6 +57,13 @@ namespace net {
 using base::Time;
 using base::TimeDelta;
 using CookieDeletionInfo = net::CookieDeletionInfo;
+using features::kCookiesWithoutSameSiteMustBeSecure;
+using features::kRecentCreationTimeGrantsLegacyCookieSemantics;
+using features::kRecentCreationTimeGrantsLegacyCookieSemanticsMilliseconds;
+using features::kRecentHttpSameSiteAccessGrantsLegacyCookieSemantics;
+using features::
+    kRecentHttpSameSiteAccessGrantsLegacyCookieSemanticsMilliseconds;
+using features::kSameSiteByDefaultCookies;
 
 namespace {
 
@@ -156,7 +163,8 @@ class CookieMonsterTestBase : public CookieStoreTest<T> {
     cm->SetCanonicalCookieAsync(
         CanonicalCookie::Create(url, cookie_line, creation_time,
                                 base::nullopt /* server_time */),
-        url.scheme(), CookieOptions(), callback.MakeCallback());
+        url.scheme(), CookieOptions::MakeAllInclusive(),
+        callback.MakeCallback());
     callback.WaitUntilDone();
     return callback.result().IsInclude();
   }
@@ -205,22 +213,22 @@ class CookieMonsterTestBase : public CookieStoreTest<T> {
         cm,
         std::make_unique<CanonicalCookie>(
             "dom_1", "A", ".harvard.edu", "/", base::Time(), base::Time(),
-            base::Time(), false, false, CookieSameSite::NO_RESTRICTION,
+            base::Time(), false, false, CookieSameSite::LAX_MODE,
             COOKIE_PRIORITY_DEFAULT),
         "http", true /*modify_httponly*/));
     EXPECT_TRUE(this->SetCanonicalCookie(
         cm,
         std::make_unique<CanonicalCookie>(
             "dom_2", "B", ".math.harvard.edu", "/", base::Time(), base::Time(),
-            base::Time(), false, false, CookieSameSite::NO_RESTRICTION,
+            base::Time(), false, false, CookieSameSite::LAX_MODE,
             COOKIE_PRIORITY_DEFAULT),
         "http", true /*modify_httponly*/));
     EXPECT_TRUE(this->SetCanonicalCookie(
         cm,
         std::make_unique<CanonicalCookie>(
             "dom_3", "C", ".bourbaki.math.harvard.edu", "/", base::Time(),
-            base::Time(), base::Time(), false, false,
-            CookieSameSite::NO_RESTRICTION, COOKIE_PRIORITY_DEFAULT),
+            base::Time(), base::Time(), false, false, CookieSameSite::LAX_MODE,
+            COOKIE_PRIORITY_DEFAULT),
         "http", true /*modify_httponly*/));
 
     // Host cookies
@@ -228,22 +236,22 @@ class CookieMonsterTestBase : public CookieStoreTest<T> {
         cm,
         std::make_unique<CanonicalCookie>(
             "host_1", "A", url_top_level_domain_plus_1, "/", base::Time(),
-            base::Time(), base::Time(), false, false,
-            CookieSameSite::NO_RESTRICTION, COOKIE_PRIORITY_DEFAULT),
+            base::Time(), base::Time(), false, false, CookieSameSite::LAX_MODE,
+            COOKIE_PRIORITY_DEFAULT),
         "http", true /*modify_httponly*/));
     EXPECT_TRUE(this->SetCanonicalCookie(
         cm,
         std::make_unique<CanonicalCookie>(
             "host_2", "B", url_top_level_domain_plus_2, "/", base::Time(),
-            base::Time(), base::Time(), false, false,
-            CookieSameSite::NO_RESTRICTION, COOKIE_PRIORITY_DEFAULT),
+            base::Time(), base::Time(), false, false, CookieSameSite::LAX_MODE,
+            COOKIE_PRIORITY_DEFAULT),
         "http", true /*modify_httponly*/));
     EXPECT_TRUE(this->SetCanonicalCookie(
         cm,
         std::make_unique<CanonicalCookie>(
             "host_3", "C", url_top_level_domain_plus_3, "/", base::Time(),
-            base::Time(), base::Time(), false, false,
-            CookieSameSite::NO_RESTRICTION, COOKIE_PRIORITY_DEFAULT),
+            base::Time(), base::Time(), false, false, CookieSameSite::LAX_MODE,
+            COOKIE_PRIORITY_DEFAULT),
         "http", true /*modify_httponly*/));
 
     // http_only cookie
@@ -251,8 +259,8 @@ class CookieMonsterTestBase : public CookieStoreTest<T> {
         cm,
         std::make_unique<CanonicalCookie>(
             "httpo_check", "A", url_top_level_domain_plus_2, "/", base::Time(),
-            base::Time(), base::Time(), false, true,
-            CookieSameSite::NO_RESTRICTION, COOKIE_PRIORITY_DEFAULT),
+            base::Time(), base::Time(), false, true, CookieSameSite::LAX_MODE,
+            COOKIE_PRIORITY_DEFAULT),
         "http", true /*modify_httponly*/));
 
     // same-site cookie
@@ -286,15 +294,15 @@ class CookieMonsterTestBase : public CookieStoreTest<T> {
         cm,
         std::make_unique<CanonicalCookie>(
             "dom_path_1", "A", ".math.harvard.edu", "/dir1", base::Time(),
-            base::Time(), base::Time(), false, false,
-            CookieSameSite::NO_RESTRICTION, COOKIE_PRIORITY_DEFAULT),
+            base::Time(), base::Time(), false, false, CookieSameSite::LAX_MODE,
+            COOKIE_PRIORITY_DEFAULT),
         "http", true /*modify_httponly*/));
     EXPECT_TRUE(this->SetCanonicalCookie(
         cm,
         std::make_unique<CanonicalCookie>(
             "dom_path_2", "B", ".math.harvard.edu", "/dir1/dir2", base::Time(),
-            base::Time(), base::Time(), false, false,
-            CookieSameSite::NO_RESTRICTION, COOKIE_PRIORITY_DEFAULT),
+            base::Time(), base::Time(), false, false, CookieSameSite::LAX_MODE,
+            COOKIE_PRIORITY_DEFAULT),
         "http", true /*modify_httponly*/));
 
     // Host path cookies
@@ -303,7 +311,7 @@ class CookieMonsterTestBase : public CookieStoreTest<T> {
         std::make_unique<CanonicalCookie>(
             "host_path_1", "A", url_top_level_domain_plus_2, "/dir1",
             base::Time(), base::Time(), base::Time(), false, false,
-            CookieSameSite::NO_RESTRICTION, COOKIE_PRIORITY_DEFAULT),
+            CookieSameSite::LAX_MODE, COOKIE_PRIORITY_DEFAULT),
         "http", true /*modify_httponly*/));
 
     EXPECT_TRUE(this->SetCanonicalCookie(
@@ -311,7 +319,7 @@ class CookieMonsterTestBase : public CookieStoreTest<T> {
         std::make_unique<CanonicalCookie>(
             "host_path_2", "B", url_top_level_domain_plus_2, "/dir1/dir2",
             base::Time(), base::Time(), base::Time(), false, false,
-            CookieSameSite::NO_RESTRICTION, COOKIE_PRIORITY_DEFAULT),
+            CookieSameSite::LAX_MODE, COOKIE_PRIORITY_DEFAULT),
         "http", true /*modify_httponly*/));
 
     EXPECT_EQ(14U, this->GetAllCookies(cm).size());
@@ -814,10 +822,11 @@ class CookieMonsterTestBase : public CookieStoreTest<T> {
       std::unique_ptr<CanonicalCookie> cc(std::make_unique<CanonicalCookie>(
           "a", "1", base::StringPrintf("h%05d.izzle", i), "/" /* path */,
           creation_time, base::Time() /* expiration_time */,
-          creation_time /* last_access */, false /* secure */,
+          creation_time /* last_access */, true /* secure */,
           false /* http_only */, CookieSameSite::NO_RESTRICTION,
           COOKIE_PRIORITY_DEFAULT));
-      cm->SetCanonicalCookieAsync(std::move(cc), "http", CookieOptions(),
+      cm->SetCanonicalCookieAsync(std::move(cc), "https",
+                                  CookieOptions::MakeAllInclusive(),
                                   CookieStore::SetCookiesCallback());
     }
     return cm;
@@ -839,7 +848,7 @@ class CookieMonsterTestBase : public CookieStoreTest<T> {
 
     return false;
   }
-  TestNetLog net_log_;
+  RecordingTestNetLog net_log_;
 };
 
 using CookieMonsterTest = CookieMonsterTestBase<CookieMonsterTestTraits>;
@@ -933,7 +942,8 @@ TEST_F(DeferredCookieTaskTest, DeferredGetCookieList) {
 
   GetCookieListCallback call1;
   cookie_monster_->GetCookieListWithOptionsAsync(
-      http_www_foo_.url(), CookieOptions(), call1.MakeCallback());
+      http_www_foo_.url(), CookieOptions::MakeAllInclusive(),
+      call1.MakeCallback());
   base::RunLoop().RunUntilIdle();
   EXPECT_FALSE(call1.was_run());
 
@@ -945,7 +955,8 @@ TEST_F(DeferredCookieTaskTest, DeferredGetCookieList) {
 
   GetCookieListCallback call2;
   cookie_monster_->GetCookieListWithOptionsAsync(
-      http_www_foo_.url(), CookieOptions(), call2.MakeCallback());
+      http_www_foo_.url(), CookieOptions::MakeAllInclusive(),
+      call2.MakeCallback());
   // Already ready, no need for second load.
   EXPECT_THAT(call2.cookies(), MatchesCookieLine("X=1"));
   EXPECT_EQ("", TakeCommandSummary());
@@ -959,7 +970,8 @@ TEST_F(DeferredCookieTaskTest, DeferredSetCookie) {
   cookie_monster_->SetCanonicalCookieAsync(
       CanonicalCookie::Create(http_www_foo_.url(), "A=B", base::Time::Now(),
                               base::nullopt /* server_time */),
-      http_www_foo_.url().scheme(), CookieOptions(), call1.MakeCallback());
+      http_www_foo_.url().scheme(), CookieOptions::MakeAllInclusive(),
+      call1.MakeCallback());
   base::RunLoop().RunUntilIdle();
   EXPECT_FALSE(call1.was_run());
 
@@ -972,7 +984,8 @@ TEST_F(DeferredCookieTaskTest, DeferredSetCookie) {
   cookie_monster_->SetCanonicalCookieAsync(
       CanonicalCookie::Create(http_www_foo_.url(), "X=Y", base::Time::Now(),
                               base::nullopt /* server_time */),
-      http_www_foo_.url().scheme(), CookieOptions(), call2.MakeCallback());
+      http_www_foo_.url().scheme(), CookieOptions::MakeAllInclusive(),
+      call2.MakeCallback());
   ASSERT_TRUE(call2.was_run());
   EXPECT_TRUE(call2.result().IsInclude());
   EXPECT_EQ("ADD; ", TakeCommandSummary());
@@ -1065,7 +1078,8 @@ TEST_F(DeferredCookieTaskTest, DeferredGetAllForUrlWithOptionsCookies) {
 
   GetCookieListCallback call1;
   cookie_monster_->GetCookieListWithOptionsAsync(
-      http_www_foo_.url(), CookieOptions(), call1.MakeCallback());
+      http_www_foo_.url(), CookieOptions::MakeAllInclusive(),
+      call1.MakeCallback());
   base::RunLoop().RunUntilIdle();
   EXPECT_FALSE(call1.was_run());
 
@@ -1076,7 +1090,8 @@ TEST_F(DeferredCookieTaskTest, DeferredGetAllForUrlWithOptionsCookies) {
 
   GetCookieListCallback call2;
   cookie_monster_->GetCookieListWithOptionsAsync(
-      http_www_foo_.url(), CookieOptions(), call2.MakeCallback());
+      http_www_foo_.url(), CookieOptions::MakeAllInclusive(),
+      call2.MakeCallback());
   EXPECT_TRUE(call2.was_run());
   EXPECT_THAT(call2.cookies(), MatchesCookieLine("X=1"));
   EXPECT_EQ("", TakeCommandSummary());
@@ -1206,7 +1221,7 @@ TEST_F(DeferredCookieTaskTest, DeferredTaskOrder) {
       set_cookies_callback;
   base::RunLoop run_loop;
   cookie_monster_->GetCookieListWithOptionsAsync(
-      http_www_foo_.url(), CookieOptions(),
+      http_www_foo_.url(), CookieOptions::MakeAllInclusive(),
       base::BindLambdaForTesting([&](const CookieStatusList& cookies,
                                      const CookieStatusList& excluded_list) {
         // This should complete before the set.
@@ -1221,7 +1236,7 @@ TEST_F(DeferredCookieTaskTest, DeferredTaskOrder) {
         // Queue up a second get. It should see the result of the set queued
         // before it.
         cookie_monster_->GetCookieListWithOptionsAsync(
-            http_www_foo_.url(), CookieOptions(),
+            http_www_foo_.url(), CookieOptions::MakeAllInclusive(),
             get_cookie_list_callback_deferred.MakeCallback());
 
         run_loop.Quit();
@@ -1230,7 +1245,7 @@ TEST_F(DeferredCookieTaskTest, DeferredTaskOrder) {
   cookie_monster_->SetCanonicalCookieAsync(
       CanonicalCookie::Create(http_www_foo_.url(), "A=B", base::Time::Now(),
                               base::nullopt /* server_time */),
-      http_www_foo_.url().scheme(), CookieOptions(),
+      http_www_foo_.url().scheme(), CookieOptions::MakeAllInclusive(),
       set_cookies_callback.MakeCallback());
 
   // Nothing happened yet, before loads are done.
@@ -1253,8 +1268,7 @@ TEST_F(DeferredCookieTaskTest, DeferredTaskOrder) {
 TEST_F(CookieMonsterTest, TestCookieDeleteAll) {
   scoped_refptr<MockPersistentCookieStore> store(new MockPersistentCookieStore);
   std::unique_ptr<CookieMonster> cm(new CookieMonster(store.get(), &net_log_));
-  CookieOptions options;
-  options.set_include_httponly();
+  CookieOptions options = CookieOptions::MakeAllInclusive();
 
   EXPECT_TRUE(SetCookie(cm.get(), http_www_foo_.url(), kValidCookieLine));
   EXPECT_EQ("A=B", GetCookies(cm.get(), http_www_foo_.url()));
@@ -1400,7 +1414,7 @@ TEST_F(CookieMonsterTest, TestLastAccess) {
   // is requested with options that would update the access date. First, test
   // that the flag's behavior is respected.
   base::PlatformThread::Sleep(kAccessDelay);
-  CookieOptions options;
+  CookieOptions options = CookieOptions::MakeAllInclusive();
   options.set_do_not_update_access_time();
   EXPECT_EQ("A=B",
             GetCookiesWithOptions(cm.get(), http_www_foo_.url(), options));
@@ -1417,7 +1431,7 @@ TEST_F(CookieMonsterTest, TestLastAccess) {
   EXPECT_TRUE(++it == cookies.end());
 
   // If the flag isn't set, the last accessed time should be updated.
-  options = CookieOptions();
+  options.set_update_access_time();
   EXPECT_EQ("A=B",
             GetCookiesWithOptions(cm.get(), http_www_foo_.url(), options));
   EXPECT_FALSE(last_access_date == GetFirstCookieAccessDate(cm.get()));
@@ -1502,8 +1516,7 @@ TEST_F(CookieMonsterTest, GetAllCookiesForURL) {
       new CookieMonster(nullptr, kLastAccessThreshold, &net_log_));
 
   // Create an httponly cookie.
-  CookieOptions options;
-  options.set_include_httponly();
+  CookieOptions options = CookieOptions::MakeAllInclusive();
 
   EXPECT_TRUE(CreateAndSetCookie(cm.get(), http_www_foo_.url(), "A=B; httponly",
                                  options));
@@ -1537,8 +1550,11 @@ TEST_F(CookieMonsterTest, GetAllCookiesForURL) {
   ASSERT_TRUE(++it == cookies.end());
 
   // Check cookies for url excluding http-only cookies.
+  CookieOptions exclude_httponly = options;
+  exclude_httponly.set_exclude_httponly();
+
   cookies = GetAllCookiesForURLWithOptions(cm.get(), http_www_foo_.url(),
-                                           CookieOptions());
+                                           exclude_httponly);
   it = cookies.begin();
 
   ASSERT_TRUE(it != cookies.end());
@@ -1574,8 +1590,7 @@ TEST_F(CookieMonsterTest, GetExcludedCookiesForURL) {
       new CookieMonster(nullptr, kLastAccessThreshold, &net_log_));
 
   // Create an httponly cookie.
-  CookieOptions options;
-  options.set_include_httponly();
+  CookieOptions options = CookieOptions::MakeAllInclusive();
 
   EXPECT_TRUE(CreateAndSetCookie(cm.get(), http_www_foo_.url(), "A=B; httponly",
                                  options));
@@ -1612,9 +1627,11 @@ TEST_F(CookieMonsterTest, GetExcludedCookiesForURL) {
   ASSERT_TRUE(++iter == excluded_cookies.end());
 
   // Checking that excluded cookies get sent with their statuses with http-only.
-  CookieOptions return_excluded = CookieOptions();
+  CookieOptions return_excluded;
   return_excluded.set_return_excluded_cookies();
   return_excluded.set_exclude_httponly();
+  return_excluded.set_same_site_cookie_context(
+      CookieOptions::SameSiteCookieContext::SAME_SITE_STRICT);
 
   excluded_cookies = GetExcludedCookiesForURLWithOptions(
       cm.get(), http_www_foo_.url(), return_excluded);
@@ -1643,7 +1660,7 @@ TEST_F(CookieMonsterTest, GetExcludedCookiesForURL) {
 
 TEST_F(CookieMonsterTest, GetAllCookiesForURLPathMatching) {
   std::unique_ptr<CookieMonster> cm(new CookieMonster(nullptr, &net_log_));
-  CookieOptions options;
+  CookieOptions options = CookieOptions::MakeAllInclusive();
 
   EXPECT_TRUE(CreateAndSetCookie(cm.get(), www_foo_foo_.url(),
                                  "A=B; path=/foo;", options));
@@ -1681,7 +1698,7 @@ TEST_F(CookieMonsterTest, GetAllCookiesForURLPathMatching) {
 
 TEST_F(CookieMonsterTest, GetExcludedCookiesForURLPathMatching) {
   std::unique_ptr<CookieMonster> cm(new CookieMonster(nullptr, &net_log_));
-  CookieOptions options;
+  CookieOptions options = CookieOptions::MakeAllInclusive();
 
   EXPECT_TRUE(CreateAndSetCookie(cm.get(), www_foo_foo_.url(),
                                  "A=B; path=/foo;", options));
@@ -1965,14 +1982,14 @@ TEST_F(CookieMonsterTest, BackingStoreCommunication) {
   base::Time expires(base::Time::Now() + base::TimeDelta::FromSeconds(100));
 
   const CookiesInputInfo input_info[] = {
-      {GURL("http://a.b.foo.com"), "a", "1", "a.b.foo.com", "/path/to/cookie",
-       expires, false, false, CookieSameSite::NO_RESTRICTION,
+      {GURL("https://a.b.foo.com"), "a", "1", "a.b.foo.com", "/path/to/cookie",
+       expires, true /* secure */, false, CookieSameSite::NO_RESTRICTION,
        COOKIE_PRIORITY_DEFAULT},
       {GURL("https://www.foo.com"), "b", "2", ".foo.com", "/path/from/cookie",
        expires + TimeDelta::FromSeconds(10), true, true,
        CookieSameSite::NO_RESTRICTION, COOKIE_PRIORITY_DEFAULT},
       {GURL("https://foo.com"), "c", "3", "foo.com", "/another/path/to/cookie",
-       base::Time::Now() + base::TimeDelta::FromSeconds(100), true, false,
+       base::Time::Now() + base::TimeDelta::FromSeconds(100), false, false,
        CookieSameSite::STRICT_MODE, COOKIE_PRIORITY_DEFAULT}};
   const int INPUT_DELETE = 1;
 
@@ -2207,7 +2224,8 @@ TEST_F(CookieMonsterTest, WhileLoadingLoadCompletesBeforeKeyLoadCompletes) {
                                         base::nullopt /* server_time */);
   ResultSavingCookieCallback<CanonicalCookie::CookieInclusionStatus>
       set_cookie_callback;
-  cm->SetCanonicalCookieAsync(std::move(cookie), kUrl.scheme(), CookieOptions(),
+  cm->SetCanonicalCookieAsync(std::move(cookie), kUrl.scheme(),
+                              CookieOptions::MakeAllInclusive(),
                               set_cookie_callback.MakeCallback());
 
   GetAllCookiesCallback get_cookies_callback1;
@@ -2255,7 +2273,7 @@ TEST_F(CookieMonsterTest, WhileLoadingDeleteAllGetForURL) {
   cm->DeleteAllAsync(delete_callback.MakeCallback());
 
   GetCookieListCallback get_cookie_list_callback;
-  cm->GetCookieListWithOptionsAsync(kUrl, CookieOptions(),
+  cm->GetCookieListWithOptionsAsync(kUrl, CookieOptions::MakeAllInclusive(),
                                     get_cookie_list_callback.MakeCallback());
 
   // Only the main load should have been queued.
@@ -2295,7 +2313,8 @@ TEST_F(CookieMonsterTest, WhileLoadingGetAllSetGetAll) {
                                         base::nullopt /* server_time */);
   ResultSavingCookieCallback<CanonicalCookie::CookieInclusionStatus>
       set_cookie_callback;
-  cm->SetCanonicalCookieAsync(std::move(cookie), kUrl.scheme(), CookieOptions(),
+  cm->SetCanonicalCookieAsync(std::move(cookie), kUrl.scheme(),
+                              CookieOptions::MakeAllInclusive(),
                               set_cookie_callback.MakeCallback());
 
   GetAllCookiesCallback get_cookies_callback2;
@@ -2346,7 +2365,7 @@ TEST_F(CookieMonsterTest, CheckOrderOfCookieTaskQueueWhenLoadingCompletes) {
       &RunClosureOnAllCookiesReceived,
       base::BindOnce(&CookieStore::SetCanonicalCookieAsync,
                      base::Unretained(cm.get()), std::move(cookie),
-                     kUrl.scheme(), CookieOptions(),
+                     kUrl.scheme(), CookieOptions::MakeAllInclusive(),
                      set_cookie_callback.MakeCallback())));
 
   // Get cookie task. Queued before the delete task is executed, so should not
@@ -2533,9 +2552,8 @@ TEST_F(CookieMonsterTest, HistogramCheck) {
       std::make_unique<CanonicalCookie>(
           "a", "b", "a.url", "/", base::Time(),
           base::Time::Now() + base::TimeDelta::FromMinutes(59), base::Time(),
-          false, false, CookieSameSite::NO_RESTRICTION,
-          COOKIE_PRIORITY_DEFAULT),
-      "http", true /*modify_httponly*/));
+          true, false, CookieSameSite::NO_RESTRICTION, COOKIE_PRIORITY_DEFAULT),
+      "https", true /*modify_httponly*/));
 
   std::unique_ptr<base::HistogramSamples> samples2(
       expired_histogram->SnapshotSamples());
@@ -2735,110 +2753,107 @@ TEST_F(CookieMonsterTest, CookieSourceHistogram) {
       CookieMonster::COOKIE_SOURCE_NONSECURE_COOKIE_NONCRYPTOGRAPHIC_SCHEME, 1);
 }
 
-// Test that cookie delete equivalent histograms are recorded correctly.
-TEST_F(CookieMonsterTest, CookieDeleteEquivalentHistogramTest) {
-  base::HistogramTester histograms;
-  const std::string cookie_source_histogram = "Cookie.CookieDeleteEquivalent";
-
+TEST_F(CookieMonsterTest, MaybeDeleteEquivalentCookieAndUpdateStatus) {
   scoped_refptr<MockPersistentCookieStore> store(new MockPersistentCookieStore);
   std::unique_ptr<CookieMonster> cm(new CookieMonster(store.get(), &net_log_));
 
-  // Set a secure cookie from a secure origin
-  EXPECT_TRUE(SetCookie(cm.get(), https_www_foo_.url(), "A=B; Secure"));
-  histograms.ExpectTotalCount(cookie_source_histogram, 1);
-  histograms.ExpectBucketCount(cookie_source_histogram,
-                               CookieMonster::COOKIE_DELETE_EQUIVALENT_ATTEMPT,
-                               1);
+  // Set a secure, httponly cookie from a secure origin
+  auto preexisting_cookie = CanonicalCookie::Create(
+      https_www_foo_.url(), "A=B;Secure;HttpOnly", base::Time::Now(),
+      base::nullopt /* server_time */);
+  CanonicalCookie::CookieInclusionStatus status =
+      SetCanonicalCookieReturnStatus(cm.get(), std::move(preexisting_cookie),
+                                     "https", true /* can_modify_httponly */);
+  ASSERT_TRUE(status.IsInclude());
 
-  // Set a new cookie with a different name from a variety of origins (including
-  // the same one).
+  // Set a new cookie with a different name. Should work because cookies with
+  // different names are not considered equivalent nor "equivalent for secure
+  // cookie matching".
+  // Same origin:
   EXPECT_TRUE(SetCookie(cm.get(), https_www_foo_.url(), "B=A;"));
-  histograms.ExpectTotalCount(cookie_source_histogram, 2);
-  histograms.ExpectBucketCount(cookie_source_histogram,
-                               CookieMonster::COOKIE_DELETE_EQUIVALENT_ATTEMPT,
-                               2);
+  // Different scheme, same domain:
   EXPECT_TRUE(SetCookie(cm.get(), http_www_foo_.url(), "C=A;"));
-  histograms.ExpectTotalCount(cookie_source_histogram, 3);
-  histograms.ExpectBucketCount(cookie_source_histogram,
-                               CookieMonster::COOKIE_DELETE_EQUIVALENT_ATTEMPT,
-                               3);
 
-  // Set a non-secure cookie from an insecure origin that matches the name of an
-  // already existing cookie and additionally is equivalent to the existing
-  // cookie. This should fail since it's trying to overwrite a secure cookie.
-  EXPECT_FALSE(SetCookie(cm.get(), http_www_foo_.url(), "A=B;"));
-  histograms.ExpectTotalCount(cookie_source_histogram, 6);
-  histograms.ExpectBucketCount(cookie_source_histogram,
-                               CookieMonster::COOKIE_DELETE_EQUIVALENT_ATTEMPT,
-                               4);
-  histograms.ExpectBucketCount(cookie_source_histogram,
-                               CookieMonster::COOKIE_DELETE_EQUIVALENT_FOUND,
-                               0);
-  histograms.ExpectBucketCount(
-      cookie_source_histogram,
-      CookieMonster::COOKIE_DELETE_EQUIVALENT_SKIPPING_SECURE, 1);
-  histograms.ExpectBucketCount(
-      cookie_source_histogram,
-      CookieMonster::COOKIE_DELETE_EQUIVALENT_WOULD_HAVE_DELETED, 1);
+  // Set a non-Secure cookie from an insecure origin that is
+  // equivalent to the pre-existing Secure cookie.
+  auto bad_cookie =
+      CanonicalCookie::Create(http_www_foo_.url(), "A=D", base::Time::Now(),
+                              base::nullopt /* server_time */);
+  // Allow modifying HttpOnly, so that we don't skip preexisting cookies for
+  // being HttpOnly.
+  status = SetCanonicalCookieReturnStatus(
+      cm.get(), std::move(bad_cookie), "http", true /* can_modify_httponly */);
+  EXPECT_TRUE(status.HasExactlyExclusionReasonsForTesting(
+      {CanonicalCookie::CookieInclusionStatus::EXCLUDE_OVERWRITE_SECURE}));
+  // The preexisting cookie should still be there.
+  EXPECT_THAT(GetCookiesWithOptions(cm.get(), https_www_foo_.url(),
+                                    CookieOptions::MakeAllInclusive()),
+              ::testing::HasSubstr("A=B"));
 
   auto entries = net_log_.GetEntries();
-  ExpectLogContainsSomewhere(
+  size_t skipped_secure_netlog_index = ExpectLogContainsSomewhere(
       entries, 0, NetLogEventType::COOKIE_STORE_COOKIE_REJECTED_SECURE,
       NetLogEventPhase::NONE);
+  EXPECT_FALSE(LogContainsEntryWithTypeAfter(
+      entries, 0, NetLogEventType::COOKIE_STORE_COOKIE_REJECTED_HTTPONLY));
+  ExpectLogContainsSomewhereAfter(
+      entries, skipped_secure_netlog_index,
+      NetLogEventType::COOKIE_STORE_COOKIE_PRESERVED_SKIPPED_SECURE,
+      NetLogEventPhase::NONE);
+
+  net_log_.Clear();
 
   // Set a non-secure cookie from an insecure origin that matches the name of an
   // already existing cookie but is not equivalent. This should fail since it's
   // trying to shadow a secure cookie.
-  EXPECT_FALSE(
-      SetCookie(cm.get(), http_www_foo_.url(), "A=C; path=/some/path"));
-  histograms.ExpectTotalCount(cookie_source_histogram, 8);
-  histograms.ExpectBucketCount(cookie_source_histogram,
-                               CookieMonster::COOKIE_DELETE_EQUIVALENT_ATTEMPT,
-                               5);
-  histograms.ExpectBucketCount(
-      cookie_source_histogram,
-      CookieMonster::COOKIE_DELETE_EQUIVALENT_SKIPPING_SECURE, 2);
-
-  // Set a secure cookie from a secure origin that matches the name of an
-  // already existing cookies and is equivalent.
-  EXPECT_TRUE(SetCookie(cm.get(), https_www_foo_.url(), "A=D; secure"));
-  histograms.ExpectTotalCount(cookie_source_histogram, 10);
-  histograms.ExpectBucketCount(cookie_source_histogram,
-                               CookieMonster::COOKIE_DELETE_EQUIVALENT_ATTEMPT,
-                               6);
-  histograms.ExpectBucketCount(cookie_source_histogram,
-                               CookieMonster::COOKIE_DELETE_EQUIVALENT_FOUND,
-                               1);
-  histograms.ExpectBucketCount(
-      cookie_source_histogram,
-      CookieMonster::COOKIE_DELETE_EQUIVALENT_FOUND_WITH_SAME_VALUE, 0);
-
-  // Set a secure cookie from a secure origin that matches the name of an
-  // already existing cookie and is not equivalent.
-  EXPECT_TRUE(SetCookie(cm.get(), https_www_foo_.url(),
-                        "A=E; secure; path=/some/other/path"));
-  histograms.ExpectTotalCount(cookie_source_histogram, 11);
-  histograms.ExpectBucketCount(cookie_source_histogram,
-                               CookieMonster::COOKIE_DELETE_EQUIVALENT_ATTEMPT,
-                               7);
-
-  // Set a cookie that matches both the name and value of an already existing
-  // cookie.
-  EXPECT_TRUE(SetCookie(cm.get(), https_www_foo_.url(), "A=D; secure"));
-  histograms.ExpectTotalCount(cookie_source_histogram, 14);
-  histograms.ExpectBucketCount(cookie_source_histogram,
-                               CookieMonster::COOKIE_DELETE_EQUIVALENT_ATTEMPT,
-                               8);
-  histograms.ExpectBucketCount(cookie_source_histogram,
-                               CookieMonster::COOKIE_DELETE_EQUIVALENT_FOUND,
-                               2);
-  histograms.ExpectBucketCount(
-      cookie_source_histogram,
-      CookieMonster::COOKIE_DELETE_EQUIVALENT_FOUND_WITH_SAME_VALUE, 1);
+  bad_cookie = CanonicalCookie::Create(
+      http_www_foo_.url(), "A=E; path=/some/path", base::Time::Now(),
+      base::nullopt /* server_time */);
+  // Allow modifying HttpOnly, so that we don't skip preexisting cookies for
+  // being HttpOnly.
+  status = SetCanonicalCookieReturnStatus(
+      cm.get(), std::move(bad_cookie), "http", true /* can_modify_httponly */);
+  EXPECT_TRUE(status.HasExactlyExclusionReasonsForTesting(
+      {CanonicalCookie::CookieInclusionStatus::EXCLUDE_OVERWRITE_SECURE}));
+  // The preexisting cookie should still be there.
+  EXPECT_THAT(GetCookiesWithOptions(cm.get(), https_www_foo_.url(),
+                                    CookieOptions::MakeAllInclusive()),
+              ::testing::HasSubstr("A=B"));
+
+  entries = net_log_.GetEntries();
+  skipped_secure_netlog_index = ExpectLogContainsSomewhere(
+      entries, 0, NetLogEventType::COOKIE_STORE_COOKIE_REJECTED_SECURE,
+      NetLogEventPhase::NONE);
+  EXPECT_FALSE(LogContainsEntryWithTypeAfter(
+      entries, 0, NetLogEventType::COOKIE_STORE_COOKIE_REJECTED_HTTPONLY));
+  // There wasn't actually a strictly equivalent cookie that we would have
+  // deleted.
+  EXPECT_FALSE(LogContainsEntryWithTypeAfter(
+      entries, skipped_secure_netlog_index,
+      NetLogEventType::COOKIE_STORE_COOKIE_PRESERVED_SKIPPED_SECURE));
+
+  net_log_.Clear();
+
+  // Test skipping equivalent cookie for HttpOnly only.
+  bad_cookie = CanonicalCookie::Create(https_www_foo_.url(), "A=E; Secure",
+                                       base::Time::Now(),
+                                       base::nullopt /* server_time */);
+  status =
+      SetCanonicalCookieReturnStatus(cm.get(), std::move(bad_cookie), "https",
+                                     false /* can_modify_httponly */);
+  EXPECT_TRUE(status.HasExactlyExclusionReasonsForTesting(
+      {CanonicalCookie::CookieInclusionStatus::EXCLUDE_OVERWRITE_HTTP_ONLY}));
+
+  entries = net_log_.GetEntries();
+  ExpectLogContainsSomewhere(
+      entries, 0, NetLogEventType::COOKIE_STORE_COOKIE_REJECTED_HTTPONLY,
+      NetLogEventPhase::NONE);
+  EXPECT_FALSE(LogContainsEntryWithTypeAfter(
+      entries, 0, NetLogEventType::COOKIE_STORE_COOKIE_REJECTED_SECURE));
 }
 
-// Test skipping a cookie in DeleteAnyEquivalentCookie for multiple reasons
-// (Secure and HttpOnly).
+// Test skipping a cookie in MaybeDeleteEquivalentCookieAndUpdateStatus for
+// multiple reasons (Secure and HttpOnly).
 TEST_F(CookieMonsterTest, SkipDontOverwriteForMultipleReasons) {
   scoped_refptr<MockPersistentCookieStore> store(new MockPersistentCookieStore);
   std::unique_ptr<CookieMonster> cm(new CookieMonster(store.get(), &net_log_));
@@ -2862,6 +2877,14 @@ TEST_F(CookieMonsterTest, SkipDontOverwriteForMultipleReasons) {
   EXPECT_TRUE(status.HasExactlyExclusionReasonsForTesting(
       {CanonicalCookie::CookieInclusionStatus::EXCLUDE_OVERWRITE_SECURE,
        CanonicalCookie::CookieInclusionStatus::EXCLUDE_OVERWRITE_HTTP_ONLY}));
+
+  auto entries = net_log_.GetEntries();
+  ExpectLogContainsSomewhere(
+      entries, 0, NetLogEventType::COOKIE_STORE_COOKIE_REJECTED_SECURE,
+      NetLogEventPhase::NONE);
+  ExpectLogContainsSomewhere(
+      entries, 0, NetLogEventType::COOKIE_STORE_COOKIE_REJECTED_HTTPONLY,
+      NetLogEventPhase::NONE);
 }
 
 // Test that when we check for equivalent cookies, we don't remove any if the
@@ -3055,8 +3078,7 @@ TEST_F(CookieMonsterTest, SetSecureCookies) {
 
   // Verify that if an httponly version of the cookie exists, adding a Secure
   // version of the cookie still does not overwrite it.
-  CookieOptions include_httponly;
-  include_httponly.set_include_httponly();
+  CookieOptions include_httponly = CookieOptions::MakeAllInclusive();
   EXPECT_TRUE(CreateAndSetCookie(cm.get(), https_url, "C=D; httponly",
                                  include_httponly));
   // Note that the lack of an explicit options object below uses the default,
@@ -3234,11 +3256,12 @@ TEST_F(CookieMonsterTest, SetCanonicalCookieDoesNotBlockForLoadAll) {
   cm.SetCanonicalCookieAsync(
       CanonicalCookie::Create(GURL("http://a.com/"), "A=B", base::Time::Now(),
                               base::nullopt /* server_time */),
-      "http", CookieOptions(), callback_set.MakeCallback());
+      "http", CookieOptions::MakeAllInclusive(), callback_set.MakeCallback());
 
   // Get cookies for a different URL.
   GetCookieListCallback callback_get;
-  cm.GetCookieListWithOptionsAsync(GURL("http://b.com/"), CookieOptions(),
+  cm.GetCookieListWithOptionsAsync(GURL("http://b.com/"),
+                                   CookieOptions::MakeAllInclusive(),
                                    callback_get.MakeCallback());
 
   // Now go through the store commands, and execute individual loads.
@@ -3281,8 +3304,8 @@ TEST_F(CookieMonsterTest, DeleteDuplicateCTime) {
     }
 
     // Delete the run'th cookie.
-    CookieList all_cookies =
-        GetAllCookiesForURLWithOptions(&cm, url, CookieOptions());
+    CookieList all_cookies = GetAllCookiesForURLWithOptions(
+        &cm, url, CookieOptions::MakeAllInclusive());
     ASSERT_EQ(all_cookies.size(), base::size(kNames));
     for (size_t i = 0; i < base::size(kNames); ++i) {
       const CanonicalCookie& cookie = all_cookies[i];
@@ -3292,7 +3315,8 @@ TEST_F(CookieMonsterTest, DeleteDuplicateCTime) {
     }
 
     // Check that the right cookie got removed.
-    all_cookies = GetAllCookiesForURLWithOptions(&cm, url, CookieOptions());
+    all_cookies = GetAllCookiesForURLWithOptions(
+        &cm, url, CookieOptions::MakeAllInclusive());
     ASSERT_EQ(all_cookies.size(), base::size(kNames) - 1);
     for (size_t i = 0; i < base::size(kNames) - 1; ++i) {
       const CanonicalCookie& cookie = all_cookies[i];
@@ -3306,7 +3330,7 @@ TEST_F(CookieMonsterTest, DeleteCookieWithInheritedTimestamps) {
   Time t2 = t1 + base::TimeDelta::FromSeconds(1);
   GURL url("http://www.example.com");
   std::string cookie_line = "foo=bar";
-  CookieOptions options;
+  CookieOptions options = CookieOptions::MakeAllInclusive();
   base::Optional<base::Time> server_time = base::nullopt;
   CookieMonster cm(nullptr, nullptr);
 
@@ -3378,7 +3402,8 @@ TEST_F(CookieMonsterTest, RejectCreatedSecureCookieOnSet) {
 
   // Cookie is rejected when attempting to set from a non-secure scheme.
   ResultSavingCookieCallback<CanonicalCookie::CookieInclusionStatus> callback;
-  cm.SetCanonicalCookieAsync(std::move(cookie), "http", CookieOptions(),
+  cm.SetCanonicalCookieAsync(std::move(cookie), "http",
+                             CookieOptions::MakeAllInclusive(),
                              callback.MakeCallback());
   callback.WaitUntilDone();
   EXPECT_TRUE(callback.result().HasExactlyExclusionReasonsForTesting(
@@ -3402,6 +3427,8 @@ TEST_F(CookieMonsterTest, RejectCreatedHttpOnlyCookieOnSet) {
   // Cookie is rejected when attempting to set with a CookieOptions that does
   // not allow httponly.
   CookieOptions options_no_httponly;
+  options_no_httponly.set_same_site_cookie_context(
+      CookieOptions::SameSiteCookieContext::SAME_SITE_STRICT);
   options_no_httponly.set_exclude_httponly();  // Default, but make it explicit.
   ResultSavingCookieCallback<CanonicalCookie::CookieInclusionStatus> callback;
   cm.SetCanonicalCookieAsync(std::move(cookie), "http", options_no_httponly,
@@ -3514,15 +3541,13 @@ TEST_F(CookieMonsterTest, CookiesWithoutSameSiteMustBeSecure) {
     base::test::ScopedFeatureList feature_list;
     if (test.is_cookies_without_samesite_must_be_secure_enabled) {
       feature_list.InitWithFeatures(
-          {features::kSameSiteByDefaultCookies,
-           features::
-               kCookiesWithoutSameSiteMustBeSecure} /* enabled_features */,
+          {kSameSiteByDefaultCookies,
+           kCookiesWithoutSameSiteMustBeSecure} /* enabled_features */,
           {} /* disabled_features */);
     } else {
       feature_list.InitWithFeatures(
-          {features::kSameSiteByDefaultCookies} /* enabled_features */,
-          {features::
-               kCookiesWithoutSameSiteMustBeSecure} /* disabled_features */);
+          {kSameSiteByDefaultCookies} /* enabled_features */,
+          {kCookiesWithoutSameSiteMustBeSecure} /* disabled_features */);
     }
     ASSERT_TRUE(cookie_util::IsSameSiteByDefaultCookiesEnabled());
     ASSERT_EQ(test.is_cookies_without_samesite_must_be_secure_enabled,
@@ -3632,47 +3657,92 @@ class CookieMonsterLegacyCookieAccessTest : public CookieMonsterTest {
   CookieMonsterLegacyCookieAccessTest()
       : cm_(std::make_unique<CookieMonster>(nullptr /* store */,
                                             nullptr /* netlog */)) {
+    // Need to reset first because there cannot be two TaskEnvironments at the
+    // same time.
+    task_environment_.reset();
+    task_environment_ =
+        std::make_unique<base::test::SingleThreadTaskEnvironment>(
+            base::test::TaskEnvironment::TimeSource::MOCK_TIME);
+
     std::unique_ptr<TestCookieAccessDelegate> access_delegate =
         std::make_unique<TestCookieAccessDelegate>();
     access_delegate_ = access_delegate.get();
     cm_->SetCookieAccessDelegate(std::move(access_delegate));
+
+    feature_list_ = std::make_unique<base::test::ScopedFeatureList>();
   }
 
   ~CookieMonsterLegacyCookieAccessTest() override {}
 
-  void SetFeatures(bool is_same_site_by_default_cookies_enabled,
-                   bool is_cookies_without_samesite_must_be_secure_enabled) {
+  // The third parameter is nullopt if
+  // kRecentHttpSameSiteAccessGrantsLegacyCookieSemantics is not enabled.
+  // Otherwise it gives the value of the corresponding parameter.
+  // Similarly for the fourth parameter, which is for
+  // kRecentCreationTimeGrantsLegacyCookieSemantics.
+  void SetFeatures(
+      bool is_same_site_by_default_cookies_enabled,
+      bool is_cookies_without_samesite_must_be_secure_enabled,
+      base::Optional<int>
+          milliseconds_for_http_same_site_access_grants_legacy_semantics,
+      base::Optional<int>
+          milliseconds_for_creation_time_grants_legacy_semantics) {
     feature_list_ = std::make_unique<base::test::ScopedFeatureList>();
 
-    std::vector<base::Feature> enabled;
+    std::vector<base::test::ScopedFeatureList::FeatureAndParams> enabled;
     std::vector<base::Feature> disabled;
 
     if (is_same_site_by_default_cookies_enabled) {
-      enabled.push_back(features::kSameSiteByDefaultCookies);
+      enabled.push_back({kSameSiteByDefaultCookies, {}});
     } else {
-      disabled.push_back(features::kSameSiteByDefaultCookies);
+      disabled.push_back(kSameSiteByDefaultCookies);
     }
 
     if (is_cookies_without_samesite_must_be_secure_enabled) {
-      enabled.push_back(features::kCookiesWithoutSameSiteMustBeSecure);
+      enabled.push_back({kCookiesWithoutSameSiteMustBeSecure, {}});
+    } else {
+      disabled.push_back(kCookiesWithoutSameSiteMustBeSecure);
+    }
+
+    if (milliseconds_for_http_same_site_access_grants_legacy_semantics) {
+      enabled.push_back(
+          {kRecentHttpSameSiteAccessGrantsLegacyCookieSemantics,
+           {{kRecentHttpSameSiteAccessGrantsLegacyCookieSemanticsMilliseconds
+                 .name,
+             base::NumberToString(
+                 milliseconds_for_http_same_site_access_grants_legacy_semantics
+                     .value())}}});
     } else {
-      disabled.push_back(features::kCookiesWithoutSameSiteMustBeSecure);
+      disabled.push_back(kRecentHttpSameSiteAccessGrantsLegacyCookieSemantics);
     }
 
-    feature_list_->InitWithFeatures(enabled, disabled);
+    if (milliseconds_for_creation_time_grants_legacy_semantics) {
+      enabled.push_back(
+          {kRecentCreationTimeGrantsLegacyCookieSemantics,
+           {{kRecentCreationTimeGrantsLegacyCookieSemanticsMilliseconds.name,
+             base::NumberToString(
+                 milliseconds_for_creation_time_grants_legacy_semantics
+                     .value())}}});
+    } else {
+      disabled.push_back(kRecentCreationTimeGrantsLegacyCookieSemantics);
+    }
+
+    feature_list_->InitWithFeaturesAndParameters(enabled, disabled);
   }
 
  protected:
   const std::string kDomain = "example.test";
   const GURL kHttpsUrl = GURL("https://example.test");
   const GURL kHttpUrl = GURL("http://example.test");
+  // The FeatureList must be before the CookieMonster because the CookieMonster
+  // destructor expects the state of the features to be the same as when it's in
+  // use.
+  std::unique_ptr<base::test::ScopedFeatureList> feature_list_;
   std::unique_ptr<CookieMonster> cm_;
   TestCookieAccessDelegate* access_delegate_;
-  std::unique_ptr<base::test::ScopedFeatureList> feature_list_;
 };
 
 TEST_F(CookieMonsterLegacyCookieAccessTest, SetLegacyNoSameSiteCookie) {
-  SetFeatures(true, true);
+  SetFeatures(true, true, base::nullopt, base::nullopt);
   // Check that setting unspecified-SameSite cookie from cross-site context
   // fails if not set to Legacy semantics, but succeeds if set to legacy.
   EXPECT_FALSE(CreateAndSetCookie(cm_.get(), kHttpUrl, "cookie=chocolate_chip",
@@ -3694,13 +3764,13 @@ TEST_F(CookieMonsterLegacyCookieAccessTest, SetLegacyNoSameSiteCookie) {
 TEST_F(CookieMonsterLegacyCookieAccessTest, GetLegacyNoSameSiteCookie) {
   // Set an unspecified-SameSite cookie with SameSite features turned off.
   // Getting the cookie will succeed.
-  SetFeatures(false, false);
+  SetFeatures(false, false, base::nullopt, base::nullopt);
   ASSERT_TRUE(CreateAndSetCookie(cm_.get(), kHttpUrl, "cookie=chocolate_chip",
                                  CookieOptions()));
   EXPECT_EQ("cookie=chocolate_chip",
             GetCookiesWithOptions(cm_.get(), kHttpUrl, CookieOptions()));
   // Turn on the features. Now getting the cookie fails.
-  SetFeatures(true, true);
+  SetFeatures(true, true, base::nullopt, base::nullopt);
   access_delegate_->SetExpectationForCookieDomain(
       kDomain, CookieAccessSemantics::UNKNOWN);
   EXPECT_EQ("", GetCookiesWithOptions(cm_.get(), kHttpUrl, CookieOptions()));
@@ -3716,14 +3786,14 @@ TEST_F(CookieMonsterLegacyCookieAccessTest, GetLegacyNoSameSiteCookie) {
 
 TEST_F(CookieMonsterLegacyCookieAccessTest,
        SetLegacySameSiteNoneInsecureCookie) {
-  SetFeatures(true, true);
+  SetFeatures(true, true, base::nullopt, base::nullopt);
   access_delegate_->SetExpectationForCookieDomain(
       kDomain, CookieAccessSemantics::UNKNOWN);
   EXPECT_FALSE(CreateAndSetCookie(cm_.get(), kHttpsUrl,
                                   "cookie=oatmeal_raisin; SameSite=None",
                                   CookieOptions()));
   access_delegate_->SetExpectationForCookieDomain(
-      kDomain, CookieAccessSemantics::UNKNOWN);
+      kDomain, CookieAccessSemantics::NONLEGACY);
   EXPECT_FALSE(CreateAndSetCookie(cm_.get(), kHttpsUrl,
                                   "cookie=oatmeal_raisin; SameSite=None",
                                   CookieOptions()));
@@ -3741,14 +3811,14 @@ TEST_F(CookieMonsterLegacyCookieAccessTest,
        GetLegacySameSiteNoneInsecureCookie) {
   // Set an SameSite=None insecure cookie with SameSite features turned off.
   // Getting the cookie will succeed.
-  SetFeatures(false, false);
+  SetFeatures(false, false, base::nullopt, base::nullopt);
   ASSERT_TRUE(CreateAndSetCookie(cm_.get(), kHttpUrl,
                                  "cookie=oatmeal_raisin; SameSite=None",
                                  CookieOptions()));
   EXPECT_EQ("cookie=oatmeal_raisin",
             GetCookiesWithOptions(cm_.get(), kHttpUrl, CookieOptions()));
   // Turn on the features. Now getting the cookie fails.
-  SetFeatures(true, true);
+  SetFeatures(true, true, base::nullopt, base::nullopt);
   access_delegate_->SetExpectationForCookieDomain(
       kDomain, CookieAccessSemantics::UNKNOWN);
   EXPECT_EQ("", GetCookiesWithOptions(cm_.get(), kHttpUrl, CookieOptions()));
@@ -3764,7 +3834,7 @@ TEST_F(CookieMonsterLegacyCookieAccessTest,
 
 TEST_F(CookieMonsterLegacyCookieAccessTest, NonlegacyCookie) {
   // Nonlegacy cookie will have default as Lax.
-  SetFeatures(false, false);
+  SetFeatures(false, false, base::nullopt, base::nullopt);
   access_delegate_->SetExpectationForCookieDomain(
       kDomain, CookieAccessSemantics::NONLEGACY);
   EXPECT_FALSE(CreateAndSetCookie(cm_.get(), kHttpUrl, "cookie=chocolate_chip",
@@ -3779,4 +3849,161 @@ TEST_F(CookieMonsterLegacyCookieAccessTest, NonlegacyCookie) {
             GetCookiesWithOptions(cm_.get(), kHttpUrl, CookieOptions()));
 }
 
+// Test the RecentHttpSameSiteAccessGrantsLegacyCookieSemantics feature.
+TEST_F(CookieMonsterLegacyCookieAccessTest, RecentHttpSameSiteAccess) {
+  SetFeatures(true, true, 100, base::nullopt);
+  // This feature overrides the CookieAccessDelegate setting.
+  access_delegate_->SetExpectationForCookieDomain(
+      kDomain, CookieAccessSemantics::NONLEGACY);
+
+  // Set a cookie from a qualifying (HTTP and same-site) context.
+  CookieOptions http_lax_options;
+  http_lax_options.set_include_httponly();
+  http_lax_options.set_same_site_cookie_context(
+      CookieOptions::SameSiteCookieContext::SAME_SITE_LAX);
+  // This one only works because it's treated as Legacy, otherwise it would be
+  // rejected for being SameSite=None without secure.
+  EXPECT_TRUE(CreateAndSetCookie(cm_.get(), kHttpUrl, "cookie=1;SameSite=None",
+                                 http_lax_options));
+  // Subsequently getting the cookie from a cross-site context also works
+  // because we just accessed it in an eligible context.
+  EXPECT_EQ("cookie=1",
+            GetCookiesWithOptions(cm_.get(), kHttpUrl, CookieOptions()));
+  // This one should work regardless.
+  EXPECT_TRUE(
+      CreateAndSetCookie(cm_.get(), kHttpUrl, "cookie=2", http_lax_options));
+  // Subsequently getting the cookie from a cross-site context works even though
+  // it defaults to Lax, because we just accessed it in an eligible context.
+  EXPECT_EQ("cookie=2",
+            GetCookiesWithOptions(cm_.get(), kHttpUrl, CookieOptions()));
+  // After some delay less than the recency threshold, we can still get the
+  // cookie from a cross-site context because the last eligible access was
+  // recent enough.
+  task_environment_->FastForwardBy(TimeDelta::FromMilliseconds(90));
+  EXPECT_EQ("cookie=2",
+            GetCookiesWithOptions(cm_.get(), kHttpUrl, CookieOptions()));
+  // After a further delay that passes the recency threshold, we can no longer
+  // get the cookie from a cross-site context.
+  // Notably, the last access didn't reset the timer because it wasn't a
+  // same-site access.
+  task_environment_->FastForwardBy(TimeDelta::FromMilliseconds(20));
+  EXPECT_EQ("", GetCookiesWithOptions(cm_.get(), kHttpUrl, CookieOptions()));
+
+  // Deleting the cookie clears the last access time.
+  DeleteAll(cm_.get());
+
+  // Set a cookie from a same-site but not Http context. This should work
+  // because it's same-site, but does not activate the feature because it isn't
+  // http.
+  CookieOptions exclude_http_lax_options;
+  exclude_http_lax_options.set_exclude_httponly();
+  exclude_http_lax_options.set_same_site_cookie_context(
+      CookieOptions::SameSiteCookieContext::SAME_SITE_LAX);
+  EXPECT_TRUE(CreateAndSetCookie(cm_.get(), kHttpUrl, "cookie=1",
+                                 exclude_http_lax_options));
+  // There is no recent eligible last access time, because we deleted the
+  // cookie and subsequently re-set it from a non-eligible context.
+  EXPECT_EQ("", GetCookiesWithOptions(cm_.get(), kHttpUrl, CookieOptions()));
+  // Accessing it from a laxly same-site context works (because the cookie
+  // defaults to lax).
+  EXPECT_EQ("cookie=1",
+            GetCookiesWithOptions(cm_.get(), kHttpUrl, http_lax_options));
+  // However that doesn't count as a recent http same-site access because it was
+  // only laxly (not strictly) same-site, so getting the cookie from a
+  // cross-site context does not currently work.
+  EXPECT_EQ("", GetCookiesWithOptions(cm_.get(), kHttpUrl, CookieOptions()));
+  // Attempting to set a cookie (unsuccessfully) from an eligible context does
+  // not count.
+  CookieOptions http_strict_options;
+  http_strict_options.set_include_httponly();
+  http_strict_options.set_same_site_cookie_context(
+      CookieOptions::SameSiteCookieContext::SAME_SITE_STRICT);
+  EXPECT_FALSE(CreateAndSetCookie(cm_.get(), kHttpUrl, "cookie=2;Secure",
+                                  http_strict_options));
+  EXPECT_EQ("", GetCookiesWithOptions(cm_.get(), kHttpUrl, CookieOptions()));
+  // Now get the cookie from an eligible, Http and strictly same-site context.
+  EXPECT_EQ("cookie=1",
+            GetCookiesWithOptions(cm_.get(), kHttpUrl, http_strict_options));
+  // Subsequently getting the cookie from a cross-site context also works
+  // because we just accessed it in an eligible context.
+  EXPECT_EQ("cookie=1",
+            GetCookiesWithOptions(cm_.get(), kHttpUrl, CookieOptions()));
+  // After some delay less than the recency threshold, we can still get the
+  // cookie from a cross-site context because the last eligible access was
+  // recent enough.
+  task_environment_->FastForwardBy(TimeDelta::FromMilliseconds(90));
+  EXPECT_EQ("cookie=1",
+            GetCookiesWithOptions(cm_.get(), kHttpUrl, CookieOptions()));
+  // After a further delay that passes the recency threshold, we can no longer
+  // get the cookie from a cross-site context.
+  // Notably, the last access didn't reset the timer because it wasn't a
+  // same-site access.
+  task_environment_->FastForwardBy(TimeDelta::FromMilliseconds(20));
+  EXPECT_EQ("", GetCookiesWithOptions(cm_.get(), kHttpUrl, CookieOptions()));
+}
+
+// Test the RecentCreationTimeGrantsLegacyCookieSemantics feature.
+TEST_F(CookieMonsterLegacyCookieAccessTest, RecentCreationTime) {
+  SetFeatures(true, true, base::nullopt, 100);
+  // This feature overrides the CookieAccessDelegate setting.
+  access_delegate_->SetExpectationForCookieDomain(
+      kDomain, CookieAccessSemantics::NONLEGACY);
+
+  // While the grace period is active, even if the delegate returns NONLEGACY
+  // semantics, we are able to set unspecified-SameSite cookies from a
+  // cross-site context, and we are allowed to set SameSite=None cookies without
+  // Secure. We are also allowed to get such cookies.
+  EXPECT_TRUE(CreateAndSetCookie(cm_.get(), kHttpUrl, "cookie1=chocolate_chip",
+                                 CookieOptions()));
+  EXPECT_TRUE(CreateAndSetCookie(cm_.get(), kHttpUrl,
+                                 "cookie2=oatmeal_raisin; SameSite=None",
+                                 CookieOptions()));
+  EXPECT_EQ("cookie1=chocolate_chip; cookie2=oatmeal_raisin",
+            GetCookiesWithOptions(cm_.get(), kHttpUrl, CookieOptions()));
+
+  // After some time passes, but we are still under the time threshold,
+  // the cookie is still accessible in a cross-site context.
+  task_environment_->FastForwardBy(TimeDelta::FromMilliseconds(90));
+  EXPECT_EQ("cookie1=chocolate_chip; cookie2=oatmeal_raisin",
+            GetCookiesWithOptions(cm_.get(), kHttpUrl, CookieOptions()));
+  // After the grace period expires, these cookies are now blocked.
+  task_environment_->FastForwardBy(TimeDelta::FromMilliseconds(20));
+  EXPECT_EQ("", GetCookiesWithOptions(cm_.get(), kHttpUrl, CookieOptions()));
+
+  // Also, now that there is a preexisting cookie in the store that's older than
+  // the grace period, the same cookie will not be granted legacy semantics
+  // again because the creation date of the preexisting identical cookie is
+  // inherited. (This disallows refreshing the grace period by repeatedly
+  // setting an identical cookie.)
+  EXPECT_FALSE(CreateAndSetCookie(cm_.get(), kHttpUrl, "cookie1=chocolate_chip",
+                                  CookieOptions()));
+  EXPECT_FALSE(CreateAndSetCookie(cm_.get(), kHttpUrl,
+                                  "cookie2=oatmeal_raisin; SameSite=None",
+                                  CookieOptions()));
+  // However, an equivalent (but not identical) cookie can still be set with
+  // legacy semantics, because now the creation date isn't inherited from the
+  // preexisting cookie.
+  // TODO(chlily): It might not actually make sense to allow this... This could
+  // in effect allow repeatedly refreshing the grace period by setting a cookie
+  // with a different value and then immediately setting it back to the original
+  // value.
+  EXPECT_TRUE(CreateAndSetCookie(cm_.get(), kHttpUrl, "cookie1=snickerdoodle",
+                                 CookieOptions()));
+  EXPECT_TRUE(CreateAndSetCookie(cm_.get(), kHttpUrl,
+                                 "cookie2=gingerbread; SameSite=None",
+                                 CookieOptions()));
+
+  // Test the behavior when the time threshold is 0 (the default value).
+  SetFeatures(true, true, base::nullopt, 0);
+  // No legacy behavior is used if there is no active, non-zero grace period.
+  // In particular, if there is a zero grace period, we don't allow setting the
+  // cookie even if it was created at the very instant it was attempted to be
+  // set.
+  EXPECT_FALSE(CreateAndSetCookie(cm_.get(), kHttpUrl, "cookie1=chocolate_chip",
+                                  CookieOptions()));
+  EXPECT_FALSE(CreateAndSetCookie(cm_.get(), kHttpUrl,
+                                  "cookie2=oatmeal_raisin; SameSite=None",
+                                  CookieOptions()));
+}
+
 }  // namespace net
diff --git a/chromium/net/cookies/cookie_store.h b/chromium/net/cookies/cookie_store.h
index ebec5df3a7e..996ad7d14df 100644
--- a/chromium/net/cookies/cookie_store.h
+++ b/chromium/net/cookies/cookie_store.h
@@ -152,7 +152,6 @@ class NET_EXPORT CookieStore {
   virtual void DumpMemoryStats(base::trace_event::ProcessMemoryDump* pmd,
                                const std::string& parent_absolute_name) const;
 
- protected:
   // This may be null if no delegate has been set yet, or the delegate has been
   // reset to null.
   const CookieAccessDelegate* cookie_access_delegate() const {
diff --git a/chromium/net/cookies/cookie_store_change_unittest.h b/chromium/net/cookies/cookie_store_change_unittest.h
index c6df422ee59..0361b2659a0 100644
--- a/chromium/net/cookies/cookie_store_change_unittest.h
+++ b/chromium/net/cookies/cookie_store_change_unittest.h
@@ -381,6 +381,9 @@ TYPED_TEST_P(CookieStoreChangeGlobalTest, OverwriteWithHttpOnly) {
   // overwrite the non-http-only version.
   CookieOptions allow_httponly;
   allow_httponly.set_include_httponly();
+  allow_httponly.set_same_site_cookie_context(
+      net::CookieOptions::SameSiteCookieContext::SAME_SITE_STRICT);
+
   EXPECT_TRUE(this->CreateAndSetCookie(cs, this->http_www_foo_.url(),
                                        "A=C; path=/path1; httponly",
                                        allow_httponly));
@@ -1175,6 +1178,9 @@ TYPED_TEST_P(CookieStoreChangeUrlTest, OverwriteWithHttpOnly) {
   // overwrite the non-http-only version.
   CookieOptions allow_httponly;
   allow_httponly.set_include_httponly();
+  allow_httponly.set_same_site_cookie_context(
+      net::CookieOptions::SameSiteCookieContext::SAME_SITE_STRICT);
+
   EXPECT_TRUE(this->CreateAndSetCookie(cs, this->http_www_foo_.url(),
                                        "A=C; path=/foo; httponly",
                                        allow_httponly));
@@ -2196,6 +2202,9 @@ TYPED_TEST_P(CookieStoreChangeNamedTest, OverwriteWithHttpOnly) {
   // overwrite the non-http-only version.
   CookieOptions allow_httponly;
   allow_httponly.set_include_httponly();
+  allow_httponly.set_same_site_cookie_context(
+      net::CookieOptions::SameSiteCookieContext::SAME_SITE_STRICT);
+
   EXPECT_TRUE(this->CreateAndSetCookie(cs, this->http_www_foo_.url(),
                                        "abc=hij; path=/foo; httponly",
                                        allow_httponly));
diff --git a/chromium/net/cookies/cookie_store_test_callbacks.cc b/chromium/net/cookies/cookie_store_test_callbacks.cc
index 87ab3aee499..a582a6eb8d2 100644
--- a/chromium/net/cookies/cookie_store_test_callbacks.cc
+++ b/chromium/net/cookies/cookie_store_test_callbacks.cc
@@ -5,7 +5,6 @@
 #include "net/cookies/cookie_store_test_callbacks.h"
 
 #include "base/location.h"
-#include "base/message_loop/message_loop.h"
 #include "base/single_thread_task_runner.h"
 #include "base/threading/thread.h"
 #include "base/threading/thread_task_runner_handle.h"
diff --git a/chromium/net/cookies/cookie_store_unittest.h b/chromium/net/cookies/cookie_store_unittest.h
index 891fa67ceed..8e9a5bea740 100644
--- a/chromium/net/cookies/cookie_store_unittest.h
+++ b/chromium/net/cookies/cookie_store_unittest.h
@@ -14,10 +14,10 @@
 
 #include "base/bind.h"
 #include "base/location.h"
-#include "base/message_loop/message_loop.h"
 #include "base/message_loop/message_loop_current.h"
 #include "base/single_thread_task_runner.h"
 #include "base/strings/string_tokenizer.h"
+#include "base/test/task_environment.h"
 #include "base/threading/thread.h"
 #include "base/threading/thread_task_runner_handle.h"
 #include "net/cookies/canonical_cookie.h"
@@ -126,9 +126,11 @@ class CookieStoreTest : public testing::Test {
         http_baz_com_("http://baz.com"),
         http_bar_com_("http://bar.com") {
     // This test may be used outside of the net test suite, and thus may not
-    // have a message loop.
-    if (!base::MessageLoopCurrent::Get())
-      message_loop_.reset(new base::MessageLoop);
+    // have a task environment.
+    if (!base::MessageLoopCurrent::Get()) {
+      task_environment_ =
+          std::make_unique<base::test::SingleThreadTaskEnvironment>();
+    }
   }
 
   // Helper methods for the asynchronous Cookie Store API that call the
@@ -141,6 +143,8 @@ class CookieStoreTest : public testing::Test {
     CookieOptions options;
     if (!CookieStoreTestTraits::supports_http_only)
       options.set_include_httponly();
+    options.set_same_site_cookie_context(
+        net::CookieOptions::SameSiteCookieContext::SAME_SITE_STRICT);
     return GetCookiesWithOptions(cs, url, options);
   }
 
@@ -227,6 +231,8 @@ class CookieStoreTest : public testing::Test {
     CookieOptions options;
     if (!CookieStoreTestTraits::supports_http_only)
       options.set_include_httponly();
+    options.set_same_site_cookie_context(
+        net::CookieOptions::SameSiteCookieContext::SAME_SITE_STRICT);
     return CreateAndSetCookie(cs, url, cookie_line, options,
                               base::make_optional(server_time));
   }
@@ -237,6 +243,8 @@ class CookieStoreTest : public testing::Test {
     CookieOptions options;
     if (!CookieStoreTestTraits::supports_http_only)
       options.set_include_httponly();
+    options.set_same_site_cookie_context(
+        net::CookieOptions::SameSiteCookieContext::SAME_SITE_STRICT);
     return CreateAndSetCookie(cs, url, cookie_line, options);
   }
 
@@ -387,7 +395,7 @@ class CookieStoreTest : public testing::Test {
   const CookieURLHelper http_baz_com_;
   const CookieURLHelper http_bar_com_;
 
-  std::unique_ptr<base::MessageLoop> message_loop_;
+  std::unique_ptr<base::test::SingleThreadTaskEnvironment> task_environment_;
 
  private:
   // Returns a set of strings of type "name=value". Fails in case of duplicate.
@@ -414,7 +422,7 @@ TYPED_TEST_P(CookieStoreTest, FilterTest) {
   std::unique_ptr<CanonicalCookie> cc(CanonicalCookie::CreateSanitizedCookie(
       this->www_foo_foo_.url(), "A", "B", std::string(), "/foo", one_hour_ago,
       one_hour_from_now, base::Time(), false, false,
-      CookieSameSite::NO_RESTRICTION, COOKIE_PRIORITY_DEFAULT));
+      CookieSameSite::STRICT_MODE, COOKIE_PRIORITY_DEFAULT));
   ASSERT_TRUE(cc);
   EXPECT_TRUE(this->SetCanonicalCookie(cs, std::move(cc), "https",
                                        true /*modify_httponly*/));
@@ -424,7 +432,7 @@ TYPED_TEST_P(CookieStoreTest, FilterTest) {
   cc = CanonicalCookie::CreateSanitizedCookie(
       this->www_foo_bar_.url(), "C", "D", this->www_foo_bar_.domain(), "/bar",
       two_hours_ago, base::Time(), one_hour_ago, false, true,
-      CookieSameSite::NO_RESTRICTION, COOKIE_PRIORITY_DEFAULT);
+      CookieSameSite::STRICT_MODE, COOKIE_PRIORITY_DEFAULT);
   ASSERT_TRUE(cc);
   EXPECT_TRUE(this->SetCanonicalCookie(cs, std::move(cc), "https",
                                        true /*modify_httponly*/));
@@ -474,8 +482,11 @@ TYPED_TEST_P(CookieStoreTest, FilterTest) {
   // Verify that the cookie was set as 'httponly' by passing in a CookieOptions
   // that excludes them and getting an empty result.
   if (TypeParam::supports_http_only) {
-    cookies = this->GetCookieListWithOptions(cs, this->www_foo_bar_.url(),
-                                             CookieOptions());
+    net::CookieOptions options;
+    options.set_same_site_cookie_context(
+        net::CookieOptions::SameSiteCookieContext::SAME_SITE_STRICT);
+    cookies =
+        this->GetCookieListWithOptions(cs, this->www_foo_bar_.url(), options);
     it = cookies.begin();
     ASSERT_TRUE(it == cookies.end());
   }
@@ -538,7 +549,7 @@ TYPED_TEST_P(CookieStoreTest, SetCanonicalCookieTest) {
       std::make_unique<CanonicalCookie>(
           "A", "B", foo_foo_host, "/foo", one_hour_ago, one_hour_from_now,
           base::Time(), false /* secure */, false /* httponly */,
-          CookieSameSite::NO_RESTRICTION, COOKIE_PRIORITY_DEFAULT),
+          CookieSameSite::LAX_MODE, COOKIE_PRIORITY_DEFAULT),
       "http", true));
   // Note that for the creation time to be set exactly, without modification,
   // it must be different from the one set by the line above.
@@ -546,7 +557,7 @@ TYPED_TEST_P(CookieStoreTest, SetCanonicalCookieTest) {
       cs,
       std::make_unique<CanonicalCookie>(
           "C", "D", "." + foo_bar_domain, "/bar", two_hours_ago, base::Time(),
-          one_hour_ago, false, true, CookieSameSite::NO_RESTRICTION,
+          one_hour_ago, false, true, CookieSameSite::LAX_MODE,
           COOKIE_PRIORITY_DEFAULT),
       "http", true));
 
@@ -605,7 +616,7 @@ TYPED_TEST_P(CookieStoreTest, SetCanonicalCookieTest) {
                 std::make_unique<CanonicalCookie>(
                     "G", "H", http_foo_host, "/unique", base::Time(),
                     base::Time(), base::Time(), false /* secure */,
-                    true /* httponly */, CookieSameSite::NO_RESTRICTION,
+                    true /* httponly */, CookieSameSite::LAX_MODE,
                     COOKIE_PRIORITY_DEFAULT),
                 "http", false /* modify_http_only */)
             .HasExclusionReason(
@@ -632,7 +643,7 @@ TYPED_TEST_P(CookieStoreTest, SetCanonicalCookieTest) {
         std::make_unique<CanonicalCookie>(
             "G", "H", http_foo_host, "/unique", base::Time(), base::Time(),
             base::Time(), false /* secure */, true /* httponly */,
-            CookieSameSite::NO_RESTRICTION, COOKIE_PRIORITY_DEFAULT),
+            CookieSameSite::LAX_MODE, COOKIE_PRIORITY_DEFAULT),
         "http", true /* modify_http_only */));
 
     EXPECT_TRUE(
@@ -641,7 +652,7 @@ TYPED_TEST_P(CookieStoreTest, SetCanonicalCookieTest) {
                 std::make_unique<CanonicalCookie>(
                     "G", "H", http_foo_host, "/unique", base::Time(),
                     base::Time(), base::Time(), false /* secure */,
-                    true /* httponly */, CookieSameSite::NO_RESTRICTION,
+                    true /* httponly */, CookieSameSite::LAX_MODE,
                     COOKIE_PRIORITY_DEFAULT),
                 "http", false /* modify_http_only */)
             .HasExclusionReason(
@@ -653,7 +664,7 @@ TYPED_TEST_P(CookieStoreTest, SetCanonicalCookieTest) {
         std::make_unique<CanonicalCookie>(
             "G", "H", http_foo_host, "/unique", base::Time(), base::Time(),
             base::Time(), false /* secure */, true /* httponly */,
-            CookieSameSite::NO_RESTRICTION, COOKIE_PRIORITY_DEFAULT),
+            CookieSameSite::LAX_MODE, COOKIE_PRIORITY_DEFAULT),
         "http", true /* modify_http_only */));
   }
 
@@ -730,28 +741,28 @@ TYPED_TEST_P(CookieStoreTest, SecureEnforcement) {
       cs,
       std::make_unique<CanonicalCookie>(
           "A", "B", http_domain, "/", base::Time::Now(), base::Time(),
-          base::Time(), true, false, CookieSameSite::NO_RESTRICTION,
+          base::Time(), true, false, CookieSameSite::STRICT_MODE,
           COOKIE_PRIORITY_DEFAULT),
       "http", true /*modify_httponly*/));
   EXPECT_TRUE(this->SetCanonicalCookie(
       cs,
       std::make_unique<CanonicalCookie>(
           "A", "B", http_domain, "/", base::Time::Now(), base::Time(),
-          base::Time(), true, false, CookieSameSite::NO_RESTRICTION,
+          base::Time(), true, false, CookieSameSite::STRICT_MODE,
           COOKIE_PRIORITY_DEFAULT),
       "https", true /*modify_httponly*/));
   EXPECT_TRUE(this->SetCanonicalCookie(
       cs,
       std::make_unique<CanonicalCookie>(
           "A", "B", http_domain, "/", base::Time::Now(), base::Time(),
-          base::Time(), false, false, CookieSameSite::NO_RESTRICTION,
+          base::Time(), false, false, CookieSameSite::STRICT_MODE,
           COOKIE_PRIORITY_DEFAULT),
       "https", true /*modify_httponly*/));
   EXPECT_TRUE(this->SetCanonicalCookie(
       cs,
       std::make_unique<CanonicalCookie>(
           "A", "B", http_domain, "/", base::Time::Now(), base::Time(),
-          base::Time(), false, false, CookieSameSite::NO_RESTRICTION,
+          base::Time(), false, false, CookieSameSite::STRICT_MODE,
           COOKIE_PRIORITY_DEFAULT),
       "http", true /*modify_httponly*/));
 }
@@ -1174,9 +1185,10 @@ TYPED_TEST_P(CookieStoreTest, InvalidScheme_Read) {
       this->SetCookie(cs, this->http_www_foo_.url(), kValidDomainCookieLine));
   this->MatchCookieLines(std::string(),
                          this->GetCookies(cs, this->ftp_foo_.url()));
-  EXPECT_EQ(0U, this->GetCookieListWithOptions(cs, this->ftp_foo_.url(),
-                                               CookieOptions())
-                    .size());
+  EXPECT_EQ(0U,
+            this->GetCookieListWithOptions(cs, this->ftp_foo_.url(),
+                                           CookieOptions::MakeAllInclusive())
+                .size());
 }
 
 TYPED_TEST_P(CookieStoreTest, PathTest) {
@@ -1204,6 +1216,8 @@ TYPED_TEST_P(CookieStoreTest, EmptyExpires) {
   CookieOptions options;
   if (!TypeParam::supports_http_only)
     options.set_include_httponly();
+  options.set_same_site_cookie_context(
+      net::CookieOptions::SameSiteCookieContext::SAME_SITE_STRICT);
   GURL url("http://www7.ipdl.inpit.go.jp/Tokujitu/tjkta.ipdl?N0000=108");
   std::string set_cookie_line =
       "ACSTM=20130308043820420042; path=/; domain=ipdl.inpit.go.jp; Expires=";
@@ -1232,6 +1246,8 @@ TYPED_TEST_P(CookieStoreTest, HttpOnlyTest) {
   CookieStore* cs = this->GetCookieStore();
   CookieOptions options;
   options.set_include_httponly();
+  options.set_same_site_cookie_context(
+      net::CookieOptions::SameSiteCookieContext::SAME_SITE_STRICT);
 
   // Create a httponly cookie.
   EXPECT_TRUE(this->CreateAndSetCookie(cs, this->http_www_foo_.url(),
@@ -1518,6 +1534,8 @@ TYPED_TEST_P(CookieStoreTest, OverwritePersistentCookie) {
   // overwrite the non-http-only version.
   CookieOptions allow_httponly;
   allow_httponly.set_include_httponly();
+  allow_httponly.set_same_site_cookie_context(
+      net::CookieOptions::SameSiteCookieContext::SAME_SITE_STRICT);
   EXPECT_TRUE(this->CreateAndSetCookie(cs, url_foo,
                                        "b=val2; path=/path1; httponly; "
                                        "expires=Mon, 18-Apr-22 22:50:14 GMT",
@@ -1572,6 +1590,9 @@ TYPED_TEST_P(CookieStoreTest, EmptyName) {
   CookieOptions options;
   if (!TypeParam::supports_http_only)
     options.set_include_httponly();
+  options.set_same_site_cookie_context(
+      net::CookieOptions::SameSiteCookieContext::SAME_SITE_STRICT);
+
   EXPECT_TRUE(this->CreateAndSetCookie(cs, url_foo, "a", options));
   CookieList list = this->GetAllCookiesForURL(cs, url_foo);
   EXPECT_EQ(1u, list.size());
@@ -1612,6 +1633,9 @@ TYPED_TEST_P(CookieStoreTest, CookieOrdering) {
             this->GetCookies(cs, GURL("http://d.c.b.a.foo.com/aa/bb/cc/dd")));
 
   CookieOptions options;
+  options.set_same_site_cookie_context(
+      net::CookieOptions::SameSiteCookieContext::SAME_SITE_STRICT);
+
   CookieList cookies = this->GetCookieListWithOptions(
       cs, GURL("http://d.c.b.a.foo.com/aa/bb/cc/dd"), options);
   CookieList::const_iterator it = cookies.begin();
@@ -1732,7 +1756,7 @@ TYPED_TEST_P(CookieStoreTest, DeleteCanonicalCookieAsync) {
 
   // Delete the "/foo" cookie, and make sure only it was deleted.
   CookieList cookies = this->GetCookieListWithOptions(
-      cs, this->www_foo_foo_.url(), CookieOptions());
+      cs, this->www_foo_foo_.url(), CookieOptions::MakeAllInclusive());
   ASSERT_EQ(1u, cookies.size());
   EXPECT_EQ(1u, this->DeleteCanonicalCookie(cs, cookies[0]));
   EXPECT_EQ(1u, this->GetAllCookies(cs).size());
@@ -1744,7 +1768,7 @@ TYPED_TEST_P(CookieStoreTest, DeleteCanonicalCookieAsync) {
 
   // Try to delete the "/bar" cookie after overwriting it with a new cookie.
   cookies = this->GetCookieListWithOptions(cs, this->www_foo_bar_.url(),
-                                           CookieOptions());
+                                           CookieOptions::MakeAllInclusive());
   ASSERT_EQ(1u, cookies.size());
   EXPECT_TRUE(this->SetCookie(cs, this->http_www_foo_.url(), "A=D;Path=/bar"));
   EXPECT_EQ(0u, this->DeleteCanonicalCookie(cs, cookies[0]));
@@ -1753,7 +1777,7 @@ TYPED_TEST_P(CookieStoreTest, DeleteCanonicalCookieAsync) {
 
   // Delete the new "/bar" cookie.
   cookies = this->GetCookieListWithOptions(cs, this->www_foo_bar_.url(),
-                                           CookieOptions());
+                                           CookieOptions::MakeAllInclusive());
   ASSERT_EQ(1u, cookies.size());
   EXPECT_EQ(1u, this->DeleteCanonicalCookie(cs, cookies[0]));
   EXPECT_EQ(0u, this->GetAllCookies(cs).size());
diff --git a/chromium/net/cookies/cookie_util.cc b/chromium/net/cookies/cookie_util.cc
index bff9f2f0eb2..87a52405cfa 100644
--- a/chromium/net/cookies/cookie_util.cc
+++ b/chromium/net/cookies/cookie_util.cc
@@ -483,10 +483,15 @@ CookieOptions::SameSiteCookieContext ComputeSameSiteContextForRequest(
 }
 
 NET_EXPORT CookieOptions::SameSiteCookieContext
-ComputeSameSiteContextForScriptGet(
-    const GURL& url,
-    const GURL& site_for_cookies,
-    const base::Optional<url::Origin>& initiator) {
+ComputeSameSiteContextForScriptGet(const GURL& url,
+                                   const GURL& site_for_cookies,
+                                   const base::Optional<url::Origin>& initiator,
+                                   bool attach_same_site_cookies) {
+  if (attach_same_site_cookies) {
+    return ComputeSchemeChange(
+        CookieOptions::SameSiteCookieContext::SAME_SITE_STRICT, url,
+        site_for_cookies);
+  }
   return ComputeSameSiteContext(url, site_for_cookies, initiator);
 }
 
@@ -509,8 +514,10 @@ CookieOptions::SameSiteCookieContext ComputeSameSiteContextForResponse(
 
 CookieOptions::SameSiteCookieContext ComputeSameSiteContextForScriptSet(
     const GURL& url,
-    const GURL& site_for_cookies) {
-  if (MatchesSiteForCookies(url, site_for_cookies)) {
+    const GURL& site_for_cookies,
+    bool attach_same_site_cookies) {
+  if (attach_same_site_cookies ||
+      MatchesSiteForCookies(url, site_for_cookies)) {
     return ComputeSchemeChange(
         CookieOptions::SameSiteCookieContext::SAME_SITE_LAX, url,
         site_for_cookies);
@@ -519,12 +526,14 @@ CookieOptions::SameSiteCookieContext ComputeSameSiteContextForScriptSet(
   }
 }
 
-NET_EXPORT CookieOptions::SameSiteCookieContext
-ComputeSameSiteContextForSubresource(const GURL& url,
-                                     const GURL& site_for_cookies) {
+CookieOptions::SameSiteCookieContext ComputeSameSiteContextForSubresource(
+    const GURL& url,
+    const GURL& site_for_cookies,
+    bool attach_same_site_cookies) {
   // If the URL is same-site as site_for_cookies it's same-site as all frames
   // in the tree from the initiator frame up --- including the initiator frame.
-  if (MatchesSiteForCookies(url, site_for_cookies)) {
+  if (attach_same_site_cookies ||
+      MatchesSiteForCookies(url, site_for_cookies)) {
     return ComputeSchemeChange(
         CookieOptions::SameSiteCookieContext::SAME_SITE_STRICT, url,
         site_for_cookies);
@@ -543,6 +552,51 @@ bool IsCookiesWithoutSameSiteMustBeSecureEnabled() {
              features::kCookiesWithoutSameSiteMustBeSecure);
 }
 
+bool IsRecentHttpSameSiteAccessGrantsLegacyCookieSemanticsEnabled() {
+  return IsSameSiteByDefaultCookiesEnabled() &&
+         base::FeatureList::IsEnabled(
+             features::kRecentHttpSameSiteAccessGrantsLegacyCookieSemantics) &&
+         features::
+                 kRecentHttpSameSiteAccessGrantsLegacyCookieSemanticsMilliseconds
+                     .Get() > 0;
+}
+
+bool IsRecentCreationTimeGrantsLegacyCookieSemanticsEnabled() {
+  return IsSameSiteByDefaultCookiesEnabled() &&
+         base::FeatureList::IsEnabled(
+             features::kRecentCreationTimeGrantsLegacyCookieSemantics) &&
+         features::kRecentCreationTimeGrantsLegacyCookieSemanticsMilliseconds
+                 .Get() > 0;
+}
+
+bool DoesLastHttpSameSiteAccessGrantLegacySemantics(
+    base::TimeTicks last_http_same_site_access) {
+  if (last_http_same_site_access.is_null())
+    return false;
+  if (!IsRecentHttpSameSiteAccessGrantsLegacyCookieSemanticsEnabled())
+    return false;
+
+  base::TimeDelta recency_threshold = base::TimeDelta::FromMilliseconds(
+      features::kRecentHttpSameSiteAccessGrantsLegacyCookieSemanticsMilliseconds
+          .Get());
+  DCHECK(!recency_threshold.is_zero());
+  return (base::TimeTicks::Now() - last_http_same_site_access) <
+         recency_threshold;
+}
+
+bool DoesCreationTimeGrantLegacySemantics(base::Time creation_date) {
+  if (creation_date.is_null())
+    return false;
+  if (!IsRecentCreationTimeGrantsLegacyCookieSemanticsEnabled())
+    return false;
+
+  base::TimeDelta recency_threshold = base::TimeDelta::FromMilliseconds(
+      features::kRecentCreationTimeGrantsLegacyCookieSemanticsMilliseconds
+          .Get());
+  DCHECK(!recency_threshold.is_zero());
+  return (base::Time::Now() - creation_date) < recency_threshold;
+}
+
 base::OnceCallback<void(net::CanonicalCookie::CookieInclusionStatus)>
 AdaptCookieInclusionStatusToBool(base::OnceCallback<void(bool)> callback) {
   return base::BindOnce(
diff --git a/chromium/net/cookies/cookie_util.h b/chromium/net/cookies/cookie_util.h
index f936d663b35..521c2e9e604 100644
--- a/chromium/net/cookies/cookie_util.h
+++ b/chromium/net/cookies/cookie_util.h
@@ -98,16 +98,18 @@ NET_EXPORT std::string SerializeRequestCookieLine(
 // or selecting a bookmark.
 //
 // If |attach_same_site_cookies| is specified, all SameSite cookies will be
-// attached.
+// attached, i.e. this will return SAME_SITE_STRICT. This flag is set to true
+// when the |site_for_cookies| is a chrome:// URL embedding a secure origin,
+// among other scenarios.
+// This is *not* set when the *initiator* is chrome-extension://,
+// which is intentional, since it would be bad to let an extension arbitrarily
+// redirect anywhere and bypass SameSite=Strict rules.
 //
 // See also documentation for corresponding methods on net::URLRequest.
 //
 // |http_method| is used to enforce the requirement that, in a context that's
 // lax same-site but not strict same-site, SameSite=lax cookies be only sent
 // when the method is "safe" in the RFC7231 section 4.2.1 sense.
-//
-// This also applies the net feature |URLRequest::site_for_cookies|, which
-// upgrades SameSite=Lax level access to Strict-level access if on.
 NET_EXPORT CookieOptions::SameSiteCookieContext
 ComputeSameSiteContextForRequest(const std::string& http_method,
                                  const GURL& url,
@@ -117,11 +119,12 @@ ComputeSameSiteContextForRequest(const std::string& http_method,
 
 // As above, but applying for scripts. |initiator| here should be the initiator
 // used when fetching the document.
+// If |attach_same_site_cookies| is true, this returns SAME_SITE_STRICT.
 NET_EXPORT CookieOptions::SameSiteCookieContext
-ComputeSameSiteContextForScriptGet(
-    const GURL& url,
-    const GURL& site_for_cookies,
-    const base::Optional<url::Origin>& initiator);
+ComputeSameSiteContextForScriptGet(const GURL& url,
+                                   const GURL& site_for_cookies,
+                                   const base::Optional<url::Origin>& initiator,
+                                   bool attach_same_site_cookies);
 
 // Determines which of the cookies for |url| can be set from a network response,
 // with respect to the SameSite attribute. This will only return CROSS_SITE or
@@ -138,20 +141,39 @@ ComputeSameSiteContextForResponse(const GURL& url,
 // with respect to the SameSite attribute. This will only return CROSS_SITE or
 // SAME_SITE_LAX (cookie sets of SameSite=strict cookies are permitted in same
 // contexts that sets of SameSite=lax cookies are).
+// If |attach_same_site_cookies| is true, this returns SAME_SITE_LAX.
 NET_EXPORT CookieOptions::SameSiteCookieContext
 ComputeSameSiteContextForScriptSet(const GURL& url,
-                                   const GURL& site_for_cookies);
+                                   const GURL& site_for_cookies,
+                                   bool attach_same_site_cookies);
 
 // Determines which of the cookies for |url| can be accessed when fetching a
 // subresources. This is either CROSS_SITE or SAME_SITE_STRICT,
 // since the initiator for a subresource is the frame loading it.
 NET_EXPORT CookieOptions::SameSiteCookieContext
+// If |attach_same_site_cookies| is true, this returns SAME_SITE_STRICT.
 ComputeSameSiteContextForSubresource(const GURL& url,
-                                     const GURL& site_for_cookies);
+                                     const GURL& site_for_cookies,
+                                     bool attach_same_site_cookies);
 
 // Returns whether the respective SameSite feature is enabled.
 NET_EXPORT bool IsSameSiteByDefaultCookiesEnabled();
 NET_EXPORT bool IsCookiesWithoutSameSiteMustBeSecureEnabled();
+bool IsRecentHttpSameSiteAccessGrantsLegacyCookieSemanticsEnabled();
+bool IsRecentCreationTimeGrantsLegacyCookieSemanticsEnabled();
+
+// Determines whether the last same-site access to a cookie should grant legacy
+// access semantics to the current attempted cookies access, based on the state
+// of the feature kRecentSameSiteAccessGrantsLegacyCookieSemantics, the value of
+// the feature param, and the time since the last eligible same-site access.
+bool DoesLastHttpSameSiteAccessGrantLegacySemantics(
+    base::TimeTicks last_http_same_site_access);
+
+// Determines whether the creation time of a cookie should grant legacy
+// access semantics to the current attempted cookies access, based on the state
+// of the feature kRecentCreationTimeGrantsLegacyCookieSemantics, the value of
+// the feature param, and the creation time of the cookie.
+bool DoesCreationTimeGrantLegacySemantics(base::Time creation_date);
 
 // Takes a callback accepting a CookieInclusionStatus and returns a callback
 // that accepts a bool, setting the bool to true if the CookieInclusionStatus
diff --git a/chromium/net/cookies/cookie_util_unittest.cc b/chromium/net/cookies/cookie_util_unittest.cc
index 9d0d340dbec..bb44c72d7db 100644
--- a/chromium/net/cookies/cookie_util_unittest.cc
+++ b/chromium/net/cookies/cookie_util_unittest.cc
@@ -255,26 +255,30 @@ TEST(CookieUtilTest, TestIsDomainMatch) {
 
 TEST(CookieUtilTest, TestComputeSameSiteContextForScriptGet) {
   // |site_for_cookies| not matching the URL -> it's cross-site.
-  EXPECT_EQ(CookieOptions::SameSiteCookieContext::CROSS_SITE,
-            cookie_util::ComputeSameSiteContextForScriptGet(
-                GURL("http://example.com"), GURL("http://notexample.com"),
-                base::nullopt /*initiator*/));
+  EXPECT_EQ(
+      CookieOptions::SameSiteCookieContext::CROSS_SITE,
+      cookie_util::ComputeSameSiteContextForScriptGet(
+          GURL("http://example.com"), GURL("http://notexample.com"),
+          base::nullopt /*initiator*/, false /* attach_same_site_cookies */));
 
   EXPECT_EQ(CookieOptions::SameSiteCookieContext::CROSS_SITE,
             cookie_util::ComputeSameSiteContextForScriptGet(
                 GURL("http://example.com"), GURL("http://notexample.com"),
-                url::Origin::Create(GURL("http://example.com"))));
+                url::Origin::Create(GURL("http://example.com")),
+                false /* attach_same_site_cookies */));
 
   EXPECT_EQ(CookieOptions::SameSiteCookieContext::CROSS_SITE,
             cookie_util::ComputeSameSiteContextForScriptGet(
                 GURL("http://a.com"), GURL("http://b.com"),
-                url::Origin::Create(GURL("http://from-elsewhere.com"))));
+                url::Origin::Create(GURL("http://from-elsewhere.com")),
+                false /* attach_same_site_cookies */));
 
   // Same |site_for_cookies|, but not |initiator| -> it's same-site lax.
   EXPECT_EQ(CookieOptions::SameSiteCookieContext::SAME_SITE_LAX,
             cookie_util::ComputeSameSiteContextForScriptGet(
                 GURL("http://example.com"), GURL("http://example.com"),
-                url::Origin::Create(GURL("http://from-elsewhere.com"))));
+                url::Origin::Create(GURL("http://from-elsewhere.com")),
+                false /* attach_same_site_cookies */));
 
   // This isn't a full on origin check --- subdomains and different schema are
   // accepted.
@@ -282,52 +286,113 @@ TEST(CookieUtilTest, TestComputeSameSiteContextForScriptGet) {
                 SAME_SITE_LAX_CROSS_SCHEME_SECURE_URL,
             cookie_util::ComputeSameSiteContextForScriptGet(
                 GURL("https://example.com"), GURL("http://example.com"),
-                url::Origin::Create(GURL("http://from-elsewhere.com"))));
+                url::Origin::Create(GURL("http://from-elsewhere.com")),
+                false /* attach_same_site_cookies */));
 
   EXPECT_EQ(CookieOptions::SameSiteCookieContext::
                 SAME_SITE_LAX_CROSS_SCHEME_INSECURE_URL,
             cookie_util::ComputeSameSiteContextForScriptGet(
                 GURL("http://example.com"), GURL("https://example.com"),
-                url::Origin::Create(GURL("http://from-elsewhere.com"))));
+                url::Origin::Create(GURL("http://from-elsewhere.com")),
+                false /* attach_same_site_cookies */));
 
   EXPECT_EQ(CookieOptions::SameSiteCookieContext::SAME_SITE_LAX,
             cookie_util::ComputeSameSiteContextForScriptGet(
                 GURL("http://sub.example.com"), GURL("http://sub2.example.com"),
-                url::Origin::Create(GURL("http://from-elsewhere.com"))));
+                url::Origin::Create(GURL("http://from-elsewhere.com")),
+                false /* attach_same_site_cookies */));
 
   EXPECT_EQ(
       CookieOptions::SameSiteCookieContext::SAME_SITE_LAX,
       cookie_util::ComputeSameSiteContextForScriptGet(
           GURL("http://sub.example.com"), GURL("http://sub.example.com:8080"),
-          url::Origin::Create(GURL("http://from-elsewhere.com"))));
+          url::Origin::Create(GURL("http://from-elsewhere.com")),
+          false /* attach_same_site_cookies */));
 
   // nullopt |initiator| is trusted for purposes of strict, an opaque one isn't.
   EXPECT_EQ(CookieOptions::SameSiteCookieContext::SAME_SITE_STRICT,
             cookie_util::ComputeSameSiteContextForScriptGet(
                 GURL("http://example.com"), GURL("http://example.com"),
-                url::Origin::Create(GURL("http://example.com"))));
+                url::Origin::Create(GURL("http://example.com")),
+                false /* attach_same_site_cookies */));
+
+  EXPECT_EQ(
+      CookieOptions::SameSiteCookieContext::
+          SAME_SITE_STRICT_CROSS_SCHEME_SECURE_URL,
+      cookie_util::ComputeSameSiteContextForScriptGet(
+          GURL("https://example.com"), GURL("http://example.com"),
+          base::nullopt /*initiator*/, false /* attach_same_site_cookies */));
+
+  EXPECT_EQ(
+      CookieOptions::SameSiteCookieContext::
+          SAME_SITE_STRICT_CROSS_SCHEME_INSECURE_URL,
+      cookie_util::ComputeSameSiteContextForScriptGet(
+          GURL("http://example.com"), GURL("https://example.com"),
+          base::nullopt /*initiator*/, false /* attach_same_site_cookies */));
+
+  EXPECT_EQ(
+      CookieOptions::SameSiteCookieContext::SAME_SITE_STRICT,
+      cookie_util::ComputeSameSiteContextForScriptGet(
+          GURL("http://example.com"), GURL("http://example.com"),
+          base::nullopt /*initiator*/, false /* attach_same_site_cookies */));
+
+  EXPECT_EQ(CookieOptions::SameSiteCookieContext::SAME_SITE_LAX,
+            cookie_util::ComputeSameSiteContextForScriptGet(
+                GURL("http://example.com"), GURL("http://example.com"),
+                url::Origin(), false /* attach_same_site_cookies */));
+
+  // |attach_same_site_cookies| causes (some variant of) SAME_SITE_STRICT to be
+  // returned.
+  EXPECT_EQ(
+      CookieOptions::SameSiteCookieContext::SAME_SITE_STRICT,
+      cookie_util::ComputeSameSiteContextForScriptGet(
+          GURL("http://example.com"), GURL("http://notexample.com"),
+          base::nullopt /*initiator*/, true /* attach_same_site_cookies */));
+
+  EXPECT_EQ(CookieOptions::SameSiteCookieContext::SAME_SITE_STRICT,
+            cookie_util::ComputeSameSiteContextForScriptGet(
+                GURL("http://example.com"), GURL("http://notexample.com"),
+                url::Origin::Create(GURL("http://example.com")),
+                true /* attach_same_site_cookies */));
+
+  EXPECT_EQ(CookieOptions::SameSiteCookieContext::SAME_SITE_STRICT,
+            cookie_util::ComputeSameSiteContextForScriptGet(
+                GURL("http://a.com"), GURL("http://b.com"),
+                url::Origin::Create(GURL("http://from-elsewhere.com")),
+                true /* attach_same_site_cookies */));
+
+  EXPECT_EQ(CookieOptions::SameSiteCookieContext::SAME_SITE_STRICT,
+            cookie_util::ComputeSameSiteContextForScriptGet(
+                GURL("http://example.com"), GURL("http://example.com"),
+                url::Origin::Create(GURL("http://from-elsewhere.com")),
+                true /* attach_same_site_cookies */));
 
   EXPECT_EQ(CookieOptions::SameSiteCookieContext::
                 SAME_SITE_STRICT_CROSS_SCHEME_SECURE_URL,
             cookie_util::ComputeSameSiteContextForScriptGet(
                 GURL("https://example.com"), GURL("http://example.com"),
-                base::nullopt /*initiator*/));
+                url::Origin::Create(GURL("http://from-elsewhere.com")),
+                true /* attach_same_site_cookies */));
 
   EXPECT_EQ(CookieOptions::SameSiteCookieContext::
                 SAME_SITE_STRICT_CROSS_SCHEME_INSECURE_URL,
             cookie_util::ComputeSameSiteContextForScriptGet(
                 GURL("http://example.com"), GURL("https://example.com"),
-                base::nullopt /*initiator*/));
+                url::Origin::Create(GURL("http://from-elsewhere.com")),
+                true /* attach_same_site_cookies */));
 
   EXPECT_EQ(CookieOptions::SameSiteCookieContext::SAME_SITE_STRICT,
             cookie_util::ComputeSameSiteContextForScriptGet(
-                GURL("http://example.com"), GURL("http://example.com"),
-                base::nullopt /*initiator*/));
+                GURL("http://sub.example.com"), GURL("http://sub2.example.com"),
+                url::Origin::Create(GURL("http://from-elsewhere.com")),
+                true /* attach_same_site_cookies */));
 
-  EXPECT_EQ(CookieOptions::SameSiteCookieContext::SAME_SITE_LAX,
-            cookie_util::ComputeSameSiteContextForScriptGet(
-                GURL("http://example.com"), GURL("http://example.com"),
-                url::Origin()));
+  EXPECT_EQ(
+      CookieOptions::SameSiteCookieContext::SAME_SITE_STRICT,
+      cookie_util::ComputeSameSiteContextForScriptGet(
+          GURL("http://sub.example.com"), GURL("http://sub.example.com:8080"),
+          url::Origin::Create(GURL("http://from-elsewhere.com")),
+          true /* attach_same_site_cookies */));
 }
 
 TEST(CookieUtilTest, ComputeSameSiteContextForRequest) {
@@ -465,7 +530,14 @@ TEST(CookieUtilTest, ComputeSameSiteContextForSet) {
 
   EXPECT_EQ(CookieOptions::SameSiteCookieContext::CROSS_SITE,
             cookie_util::ComputeSameSiteContextForScriptSet(
-                GURL("http://example.com"), GURL("http://notexample.com")));
+                GURL("http://example.com"), GURL("http://notexample.com"),
+                false /* attach_same_site_cookies */));
+
+  // Same as above except |attach_same_site_cookies| makes it return LAX.
+  EXPECT_EQ(CookieOptions::SameSiteCookieContext::SAME_SITE_LAX,
+            cookie_util::ComputeSameSiteContextForScriptSet(
+                GURL("http://example.com"), GURL("http://notexample.com"),
+                true /* attach_same_site_cookies */));
 
   EXPECT_EQ(CookieOptions::SameSiteCookieContext::SAME_SITE_LAX,
             cookie_util::ComputeSameSiteContextForResponse(
@@ -496,48 +568,58 @@ TEST(CookieUtilTest, ComputeSameSiteContextForSet) {
                 GURL("https://example.com/dir"), GURL("http://sub.example.com"),
                 base::nullopt, true /* attach_same_site_cookies */));
 
-  EXPECT_EQ(
-      CookieOptions::SameSiteCookieContext::SAME_SITE_LAX,
-      cookie_util::ComputeSameSiteContextForScriptSet(
-          GURL("http://example.com/dir"), GURL("http://sub.example.com")));
-  EXPECT_EQ(
-      CookieOptions::SameSiteCookieContext::
-          SAME_SITE_LAX_CROSS_SCHEME_INSECURE_URL,
-      cookie_util::ComputeSameSiteContextForScriptSet(
-          GURL("http://example.com/dir"), GURL("https://sub.example.com")));
-  EXPECT_EQ(
-      CookieOptions::SameSiteCookieContext::
-          SAME_SITE_LAX_CROSS_SCHEME_SECURE_URL,
-      cookie_util::ComputeSameSiteContextForScriptSet(
-          GURL("https://example.com/dir"), GURL("http://sub.example.com")));
+  EXPECT_EQ(CookieOptions::SameSiteCookieContext::SAME_SITE_LAX,
+            cookie_util::ComputeSameSiteContextForScriptSet(
+                GURL("http://example.com/dir"), GURL("http://sub.example.com"),
+                false /* attach_same_site_cookies */));
+  EXPECT_EQ(CookieOptions::SameSiteCookieContext::
+                SAME_SITE_LAX_CROSS_SCHEME_INSECURE_URL,
+            cookie_util::ComputeSameSiteContextForScriptSet(
+                GURL("http://example.com/dir"), GURL("https://sub.example.com"),
+                false /* attach_same_site_cookies */));
+  EXPECT_EQ(CookieOptions::SameSiteCookieContext::
+                SAME_SITE_LAX_CROSS_SCHEME_SECURE_URL,
+            cookie_util::ComputeSameSiteContextForScriptSet(
+                GURL("https://example.com/dir"), GURL("http://sub.example.com"),
+                false /* attach_same_site_cookies */));
 }
 
 TEST(CookieUtilTest, TestComputeSameSiteContextForSubresource) {
   // |site_for_cookies| not matching the URL -> it's cross-site.
   EXPECT_EQ(CookieOptions::SameSiteCookieContext::CROSS_SITE,
             cookie_util::ComputeSameSiteContextForSubresource(
-                GURL("http://example.com"), GURL("http://notexample.com")));
+                GURL("http://example.com"), GURL("http://notexample.com"),
+                false /* attach_same_site_cookies */));
+
+  // Same as above except |attach_same_site_cookies| makes it return STRICT.
+  EXPECT_EQ(CookieOptions::SameSiteCookieContext::SAME_SITE_STRICT,
+            cookie_util::ComputeSameSiteContextForSubresource(
+                GURL("http://example.com"), GURL("http://notexample.com"),
+                true /* attach_same_site_cookies */));
 
   // This isn't a full on origin check --- subdomains and different schema are
   // accepted.
   EXPECT_EQ(CookieOptions::SameSiteCookieContext::
                 SAME_SITE_STRICT_CROSS_SCHEME_SECURE_URL,
             cookie_util::ComputeSameSiteContextForSubresource(
-                GURL("https://example.com"), GURL("http://example.com")));
+                GURL("https://example.com"), GURL("http://example.com"),
+                false /* attach_same_site_cookies */));
 
-  EXPECT_EQ(
-      CookieOptions::SameSiteCookieContext::SAME_SITE_STRICT,
-      cookie_util::ComputeSameSiteContextForSubresource(
-          GURL("http://sub.example.com"), GURL("http://sub2.example.com")));
+  EXPECT_EQ(CookieOptions::SameSiteCookieContext::SAME_SITE_STRICT,
+            cookie_util::ComputeSameSiteContextForSubresource(
+                GURL("http://sub.example.com"), GURL("http://sub2.example.com"),
+                false /* attach_same_site_cookies */));
 
   EXPECT_EQ(
       CookieOptions::SameSiteCookieContext::SAME_SITE_STRICT,
       cookie_util::ComputeSameSiteContextForSubresource(
-          GURL("http://sub.example.com"), GURL("http://sub.example.com:8080")));
+          GURL("http://sub.example.com"), GURL("http://sub.example.com:8080"),
+          false /* attach_same_site_cookies */));
 
   EXPECT_EQ(CookieOptions::SameSiteCookieContext::SAME_SITE_STRICT,
             cookie_util::ComputeSameSiteContextForSubresource(
-                GURL("http://example.com"), GURL("http://example.com")));
+                GURL("http://example.com"), GURL("http://example.com"),
+                false /* attach_same_site_cookies */));
 }
 
 TEST(CookieUtilTest, AdaptCookieInclusionStatusToBool) {
diff --git a/chromium/net/cookies/parsed_cookie_unittest.cc b/chromium/net/cookies/parsed_cookie_unittest.cc
index 81776c90de2..d2f6b730d5a 100644
--- a/chromium/net/cookies/parsed_cookie_unittest.cc
+++ b/chromium/net/cookies/parsed_cookie_unittest.cc
@@ -526,7 +526,7 @@ TEST(ParsedCookieTest, CookieSameSiteStringEnum) {
   EXPECT_EQ(CookieSameSiteString::kNone, actual);
 
   pc.SetSameSite("Extended");
-  EXPECT_EQ(CookieSameSite::EXTENDED_MODE, pc.SameSite(&actual));
+  EXPECT_EQ(CookieSameSite::UNSPECIFIED, pc.SameSite(&actual));
   EXPECT_EQ(CookieSameSiteString::kExtended, actual);
 
   pc.SetSameSite("Bananas");
diff --git a/chromium/net/cookies/test_cookie_access_delegate.cc b/chromium/net/cookies/test_cookie_access_delegate.cc
index 993e294ef70..634a351163c 100644
--- a/chromium/net/cookies/test_cookie_access_delegate.cc
+++ b/chromium/net/cookies/test_cookie_access_delegate.cc
@@ -20,12 +20,31 @@ CookieAccessSemantics TestCookieAccessDelegate::GetAccessSemantics(
   return CookieAccessSemantics::UNKNOWN;
 }
 
+bool TestCookieAccessDelegate::ShouldIgnoreSameSiteRestrictions(
+    const GURL& url,
+    const GURL& site_for_cookies) const {
+  auto it =
+      ignore_samesite_restrictions_schemes_.find(site_for_cookies.scheme());
+  if (it == ignore_samesite_restrictions_schemes_.end())
+    return false;
+  if (it->second)
+    return url.SchemeIsCryptographic();
+  return true;
+}
+
 void TestCookieAccessDelegate::SetExpectationForCookieDomain(
     const std::string& cookie_domain,
     CookieAccessSemantics access_semantics) {
   expectations_[GetKeyForDomainValue(cookie_domain)] = access_semantics;
 }
 
+void TestCookieAccessDelegate::SetIgnoreSameSiteRestrictionsScheme(
+    const std::string& site_for_cookies_scheme,
+    bool require_secure_origin) {
+  ignore_samesite_restrictions_schemes_[site_for_cookies_scheme] =
+      require_secure_origin;
+}
+
 std::string TestCookieAccessDelegate::GetKeyForDomainValue(
     const std::string& domain) const {
   DCHECK(!domain.empty());
diff --git a/chromium/net/cookies/test_cookie_access_delegate.h b/chromium/net/cookies/test_cookie_access_delegate.h
index 49ba1be2bca..276fe7fd4e2 100644
--- a/chromium/net/cookies/test_cookie_access_delegate.h
+++ b/chromium/net/cookies/test_cookie_access_delegate.h
@@ -23,6 +23,9 @@ class TestCookieAccessDelegate : public CookieAccessDelegate {
   // CookieAccessDelegate implementation:
   CookieAccessSemantics GetAccessSemantics(
       const CanonicalCookie& cookie) const override;
+  bool ShouldIgnoreSameSiteRestrictions(
+      const GURL& url,
+      const GURL& site_for_cookies) const override;
 
   // Sets the expected return value for any cookie whose Domain
   // matches |cookie_domain|. Pass the value of |cookie.Domain()| and any
@@ -30,11 +33,19 @@ class TestCookieAccessDelegate : public CookieAccessDelegate {
   void SetExpectationForCookieDomain(const std::string& cookie_domain,
                                      CookieAccessSemantics access_semantics);
 
+  // Sets the expected return value for ShouldAlwaysAttachSameSiteCookies.
+  // Can set schemes that always attach SameSite cookies, or schemes that always
+  // attach SameSite cookies if the request URL is secure.
+  void SetIgnoreSameSiteRestrictionsScheme(
+      const std::string& site_for_cookies_scheme,
+      bool require_secure_origin);
+
  private:
   // Discard any leading dot in the domain string.
   std::string GetKeyForDomainValue(const std::string& domain) const;
 
   std::map<std::string, CookieAccessSemantics> expectations_;
+  std::map<std::string, bool> ignore_samesite_restrictions_schemes_;
 
   DISALLOW_COPY_AND_ASSIGN(TestCookieAccessDelegate);
 };
diff --git a/chromium/net/data/fuzzer_dictionaries/net_data_url_fuzzer.dict b/chromium/net/data/fuzzer_dictionaries/net_data_url_fuzzer.dict
new file mode 100644
index 00000000000..7f40fd3633a
--- /dev/null
+++ b/chromium/net/data/fuzzer_dictionaries/net_data_url_fuzzer.dict
@@ -0,0 +1,29 @@
+# Copyright 2019 The Chromium Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+"GET"
+"HEAD"
+
+"data:"
+"data:,"
+
+"text/html"
+"text/plain"
+"image/png"
+"text/plain,"
+"charset="
+"US-ASCII"
+";charset=US-ASCII"
+
+"base64"
+"base64,"
+";base64,"
+";base64"
+
+"all"
+"%"
+","
+";"
+"%20"
+"%00"
diff --git a/chromium/net/data/fuzzer_dictionaries/net_dns_hosts_parse_fuzzer.dict b/chromium/net/data/fuzzer_dictionaries/net_dns_hosts_parse_fuzzer.dict
index dd72cefbdbe..ebda2939525 100644
--- a/chromium/net/data/fuzzer_dictionaries/net_dns_hosts_parse_fuzzer.dict
+++ b/chromium/net/data/fuzzer_dictionaries/net_dns_hosts_parse_fuzzer.dict
@@ -40,6 +40,10 @@
 "\x00\x1c\x00\x01"
 "\x00\x05\x00\x01"
 
+# ESNI (TLS 1.3 encrypted server name indication, experimental) draft 4
+# request suffix
+"\xff\x9f\x00\x01"
+
 # A, AAAA, and CNAME requests for foo and foo.com.
 "\x03foo\x00\x00\x01\x00\x01"
 "\x03foo\x00\x00\x1c\x00\x01"
@@ -48,6 +52,10 @@
 "\x03foo\x03com\x00\x00\x1c\x00\x01"
 "\x03foo\x03com\x00\x00\x05\x00\x01"
 
+# ESNI draft 4 (see above) requests for foo and foo.com
+"\x03foo\x00\xff\x9f\x00\x01"
+"\x03foo\x03com\x00\xff\x9f\x00\x01"
+
 # All of the answers below are missing the name field, which should appear
 # first.
 
@@ -66,6 +74,10 @@
 "\x00\x05\x00\x01\x00\x00\x00\xFF\x00\x05\x03bar\x00"
 "\x00\x05\x00\x01\x00\x00\x00\xFF\x00\x09\x03foo\x03com\x00"
 
+# ESNI draft 4 (see above) answer suffix, first truncated
+# (These are construted from dns_test_util's kWellFormedEsniKeys.)
+"\xff\x9f\x00\x01\x00\x00\x00\xFF\xff\x03\x00\x01\x00\x33\xff\x00\x24\x00\x1d\x00\x20\xed\xed\xc8\x68\xc1\x71\xd6\x9e\xa9\xf0\xa2\xc9\xf5\xa9\xdc\xcf\xf9\xb8\xed\x15\x5c\xc4\x5a\xec\x6f\xb2\x86\x14\xb7\x71\x1b\x7c\x00\x02"
+"\xff\x9f\x00\x01\x00\x00\x00\xFF\xff\x03\x00\x01\x00\x33\xff\x00\x24\x00\x1d\x00\x20\xed\xed\xc8\x68\xc1\x71\xd6\x9e\xa9\xf0\xa2\xc9\xf5\xa9\xdc\xcf\xf9\xb8\xed\x15\x5c\xc4\x5a\xec\x6f\xb2\x86\x14\xb7\x71\x1b\x7c\x00\x02\x13\x01\x01\x04\x00\x00"
 
 # This part has been generated with testing/libfuzzer/dictionary_generator.py
 # using net_dns_hosts_parse_fuzzer binary, RFC 1034 and RFC 1035.
diff --git a/chromium/net/data/fuzzer_dictionaries/net_dns_record_fuzzer.dict b/chromium/net/data/fuzzer_dictionaries/net_dns_record_fuzzer.dict
index eb26765b526..9793ef04faf 100644
--- a/chromium/net/data/fuzzer_dictionaries/net_dns_record_fuzzer.dict
+++ b/chromium/net/data/fuzzer_dictionaries/net_dns_record_fuzzer.dict
@@ -40,6 +40,10 @@
 "\x00\x1c\x00\x01"
 "\x00\x05\x00\x01"
 
+# ESNI (TLS 1.3 encrypted server name indication, experimental) draft 4
+# request suffix
+"\xff\x9f\x00\x01"
+
 # A, AAAA, and CNAME requests for foo and foo.com.
 "\x03foo\x00\x00\x01\x00\x01"
 "\x03foo\x00\x00\x1c\x00\x01"
@@ -48,6 +52,10 @@
 "\x03foo\x03com\x00\x00\x1c\x00\x01"
 "\x03foo\x03com\x00\x00\x05\x00\x01"
 
+# ESNI draft 4 (see above) requests for foo and foo.com
+"\x03foo\x00\xff\x9f\x00\x01"
+"\x03foo\x03com\x00\xff\x9f\x00\x01"
+
 # All of the answers below are missing the name field, which should appear
 # first.
 
@@ -66,6 +74,10 @@
 "\x00\x05\x00\x01\x00\x00\x00\xFF\x00\x05\x03bar\x00"
 "\x00\x05\x00\x01\x00\x00\x00\xFF\x00\x09\x03foo\x03com\x00"
 
+# ESNI draft 4 (see above) answer suffix, first truncated
+# (These are construted from dns_test_util's kWellFormedEsniKeys.)
+"\xff\x9f\x00\x01\x00\x00\x00\xFF\xff\x03\x00\x01\x00\x33\xff\x00\x24\x00\x1d\x00\x20\xed\xed\xc8\x68\xc1\x71\xd6\x9e\xa9\xf0\xa2\xc9\xf5\xa9\xdc\xcf\xf9\xb8\xed\x15\x5c\xc4\x5a\xec\x6f\xb2\x86\x14\xb7\x71\x1b\x7c\x00\x02"
+"\xff\x9f\x00\x01\x00\x00\x00\xFF\xff\x03\x00\x01\x00\x33\xff\x00\x24\x00\x1d\x00\x20\xed\xed\xc8\x68\xc1\x71\xd6\x9e\xa9\xf0\xa2\xc9\xf5\xa9\xdc\xcf\xf9\xb8\xed\x15\x5c\xc4\x5a\xec\x6f\xb2\x86\x14\xb7\x71\x1b\x7c\x00\x02\x13\x01\x01\x04\x00\x00"
 
 # This part has been generated with testing/libfuzzer/dictionary_generator.py
 # using net_dns_record_fuzzer binary, RFC 1034 and RFC 1035.
diff --git a/chromium/net/data/fuzzer_dictionaries/net_http_auth_handler_basic_fuzzer.dict b/chromium/net/data/fuzzer_dictionaries/net_http_auth_handler_basic_fuzzer.dict
new file mode 100644
index 00000000000..25b4ab624e5
--- /dev/null
+++ b/chromium/net/data/fuzzer_dictionaries/net_http_auth_handler_basic_fuzzer.dict
@@ -0,0 +1,9 @@
+# Copyright 2019 The Chromium Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+"realm="
+"\""
+","
+" "
+
diff --git a/chromium/net/data/fuzzer_dictionaries/net_http_auth_handler_digest_fuzzer.dict b/chromium/net/data/fuzzer_dictionaries/net_http_auth_handler_digest_fuzzer.dict
new file mode 100644
index 00000000000..12601cfad49
--- /dev/null
+++ b/chromium/net/data/fuzzer_dictionaries/net_http_auth_handler_digest_fuzzer.dict
@@ -0,0 +1,21 @@
+# Copyright 2019 The Chromium Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+"realm"
+"="
+"\""
+","
+" "
+"nonce"
+"domain"
+"opaque"
+"stale"
+"true"
+"false"
+"algorithm"
+"md5"
+"md5-sess"
+"qop"
+"auth"
+
diff --git a/chromium/net/data/fuzzer_dictionaries/net_http_content_disposition_fuzzer.dict b/chromium/net/data/fuzzer_dictionaries/net_http_content_disposition_fuzzer.dict
index d339b7ca401..34aed071211 100644
--- a/chromium/net/data/fuzzer_dictionaries/net_http_content_disposition_fuzzer.dict
+++ b/chromium/net/data/fuzzer_dictionaries/net_http_content_disposition_fuzzer.dict
@@ -13,7 +13,10 @@
 " "
 ","
 "''"
-"\n"
+
+# A newline.
+"\x0a"
+
 "?"
 "%"
 "en"
diff --git a/chromium/net/data/fuzzer_dictionaries/net_parse_data_url_fuzzer.dict b/chromium/net/data/fuzzer_dictionaries/net_parse_data_url_fuzzer.dict
deleted file mode 100644
index 1668f4cc752..00000000000
--- a/chromium/net/data/fuzzer_dictionaries/net_parse_data_url_fuzzer.dict
+++ /dev/null
@@ -1,449 +0,0 @@
-# Copyright 2016 The Chromium Authors. All rights reserved.
-# Use of this source code is governed by a BSD-style license that can be
-# found in the LICENSE file.
-
-# This file has been generated with testing/libfuzzer/dictionary_generator.py
-# using net_parse_data_url_fuzzer binary and RFC 3986.
-"all"
-"DNS"
-"text"
-"labels"
-"DQUOTE"
-"\"%D3%81%87%A4%95%81@%C2%85%81%83%88\"."
-"[RFC2234]"
-"F.,"
-"FORCE"
-"SOCIETY"
-"\"%\""
-"with"
-"cache"
-"WINS,"
-"D.1."
-"0"
-"only"
-"HTML"
-"SPONSORED"
-"[RFC1630]."
-"D.,"
-"[RFC1123]"
-"US-ASCII"
-"(STD"
-"[RFC1808],"
-"string"
-"get"
-"=="
-"H"
-"HEREIN"
-"[BCP35]"
-"SP)"
-"SCTP)"
-"(NUL)"
-"THE"
-"(URI):"
-"REPRESENTS"
-"[RFC2732]."
-"resource"
-"A.,"
-"EXPRESS"
-"list"
-"(%2E),"
-"WILL"
-"HE/SHE"
-"J."
-"INCLUDING"
-"common"
-"segment."
-"[RFC2732]"
-"(URL)\","
-"set"
-"HTTP"
-"IANA"
-"INFORMATION"
-"(%41-%5A"
-"[RFC2518]"
-"M."
-"direct"
-"sign"
-"Only"
-"Version"
-"are"
-"allowed."
-"\"X\""
-"HTTP,"
-"(SP)."
-"2DIGIT"
-"section"
-"BUT"
-"\"UTF-8,"
-"3"
-"version"
-"[RFC1034]"
-"probably"
-"[UCS],"
-"metadata"
-"Y.,"
-"C"
-"WWW\""
-"parent"
-"0X"
-"W3C/IETF"
-"S"
-"key"
-"address"
-"INPUT"
-"["
-"P."
-"WWW:"
-"AND"
-"received"
-"WWW"
-"[BCP35]."
-"MA"
-"\"AS"
-"[RFC2718]."
-"(IDNA)\","
-"implementation"
-"TCP"
-"NOT"
-"(URN)"
-"ANY"
-"[RFC1808]"
-"WARRANTY"
-"useful"
-"[RFC1737]."
-"[STD63],"
-"\"HTTP\""
-"(MIME)"
-"TELNET"
-"[RFC1630]"
-"S."
-"D.2."
-"B.,"
-"[RFC2234]."
-"[RFC2234],"
-"BCP"
-"select"
-"[STD63];"
-"use"
-"LATIN"
-"from"
-"C."
-"to"
-"WARRANTIES"
-"(MHTML)\","
-"ENGINEERING"
-"URI;"
-"."
-"few"
-"(DNS)."
-"expected"
-"USENET"
-"type"
-"empty"
-"XML"
-"URL?\","
-"W3C/MIT"
-"F"
-"CA"
-"STD:"
-"SMTP"
-"[RFC2141],"
-"N"
-"A),"
-"flag"
-"NOTE:"
-"CR"
-"MHTML"
-"BY"
-"must"
-"ANY),"
-"ALL"
-"[STD63]"
-"RIGHTS"
-"this"
-"SP"
-"[BCP19]"
-"value"
-"INFRINGE"
-"while"
-"KATAKANA"
-"resources"
-"error"
-"following"
-"example"
-"loop"
-"J.,"
-"2E:"
-"type."
-"L."
-"have"
-"%61-%7A),"
-"is"
-"allowed"
-"thus"
-"URI,"
-"parse"
-"STEP"
-"MIME"
-"UTF-8"
-"in"
-"[RFC0952]."
-"native"
-"FOR"
-"binary"
-"ISO/IEC"
-"\"A"
-"(%5F),"
-")"
-"algorithm."
-"returning"
-"\"A\","
-"[RFC2141]"
-"BUFFER"
-"ABNF"
-"[RFC2557]."
-"I."
-"WARRANTIES,"
-"URN"
-"EBCDIC"
-"A"
-"LF"
-"used"
-"http"
-"I"
-"IP"
-"IS"
-"after"
-"L"
-"Q"
-"'A'"
-"running"
-"HEXDIG"
-"such"
-"EBCDIC,"
-"data"
-"TASK"
-"a"
-"task"
-"P"
-"[ASCII]."
-"M.,"
-"Names"
-"flag."
-"the"
-"If"
-"[RFC3490]"
-"US-ASCII."
-"2C:"
-"THAT"
-"being"
-"when"
-"E.,"
-"(%2D),"
-"\"URL:\""
-"mechanism"
-"WITH"
-"its"
-"before"
-"tables"
-"[UCS]"
-"TO"
-"BNF"
-"platform"
-"internal"
-"P.,"
-"ORGANIZATION"
-"\"HTTP"
-"URI."
-"it,"
-"D"
-"format"
-"URL"
-"S.,"
-"(0"
-"URI\""
-"URI"
-"K."
-"URI:"
-"T"
-"D.W."
-"not"
-"R."
-"LIMITED"
-"\"%3A\")"
-"name"
-"OF"
-"B."
-"[RFC1736]"
-"(R),"
-"IPR"
-"[RFC1738];"
-"OUTPUT"
-"LALR"
-"OR"
-"STD"
-"[RFC3513]"
-"because"
-"bytes"
-"DNS,"
-"some"
-"back"
-"(URI)"
-"*DIGIT"
-"[RFC2046]"
-"[RFC3305]"
-"\"%7E\""
-"W3C"
-"E."
-"for"
-"space"
-"ABNF\","
-"avoid"
-"[RFC1535]."
-"/"
-"increase"
-"may"
-"time."
-"does"
-"'F'"
-"[RFC2396]"
-"be"
-"K.,"
-"DISCLAIM"
-"G"
-"(UTF-16),"
-"This"
-"M"
-"INTERNET"
-"RFC"
-"X3.4,"
-"base"
-"(T):"
-"IMPLIED,"
-"by"
-"\"URL\""
-"on"
-"DIGIT"
-"(ABNF)"
-"WEBDAV\","
-"of"
-"could"
-"R.,"
-"(ABNF:"
-"failed"
-"or"
-"1*4HEXDIG"
-"already"
-"No"
-"CAPITAL"
-"number"
-"one"
-"ISO"
-"FITNESS"
-"message"
-"open"
-"ANSI"
-"[BCP19],"
-"\"%C3%80\","
-"IETF"
-"unknown"
-"support"
-"\"URN"
-"[RFC1123]."
-"long"
-"[RFC0952]"
-"[ASCII]"
-":"
-"was"
-"[RFC3513]."
-"[RFC2718]"
-"B"
-"N."
-"that"
-"IDNA"
-"OCTET"
-"but"
-"R"
-"POSIX"
-"LETTER"
-"CONTRIBUTOR,"
-"[RFC1738]"
-"line"
-"(C)"
-"true"
-"\"URI\""
-"PARTICULAR"
-"target"
-"16"
-"default"
-"double"
-"\"URN\""
-"[RFC2557]"
-"enabled"
-"up"
-"TCP,"
-"PURPOSE."
-"MERCHANTABILITY"
-"1)"
-"IS\""
-"\"IANA"
-"called"
-"multipart"
-"and"
-"USE"
-"false"
-"(IF"
-"USA"
-"URL,"
-"an"
-"To"
-"as"
-"(%7E)"
-"at"
-"file"
-"need"
-"any"
-"\"%E3%82%A2\"."
-"physical"
-"1*HEXDIG"
-"no"
-"[RFC1737]"
-"-"
-"invalid"
-"A."
-"application"
-"valid"
-"take"
-"which"
-"test"
-"[RFC2732],"
-"you"
-"="
-"GRAVE"
-"<URI>"
-"begin"
-"[RFC2396],"
-"multiple"
-"2B:"
-"period,"
-"UDP,"
-"[RFC1535]"
-"T."
-"(UCS)\","
-"U"
-"A-F."
-"T.,"
-"The"
-"]"
-"source"
-"D."
-"persistent"
-"traditional"
-"L.,"
-"As"
-"IMPLIED"
-"(URL)"
-"ALPHA"
-"[RFC3305]."
-"H.,"
-"\"MIME"
diff --git a/chromium/net/data/proxy_resolver_perftest/no-ads.pac b/chromium/net/data/proxy_resolver_perftest/no-ads.pac
deleted file mode 100644
index e55fa0ffd7e..00000000000
--- a/chromium/net/data/proxy_resolver_perftest/no-ads.pac
+++ /dev/null
@@ -1,1362 +0,0 @@
-//////////////////////////////////////////////////////////////////////////////
-//
-// John's No-ADS proxy auto configuration script
-//	http://www.schooner.com/~loverso/no-ads/
-//	loverso@schooner.com
-//	Questions/help web forum at http://www.network54.com/Hide/Forum/223428
-//
-// Copyright 1996-2004, John LoVerso.  All Rights Reserved.
-//
-//	Permission is given to use and distribute this file, as long as this
-//	copyright message and author notice are not removed.
-//
-//	No responsibility is taken for any errors on inaccuracies inherent
-//	either to the comments or the code of this program, but if reported
-//	to me, then an attempt will be made to fix them.
-//
-// ("no monies exchanged" in Copyright clause removed 11/2001)
-//
-var noadsver = "$Id: no-ads.pac,v 5.70 2007/05/11 16:56:01 loverso Exp loverso $";
-
-// ****
-// **** If you do not use a proxy to access the Internet, then the following
-// **** line is already fine.
-// ****
-// **** If you use an a proxy to access the Internet, as required by your
-// **** ISP or firewall, then change the line below, replacing
-// **** "DIRECT" with "PROXY hostname:port", using the correct hostname:port
-// **** for your proxy server.
-// ****
-var normal = "DIRECT";
-
-// ***
-// *** If you are not using a blackhold proxy, then you can leave this
-// *** setting as is.
-// ***
-// *** Otherwise, update the next line with the correct hostname:port
-// *** of your blackhole proxy server.  If you are using Larry Wang's
-// *** BHP for Windows, you need to change the "0.0.0.0" to "127.0.0.1"
-// ***
-var blackhole = "PROXY 0.0.0.0:3421";
-
-// ***
-// *** If you need a different proxy to access local/internal hosts vs.
-// *** the rest of the Internet, set 'localproxy' to that value.  Otherwise,
-// *** 'localproxy' defaults to the same value as 'normal', so you do
-// *** not need to change anything in the normal case.
-// ***
-// *** Some typical cases:
-// ***	- 'normal' might be one proxy, and 'localproxy' might be another
-// ***	- 'normal' might be a proxy, and 'localproxy' might be "DIRECT"
-// ***
-// *** You will also need to change the LOCAL section below by adding
-// *** rules to match your local/internal hosts.
-// ***
-var localproxy = normal;
-
-// ***
-// *** 'bypass' is the preferred proxy setting for when no-ads is inactive.
-// *** Either use '= normal' or '= localproxy' (or perhaps just "DIRECT").
-// *** This only matters when you need to use a localproxy.
-// *** (You probably don't need to care about this)
-// ***
-var bypass = normal;
-
-///////////////////////////////////////////////////////////////////////////////
-//
-// This simple kludge uses a mechanism built into most browsers (IE, Netscape,
-// Mozilla, Firefox, and Opera) on most platforms to block connections to
-// banner ad servers.
-//
-// This mechanism uses the "proxy auto configuration" to blackhole requests
-// to load ad images without forcing all your traffic through an ad-blocking
-// proxy server.  Of course, unlike ad-blocking proxy servers, this does not
-// otherwise not strip cookies.
-//
-// "Proxy auto configuration" invokes the JavaScript FindProxyForURL function
-// below each time your browser requests a URL.  This works even if you have
-// JavaScript otherwise disabled in your browser!  (Which you should!)
-//
-
-//
-// Send me your additions or comments.  I'll credit you in the file.
-// (But I've removed all email addresses to stop spam harvesters).
-//
-
-
-///////////////////////////////////////////////////////////////////////////////
-//
-// These are the basic steps needed to use "no-ads.pac".
-// Detailed instructions follow below!
-//
-// 1. Save this as a file (no-ads.pac) on your local disk
-//    (or, add it to your home page, if you have one)
-// 2. Select a no-ads "blackhole".
-// 3. Configure your browser to use this file as its auto proxy configuration.
-// 4. Clear your browser's cache
-//    (or else it may still show you ads it has saved on your disk).
-//
-
-
-///////////////////////////////////////////////////////////////////////////////
-//
-// 1. SAVE THIS FILE
-//
-// Copy this file to your local machine; use your home directory (UNIX)
-// or your Desktop or C:\ directory (Windows).
-//
-
-
-
-///////////////////////////////////////////////////////////////////////////////
-//
-// 2. SELECT A NO-ADS BLACKHOLE
-//
-// You can skip this section if you are using any version of Internet Explorer.
-// You can also skip this section for Netscape 7.1, Mozilla 1.4, or
-// Firefox 1.0 (or later), as they include PAC failover support (but do
-// read the note in section "2a" below).
-//
-//
-// The basic trick of no-ads is to match the site or URL of annoying web content
-// and tell your browser to use a proxy that will deny loading of that resource
-// (image, page, etc).
-//
-// A "black-hole" proxy server is one that always denies loading a web page.
-// ("send it off to a blackhole").
-//
-// When you initially get "no-ads.pac", it is using this as the blackhole:
-//
-//	"PROXY 0.0.0.0:3421"
-//
-// This says to use the local host at a port which nothing should be listening
-// on.  Thus, this is "a server that doesn't repond."
-//
-// This is a good default for all systems, and especially Windows.
-// However, if you are using the Blackhole Proxy Server on Windows, 
-// be sure to change it to "PROXY 127.0.0.1:3421"
-//
-//
-// Some possibilities for the blackhole:
-//
-//	a. A server that doesn't respond.
-//
-//		*** This works for all versions of Internet Explorer.
-//		*** This mostly works for Mozilla, Firefox, and Netscape.
-//
-//		If you do nothing, then this is configured to direct annoying
-//		content to the proxy running on your own host at port 3421.
-//		Since you shouldn't have anything running on that port, that
-//		connection will timeout and the annoying content will never be
-//		loaded.
-//
-//		Older versions of Netscape wait to connect to the proxy server
-//		(usually it needs to load part of the image to layout the web
-//		page), and then asks if you want to disable the proxy that
-//		doesn't answer.
-//
-//		Older versions of Mozilla will give an alert saying it couldn't
-//		connect to the proxy server.
-//
-//		Mozilla 1.4+, Firefox 1.0+ and Netscape 7.1 will only give
-//		you this alert if the whole page being display is blocked,
-//		rather than just an image on that page.  Thus, I still
-//		recommend a blackhole proxy even though it isn't needed.
-//
-//		Opera will disable your auto proxy config if the proxy server
-//		doesn't respond.
-//
-//		IE doesn't care that the proxy server isn't responding.  As
-//		this avoids a connection for annoying content, it is fastest.
-//
-//	b. A simple, blackhole server
-//
-//		When needed, I run a simple "server" at port 3421 that denies
-//		all requests.  Some options you can use for this:
-//
-//		- On Windows, you can try Larry Wang's black-hole proxy program:
-//
-//			http://leisuresuit10.tripod.com/BlackHoleProxy/
-//
-//		  I can not vouch that his binaries are virus free, but he does
-//		  offer the source code.
-//
-//		- I use this shell script on UNIX; it is invoked via inetd.
-//		  /usr/local/lib/noproxy:
-//
-//			#!/bin/sh
-//			read a
-//			read b
-//			echo HTTP/1.0 501 No Ads Accepted
-//			echo ""
-//			exit
-//
-//		  Add this line to inetd.conf ('kill -HUP' inetd afterwards):
-//
-//		    3421 stream tcp nowait nobody /usr/local/lib/noproxy noproxy
-//
-//		  This simple script doesn't work on Linux because of the
-//		  (IMHO) broken way its TCP stack works.  See the bottom of
-//		  http://www.schooner.com/~loverso/no-ads/ for a complete copy
-//		  of the `noproxy' shell script.
-//
-//		  If always exec'ing a shell was expensive on your computer
-//		  (it isn't on mine), then you could use a "wait"-style Perl
-//		  script that would accept() incoming connections.
-//
-//		- Sean Burke has a black-hole proxy written in Perl script:
-//
-//		  http://www.speech.cs.cmu.edu/~sburke/pub/black_hole_http_server.pl
-//		  (This is a standalone server, not run from inetd).
-//
-//	e. A trick: use an HTTP/1.0 non-proxy server
-//
-//		An HTTP/1.0 non-proxy server will return a 501 error when
-//		given a proxy request.  Thus, just use the address of your
-//		local intranet web server as your blackhole PROXY.
-//		The downside of this is that it will probably also log an
-//		error, which wastes a small amount of resources.
-//
-//	***
-//	*** Be sure to update the "blackhole" variable above with a setting of
-//	*** "PROXY hostname:port" that matches your blackhole server!!
-//	***
-//
-//	***
-//	*** If you already use a proxy server to access the WWW,
-//	*** change the "normal" variable above from "DIRECT" to
-//	*** be "PROXY proxy:port" to match your proxy server.
-//	***
-
-
-///////////////////////////////////////////////////////////////////////////////
-//
-// 3. TO CONFIGURE YOUR BROWSER
-//
-// The Proxy Auto Configuration file can be either on the local disk or
-// accessed from a web server, with the following constraints:
-//
-//	a. IE4 can only load the PAC from a web server (http:// URL)
-//	b. Netscape, Mozilla, Firefox and IE (5 or later) can load the
-//	   PAC from anywhere.
-//	c. Netscape, Mozilla, Firefox and (probably) Opera require the correct
-//	   MIME type when loading the PAC from a web server.
-//
-//
-// To set the Proxy Auto Configuration with Netscape, Mozilla, or Firefox:
-//
-//   1. Enable Proxy Auto Config:
-//
-//	For Netsacpe/Mozilla:
-//
-//		Open "Edit->Preferences"
-//		Select "Advanced"
-//		Select "Proxies"
-//
-//	For Firefox (1.0):
-//
-//		Open "Tools->Options"
-//		Select "Coonection Settings" on the General tab:
-//
-//	Select the "Auto proxy configuration URL" option.
-//	Enter URL or path of where you've saved this file, such as:
-//
-//		http://yourserver/no-ads.pac
-//
-//	If you place this on your local disk, you should use a
-//	file: URL such as:
-//
-//		file:/home/loverso/no-ads.pac			(UNIX)
-//		file:///c:/windows/desktop/no-ads.pac		(Windows)
-//
-//	(file:/ and file:// will work in Mozilla, but file:/// is correct
-//	required for Firefox)
-//
-//   2. If you are serving this from a web server, these browsers require
-//      the correct MIME type on the file before using it.  You must configure
-//      your web server to provide a "application/x-ns-proxy-autoconfig"
-//	MIME type.
-//
-//      a. For Apache, name the file with a ".pac" extension and add this
-//	   line to the http.conf (or the .htaccess file in the same directory):
-//
-//		AddType application/x-ns-proxy-autoconfig .pac
-//
-//      b. For IIS (instructions from Kevin Roth)
-//
-//	   Open Internet Services Manager
-//	   Right click on the web site (or directory) you wish to change.
-//	   Choose Properties
-//	   Click the "HTTP Headers" tab
-//	   Click the "File Types" button in the "MIME Map" section
-//	   Click the "New Type..." button
-//	   Enter "pac" for "Associated Extension"
-//	   Enter "application/x-ns-proxy-autoconfig" for "Content Type (MIME)"
-//	   Click OK to close the Add type dialog, the MIME types dialog,
-//		and the main properties dialog.
-//
-//      (This is definately needed for NS, but not for IE)
-//
-//
-// To set the Proxy Auto Configuration with IE:
-//
-//   1. Enable Proxy Auto Config:
-//
-//	Open "Tools->Internet Options"
-//	Select "Connections" tab
-//	Click "LAN Settings"
-//		or Choose an entry from "Dial-up settings" and click "Settings"
-//
-//	On the settings dialog, select "Use automatic configuration script"
-//	Enter the URL of this file in Address field.
-//
-//		http://yourserver/no-ads.pac
-//		file:///c:/windows/desktop/no-ads.pac		(Windows)
-//
-//	You can only use a file: URL with IE5 (or later).
-//	("file:///" with with IE versions after 5.0 SP2)
-//
-//   2. Fix Security Settings (IMPORTANT):
-//
-//	Select "Security" tab
-//	Select "Local intranet"
-//	Click "Sites" box
-//	Unselect "include all sites that bypass the proxy server" option
-//
-//   3. Disable "Auto Proxy Caching" (IMPORTANT):
-//      (thanks to Kevin Roth for alerting me of this!)
-//
-//	IE contains a proxy result caching mechanism that will defeat the
-//	ability to block servers that server both ad and non-ad content.
-//	To prevent this, add the registry key described in this MS KB article:
-//
-//		http://support.microsoft.com/?kbid=271361
-//
-//	You can do so by downloading this file and clicking on it to load
-//	it into the registry.  This must be done on a per-user basis.
-//	http://www.schooner.com/~loverso/no-ads/IE-no-auto-proxy-cache.reg
-//
-//   IE doesn't currently check the MIME type of the PAC file.
-//
-//   To see some notes from MS on PAC in IE, see
-//	http://msdn.microsoft.com/library/periodic/period99/faq0599.htm
-//	(they seem to have removed this URL)
-//
-//
-// To set the Proxy Auto Configuration with Opera 6 (6.04 on Windows tested):
-//
-//   1. Enable Proxy Auto Config:
-//	Open the Preferences (Alt-P)
-//	Select "Network"
-//	Click the "Proxy servers" box
-//	Select "Use automatic proxy configuration"
-//	Enter the URL of this file as
-//
-//		http://yourserver/no-ads.pac
-//		file://c:/windows/desktop/no-ads.pac
-//
-//	(file:/// might be needed; I've not tested Opera lately)
-//
-//   2. You must use a blackhole proxy for Opera (it will not work with an
-//	address of a server that does not respond).
-//
-//   3. Be sure to clear the cache and exit/restart Opera.
-//
-
-
-///////////////////////////////////////////////////////////////////////////////
-//
-// 4. CLEAR YOUR BROWSER'S CACHE
-//
-// For Internet Explorer:
-//
-//	Open "Tools->Internet Options"
-//	Select "Delete Files" under "Temporary Internet Files"
-//	Click "OK"
-//
-// For Mozilla/Netscape Navigator:
-//
-//	Open "Edit->Preferences"
-//	Select "Advanced"
-//	Select "Proxies"
-//	Click "Clear Disk Cache"
-//	Click "Clear Memory Cache"
-//
-// For Firefox:
-//
-//	Open "Tools->Options"
-//	Select the "Privay" tab
-//	Scroll down or go to the "Cache" section
-//	Click "Clear"
-//
-// For Opera:
-//
-//	Open "File->Preferences"
-//	Select "History and cache"
-//	Click "Empty now"
-//
-
-
-///////////////////////////////////////////////////////////////////////////////
-//
-// To see the definition of this page's JavaScript contents, see
-//
-//	http://home.netscape.com/eng/mozilla/2.0/relnotes/demo/proxy-live.html
-//
-// Microsoft includes this in their KB article:
-//
-//	http://support.microsoft.com/support/kb/articles/Q209/2/66.ASP
-//
-// Special PAC functions:
-// Hostname:
-//	isPlainHostName(host)
-//	dnsDomainIs(host, domain)
-//	localHostOrDomainIs(host, hostdom)
-//	isResolvable(host)
-//	isInNet(host, pattern, mask)
-// Utility:
-//	dnsResolve(host)
-//	myIpAddress()
-//	dnsDomainLevels(host)
-// URL:
-//	shExpMatch(str, shexp)
-// Time:
-//	weekdayRange(wd1, wd2, gmt)
-//	dateRange(...)
-//	timeRange(...)
-//
-// Other functions and methods that may work:
-//	http://developer.netscape.com/docs/manuals/communicator/jsref/win1.htm
-//	Note that "alert()" only works with Netscape4 and IE, and Mozilla 1.4+.
-//
-// NOTE:
-//	isInNet() will resolve a hostname to an IP address, and cause
-//	hangs on Mozilla/Firefox.  Currently, these are stubbed out and replaced
-//	with shExpMatch(host, "a.b.c.*"), which doesn't do the same thing,
-//	but is sufficient for these purposes.
-//
-// Additional Mozilla/Firefox comments:
-//
-//	All the above PAC functions are implemented in JavaScript,
-//	and are added to the body of your PAC file when it is loaded.
-//	See the "components/nsProxyAutoConfig.js" browser install
-//	directory.
-//
-//	- shExpMatch() is implemented as three pattern.replaces()
-//		 followed by a call to RegExp()  (SLOW)
-//	- isPlainHostname() just checks for lack of "." in the string
-//	- dnsDomainIs() just matches strings exactly
-//	- alert() is bound to this.proxyAlert(), which displays a message
-//		in the JavaScript console window
-
-///////////////////////////////////////////////////////////////////////////////
-//
-// Regular Expressions
-//
-// Angus Turnbull pointed out the JavaScript 1.2 RE operators to me.
-// These should work in NS4 and IE4 (or later), but I have only tested on
-// Mozilla (1.3), IE5.5, and IE6.  PLEASE TELL ME IF IT WORKS FOR YOU!
-//
-// A good introduction is at:
-//	http://www.evolt.org/article/Regular_Expressions_in_JavaScript/17/36435/
-// Some references:
-//	(old Netscape documentation is gone)
-//	http://devedge.netscape.com/library/manuals/2000/javascript/1.5/reference/regexp.html
-//	http://developer.netscape.com/docs/manuals/js/client/jsref/regexp.htm
-//	http://www.webreference.com/js/column5/
-//	http://msdn.microsoft.com/library/default.asp?url=/library/en-us/script56/html/js56jsobjRegExpression.asp
-//	http://msdn.microsoft.com/library/default.asp?url=/library/en-us/script56/html/js56jsgrpRegExpSyntax.asp
-// Real-time evaluator:
-//	http://www.cuneytyilmaz.com/prog/jrx/
-//
-// I'm slowly replacing multiple glob patterns with regexps.
-// By using RE literals of /.../ rather than the constructor 'new RegExp()',
-// the regexps should be compiled as no-ads.pac is loaded.
-// 
-// Important notes:
-// -	if using the constructor, \ needs to be quoted; thus "\\." is used
-//	to match a literal '.'.  In the RE literal form, I need to end up
-//	quoting any / for a URL path.
-// -    Avoid these for now; they are broken or not supported in "older"
-//	browsers such as NS4 and IE4:
-//	- look-aheads (?=pat)
-//	- non-greedy ? - a ? that follows *,+,?, and {}; (s)? is NOT non-greedy
-//
-
-// matches several common URL paths for ad images:
-// such as: /banner/ /..._banner/ /banner_...
-// but matches several words and includes plurals
-var re_banner = /\/(.*_){0,1}(ad|adverts?|adimage|adframe|adserver|admentor|adview|banner|popup|popunder)(s)?[_.\/]/i;
-
-// matches host names staring with "ad" but not (admin|add|adsl)
-// or any hostname starting with "pop", "clicks", and "cash"
-// or any hostname containing "banner"
-// ^(ad(s)?.{0,4}\.|pop|click|cash|[^.]*banner|[^.]*adserv)
-// ^(ad(?!(min|sl|d\.))|pop|click|cash|[^.]*banner|[^.]*adserv)
-// ^(ad(?!(min|sl|d\.))|pop|click|cash|[^.]*banner|[^.]*adserv|.*\.ads\.)
-var re_adhost = /^(www\.)?(ad(?!(ult|obe.*|min|sl|d|olly.*))|tology|pop|click|cash|[^.]*banner|[^.]*adserv|.+\.ads?\.)/i;
-
-// neg:
-//	admin.foobar.com
-//	add.iahoo.com
-//	adsl.allow.com
-//	administration.all.net
-// pos:
-//	fire.ads.ighoo.com
-//	ads.foo.org
-//	ad0121.aaaa.com
-//	adserver.goo.biz
-//	popup.foo.bar
-
-///////////////////////////////////////////////////////////////////////////////
-
-var isActive = 1;
-
-function FindProxyForURL(url, host)
-{
-    // debug
-    // alert("checking: url=" + url + ", host=" + host);
-
-    // Excellent kludge from Sean M. Burke:
-    // Enable or disable no-ads for the current browser session.
-    //
-    // To disable, visit this URL:		http://no-ads.int/off
-    // To re-enable, visit this URL:		http://no-ads.int/on
-    //
-    // (this will not work with Mozilla or Opera if the alert()s are present)
-    //
-    // This happens before lowercasing the URL, so make sure you use lowercase!
-    //
-    if (shExpMatch(host, "no-ads.int")) {
-        if (shExpMatch(url, "*/on*")) {
-	    isActive = 1;
-	    //alert("no-ads is enabled.\n" + url);
-	} else if (shExpMatch(url, "*/off*")) {
-	    isActive = 0;
-	    //alert("no-ads has been disabled.\n" + url);
-	} else if (shExpMatch(url, "*no-ads.int/")) {
-	    alert("no-ads is "+(isActive ? "enabled" : "disabled")+".\n" + url);
-	} else {
-	    alert("no-ads unknown option.\n" + url);
-	}
-
-	return blackhole;
-    }
-
-    if (!isActive) {
-	// alert("allowing (not active): return " + bypass);
-	return bypass;
-    }
-
-    // Suggestion from Quinten Martens
-    // Make everything lower case.
-    // WARNING: all shExpMatch rules following MUST be lowercase!
-    url = url.toLowerCase();
-    host = host.toLowerCase();
-
-    //
-    // Local/Internal rule
-    // matches to this rule get the 'local' proxy.
-    // Adding rules here enables the use of 'local'
-    //
-    if (0
-	// LOCAL
-	// add rules such as:
-  	//	|| dnsDomainIs(host, "schooner.com")
-	//	|| isPlainHostName(host)
-	// or for a single host
-	//	|| (host == "some-local-host")
-	) {
-	// alert("allowing (local): return " + localproxy);
-	return localproxy;
-    }
-
-    //
-    // Whitelist section from InvisiBill
-    //
-    // Add sites here that should never be matched for ads.
-    //
-    if (0
-	// WHITELIST
-    	// To add whitelist domains, simple add a line such as:
-  	//	|| dnsDomainIs(host, "schooner.com")
-	// or for a single host
-	//	|| (host == "some-host-name")
-
-	// Note: whitelisting schooner.com will defeat the "is-it-working"
-	// test page at http://www.schooner.com/~loverso/no-ads/ads/
-
-	// Apple.com "Switch" ads
-	|| shExpMatch(url, "*.apple.com/switch/ads/*")
-
-	// SprintPCS
-	|| dnsDomainIs(host, ".sprintpcs.com")
-
-	// Lego
-	|| dnsDomainIs(host, ".lego.com")
-
-	// Dell login popups
-	|| host == "ecomm.dell.com"
-
-	|| host == "click2tab.mozdev.org"
-	|| host == "addons.mozilla.org"
-
-	// Uncomment for metacrawler
-	// || (host == "clickit.go2net.com")
-
-        // Wunderground weather station banners
-	|| shExpMatch(url, "*banners.wunderground.com/cgi-bin/banner/ban/wxbanner*")
-	|| shExpMatch(url, "*banners.wunderground.com/weathersticker/*")
-	) {
-	// alert("allowing (whitelist): return " + normal);
-	return normal;
-    }
-
-    // To add more sites, simply include them in the correct format.
-    //
-    // The sites below are ones I currently block.  Tell me of others you add!
-
-    if (0
-	// BLOCK
-	// Block IE4/5 "favicon.ico" fetches
-	// (to avoid being tracked as having bookmarked the site)
-	|| shExpMatch(url, "*/favicon.ico")
-
-	//////
-	//
-	// Global Section
-	// tries to match common names
-	//
-
-	// RE for common URL paths
-	|| re_banner.test(url)
-
-	// RE for common adserver hostnames.
-	// The regexp matches all hostnames starting with "ad" that are not
-	//	admin|add|adsl
-	// (replaces explicit shExpMatch's below)
-	|| re_adhost.test(host)
-
-//	|| (re_adhost.test(host)
-//	    && !(
-//	        shExpMatch(host, "add*")
-//	     || shExpMatch(host, "admin*")
-//	     || shExpMatch(host, "adsl*")
-//	   )
-//	)
-//	// or any subdomain "ads"
-//	|| (dnsDomainLevels(host) > 2 && shExpMatch(host, "*.ads.*"))
-
-	//////
-	//
-	// banner/ad organizations
-	// Just delete the entire namespace
-	//
-
-        // doubleclick
-	|| dnsDomainIs(host, ".doubleclick.com")
-        || dnsDomainIs(host, ".doubleclick.net")
-        || dnsDomainIs(host, ".rpts.net")
-	|| dnsDomainIs(host, ".2mdn.net")
-	|| dnsDomainIs(host, ".2mdn.com")
-
-	// these set cookies
-	|| dnsDomainIs(host, ".globaltrack.com")
-	|| dnsDomainIs(host, ".burstnet.com")
-	|| dnsDomainIs(host, ".adbureau.net")
-	|| dnsDomainIs(host, ".targetnet.com")
-	|| dnsDomainIs(host, ".humanclick.com")
-	|| dnsDomainIs(host, ".linkexchange.com")
-
-	|| dnsDomainIs(host, ".fastclick.com")
-	|| dnsDomainIs(host, ".fastclick.net")
-
-        // one whole class C full of ad servers (fastclick)
-	// XXX this might need the resolver
-//        || isInNet(host, "205.180.85.0", "255.255.255.0")
-	|| shExpMatch(host, "205.180.85.*")
-
-	// these use 1x1 images to track you
-	|| dnsDomainIs(host, ".admonitor.com")
-	|| dnsDomainIs(host, ".focalink.com")
-
-	|| dnsDomainIs(host, ".websponsors.com")
-	|| dnsDomainIs(host, ".advertising.com")
-	|| dnsDomainIs(host, ".cybereps.com")
-	|| dnsDomainIs(host, ".postmasterdirect.com")
-	|| dnsDomainIs(host, ".mediaplex.com")
-	|| dnsDomainIs(host, ".adtegrity.com")
-	|| dnsDomainIs(host, ".bannerbank.ru")
-	|| dnsDomainIs(host, ".bannerspace.com")
-	|| dnsDomainIs(host, ".theadstop.com")
-	|| dnsDomainIs(host, ".l90.com")
-	|| dnsDomainIs(host, ".webconnect.net")
-	|| dnsDomainIs(host, ".avenuea.com")
-	|| dnsDomainIs(host, ".flycast.com")
-	|| dnsDomainIs(host, ".engage.com")
-	|| dnsDomainIs(host, ".imgis.com")
-	|| dnsDomainIs(host, ".datais.com")
-	|| dnsDomainIs(host, ".link4ads.com")
-	|| dnsDomainIs(host, ".247media.com")
-	|| dnsDomainIs(host, ".hightrafficads.com")
-	|| dnsDomainIs(host, ".tribalfusion.com")
-	|| dnsDomainIs(host, ".rightserve.net")
-	|| dnsDomainIs(host, ".admaximize.com")
-	|| dnsDomainIs(host, ".valueclick.com")
-	|| dnsDomainIs(host, ".adlibris.se")
-	|| dnsDomainIs(host, ".vibrantmedia.com")
-	|| dnsDomainIs(host, ".coremetrics.com")
-	|| dnsDomainIs(host, ".vx2.cc")
-	|| dnsDomainIs(host, ".webpower.com")
-	|| dnsDomainIs(host, ".everyone.net")
-	|| dnsDomainIs(host, ".zedo.com")
-	|| dnsDomainIs(host, ".bigbangmedia.com")
-	|| dnsDomainIs(host, ".ad-annex.com")
-	|| dnsDomainIs(host, ".iwdirect.com")
-	|| dnsDomainIs(host, ".adlink.de")
-	|| dnsDomainIs(host, ".bidclix.net")
-	|| dnsDomainIs(host, ".webclients.net")
-	|| dnsDomainIs(host, ".linkcounter.com")
-	|| dnsDomainIs(host, ".sitetracker.com")
-	|| dnsDomainIs(host, ".adtrix.com")
-	|| dnsDomainIs(host, ".netshelter.net")
-	|| dnsDomainIs(host, ".rn11.com")
-	// http://vpdc.ru4.com/content/images/66/011.gif
-	|| dnsDomainIs(host, ".ru4.com")
-	// no '.' for rightmedia.net
-	|| dnsDomainIs(host, "rightmedia.net")
-	|| dnsDomainIs(host, ".casalemedia.com")
-	|| dnsDomainIs(host, ".casalemedia.com")
-
-	// C-J
-	|| dnsDomainIs(host, ".commission-junction.com")
-	|| dnsDomainIs(host, ".qkimg.net")
-	// emjcd.com ... many others
-
-	// */adv/*
-	|| dnsDomainIs(host, ".bluestreak.com")
-
-	// Virtumundo -- as annoying as they get
-	|| dnsDomainIs(host, ".virtumundo.com")
-	|| dnsDomainIs(host, ".treeloot.com")
-	|| dnsDomainIs(host, ".memberprize.com")
-
-	// internetfuel and _some_ of the sites they redirect to
-	// (more internetfuel - from Sam G)
-	|| dnsDomainIs(host, ".internetfuel.net")
-	|| dnsDomainIs(host, ".internetfuel.com")
-	|| dnsDomainIs(host, ".peoplecaster.com")
-	|| dnsDomainIs(host, ".cupidsdatabase.com")
-	|| dnsDomainIs(host, ".automotive-times.com")
-	|| dnsDomainIs(host, ".healthy-lifetimes.com")
-	|| dnsDomainIs(host, ".us-world-business.com")
-	|| dnsDomainIs(host, ".internet-2-web.com")
-	|| dnsDomainIs(host, ".my-job-careers.com")
-	|| dnsDomainIs(host, ".freeonline.com")
-	|| dnsDomainIs(host, ".exitfuel.com")
-	|| dnsDomainIs(host, ".netbroadcaster.com")
-	|| dnsDomainIs(host, ".spaceports.com")
-	|| dnsDomainIs(host, ".mircx.com")
-	|| dnsDomainIs(host, ".exitchat.com")
-	|| dnsDomainIs(host, ".atdmt.com")
-	|| dnsDomainIs(host, ".partner2profit.com")
-	|| dnsDomainIs(host, ".centrport.net")
-	|| dnsDomainIs(host, ".centrport.com")
-	|| dnsDomainIs(host, ".rampidads.com")
-
-	//////
-	//
-	// banner servers
-	// (typically these set cookies or serve animated ads)
-	//
-
-	|| dnsDomainIs(host, "commonwealth.riddler.com")
-	|| dnsDomainIs(host, "banner.freeservers.com")
-	|| dnsDomainIs(host, "usads.futurenet.com")
-	|| dnsDomainIs(host, "banners.egroups.com")
-	|| dnsDomainIs(host, "ngadclient.hearme.com")
-	|| dnsDomainIs(host, "affiliates.allposters.com")
-	|| dnsDomainIs(host, "adincl.go2net.com")
-	|| dnsDomainIs(host, "webads.bizservers.com")
-	|| dnsDomainIs(host, ".addserv.com")
-	|| dnsDomainIs(host, ".falkag.net")
-	|| (host == "promote.pair.com")
-
-	// marketwatch.com (flash ads), but CSS get loaded
-	|| (dnsDomainIs(host, ".mktw.net")
-	    && !shExpMatch(url, "*/css/*"))
-	|| dnsDomainIs(host, ".cjt1.net")
-	|| dnsDomainIs(host, ".bns1.net")
-	
-	// "undergroundonline"
-	// comes from iframe with this url: http://mediamgr.ugo.com/html.ng/size=728x90&affiliate=megagames&channel=games&subchannel=pc&Network=affiliates&rating=g
-	|| dnsDomainIs(host, "image.ugo.com")
-	|| dnsDomainIs(host, "mediamgr.ugo.com")
-
-	// web ads and "cheap Long Distance"
-	|| dnsDomainIs(host, "zonecms.com")
-	|| dnsDomainIs(host, "zoneld.com")
-
-	// AOL
-	|| dnsDomainIs(host, ".atwola.com")
-	|| dnsDomainIs(host, "toolbar.aol.com")
-
-	// animated ads shown at techbargains
-	|| (dnsDomainIs(host, ".overstock.com")
-	    && shExpMatch(url, "*/linkshare/*"))
-	|| (dnsDomainIs(host, ".supermediastore.com")
-	    && shExpMatch(url, "*/lib/supermediastore/*"))
-	|| (dnsDomainIs(host, ".shop4tech.com")
-	    && shExpMatch(url, "*/assets/*"))
-	|| (dnsDomainIs(host, ".softwareandstuff.com")
-	    && shExpMatch(url, "*/media/*"))
-	|| (dnsDomainIs(host, ".buy.com")
-	    && shExpMatch(url, "*/affiliate/*"))
-
-	|| (dnsDomainIs(host, "pdaphonehome.com")
-	    && (shExpMatch(url, "*/pocketpcmagbest.gif")
-		|| shExpMatch(url, "*/link-msmobiles.gif")))
-	|| (dnsDomainIs(host, "ppc4you.com")
-	    && shExpMatch(url, "*/ppc_top_sites.gif"))
-
-	// more animated ads... these really drive me crazy
-	|| (dnsDomainIs(host, ".freewarepalm.com")
-	    && shExpMatch(url, "*/sponsors/*"))
-
-	//////
-	//
-	// popups/unders
-	//
-
-	|| dnsDomainIs(host, "remotead.cnet.com")
-	|| dnsDomainIs(host, ".1st-dating.com")
-	|| dnsDomainIs(host, ".mousebucks.com")
-	|| dnsDomainIs(host, ".yourfreedvds.com")
-	|| dnsDomainIs(host, ".popupsavings.com")
-	|| dnsDomainIs(host, ".popupmoney.com")
-	|| dnsDomainIs(host, ".popuptraffic.com")
-	|| dnsDomainIs(host, ".popupnation.com")
-	|| dnsDomainIs(host, ".infostart.com")
-	|| dnsDomainIs(host, ".popupad.net")
-	|| dnsDomainIs(host, ".usapromotravel.com")
-	|| dnsDomainIs(host, ".goclick.com")
-	|| dnsDomainIs(host, ".trafficwave.net")
-	|| dnsDomainIs(host, ".popupad.net")
-	|| dnsDomainIs(host, ".paypopup.com")
-
-	// Popups from ezboard
-	|| dnsDomainIs(host, ".greenreaper.com")
-	|| dnsDomainIs(host, ".spewey.com")
-	|| dnsDomainIs(host, ".englishharbour.com")
-	|| dnsDomainIs(host, ".casino-trade.com")
-	|| dnsDomainIs(host, "got2goshop.com")
-	// more ezboard crud (from Miika Asunta)
-	|| dnsDomainIs(host, ".addynamix.com")
-	|| dnsDomainIs(host, ".trafficmp.com")
-	|| dnsDomainIs(host, ".makingmoneyfromhome.net")
-	|| dnsDomainIs(host, ".leadcart.com")
-
-	// http://www.power-mark.com/js/popunder.js
-	|| dnsDomainIs(host, ".power-mark.com")
-
-	//////
-	//
-	// User tracking (worse than ads) && hit counting "services"
-	//
-
-	// "web trends live"
-	|| dnsDomainIs(host, ".webtrendslive.com")
-	|| dnsDomainIs(host, ".wtlive.com")
-
-	// 1x1 tracking images
-	// ** (but also used in some pay-for-clicks that I want to follow,
-	// **  so disabled for now.  9/2001)
-	// || dnsDomainIs(host, "service.bfast.com")
-
-	// one whole class C full of ad servers
-	// XXX this might need the resolver
-//	|| isInNet(host, "66.40.16.0", "255.255.255.0")
-	|| shExpMatch(host, "66.40.16.*")
-
-	|| dnsDomainIs(host, ".web-stat.com")
-	|| dnsDomainIs(host, ".superstats.com")
-	|| dnsDomainIs(host, ".allhits.ru")
-	|| dnsDomainIs(host, ".list.ru")
-	|| dnsDomainIs(host, ".counted.com")
-	|| dnsDomainIs(host, ".rankyou.com")
-	|| dnsDomainIs(host, ".clickcash.com")
-	|| dnsDomainIs(host, ".clickbank.com")
-	|| dnsDomainIs(host, ".paycounter.com")
-	|| dnsDomainIs(host, ".cashcount.com")
-	|| dnsDomainIs(host, ".clickedyclick.com")
-	|| dnsDomainIs(host, ".clickxchange.com")
-	|| dnsDomainIs(host, ".sitestats.com")
-	|| dnsDomainIs(host, ".site-stats.com")
-	|| dnsDomainIs(host, ".hitbox.com")
-	|| dnsDomainIs(host, ".exitdirect.com")
-	|| dnsDomainIs(host, ".realtracker.com")
-	|| dnsDomainIs(host, ".etracking.com")
-	|| dnsDomainIs(host, ".livestat.com")
-	|| dnsDomainIs(host, ".spylog.com")
-	|| dnsDomainIs(host, ".freestats.com")
-	|| dnsDomainIs(host, ".addfreestats.com")
-	|| dnsDomainIs(host, ".topclicks.net")
-	|| dnsDomainIs(host, ".mystat.pl")
-	|| dnsDomainIs(host, ".hitz4you.de")
-	|| dnsDomainIs(host, ".hitslink.com")
-	|| dnsDomainIs(host, ".thecounter.com")
-	|| dnsDomainIs(host, ".roiservice.com")
-	|| dnsDomainIs(host, ".overture.com")
-	|| dnsDomainIs(host, ".xiti.com")
-	|| dnsDomainIs(host, ".cj.com")
-	|| dnsDomainIs(host, ".anrdoezrs.net")
-	|| dnsDomainIs(host, ".hey.it")
-	|| dnsDomainIs(host, ".ppctracking.net")
-	|| dnsDomainIs(host, ".darkcounter.com")
-	|| dnsDomainIs(host, ".2o7.com")
-	|| dnsDomainIs(host, ".2o7.net")
-	|| dnsDomainIs(host, ".gostats.com")
-	|| dnsDomainIs(host, ".everstats.com")
-	|| dnsDomainIs(host, ".onestat.com")
-	|| dnsDomainIs(host, ".statcounter.com")
-	|| dnsDomainIs(host, ".trafic.ro")
-	|| dnsDomainIs(host, ".exitexchange.com")
-
-	// clickability, via CNN
-	|| dnsDomainIs(host, ".clickability.com")
-	|| dnsDomainIs(host, ".savethis.com")
-
-	//////
-	//
-	// Dead domain parking
-	//
-	|| dnsDomainIs(host, ".netster.com")
-
-	//////
-	//
-	// Search engine "optimizers"
-	//
-	|| dnsDomainIs(host, ".searchmarketing.com")
-
-	//////
-	//
-	// Spyware/worms
-	//
-
-	|| dnsDomainIs(host, ".friendgreetings.com")
-	|| dnsDomainIs(host, ".permissionedmedia.com")
-	|| dnsDomainIs(host, ".searchbarcash.com")
-
-	//////
-	//
-	// "Surveys"
-	//
-
-	|| dnsDomainIs(host, ".zoomerang.com")
-
-	//////
-	//
-	// "Casino" ads (scams)
-	//
-
-	|| dnsDomainIs(host, ".aceshigh.com")
-	|| dnsDomainIs(host, ".idealcasino.net")
-	|| dnsDomainIs(host, ".casinobar.net")
-	|| dnsDomainIs(host, ".casinoionair.com")
-
-	|| (dnsDomainIs(host, ".go2net.com")
-	    && shExpMatch(url, "*adclick*")
-	)
-
-	//////
-	//
-	// Spammers
-	//
-
-	|| dnsDomainIs(host, ".licensed-collectibles.com")
-	|| dnsDomainIs(host, ".webdesignprofessional.com")
-
-	//////
-	//
-	// Directed at extra annoying places
-	//
-
-	// Attempts to download ad-supported spyware without asking first
-	|| dnsDomainIs(host, ".gator.com")
-
-	// ebay
-	|| ((dnsDomainIs(host, "pics.ebay.com")
-	     || dnsDomainIs(host, "pics.ebaystatic.com"))
-	    && shExpMatch(url, "*/pics/mops/*/*[0-9]x[0-9]*")
-	)
-	|| (dnsDomainIs(host, "ebayobjects.com")
-	    && shExpMatch(url, "*search/keywords*")
-	)
-	|| dnsDomainIs(host, "admarketplace.com")
-	|| dnsDomainIs(host, "admarketplace.net")
-
-	// Bravenet & Ezboard
-	|| (dnsDomainIs(host, ".ezboard.com")
-	    && shExpMatch(url, "*/bravenet/*")
-	)
-	|| (dnsDomainIs(host, ".bravenet.com")
-	    && (   shExpMatch(host, "*counter*")
-		|| shExpMatch(url, "*/jsbanner*")
-	        || shExpMatch(url, "*/bravenet/*")
-	    )
-	)
-
-	// GeoCities
-	// (checking "toto" from Prakash Persaud)
-	|| ((   dnsDomainIs(host,"geo.yahoo.com")
-	     || dnsDomainIs(host,".geocities.com"))
-	    && (
-		   shExpMatch(url,"*/toto?s*")
-		|| shExpMatch(url, "*geocities.com/js_source*")
-		|| dnsDomainIs(host, "visit.geocities.com")
-	    )
-	)
-
-	// Yahoo ads (direct and via Akamai)
-	// http://us.a1.yimg.com/us.yimg.com/a/...
-	|| (dnsDomainIs(host,"yimg.com")
-	    && (   shExpMatch(url,"*yimg.com/a/*")
-		|| shExpMatch(url,"*yimg.com/*/adv/*")
-	    )
-	)
-	// "eyewonder" ads at Yahoo
-	|| dnsDomainIs(host,"qz3.net")
-	|| dnsDomainIs(host,".eyewonder.com")
-
-	// background ad images
-	|| dnsDomainIs(host,"buzzcity.com")
-
-	// FortuneCity - ads and tracking
-	|| (dnsDomainIs(host,".fortunecity.com")
-	    && (    shExpMatch(url,"*/js/adscript*")
-		 || shExpMatch(url,"*/js/fctrack*")
-	    )
-	)
-
-	// zdnet
-	// tracking webbugs:
-	// http://gserv.zdnet.com/clear/ns.gif?a000009999999999999+2093
-	|| (dnsDomainIs(host, ".zdnet.com")
-	    && (   dnsDomainIs(host, "ads3.zdnet.com")
-		|| host == "gserv.zdnet.com"
-		|| shExpMatch(url, "*/texis/cs/ad.html")
-		|| shExpMatch(url, "*/adverts")
-	     )
-	)
-
-	// cnet
-	// web bugs and ad redirections
-	// taken care of by hostname rules:
-	//	http://adimg.com.com/...
-	//	http://adlog.com.com/...
-	// http://dw.com.com/clear/c.gif
-	// http://dw.com.com/redir?astid=2&destUrl=http%3A%2F%2Fwww.buy ...
-	// http://mads.com.com/mac-ad?...
-	|| (host == "dw.com.com" || host == "mads.com.com")
-	|| (dnsDomainIs(host, ".com.com")
-	    && (   host == "dw.com.com"
-		|| host == "mads.com.com"
-	     )
-	)
-
-	// nytimes
-	|| (dnsDomainIs(host, ".nytimes.com")
-	    && shExpMatch(url,"*/adx/*")
-	)
-
-	// pop-after
-	|| dnsDomainIs(host, ".unicast.net")
-
-
-	// Be Free affiliate ads
-	|| dnsDomainIs(host, ".reporting.net")
-	|| dnsDomainIs(host, ".affliate.net")
-	|| (dnsDomainIs(host, ".akamai.net")
-	    && shExpMatch(url, "*.affiliate.net/*")
-	)
-
-	// Infospace.com popunder
-	// for "webmarket.com" & "shopping.dogpile.com" -- just say no!
-	|| (dnsDomainIs(host, ".infospace.com")
-	    && shExpMatch(url, "*/goshopping/*")
-	)
-	|| dnsDomainIs(host, ".webmarket.com")
-	|| dnsDomainIs(host, "shopping.dogpile.com")
-
-	// goto.com popunder for information.gopher.com
-	|| dnsDomainIs(host, "information.gopher.com")
-
-	// About.com popunder and floating ad bar
-	|| (dnsDomainIs(host, ".about.com")
-	    && (0
-	    || shExpMatch(url, "*/sprinks/*")
-	    || shExpMatch(url, "*about.com/0/js/*")
-	    || shExpMatch(url, "*about.com/f/p/*")
-	    )
-	)
-
-	// Dell
-	|| (dnsDomainIs(host, ".dell.com")
-	    && shExpMatch(url, "*/images/affiliates/*")
-	)
-
-	// IFilm iframes
-	|| (dnsDomainIs(host, ".ifilm.com")
-	    && (shExpMatch(url, "*/partners/*")
-	        || shExpMatch(url, "*/redirect*")
-	    )
-	)
-
-	// tomshardware
-	// they are most annoying:
-	// - cookies on their background images to track you
-	// - looping shockwave ads
-	// this kills most of the crud
-//	     || isInNet(host, "216.92.21.0", "255.255.255.0")
-	|| ((dnsDomainIs(host, ".tomshardware.com")
-	     || shExpMatch(host, "216.92.21.*"))
-	    && (   shExpMatch(url, "*/cgi-bin/banner*")
-	        || shExpMatch(url, "*/cgi-bin/bd.m*")
-	        || shExpMatch(url, "*/images/banner/*")
-	    )
-	)
-
-	|| shExpMatch(url, "*mapsonus.com/ad.images*")
-
-	// Slashdot: added these when I saw hidden 1x1 images with cookies
-	|| dnsDomainIs(host, "adfu.blockstackers.com")
-	|| (dnsDomainIs(host, "slashdot.org")
-	    && (
-	           shExpMatch(url, "*/slashdot/pc.gif*")
-		|| shExpMatch(url, "*/pagecount.gif*")
-		|| shExpMatch(url, "*/adlog.pl*")
-	    )
-        )
-	|| dnsDomainIs(host, "googlesyndication.com")
-	|| dnsDomainIs(host, "google-analytics.com")
-
-	// it-aint-cool.com
-	|| (dnsDomainIs(host, "aintitcool.com")
-	    && (
-	           shExpMatch(url, "*/newline/*")
-		|| shExpMatch(url, "*/drillteammedia/*")
-		|| shExpMatch(url, "*/foxsearchlight/*")
-		|| shExpMatch(url, "*/media/aol*")
-		|| shExpMatch(url, "*swf")
-	    )
-	)
-
-	// Staples & CrossMediaServices
-	|| (dnsDomainIs(host, ".staples.com")
-	    && shExpMatch(url, "*/pixeltracker/*")
-	)
-	|| dnsDomainIs(host, "pt.crossmediaservices.com")
-
-	// OfficeMax affiliate art (affArt->affart because of toLowerCase)
-	|| (dnsDomainIs(host, ".officemax.com")
-	    && shExpMatch(url, "*/affart/*")
-	)
-
-	// complicated JavaScript for directed ads!
-// 1/5/2004: allow /js/ as they now use it for graphs
-//	|| (dnsDomainIs(host, ".anandtech.com")
-//	    && (shExpMatch(url,"*/js/*")
-//	        || shExpMatch(url,"*/bnr_*")
-//	    )
-//	)
-
-	// hardocp
-	// http://65.119.30.151/UploadFilesForNewegg/onlineads/newegg728hardocp.swf
-	|| (host == "hera.hardocp.com")
-	|| shExpMatch(url,"*/onlineads/*")
-
-	// complicated JavaScript for gliding ads!
-	|| (dnsDomainIs(host, ".fatwallet.com")
-	    && shExpMatch(url,"*/js/*")
-	)
-
-	// cnet ads
-	|| dnsDomainIs(host, "promo.search.com")
-
-	// IMDB celeb photos
-	// (Photos/CMSIcons->photos/cmsicons because of toLowerCase)
-	|| (dnsDomainIs(host, "imdb.com")
-	    && (   shExpMatch(url, "*/photos/cmsicons/*")
-	        || shExpMatch(url, "*/icons/*/celeb/*")
-	        || shExpMatch(url, "*.swf")
-	    )
-	)
-	// incredibly annoying IMDB shock/flash ads
-	|| dnsDomainIs(host, "kliptracker.com")
-	|| dnsDomainIs(host, "klipmart.com")
-
-	|| host == "spinbox.techtracker.com"
-
-	// Amazon affiliate 'search'. retrieves a JS that writes new HTML
-	// that references one or more images "related to your search".
-	// (If there is a real use for rcm.amazon.com, let me know)
-	// http://rcm.amazon.com/e/cm?t=starlingtechnolo&amp;l=st1&amp;search=cynicism&amp;mode=books&amp;p=11&amp;o=1&amp;bg1=CEE7FF&amp;fc1=000000&amp;lc1=083194&amp;lt1=_blank
-	|| host == "rcm.amazon.com"
-
-	//////
-	//
-	// "Other Scum And Villainry"
-	//
-
-	// Popup from "reserved" domains at register.com
-	// (I considered blocking all of register.com)
-	|| (dnsDomainIs(host, ".register.com")
-	    && (shExpMatch(url,"*.js")
-		|| shExpMatch(host, "searchtheweb*")
-		|| shExpMatch(host, "futuresite*")
-	    )
-	)
-
-	|| dnsDomainIs(host, ".oingo.com")
-	|| dnsDomainIs(host, ".namingsolutions.com")
-
-	// "Data collection"
-	|| dnsDomainIs(host, ".coremetrics.com")
-
-	// Sets your home page
-	|| dnsDomainIs(host, ".firehunt.com")
-
-	// tracking
-	|| dnsDomainIs(host, ".appliedsemantics.com")
-
-	// Scum who buy ad space from the above
-	// || dnsDomainIs(host, ".hartfordrents.com")
-	// || dnsDomainIs(host, ".chicagocomputerrentals.com")
-	// || dnsDomainIs(host, ".ccrsolutions.com")
-	// || dnsDomainIs(host, ".rushcomputer.com")
-	// || dnsDomainIs(host, ".localesimates.com")
-	// || dnsDomainIs(host, ".unitedvision.com")
-	// XXX this might need the resolver
-//	|| isInNet(host, "216.216.246.31", "255.255.255.255")
-	|| (host == "216.216.246.31")
-
-	// avsforum ads
-//	|| isInNet(host, "216.66.21.35", "255.255.255.255")
-	|| (host == "216.66.21.35")
-	|| dnsDomainIs(host, ".avsads.com")
-
-	// bogus "search" sites at non-existent sites
-	|| dnsDomainIs(host, ".search411.com")
-
-	// palmgear.com
-	|| (dnsDomainIs(host, ".palmgear.com")
-	    && (   shExpMatch(url, "*/adsales/*")
-		|| shExpMatch(url, "*/emailblast*")
-	    )
-	)
-
-	//////
-	//
-	// Contributed adult sites
-	//
-
-	|| dnsDomainIs(host, ".porntrack.com")
-	|| dnsDomainIs(host, ".sexe-portail.com")
-	|| dnsDomainIs(host, ".sextracker.com")
-	|| dnsDomainIs(host, ".sexspy.com")
-	|| dnsDomainIs(host, ".offshoreclicks.com")
-	|| dnsDomainIs(host, ".exxxit.com")
-	|| dnsDomainIs(host, "private-dailer.biz")
-	|| shExpMatch(url, "*retestrak.nl/misc/reet.gif")
-	|| shExpMatch(url, "*dontstayin.com/*.swf")
-
-	// debug
-	// || (alertmatch("NOT:" + url) && 0)
-
-	) {
-
-	// alert("blackholing: " + url);
-
-	// deny this request
-	return blackhole;
-
-    } else {
-	// debug
-	// alert("allowing: " + url);
-
-	// all other requests go direct and avoid any overhead
-	return normal;
-    }
-}
-
-///////////////////////////////////////////////////////////////////////////////
-//
-// This line is just for testing; you can ignore it.  But, if you are having
-// problems where you think this PAC file isn't being loaded, then change this
-// to read "if (1)" and the alert box should appear when the browser loads this
-// file.
-//
-// This works for IE4, IE5, IE5.5, IE6 and Netscape 2.x, 3.x, and 4.x.
-// (For IE6, tested on Win2K)
-// This does not work for Mozilla before 1.4 (and not for Netscape 6.x).
-// In Mozilla 1.4+ and Fireox, this will write to the JavaScript console.
-//
-if (0) {
-	alert("no-ads.pac: LOADED:\n" +
-		"	version:	"+noadsver+"\n" +
-		"	normal:		"+normal+"\n" +
-		"	blackhole:	"+blackhole+"\n" +
-		"	localproxy:	"+localproxy+"\n" +
-		"	bypass:		"+bypass+"\n"
-		// MSG
-	);
-}
-
-// The above should show you that this JavaScript is executed in an
-// unprotected global context.  NEVER point at someone elses autoconfig file;
-// always load from your own copy!
-
-// an alert that returns true
-function alertmatch(str)
-{
-	// alert("match: "+str);
-	return 1;
-}
-
-///////////////////////////////////////////////////////////////////////////////
-//
-// Replacement function for dnsDomainIs().  This is to replace the
-// prefix problem, which a leading '.' used to be used for.
-//
-//	dnsDomainIs("bar.com", "bar.com") => true
-//	dnsDomainIs("www.bar.com", "bar.com") => true
-//	dnsDomainIs("www.foobar.com", "bar.com") => true	<<< incorrect
-//
-//	isInDomain("bar.com", "bar.com") => true
-//	isInDomain("www.bar.com", "bar.com") => true
-//	isInDomain("www.foobar.com", "bar.com") => false	<<< correct
-//
-function isInDomain(host, domain) {
-    if (host.length > domain.length) {
-	return (host.substring(host.length - domain.length - 1) == "."+domain);
-    }
-    return (host == domain);
-}
-
-///////////////////////////////////////////////////////////////////////////////
-//
-// Tired of reading boring comments?  Try reading today's comics:
-//	http://www.schooner.com/~loverso/comics/
-//
-// or getting a quote from my collection:
-//	http://www.schooner.com/~loverso/quote/
-//
-
-// eof
-	//intelliserv.net
-	//intellisrv.net
-	//rambler.ru
-	//rightmedia.net
-	//calloffate.com
-	//fairmeasures.com
-
diff --git a/chromium/net/data/ssl/blocklist/143315c857a9386973ed16840899c3f96b894a7a612c444efb691f14b0dedd87.pem b/chromium/net/data/ssl/blocklist/143315c857a9386973ed16840899c3f96b894a7a612c444efb691f14b0dedd87.pem
new file mode 100644
index 00000000000..796454a5f3d
--- /dev/null
+++ b/chromium/net/data/ssl/blocklist/143315c857a9386973ed16840899c3f96b894a7a612c444efb691f14b0dedd87.pem
@@ -0,0 +1,157 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            08:91:9e:e2:76:8f:8c:21:ec:72:d8:6c:45:76:fb:8c
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C = US, O = DigiCert Inc, CN = DigiCert SHA2 Secure Server CA
+        Validity
+            Not Before: Dec 16 00:00:00 2019 GMT
+            Not After : Dec 20 12:00:00 2021 GMT
+        Subject: C = US, ST = California, L = Walnut Creek, O = Lucas Garron Torres, CN = known-interception.badssl.com
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                RSA Public-Key: (2048 bit)
+                Modulus:
+                    00:c7:8f:2d:12:d9:25:d6:57:dd:e3:64:40:67:0c:
+                    cb:0a:d4:21:69:57:93:ca:53:57:d1:b2:f7:61:87:
+                    a5:73:ac:15:39:2a:bc:38:00:0c:bf:d4:84:45:cc:
+                    c2:9f:67:81:62:89:e5:74:0e:c4:00:30:18:ef:de:
+                    e9:5b:b0:53:3e:2f:f3:c1:33:a6:ca:05:5d:eb:63:
+                    6d:b4:ea:19:e0:c2:60:34:08:90:48:ec:1a:6f:39:
+                    3f:0f:5b:0c:6d:1d:6f:a8:ba:4a:13:e0:a0:59:f6:
+                    b9:54:7d:6f:66:7e:72:85:09:64:62:17:f1:a9:47:
+                    05:56:97:7f:ec:3b:d9:1d:48:cb:2d:17:a2:83:d5:
+                    4d:d8:01:7c:ba:8a:09:d0:3c:96:fc:14:49:18:b8:
+                    d3:f2:e6:e1:67:6b:d5:e3:43:a9:eb:28:ba:25:86:
+                    d1:24:90:fe:33:f0:cc:2e:7a:8f:d4:14:f7:fe:b1:
+                    e5:7d:35:1d:59:ba:08:cf:77:10:a4:8f:a5:f0:91:
+                    9e:1f:cd:7f:32:34:fc:ff:bc:1a:35:6b:af:c7:d8:
+                    4e:17:a1:df:a1:a3:e4:5b:4b:9f:6e:d5:33:e8:99:
+                    ec:db:47:70:f5:a7:99:cb:71:1d:64:3e:17:b8:2c:
+                    2c:68:69:ea:d9:3f:79:b5:a9:ee:eb:10:97:6e:97:
+                    ae:eb
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Authority Key Identifier: 
+                keyid:0F:80:61:1C:82:31:61:D5:2F:28:E7:8D:46:38:B4:2C:E1:C6:D9:E2
+
+            X509v3 Subject Key Identifier: 
+                65:16:4E:26:8D:41:4F:B4:D6:33:61:17:51:AE:7E:09:DF:6C:C8:2C
+            X509v3 Subject Alternative Name: 
+                DNS:known-interception.badssl.com, DNS:www.known-interception.badssl.com
+            X509v3 Key Usage: critical
+                Digital Signature, Key Encipherment
+            X509v3 Extended Key Usage: 
+                TLS Web Server Authentication, TLS Web Client Authentication
+            X509v3 CRL Distribution Points: 
+
+                Full Name:
+                  URI:http://crl3.digicert.com/ssca-sha2-g6.crl
+
+                Full Name:
+                  URI:http://crl4.digicert.com/ssca-sha2-g6.crl
+
+            X509v3 Certificate Policies: 
+                Policy: 2.16.840.1.114412.1.1
+                  CPS: https://www.digicert.com/CPS
+                Policy: 2.23.140.1.2.3
+
+            Authority Information Access: 
+                OCSP - URI:http://ocsp.digicert.com
+                CA Issuers - URI:http://cacerts.digicert.com/DigiCertSHA2SecureServerCA.crt
+
+            X509v3 Basic Constraints: critical
+                CA:FALSE
+            CT Precertificate SCTs: 
+                Signed Certificate Timestamp:
+                    Version   : v1 (0x0)
+                    Log ID    : A4:B9:09:90:B4:18:58:14:87:BB:13:A2:CC:67:70:0A:
+                                3C:35:98:04:F9:1B:DF:B8:E3:77:CD:0E:C8:0D:DC:10
+                    Timestamp : Dec 16 19:25:03.735 2019 GMT
+                    Extensions: none
+                    Signature : ecdsa-with-SHA256
+                                30:46:02:21:00:BF:58:DF:CB:40:35:C7:EB:56:A3:3D:
+                                33:A7:15:99:78:92:16:00:51:73:BF:E4:83:29:3A:95:
+                                9A:4E:70:E2:B5:02:21:00:CC:CD:B2:E9:28:B1:E1:84:
+                                59:77:99:FD:28:75:59:06:48:21:E7:16:18:7A:40:78:
+                                5A:C2:4A:97:BE:83:82:BC
+                Signed Certificate Timestamp:
+                    Version   : v1 (0x0)
+                    Log ID    : 44:94:65:2E:B0:EE:CE:AF:C4:40:07:D8:A8:FE:28:C0:
+                                DA:E6:82:BE:D8:CB:31:B5:3F:D3:33:96:B5:B6:81:A8
+                    Timestamp : Dec 16 19:25:03.808 2019 GMT
+                    Extensions: none
+                    Signature : ecdsa-with-SHA256
+                                30:45:02:20:22:7C:CB:BA:4B:E1:C4:0F:93:0C:69:8F:
+                                E5:06:A3:04:FA:D2:3F:F4:24:1C:DF:29:AC:7B:E2:51:
+                                06:35:B2:FC:02:21:00:D4:75:B0:0F:88:B0:2A:0B:CA:
+                                89:B9:B9:09:CE:85:92:CD:13:B9:18:86:ED:DE:9A:37:
+                                58:A2:44:10:3B:67:87
+                Signed Certificate Timestamp:
+                    Version   : v1 (0x0)
+                    Log ID    : BB:D9:DF:BC:1F:8A:71:B5:93:94:23:97:AA:92:7B:47:
+                                38:57:95:0A:AB:52:E8:1A:90:96:64:36:8E:1E:D1:85
+                    Timestamp : Dec 16 19:25:03.896 2019 GMT
+                    Extensions: none
+                    Signature : ecdsa-with-SHA256
+                                30:46:02:21:00:CB:60:EE:F3:90:EF:DB:D8:39:0F:58:
+                                3D:DE:42:F2:F6:D4:68:E3:CB:7C:59:55:DC:35:C4:76:
+                                6A:E4:D9:D4:9F:02:21:00:A1:83:D6:3F:22:5B:DD:7C:
+                                BC:17:18:F8:D2:FC:BF:A5:77:1C:1E:B9:8A:7C:E2:4C:
+                                14:B9:C8:27:35:99:23:96
+    Signature Algorithm: sha256WithRSAEncryption
+         bb:e4:97:22:2e:43:11:dd:42:56:5f:d9:d4:0d:c9:c9:7c:c6:
+         47:5b:a8:6b:17:94:b3:ae:b3:63:d6:6b:68:17:87:b5:78:49:
+         68:a0:13:13:39:76:93:34:b9:29:46:a1:7e:8c:17:e1:e1:27:
+         0a:46:8e:1e:fd:e2:56:06:18:86:9a:ab:e1:e1:03:eb:ef:c3:
+         a4:3f:e3:2c:7a:9a:c7:95:5e:85:84:a5:1e:52:63:f1:4e:4a:
+         79:45:93:d3:92:6d:f6:9d:be:a6:20:31:bb:90:2e:71:a4:27:
+         66:44:f8:24:51:b1:03:69:2c:b3:4c:ec:69:10:c1:84:92:9b:
+         2a:89:4e:13:29:10:97:dd:59:35:40:25:b0:87:a4:56:aa:87:
+         f4:1a:c5:2b:53:53:7b:cb:47:d4:59:64:e1:11:37:86:71:c8:
+         18:78:84:66:86:51:a5:d8:3c:b8:9a:10:d0:d4:98:29:40:6a:
+         8b:8e:3d:c6:a3:9b:09:93:19:fc:87:76:45:98:d2:c7:c8:b7:
+         a5:3f:f2:2e:c5:15:59:0e:fe:17:36:40:7a:35:5a:a7:2d:f5:
+         c0:b5:80:95:3a:3c:a7:54:46:8a:a0:67:e9:69:35:b2:3c:9a:
+         51:ef:58:a6:ff:6d:7e:61:17:a4:d8:1f:42:88:90:0d:5a:91:
+         3e:6c:90:98
+-----BEGIN CERTIFICATE-----
+MIIG4zCCBcugAwIBAgIQCJGe4naPjCHscthsRXb7jDANBgkqhkiG9w0BAQsFADBN
+MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMScwJQYDVQQDEx5E
+aWdpQ2VydCBTSEEyIFNlY3VyZSBTZXJ2ZXIgQ0EwHhcNMTkxMjE2MDAwMDAwWhcN
+MjExMjIwMTIwMDAwWjB/MQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5p
+YTEVMBMGA1UEBxMMV2FsbnV0IENyZWVrMRwwGgYDVQQKExNMdWNhcyBHYXJyb24g
+VG9ycmVzMSYwJAYDVQQDEx1rbm93bi1pbnRlcmNlcHRpb24uYmFkc3NsLmNvbTCC
+ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMePLRLZJdZX3eNkQGcMywrU
+IWlXk8pTV9Gy92GHpXOsFTkqvDgADL/UhEXMwp9ngWKJ5XQOxAAwGO/e6VuwUz4v
+88EzpsoFXetjbbTqGeDCYDQIkEjsGm85Pw9bDG0db6i6ShPgoFn2uVR9b2Z+coUJ
+ZGIX8alHBVaXf+w72R1Iyy0XooPVTdgBfLqKCdA8lvwUSRi40/Lm4Wdr1eNDqeso
+uiWG0SSQ/jPwzC56j9QU9/6x5X01HVm6CM93EKSPpfCRnh/NfzI0/P+8GjVrr8fY
+Theh36Gj5FtLn27VM+iZ7NtHcPWnmctxHWQ+F7gsLGhp6tk/ebWp7usQl26XrusC
+AwEAAaOCA4swggOHMB8GA1UdIwQYMBaAFA+AYRyCMWHVLyjnjUY4tCzhxtniMB0G
+A1UdDgQWBBRlFk4mjUFPtNYzYRdRrn4J32zILDBLBgNVHREERDBCgh1rbm93bi1p
+bnRlcmNlcHRpb24uYmFkc3NsLmNvbYIhd3d3Lmtub3duLWludGVyY2VwdGlvbi5i
+YWRzc2wuY29tMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYI
+KwYBBQUHAwIwawYDVR0fBGQwYjAvoC2gK4YpaHR0cDovL2NybDMuZGlnaWNlcnQu
+Y29tL3NzY2Etc2hhMi1nNi5jcmwwL6AtoCuGKWh0dHA6Ly9jcmw0LmRpZ2ljZXJ0
+LmNvbS9zc2NhLXNoYTItZzYuY3JsMEwGA1UdIARFMEMwNwYJYIZIAYb9bAEBMCow
+KAYIKwYBBQUHAgEWHGh0dHBzOi8vd3d3LmRpZ2ljZXJ0LmNvbS9DUFMwCAYGZ4EM
+AQIDMHwGCCsGAQUFBwEBBHAwbjAkBggrBgEFBQcwAYYYaHR0cDovL29jc3AuZGln
+aWNlcnQuY29tMEYGCCsGAQUFBzAChjpodHRwOi8vY2FjZXJ0cy5kaWdpY2VydC5j
+b20vRGlnaUNlcnRTSEEyU2VjdXJlU2VydmVyQ0EuY3J0MAwGA1UdEwEB/wQCMAAw
+ggGABgorBgEEAdZ5AgQCBIIBcASCAWwBagB3AKS5CZC0GFgUh7sTosxncAo8NZgE
++RvfuON3zQ7IDdwQAAABbxArzXcAAAQDAEgwRgIhAL9Y38tANcfrVqM9M6cVmXiS
+FgBRc7/kgyk6lZpOcOK1AiEAzM2y6Six4YRZd5n9KHVZBkgh5xYYekB4WsJKl76D
+grwAdgBElGUusO7Or8RAB9io/ijA2uaCvtjLMbU/0zOWtbaBqAAAAW8QK83AAAAE
+AwBHMEUCICJ8y7pL4cQPkwxpj+UGowT60j/0JBzfKax74lEGNbL8AiEA1HWwD4iw
+KgvKibm5Cc6Fks0TuRiG7d6aN1iiRBA7Z4cAdwC72d+8H4pxtZOUI5eqkntHOFeV
+CqtS6BqQlmQ2jh7RhQAAAW8QK84YAAAEAwBIMEYCIQDLYO7zkO/b2DkPWD3eQvL2
+1Gjjy3xZVdw1xHZq5NnUnwIhAKGD1j8iW918vBcY+NL8v6V3HB65inziTBS5yCc1
+mSOWMA0GCSqGSIb3DQEBCwUAA4IBAQC75JciLkMR3UJWX9nUDcnJfMZHW6hrF5Sz
+rrNj1mtoF4e1eElooBMTOXaTNLkpRqF+jBfh4ScKRo4e/eJWBhiGmqvh4QPr78Ok
+P+MseprHlV6FhKUeUmPxTkp5RZPTkm32nb6mIDG7kC5xpCdmRPgkUbEDaSyzTOxp
+EMGEkpsqiU4TKRCX3Vk1QCWwh6RWqof0GsUrU1N7y0fUWWThETeGccgYeIRmhlGl
+2Dy4mhDQ1JgpQGqLjj3Go5sJkxn8h3ZFmNLHyLelP/IuxRVZDv4XNkB6NVqnLfXA
+tYCVOjynVEaKoGfpaTWyPJpR71im/21+YRek2B9CiJANWpE+bJCY
+-----END CERTIFICATE-----
diff --git a/chromium/net/data/ssl/blocklist/44a244105569a730791f509b24c3d7838a462216bb0f560ef87fbe76c2e6005a.pem b/chromium/net/data/ssl/blocklist/44a244105569a730791f509b24c3d7838a462216bb0f560ef87fbe76c2e6005a.pem
new file mode 100644
index 00000000000..c94bbcfe29e
--- /dev/null
+++ b/chromium/net/data/ssl/blocklist/44a244105569a730791f509b24c3d7838a462216bb0f560ef87fbe76c2e6005a.pem
@@ -0,0 +1,157 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            03:2f:9c:4e:f4:4d:1e:c9:00:42:67:7e:d9:d4:df:83
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C = US, O = DigiCert Inc, CN = DigiCert SHA2 Secure Server CA
+        Validity
+            Not Before: Dec 16 00:00:00 2019 GMT
+            Not After : Dec 20 12:00:00 2021 GMT
+        Subject: C = US, ST = California, L = Walnut Creek, O = Lucas Garron Torres, CN = blocked-interception.badssl.com
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                RSA Public-Key: (2048 bit)
+                Modulus:
+                    00:9c:c4:b1:a6:98:0a:77:0f:b9:a9:36:04:99:68:
+                    dc:0e:b1:5d:7e:ef:5d:bf:c4:75:e9:bf:16:d7:ca:
+                    07:02:10:fe:3a:80:f1:26:42:6d:c2:ca:9d:e7:5b:
+                    2e:77:d0:3b:b1:a5:ce:b4:84:6a:4f:f0:a2:4a:99:
+                    97:fe:b0:c2:5d:d4:0f:26:3a:ea:4e:d6:f5:9b:c9:
+                    87:aa:fc:b1:ff:83:fd:33:ce:5b:5b:d5:0a:94:e8:
+                    67:24:a3:b7:86:99:dd:69:92:10:5f:67:5c:01:b1:
+                    d2:9f:10:bf:7c:23:a5:e1:bd:34:99:5d:f5:8f:8b:
+                    b0:22:b9:8b:e5:03:b9:30:d4:91:ff:2b:6c:13:9c:
+                    00:22:26:a8:27:30:7f:75:c4:cb:85:04:31:39:68:
+                    c9:72:37:71:62:b7:db:f5:65:a1:55:37:2e:94:e6:
+                    e4:c2:2e:01:90:92:32:d6:07:5c:00:ea:1b:bd:5b:
+                    62:3d:32:39:de:2a:68:39:39:b4:b5:b3:14:e9:02:
+                    00:6e:bb:bd:6a:ac:0e:35:2b:e3:3e:8b:83:51:51:
+                    59:63:f0:bf:e2:f3:cc:00:24:88:28:77:8f:c6:61:
+                    f0:84:c6:20:cf:68:0f:dd:e6:bc:9c:04:6d:fe:fa:
+                    52:d7:7f:1e:96:c2:e0:f8:42:7f:ff:68:2b:da:f3:
+                    5b:c5
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Authority Key Identifier: 
+                keyid:0F:80:61:1C:82:31:61:D5:2F:28:E7:8D:46:38:B4:2C:E1:C6:D9:E2
+
+            X509v3 Subject Key Identifier: 
+                A9:05:22:41:ED:F9:98:F1:E7:EF:27:E1:2A:2F:C0:1B:1D:C0:AE:D4
+            X509v3 Subject Alternative Name: 
+                DNS:blocked-interception.badssl.com, DNS:www.blocked-interception.badssl.com
+            X509v3 Key Usage: critical
+                Digital Signature, Key Encipherment
+            X509v3 Extended Key Usage: 
+                TLS Web Server Authentication, TLS Web Client Authentication
+            X509v3 CRL Distribution Points: 
+
+                Full Name:
+                  URI:http://crl3.digicert.com/ssca-sha2-g6.crl
+
+                Full Name:
+                  URI:http://crl4.digicert.com/ssca-sha2-g6.crl
+
+            X509v3 Certificate Policies: 
+                Policy: 2.16.840.1.114412.1.1
+                  CPS: https://www.digicert.com/CPS
+                Policy: 2.23.140.1.2.3
+
+            Authority Information Access: 
+                OCSP - URI:http://ocsp.digicert.com
+                CA Issuers - URI:http://cacerts.digicert.com/DigiCertSHA2SecureServerCA.crt
+
+            X509v3 Basic Constraints: critical
+                CA:FALSE
+            CT Precertificate SCTs: 
+                Signed Certificate Timestamp:
+                    Version   : v1 (0x0)
+                    Log ID    : A4:B9:09:90:B4:18:58:14:87:BB:13:A2:CC:67:70:0A:
+                                3C:35:98:04:F9:1B:DF:B8:E3:77:CD:0E:C8:0D:DC:10
+                    Timestamp : Dec 16 19:27:47.556 2019 GMT
+                    Extensions: none
+                    Signature : ecdsa-with-SHA256
+                                30:45:02:20:6E:DC:0C:F1:EC:26:57:3F:B8:FB:21:9E:
+                                0C:BA:58:39:9D:09:57:48:DE:BC:B4:65:63:6D:02:09:
+                                78:64:F9:1B:02:21:00:86:1E:3F:6E:01:B8:27:4F:45:
+                                04:68:AD:04:4A:E4:CB:2F:68:EE:00:58:AB:FF:69:45:
+                                F9:93:03:3E:ED:5D:8D
+                Signed Certificate Timestamp:
+                    Version   : v1 (0x0)
+                    Log ID    : 44:94:65:2E:B0:EE:CE:AF:C4:40:07:D8:A8:FE:28:C0:
+                                DA:E6:82:BE:D8:CB:31:B5:3F:D3:33:96:B5:B6:81:A8
+                    Timestamp : Dec 16 19:27:47.472 2019 GMT
+                    Extensions: none
+                    Signature : ecdsa-with-SHA256
+                                30:45:02:21:00:C5:2A:BF:4F:52:59:2B:21:68:69:B6:
+                                2C:96:B2:9E:48:76:A6:BD:01:95:C1:1A:A7:98:F6:7E:
+                                A7:BB:9D:27:91:02:20:46:9E:A8:1E:22:66:08:A2:4A:
+                                B2:88:A3:E4:89:A0:8A:F3:E0:10:35:5B:2A:3F:EC:AD:
+                                99:88:86:8C:5D:F7:EA
+                Signed Certificate Timestamp:
+                    Version   : v1 (0x0)
+                    Log ID    : BB:D9:DF:BC:1F:8A:71:B5:93:94:23:97:AA:92:7B:47:
+                                38:57:95:0A:AB:52:E8:1A:90:96:64:36:8E:1E:D1:85
+                    Timestamp : Dec 16 19:27:47.558 2019 GMT
+                    Extensions: none
+                    Signature : ecdsa-with-SHA256
+                                30:45:02:21:00:95:10:28:21:D3:32:AD:8E:41:39:D2:
+                                D5:DB:C9:B8:A7:0D:AA:16:CC:F2:37:5D:FC:36:1A:93:
+                                CE:72:73:77:84:02:20:0F:49:96:AC:F0:B4:95:8D:24:
+                                84:BA:6B:DD:D3:1E:66:41:A7:C3:94:74:D6:10:E3:EE:
+                                FA:A7:BD:98:4A:62:BE
+    Signature Algorithm: sha256WithRSAEncryption
+         3d:74:18:ea:0d:07:64:53:de:94:ea:0d:fa:9e:87:8d:d6:32:
+         38:a0:c2:be:09:96:1c:65:32:78:85:6e:aa:ca:5f:ea:ed:82:
+         51:00:58:2a:a3:5f:f4:ba:c1:db:3d:7f:19:fb:7e:a5:b5:d1:
+         4f:b6:3a:36:a4:f7:d9:e8:49:59:c8:d5:eb:d4:c9:8d:d8:8f:
+         2a:d1:b5:16:ca:3a:11:c4:d5:da:8a:38:76:fb:57:34:a6:09:
+         ae:48:3b:c4:3d:5d:62:ec:3a:54:4e:59:d2:11:19:18:88:91:
+         5a:6c:b3:6b:76:8c:ed:b0:61:c3:cf:83:90:f7:aa:8d:88:ce:
+         90:f5:16:35:dd:51:ff:6f:1f:d4:09:b7:57:74:30:54:bd:61:
+         a1:eb:bc:cd:67:d5:3c:c2:e5:4c:26:ee:08:c1:de:1e:12:12:
+         64:ec:d9:2c:d6:49:01:31:f8:b2:4c:48:cc:f9:7d:3e:49:5b:
+         b2:87:5d:c1:09:af:60:1b:ed:1f:6d:4c:ee:b1:ec:a2:37:9c:
+         57:72:d6:5e:8b:ab:d4:39:05:a1:d6:b4:0b:a3:9c:3c:cf:1e:
+         ed:4c:51:d7:7f:b1:3e:15:c8:f8:5b:51:29:a9:16:99:d1:12:
+         e5:a1:37:86:73:46:e4:b9:b6:db:48:0b:75:a4:51:d0:f7:a4:
+         ee:e5:4a:b1
+-----BEGIN CERTIFICATE-----
+MIIG6DCCBdCgAwIBAgIQAy+cTvRNHskAQmd+2dTfgzANBgkqhkiG9w0BAQsFADBN
+MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMScwJQYDVQQDEx5E
+aWdpQ2VydCBTSEEyIFNlY3VyZSBTZXJ2ZXIgQ0EwHhcNMTkxMjE2MDAwMDAwWhcN
+MjExMjIwMTIwMDAwWjCBgTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3Ju
+aWExFTATBgNVBAcTDFdhbG51dCBDcmVlazEcMBoGA1UEChMTTHVjYXMgR2Fycm9u
+IFRvcnJlczEoMCYGA1UEAxMfYmxvY2tlZC1pbnRlcmNlcHRpb24uYmFkc3NsLmNv
+bTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJzEsaaYCncPuak2BJlo
+3A6xXX7vXb/Edem/FtfKBwIQ/jqA8SZCbcLKnedbLnfQO7GlzrSEak/wokqZl/6w
+wl3UDyY66k7W9ZvJh6r8sf+D/TPOW1vVCpToZySjt4aZ3WmSEF9nXAGx0p8Qv3wj
+peG9NJld9Y+LsCK5i+UDuTDUkf8rbBOcACImqCcwf3XEy4UEMTloyXI3cWK32/Vl
+oVU3LpTm5MIuAZCSMtYHXADqG71bYj0yOd4qaDk5tLWzFOkCAG67vWqsDjUr4z6L
+g1FRWWPwv+LzzAAkiCh3j8Zh8ITGIM9oD93mvJwEbf76Utd/HpbC4PhCf/9oK9rz
+W8UCAwEAAaOCA40wggOJMB8GA1UdIwQYMBaAFA+AYRyCMWHVLyjnjUY4tCzhxtni
+MB0GA1UdDgQWBBSpBSJB7fmY8efvJ+EqL8AbHcCu1DBPBgNVHREESDBGgh9ibG9j
+a2VkLWludGVyY2VwdGlvbi5iYWRzc2wuY29tgiN3d3cuYmxvY2tlZC1pbnRlcmNl
+cHRpb24uYmFkc3NsLmNvbTAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYB
+BQUHAwEGCCsGAQUFBwMCMGsGA1UdHwRkMGIwL6AtoCuGKWh0dHA6Ly9jcmwzLmRp
+Z2ljZXJ0LmNvbS9zc2NhLXNoYTItZzYuY3JsMC+gLaArhilodHRwOi8vY3JsNC5k
+aWdpY2VydC5jb20vc3NjYS1zaGEyLWc2LmNybDBMBgNVHSAERTBDMDcGCWCGSAGG
+/WwBATAqMCgGCCsGAQUFBwIBFhxodHRwczovL3d3dy5kaWdpY2VydC5jb20vQ1BT
+MAgGBmeBDAECAzB8BggrBgEFBQcBAQRwMG4wJAYIKwYBBQUHMAGGGGh0dHA6Ly9v
+Y3NwLmRpZ2ljZXJ0LmNvbTBGBggrBgEFBQcwAoY6aHR0cDovL2NhY2VydHMuZGln
+aWNlcnQuY29tL0RpZ2lDZXJ0U0hBMlNlY3VyZVNlcnZlckNBLmNydDAMBgNVHRMB
+Af8EAjAAMIIBfgYKKwYBBAHWeQIEAgSCAW4EggFqAWgAdgCkuQmQtBhYFIe7E6LM
+Z3AKPDWYBPkb37jjd80OyA3cEAAAAW8QLk1kAAAEAwBHMEUCIG7cDPHsJlc/uPsh
+ngy6WDmdCVdI3ry0ZWNtAgl4ZPkbAiEAhh4/bgG4J09FBGitBErkyy9o7gBYq/9p
+RfmTAz7tXY0AdgBElGUusO7Or8RAB9io/ijA2uaCvtjLMbU/0zOWtbaBqAAAAW8Q
+Lk0QAAAEAwBHMEUCIQDFKr9PUlkrIWhptiyWsp5Idqa9AZXBGqeY9n6nu50nkQIg
+Rp6oHiJmCKJKsoij5ImgivPgEDVbKj/srZmIhoxd9+oAdgC72d+8H4pxtZOUI5eq
+kntHOFeVCqtS6BqQlmQ2jh7RhQAAAW8QLk1mAAAEAwBHMEUCIQCVECgh0zKtjkE5
+0tXbybinDaoWzPI3Xfw2GpPOcnN3hAIgD0mWrPC0lY0khLpr3dMeZkGnw5R01hDj
+7vqnvZhKYr4wDQYJKoZIhvcNAQELBQADggEBAD10GOoNB2RT3pTqDfqeh43WMjig
+wr4JlhxlMniFbqrKX+rtglEAWCqjX/S6wds9fxn7fqW10U+2Ojak99noSVnI1evU
+yY3YjyrRtRbKOhHE1dqKOHb7VzSmCa5IO8Q9XWLsOlROWdIRGRiIkVpss2t2jO2w
+YcPPg5D3qo2IzpD1FjXdUf9vH9QJt1d0MFS9YaHrvM1n1TzC5Uwm7gjB3h4SEmTs
+2SzWSQEx+LJMSMz5fT5JW7KHXcEJr2Ab7R9tTO6x7KI3nFdy1l6Lq9Q5BaHWtAuj
+nDzPHu1MUdd/sT4VyPhbUSmpFpnREuWhN4ZzRuS5tttIC3WkUdD3pO7lSrE=
+-----END CERTIFICATE-----
diff --git a/chromium/net/data/ssl/blocklist/README.md b/chromium/net/data/ssl/blocklist/README.md
index 11afdd057d2..64c03fe5321 100644
--- a/chromium/net/data/ssl/blocklist/README.md
+++ b/chromium/net/data/ssl/blocklist/README.md
@@ -287,6 +287,14 @@ For details, see <https://security.googleblog.com/2019/08/protecting-chrome-user
 
   * [c6910d0ba9eddf593334149fedfe87385f37b625354bb4395c0ae2c8df48e17c.pem](c6910d0ba9eddf593334149fedfe87385f37b625354bb4395c0ae2c8df48e17c.pem)
 
+### blocked-interception.badssl.com
+
+  * [44a244105569a730791f509b24c3d7838a462216bb0f560ef87fbe76c2e6005a](44a244105569a730791f509b24c3d7838a462216bb0f560ef87fbe76c2e6005a.pem)
+
+### known-interception.badssl.com
+
+  * [143315c857a9386973ed16840899c3f96b894a7a612c444efb691f14b0dedd87](143315c857a9386973ed16840899c3f96b894a7a612c444efb691f14b0dedd87.pem)
+
 ### revoked.grc.com
 
   * [53d48e7b8869a3314f213fd2e0178219ca09022dbe50053bf6f76fccd61e8112.pem](53d48e7b8869a3314f213fd2e0178219ca09022dbe50053bf6f76fccd61e8112.pem)
diff --git a/chromium/net/data/ssl/certificates/README b/chromium/net/data/ssl/certificates/README
index 9f9714f6321..f9f2e3c3f77 100644
--- a/chromium/net/data/ssl/certificates/README
+++ b/chromium/net/data/ssl/certificates/README
@@ -146,6 +146,10 @@ unit tests.
     A certificate and private key valid for *.example.org, used in various
     net unit tests.
 
+- test_names.pem
+    A certificate and private key valid for a number of test names. See
+    [test_names] in ee.cnf. Other names may be added as needed.
+
 - name_constraint_bad.pem
 - name_constraint_good.pem
     Two certificates used to test the built-in ability to restrict a root to
diff --git a/chromium/net/data/ssl/certificates/crlset_blocked_interception_by_intermediate.raw b/chromium/net/data/ssl/certificates/crlset_blocked_interception_by_intermediate.raw
new file mode 100644
index 00000000000..aa07f5178f6
--- /dev/null
+++ b/chromium/net/data/ssl/certificates/crlset_blocked_interception_by_intermediate.raw
diff --git a/chromium/net/data/ssl/certificates/crlset_blocked_interception_by_root.raw b/chromium/net/data/ssl/certificates/crlset_blocked_interception_by_root.raw
new file mode 100644
index 00000000000..8ee04f10fbd
--- /dev/null
+++ b/chromium/net/data/ssl/certificates/crlset_blocked_interception_by_root.raw
diff --git a/chromium/net/data/ssl/certificates/crlset_known_interception_by_root.raw b/chromium/net/data/ssl/certificates/crlset_known_interception_by_root.raw
new file mode 100644
index 00000000000..9e8cf9a1ea8
--- /dev/null
+++ b/chromium/net/data/ssl/certificates/crlset_known_interception_by_root.raw
diff --git a/chromium/net/data/ssl/certificates/redundant-server-chain.pem b/chromium/net/data/ssl/certificates/redundant-server-chain.pem
index a4993a90689..755b84dcace 100644
--- a/chromium/net/data/ssl/certificates/redundant-server-chain.pem
+++ b/chromium/net/data/ssl/certificates/redundant-server-chain.pem
@@ -1,328 +1,333 @@
------BEGIN RSA PRIVATE KEY-----
-MIIEowIBAAKCAQEAs9htMWsxQD/3s1phTjWQ2u8R4idEckpFjVHN+C9K3HEKIS9K
-VN51HtRwu9nj36OT970k2xC3+O5SAtqdy23/5oMPUTdoD5zKdNvGVxLSGypFOMZX
-jgt39pulOan4sJJ/DtdrRjZEkjXBqgYy0xSeBoJIf1tewIJiv8YEYOjwMQKaznLM
-qaVY8+k8n/NtRb49etaBR0j3531UCupBMEyiiITqMd1Z/dwQodvD5UZhxaSxY1xl
-nw6/HX1f32zWq6zSZrnk9JDpLPyBuJy4d/op7mJv4Tv/jFc7qMpB0AvCflqneeeU
-r4TI34CSo+zFu7IPIFVzvd8ZYUGPtIkane2JVQIDAQABAoIBAFcpIvJ6cuoille0
-C8itqUCR8ObcBQ4m9MJizSHlObDQkAo5MxsinTyN1P0VwpyWWJYOcxhAaAka52A+
-t47qBsWe6wN/iM1YPb6Y7O0yT+WefOHhLnnHESLRmCf0OnTI6w80U+c5Uc5Sg0N1
-sZgfO98HsT8X9znxdw5eV6zn99CoFCXouF8lCci/PQ0LnIWrMYHggN1MuhLlh3pB
-Vi+ozl5ZYPbsU8+BOWk7T4xhNfgCYqrKSsz9qthiCxPfA9bmGBK02qXFbx55VXJe
-C5+LZV0oleDjChskH0FpfFoTh2aasGmhM3bwIp2rsz32MJe/QHTaT24eeRNgdB+H
-Xb7BRIECgYEA4/Be1j2TQbvyp4Yd/cW2NUVzxo/kq5FY5yi3CGQ7fkTU/KgER3p/
-DuCOk/ly9IdrILg9ojGXnPQgEbVNkmeulrFD+UBZtFqdpusX50Ehv8TLwoInLsOf
-v1BN3Vhh8NfHEFiD/DuVBN1rwk9R+yIG6ZTe3kohLRXWHspCGGnrFQUCgYEAyfxc
-Oc3sVJa5S9Vug3ZcmolKI/sZP7/4+q0HtfGmimQGmA1gNy/vPTe6gYnoVNgFmvGG
-LQCm/qYoUtcKGoQJuAj8hurYZehWmhmXudf82r1DaN26V70DCVV/bMXQROQGWxTN
-ci7h13dmOl6vJXf2jcqRAIRYnbH6bbUaGryV1BECgYBw1JaNZJOVMW0PYgNMkGb+
-fa+utaHTD7K7UlswCzWr7nSj0KO1ojxs59mMBCnUQ4hS/QB9XiEXr3yEZ4PLmglB
-TORB6Im/DjAF5U/CyGnlXIwkb3rn2iwkbqLsk4h/yMAgJkDHRdMhQl3KJKuHLbPQ
-QkIENRuxDqMcQLBxF1Un5QKBgAXZgypBZnjErLUfh0XTZbcsBrOoEAEipClOXYzN
-ZM9ZOj+pE4JFpx4UwRgDUHE0mGT2XbZr8Gorkbtkcux1qnpj+DxIDOBWrDtmRlih
-grcrCAq/cSgdVzsr+LbDu9Zi7DQzFAgch3ngAVvrZhMluEQ++5gSPSbEAsaumgTw
-NT6hAoGBAM2IpPgrCi60ikYxmFx9gtqAGedWPu7c1BlP2HVBuib+STodK3sVcNU3
-px9zzrGTbil/r873Co4/sgFXk5r+23qTuFCpUOrW0YDsKOe85WSuOY8RiSf/SQhd
-B9gqBDymZgZ/0kCIUGhigZNNcJEhdY++eggmgt0lUt2QQNa7o3JI
------END RSA PRIVATE KEY-----
+-----BEGIN PRIVATE KEY-----
+MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQDsdrSxnyz5qQNr
+JRBll0qjD5zDYW41+A+X2rDMDONOaLlO9OODtjvoCRBg5KUJ2y9a/Vsui77szkLD
+7h4lJPTlxGyFNxgtfyzSuXEb5ZBP0kYD+RXfafIeTmQECIFwsmnc3ytonl+Hzr+g
+6G2w12qNWOL3DqrxgOc/9UeZKuTf4ERM7x1cfBmA3keW0M8PqJ9rVSG7zzLreago
+Q81pmlWVttFrZWt2PAq6DH7BEdN+cbIEa6bSFOmBW24r+TJxxDc9X95xXNdC/LYn
+fb9tN+1gPDd1bcjeEdPIg0EMqb0BtfcaUjZojownuIt04fcaet4OaVoo/HNhy9XM
+GqqoHQeHAgMBAAECggEAIBGZP92Og+1gAU/tgVmbTbH4WKcGA1u5AacvAv1cdm3N
+c9/SWzKDvVw9VGat20BWk8h4bT+WjRcMBvZsMC1q6R5SeV6XcNQmiA2OQXJIuAqU
+ZEWLqdj8dQ+8kK92nooTwVii0nVoD0sCwhfDiJAuayz62vaqSEZrFkl1hFhE4feN
+jpNOjzU54nbtmAnT1umyO13pJxTcRjetTJioIsl/uvTGuIhBsY6gqYchtPtZ0c35
+0/YNOMtAWKERDgpyFwBNmUA9YunmS603ThA5SB7rbaMbANyxXoGRcRjNavI67ues
+fgvRY/GghnY2sKroyc9CIsnghrGAITW6miQw3uWRQQKBgQD4mTh7g0DP3bfHUIqm
+af7UmPV7gPrJItlvgrYRYy4zjnxvNk/kcfgrJATMAnqGX5KrbXFX6AdfanRRnJcP
+gCojd1C3v3cotUVky9r91v/1Hn1fe2hDzy/qrbwh2WBATPKCJjL0PuXNhGsfqoKG
+SMhvqy95sfFnqvy4f4pUPh6pIwKBgQDzgP7WUAVWUcmjjxq6QM8WfDD5RMuPfAL4
+skkpm3WB/H+xUeqax+KSKNDDrWTfhWpTucZt0v84aG6NQz4vzkc5DrRnWltkqFgR
+NLU1esrgn1bnh/iNQt+bmw8OgH0puJsI82wBa7QjGYu3ocW043Avp1DS2ocMGMzu
+S+hFvBG4TQKBgFDI8drpVzl1cpBZswTLMx2BK1zcGCMeqQwcrO/PjCcC6Zr2SlYR
+VzUluk1VjN1312DP6uJHK4YtQOl4enp2CruFvXxIwv8+kPNlb5/Hq1vLcbCCmOpY
+PNkFZjqVujqLBs+WfD505ha4LluW/F2I72GifoYMdkdbAE8wWxJvMWWDAoGADRQg
+m+IwZzJ9YguNo/NXLB3/g2PuiwZeIn1w8IspBJJLSXrc3vNdd/w5OklV4auIynZv
+8fYjPyRcy7mQ3YB20tm3VtXDkuR31nS+RuERhH8Ka+UhtHSjDfiGFoFQN61ypkhs
+xKbERh5ZIsPNmqmcnPKfpLOYDU5Hs4TgNN6lFQECgYA/0Y25oCHqLH9MfPGs2gMJ
+BTeMxzAIsA2lwhr2/WOANHA9cWnHtI3d1eNequZpNgxtKbw2mxbM+IfnO50czV7g
+5PJPvU79T6d64u1AOtoKbCxgm9wTL8UmEPvEInnT8SfnECPxW9Pwey2rC39527jl
+i5FkIsSiwU8YIZk73YCqDg==
+-----END PRIVATE KEY-----
 Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number: 4096 (0x1000)
-    Signature Algorithm: sha256WithRSAEncryption
+        Signature Algorithm: sha256WithRSAEncryption
         Issuer: CN=B CA
         Validity
-            Not Before: Aug 14 02:47:12 2014 GMT
-            Not After : Aug 11 02:47:12 2024 GMT
+            Not Before: Oct 18 22:24:10 2019 GMT
+            Not After : Oct 15 22:24:10 2029 GMT
         Subject: C=US, ST=California, L=Mountain View, O=Test CA, CN=127.0.0.1
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                Public-Key: (2048 bit)
+                RSA Public-Key: (2048 bit)
                 Modulus:
-                    00:b3:d8:6d:31:6b:31:40:3f:f7:b3:5a:61:4e:35:
-                    90:da:ef:11:e2:27:44:72:4a:45:8d:51:cd:f8:2f:
-                    4a:dc:71:0a:21:2f:4a:54:de:75:1e:d4:70:bb:d9:
-                    e3:df:a3:93:f7:bd:24:db:10:b7:f8:ee:52:02:da:
-                    9d:cb:6d:ff:e6:83:0f:51:37:68:0f:9c:ca:74:db:
-                    c6:57:12:d2:1b:2a:45:38:c6:57:8e:0b:77:f6:9b:
-                    a5:39:a9:f8:b0:92:7f:0e:d7:6b:46:36:44:92:35:
-                    c1:aa:06:32:d3:14:9e:06:82:48:7f:5b:5e:c0:82:
-                    62:bf:c6:04:60:e8:f0:31:02:9a:ce:72:cc:a9:a5:
-                    58:f3:e9:3c:9f:f3:6d:45:be:3d:7a:d6:81:47:48:
-                    f7:e7:7d:54:0a:ea:41:30:4c:a2:88:84:ea:31:dd:
-                    59:fd:dc:10:a1:db:c3:e5:46:61:c5:a4:b1:63:5c:
-                    65:9f:0e:bf:1d:7d:5f:df:6c:d6:ab:ac:d2:66:b9:
-                    e4:f4:90:e9:2c:fc:81:b8:9c:b8:77:fa:29:ee:62:
-                    6f:e1:3b:ff:8c:57:3b:a8:ca:41:d0:0b:c2:7e:5a:
-                    a7:79:e7:94:af:84:c8:df:80:92:a3:ec:c5:bb:b2:
-                    0f:20:55:73:bd:df:19:61:41:8f:b4:89:1a:9d:ed:
-                    89:55
+                    00:ec:76:b4:b1:9f:2c:f9:a9:03:6b:25:10:65:97:
+                    4a:a3:0f:9c:c3:61:6e:35:f8:0f:97:da:b0:cc:0c:
+                    e3:4e:68:b9:4e:f4:e3:83:b6:3b:e8:09:10:60:e4:
+                    a5:09:db:2f:5a:fd:5b:2e:8b:be:ec:ce:42:c3:ee:
+                    1e:25:24:f4:e5:c4:6c:85:37:18:2d:7f:2c:d2:b9:
+                    71:1b:e5:90:4f:d2:46:03:f9:15:df:69:f2:1e:4e:
+                    64:04:08:81:70:b2:69:dc:df:2b:68:9e:5f:87:ce:
+                    bf:a0:e8:6d:b0:d7:6a:8d:58:e2:f7:0e:aa:f1:80:
+                    e7:3f:f5:47:99:2a:e4:df:e0:44:4c:ef:1d:5c:7c:
+                    19:80:de:47:96:d0:cf:0f:a8:9f:6b:55:21:bb:cf:
+                    32:eb:79:a8:28:43:cd:69:9a:55:95:b6:d1:6b:65:
+                    6b:76:3c:0a:ba:0c:7e:c1:11:d3:7e:71:b2:04:6b:
+                    a6:d2:14:e9:81:5b:6e:2b:f9:32:71:c4:37:3d:5f:
+                    de:71:5c:d7:42:fc:b6:27:7d:bf:6d:37:ed:60:3c:
+                    37:75:6d:c8:de:11:d3:c8:83:41:0c:a9:bd:01:b5:
+                    f7:1a:52:36:68:8e:8c:27:b8:8b:74:e1:f7:1a:7a:
+                    de:0e:69:5a:28:fc:73:61:cb:d5:cc:1a:aa:a8:1d:
+                    07:87
                 Exponent: 65537 (0x10001)
         X509v3 extensions:
             X509v3 Basic Constraints: critical
                 CA:FALSE
             X509v3 Subject Key Identifier: 
-                C0:E2:E7:28:2E:67:6F:8E:24:79:39:78:B6:0C:7E:B1:48:35:40:1E
+                E7:8D:C4:21:0B:CE:12:A1:F7:05:E6:52:AF:3B:A6:10:BA:71:68:3D
             X509v3 Authority Key Identifier: 
-                keyid:69:C1:9C:85:EC:20:DC:38:0C:32:B0:51:FC:CF:DB:C1:97:03:50:5D
+                keyid:77:3C:D2:AA:A1:C9:7D:FE:B6:90:3F:CB:1B:F6:38:37:0C:28:1A:F7
 
             X509v3 Extended Key Usage: 
                 TLS Web Server Authentication, TLS Web Client Authentication
+            X509v3 Subject Alternative Name: 
+                IP Address:127.0.0.1
     Signature Algorithm: sha256WithRSAEncryption
-         da:56:18:d4:16:55:5a:e4:c4:1c:66:15:dd:f0:eb:e6:94:b6:
-         d1:84:65:75:06:c8:15:fd:16:6b:e0:f0:0c:90:9f:0b:23:a2:
-         7f:30:2a:59:31:b1:fe:c5:88:06:fe:ad:82:7d:e3:9d:73:82:
-         cf:31:22:93:4d:36:32:49:e5:21:9c:5a:99:e0:74:d8:4d:ed:
-         f8:99:83:5f:ba:50:96:34:6d:aa:cc:50:61:a2:7c:60:e8:c1:
-         00:b4:68:a5:05:cf:b8:44:7e:36:9a:c7:06:c5:26:e0:f8:58:
-         2e:ec:d3:45:e0:64:99:95:4f:08:f3:6d:d4:aa:e9:93:a0:b4:
-         bd:5d:77:20:b9:84:61:e2:dd:04:7a:75:4f:dc:94:48:f7:b3:
-         76:ef:a9:21:f5:24:42:ef:aa:e2:eb:80:c1:6f:66:91:dc:45:
-         27:a6:f9:fc:d7:e7:9d:c9:3f:d3:ce:8d:e7:a6:0f:41:50:72:
-         94:01:9a:72:82:d3:86:23:cc:fe:f3:2e:d8:b9:b5:16:ed:1c:
-         7a:d0:39:06:e5:2b:0b:ac:d9:21:29:30:b4:06:f2:ee:a5:6b:
-         b3:13:8d:23:eb:62:95:b7:43:ca:f1:cb:fa:3a:fd:ce:5a:eb:
-         36:fe:47:f0:51:47:fe:b1:70:90:45:ce:4d:b2:60:80:b7:7f:
-         19:4d:79:e5
+         17:ff:16:47:18:ed:d0:b5:54:fb:b6:02:c7:e4:c1:9a:4d:99:
+         54:cb:ca:df:75:25:d4:e5:b5:20:74:3d:ac:f9:e2:a1:87:a5:
+         d1:a2:da:48:c0:71:12:9f:84:9e:10:70:9c:bd:4c:74:85:90:
+         b8:15:9c:b2:fb:f2:4c:03:7c:7a:a6:6e:c4:91:19:93:79:a4:
+         47:96:fa:30:15:a3:02:20:d0:07:23:70:16:db:73:aa:6e:61:
+         b9:b1:0f:a9:e5:f8:d4:4f:34:19:a1:2e:fa:d6:f0:97:76:8c:
+         ff:08:54:8e:dc:a3:49:c9:a3:d8:e0:c3:71:e9:8f:98:3d:dd:
+         25:73:c4:da:c3:fa:43:19:48:39:5c:43:8c:30:7a:cf:de:5a:
+         c9:ee:8e:2e:88:b0:e7:84:74:5f:d4:91:a6:65:8d:bc:fd:10:
+         51:3c:53:32:fe:dd:03:84:9b:b0:64:58:9d:99:b4:bc:5f:ce:
+         30:af:67:58:f5:6c:02:67:20:f9:aa:dc:d6:96:fc:00:e8:6d:
+         72:48:12:a9:f9:dc:4b:00:26:fb:ab:1f:00:ac:e2:11:f9:36:
+         2c:bd:a9:1c:86:b5:77:c6:97:6d:29:ec:3f:d3:94:95:46:54:
+         a4:2d:66:7e:9d:d7:1b:ea:21:f7:39:a3:b4:fb:e9:b6:38:4d:
+         eb:49:1d:83
 -----BEGIN CERTIFICATE-----
-MIIDWjCCAkKgAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwDzENMAsGA1UEAwwEQiBD
-QTAeFw0xNDA4MTQwMjQ3MTJaFw0yNDA4MTEwMjQ3MTJaMGAxCzAJBgNVBAYTAlVT
+MIIDbDCCAlSgAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwDzENMAsGA1UEAwwEQiBD
+QTAeFw0xOTEwMTgyMjI0MTBaFw0yOTEwMTUyMjI0MTBaMGAxCzAJBgNVBAYTAlVT
 MRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1Nb3VudGFpbiBWaWV3MRAw
 DgYDVQQKDAdUZXN0IENBMRIwEAYDVQQDDAkxMjcuMC4wLjEwggEiMA0GCSqGSIb3
-DQEBAQUAA4IBDwAwggEKAoIBAQCz2G0xazFAP/ezWmFONZDa7xHiJ0RySkWNUc34
-L0rccQohL0pU3nUe1HC72ePfo5P3vSTbELf47lIC2p3Lbf/mgw9RN2gPnMp028ZX
-EtIbKkU4xleOC3f2m6U5qfiwkn8O12tGNkSSNcGqBjLTFJ4Ggkh/W17AgmK/xgRg
-6PAxAprOcsyppVjz6Tyf821Fvj161oFHSPfnfVQK6kEwTKKIhOox3Vn93BCh28Pl
-RmHFpLFjXGWfDr8dfV/fbNarrNJmueT0kOks/IG4nLh3+inuYm/hO/+MVzuoykHQ
-C8J+Wqd555SvhMjfgJKj7MW7sg8gVXO93xlhQY+0iRqd7YlVAgMBAAGjbzBtMAwG
-A1UdEwEB/wQCMAAwHQYDVR0OBBYEFMDi5yguZ2+OJHk5eLYMfrFINUAeMB8GA1Ud
-IwQYMBaAFGnBnIXsINw4DDKwUfzP28GXA1BdMB0GA1UdJQQWMBQGCCsGAQUFBwMB
-BggrBgEFBQcDAjANBgkqhkiG9w0BAQsFAAOCAQEA2lYY1BZVWuTEHGYV3fDr5pS2
-0YRldQbIFf0Wa+DwDJCfCyOifzAqWTGx/sWIBv6tgn3jnXOCzzEik002MknlIZxa
-meB02E3t+JmDX7pQljRtqsxQYaJ8YOjBALRopQXPuER+NprHBsUm4PhYLuzTReBk
-mZVPCPNt1Krpk6C0vV13ILmEYeLdBHp1T9yUSPezdu+pIfUkQu+q4uuAwW9mkdxF
-J6b5/Nfnnck/086N56YPQVBylAGacoLThiPM/vMu2Lm1Fu0cetA5BuUrC6zZISkw
-tAby7qVrsxONI+tilbdDyvHL+jr9zlrrNv5H8FFH/rFwkEXOTbJggLd/GU155Q==
+DQEBAQUAA4IBDwAwggEKAoIBAQDsdrSxnyz5qQNrJRBll0qjD5zDYW41+A+X2rDM
+DONOaLlO9OODtjvoCRBg5KUJ2y9a/Vsui77szkLD7h4lJPTlxGyFNxgtfyzSuXEb
+5ZBP0kYD+RXfafIeTmQECIFwsmnc3ytonl+Hzr+g6G2w12qNWOL3DqrxgOc/9UeZ
+KuTf4ERM7x1cfBmA3keW0M8PqJ9rVSG7zzLreagoQ81pmlWVttFrZWt2PAq6DH7B
+EdN+cbIEa6bSFOmBW24r+TJxxDc9X95xXNdC/LYnfb9tN+1gPDd1bcjeEdPIg0EM
+qb0BtfcaUjZojownuIt04fcaet4OaVoo/HNhy9XMGqqoHQeHAgMBAAGjgYAwfjAM
+BgNVHRMBAf8EAjAAMB0GA1UdDgQWBBTnjcQhC84SofcF5lKvO6YQunFoPTAfBgNV
+HSMEGDAWgBR3PNKqocl9/raQP8sb9jg3DCga9zAdBgNVHSUEFjAUBggrBgEFBQcD
+AQYIKwYBBQUHAwIwDwYDVR0RBAgwBocEfwAAATANBgkqhkiG9w0BAQsFAAOCAQEA
+F/8WRxjt0LVU+7YCx+TBmk2ZVMvK33Ul1OW1IHQ9rPnioYel0aLaSMBxEp+EnhBw
+nL1MdIWQuBWcsvvyTAN8eqZuxJEZk3mkR5b6MBWjAiDQByNwFttzqm5hubEPqeX4
+1E80GaEu+tbwl3aM/whUjtyjScmj2ODDcemPmD3dJXPE2sP6QxlIOVxDjDB6z95a
+ye6OLoiw54R0X9SRpmWNvP0QUTxTMv7dA4SbsGRYnZm0vF/OMK9nWPVsAmcg+arc
+1pb8AOhtckgSqfncSwAm+6sfAKziEfk2LL2pHIa1d8aXbSnsP9OUlUZUpC1mfp3X
+G+oh9zmjtPvptjhN60kdgw==
 -----END CERTIFICATE-----
 Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number: 4097 (0x1001)
-    Signature Algorithm: sha256WithRSAEncryption
+        Signature Algorithm: sha256WithRSAEncryption
         Issuer: CN=C CA
         Validity
-            Not Before: Aug 14 02:47:12 2014 GMT
-            Not After : Aug 11 02:47:12 2024 GMT
+            Not Before: Oct 18 22:24:10 2019 GMT
+            Not After : Oct 15 22:24:10 2029 GMT
         Subject: CN=B CA
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                Public-Key: (2048 bit)
+                RSA Public-Key: (2048 bit)
                 Modulus:
-                    00:ec:ac:40:57:bc:13:cd:7a:72:b9:2b:fb:46:a3:
-                    ca:a0:0e:f9:74:87:0d:16:e4:d4:78:79:38:ac:f3:
-                    39:61:52:2d:11:38:15:cc:7a:02:1e:b1:a8:d7:0d:
-                    39:fd:d1:2e:0c:66:35:e0:47:66:96:6c:3a:aa:11:
-                    3f:91:36:e4:fb:71:5e:2d:e5:4a:c1:2c:82:bc:de:
-                    0e:e4:d4:fb:8d:c0:a7:0e:82:70:4e:64:aa:55:5a:
-                    cb:59:de:b7:8f:e0:77:96:db:3a:4a:47:52:a8:1b:
-                    ef:7a:c9:c3:d5:7e:e1:65:2f:6d:35:21:24:37:12:
-                    c9:e8:c1:43:35:8d:7f:81:a5:77:fa:b6:c4:f0:74:
-                    3b:ab:40:03:a7:98:32:9d:7b:67:5a:19:b1:29:0c:
-                    ac:96:28:12:4c:cb:3b:e0:71:08:6a:02:86:de:b4:
-                    fe:66:b4:46:ac:7b:c6:45:62:27:1b:40:7a:f6:d7:
-                    38:02:52:43:21:9e:6a:80:91:83:b1:16:aa:ca:87:
-                    4c:d2:db:d5:1c:e0:2c:73:07:d1:36:43:4c:b3:09:
-                    5d:88:6e:5b:90:61:5a:74:c6:84:1a:da:29:1c:9c:
-                    5c:b0:b7:18:f0:12:9d:9c:c9:23:96:1f:50:5f:94:
-                    4f:a6:65:1a:45:cb:88:bb:a7:c7:66:fd:74:c0:75:
-                    ad:c1
+                    00:96:bf:0b:a1:79:f7:12:d1:8c:ec:e3:63:4a:c7:
+                    30:53:10:0d:60:41:84:27:99:f0:9f:a4:9e:ec:19:
+                    24:28:80:0b:8e:55:0c:13:ab:16:72:2b:43:aa:ac:
+                    fa:0f:b2:47:ae:a3:a2:8d:66:85:2b:2f:b1:c6:f2:
+                    bd:b6:5e:3b:d1:2b:0d:c2:bc:96:4f:d9:5f:2c:74:
+                    7b:7f:2a:2c:52:84:f6:71:a7:87:df:d3:4e:be:e7:
+                    53:70:cd:f0:47:5b:e4:5b:5b:64:49:37:5b:93:99:
+                    09:78:22:f2:04:9e:af:aa:91:f6:22:a5:59:5d:9e:
+                    c7:cd:c5:11:1a:9e:99:3b:19:ad:51:59:f5:0e:ec:
+                    30:f2:7e:64:33:91:cd:f0:26:12:fe:cb:f2:6e:67:
+                    a2:ec:94:6e:b2:97:3e:51:c0:ca:0a:e4:8a:f3:c6:
+                    fa:cd:55:95:11:57:5e:bd:9b:b9:70:d4:04:af:f2:
+                    c8:5e:1e:fb:b3:d7:03:0a:0e:be:cf:fa:c7:97:63:
+                    7a:e0:b4:22:07:a7:18:b6:a7:1a:d5:23:26:c1:c4:
+                    39:83:3c:45:53:9d:fd:a4:17:62:8d:bd:f2:4b:40:
+                    d3:85:1d:06:3a:24:4f:8f:65:77:cd:c9:e8:64:a4:
+                    55:16:20:8f:17:5c:f1:6b:75:db:8e:ac:eb:2c:97:
+                    28:09
                 Exponent: 65537 (0x10001)
         X509v3 extensions:
             X509v3 Basic Constraints: critical
                 CA:TRUE
             X509v3 Subject Key Identifier: 
-                69:C1:9C:85:EC:20:DC:38:0C:32:B0:51:FC:CF:DB:C1:97:03:50:5D
+                77:3C:D2:AA:A1:C9:7D:FE:B6:90:3F:CB:1B:F6:38:37:0C:28:1A:F7
             X509v3 Key Usage: critical
                 Certificate Sign, CRL Sign
     Signature Algorithm: sha256WithRSAEncryption
-         69:cd:f5:27:4e:fd:65:b2:91:8f:37:9f:ea:3a:46:ad:b3:8e:
-         d8:f4:ba:a7:e1:da:9b:22:39:44:2b:eb:37:84:ed:f4:b4:87:
-         bc:db:7f:f0:db:06:78:38:30:5d:33:70:05:e3:70:20:39:fc:
-         18:86:86:6a:95:0f:ce:a7:ad:8d:c6:5d:29:c8:39:0c:f1:82:
-         a1:c3:4c:f6:58:e3:3f:2c:95:70:13:29:a8:b4:17:8c:94:bb:
-         01:af:07:9d:a5:d3:47:28:15:45:a6:40:0a:f0:37:f3:32:e4:
-         af:8c:e6:59:8a:bb:0d:a0:38:e0:6d:20:75:22:24:12:75:69:
-         ac:4a:87:aa:c1:d1:8e:e5:9d:be:8f:cd:6e:c6:d8:5e:43:83:
-         7f:fb:50:43:8a:6f:db:9a:fc:7e:61:70:87:10:15:c4:2c:1b:
-         6b:24:ee:eb:16:08:4b:d2:9e:ba:c0:ef:59:d3:be:9f:36:4c:
-         70:4d:11:ab:16:10:0a:b4:26:f4:b0:a0:60:5f:02:60:dc:0d:
-         3c:82:69:5b:7e:c8:2c:3b:ec:59:7d:08:65:e5:a5:d8:c3:d0:
-         e8:b7:c8:2a:27:95:6e:d1:84:54:76:dc:58:9f:9a:2d:4b:9e:
-         1d:44:44:7f:ed:b7:ef:9e:52:49:1c:cf:6d:c9:ba:d5:54:d9:
-         59:2d:c7:af
+         8c:35:9a:a4:61:08:6e:60:d9:9e:af:ab:22:89:ca:ca:39:03:
+         9c:5d:4e:5f:dc:e5:dc:33:ce:19:af:19:fd:db:c9:a7:ca:d8:
+         65:73:42:73:35:70:57:99:f0:e0:b5:c8:79:31:72:f4:85:d8:
+         3d:20:04:cb:28:dc:22:bf:ce:43:7f:72:39:7e:b4:aa:c2:a4:
+         e4:25:dd:af:0e:8c:a9:fc:23:a8:4e:3d:52:fe:d4:27:dd:08:
+         de:4c:b6:6c:9c:9c:11:87:11:6e:cb:f0:43:38:4b:62:71:e7:
+         09:d0:01:3f:5c:51:03:41:06:03:76:27:17:15:19:26:a4:6d:
+         17:63:3e:00:d3:d4:02:17:33:17:87:57:9d:33:b5:7e:76:98:
+         3c:a5:68:da:e6:08:76:c5:3b:ea:6a:58:4c:16:da:92:d4:b3:
+         a6:d0:2e:4d:07:7d:ed:57:fa:e1:2a:09:bc:1e:4c:94:3e:f2:
+         11:41:4c:03:a8:08:a4:4c:7a:f1:42:f2:8f:ae:d5:15:5a:c5:
+         22:d3:b0:d8:d5:1d:10:6a:ee:ed:a1:4d:b4:2c:33:e2:0b:c3:
+         92:91:c7:c9:f4:f4:2c:53:8a:f6:1a:80:ff:dc:b3:91:2d:51:
+         0d:cf:e8:d3:89:3f:b1:90:76:44:8f:b1:f9:c1:60:4d:03:28:
+         74:72:ba:26
 -----BEGIN CERTIFICATE-----
 MIIC3DCCAcSgAwIBAgICEAEwDQYJKoZIhvcNAQELBQAwDzENMAsGA1UEAwwEQyBD
-QTAeFw0xNDA4MTQwMjQ3MTJaFw0yNDA4MTEwMjQ3MTJaMA8xDTALBgNVBAMMBEIg
-Q0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDsrEBXvBPNenK5K/tG
-o8qgDvl0hw0W5NR4eTis8zlhUi0ROBXMegIesajXDTn90S4MZjXgR2aWbDqqET+R
-NuT7cV4t5UrBLIK83g7k1PuNwKcOgnBOZKpVWstZ3reP4HeW2zpKR1KoG+96ycPV
-fuFlL201ISQ3EsnowUM1jX+BpXf6tsTwdDurQAOnmDKde2daGbEpDKyWKBJMyzvg
-cQhqAobetP5mtEase8ZFYicbQHr21zgCUkMhnmqAkYOxFqrKh0zS29Uc4CxzB9E2
-Q0yzCV2IbluQYVp0xoQa2ikcnFywtxjwEp2cySOWH1BflE+mZRpFy4i7p8dm/XTA
-da3BAgMBAAGjQjBAMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFGnBnIXsINw4
-DDKwUfzP28GXA1BdMA4GA1UdDwEB/wQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEA
-ac31J079ZbKRjzef6jpGrbOO2PS6p+HamyI5RCvrN4Tt9LSHvNt/8NsGeDgwXTNw
-BeNwIDn8GIaGapUPzqetjcZdKcg5DPGCocNM9ljjPyyVcBMpqLQXjJS7Aa8HnaXT
-RygVRaZACvA38zLkr4zmWYq7DaA44G0gdSIkEnVprEqHqsHRjuWdvo/NbsbYXkOD
-f/tQQ4pv25r8fmFwhxAVxCwbayTu6xYIS9KeusDvWdO+nzZMcE0RqxYQCrQm9LCg
-YF8CYNwNPIJpW37ILDvsWX0IZeWl2MPQ6LfIKieVbtGEVHbcWJ+aLUueHUREf+23
-755SSRzPbcm61VTZWS3Hrw==
+QTAeFw0xOTEwMTgyMjI0MTBaFw0yOTEwMTUyMjI0MTBaMA8xDTALBgNVBAMMBEIg
+Q0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCWvwuhefcS0Yzs42NK
+xzBTEA1gQYQnmfCfpJ7sGSQogAuOVQwTqxZyK0OqrPoPskeuo6KNZoUrL7HG8r22
+XjvRKw3CvJZP2V8sdHt/KixShPZxp4ff006+51NwzfBHW+RbW2RJN1uTmQl4IvIE
+nq+qkfYipVldnsfNxREanpk7Ga1RWfUO7DDyfmQzkc3wJhL+y/JuZ6LslG6ylz5R
+wMoK5IrzxvrNVZURV169m7lw1ASv8sheHvuz1wMKDr7P+seXY3rgtCIHpxi2pxrV
+IybBxDmDPEVTnf2kF2KNvfJLQNOFHQY6JE+PZXfNyehkpFUWII8XXPFrdduOrOss
+lygJAgMBAAGjQjBAMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFHc80qqhyX3+
+tpA/yxv2ODcMKBr3MA4GA1UdDwEB/wQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEA
+jDWapGEIbmDZnq+rIonKyjkDnF1OX9zl3DPOGa8Z/dvJp8rYZXNCczVwV5nw4LXI
+eTFy9IXYPSAEyyjcIr/OQ39yOX60qsKk5CXdrw6MqfwjqE49Uv7UJ90I3ky2bJyc
+EYcRbsvwQzhLYnHnCdABP1xRA0EGA3YnFxUZJqRtF2M+ANPUAhczF4dXnTO1fnaY
+PKVo2uYIdsU76mpYTBbaktSzptAuTQd97Vf64SoJvB5MlD7yEUFMA6gIpEx68ULy
+j67VFVrFItOw2NUdEGru7aFNtCwz4gvDkpHHyfT0LFOK9hqA/9yzkS1RDc/o04k/
+sZB2RI+x+cFgTQModHK6Jg==
 -----END CERTIFICATE-----
 Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number: 4099 (0x1003)
-    Signature Algorithm: sha256WithRSAEncryption
+        Signature Algorithm: sha256WithRSAEncryption
         Issuer: CN=D Root CA
         Validity
-            Not Before: Aug 14 02:47:12 2014 GMT
-            Not After : Aug 11 02:47:12 2024 GMT
+            Not Before: Oct 18 22:24:10 2019 GMT
+            Not After : Oct 15 22:24:10 2029 GMT
         Subject: CN=C CA
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                Public-Key: (2048 bit)
+                RSA Public-Key: (2048 bit)
                 Modulus:
-                    00:a7:3d:f2:7d:cf:2c:cd:eb:2c:bc:03:65:da:ae:
-                    96:29:80:29:8d:c5:42:e1:93:d9:3a:d7:78:9b:b5:
-                    be:7b:ef:df:c9:fd:86:30:18:c6:38:92:c6:a5:63:
-                    2e:ba:d0:9c:16:91:af:b3:80:38:14:5f:88:ca:b3:
-                    8b:a4:c4:ba:2f:c4:d4:c0:c0:2e:43:6c:1e:af:5e:
-                    9c:6a:9c:96:17:c3:89:ab:af:2a:93:7d:76:ea:34:
-                    2a:56:c9:5c:e9:72:50:f7:d1:e6:a0:2c:ee:df:27:
-                    a8:2f:17:c1:f6:fd:80:d6:dd:19:64:fe:7f:b7:80:
-                    a6:00:94:28:0e:01:fa:9b:40:d2:ed:43:2c:b1:10:
-                    2e:b0:57:5a:e4:5a:2f:86:6c:63:fa:22:d4:e2:c6:
-                    81:c0:d8:76:7e:54:a6:81:b7:b0:bb:ac:66:80:ed:
-                    a1:ab:25:6f:4d:7d:b6:cc:37:65:74:30:df:52:84:
-                    4b:93:f7:95:76:96:fb:db:fe:b9:d3:2c:ff:65:4d:
-                    89:09:15:32:3c:5d:60:68:79:57:9b:98:59:bc:d7:
-                    c2:93:30:91:81:7c:fc:d5:7e:46:3c:85:ef:4d:d2:
-                    9e:96:b0:86:95:78:20:6f:bd:a0:72:3f:d1:25:4c:
-                    f7:2e:c5:a1:21:5a:c7:7b:5e:98:73:15:37:0a:9d:
-                    80:0b
+                    00:97:21:4e:ff:ff:22:dd:de:6d:cc:05:75:3b:37:
+                    80:28:9f:61:8b:a2:ac:9b:3b:b1:e6:3a:a4:35:ce:
+                    7b:95:ce:d2:2f:95:f1:c2:51:c2:9d:21:71:dd:06:
+                    3a:eb:67:68:59:2d:f6:19:b1:7d:98:06:c2:c4:19:
+                    34:2a:00:0a:f1:0a:0b:76:39:ba:0f:e9:69:bc:14:
+                    c9:fa:38:b4:f6:38:55:45:3d:21:c7:b8:20:e3:47:
+                    ac:5b:9e:ec:7f:a9:8b:72:00:79:5c:25:13:01:86:
+                    a9:6a:d9:12:b1:d2:3a:a1:cc:e5:e0:63:b2:0d:ea:
+                    aa:a7:42:f9:de:cf:de:e0:15:9b:6e:cd:86:81:d8:
+                    5f:3f:a1:7b:bc:97:31:40:0e:17:a3:aa:c4:48:5a:
+                    5c:c8:e5:89:92:68:85:08:6c:cb:31:35:9c:fb:1e:
+                    d3:66:35:ee:d9:d7:ea:b8:5c:3e:d0:60:94:4c:3d:
+                    2b:21:6b:72:b8:3a:16:e4:f1:ea:97:74:0c:cf:27:
+                    a5:03:c1:b7:c3:d9:4d:5a:3d:c5:8e:3f:ca:99:b4:
+                    b6:59:c6:9f:22:38:0d:4d:c7:f7:11:f8:d0:71:99:
+                    5d:4b:e2:30:62:00:fb:01:c9:ca:3e:ed:6a:d8:6d:
+                    2d:0f:1a:77:33:02:b4:41:b3:ba:f6:1c:38:be:54:
+                    c9:73
                 Exponent: 65537 (0x10001)
         X509v3 extensions:
             X509v3 Basic Constraints: critical
                 CA:TRUE
             X509v3 Subject Key Identifier: 
-                08:C0:24:F4:0D:BB:C2:01:35:30:BA:2C:41:96:6B:16:DB:F8:22:F5
+                63:B1:47:26:FC:DB:79:3F:76:96:69:4D:EA:7E:D0:B7:6A:D2:3F:A8
             X509v3 Key Usage: critical
                 Certificate Sign, CRL Sign
     Signature Algorithm: sha256WithRSAEncryption
-         20:97:de:df:43:2c:d1:43:19:77:8d:1f:9f:fa:9c:c5:40:0b:
-         4f:cc:b1:4a:6f:61:74:92:d7:3f:cb:17:a8:f0:d9:f2:29:08:
-         28:56:fd:ad:ae:db:b2:10:2b:90:ac:10:6d:65:36:73:55:6a:
-         9f:92:8b:c4:d4:72:ff:a2:6a:55:e0:71:be:0b:60:f0:e5:45:
-         a3:ae:c8:cf:21:f0:30:56:fc:b7:b0:46:60:12:dc:85:62:79:
-         93:2d:dd:74:1b:62:8e:0e:cd:a5:de:b1:9f:6e:45:2b:5a:1c:
-         8f:b8:fa:ac:05:21:1a:69:a7:e2:be:59:fe:88:ad:26:98:5f:
-         78:9d:58:ca:06:8c:9a:6d:aa:2e:2c:52:ab:3c:99:66:cb:1f:
-         56:eb:4b:17:e8:de:ab:d3:40:c7:92:f3:84:78:15:70:53:6b:
-         bd:f3:5e:c3:4d:36:19:b6:da:54:79:eb:3f:80:8f:28:4f:35:
-         cd:4d:3a:b5:e5:e9:3d:c0:eb:92:f5:64:ff:e9:69:ff:3c:06:
-         bd:94:62:45:45:9c:85:bd:ff:18:45:48:d0:fb:28:1a:97:5c:
-         0c:21:32:a7:a5:94:e3:51:14:4e:b3:fe:a7:bc:c6:6e:fc:1f:
-         09:93:92:9a:3b:bf:8c:8a:3e:66:fe:fa:c9:2d:b4:18:96:c9:
-         c6:64:90:98
+         b2:52:23:e9:38:02:24:58:bf:cb:b4:62:f3:97:74:9a:24:4a:
+         aa:c6:bd:59:5b:d7:33:a4:7e:8f:10:3a:09:44:a3:a1:90:f2:
+         32:c2:e9:a7:e5:16:ca:c9:6c:a1:4e:94:8a:e6:f0:dd:f2:59:
+         2c:7c:62:84:c8:28:e2:5f:f1:6f:c7:04:21:49:3f:24:8f:fb:
+         4c:38:1c:3a:5d:18:e9:f2:5d:28:5c:a8:ce:01:12:aa:17:f2:
+         c0:bb:87:43:70:d7:8a:59:e7:80:38:ef:df:72:b3:1c:70:88:
+         a8:65:66:40:b3:25:1d:57:f4:a8:c1:34:e6:30:1e:2d:b5:b7:
+         fb:1f:99:4b:e1:fa:03:af:79:4e:5f:3c:39:02:14:e6:8b:06:
+         1b:5b:34:c7:c1:c0:30:48:2e:1c:16:ab:6b:4f:25:37:1e:a7:
+         f1:fd:09:29:23:ae:89:21:31:fd:64:7c:67:37:ca:bc:26:47:
+         fd:aa:d5:45:84:e1:27:47:fb:cb:05:10:cc:5b:55:f2:fb:c1:
+         08:55:89:43:0c:36:5e:4f:16:3b:35:3c:1c:61:59:90:ae:8a:
+         a3:53:4d:23:da:22:80:36:5c:e9:ff:49:9e:94:eb:4f:6c:15:
+         d0:4c:6c:8b:21:eb:18:24:44:d8:72:4e:de:5f:47:d2:6c:55:
+         dd:4f:c6:81
 -----BEGIN CERTIFICATE-----
 MIIC4TCCAcmgAwIBAgICEAMwDQYJKoZIhvcNAQELBQAwFDESMBAGA1UEAwwJRCBS
-b290IENBMB4XDTE0MDgxNDAyNDcxMloXDTI0MDgxMTAyNDcxMlowDzENMAsGA1UE
-AwwEQyBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKc98n3PLM3r
-LLwDZdqulimAKY3FQuGT2TrXeJu1vnvv38n9hjAYxjiSxqVjLrrQnBaRr7OAOBRf
-iMqzi6TEui/E1MDALkNsHq9enGqclhfDiauvKpN9duo0KlbJXOlyUPfR5qAs7t8n
-qC8Xwfb9gNbdGWT+f7eApgCUKA4B+ptA0u1DLLEQLrBXWuRaL4ZsY/oi1OLGgcDY
-dn5UpoG3sLusZoDtoaslb019tsw3ZXQw31KES5P3lXaW+9v+udMs/2VNiQkVMjxd
-YGh5V5uYWbzXwpMwkYF8/NV+RjyF703SnpawhpV4IG+9oHI/0SVM9y7FoSFax3te
-mHMVNwqdgAsCAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUCMAk
-9A27wgE1MLosQZZrFtv4IvUwDgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3DQEBCwUA
-A4IBAQAgl97fQyzRQxl3jR+f+pzFQAtPzLFKb2F0ktc/yxeo8NnyKQgoVv2trtuy
-ECuQrBBtZTZzVWqfkovE1HL/ompV4HG+C2Dw5UWjrsjPIfAwVvy3sEZgEtyFYnmT
-Ld10G2KODs2l3rGfbkUrWhyPuPqsBSEaaafivln+iK0mmF94nVjKBoyabaouLFKr
-PJlmyx9W60sX6N6r00DHkvOEeBVwU2u9817DTTYZttpUees/gI8oTzXNTTq15ek9
-wOuS9WT/6Wn/PAa9lGJFRZyFvf8YRUjQ+ygal1wMITKnpZTjURROs/6nvMZu/B8J
-k5KaO7+Mij5m/vrJLbQYlsnGZJCY
+b290IENBMB4XDTE5MTAxODIyMjQxMFoXDTI5MTAxNTIyMjQxMFowDzENMAsGA1UE
+AwwEQyBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJchTv//It3e
+bcwFdTs3gCifYYuirJs7seY6pDXOe5XO0i+V8cJRwp0hcd0GOutnaFkt9hmxfZgG
+wsQZNCoACvEKC3Y5ug/pabwUyfo4tPY4VUU9Ice4IONHrFue7H+pi3IAeVwlEwGG
+qWrZErHSOqHM5eBjsg3qqqdC+d7P3uAVm27NhoHYXz+he7yXMUAOF6OqxEhaXMjl
+iZJohQhsyzE1nPse02Y17tnX6rhcPtBglEw9KyFrcrg6FuTx6pd0DM8npQPBt8PZ
+TVo9xY4/ypm0tlnGnyI4DU3H9xH40HGZXUviMGIA+wHJyj7tathtLQ8adzMCtEGz
+uvYcOL5UyXMCAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUY7FH
+JvzbeT92lmlN6n7Qt2rSP6gwDgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3DQEBCwUA
+A4IBAQCyUiPpOAIkWL/LtGLzl3SaJEqqxr1ZW9czpH6PEDoJRKOhkPIywumn5RbK
+yWyhTpSK5vDd8lksfGKEyCjiX/FvxwQhST8kj/tMOBw6XRjp8l0oXKjOARKqF/LA
+u4dDcNeKWeeAOO/fcrMccIioZWZAsyUdV/SowTTmMB4ttbf7H5lL4foDr3lOXzw5
+AhTmiwYbWzTHwcAwSC4cFqtrTyU3Hqfx/QkpI66JITH9ZHxnN8q8Jkf9qtVFhOEn
+R/vLBRDMW1Xy+8EIVYlDDDZeTxY7NTwcYVmQroqjU00j2iKANlzp/0melOtPbBXQ
+TGyLIesYJETYck7eX0fSbFXdT8aB
 -----END CERTIFICATE-----
 Certificate:
     Data:
         Version: 3 (0x2)
-        Serial Number: 17926601032734454847 (0xf8c814a8fa49b43f)
-    Signature Algorithm: sha1WithRSAEncryption
-        Issuer: CN=D Root CA
+        Serial Number:
+            37:4c:99:18:7e:b3:0c:6e:53:25:45:1c:0c:89:17:9a:88:0c:86:44
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: CN = D Root CA
         Validity
-            Not Before: Aug 14 02:47:11 2014 GMT
-            Not After : Aug 11 02:47:11 2024 GMT
-        Subject: CN=D Root CA
+            Not Before: Oct 18 22:24:10 2019 GMT
+            Not After : Oct 15 22:24:10 2029 GMT
+        Subject: CN = D Root CA
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                Public-Key: (2048 bit)
+                RSA Public-Key: (2048 bit)
                 Modulus:
-                    00:a8:28:d1:e2:8f:e8:bc:f3:d4:88:2e:a8:f6:b4:
-                    91:b5:20:1e:cf:e5:3a:0a:2f:17:c9:4d:40:ba:39:
-                    3a:ee:0d:b1:21:4a:c4:13:63:c3:05:8b:06:57:b5:
-                    41:8b:f5:a3:69:81:e7:eb:3a:d3:f8:05:e8:be:ca:
-                    a6:b5:17:41:0e:54:47:b6:88:3a:a6:31:d9:f2:05:
-                    37:17:ab:b8:15:d4:00:85:dc:04:ed:c7:e0:de:16:
-                    86:82:01:14:e0:f3:e9:d9:d0:7e:83:9e:4e:f3:7b:
-                    33:fe:e6:dd:35:3c:fb:af:c8:08:30:36:78:ff:a5:
-                    c4:a1:47:62:9c:37:25:fc:3a:21:78:c5:ec:a9:0c:
-                    cc:72:69:e7:2b:b0:04:66:ca:a5:20:92:96:e6:3a:
-                    90:b5:60:13:41:90:3d:ab:44:8e:21:ff:59:df:ed:
-                    ce:30:7c:54:96:bb:fa:69:1c:f5:3d:1c:22:3b:9d:
-                    75:44:ee:73:03:d4:6a:72:a7:5b:a7:8a:fd:ad:bc:
-                    01:4f:32:2e:95:85:36:cb:fe:cd:52:8e:01:75:09:
-                    78:d1:ea:fd:1c:0d:ea:4d:7d:02:f6:71:db:73:71:
-                    1b:aa:20:f0:cd:74:4f:b5:c4:84:bd:65:d2:cc:54:
-                    48:17:40:9d:bd:86:4b:1d:c7:7d:f4:e7:70:24:63:
-                    67:af
+                    00:dc:15:a5:eb:d7:9f:c0:de:cc:53:f2:2e:f2:d6:
+                    e4:22:66:16:f9:39:25:0c:f9:c4:51:19:1c:7f:ca:
+                    16:64:fb:c1:8f:18:b4:77:cc:c1:6f:99:ce:54:59:
+                    2a:e8:5f:14:fc:2f:58:51:ed:01:bb:31:93:13:9a:
+                    f5:49:07:f7:e8:ae:fa:34:78:1b:d2:1e:3a:c8:4a:
+                    a4:30:c5:5c:22:09:ad:3d:b8:cc:0c:56:24:ba:fd:
+                    ab:b8:2d:dd:92:e3:f4:88:a3:64:f0:e6:b6:f9:f2:
+                    ac:86:3c:77:e0:19:26:4b:0e:dc:f1:97:05:9e:13:
+                    de:0c:1d:72:47:ec:ed:1c:09:18:f8:f3:7d:55:ba:
+                    59:06:9f:3a:5f:08:ee:cd:35:b2:3c:29:e1:fb:4a:
+                    a3:4d:1c:fa:59:62:da:ac:13:bc:ad:d2:da:9c:e8:
+                    ee:10:e8:36:e2:97:04:e3:04:ca:af:d6:97:7e:e9:
+                    44:86:8d:46:9f:7d:58:2f:be:0a:1d:34:7c:e3:f0:
+                    0b:9a:50:78:ff:d2:ee:6d:4c:2a:b0:e6:a5:80:45:
+                    4c:9c:dd:a6:df:93:6d:ae:e7:98:c2:4b:c4:c5:d6:
+                    55:9a:d4:df:ba:00:a5:0f:1d:23:b4:63:75:cc:c7:
+                    ff:08:8e:1c:77:bb:6b:cb:cc:b4:e0:81:ff:56:fa:
+                    45:b3
                 Exponent: 65537 (0x10001)
         X509v3 extensions:
             X509v3 Basic Constraints: critical
                 CA:TRUE
             X509v3 Subject Key Identifier: 
-                CF:6C:D3:AC:BC:C9:3C:DB:03:65:F9:7C:BC:03:A2:A3:9C:B8:45:E7
+                EE:13:A0:76:5C:58:BE:8C:5A:67:31:CA:23:35:67:55:0D:51:0E:12
             X509v3 Key Usage: critical
                 Certificate Sign, CRL Sign
-    Signature Algorithm: sha1WithRSAEncryption
-         2c:86:9e:a4:fc:bc:71:8b:b2:95:41:0b:f9:db:58:fc:b0:69:
-         05:8b:0a:77:86:62:f3:6c:fd:91:f2:e6:b6:ce:c8:08:c1:46:
-         bb:6a:0c:01:52:6f:a9:63:da:2f:3a:2c:16:cf:ba:a2:df:cd:
-         3f:22:3c:16:0c:28:a0:75:8d:33:67:b7:b4:4b:f6:a0:90:b0:
-         28:f1:d5:82:1e:2d:23:5f:6b:79:f7:73:72:9b:54:08:59:66:
-         f8:f9:43:98:22:8b:af:94:b1:c4:76:c1:80:7e:9c:3c:a2:75:
-         c1:69:33:52:54:0c:65:ae:af:41:21:9b:ad:18:bc:c3:44:f0:
-         a1:88:2f:0f:3b:33:79:51:5c:a9:e1:2c:43:b4:8c:56:b6:56:
-         ab:95:a3:03:72:ed:9d:bc:4b:fc:e1:19:50:e6:09:f8:7d:50:
-         12:74:d7:c0:f2:2a:b8:af:ba:13:3f:b5:ca:96:ca:4f:c2:c1:
-         64:bb:f5:7f:aa:b6:8d:ed:71:c8:6d:d0:be:0f:99:d8:1d:66:
-         e9:e3:ce:d0:1f:d3:09:84:d4:96:ee:a1:01:dd:35:6c:5b:83:
-         55:22:38:c8:01:6e:88:3e:8e:c7:13:4b:a8:e0:c0:96:4b:3e:
-         83:e9:46:44:a0:46:f6:0e:75:e7:f4:6c:9e:5b:72:f3:1b:13:
-         ae:05:1f:9e
+    Signature Algorithm: sha256WithRSAEncryption
+         3d:ad:ea:a5:49:bb:c6:f0:0a:5c:2a:2a:8c:be:7f:24:9d:55:
+         83:85:78:cb:c5:02:5a:eb:cd:f5:36:aa:df:32:8b:3f:19:f6:
+         c0:9e:66:20:12:81:e9:e1:39:48:31:e8:92:c8:b1:af:fa:1f:
+         b7:07:8b:54:2e:d2:55:79:c8:c8:44:75:b0:fe:d7:d2:8d:93:
+         58:82:eb:ff:49:69:93:63:de:df:19:ba:e0:a3:79:41:48:2c:
+         18:f4:33:a5:de:d9:00:da:e7:05:7e:88:74:8c:df:01:ec:17:
+         f8:37:81:eb:00:4e:03:9b:0a:09:15:4d:b1:f5:72:fe:8a:1f:
+         c0:f9:c6:26:3b:13:52:c3:59:c7:bf:cc:1e:79:a6:93:62:65:
+         56:25:e2:58:8b:df:db:2a:4f:a7:6a:33:f7:f9:d1:99:42:be:
+         ee:dc:e4:a1:34:23:9b:40:77:d5:e4:45:b3:b1:93:9a:d0:48:
+         0a:34:31:c8:f1:60:1c:fe:10:76:74:7e:f5:96:47:19:ef:3a:
+         84:b2:0e:f3:74:23:91:9b:3f:51:7c:e4:3a:b5:40:50:ba:c6:
+         58:f9:ea:c8:b6:5c:1d:76:ac:ac:23:d0:f1:13:86:fb:4d:19:
+         1d:99:32:21:f7:56:8a:7f:c3:90:ca:51:3a:73:a1:27:64:6b:
+         1d:9b:53:1d
 -----BEGIN CERTIFICATE-----
-MIIC7TCCAdWgAwIBAgIJAPjIFKj6SbQ/MA0GCSqGSIb3DQEBBQUAMBQxEjAQBgNV
-BAMMCUQgUm9vdCBDQTAeFw0xNDA4MTQwMjQ3MTFaFw0yNDA4MTEwMjQ3MTFaMBQx
-EjAQBgNVBAMMCUQgUm9vdCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
-ggEBAKgo0eKP6Lzz1IguqPa0kbUgHs/lOgovF8lNQLo5Ou4NsSFKxBNjwwWLBle1
-QYv1o2mB5+s60/gF6L7KprUXQQ5UR7aIOqYx2fIFNxeruBXUAIXcBO3H4N4WhoIB
-FODz6dnQfoOeTvN7M/7m3TU8+6/ICDA2eP+lxKFHYpw3Jfw6IXjF7KkMzHJp5yuw
-BGbKpSCSluY6kLVgE0GQPatEjiH/Wd/tzjB8VJa7+mkc9T0cIjuddUTucwPUanKn
-W6eK/a28AU8yLpWFNsv+zVKOAXUJeNHq/RwN6k19AvZx23NxG6og8M10T7XEhL1l
-0sxUSBdAnb2GSx3HffTncCRjZ68CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAd
-BgNVHQ4EFgQUz2zTrLzJPNsDZfl8vAOio5y4RecwDgYDVR0PAQH/BAQDAgEGMA0G
-CSqGSIb3DQEBBQUAA4IBAQAshp6k/Lxxi7KVQQv521j8sGkFiwp3hmLzbP2R8ua2
-zsgIwUa7agwBUm+pY9ovOiwWz7qi380/IjwWDCigdY0zZ7e0S/agkLAo8dWCHi0j
-X2t593Nym1QIWWb4+UOYIouvlLHEdsGAfpw8onXBaTNSVAxlrq9BIZutGLzDRPCh
-iC8POzN5UVyp4SxDtIxWtlarlaMDcu2dvEv84RlQ5gn4fVASdNfA8iq4r7oTP7XK
-lspPwsFku/V/qraN7XHIbdC+D5nYHWbp487QH9MJhNSW7qEB3TVsW4NVIjjIAW6I
-Po7HE0uo4MCWSz6D6UZEoEb2DnXn9GyeW3LzGxOuBR+e
+MIIC+DCCAeCgAwIBAgIUN0yZGH6zDG5TJUUcDIkXmogMhkQwDQYJKoZIhvcNAQEL
+BQAwFDESMBAGA1UEAwwJRCBSb290IENBMB4XDTE5MTAxODIyMjQxMFoXDTI5MTAx
+NTIyMjQxMFowFDESMBAGA1UEAwwJRCBSb290IENBMIIBIjANBgkqhkiG9w0BAQEF
+AAOCAQ8AMIIBCgKCAQEA3BWl69efwN7MU/Iu8tbkImYW+TklDPnEURkcf8oWZPvB
+jxi0d8zBb5nOVFkq6F8U/C9YUe0BuzGTE5r1SQf36K76NHgb0h46yEqkMMVcIgmt
+PbjMDFYkuv2ruC3dkuP0iKNk8Oa2+fKshjx34BkmSw7c8ZcFnhPeDB1yR+ztHAkY
++PN9VbpZBp86XwjuzTWyPCnh+0qjTRz6WWLarBO8rdLanOjuEOg24pcE4wTKr9aX
+fulEho1Gn31YL74KHTR84/ALmlB4/9LubUwqsOalgEVMnN2m35NtrueYwkvExdZV
+mtTfugClDx0jtGN1zMf/CI4cd7try8y04IH/VvpFswIDAQABo0IwQDAPBgNVHRMB
+Af8EBTADAQH/MB0GA1UdDgQWBBTuE6B2XFi+jFpnMcojNWdVDVEOEjAOBgNVHQ8B
+Af8EBAMCAQYwDQYJKoZIhvcNAQELBQADggEBAD2t6qVJu8bwClwqKoy+fySdVYOF
+eMvFAlrrzfU2qt8yiz8Z9sCeZiASgenhOUgx6JLIsa/6H7cHi1Qu0lV5yMhEdbD+
+19KNk1iC6/9JaZNj3t8ZuuCjeUFILBj0M6Xe2QDa5wV+iHSM3wHsF/g3gesATgOb
+CgkVTbH1cv6KH8D5xiY7E1LDWce/zB55ppNiZVYl4liL39sqT6dqM/f50ZlCvu7c
+5KE0I5tAd9XkRbOxk5rQSAo0McjxYBz+EHZ0fvWWRxnvOoSyDvN0I5GbP1F85Dq1
+QFC6xlj56si2XB12rKwj0PEThvtNGR2ZMiH3Vop/w5DKUTpzoSdkax2bUx0=
 -----END CERTIFICATE-----
diff --git a/chromium/net/data/ssl/certificates/redundant-validated-chain-root.pem b/chromium/net/data/ssl/certificates/redundant-validated-chain-root.pem
index 1c14f35576f..6fadba06fe2 100644
--- a/chromium/net/data/ssl/certificates/redundant-validated-chain-root.pem
+++ b/chromium/net/data/ssl/certificates/redundant-validated-chain-root.pem
@@ -1,74 +1,75 @@
 Certificate:
     Data:
         Version: 3 (0x2)
-        Serial Number: 15821419482712091348 (0xdb90f931ad7faad4)
-    Signature Algorithm: sha1WithRSAEncryption
-        Issuer: CN=C CA
+        Serial Number:
+            7d:19:e5:55:d1:85:7c:54:62:f6:56:00:7a:cf:78:a9:38:29:81:ff
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: CN = C CA
         Validity
-            Not Before: Aug 14 02:47:11 2014 GMT
-            Not After : Aug 11 02:47:11 2024 GMT
-        Subject: CN=C CA
+            Not Before: Oct 18 22:24:10 2019 GMT
+            Not After : Oct 15 22:24:10 2029 GMT
+        Subject: CN = C CA
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                Public-Key: (2048 bit)
+                RSA Public-Key: (2048 bit)
                 Modulus:
-                    00:a7:3d:f2:7d:cf:2c:cd:eb:2c:bc:03:65:da:ae:
-                    96:29:80:29:8d:c5:42:e1:93:d9:3a:d7:78:9b:b5:
-                    be:7b:ef:df:c9:fd:86:30:18:c6:38:92:c6:a5:63:
-                    2e:ba:d0:9c:16:91:af:b3:80:38:14:5f:88:ca:b3:
-                    8b:a4:c4:ba:2f:c4:d4:c0:c0:2e:43:6c:1e:af:5e:
-                    9c:6a:9c:96:17:c3:89:ab:af:2a:93:7d:76:ea:34:
-                    2a:56:c9:5c:e9:72:50:f7:d1:e6:a0:2c:ee:df:27:
-                    a8:2f:17:c1:f6:fd:80:d6:dd:19:64:fe:7f:b7:80:
-                    a6:00:94:28:0e:01:fa:9b:40:d2:ed:43:2c:b1:10:
-                    2e:b0:57:5a:e4:5a:2f:86:6c:63:fa:22:d4:e2:c6:
-                    81:c0:d8:76:7e:54:a6:81:b7:b0:bb:ac:66:80:ed:
-                    a1:ab:25:6f:4d:7d:b6:cc:37:65:74:30:df:52:84:
-                    4b:93:f7:95:76:96:fb:db:fe:b9:d3:2c:ff:65:4d:
-                    89:09:15:32:3c:5d:60:68:79:57:9b:98:59:bc:d7:
-                    c2:93:30:91:81:7c:fc:d5:7e:46:3c:85:ef:4d:d2:
-                    9e:96:b0:86:95:78:20:6f:bd:a0:72:3f:d1:25:4c:
-                    f7:2e:c5:a1:21:5a:c7:7b:5e:98:73:15:37:0a:9d:
-                    80:0b
+                    00:97:21:4e:ff:ff:22:dd:de:6d:cc:05:75:3b:37:
+                    80:28:9f:61:8b:a2:ac:9b:3b:b1:e6:3a:a4:35:ce:
+                    7b:95:ce:d2:2f:95:f1:c2:51:c2:9d:21:71:dd:06:
+                    3a:eb:67:68:59:2d:f6:19:b1:7d:98:06:c2:c4:19:
+                    34:2a:00:0a:f1:0a:0b:76:39:ba:0f:e9:69:bc:14:
+                    c9:fa:38:b4:f6:38:55:45:3d:21:c7:b8:20:e3:47:
+                    ac:5b:9e:ec:7f:a9:8b:72:00:79:5c:25:13:01:86:
+                    a9:6a:d9:12:b1:d2:3a:a1:cc:e5:e0:63:b2:0d:ea:
+                    aa:a7:42:f9:de:cf:de:e0:15:9b:6e:cd:86:81:d8:
+                    5f:3f:a1:7b:bc:97:31:40:0e:17:a3:aa:c4:48:5a:
+                    5c:c8:e5:89:92:68:85:08:6c:cb:31:35:9c:fb:1e:
+                    d3:66:35:ee:d9:d7:ea:b8:5c:3e:d0:60:94:4c:3d:
+                    2b:21:6b:72:b8:3a:16:e4:f1:ea:97:74:0c:cf:27:
+                    a5:03:c1:b7:c3:d9:4d:5a:3d:c5:8e:3f:ca:99:b4:
+                    b6:59:c6:9f:22:38:0d:4d:c7:f7:11:f8:d0:71:99:
+                    5d:4b:e2:30:62:00:fb:01:c9:ca:3e:ed:6a:d8:6d:
+                    2d:0f:1a:77:33:02:b4:41:b3:ba:f6:1c:38:be:54:
+                    c9:73
                 Exponent: 65537 (0x10001)
         X509v3 extensions:
             X509v3 Basic Constraints: critical
                 CA:TRUE
             X509v3 Subject Key Identifier: 
-                08:C0:24:F4:0D:BB:C2:01:35:30:BA:2C:41:96:6B:16:DB:F8:22:F5
+                63:B1:47:26:FC:DB:79:3F:76:96:69:4D:EA:7E:D0:B7:6A:D2:3F:A8
             X509v3 Key Usage: critical
                 Certificate Sign, CRL Sign
-    Signature Algorithm: sha1WithRSAEncryption
-         5f:95:30:a9:ee:b0:b0:b4:fb:0e:3e:7a:df:57:6e:cc:e4:59:
-         45:bf:93:08:62:d2:98:f6:7b:37:cf:b6:f5:8c:8d:82:dc:c8:
-         f0:af:3b:0d:1e:cc:c4:b7:b1:f3:da:58:f9:29:d6:f7:ed:16:
-         63:51:dc:d3:1c:37:2f:a3:f4:29:0f:91:5d:90:2e:d2:c7:ef:
-         1b:55:01:c9:ad:cb:7b:45:da:2d:65:01:c7:3f:b5:a4:78:b1:
-         22:81:d3:a6:6c:c6:ba:5e:23:88:1d:d5:3e:7d:c6:15:88:88:
-         19:f7:c4:83:a6:27:96:9e:4b:c5:ef:7e:2c:6a:09:e1:3f:79:
-         2d:91:27:ab:28:12:18:6f:b3:b8:cf:0f:06:1d:d7:75:47:9b:
-         39:4d:66:3c:b4:12:58:0a:b8:b2:d7:c7:99:26:a0:9c:e4:90:
-         cd:5e:1b:0a:50:d1:61:20:ff:b7:c7:da:7e:7c:e5:e7:d3:91:
-         a8:82:f8:90:f4:2d:aa:6e:b7:28:59:02:42:fc:90:a2:1d:f9:
-         d4:74:b0:a3:c4:9c:95:9a:33:e2:30:dd:7d:6e:58:e7:b0:41:
-         de:b3:db:7f:16:da:94:e6:99:32:49:d4:69:6b:68:be:95:2e:
-         2e:fa:fd:eb:ec:67:87:24:f6:74:cc:1c:3b:32:fa:45:24:a9:
-         ff:f5:df:12
+    Signature Algorithm: sha256WithRSAEncryption
+         8e:4d:6c:49:c9:9c:f9:cb:a0:81:9b:65:31:c7:bc:8c:c0:75:
+         4d:60:16:ef:bb:b6:b4:2a:5d:68:34:d7:e0:53:1f:3e:84:b6:
+         aa:7d:fd:a1:c9:29:88:83:2e:ab:f3:87:43:a8:d8:5c:a8:1b:
+         e0:58:50:84:03:05:15:03:01:07:30:d0:4a:f9:95:f1:86:be:
+         45:5b:31:f0:88:12:22:d7:7a:fb:0b:9f:95:41:ba:df:40:e3:
+         b2:71:e7:4e:09:91:1c:5f:51:b3:ce:a5:00:0b:82:d1:04:f2:
+         1c:5a:14:4b:1b:3f:2d:41:11:7c:33:37:89:56:b4:b7:fa:d8:
+         b9:20:8d:bd:a6:68:60:2a:3c:aa:61:38:74:d4:0a:16:41:70:
+         d8:75:c4:6d:04:a8:b6:a5:0f:e7:02:52:0b:7d:44:d6:1b:2f:
+         ca:06:aa:61:3d:8d:82:3f:34:c5:bb:08:69:6f:6c:b7:53:e5:
+         52:3d:dd:7b:1c:1f:d3:7d:38:43:ca:c7:75:9a:a8:a1:93:27:
+         13:b0:57:1a:ff:22:90:1f:b2:69:da:7a:a4:2f:16:51:fa:81:
+         6c:ed:c0:19:42:58:b5:21:67:c1:54:93:db:55:86:c7:97:09:
+         76:18:32:55:2a:b4:b1:ac:12:bc:3f:00:3d:b5:1c:ef:55:c4:
+         f0:6c:a1:17
 -----BEGIN CERTIFICATE-----
-MIIC4zCCAcugAwIBAgIJANuQ+TGtf6rUMA0GCSqGSIb3DQEBBQUAMA8xDTALBgNV
-BAMMBEMgQ0EwHhcNMTQwODE0MDI0NzExWhcNMjQwODExMDI0NzExWjAPMQ0wCwYD
-VQQDDARDIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEApz3yfc8s
-zessvANl2q6WKYApjcVC4ZPZOtd4m7W+e+/fyf2GMBjGOJLGpWMuutCcFpGvs4A4
-FF+IyrOLpMS6L8TUwMAuQ2wer16capyWF8OJq68qk3126jQqVslc6XJQ99HmoCzu
-3yeoLxfB9v2A1t0ZZP5/t4CmAJQoDgH6m0DS7UMssRAusFda5Fovhmxj+iLU4saB
-wNh2flSmgbewu6xmgO2hqyVvTX22zDdldDDfUoRLk/eVdpb72/650yz/ZU2JCRUy
-PF1gaHlXm5hZvNfCkzCRgXz81X5GPIXvTdKelrCGlXggb72gcj/RJUz3LsWhIVrH
-e16YcxU3Cp2ACwIDAQABo0IwQDAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBQI
-wCT0DbvCATUwuixBlmsW2/gi9TAOBgNVHQ8BAf8EBAMCAQYwDQYJKoZIhvcNAQEF
-BQADggEBAF+VMKnusLC0+w4+et9XbszkWUW/kwhi0pj2ezfPtvWMjYLcyPCvOw0e
-zMS3sfPaWPkp1vftFmNR3NMcNy+j9CkPkV2QLtLH7xtVAcmty3tF2i1lAcc/taR4
-sSKB06ZsxrpeI4gd1T59xhWIiBn3xIOmJ5aeS8XvfixqCeE/eS2RJ6soEhhvs7jP
-DwYd13VHmzlNZjy0ElgKuLLXx5kmoJzkkM1eGwpQ0WEg/7fH2n585efTkaiC+JD0
-LaputyhZAkL8kKId+dR0sKPEnJWaM+Iw3X1uWOewQd6z238W2pTmmTJJ1GlraL6V
-Li76/evsZ4ck9nTMHDsy+kUkqf/13xI=
+MIIC7jCCAdagAwIBAgIUfRnlVdGFfFRi9lYAes94qTgpgf8wDQYJKoZIhvcNAQEL
+BQAwDzENMAsGA1UEAwwEQyBDQTAeFw0xOTEwMTgyMjI0MTBaFw0yOTEwMTUyMjI0
+MTBaMA8xDTALBgNVBAMMBEMgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
+AoIBAQCXIU7//yLd3m3MBXU7N4Aon2GLoqybO7HmOqQ1znuVztIvlfHCUcKdIXHd
+BjrrZ2hZLfYZsX2YBsLEGTQqAArxCgt2OboP6Wm8FMn6OLT2OFVFPSHHuCDjR6xb
+nux/qYtyAHlcJRMBhqlq2RKx0jqhzOXgY7IN6qqnQvnez97gFZtuzYaB2F8/oXu8
+lzFADhejqsRIWlzI5YmSaIUIbMsxNZz7HtNmNe7Z1+q4XD7QYJRMPSsha3K4Ohbk
+8eqXdAzPJ6UDwbfD2U1aPcWOP8qZtLZZxp8iOA1Nx/cR+NBxmV1L4jBiAPsByco+
+7WrYbS0PGnczArRBs7r2HDi+VMlzAgMBAAGjQjBAMA8GA1UdEwEB/wQFMAMBAf8w
+HQYDVR0OBBYEFGOxRyb823k/dpZpTep+0Ldq0j+oMA4GA1UdDwEB/wQEAwIBBjAN
+BgkqhkiG9w0BAQsFAAOCAQEAjk1sScmc+cuggZtlMce8jMB1TWAW77u2tCpdaDTX
+4FMfPoS2qn39ockpiIMuq/OHQ6jYXKgb4FhQhAMFFQMBBzDQSvmV8Ya+RVsx8IgS
+Itd6+wuflUG630DjsnHnTgmRHF9Rs86lAAuC0QTyHFoUSxs/LUERfDM3iVa0t/rY
+uSCNvaZoYCo8qmE4dNQKFkFw2HXEbQSotqUP5wJSC31E1hsvygaqYT2Ngj80xbsI
+aW9st1PlUj3dexwf0304Q8rHdZqooZMnE7BXGv8ikB+yadp6pC8WUfqBbO3AGUJY
+tSFnwVST21WGx5cJdhgyVSq0sawSvD8APbUc71XE8GyhFw==
 -----END CERTIFICATE-----
diff --git a/chromium/net/data/ssl/certificates/redundant-validated-chain.pem b/chromium/net/data/ssl/certificates/redundant-validated-chain.pem
index d8ca1233aca..8239cdc184c 100644
--- a/chromium/net/data/ssl/certificates/redundant-validated-chain.pem
+++ b/chromium/net/data/ssl/certificates/redundant-validated-chain.pem
@@ -1,254 +1,259 @@
------BEGIN RSA PRIVATE KEY-----
-MIIEowIBAAKCAQEAs9htMWsxQD/3s1phTjWQ2u8R4idEckpFjVHN+C9K3HEKIS9K
-VN51HtRwu9nj36OT970k2xC3+O5SAtqdy23/5oMPUTdoD5zKdNvGVxLSGypFOMZX
-jgt39pulOan4sJJ/DtdrRjZEkjXBqgYy0xSeBoJIf1tewIJiv8YEYOjwMQKaznLM
-qaVY8+k8n/NtRb49etaBR0j3531UCupBMEyiiITqMd1Z/dwQodvD5UZhxaSxY1xl
-nw6/HX1f32zWq6zSZrnk9JDpLPyBuJy4d/op7mJv4Tv/jFc7qMpB0AvCflqneeeU
-r4TI34CSo+zFu7IPIFVzvd8ZYUGPtIkane2JVQIDAQABAoIBAFcpIvJ6cuoille0
-C8itqUCR8ObcBQ4m9MJizSHlObDQkAo5MxsinTyN1P0VwpyWWJYOcxhAaAka52A+
-t47qBsWe6wN/iM1YPb6Y7O0yT+WefOHhLnnHESLRmCf0OnTI6w80U+c5Uc5Sg0N1
-sZgfO98HsT8X9znxdw5eV6zn99CoFCXouF8lCci/PQ0LnIWrMYHggN1MuhLlh3pB
-Vi+ozl5ZYPbsU8+BOWk7T4xhNfgCYqrKSsz9qthiCxPfA9bmGBK02qXFbx55VXJe
-C5+LZV0oleDjChskH0FpfFoTh2aasGmhM3bwIp2rsz32MJe/QHTaT24eeRNgdB+H
-Xb7BRIECgYEA4/Be1j2TQbvyp4Yd/cW2NUVzxo/kq5FY5yi3CGQ7fkTU/KgER3p/
-DuCOk/ly9IdrILg9ojGXnPQgEbVNkmeulrFD+UBZtFqdpusX50Ehv8TLwoInLsOf
-v1BN3Vhh8NfHEFiD/DuVBN1rwk9R+yIG6ZTe3kohLRXWHspCGGnrFQUCgYEAyfxc
-Oc3sVJa5S9Vug3ZcmolKI/sZP7/4+q0HtfGmimQGmA1gNy/vPTe6gYnoVNgFmvGG
-LQCm/qYoUtcKGoQJuAj8hurYZehWmhmXudf82r1DaN26V70DCVV/bMXQROQGWxTN
-ci7h13dmOl6vJXf2jcqRAIRYnbH6bbUaGryV1BECgYBw1JaNZJOVMW0PYgNMkGb+
-fa+utaHTD7K7UlswCzWr7nSj0KO1ojxs59mMBCnUQ4hS/QB9XiEXr3yEZ4PLmglB
-TORB6Im/DjAF5U/CyGnlXIwkb3rn2iwkbqLsk4h/yMAgJkDHRdMhQl3KJKuHLbPQ
-QkIENRuxDqMcQLBxF1Un5QKBgAXZgypBZnjErLUfh0XTZbcsBrOoEAEipClOXYzN
-ZM9ZOj+pE4JFpx4UwRgDUHE0mGT2XbZr8Gorkbtkcux1qnpj+DxIDOBWrDtmRlih
-grcrCAq/cSgdVzsr+LbDu9Zi7DQzFAgch3ngAVvrZhMluEQ++5gSPSbEAsaumgTw
-NT6hAoGBAM2IpPgrCi60ikYxmFx9gtqAGedWPu7c1BlP2HVBuib+STodK3sVcNU3
-px9zzrGTbil/r873Co4/sgFXk5r+23qTuFCpUOrW0YDsKOe85WSuOY8RiSf/SQhd
-B9gqBDymZgZ/0kCIUGhigZNNcJEhdY++eggmgt0lUt2QQNa7o3JI
------END RSA PRIVATE KEY-----
+-----BEGIN PRIVATE KEY-----
+MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQDsdrSxnyz5qQNr
+JRBll0qjD5zDYW41+A+X2rDMDONOaLlO9OODtjvoCRBg5KUJ2y9a/Vsui77szkLD
+7h4lJPTlxGyFNxgtfyzSuXEb5ZBP0kYD+RXfafIeTmQECIFwsmnc3ytonl+Hzr+g
+6G2w12qNWOL3DqrxgOc/9UeZKuTf4ERM7x1cfBmA3keW0M8PqJ9rVSG7zzLreago
+Q81pmlWVttFrZWt2PAq6DH7BEdN+cbIEa6bSFOmBW24r+TJxxDc9X95xXNdC/LYn
+fb9tN+1gPDd1bcjeEdPIg0EMqb0BtfcaUjZojownuIt04fcaet4OaVoo/HNhy9XM
+GqqoHQeHAgMBAAECggEAIBGZP92Og+1gAU/tgVmbTbH4WKcGA1u5AacvAv1cdm3N
+c9/SWzKDvVw9VGat20BWk8h4bT+WjRcMBvZsMC1q6R5SeV6XcNQmiA2OQXJIuAqU
+ZEWLqdj8dQ+8kK92nooTwVii0nVoD0sCwhfDiJAuayz62vaqSEZrFkl1hFhE4feN
+jpNOjzU54nbtmAnT1umyO13pJxTcRjetTJioIsl/uvTGuIhBsY6gqYchtPtZ0c35
+0/YNOMtAWKERDgpyFwBNmUA9YunmS603ThA5SB7rbaMbANyxXoGRcRjNavI67ues
+fgvRY/GghnY2sKroyc9CIsnghrGAITW6miQw3uWRQQKBgQD4mTh7g0DP3bfHUIqm
+af7UmPV7gPrJItlvgrYRYy4zjnxvNk/kcfgrJATMAnqGX5KrbXFX6AdfanRRnJcP
+gCojd1C3v3cotUVky9r91v/1Hn1fe2hDzy/qrbwh2WBATPKCJjL0PuXNhGsfqoKG
+SMhvqy95sfFnqvy4f4pUPh6pIwKBgQDzgP7WUAVWUcmjjxq6QM8WfDD5RMuPfAL4
+skkpm3WB/H+xUeqax+KSKNDDrWTfhWpTucZt0v84aG6NQz4vzkc5DrRnWltkqFgR
+NLU1esrgn1bnh/iNQt+bmw8OgH0puJsI82wBa7QjGYu3ocW043Avp1DS2ocMGMzu
+S+hFvBG4TQKBgFDI8drpVzl1cpBZswTLMx2BK1zcGCMeqQwcrO/PjCcC6Zr2SlYR
+VzUluk1VjN1312DP6uJHK4YtQOl4enp2CruFvXxIwv8+kPNlb5/Hq1vLcbCCmOpY
+PNkFZjqVujqLBs+WfD505ha4LluW/F2I72GifoYMdkdbAE8wWxJvMWWDAoGADRQg
+m+IwZzJ9YguNo/NXLB3/g2PuiwZeIn1w8IspBJJLSXrc3vNdd/w5OklV4auIynZv
+8fYjPyRcy7mQ3YB20tm3VtXDkuR31nS+RuERhH8Ka+UhtHSjDfiGFoFQN61ypkhs
+xKbERh5ZIsPNmqmcnPKfpLOYDU5Hs4TgNN6lFQECgYA/0Y25oCHqLH9MfPGs2gMJ
+BTeMxzAIsA2lwhr2/WOANHA9cWnHtI3d1eNequZpNgxtKbw2mxbM+IfnO50czV7g
+5PJPvU79T6d64u1AOtoKbCxgm9wTL8UmEPvEInnT8SfnECPxW9Pwey2rC39527jl
+i5FkIsSiwU8YIZk73YCqDg==
+-----END PRIVATE KEY-----
 Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number: 4096 (0x1000)
-    Signature Algorithm: sha256WithRSAEncryption
+        Signature Algorithm: sha256WithRSAEncryption
         Issuer: CN=B CA
         Validity
-            Not Before: Aug 14 02:47:12 2014 GMT
-            Not After : Aug 11 02:47:12 2024 GMT
+            Not Before: Oct 18 22:24:10 2019 GMT
+            Not After : Oct 15 22:24:10 2029 GMT
         Subject: C=US, ST=California, L=Mountain View, O=Test CA, CN=127.0.0.1
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                Public-Key: (2048 bit)
+                RSA Public-Key: (2048 bit)
                 Modulus:
-                    00:b3:d8:6d:31:6b:31:40:3f:f7:b3:5a:61:4e:35:
-                    90:da:ef:11:e2:27:44:72:4a:45:8d:51:cd:f8:2f:
-                    4a:dc:71:0a:21:2f:4a:54:de:75:1e:d4:70:bb:d9:
-                    e3:df:a3:93:f7:bd:24:db:10:b7:f8:ee:52:02:da:
-                    9d:cb:6d:ff:e6:83:0f:51:37:68:0f:9c:ca:74:db:
-                    c6:57:12:d2:1b:2a:45:38:c6:57:8e:0b:77:f6:9b:
-                    a5:39:a9:f8:b0:92:7f:0e:d7:6b:46:36:44:92:35:
-                    c1:aa:06:32:d3:14:9e:06:82:48:7f:5b:5e:c0:82:
-                    62:bf:c6:04:60:e8:f0:31:02:9a:ce:72:cc:a9:a5:
-                    58:f3:e9:3c:9f:f3:6d:45:be:3d:7a:d6:81:47:48:
-                    f7:e7:7d:54:0a:ea:41:30:4c:a2:88:84:ea:31:dd:
-                    59:fd:dc:10:a1:db:c3:e5:46:61:c5:a4:b1:63:5c:
-                    65:9f:0e:bf:1d:7d:5f:df:6c:d6:ab:ac:d2:66:b9:
-                    e4:f4:90:e9:2c:fc:81:b8:9c:b8:77:fa:29:ee:62:
-                    6f:e1:3b:ff:8c:57:3b:a8:ca:41:d0:0b:c2:7e:5a:
-                    a7:79:e7:94:af:84:c8:df:80:92:a3:ec:c5:bb:b2:
-                    0f:20:55:73:bd:df:19:61:41:8f:b4:89:1a:9d:ed:
-                    89:55
+                    00:ec:76:b4:b1:9f:2c:f9:a9:03:6b:25:10:65:97:
+                    4a:a3:0f:9c:c3:61:6e:35:f8:0f:97:da:b0:cc:0c:
+                    e3:4e:68:b9:4e:f4:e3:83:b6:3b:e8:09:10:60:e4:
+                    a5:09:db:2f:5a:fd:5b:2e:8b:be:ec:ce:42:c3:ee:
+                    1e:25:24:f4:e5:c4:6c:85:37:18:2d:7f:2c:d2:b9:
+                    71:1b:e5:90:4f:d2:46:03:f9:15:df:69:f2:1e:4e:
+                    64:04:08:81:70:b2:69:dc:df:2b:68:9e:5f:87:ce:
+                    bf:a0:e8:6d:b0:d7:6a:8d:58:e2:f7:0e:aa:f1:80:
+                    e7:3f:f5:47:99:2a:e4:df:e0:44:4c:ef:1d:5c:7c:
+                    19:80:de:47:96:d0:cf:0f:a8:9f:6b:55:21:bb:cf:
+                    32:eb:79:a8:28:43:cd:69:9a:55:95:b6:d1:6b:65:
+                    6b:76:3c:0a:ba:0c:7e:c1:11:d3:7e:71:b2:04:6b:
+                    a6:d2:14:e9:81:5b:6e:2b:f9:32:71:c4:37:3d:5f:
+                    de:71:5c:d7:42:fc:b6:27:7d:bf:6d:37:ed:60:3c:
+                    37:75:6d:c8:de:11:d3:c8:83:41:0c:a9:bd:01:b5:
+                    f7:1a:52:36:68:8e:8c:27:b8:8b:74:e1:f7:1a:7a:
+                    de:0e:69:5a:28:fc:73:61:cb:d5:cc:1a:aa:a8:1d:
+                    07:87
                 Exponent: 65537 (0x10001)
         X509v3 extensions:
             X509v3 Basic Constraints: critical
                 CA:FALSE
             X509v3 Subject Key Identifier: 
-                C0:E2:E7:28:2E:67:6F:8E:24:79:39:78:B6:0C:7E:B1:48:35:40:1E
+                E7:8D:C4:21:0B:CE:12:A1:F7:05:E6:52:AF:3B:A6:10:BA:71:68:3D
             X509v3 Authority Key Identifier: 
-                keyid:69:C1:9C:85:EC:20:DC:38:0C:32:B0:51:FC:CF:DB:C1:97:03:50:5D
+                keyid:77:3C:D2:AA:A1:C9:7D:FE:B6:90:3F:CB:1B:F6:38:37:0C:28:1A:F7
 
             X509v3 Extended Key Usage: 
                 TLS Web Server Authentication, TLS Web Client Authentication
+            X509v3 Subject Alternative Name: 
+                IP Address:127.0.0.1
     Signature Algorithm: sha256WithRSAEncryption
-         da:56:18:d4:16:55:5a:e4:c4:1c:66:15:dd:f0:eb:e6:94:b6:
-         d1:84:65:75:06:c8:15:fd:16:6b:e0:f0:0c:90:9f:0b:23:a2:
-         7f:30:2a:59:31:b1:fe:c5:88:06:fe:ad:82:7d:e3:9d:73:82:
-         cf:31:22:93:4d:36:32:49:e5:21:9c:5a:99:e0:74:d8:4d:ed:
-         f8:99:83:5f:ba:50:96:34:6d:aa:cc:50:61:a2:7c:60:e8:c1:
-         00:b4:68:a5:05:cf:b8:44:7e:36:9a:c7:06:c5:26:e0:f8:58:
-         2e:ec:d3:45:e0:64:99:95:4f:08:f3:6d:d4:aa:e9:93:a0:b4:
-         bd:5d:77:20:b9:84:61:e2:dd:04:7a:75:4f:dc:94:48:f7:b3:
-         76:ef:a9:21:f5:24:42:ef:aa:e2:eb:80:c1:6f:66:91:dc:45:
-         27:a6:f9:fc:d7:e7:9d:c9:3f:d3:ce:8d:e7:a6:0f:41:50:72:
-         94:01:9a:72:82:d3:86:23:cc:fe:f3:2e:d8:b9:b5:16:ed:1c:
-         7a:d0:39:06:e5:2b:0b:ac:d9:21:29:30:b4:06:f2:ee:a5:6b:
-         b3:13:8d:23:eb:62:95:b7:43:ca:f1:cb:fa:3a:fd:ce:5a:eb:
-         36:fe:47:f0:51:47:fe:b1:70:90:45:ce:4d:b2:60:80:b7:7f:
-         19:4d:79:e5
+         17:ff:16:47:18:ed:d0:b5:54:fb:b6:02:c7:e4:c1:9a:4d:99:
+         54:cb:ca:df:75:25:d4:e5:b5:20:74:3d:ac:f9:e2:a1:87:a5:
+         d1:a2:da:48:c0:71:12:9f:84:9e:10:70:9c:bd:4c:74:85:90:
+         b8:15:9c:b2:fb:f2:4c:03:7c:7a:a6:6e:c4:91:19:93:79:a4:
+         47:96:fa:30:15:a3:02:20:d0:07:23:70:16:db:73:aa:6e:61:
+         b9:b1:0f:a9:e5:f8:d4:4f:34:19:a1:2e:fa:d6:f0:97:76:8c:
+         ff:08:54:8e:dc:a3:49:c9:a3:d8:e0:c3:71:e9:8f:98:3d:dd:
+         25:73:c4:da:c3:fa:43:19:48:39:5c:43:8c:30:7a:cf:de:5a:
+         c9:ee:8e:2e:88:b0:e7:84:74:5f:d4:91:a6:65:8d:bc:fd:10:
+         51:3c:53:32:fe:dd:03:84:9b:b0:64:58:9d:99:b4:bc:5f:ce:
+         30:af:67:58:f5:6c:02:67:20:f9:aa:dc:d6:96:fc:00:e8:6d:
+         72:48:12:a9:f9:dc:4b:00:26:fb:ab:1f:00:ac:e2:11:f9:36:
+         2c:bd:a9:1c:86:b5:77:c6:97:6d:29:ec:3f:d3:94:95:46:54:
+         a4:2d:66:7e:9d:d7:1b:ea:21:f7:39:a3:b4:fb:e9:b6:38:4d:
+         eb:49:1d:83
 -----BEGIN CERTIFICATE-----
-MIIDWjCCAkKgAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwDzENMAsGA1UEAwwEQiBD
-QTAeFw0xNDA4MTQwMjQ3MTJaFw0yNDA4MTEwMjQ3MTJaMGAxCzAJBgNVBAYTAlVT
+MIIDbDCCAlSgAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwDzENMAsGA1UEAwwEQiBD
+QTAeFw0xOTEwMTgyMjI0MTBaFw0yOTEwMTUyMjI0MTBaMGAxCzAJBgNVBAYTAlVT
 MRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1Nb3VudGFpbiBWaWV3MRAw
 DgYDVQQKDAdUZXN0IENBMRIwEAYDVQQDDAkxMjcuMC4wLjEwggEiMA0GCSqGSIb3
-DQEBAQUAA4IBDwAwggEKAoIBAQCz2G0xazFAP/ezWmFONZDa7xHiJ0RySkWNUc34
-L0rccQohL0pU3nUe1HC72ePfo5P3vSTbELf47lIC2p3Lbf/mgw9RN2gPnMp028ZX
-EtIbKkU4xleOC3f2m6U5qfiwkn8O12tGNkSSNcGqBjLTFJ4Ggkh/W17AgmK/xgRg
-6PAxAprOcsyppVjz6Tyf821Fvj161oFHSPfnfVQK6kEwTKKIhOox3Vn93BCh28Pl
-RmHFpLFjXGWfDr8dfV/fbNarrNJmueT0kOks/IG4nLh3+inuYm/hO/+MVzuoykHQ
-C8J+Wqd555SvhMjfgJKj7MW7sg8gVXO93xlhQY+0iRqd7YlVAgMBAAGjbzBtMAwG
-A1UdEwEB/wQCMAAwHQYDVR0OBBYEFMDi5yguZ2+OJHk5eLYMfrFINUAeMB8GA1Ud
-IwQYMBaAFGnBnIXsINw4DDKwUfzP28GXA1BdMB0GA1UdJQQWMBQGCCsGAQUFBwMB
-BggrBgEFBQcDAjANBgkqhkiG9w0BAQsFAAOCAQEA2lYY1BZVWuTEHGYV3fDr5pS2
-0YRldQbIFf0Wa+DwDJCfCyOifzAqWTGx/sWIBv6tgn3jnXOCzzEik002MknlIZxa
-meB02E3t+JmDX7pQljRtqsxQYaJ8YOjBALRopQXPuER+NprHBsUm4PhYLuzTReBk
-mZVPCPNt1Krpk6C0vV13ILmEYeLdBHp1T9yUSPezdu+pIfUkQu+q4uuAwW9mkdxF
-J6b5/Nfnnck/086N56YPQVBylAGacoLThiPM/vMu2Lm1Fu0cetA5BuUrC6zZISkw
-tAby7qVrsxONI+tilbdDyvHL+jr9zlrrNv5H8FFH/rFwkEXOTbJggLd/GU155Q==
+DQEBAQUAA4IBDwAwggEKAoIBAQDsdrSxnyz5qQNrJRBll0qjD5zDYW41+A+X2rDM
+DONOaLlO9OODtjvoCRBg5KUJ2y9a/Vsui77szkLD7h4lJPTlxGyFNxgtfyzSuXEb
+5ZBP0kYD+RXfafIeTmQECIFwsmnc3ytonl+Hzr+g6G2w12qNWOL3DqrxgOc/9UeZ
+KuTf4ERM7x1cfBmA3keW0M8PqJ9rVSG7zzLreagoQ81pmlWVttFrZWt2PAq6DH7B
+EdN+cbIEa6bSFOmBW24r+TJxxDc9X95xXNdC/LYnfb9tN+1gPDd1bcjeEdPIg0EM
+qb0BtfcaUjZojownuIt04fcaet4OaVoo/HNhy9XMGqqoHQeHAgMBAAGjgYAwfjAM
+BgNVHRMBAf8EAjAAMB0GA1UdDgQWBBTnjcQhC84SofcF5lKvO6YQunFoPTAfBgNV
+HSMEGDAWgBR3PNKqocl9/raQP8sb9jg3DCga9zAdBgNVHSUEFjAUBggrBgEFBQcD
+AQYIKwYBBQUHAwIwDwYDVR0RBAgwBocEfwAAATANBgkqhkiG9w0BAQsFAAOCAQEA
+F/8WRxjt0LVU+7YCx+TBmk2ZVMvK33Ul1OW1IHQ9rPnioYel0aLaSMBxEp+EnhBw
+nL1MdIWQuBWcsvvyTAN8eqZuxJEZk3mkR5b6MBWjAiDQByNwFttzqm5hubEPqeX4
+1E80GaEu+tbwl3aM/whUjtyjScmj2ODDcemPmD3dJXPE2sP6QxlIOVxDjDB6z95a
+ye6OLoiw54R0X9SRpmWNvP0QUTxTMv7dA4SbsGRYnZm0vF/OMK9nWPVsAmcg+arc
+1pb8AOhtckgSqfncSwAm+6sfAKziEfk2LL2pHIa1d8aXbSnsP9OUlUZUpC1mfp3X
+G+oh9zmjtPvptjhN60kdgw==
 -----END CERTIFICATE-----
 Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number: 4097 (0x1001)
-    Signature Algorithm: sha256WithRSAEncryption
+        Signature Algorithm: sha256WithRSAEncryption
         Issuer: CN=C CA
         Validity
-            Not Before: Aug 14 02:47:12 2014 GMT
-            Not After : Aug 11 02:47:12 2024 GMT
+            Not Before: Oct 18 22:24:10 2019 GMT
+            Not After : Oct 15 22:24:10 2029 GMT
         Subject: CN=B CA
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                Public-Key: (2048 bit)
+                RSA Public-Key: (2048 bit)
                 Modulus:
-                    00:ec:ac:40:57:bc:13:cd:7a:72:b9:2b:fb:46:a3:
-                    ca:a0:0e:f9:74:87:0d:16:e4:d4:78:79:38:ac:f3:
-                    39:61:52:2d:11:38:15:cc:7a:02:1e:b1:a8:d7:0d:
-                    39:fd:d1:2e:0c:66:35:e0:47:66:96:6c:3a:aa:11:
-                    3f:91:36:e4:fb:71:5e:2d:e5:4a:c1:2c:82:bc:de:
-                    0e:e4:d4:fb:8d:c0:a7:0e:82:70:4e:64:aa:55:5a:
-                    cb:59:de:b7:8f:e0:77:96:db:3a:4a:47:52:a8:1b:
-                    ef:7a:c9:c3:d5:7e:e1:65:2f:6d:35:21:24:37:12:
-                    c9:e8:c1:43:35:8d:7f:81:a5:77:fa:b6:c4:f0:74:
-                    3b:ab:40:03:a7:98:32:9d:7b:67:5a:19:b1:29:0c:
-                    ac:96:28:12:4c:cb:3b:e0:71:08:6a:02:86:de:b4:
-                    fe:66:b4:46:ac:7b:c6:45:62:27:1b:40:7a:f6:d7:
-                    38:02:52:43:21:9e:6a:80:91:83:b1:16:aa:ca:87:
-                    4c:d2:db:d5:1c:e0:2c:73:07:d1:36:43:4c:b3:09:
-                    5d:88:6e:5b:90:61:5a:74:c6:84:1a:da:29:1c:9c:
-                    5c:b0:b7:18:f0:12:9d:9c:c9:23:96:1f:50:5f:94:
-                    4f:a6:65:1a:45:cb:88:bb:a7:c7:66:fd:74:c0:75:
-                    ad:c1
+                    00:96:bf:0b:a1:79:f7:12:d1:8c:ec:e3:63:4a:c7:
+                    30:53:10:0d:60:41:84:27:99:f0:9f:a4:9e:ec:19:
+                    24:28:80:0b:8e:55:0c:13:ab:16:72:2b:43:aa:ac:
+                    fa:0f:b2:47:ae:a3:a2:8d:66:85:2b:2f:b1:c6:f2:
+                    bd:b6:5e:3b:d1:2b:0d:c2:bc:96:4f:d9:5f:2c:74:
+                    7b:7f:2a:2c:52:84:f6:71:a7:87:df:d3:4e:be:e7:
+                    53:70:cd:f0:47:5b:e4:5b:5b:64:49:37:5b:93:99:
+                    09:78:22:f2:04:9e:af:aa:91:f6:22:a5:59:5d:9e:
+                    c7:cd:c5:11:1a:9e:99:3b:19:ad:51:59:f5:0e:ec:
+                    30:f2:7e:64:33:91:cd:f0:26:12:fe:cb:f2:6e:67:
+                    a2:ec:94:6e:b2:97:3e:51:c0:ca:0a:e4:8a:f3:c6:
+                    fa:cd:55:95:11:57:5e:bd:9b:b9:70:d4:04:af:f2:
+                    c8:5e:1e:fb:b3:d7:03:0a:0e:be:cf:fa:c7:97:63:
+                    7a:e0:b4:22:07:a7:18:b6:a7:1a:d5:23:26:c1:c4:
+                    39:83:3c:45:53:9d:fd:a4:17:62:8d:bd:f2:4b:40:
+                    d3:85:1d:06:3a:24:4f:8f:65:77:cd:c9:e8:64:a4:
+                    55:16:20:8f:17:5c:f1:6b:75:db:8e:ac:eb:2c:97:
+                    28:09
                 Exponent: 65537 (0x10001)
         X509v3 extensions:
             X509v3 Basic Constraints: critical
                 CA:TRUE
             X509v3 Subject Key Identifier: 
-                69:C1:9C:85:EC:20:DC:38:0C:32:B0:51:FC:CF:DB:C1:97:03:50:5D
+                77:3C:D2:AA:A1:C9:7D:FE:B6:90:3F:CB:1B:F6:38:37:0C:28:1A:F7
             X509v3 Key Usage: critical
                 Certificate Sign, CRL Sign
     Signature Algorithm: sha256WithRSAEncryption
-         69:cd:f5:27:4e:fd:65:b2:91:8f:37:9f:ea:3a:46:ad:b3:8e:
-         d8:f4:ba:a7:e1:da:9b:22:39:44:2b:eb:37:84:ed:f4:b4:87:
-         bc:db:7f:f0:db:06:78:38:30:5d:33:70:05:e3:70:20:39:fc:
-         18:86:86:6a:95:0f:ce:a7:ad:8d:c6:5d:29:c8:39:0c:f1:82:
-         a1:c3:4c:f6:58:e3:3f:2c:95:70:13:29:a8:b4:17:8c:94:bb:
-         01:af:07:9d:a5:d3:47:28:15:45:a6:40:0a:f0:37:f3:32:e4:
-         af:8c:e6:59:8a:bb:0d:a0:38:e0:6d:20:75:22:24:12:75:69:
-         ac:4a:87:aa:c1:d1:8e:e5:9d:be:8f:cd:6e:c6:d8:5e:43:83:
-         7f:fb:50:43:8a:6f:db:9a:fc:7e:61:70:87:10:15:c4:2c:1b:
-         6b:24:ee:eb:16:08:4b:d2:9e:ba:c0:ef:59:d3:be:9f:36:4c:
-         70:4d:11:ab:16:10:0a:b4:26:f4:b0:a0:60:5f:02:60:dc:0d:
-         3c:82:69:5b:7e:c8:2c:3b:ec:59:7d:08:65:e5:a5:d8:c3:d0:
-         e8:b7:c8:2a:27:95:6e:d1:84:54:76:dc:58:9f:9a:2d:4b:9e:
-         1d:44:44:7f:ed:b7:ef:9e:52:49:1c:cf:6d:c9:ba:d5:54:d9:
-         59:2d:c7:af
+         8c:35:9a:a4:61:08:6e:60:d9:9e:af:ab:22:89:ca:ca:39:03:
+         9c:5d:4e:5f:dc:e5:dc:33:ce:19:af:19:fd:db:c9:a7:ca:d8:
+         65:73:42:73:35:70:57:99:f0:e0:b5:c8:79:31:72:f4:85:d8:
+         3d:20:04:cb:28:dc:22:bf:ce:43:7f:72:39:7e:b4:aa:c2:a4:
+         e4:25:dd:af:0e:8c:a9:fc:23:a8:4e:3d:52:fe:d4:27:dd:08:
+         de:4c:b6:6c:9c:9c:11:87:11:6e:cb:f0:43:38:4b:62:71:e7:
+         09:d0:01:3f:5c:51:03:41:06:03:76:27:17:15:19:26:a4:6d:
+         17:63:3e:00:d3:d4:02:17:33:17:87:57:9d:33:b5:7e:76:98:
+         3c:a5:68:da:e6:08:76:c5:3b:ea:6a:58:4c:16:da:92:d4:b3:
+         a6:d0:2e:4d:07:7d:ed:57:fa:e1:2a:09:bc:1e:4c:94:3e:f2:
+         11:41:4c:03:a8:08:a4:4c:7a:f1:42:f2:8f:ae:d5:15:5a:c5:
+         22:d3:b0:d8:d5:1d:10:6a:ee:ed:a1:4d:b4:2c:33:e2:0b:c3:
+         92:91:c7:c9:f4:f4:2c:53:8a:f6:1a:80:ff:dc:b3:91:2d:51:
+         0d:cf:e8:d3:89:3f:b1:90:76:44:8f:b1:f9:c1:60:4d:03:28:
+         74:72:ba:26
 -----BEGIN CERTIFICATE-----
 MIIC3DCCAcSgAwIBAgICEAEwDQYJKoZIhvcNAQELBQAwDzENMAsGA1UEAwwEQyBD
-QTAeFw0xNDA4MTQwMjQ3MTJaFw0yNDA4MTEwMjQ3MTJaMA8xDTALBgNVBAMMBEIg
-Q0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDsrEBXvBPNenK5K/tG
-o8qgDvl0hw0W5NR4eTis8zlhUi0ROBXMegIesajXDTn90S4MZjXgR2aWbDqqET+R
-NuT7cV4t5UrBLIK83g7k1PuNwKcOgnBOZKpVWstZ3reP4HeW2zpKR1KoG+96ycPV
-fuFlL201ISQ3EsnowUM1jX+BpXf6tsTwdDurQAOnmDKde2daGbEpDKyWKBJMyzvg
-cQhqAobetP5mtEase8ZFYicbQHr21zgCUkMhnmqAkYOxFqrKh0zS29Uc4CxzB9E2
-Q0yzCV2IbluQYVp0xoQa2ikcnFywtxjwEp2cySOWH1BflE+mZRpFy4i7p8dm/XTA
-da3BAgMBAAGjQjBAMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFGnBnIXsINw4
-DDKwUfzP28GXA1BdMA4GA1UdDwEB/wQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEA
-ac31J079ZbKRjzef6jpGrbOO2PS6p+HamyI5RCvrN4Tt9LSHvNt/8NsGeDgwXTNw
-BeNwIDn8GIaGapUPzqetjcZdKcg5DPGCocNM9ljjPyyVcBMpqLQXjJS7Aa8HnaXT
-RygVRaZACvA38zLkr4zmWYq7DaA44G0gdSIkEnVprEqHqsHRjuWdvo/NbsbYXkOD
-f/tQQ4pv25r8fmFwhxAVxCwbayTu6xYIS9KeusDvWdO+nzZMcE0RqxYQCrQm9LCg
-YF8CYNwNPIJpW37ILDvsWX0IZeWl2MPQ6LfIKieVbtGEVHbcWJ+aLUueHUREf+23
-755SSRzPbcm61VTZWS3Hrw==
+QTAeFw0xOTEwMTgyMjI0MTBaFw0yOTEwMTUyMjI0MTBaMA8xDTALBgNVBAMMBEIg
+Q0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCWvwuhefcS0Yzs42NK
+xzBTEA1gQYQnmfCfpJ7sGSQogAuOVQwTqxZyK0OqrPoPskeuo6KNZoUrL7HG8r22
+XjvRKw3CvJZP2V8sdHt/KixShPZxp4ff006+51NwzfBHW+RbW2RJN1uTmQl4IvIE
+nq+qkfYipVldnsfNxREanpk7Ga1RWfUO7DDyfmQzkc3wJhL+y/JuZ6LslG6ylz5R
+wMoK5IrzxvrNVZURV169m7lw1ASv8sheHvuz1wMKDr7P+seXY3rgtCIHpxi2pxrV
+IybBxDmDPEVTnf2kF2KNvfJLQNOFHQY6JE+PZXfNyehkpFUWII8XXPFrdduOrOss
+lygJAgMBAAGjQjBAMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFHc80qqhyX3+
+tpA/yxv2ODcMKBr3MA4GA1UdDwEB/wQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEA
+jDWapGEIbmDZnq+rIonKyjkDnF1OX9zl3DPOGa8Z/dvJp8rYZXNCczVwV5nw4LXI
+eTFy9IXYPSAEyyjcIr/OQ39yOX60qsKk5CXdrw6MqfwjqE49Uv7UJ90I3ky2bJyc
+EYcRbsvwQzhLYnHnCdABP1xRA0EGA3YnFxUZJqRtF2M+ANPUAhczF4dXnTO1fnaY
+PKVo2uYIdsU76mpYTBbaktSzptAuTQd97Vf64SoJvB5MlD7yEUFMA6gIpEx68ULy
+j67VFVrFItOw2NUdEGru7aFNtCwz4gvDkpHHyfT0LFOK9hqA/9yzkS1RDc/o04k/
+sZB2RI+x+cFgTQModHK6Jg==
 -----END CERTIFICATE-----
 Certificate:
     Data:
         Version: 3 (0x2)
-        Serial Number: 15821419482712091348 (0xdb90f931ad7faad4)
-    Signature Algorithm: sha1WithRSAEncryption
-        Issuer: CN=C CA
+        Serial Number:
+            7d:19:e5:55:d1:85:7c:54:62:f6:56:00:7a:cf:78:a9:38:29:81:ff
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: CN = C CA
         Validity
-            Not Before: Aug 14 02:47:11 2014 GMT
-            Not After : Aug 11 02:47:11 2024 GMT
-        Subject: CN=C CA
+            Not Before: Oct 18 22:24:10 2019 GMT
+            Not After : Oct 15 22:24:10 2029 GMT
+        Subject: CN = C CA
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
-                Public-Key: (2048 bit)
+                RSA Public-Key: (2048 bit)
                 Modulus:
-                    00:a7:3d:f2:7d:cf:2c:cd:eb:2c:bc:03:65:da:ae:
-                    96:29:80:29:8d:c5:42:e1:93:d9:3a:d7:78:9b:b5:
-                    be:7b:ef:df:c9:fd:86:30:18:c6:38:92:c6:a5:63:
-                    2e:ba:d0:9c:16:91:af:b3:80:38:14:5f:88:ca:b3:
-                    8b:a4:c4:ba:2f:c4:d4:c0:c0:2e:43:6c:1e:af:5e:
-                    9c:6a:9c:96:17:c3:89:ab:af:2a:93:7d:76:ea:34:
-                    2a:56:c9:5c:e9:72:50:f7:d1:e6:a0:2c:ee:df:27:
-                    a8:2f:17:c1:f6:fd:80:d6:dd:19:64:fe:7f:b7:80:
-                    a6:00:94:28:0e:01:fa:9b:40:d2:ed:43:2c:b1:10:
-                    2e:b0:57:5a:e4:5a:2f:86:6c:63:fa:22:d4:e2:c6:
-                    81:c0:d8:76:7e:54:a6:81:b7:b0:bb:ac:66:80:ed:
-                    a1:ab:25:6f:4d:7d:b6:cc:37:65:74:30:df:52:84:
-                    4b:93:f7:95:76:96:fb:db:fe:b9:d3:2c:ff:65:4d:
-                    89:09:15:32:3c:5d:60:68:79:57:9b:98:59:bc:d7:
-                    c2:93:30:91:81:7c:fc:d5:7e:46:3c:85:ef:4d:d2:
-                    9e:96:b0:86:95:78:20:6f:bd:a0:72:3f:d1:25:4c:
-                    f7:2e:c5:a1:21:5a:c7:7b:5e:98:73:15:37:0a:9d:
-                    80:0b
+                    00:97:21:4e:ff:ff:22:dd:de:6d:cc:05:75:3b:37:
+                    80:28:9f:61:8b:a2:ac:9b:3b:b1:e6:3a:a4:35:ce:
+                    7b:95:ce:d2:2f:95:f1:c2:51:c2:9d:21:71:dd:06:
+                    3a:eb:67:68:59:2d:f6:19:b1:7d:98:06:c2:c4:19:
+                    34:2a:00:0a:f1:0a:0b:76:39:ba:0f:e9:69:bc:14:
+                    c9:fa:38:b4:f6:38:55:45:3d:21:c7:b8:20:e3:47:
+                    ac:5b:9e:ec:7f:a9:8b:72:00:79:5c:25:13:01:86:
+                    a9:6a:d9:12:b1:d2:3a:a1:cc:e5:e0:63:b2:0d:ea:
+                    aa:a7:42:f9:de:cf:de:e0:15:9b:6e:cd:86:81:d8:
+                    5f:3f:a1:7b:bc:97:31:40:0e:17:a3:aa:c4:48:5a:
+                    5c:c8:e5:89:92:68:85:08:6c:cb:31:35:9c:fb:1e:
+                    d3:66:35:ee:d9:d7:ea:b8:5c:3e:d0:60:94:4c:3d:
+                    2b:21:6b:72:b8:3a:16:e4:f1:ea:97:74:0c:cf:27:
+                    a5:03:c1:b7:c3:d9:4d:5a:3d:c5:8e:3f:ca:99:b4:
+                    b6:59:c6:9f:22:38:0d:4d:c7:f7:11:f8:d0:71:99:
+                    5d:4b:e2:30:62:00:fb:01:c9:ca:3e:ed:6a:d8:6d:
+                    2d:0f:1a:77:33:02:b4:41:b3:ba:f6:1c:38:be:54:
+                    c9:73
                 Exponent: 65537 (0x10001)
         X509v3 extensions:
             X509v3 Basic Constraints: critical
                 CA:TRUE
             X509v3 Subject Key Identifier: 
-                08:C0:24:F4:0D:BB:C2:01:35:30:BA:2C:41:96:6B:16:DB:F8:22:F5
+                63:B1:47:26:FC:DB:79:3F:76:96:69:4D:EA:7E:D0:B7:6A:D2:3F:A8
             X509v3 Key Usage: critical
                 Certificate Sign, CRL Sign
-    Signature Algorithm: sha1WithRSAEncryption
-         5f:95:30:a9:ee:b0:b0:b4:fb:0e:3e:7a:df:57:6e:cc:e4:59:
-         45:bf:93:08:62:d2:98:f6:7b:37:cf:b6:f5:8c:8d:82:dc:c8:
-         f0:af:3b:0d:1e:cc:c4:b7:b1:f3:da:58:f9:29:d6:f7:ed:16:
-         63:51:dc:d3:1c:37:2f:a3:f4:29:0f:91:5d:90:2e:d2:c7:ef:
-         1b:55:01:c9:ad:cb:7b:45:da:2d:65:01:c7:3f:b5:a4:78:b1:
-         22:81:d3:a6:6c:c6:ba:5e:23:88:1d:d5:3e:7d:c6:15:88:88:
-         19:f7:c4:83:a6:27:96:9e:4b:c5:ef:7e:2c:6a:09:e1:3f:79:
-         2d:91:27:ab:28:12:18:6f:b3:b8:cf:0f:06:1d:d7:75:47:9b:
-         39:4d:66:3c:b4:12:58:0a:b8:b2:d7:c7:99:26:a0:9c:e4:90:
-         cd:5e:1b:0a:50:d1:61:20:ff:b7:c7:da:7e:7c:e5:e7:d3:91:
-         a8:82:f8:90:f4:2d:aa:6e:b7:28:59:02:42:fc:90:a2:1d:f9:
-         d4:74:b0:a3:c4:9c:95:9a:33:e2:30:dd:7d:6e:58:e7:b0:41:
-         de:b3:db:7f:16:da:94:e6:99:32:49:d4:69:6b:68:be:95:2e:
-         2e:fa:fd:eb:ec:67:87:24:f6:74:cc:1c:3b:32:fa:45:24:a9:
-         ff:f5:df:12
+    Signature Algorithm: sha256WithRSAEncryption
+         8e:4d:6c:49:c9:9c:f9:cb:a0:81:9b:65:31:c7:bc:8c:c0:75:
+         4d:60:16:ef:bb:b6:b4:2a:5d:68:34:d7:e0:53:1f:3e:84:b6:
+         aa:7d:fd:a1:c9:29:88:83:2e:ab:f3:87:43:a8:d8:5c:a8:1b:
+         e0:58:50:84:03:05:15:03:01:07:30:d0:4a:f9:95:f1:86:be:
+         45:5b:31:f0:88:12:22:d7:7a:fb:0b:9f:95:41:ba:df:40:e3:
+         b2:71:e7:4e:09:91:1c:5f:51:b3:ce:a5:00:0b:82:d1:04:f2:
+         1c:5a:14:4b:1b:3f:2d:41:11:7c:33:37:89:56:b4:b7:fa:d8:
+         b9:20:8d:bd:a6:68:60:2a:3c:aa:61:38:74:d4:0a:16:41:70:
+         d8:75:c4:6d:04:a8:b6:a5:0f:e7:02:52:0b:7d:44:d6:1b:2f:
+         ca:06:aa:61:3d:8d:82:3f:34:c5:bb:08:69:6f:6c:b7:53:e5:
+         52:3d:dd:7b:1c:1f:d3:7d:38:43:ca:c7:75:9a:a8:a1:93:27:
+         13:b0:57:1a:ff:22:90:1f:b2:69:da:7a:a4:2f:16:51:fa:81:
+         6c:ed:c0:19:42:58:b5:21:67:c1:54:93:db:55:86:c7:97:09:
+         76:18:32:55:2a:b4:b1:ac:12:bc:3f:00:3d:b5:1c:ef:55:c4:
+         f0:6c:a1:17
 -----BEGIN CERTIFICATE-----
-MIIC4zCCAcugAwIBAgIJANuQ+TGtf6rUMA0GCSqGSIb3DQEBBQUAMA8xDTALBgNV
-BAMMBEMgQ0EwHhcNMTQwODE0MDI0NzExWhcNMjQwODExMDI0NzExWjAPMQ0wCwYD
-VQQDDARDIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEApz3yfc8s
-zessvANl2q6WKYApjcVC4ZPZOtd4m7W+e+/fyf2GMBjGOJLGpWMuutCcFpGvs4A4
-FF+IyrOLpMS6L8TUwMAuQ2wer16capyWF8OJq68qk3126jQqVslc6XJQ99HmoCzu
-3yeoLxfB9v2A1t0ZZP5/t4CmAJQoDgH6m0DS7UMssRAusFda5Fovhmxj+iLU4saB
-wNh2flSmgbewu6xmgO2hqyVvTX22zDdldDDfUoRLk/eVdpb72/650yz/ZU2JCRUy
-PF1gaHlXm5hZvNfCkzCRgXz81X5GPIXvTdKelrCGlXggb72gcj/RJUz3LsWhIVrH
-e16YcxU3Cp2ACwIDAQABo0IwQDAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBQI
-wCT0DbvCATUwuixBlmsW2/gi9TAOBgNVHQ8BAf8EBAMCAQYwDQYJKoZIhvcNAQEF
-BQADggEBAF+VMKnusLC0+w4+et9XbszkWUW/kwhi0pj2ezfPtvWMjYLcyPCvOw0e
-zMS3sfPaWPkp1vftFmNR3NMcNy+j9CkPkV2QLtLH7xtVAcmty3tF2i1lAcc/taR4
-sSKB06ZsxrpeI4gd1T59xhWIiBn3xIOmJ5aeS8XvfixqCeE/eS2RJ6soEhhvs7jP
-DwYd13VHmzlNZjy0ElgKuLLXx5kmoJzkkM1eGwpQ0WEg/7fH2n585efTkaiC+JD0
-LaputyhZAkL8kKId+dR0sKPEnJWaM+Iw3X1uWOewQd6z238W2pTmmTJJ1GlraL6V
-Li76/evsZ4ck9nTMHDsy+kUkqf/13xI=
+MIIC7jCCAdagAwIBAgIUfRnlVdGFfFRi9lYAes94qTgpgf8wDQYJKoZIhvcNAQEL
+BQAwDzENMAsGA1UEAwwEQyBDQTAeFw0xOTEwMTgyMjI0MTBaFw0yOTEwMTUyMjI0
+MTBaMA8xDTALBgNVBAMMBEMgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
+AoIBAQCXIU7//yLd3m3MBXU7N4Aon2GLoqybO7HmOqQ1znuVztIvlfHCUcKdIXHd
+BjrrZ2hZLfYZsX2YBsLEGTQqAArxCgt2OboP6Wm8FMn6OLT2OFVFPSHHuCDjR6xb
+nux/qYtyAHlcJRMBhqlq2RKx0jqhzOXgY7IN6qqnQvnez97gFZtuzYaB2F8/oXu8
+lzFADhejqsRIWlzI5YmSaIUIbMsxNZz7HtNmNe7Z1+q4XD7QYJRMPSsha3K4Ohbk
+8eqXdAzPJ6UDwbfD2U1aPcWOP8qZtLZZxp8iOA1Nx/cR+NBxmV1L4jBiAPsByco+
+7WrYbS0PGnczArRBs7r2HDi+VMlzAgMBAAGjQjBAMA8GA1UdEwEB/wQFMAMBAf8w
+HQYDVR0OBBYEFGOxRyb823k/dpZpTep+0Ldq0j+oMA4GA1UdDwEB/wQEAwIBBjAN
+BgkqhkiG9w0BAQsFAAOCAQEAjk1sScmc+cuggZtlMce8jMB1TWAW77u2tCpdaDTX
+4FMfPoS2qn39ockpiIMuq/OHQ6jYXKgb4FhQhAMFFQMBBzDQSvmV8Ya+RVsx8IgS
+Itd6+wuflUG630DjsnHnTgmRHF9Rs86lAAuC0QTyHFoUSxs/LUERfDM3iVa0t/rY
+uSCNvaZoYCo8qmE4dNQKFkFw2HXEbQSotqUP5wJSC31E1hsvygaqYT2Ngj80xbsI
+aW9st1PlUj3dexwf0304Q8rHdZqooZMnE7BXGv8ikB+yadp6pC8WUfqBbO3AGUJY
+tSFnwVST21WGx5cJdhgyVSq0sawSvD8APbUc71XE8GyhFw==
 -----END CERTIFICATE-----
diff --git a/chromium/net/data/ssl/certificates/test_names.pem b/chromium/net/data/ssl/certificates/test_names.pem
new file mode 100644
index 00000000000..95ff8975a70
--- /dev/null
+++ b/chromium/net/data/ssl/certificates/test_names.pem
@@ -0,0 +1,114 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCr56DO++8VlWy3
+9XXdRKtmLymKfGU8mfUnv4ByKKnZu05BCLrkskcHn0KjferLmUvsuTr88H+icNbP
+px1ZvJ58G4lesVcFx+rotsVaBFKPBt+BXlUxDhReet2Vb56/1F8clTeYz+IWQYzt
+OpABrO/dxQRq0xmVG0pHXUI6Dk11Vo4Zd62c526kDFCyozvdxYyi62ZuRGI8nMVD
+vymk5BvR88zSaRNFeA71GGTxInxi+3/UwVR3hcdhZ1CGRx/52pF3XDrTtKYuhwJL
+OZOoUDY+CR9skbEBLvrCemL5PFwl/6upBuLWWxzYqGNrMd6WgEd0XcgAvJplqmeW
+wzSgm/27AgMBAAECggEAf5zMsLsvihtKAOoUHDVc89dxBCBCWxGDf4VXCegL5tl4
+Ryj+7MU3m33rz0irY4ciaNI86wZyCZmwrahGTpaKJGGgwY3upxj41tbPfHqW+xxE
+EVqA7ZChKF4XXlblR0yVareO9T7lfFYfEwCVZNkHm98k31Rkul7u7jlZ75UshTyL
+esQcX8mlEZQXbBVEQ2ojoknWhq+jjRmZzAEZpXLJGIjLe20JT/p+QaNDclFimt6R
+thxJ42bnx8G2Pxhl7wXgLmy+Pu6kDrs7gUa9iKqFoMswxifZODMD+iqUct5vgRV2
+e1+1XskeJJn+AKnMymCNujHiSS4iLL/LamMXtWElEQKBgQDS+alLOCzhNSnhFre/
+d4TkPWVLJcafMQ0Embmj1I8JOnpGx7KWuI+f3I8ut1G8kbNichD4yHui0fDlfqRT
+pKWZE44K0GZGq5rzA/c3NfFCndHV7lkofS1I8AYVaUnl3oKVg7lhkg0pAr9cC2vE
++k9+iV2Fwq1L3qoiuJF5O1AsWQKBgQDQl2hZSnHxflk9nTtS7njnGI9Q5QSlW8eJ
+BrN+6D7lVPK+U/Tqd7QHXwnRsrnOuSuiS0HiFM/7OAmjLRDxCGjUxnkVDAqm0Htj
+oVp06FKofRElNb/up8wbFjhjEMrSWF0qGD3WDjmFSHp3ZznO7mw752CnzabD7tid
+LF+4mrdoMwKBgDaESynjxz0exsaiXzL7yHxOHSmxBkVGoI2Kx7y9BYUl9kjp+40U
+/hAaJ2mz90wZ/le3EAmpjMFDLNOwyPfQOPZ4ZiEHPxaN64lWggBjUQeczodQgvuC
+dTw+weOwhGcA+491LWc4HWx2iEpZrSyGXhpdlqwk5TEQxbgZJ4ZDPHFpAoGAVHZK
+eYVsd/XKWumUwPLxH9pRBdeGNxLfy/tbqTKPbTslg63pSRupWSbBihjNpghSw8en
+aM02ninFtT4lUwQttqKbGsuicIOQwvnt79K2zaS+0YtfKVrmib1IncyJ4/yF1Oq1
+9zwRTIfZlwnEXacrSmJZP/lE4qePLK1wIQb85wMCgYBR6l2B8Cf/MlOlsqfP24ZU
+AOm63+CWFarTh0m/pi/SVByLrS8LD3l1jZjaH6Gjw8Xfm6c7iVDJYCe7QWOxvb3c
+QbafGkVB+EPmqL6wtnqpxLjtuhe19/L6qlTuM9oqODqqESzhU+bworovVtV8ZH00
+q+99H/JlBoMr13sYXsZYFw==
+-----END PRIVATE KEY-----
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            f3:16:df:45:2e:03:f3:bc:17:7c:99:0e:a4:e5:25:5a
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=US, ST=California, L=Mountain View, O=Test CA, CN=Test Root CA
+        Validity
+            Not Before: Nov 27 22:36:24 2019 GMT
+            Not After : Nov 24 22:36:24 2029 GMT
+        Subject: C=US, ST=California, L=Mountain View, O=Test CA, CN=127.0.0.1
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                RSA Public-Key: (2048 bit)
+                Modulus:
+                    00:ab:e7:a0:ce:fb:ef:15:95:6c:b7:f5:75:dd:44:
+                    ab:66:2f:29:8a:7c:65:3c:99:f5:27:bf:80:72:28:
+                    a9:d9:bb:4e:41:08:ba:e4:b2:47:07:9f:42:a3:7d:
+                    ea:cb:99:4b:ec:b9:3a:fc:f0:7f:a2:70:d6:cf:a7:
+                    1d:59:bc:9e:7c:1b:89:5e:b1:57:05:c7:ea:e8:b6:
+                    c5:5a:04:52:8f:06:df:81:5e:55:31:0e:14:5e:7a:
+                    dd:95:6f:9e:bf:d4:5f:1c:95:37:98:cf:e2:16:41:
+                    8c:ed:3a:90:01:ac:ef:dd:c5:04:6a:d3:19:95:1b:
+                    4a:47:5d:42:3a:0e:4d:75:56:8e:19:77:ad:9c:e7:
+                    6e:a4:0c:50:b2:a3:3b:dd:c5:8c:a2:eb:66:6e:44:
+                    62:3c:9c:c5:43:bf:29:a4:e4:1b:d1:f3:cc:d2:69:
+                    13:45:78:0e:f5:18:64:f1:22:7c:62:fb:7f:d4:c1:
+                    54:77:85:c7:61:67:50:86:47:1f:f9:da:91:77:5c:
+                    3a:d3:b4:a6:2e:87:02:4b:39:93:a8:50:36:3e:09:
+                    1f:6c:91:b1:01:2e:fa:c2:7a:62:f9:3c:5c:25:ff:
+                    ab:a9:06:e2:d6:5b:1c:d8:a8:63:6b:31:de:96:80:
+                    47:74:5d:c8:00:bc:9a:65:aa:67:96:c3:34:a0:9b:
+                    fd:bb
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: critical
+                CA:FALSE
+            X509v3 Subject Key Identifier: 
+                72:93:A0:82:75:3D:83:80:E7:FA:7F:34:7B:30:F3:E8:7A:1B:D4:B1
+            X509v3 Authority Key Identifier: 
+                keyid:9B:26:0B:8A:98:A9:BB:1D:B9:1F:1C:E3:1A:40:33:ED:8E:17:88:AB
+
+            X509v3 Extended Key Usage: 
+                TLS Web Server Authentication, TLS Web Client Authentication
+            X509v3 Subject Alternative Name: 
+                DNS:a.test, DNS:*.a.test, DNS:b.test, DNS:*.b.test, DNS:c.test, DNS:*.c.test, DNS:d.test, DNS:*.d.test
+    Signature Algorithm: sha256WithRSAEncryption
+         9a:cf:6b:2b:2e:00:74:2e:70:a1:eb:a2:4e:b3:46:b6:03:ed:
+         ea:94:51:66:a2:9b:53:f0:a3:2a:8f:62:24:b4:2b:9b:68:3c:
+         f1:0f:fd:79:23:94:4d:6d:e6:06:2a:dd:88:d0:47:e8:f6:10:
+         b6:15:29:32:83:73:a8:7e:65:d5:46:36:d6:50:41:dd:0a:c3:
+         b5:45:92:8b:59:c8:1c:43:4d:77:78:9b:39:23:16:f4:6c:a5:
+         a7:1d:82:32:38:6f:d2:8d:d2:2c:97:3b:d7:f1:ed:18:0b:6c:
+         c3:e1:45:d1:39:96:ca:fb:71:7e:71:2e:0c:0e:0b:c2:18:53:
+         72:c0:cf:2f:ec:b2:f1:4c:84:ea:9e:b7:18:e5:f0:ac:57:0d:
+         64:3f:ff:6c:c2:18:10:5f:0a:30:d9:3a:a2:04:90:c4:96:c4:
+         c5:75:d1:13:b6:e3:53:6e:38:f0:ba:a3:42:3d:8d:6c:e8:cf:
+         84:79:24:60:b9:63:88:e2:f7:59:7b:5d:4a:cb:cd:aa:bd:b3:
+         04:7f:1f:2d:d3:60:de:20:c2:9f:89:0d:96:4c:c6:66:08:1e:
+         64:c5:0e:17:89:b7:f1:5a:a6:90:74:b0:c7:aa:5e:a7:03:15:
+         d5:f8:a4:ef:9e:b3:a5:19:f8:0c:82:b6:bc:89:10:cb:5d:8b:
+         3d:f8:ec:88
+-----BEGIN CERTIFICATE-----
+MIIEEjCCAvqgAwIBAgIRAPMW30UuA/O8F3yZDqTlJVowDQYJKoZIhvcNAQELBQAw
+YzELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDU1v
+dW50YWluIFZpZXcxEDAOBgNVBAoMB1Rlc3QgQ0ExFTATBgNVBAMMDFRlc3QgUm9v
+dCBDQTAeFw0xOTExMjcyMjM2MjRaFw0yOTExMjQyMjM2MjRaMGAxCzAJBgNVBAYT
+AlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1Nb3VudGFpbiBWaWV3
+MRAwDgYDVQQKDAdUZXN0IENBMRIwEAYDVQQDDAkxMjcuMC4wLjEwggEiMA0GCSqG
+SIb3DQEBAQUAA4IBDwAwggEKAoIBAQCr56DO++8VlWy39XXdRKtmLymKfGU8mfUn
+v4ByKKnZu05BCLrkskcHn0KjferLmUvsuTr88H+icNbPpx1ZvJ58G4lesVcFx+ro
+tsVaBFKPBt+BXlUxDhReet2Vb56/1F8clTeYz+IWQYztOpABrO/dxQRq0xmVG0pH
+XUI6Dk11Vo4Zd62c526kDFCyozvdxYyi62ZuRGI8nMVDvymk5BvR88zSaRNFeA71
+GGTxInxi+3/UwVR3hcdhZ1CGRx/52pF3XDrTtKYuhwJLOZOoUDY+CR9skbEBLvrC
+emL5PFwl/6upBuLWWxzYqGNrMd6WgEd0XcgAvJplqmeWwzSgm/27AgMBAAGjgcMw
+gcAwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUcpOggnU9g4Dn+n80ezDz6Hob1LEw
+HwYDVR0jBBgwFoAUmyYLipipux25HxzjGkAz7Y4XiKswHQYDVR0lBBYwFAYIKwYB
+BQUHAwEGCCsGAQUFBwMCMFEGA1UdEQRKMEiCBmEudGVzdIIIKi5hLnRlc3SCBmIu
+dGVzdIIIKi5iLnRlc3SCBmMudGVzdIIIKi5jLnRlc3SCBmQudGVzdIIIKi5kLnRl
+c3QwDQYJKoZIhvcNAQELBQADggEBAJrPaysuAHQucKHrok6zRrYD7eqUUWaim1Pw
+oyqPYiS0K5toPPEP/XkjlE1t5gYq3YjQR+j2ELYVKTKDc6h+ZdVGNtZQQd0Kw7VF
+kotZyBxDTXd4mzkjFvRspacdgjI4b9KN0iyXO9fx7RgLbMPhRdE5lsr7cX5xLgwO
+C8IYU3LAzy/ssvFMhOqetxjl8KxXDWQ//2zCGBBfCjDZOqIEkMSWxMV10RO241Nu
+OPC6o0I9jWzoz4R5JGC5Y4ji91l7XUrLzaq9swR/Hy3TYN4gwp+JDZZMxmYIHmTF
+DheJt/FappB0sMeqXqcDFdX4pO+es6UZ+AyCtryJEMtdiz347Ig=
+-----END CERTIFICATE-----
diff --git a/chromium/net/data/ssl/scripts/crlsetutil.py b/chromium/net/data/ssl/scripts/crlsetutil.py
index 8e2a8c289d1..5d65cd15271 100755
--- a/chromium/net/data/ssl/scripts/crlsetutil.py
+++ b/chromium/net/data/ssl/scripts/crlsetutil.py
@@ -233,14 +233,21 @@ def main():
     ]
     for pem_file, allowed_pems in config.get('LimitedSubjects', {}).iteritems()
   }
+  known_interception_spkis = [
+    pem_cert_file_to_spki_hash(pem_file).encode('base64').strip()
+    for pem_file in config.get('KnownInterceptionSPKIs', [])]
+  blocked_interception_spkis = [
+    pem_cert_file_to_spki_hash(pem_file).encode('base64').strip()
+    for pem_file in config.get('BlockedInterceptionSPKIs', [])]
   header_json = {
       'Version': 0,
       'ContentType': 'CRLSet',
       'Sequence': int(config.get("Sequence", 0)),
-      'DeltaFrom': 0,
       'NumParents': len(parents),
       'BlockedSPKIs': blocked_spkis,
       'LimitedSubjects': limited_subjects,
+      'KnownInterceptionSPKIs': known_interception_spkis,
+      'BlockedInterceptionSPKIs': blocked_interception_spkis
   }
   header = json.dumps(header_json)
   outfile.write(struct.pack('<H', len(header)))
diff --git a/chromium/net/data/ssl/scripts/ee.cnf b/chromium/net/data/ssl/scripts/ee.cnf
index 205a9afb8c2..53b055d76e8 100644
--- a/chromium/net/data/ssl/scripts/ee.cnf
+++ b/chromium/net/data/ssl/scripts/ee.cnf
@@ -105,6 +105,9 @@ subjectAltName = @spdy_pooling
 [req_wildcard]
 subjectAltName = @wildcard
 
+[req_test_names]
+subjectAltName = @test_names
+
 [more_san_sanity]
 CN=127.0.0.3
 
@@ -122,6 +125,16 @@ DNS.3 = blahblahblahblah.com
 [wildcard]
 DNS.1 = *.example.org
 
+[test_names]
+DNS.1 = a.test
+DNS.2 = *.a.test
+DNS.3 = b.test
+DNS.4 = *.b.test
+DNS.5 = c.test
+DNS.6 = *.c.test
+DNS.7 = d.test
+DNS.8 = *.d.test
+
 [subj_rsa_no_extension]
 CN = RSA-2048 no keyUsage extension
 [ext_rsa_no_extension]
diff --git a/chromium/net/data/ssl/scripts/generate-redundant-test-chains.sh b/chromium/net/data/ssl/scripts/generate-redundant-test-chains.sh
index d7fd17bdc86..f3e30cd7fbe 100755
--- a/chromium/net/data/ssl/scripts/generate-redundant-test-chains.sh
+++ b/chromium/net/data/ssl/scripts/generate-redundant-test-chains.sh
@@ -135,12 +135,15 @@ CA_COMMON_NAME="B CA" \
     -out out/A.pem \
     -config redundant-ca.cnf
 
+# EmbeddedTestServer only supports PKCS#8 format.
+try openssl pkcs8 -topk8 -nocrypt -in out/A.key -out out/A-pkcs8.key
+
 echo Create redundant-server-chain.pem
-try /bin/sh -c "cat out/A.key out/A.pem out/B.pem out/C.pem out/D.pem \
+try /bin/sh -c "cat out/A-pkcs8.key out/A.pem out/B.pem out/C.pem out/D.pem \
     > ../certificates/redundant-server-chain.pem"
 
 echo Create redundant-validated-chain.pem
-try /bin/sh -c "cat out/A.key out/A.pem out/B.pem out/C2.pem \
+try /bin/sh -c "cat out/A-pkcs8.key out/A.pem out/B.pem out/C2.pem \
   > ../certificates/redundant-validated-chain.pem"
 
 echo Create redundant-validated-chain-root.pem
diff --git a/chromium/net/data/ssl/scripts/generate-test-certs.sh b/chromium/net/data/ssl/scripts/generate-test-certs.sh
index e9226061816..52c9ded06b5 100755
--- a/chromium/net/data/ssl/scripts/generate-test-certs.sh
+++ b/chromium/net/data/ssl/scripts/generate-test-certs.sh
@@ -12,11 +12,15 @@ rm -rf out
 mkdir out
 mkdir out/int
 
-/bin/sh -c "echo 01 > out/2048-sha256-root-serial"
+openssl rand -hex -out out/2048-sha256-root-serial 16
 touch out/2048-sha256-root-index.txt
 
-# Generate the key
-openssl genrsa -out out/2048-sha256-root.key 2048
+# Generate the key or copy over the existing one if present.
+if [ -f ../certificates/root_ca_cert.pem ]; then
+  openssl rsa -in ../certificates/root_ca_cert.pem -out out/2048-sha256-root.key
+else
+  openssl genrsa -out out/2048-sha256-root.key 2048
+fi
 
 # Generate the root certificate
 CA_NAME="req_ca_dn" \
@@ -36,13 +40,21 @@ CA_NAME="req_ca_dn" \
     -text > out/2048-sha256-root.pem
 
 # Generate the test intermediate
-/bin/sh -c "echo 01 > out/int/2048-sha256-int-serial"
+openssl rand -hex -out out/int/2048-sha256-int-serial 16
 touch out/int/2048-sha256-int-index.txt
 
+# Copy over an existing key if present.
+if [ -f ../certificates/intermediate_ca_cert.pem ]; then
+  openssl rsa -in ../certificates/intermediate_ca_cert.pem \
+    -out out/int/2048-sha256-int.key
+else
+  openssl genrsa -out out/int/2048-sha256-int.key 2048
+fi
+
 CA_NAME="req_intermediate_dn" \
   openssl req \
     -new \
-    -keyout out/int/2048-sha256-int.key \
+    -key out/int/2048-sha256-int.key \
     -out out/int/2048-sha256-int.req \
     -config ca.cnf
 
@@ -83,6 +95,13 @@ openssl req \
   -reqexts req_localhost_san \
   -config ee.cnf
 
+openssl req \
+  -new \
+  -keyout out/test_names.key \
+  -out out/test_names.req \
+  -reqexts req_test_names \
+  -config ee.cnf
+
 # Generate the leaf certificates
 CA_NAME="req_ca_dn" \
   openssl ca \
@@ -163,6 +182,15 @@ CA_NAME="req_ca_dn" \
     -out out/bad_validity.pem \
     -config ca.cnf
 
+CA_NAME="req_ca_dn" \
+  openssl ca \
+    -batch \
+    -extensions user_cert \
+    -days 3650 \
+    -in out/test_names.req \
+    -out out/test_names.pem \
+    -config ca.cnf
+
 /bin/sh -c "cat out/ok_cert.key out/ok_cert.pem \
     > ../certificates/ok_cert.pem"
 /bin/sh -c "cat out/wildcard.key out/wildcard.pem \
@@ -187,6 +215,8 @@ CA_NAME="req_ca_dn" \
 /bin/sh -c "cat out/int/ok_cert.pem out/int/2048-sha256-int.pem \
     out/2048-sha256-root.pem \
     > ../certificates/x509_verify_results.chain.pem"
+/bin/sh -c "cat out/test_names.key out/test_names.pem \
+    > ../certificates/test_names.pem"
 
 # Now generate the one-off certs
 ## Self-signed cert for SPDY/QUIC/HTTP2 pooling testing
@@ -605,3 +635,36 @@ python crlsetutil.py -o ../certificates/crlset_by_leaf_subject_no_spki.raw \
   }
 }
 CRLSETBYLEAFSUBJECTNOSPKI
+
+## Mark a given root as blocked for interception.
+python crlsetutil.py -o \
+  ../certificates/crlset_blocked_interception_by_root.raw \
+<<CRLSETINTERCEPTIONBYROOT
+{
+  "BlockedInterceptionSPKIs": [
+    "../certificates/root_ca_cert.pem"
+  ]
+}
+CRLSETINTERCEPTIONBYROOT
+
+## Mark a given intermediate as blocked for interception.
+python crlsetutil.py -o \
+  ../certificates/crlset_blocked_interception_by_intermediate.raw \
+<<CRLSETINTERCEPTIONBYINTERMEDIATE
+{
+  "BlockedInterceptionSPKIs": [
+    "../certificates/intermediate_ca_cert.pem"
+  ]
+}
+CRLSETINTERCEPTIONBYINTERMEDIATE
+
+## Mark a given root as known for interception, but not blocked.
+python crlsetutil.py -o \
+  ../certificates/crlset_known_interception_by_root.raw \
+<<CRLSETINTERCEPTIONBYROOT
+{
+  "KnownInterceptionSPKIs": [
+    "../certificates/root_ca_cert.pem"
+  ]
+}
+CRLSETINTERCEPTIONBYROOT
diff --git a/chromium/net/data/websocket/connect_check.html b/chromium/net/data/websocket/connect_check.html
index 1efc604bb59..8e8f3176d0f 100644
--- a/chromium/net/data/websocket/connect_check.html
+++ b/chromium/net/data/websocket/connect_check.html
@@ -22,6 +22,7 @@ var workerConnection = new Promise((resolve, reject) => {
       reject();
     }
   };
+  worker.onerror = reject;
 
   // Start the worker.
   worker.postMessage('');
diff --git a/chromium/net/disk_cache/backend_unittest.cc b/chromium/net/disk_cache/backend_unittest.cc
index 5a1e5b7bfb3..bbd01932022 100644
--- a/chromium/net/disk_cache/backend_unittest.cc
+++ b/chromium/net/disk_cache/backend_unittest.cc
@@ -19,7 +19,6 @@
 #include "base/strings/stringprintf.h"
 #include "base/task/post_task.h"
 #include "base/test/metrics/histogram_tester.h"
-#include "base/test/mock_entropy_provider.h"
 #include "base/test/scoped_feature_list.h"
 #include "base/third_party/dynamic_annotations/dynamic_annotations.h"
 #include "base/threading/platform_thread.h"
@@ -153,6 +152,17 @@ class DiskCacheBackendTest : public DiskCacheTestWithCache {
   // rounds the exact size appropriately.
   int GetRoundedSize(int exact_size);
 
+  // Create a default key with the name provided, populate it with
+  // CacheTestFillBuffer, and ensure this was done correctly.
+  void CreateKeyAndCheck(disk_cache::Backend* cache, std::string key);
+
+  // For the simple cache, wait until indexing has occurred and make sure
+  // completes successfully.
+  void WaitForSimpleCacheIndexAndCheck(disk_cache::Backend* cache);
+
+  // Run all of the task runners untile idle, covers cache worker pools.
+  void RunUntilIdle();
+
   // Actual tests:
   void BackendBasics();
   void BackendKeying();
@@ -206,6 +216,39 @@ class DiskCacheBackendTest : public DiskCacheTestWithCache {
   void BackendIteratorConcurrentDoom();
 };
 
+void DiskCacheBackendTest::CreateKeyAndCheck(disk_cache::Backend* cache,
+                                             std::string key) {
+  const int kBufSize = 4 * 1024;
+  scoped_refptr<net::IOBuffer> buffer =
+      base::MakeRefCounted<net::IOBuffer>(kBufSize);
+  CacheTestFillBuffer(buffer->data(), kBufSize, true);
+  TestEntryResultCompletionCallback cb_entry;
+  disk_cache::EntryResult result =
+      cache->CreateEntry(key, net::HIGHEST, cb_entry.callback());
+  result = cb_entry.GetResult(std::move(result));
+  ASSERT_EQ(net::OK, result.net_error());
+  disk_cache::Entry* entry = result.ReleaseEntry();
+  EXPECT_EQ(kBufSize, WriteData(entry, 0, 0, buffer.get(), kBufSize, false));
+  entry->Close();
+  RunUntilIdle();
+}
+
+void DiskCacheBackendTest::WaitForSimpleCacheIndexAndCheck(
+    disk_cache::Backend* cache) {
+  net::TestCompletionCallback wait_for_index_cb;
+  static_cast<disk_cache::SimpleBackendImpl*>(cache)->index()->ExecuteWhenReady(
+      wait_for_index_cb.callback());
+  int rv = wait_for_index_cb.WaitForResult();
+  ASSERT_THAT(rv, IsOk());
+  RunUntilIdle();
+}
+
+void DiskCacheBackendTest::RunUntilIdle() {
+  DiskCacheTestWithCache::RunUntilIdle();
+  base::RunLoop().RunUntilIdle();
+  disk_cache::SimpleBackendImpl::FlushWorkerPoolForTesting();
+}
+
 int DiskCacheBackendTest::GeneratePendingIO(net::TestCompletionCallback* cb) {
   if (!use_current_thread_ && !simple_cache_mode_) {
     ADD_FAILURE();
@@ -531,15 +574,15 @@ TEST_F(DiskCacheTest, CreateBackend) {
 
     // Now test the public API.
     int rv = disk_cache::CreateCacheBackend(
-        net::DISK_CACHE, net::CACHE_BACKEND_DEFAULT, cache_path_, 0, false,
-        nullptr, &cache, cb.callback());
+        net::DISK_CACHE, net::CACHE_BACKEND_DEFAULT, cache_path_, 0,
+        disk_cache::ResetHandling::kNeverReset, nullptr, &cache, cb.callback());
     ASSERT_THAT(cb.GetResult(rv), IsOk());
     ASSERT_TRUE(cache.get());
     cache.reset();
 
     rv = disk_cache::CreateCacheBackend(
         net::MEMORY_CACHE, net::CACHE_BACKEND_DEFAULT, base::FilePath(), 0,
-        false, nullptr, &cache, cb.callback());
+        disk_cache::ResetHandling::kNeverReset, nullptr, &cache, cb.callback());
     ASSERT_THAT(cb.GetResult(rv), IsOk());
     ASSERT_TRUE(cache.get());
     cache.reset();
@@ -555,8 +598,9 @@ TEST_F(DiskCacheTest, MemBackendPostCleanupCallback) {
 
   std::unique_ptr<disk_cache::Backend> cache;
   int rv = disk_cache::CreateCacheBackend(
-      net::MEMORY_CACHE, net::CACHE_BACKEND_DEFAULT, base::FilePath(), 0, false,
-      nullptr, &cache, on_cleanup.closure(), cb.callback());
+      net::MEMORY_CACHE, net::CACHE_BACKEND_DEFAULT, base::FilePath(), 0,
+      disk_cache::ResetHandling::kNeverReset, nullptr, &cache,
+      on_cleanup.closure(), cb.callback());
   ASSERT_THAT(cb.GetResult(rv), IsOk());
   ASSERT_TRUE(cache.get());
   // The callback should be posted after backend is destroyed.
@@ -578,12 +622,12 @@ TEST_F(DiskCacheTest, CreateBackendDouble) {
   std::unique_ptr<disk_cache::Backend> cache, cache2;
 
   int rv = disk_cache::CreateCacheBackend(
-      net::APP_CACHE, net::CACHE_BACKEND_DEFAULT, cache_path_, 0, false,
-      nullptr, &cache, cb.callback());
+      net::APP_CACHE, net::CACHE_BACKEND_DEFAULT, cache_path_, 0,
+      disk_cache::ResetHandling::kNeverReset, nullptr, &cache, cb.callback());
 
   int rv2 = disk_cache::CreateCacheBackend(
-      net::APP_CACHE, net::CACHE_BACKEND_DEFAULT, cache_path_, 0, false,
-      nullptr, &cache2, cb2.callback());
+      net::APP_CACHE, net::CACHE_BACKEND_DEFAULT, cache_path_, 0,
+      disk_cache::ResetHandling::kNeverReset, nullptr, &cache2, cb2.callback());
 
   EXPECT_THAT(cb.GetResult(rv), IsOk());
   EXPECT_TRUE(cache.get());
@@ -615,12 +659,12 @@ TEST_F(DiskCacheBackendTest, CreateBackendDoubleOpenEntry) {
   std::unique_ptr<disk_cache::Backend> cache, cache2;
 
   int rv = disk_cache::CreateCacheBackend(
-      net::APP_CACHE, net::CACHE_BACKEND_SIMPLE, cache_path_, 0, false, nullptr,
-      &cache, cb.callback());
+      net::APP_CACHE, net::CACHE_BACKEND_SIMPLE, cache_path_, 0,
+      disk_cache::ResetHandling::kNeverReset, nullptr, &cache, cb.callback());
 
   int rv2 = disk_cache::CreateCacheBackend(
-      net::APP_CACHE, net::CACHE_BACKEND_SIMPLE, cache_path_, 0, false, nullptr,
-      &cache2, cb2.callback());
+      net::APP_CACHE, net::CACHE_BACKEND_SIMPLE, cache_path_, 0,
+      disk_cache::ResetHandling::kNeverReset, nullptr, &cache2, cb2.callback());
 
   EXPECT_THAT(cb.GetResult(rv), IsOk());
   ASSERT_TRUE(cache.get());
@@ -665,8 +709,9 @@ TEST_F(DiskCacheBackendTest, CreateBackendPostCleanup) {
   std::unique_ptr<disk_cache::Backend> cache;
 
   int rv = disk_cache::CreateCacheBackend(
-      net::APP_CACHE, net::CACHE_BACKEND_SIMPLE, cache_path_, 0, false, nullptr,
-      &cache, run_loop.QuitClosure(), cb.callback());
+      net::APP_CACHE, net::CACHE_BACKEND_SIMPLE, cache_path_, 0,
+      disk_cache::ResetHandling::kNeverReset, nullptr, &cache,
+      run_loop.QuitClosure(), cb.callback());
   EXPECT_THAT(cb.GetResult(rv), IsOk());
   ASSERT_TRUE(cache.get());
 
@@ -712,8 +757,9 @@ TEST_F(DiskCacheBackendTest, SimpleCreateBackendRecoveryAppCache) {
   // Create a backend with post-cleanup callback specified, in order to know
   // when the index has been written back (so it can be deleted race-free).
   int rv = disk_cache::CreateCacheBackend(
-      net::APP_CACHE, net::CACHE_BACKEND_SIMPLE, cache_path_, 0, false, nullptr,
-      &cache, run_loop.QuitClosure(), cb.callback());
+      net::APP_CACHE, net::CACHE_BACKEND_SIMPLE, cache_path_, 0,
+      disk_cache::ResetHandling::kNeverReset, nullptr, &cache,
+      run_loop.QuitClosure(), cb.callback());
   EXPECT_THAT(cb.GetResult(rv), IsOk());
   ASSERT_TRUE(cache.get());
 
@@ -949,7 +995,8 @@ TEST_F(DiskCacheBackendTest, MultipleInstancesWithPendingFileIO) {
   net::TestCompletionCallback cb;
   std::unique_ptr<disk_cache::Backend> extra_cache;
   int rv = disk_cache::CreateCacheBackend(
-      net::DISK_CACHE, net::CACHE_BACKEND_DEFAULT, store.GetPath(), 0, false,
+      net::DISK_CACHE, net::CACHE_BACKEND_DEFAULT, store.GetPath(), 0,
+      disk_cache::ResetHandling::kNeverReset,
       /* net_log = */ nullptr, &extra_cache, cb.callback());
   ASSERT_THAT(cb.GetResult(rv), IsOk());
   ASSERT_TRUE(extra_cache.get() != nullptr);
@@ -1097,8 +1144,8 @@ TEST_F(DiskCacheTest, TruncatedIndex) {
 
   std::unique_ptr<disk_cache::Backend> backend;
   int rv = disk_cache::CreateCacheBackend(
-      net::DISK_CACHE, net::CACHE_BACKEND_BLOCKFILE, cache_path_, 0, false,
-      nullptr, &backend, cb.callback());
+      net::DISK_CACHE, net::CACHE_BACKEND_BLOCKFILE, cache_path_, 0,
+      disk_cache::ResetHandling::kNeverReset, nullptr, &backend, cb.callback());
   ASSERT_NE(net::OK, cb.GetResult(rv));
 
   ASSERT_FALSE(backend);
@@ -2081,7 +2128,7 @@ TEST_F(DiskCacheBackendTest, InMemorySparseEvict) {
   disk_cache::Entry* entry = nullptr;
   // Create a bunch of entries
   for (size_t i = 0; i < 14; i++) {
-    std::string name = "http://www." + std::to_string(i) + ".com/";
+    std::string name = "http://www." + base::NumberToString(i) + ".com/";
     ASSERT_THAT(CreateEntry(name, &entry), IsOk());
     entries.push_back(disk_cache::ScopedEntryPtr(entry));
   }
@@ -2519,15 +2566,14 @@ TEST_F(DiskCacheTest, SimpleCacheControlJoin) {
 
   // Instantiate the SimpleCacheTrial, forcing this run into the
   // ExperimentControl group.
-  base::FieldTrialList field_trial_list(
-      std::make_unique<base::MockEntropyProvider>());
   base::FieldTrialList::CreateFieldTrial("SimpleCacheTrial",
                                          "ExperimentControl");
   net::TestCompletionCallback cb;
   std::unique_ptr<disk_cache::Backend> base_cache;
   int rv = disk_cache::CreateCacheBackend(
-      net::DISK_CACHE, net::CACHE_BACKEND_BLOCKFILE, cache_path_, 0, true,
-      nullptr, &base_cache, cb.callback());
+      net::DISK_CACHE, net::CACHE_BACKEND_BLOCKFILE, cache_path_, 0,
+      disk_cache::ResetHandling::kResetOnError, nullptr, &base_cache,
+      cb.callback());
   ASSERT_THAT(cb.GetResult(rv), IsOk());
   EXPECT_EQ(0, base_cache->GetEntryCount());
 }
@@ -2538,8 +2584,6 @@ TEST_F(DiskCacheTest, SimpleCacheControlJoin) {
 TEST_F(DiskCacheTest, SimpleCacheControlRestart) {
   // Instantiate the SimpleCacheTrial, forcing this run into the
   // ExperimentControl group.
-  base::FieldTrialList field_trial_list(
-      std::make_unique<base::MockEntropyProvider>());
   base::FieldTrialList::CreateFieldTrial("SimpleCacheTrial",
                                          "ExperimentControl");
 
@@ -2571,8 +2615,6 @@ TEST_F(DiskCacheTest, SimpleCacheControlLeave) {
   {
     // Instantiate the SimpleCacheTrial, forcing this run into the
     // ExperimentControl group.
-    base::FieldTrialList field_trial_list(
-        std::make_unique<base::MockEntropyProvider>());
     base::FieldTrialList::CreateFieldTrial("SimpleCacheTrial",
                                            "ExperimentControl");
 
@@ -2583,8 +2625,6 @@ TEST_F(DiskCacheTest, SimpleCacheControlLeave) {
 
   // Instantiate the SimpleCacheTrial, forcing this run into the
   // ExperimentNo group.
-  base::FieldTrialList field_trial_list(
-      std::make_unique<base::MockEntropyProvider>());
   base::FieldTrialList::CreateFieldTrial("SimpleCacheTrial", "ExperimentNo");
   net::TestCompletionCallback cb;
 
@@ -2618,8 +2658,9 @@ TEST_F(DiskCacheBackendTest, DeleteOld) {
   bool prev = base::ThreadRestrictions::SetIOAllowed(false);
   base::FilePath path(cache_path_);
   int rv = disk_cache::CreateCacheBackend(
-      net::DISK_CACHE, net::CACHE_BACKEND_BLOCKFILE, path, 0, true, nullptr,
-      &cache_, cb.callback());
+      net::DISK_CACHE, net::CACHE_BACKEND_BLOCKFILE, path, 0,
+      disk_cache::ResetHandling::kResetOnError, nullptr, &cache_,
+      cb.callback());
   path.clear();  // Make sure path was captured by the previous call.
   ASSERT_THAT(cb.GetResult(rv), IsOk());
   base::ThreadRestrictions::SetIOAllowed(prev);
@@ -3719,12 +3760,14 @@ TEST_F(DiskCacheTest, MultipleInstances) {
   std::unique_ptr<disk_cache::Backend> cache[kNumberOfCaches];
 
   int rv = disk_cache::CreateCacheBackend(
-      net::DISK_CACHE, net::CACHE_BACKEND_DEFAULT, store1.GetPath(), 0, false,
-      nullptr, &cache[0], cb.callback());
+      net::DISK_CACHE, net::CACHE_BACKEND_DEFAULT, store1.GetPath(), 0,
+      disk_cache::ResetHandling::kNeverReset, nullptr, &cache[0],
+      cb.callback());
   ASSERT_THAT(cb.GetResult(rv), IsOk());
   rv = disk_cache::CreateCacheBackend(
       net::GENERATED_BYTE_CODE_CACHE, net::CACHE_BACKEND_DEFAULT,
-      store2.GetPath(), 0, false, nullptr, &cache[1], cb.callback());
+      store2.GetPath(), 0, disk_cache::ResetHandling::kNeverReset, nullptr,
+      &cache[1], cb.callback());
   ASSERT_THAT(cb.GetResult(rv), IsOk());
 
   ASSERT_TRUE(cache[0].get() != nullptr && cache[1].get() != nullptr);
@@ -4973,8 +5016,8 @@ TEST_F(DiskCacheBackendTest, EmptyCorruptSimpleCacheRecovery) {
 
   // Simple cache should be able to recover.
   int rv = disk_cache::CreateCacheBackend(
-      net::APP_CACHE, net::CACHE_BACKEND_SIMPLE, cache_path_, 0, false, nullptr,
-      &cache, cb.callback());
+      net::APP_CACHE, net::CACHE_BACKEND_SIMPLE, cache_path_, 0,
+      disk_cache::ResetHandling::kNeverReset, nullptr, &cache, cb.callback());
   EXPECT_THAT(cb.GetResult(rv), IsOk());
 }
 
@@ -4996,8 +5039,8 @@ TEST_F(DiskCacheBackendTest, MAYBE_NonEmptyCorruptSimpleCacheDoesNotRecover) {
 
   // Simple cache should not be able to recover when there are entry files.
   int rv = disk_cache::CreateCacheBackend(
-      net::APP_CACHE, net::CACHE_BACKEND_SIMPLE, cache_path_, 0, false, nullptr,
-      &cache, cb.callback());
+      net::APP_CACHE, net::CACHE_BACKEND_SIMPLE, cache_path_, 0,
+      disk_cache::ResetHandling::kNeverReset, nullptr, &cache, cb.callback());
   EXPECT_THAT(cb.GetResult(rv), IsError(net::ERR_FAILED));
 }
 
@@ -5056,3 +5099,180 @@ TEST_F(DiskCacheBackendTest, SimpleOwnershipTransferBackendDestroyRace) {
 
   entry->Close();
 }
+
+// Verify that reloading the cache will preserve indices in kNeverReset mode.
+TEST_F(DiskCacheBackendTest, SimpleCacheSoftResetKeepsValues) {
+  SetSimpleCacheMode();
+  SetCacheType(net::APP_CACHE);
+  DisableFirstCleanup();
+  CleanupCacheDir();
+
+  {  // Do the initial cache creation then delete the values.
+    std::unique_ptr<disk_cache::Backend> cache;
+    net::TestCompletionCallback cb;
+
+    // Create an initial back-end and wait for indexing
+    int rv = disk_cache::CreateCacheBackend(
+        net::APP_CACHE, net::CACHE_BACKEND_SIMPLE, cache_path_, 0,
+        disk_cache::ResetHandling::kNeverReset, nullptr, &cache, cb.callback());
+    EXPECT_THAT(cb.GetResult(rv), IsOk());
+    ASSERT_TRUE(cache.get());
+    WaitForSimpleCacheIndexAndCheck(cache.get());
+
+    // Create an entry in the cache
+    CreateKeyAndCheck(cache.get(), "key");
+  }
+
+  RunUntilIdle();
+
+  {  // Do the second cache creation with no reset flag, preserving entries.
+    std::unique_ptr<disk_cache::Backend> cache;
+    net::TestCompletionCallback cb;
+
+    int rv = disk_cache::CreateCacheBackend(
+        net::APP_CACHE, net::CACHE_BACKEND_SIMPLE, cache_path_, 0,
+        disk_cache::ResetHandling::kNeverReset, nullptr, &cache, cb.callback());
+    EXPECT_THAT(cb.GetResult(rv), IsOk());
+    ASSERT_TRUE(cache.get());
+    WaitForSimpleCacheIndexAndCheck(cache.get());
+
+    // The entry should be present, as a forced reset was not called for.
+    EXPECT_TRUE(static_cast<disk_cache::SimpleBackendImpl*>(cache.get())
+                    ->index()
+                    ->Has(disk_cache::simple_util::GetEntryHashKey("key")));
+  }
+}
+
+// Verify that reloading the cache will not preserve indices in Reset mode.
+TEST_F(DiskCacheBackendTest, SimpleCacheHardResetDropsValues) {
+  SetSimpleCacheMode();
+  SetCacheType(net::APP_CACHE);
+  DisableFirstCleanup();
+  CleanupCacheDir();
+
+  {  // Create the initial back-end.
+    net::TestCompletionCallback cb;
+    std::unique_ptr<disk_cache::Backend> cache;
+
+    int rv = disk_cache::CreateCacheBackend(
+        net::APP_CACHE, net::CACHE_BACKEND_SIMPLE, cache_path_, 0,
+        disk_cache::ResetHandling::kNeverReset, nullptr, &cache, cb.callback());
+    EXPECT_THAT(cb.GetResult(rv), IsOk());
+    ASSERT_TRUE(cache.get());
+    WaitForSimpleCacheIndexAndCheck(cache.get());
+
+    // Create an entry in the cache.
+    CreateKeyAndCheck(cache.get(), "key");
+  }
+
+  RunUntilIdle();
+
+  {  // Re-load cache with a reset flag, which should ignore existing entries.
+    net::TestCompletionCallback cb;
+    std::unique_ptr<disk_cache::Backend> cache;
+
+    int rv = disk_cache::CreateCacheBackend(
+        net::APP_CACHE, net::CACHE_BACKEND_SIMPLE, cache_path_, 0,
+        disk_cache::ResetHandling::kReset, nullptr, &cache, cb.callback());
+    EXPECT_THAT(cb.GetResult(rv), IsOk());
+    ASSERT_TRUE(cache.get());
+    WaitForSimpleCacheIndexAndCheck(cache.get());
+
+    // The entry shouldn't be present, as a forced reset was called for.
+    EXPECT_FALSE(static_cast<disk_cache::SimpleBackendImpl*>(cache.get())
+                     ->index()
+                     ->Has(disk_cache::simple_util::GetEntryHashKey("key")));
+
+    // Add the entry back in the cache, then make sure it's present.
+    CreateKeyAndCheck(cache.get(), "key");
+
+    EXPECT_TRUE(static_cast<disk_cache::SimpleBackendImpl*>(cache.get())
+                    ->index()
+                    ->Has(disk_cache::simple_util::GetEntryHashKey("key")));
+  }
+}
+
+// Test to make sure cancelation of backend operation that got queued after
+// a pending doom on backend destruction happens properly.
+TEST_F(DiskCacheBackendTest, SimpleCancelOpPendingDoom) {
+  struct CleanupContext {
+    explicit CleanupContext(bool* ran_ptr) : ran_ptr(ran_ptr) {}
+    ~CleanupContext() { *ran_ptr = true; }
+
+    bool* ran_ptr;
+  };
+
+  const char kKey[] = "skeleton";
+
+  // Disable optimistic ops.
+  SetCacheType(net::APP_CACHE);
+  SetSimpleCacheMode();
+  InitCache();
+
+  disk_cache::Entry* entry = nullptr;
+  ASSERT_THAT(CreateEntry(kKey, &entry), IsOk());
+  entry->Close();
+
+  // Queue doom.
+  cache_->DoomEntry(kKey, net::LOWEST, base::DoNothing());
+
+  // Queue create after it.
+  bool cleanup_context_ran = false;
+  auto cleanup_context = std::make_unique<CleanupContext>(&cleanup_context_ran);
+
+  EntryResult entry_result = cache_->CreateEntry(
+      kKey, net::HIGHEST,
+      base::BindOnce(
+          [](std::unique_ptr<CleanupContext>, EntryResult result) {
+            ADD_FAILURE() << "This should not actually run";
+          },
+          std::move(cleanup_context)));
+
+  EXPECT_EQ(net::ERR_IO_PENDING, entry_result.net_error());
+  cache_.reset();
+
+  RunUntilIdle();
+  EXPECT_TRUE(cleanup_context_ran);
+}
+
+TEST_F(DiskCacheBackendTest, SimpleDontLeakPostDoomCreate) {
+  // If an entry has been optimistically created after a pending doom, and the
+  // backend destroyed before the doom completed, the entry would get wedged,
+  // with no operations on it workable and entry leaked.
+  // (See https://crbug.com/1015774).
+  const char kKey[] = "for_lock";
+  const int kBufSize = 2 * 1024;
+  scoped_refptr<net::IOBuffer> buffer =
+      base::MakeRefCounted<net::IOBuffer>(kBufSize);
+  CacheTestFillBuffer(buffer->data(), kBufSize, true);
+
+  SetSimpleCacheMode();
+  InitCache();
+
+  disk_cache::Entry* entry = nullptr;
+  ASSERT_THAT(CreateEntry(kKey, &entry), IsOk());
+  entry->Close();
+
+  // Make sure create actually succeeds, not just optimistically.
+  RunUntilIdle();
+
+  // Queue doom.
+  int rv = cache_->DoomEntry(kKey, net::LOWEST, base::DoNothing());
+  ASSERT_EQ(net::ERR_IO_PENDING, rv);
+
+  // And then do a create. This actually succeeds optimistically.
+  EntryResult result =
+      cache_->CreateEntry(kKey, net::LOWEST, base::DoNothing());
+  ASSERT_EQ(net::OK, result.net_error());
+  entry = result.ReleaseEntry();
+
+  cache_.reset();
+
+  // Entry is still supposed to be operable. This part is needed to see the bug
+  // without a leak checker.
+  EXPECT_EQ(kBufSize, WriteData(entry, 1, 0, buffer.get(), kBufSize, false));
+
+  entry->Close();
+
+  // Should not have leaked files here.
+}
diff --git a/chromium/net/disk_cache/blockfile/backend_impl.cc b/chromium/net/disk_cache/blockfile/backend_impl.cc
index 0675953dd05..342795d3115 100644
--- a/chromium/net/disk_cache/blockfile/backend_impl.cc
+++ b/chromium/net/disk_cache/blockfile/backend_impl.cc
@@ -498,7 +498,7 @@ void BackendImpl::SyncOnExternalCacheHit(const std::string& key) {
   if (disabled_)
     return;
 
-  uint32_t hash = base::Hash(key);
+  uint32_t hash = base::PersistentHash(key);
   bool error;
   scoped_refptr<EntryImpl> cache_entry =
       MatchEntry(key, hash, false, Addr(), &error);
@@ -511,7 +511,7 @@ scoped_refptr<EntryImpl> BackendImpl::OpenEntryImpl(const std::string& key) {
     return nullptr;
 
   TimeTicks start = TimeTicks::Now();
-  uint32_t hash = base::Hash(key);
+  uint32_t hash = base::PersistentHash(key);
   Trace("Open hash 0x%x", hash);
 
   bool error;
@@ -552,7 +552,7 @@ scoped_refptr<EntryImpl> BackendImpl::CreateEntryImpl(const std::string& key) {
     return nullptr;
 
   TimeTicks start = TimeTicks::Now();
-  uint32_t hash = base::Hash(key);
+  uint32_t hash = base::PersistentHash(key);
   Trace("Create hash 0x%x", hash);
 
   scoped_refptr<EntryImpl> parent;
@@ -1456,7 +1456,7 @@ void BackendImpl::AdjustMaxCacheSize(int table_len) {
   if (table_len)
     available += data_->header.num_bytes;
 
-  max_size_ = PreferredCacheSize(available);
+  max_size_ = PreferredCacheSize(available, GetCacheType());
 
   if (!table_len)
     return;
diff --git a/chromium/net/disk_cache/blockfile/entry_impl.cc b/chromium/net/disk_cache/blockfile/entry_impl.cc
index 054f8d3fcc8..a55ed1541f5 100644
--- a/chromium/net/disk_cache/blockfile/entry_impl.cc
+++ b/chromium/net/disk_cache/blockfile/entry_impl.cc
@@ -131,7 +131,7 @@ class EntryImpl::UserBuffer {
   // Prepare this buffer for reuse.
   void Reset();
 
-  char* Data() { return buffer_.size() ? &buffer_[0] : nullptr; }
+  char* Data() { return buffer_.data(); }
   int Size() { return static_cast<int>(buffer_.size()); }
   int Start() { return offset_; }
   int End() { return offset_ + Size(); }
@@ -648,7 +648,7 @@ bool EntryImpl::DataSanityCheck() {
   if (!key_addr.is_initialized() && stored->key[stored->key_len])
     return false;
 
-  if (stored->hash != base::Hash(GetKey()))
+  if (stored->hash != base::PersistentHash(GetKey()))
     return false;
 
   for (int i = 0; i < kNumStreams; i++) {
diff --git a/chromium/net/disk_cache/blockfile/storage_block-inl.h b/chromium/net/disk_cache/blockfile/storage_block-inl.h
index 09b87931826..903d65c665f 100644
--- a/chromium/net/disk_cache/blockfile/storage_block-inl.h
+++ b/chromium/net/disk_cache/blockfile/storage_block-inl.h
@@ -217,7 +217,7 @@ template<typename T> void StorageBlock<T>::DeleteData() {
 
 template <typename T>
 uint32_t StorageBlock<T>::CalculateHash() const {
-  return base::Hash(data_, offsetof(T, self_hash));
+  return base::PersistentHash(data_, offsetof(T, self_hash));
 }
 
 }  // namespace disk_cache
diff --git a/chromium/net/disk_cache/cache_util.cc b/chromium/net/disk_cache/cache_util.cc
index 57cba5984c2..2a8b256c948 100644
--- a/chromium/net/disk_cache/cache_util.cc
+++ b/chromium/net/disk_cache/cache_util.cc
@@ -10,9 +10,6 @@
 #include "base/files/file_enumerator.h"
 #include "base/files/file_util.h"
 #include "base/location.h"
-#include "base/metrics/field_trial_params.h"
-#include "base/strings/string_number_conversions.h"
-#include "base/strings/string_util.h"
 #include "base/strings/stringprintf.h"
 #include "base/strings/utf_string_conversions.h"
 #include "base/task/post_task.h"
@@ -86,9 +83,6 @@ namespace disk_cache {
 
 const int kDefaultCacheSize = 80 * 1024 * 1024;
 
-const base::Feature kChangeDiskCacheSizeExperiment{
-    "ChangeDiskCacheSize", base::FEATURE_DISABLED_BY_DEFAULT};
-
 void DeleteCache(const base::FilePath& path, bool remove_folder) {
   if (remove_folder) {
     if (!base::DeleteFile(path, /* recursive */ true))
@@ -153,46 +147,28 @@ bool DelayedCacheCleanup(const base::FilePath& full_path) {
 
 // Returns the preferred maximum number of bytes for the cache given the
 // number of available bytes.
-int PreferredCacheSize(int64_t available) {
-  // Percent of cache size to use, relative to the default size. "100" means to
-  // use 100% of the default size.
-  int percent_relative_size;
-  std::map<std::string, std::string> params;
-  if (!base::GetFieldTrialParamsByFeature(
-          disk_cache::kChangeDiskCacheSizeExperiment, &params) ||
-      !base::StringToInt(params["percent_relative_size"],
-                         &percent_relative_size) ||
-      percent_relative_size <= 0) {
-    percent_relative_size = 100;
-  }
-
-  // Cap scaling, as a safety check, to avoid overflow.
-  if (percent_relative_size > 200)
-    percent_relative_size = 200;
-
-  int64_t scaled_default_disk_cache_size =
-      static_cast<int64_t>(disk_cache::kDefaultCacheSize) *
-      percent_relative_size / 100;
+int PreferredCacheSize(int64_t available, net::CacheType type) {
   if (available < 0)
-    return static_cast<int32_t>(scaled_default_disk_cache_size);
+    return kDefaultCacheSize;
 
   int64_t preferred_cache_size = PreferredCacheSizeInternal(available);
 
-  // If the preferred cache size is less 20% of the available space, scale for
-  // the field trial, capping the scaled value at 20% of the available space.
-  if (preferred_cache_size < available / 5) {
-    preferred_cache_size = preferred_cache_size * percent_relative_size / 100;
-    if (preferred_cache_size > available / 5)
-      preferred_cache_size = available / 5;
-  }
-
   // Limit cache size to somewhat less than kint32max to avoid potential
   // integer overflows in cache backend implementations.
-  DCHECK_LT(scaled_default_disk_cache_size * 4,
-            std::numeric_limits<int32_t>::max());
-  return static_cast<int32_t>(
-      std::min(preferred_cache_size,
-               static_cast<int64_t>(scaled_default_disk_cache_size * 4)));
+  //
+  // Note: the 4x limit is of course far below that; historically it came
+  // from the blockfile backend with the following explanation:
+  // "Let's not use more than the default size while we tune-up the performance
+  // of bigger caches. "
+  int64_t size_limit = static_cast<int64_t>(kDefaultCacheSize) * 4;
+  // Native code entries can be large, so we would like a larger cache.
+  // Make the size limit 50% larger in that case.
+  if (type == net::GENERATED_NATIVE_CODE_CACHE) {
+    size_limit = (size_limit / 2) * 3;
+  }
+
+  DCHECK_LT(size_limit, std::numeric_limits<int32_t>::max());
+  return static_cast<int32_t>(std::min(preferred_cache_size, size_limit));
 }
 
 }  // namespace disk_cache
diff --git a/chromium/net/disk_cache/cache_util.h b/chromium/net/disk_cache/cache_util.h
index 0a831ee33a8..2cfea3eb438 100644
--- a/chromium/net/disk_cache/cache_util.h
+++ b/chromium/net/disk_cache/cache_util.h
@@ -17,8 +17,6 @@ class FilePath;
 
 namespace disk_cache {
 
-NET_EXPORT_PRIVATE extern const base::Feature kChangeDiskCacheSizeExperiment;
-
 // Moves the cache files from the given path to another location.
 // Fails if the destination exists already, or if it doesn't have
 // permission for the operation.  This is basically a rename operation
@@ -40,8 +38,11 @@ NET_EXPORT_PRIVATE bool DeleteCacheFile(const base::FilePath& name);
 // task. Used by cache creator itself or by backends for self-restart on error.
 bool DelayedCacheCleanup(const base::FilePath& full_path);
 
-// Returns the preferred max cache size given the available disk space.
-NET_EXPORT_PRIVATE int PreferredCacheSize(int64_t available);
+// Returns the preferred max cache size given the available disk space and
+// cache type.
+NET_EXPORT_PRIVATE int PreferredCacheSize(
+    int64_t available,
+    net::CacheType type = net::DISK_CACHE);
 
 // The default cache size should not ideally be exposed, but the blockfile
 // backend uses it for reasons that include testing.
diff --git a/chromium/net/disk_cache/cache_util_unittest.cc b/chromium/net/disk_cache/cache_util_unittest.cc
index 598d59ff3cf..fcc0d14da23 100644
--- a/chromium/net/disk_cache/cache_util_unittest.cc
+++ b/chromium/net/disk_cache/cache_util_unittest.cc
@@ -101,63 +101,45 @@ TEST_F(CacheUtilTest, DeleteCacheFile) {
 TEST_F(CacheUtilTest, PreferredCacheSize) {
   const struct TestCase {
     int64_t available;
-    int expected_without_trial;
-    int expected_with_200_trial;
+    int expected;
   } kTestCases[] = {
+      // Weird negative value for available --- return the "default"
+      {-1000LL, 80 * 1024 * 1024},
+      {-1LL, 80 * 1024 * 1024},
+
+      // 0 produces 0.
+      {0LL, 0},
+
       // Cache is 80% of available space, when default cache size is larger than
       // 80% of available space..
-      {50 * 1024 * 1024LL, 40 * 1024 * 1024, 40 * 1024 * 1024},
+      {50 * 1024 * 1024LL, 40 * 1024 * 1024},
       // Cache is default size, when default size is 10% to 80% of available
       // space.
-      {100 * 1024 * 1024LL, 80 * 1024 * 1024, 80 * 1024 * 1024},
-      {200 * 1024 * 1024LL, 80 * 1024 * 1024, 80 * 1024 * 1024},
-      // Same case as above, but the size is now less than 20% of available
-      // space, so the trial increases cache size, though not yet doubling it.
-      {500 * 1024 * 1024LL, 80 * 1024 * 1024, 100 * 1024 * 1024},
+      {100 * 1024 * 1024LL, 80 * 1024 * 1024},
+      {200 * 1024 * 1024LL, 80 * 1024 * 1024},
       // Cache is 10% of available space if 2.5 * default size is more than 10%
       // of available space.
-      {1000 * 1024 * 1024LL, 100 * 1024 * 1024, 200 * 1024 * 1024},
-      {2000 * 1024 * 1024LL, 200 * 1024 * 1024, 400 * 1024 * 1024},
+      {1000 * 1024 * 1024LL, 100 * 1024 * 1024},
+      {2000 * 1024 * 1024LL, 200 * 1024 * 1024},
       // Cache is 2.5 * kDefaultCacheSize if 2.5 * kDefaultCacheSize uses from
       // 1% to 10% of available space.
-      {10000 * 1024 * 1024LL, 200 * 1024 * 1024, 400 * 1024 * 1024},
+      {10000 * 1024 * 1024LL, 200 * 1024 * 1024},
       // Otherwise, cache is 1% of available space.
-      {20000 * 1024 * 1024LL, 200 * 1024 * 1024, 400 * 1024 * 1024},
+      {20000 * 1024 * 1024LL, 200 * 1024 * 1024},
       // Until it runs into the cache size cap.
-      {32000 * 1024 * 1024LL, 320 * 1024 * 1024, 640 * 1024 * 1024},
-      {50000 * 1024 * 1024LL, 320 * 1024 * 1024, 640 * 1024 * 1024},
+      {32000 * 1024 * 1024LL, 320 * 1024 * 1024},
+      {50000 * 1024 * 1024LL, 320 * 1024 * 1024},
   };
 
   for (const auto& test_case : kTestCases) {
-    EXPECT_EQ(test_case.expected_without_trial,
-              PreferredCacheSize(test_case.available));
+    EXPECT_EQ(test_case.expected, PreferredCacheSize(test_case.available))
+        << test_case.available;
   }
 
-  // Check 100 "percent_relative_size" matches default behavior.
-  {
-    base::test::ScopedFeatureList scoped_feature_list;
-    std::map<std::string, std::string> field_trial_params;
-    field_trial_params["percent_relative_size"] = "100";
-    scoped_feature_list.InitAndEnableFeatureWithParameters(
-        disk_cache::kChangeDiskCacheSizeExperiment, field_trial_params);
-    for (const auto& test_case : kTestCases) {
-      EXPECT_EQ(test_case.expected_without_trial,
-                PreferredCacheSize(test_case.available));
-    }
-  }
-
-  // Check 200 "percent_relative_size".
-  {
-    base::test::ScopedFeatureList scoped_feature_list;
-    std::map<std::string, std::string> field_trial_params;
-    field_trial_params["percent_relative_size"] = "200";
-    scoped_feature_list.InitAndEnableFeatureWithParameters(
-        disk_cache::kChangeDiskCacheSizeExperiment, field_trial_params);
-    for (const auto& test_case : kTestCases) {
-      EXPECT_EQ(test_case.expected_with_200_trial,
-                PreferredCacheSize(test_case.available));
-    }
-  }
+  // Check that the cache size cap is 50% higher for native code caches.
+  EXPECT_EQ(((320 * 1024 * 1024) / 2) * 3,
+            PreferredCacheSize(50000 * 1024 * 1024LL,
+                               net::GENERATED_NATIVE_CODE_CACHE));
 }
 
 }  // namespace disk_cache
diff --git a/chromium/net/disk_cache/disk_cache.cc b/chromium/net/disk_cache/disk_cache.cc
index b5d3315bd28..0012a88db6c 100644
--- a/chromium/net/disk_cache/disk_cache.cc
+++ b/chromium/net/disk_cache/disk_cache.cc
@@ -28,7 +28,7 @@ namespace {
 class CacheCreator {
  public:
   CacheCreator(const base::FilePath& path,
-               bool force,
+               disk_cache::ResetHandling reset_handling,
                int64_t max_bytes,
                net::CacheType type,
                net::BackendType backend_type,
@@ -54,7 +54,7 @@ class CacheCreator {
   void OnIOComplete(int result);
 
   const base::FilePath path_;
-  bool force_;
+  disk_cache::ResetHandling reset_handling_;
   bool retry_;
   int64_t max_bytes_;
   net::CacheType type_;
@@ -74,7 +74,7 @@ class CacheCreator {
 
 CacheCreator::CacheCreator(
     const base::FilePath& path,
-    bool force,
+    disk_cache::ResetHandling reset_handling,
     int64_t max_bytes,
     net::CacheType type,
     net::BackendType backend_type,
@@ -86,7 +86,7 @@ CacheCreator::CacheCreator(
     base::OnceClosure post_cleanup_callback,
     net::CompletionOnceCallback callback)
     : path_(path),
-      force_(force),
+      reset_handling_(reset_handling),
       retry_(false),
       max_bytes_(max_bytes),
       type_(type),
@@ -108,6 +108,12 @@ net::Error CacheCreator::Run() {
 #else
   static const bool kSimpleBackendIsDefault = false;
 #endif
+  if (!retry_ && reset_handling_ == disk_cache::ResetHandling::kReset) {
+    base::SequencedTaskRunnerHandle::Get()->PostTask(
+        FROM_HERE, base::BindOnce(&CacheCreator::OnIOComplete,
+                                  base::Unretained(this), net::ERR_IO_PENDING));
+    return net::ERR_IO_PENDING;
+  }
   if (backend_type_ == net::CACHE_BACKEND_SIMPLE ||
       (backend_type_ == net::CACHE_BACKEND_DEFAULT &&
        kSimpleBackendIsDefault)) {
@@ -182,14 +188,15 @@ void CacheCreator::DoCallback(int result) {
   delete this;
 }
 
-// If the initialization of the cache fails, and |force| is true, we will
-// discard the whole cache and create a new one.
+// If the initialization of the cache fails, and |reset_handling| isn't set to
+// kNeverReset, we will discard the whole cache and create a new one.
 void CacheCreator::OnIOComplete(int result) {
-  if (result == net::OK || !force_ || retry_)
+  if (result == net::OK ||
+      reset_handling_ == disk_cache::ResetHandling::kNeverReset || retry_) {
     return DoCallback(result);
+  }
 
-  // This is a failure and we are supposed to try again, so delete the object,
-  // delete all the files, and try again.
+  // We are supposed to try again, so delete the object and all files and do so.
   retry_ = true;
   created_cache_.reset();
   if (!disk_cache::DelayedCacheCleanup(path_))
@@ -210,7 +217,7 @@ net::Error CreateCacheBackendImpl(
     net::BackendType backend_type,
     const base::FilePath& path,
     int64_t max_bytes,
-    bool force,
+    ResetHandling reset_handling,
 #if defined(OS_ANDROID)
     base::android::ApplicationStatusListener* app_status_listener,
 #endif
@@ -238,7 +245,7 @@ net::Error CreateCacheBackendImpl(
 
   bool had_post_cleanup_callback = !post_cleanup_callback.is_null();
   CacheCreator* creator = new CacheCreator(
-      path, force, max_bytes, type, backend_type,
+      path, reset_handling, max_bytes, type, backend_type,
 #if defined(OS_ANDROID)
       std::move(app_status_listener),
 #endif
@@ -255,16 +262,16 @@ net::Error CreateCacheBackend(net::CacheType type,
                               net::BackendType backend_type,
                               const base::FilePath& path,
                               int64_t max_bytes,
-                              bool force,
+                              ResetHandling reset_handling,
                               net::NetLog* net_log,
                               std::unique_ptr<Backend>* backend,
                               net::CompletionOnceCallback callback) {
-  return CreateCacheBackendImpl(type, backend_type, path, max_bytes, force,
+  return CreateCacheBackendImpl(
+      type, backend_type, path, max_bytes, reset_handling,
 #if defined(OS_ANDROID)
-                                nullptr,
+      nullptr,
 #endif
-                                net_log, backend, base::OnceClosure(),
-                                std::move(callback));
+      net_log, backend, base::OnceClosure(), std::move(callback));
 }
 
 #if defined(OS_ANDROID)
@@ -273,14 +280,14 @@ NET_EXPORT net::Error CreateCacheBackend(
     net::BackendType backend_type,
     const base::FilePath& path,
     int64_t max_bytes,
-    bool force,
+    ResetHandling reset_handling,
     net::NetLog* net_log,
     std::unique_ptr<Backend>* backend,
     net::CompletionOnceCallback callback,
     base::android::ApplicationStatusListener* app_status_listener) {
-  return CreateCacheBackendImpl(type, backend_type, path, max_bytes, force,
-                                std::move(app_status_listener), net_log,
-                                backend, base::OnceClosure(),
+  return CreateCacheBackendImpl(type, backend_type, path, max_bytes,
+                                reset_handling, std::move(app_status_listener),
+                                net_log, backend, base::OnceClosure(),
                                 std::move(callback));
 }
 #endif
@@ -289,13 +296,13 @@ net::Error CreateCacheBackend(net::CacheType type,
                               net::BackendType backend_type,
                               const base::FilePath& path,
                               int64_t max_bytes,
-                              bool force,
+                              ResetHandling reset_handling,
                               net::NetLog* net_log,
                               std::unique_ptr<Backend>* backend,
                               base::OnceClosure post_cleanup_callback,
                               net::CompletionOnceCallback callback) {
   return CreateCacheBackendImpl(
-      type, backend_type, path, max_bytes, force,
+      type, backend_type, path, max_bytes, reset_handling,
 #if defined(OS_ANDROID)
       nullptr,
 #endif
diff --git a/chromium/net/disk_cache/disk_cache.h b/chromium/net/disk_cache/disk_cache.h
index c1d5f7ae660..579600e31f4 100644
--- a/chromium/net/disk_cache/disk_cache.h
+++ b/chromium/net/disk_cache/disk_cache.h
@@ -49,28 +49,36 @@ class Backend;
 class EntryResult;
 using EntryResultCallback = base::OnceCallback<void(EntryResult)>;
 
+// How to handle resetting the back-end cache from the previous session.
+// See CreateCacheBackend() for its usage.
+enum class ResetHandling { kReset, kResetOnError, kNeverReset };
+
 // Returns an instance of a Backend of the given |type|. |path| points to a
 // folder where the cached data will be stored (if appropriate). This cache
 // instance must be the only object that will be reading or writing files to
 // that folder (if another one exists, and |type| is not net::DISK_CACHE this
 // operation will not complete until the previous duplicate gets destroyed and
-// finishes all I/O).
+// finishes all I/O). The returned object should be deleted when not needed
+// anymore.
+//
+// If |reset_handling| is set to kResetOnError and there is a problem with the
+// cache initialization, the files will be deleted and a new set will be
+// created. If it's set to kReset, this will happen even if there isn't a
+// problem with cache initialization. Finally, if it's set to kNeverReset, the
+// cache creation will fail if there is a problem with cache initialization.
 //
-// The returned object should be deleted when not needed anymore.
-// If |force| is true, and there is a problem with the cache initialization, the
-// files will be deleted and a new set will be created. |max_bytes| is the
-// maximum size the cache can grow to. If zero is passed in as |max_bytes|, the
-// cache will determine the value to use. The returned pointer can be
-// NULL if a fatal error is found. The actual return value of the function is a
-// net error code. If this function returns ERR_IO_PENDING, the |callback| will
-// be invoked when a backend is available or a fatal error condition is reached.
-// The pointer to receive the |backend| must remain valid until the operation
-// completes (the callback is notified).
+// |max_bytes| is the maximum size the cache can grow to. If zero is passed in
+// as |max_bytes|, the cache will determine the value to use. The returned
+// pointer can be nullptr if a fatal error is found. The actual return value of
+// the function is a net error code. If this function returns ERR_IO_PENDING,
+// the |callback| will be invoked when a backend is available or a fatal error
+// condition is reached.  The pointer to receive the |backend| must remain valid
+// until the operation completes (the callback is notified).
 NET_EXPORT net::Error CreateCacheBackend(net::CacheType type,
                                          net::BackendType backend_type,
                                          const base::FilePath& path,
                                          int64_t max_bytes,
-                                         bool force,
+                                         ResetHandling reset_handling,
                                          net::NetLog* net_log,
                                          std::unique_ptr<Backend>* backend,
                                          net::CompletionOnceCallback callback);
@@ -84,7 +92,7 @@ NET_EXPORT net::Error CreateCacheBackend(
     net::BackendType backend_type,
     const base::FilePath& path,
     int64_t max_bytes,
-    bool force,
+    ResetHandling reset_handling,
     net::NetLog* net_log,
     std::unique_ptr<Backend>* backend,
     net::CompletionOnceCallback callback,
@@ -105,7 +113,7 @@ NET_EXPORT net::Error CreateCacheBackend(
     net::BackendType backend_type,
     const base::FilePath& path,
     int64_t max_bytes,
-    bool force,
+    ResetHandling reset_handling,
     net::NetLog* net_log,
     std::unique_ptr<Backend>* backend,
     base::OnceClosure post_cleanup_callback,
diff --git a/chromium/net/disk_cache/disk_cache_fuzzer.cc b/chromium/net/disk_cache/disk_cache_fuzzer.cc
index cc531029c74..f88effda31f 100644
--- a/chromium/net/disk_cache/disk_cache_fuzzer.cc
+++ b/chromium/net/disk_cache/disk_cache_fuzzer.cc
@@ -19,9 +19,12 @@
 #include "base/macros.h"
 #include "base/memory/ref_counted.h"
 #include "base/memory/scoped_refptr.h"
+#include "base/numerics/checked_math.h"
+#include "base/strings/string_number_conversions.h"
 #include "base/test/task_environment.h"
 #include "base/time/time.h"
 #include "net/base/cache_type.h"
+#include "net/base/interval.h"
 #include "net/base/io_buffer.h"
 #include "net/base/net_errors.h"
 #include "net/base/test_completion_callback.h"
@@ -59,6 +62,12 @@ const uint64_t kFirstSavedTime =
 const uint32_t kMaxNumMillisToWait = 2019;
 const int kMaxFdsSimpleCache = 10;
 
+// Known colliding key values taken from SimpleCacheCreateCollision unittest.
+const std::string kCollidingKey1 =
+    "\xfb\x4e\x9c\x1d\x66\x71\xf7\x54\xa3\x11\xa0\x7e\x16\xa5\x68\xf6";
+const std::string kCollidingKey2 =
+    "\xbc\x60\x64\x92\xbc\xa0\x5c\x15\x17\x93\x29\x2d\xe4\x21\xbd\x03";
+
 #define IOTYPES_APPLY(F) \
   F(WriteData)           \
   F(ReadData)            \
@@ -228,7 +237,15 @@ inline base::RepeatingCallback<void(int)> GetIOCallback(IOType iot) {
 }
 
 std::string ToKey(uint64_t key_num) {
-  return "Key" + std::to_string(key_num);
+  // Use one of the two colliding key values in 1% of executions.
+  if (key_num % 100 == 99)
+    return kCollidingKey1;
+  if (key_num % 100 == 98)
+    return kCollidingKey2;
+
+  // Otherwise, use a value based on the key id and fuzzy padding.
+  std::string padding(key_num & 0xFFFF, 'A');
+  return "Key" + padding + base::NumberToString(key_num);
 }
 
 net::RequestPriority GetRequestPriority(
@@ -420,6 +437,11 @@ bool DiskCacheLPMFuzzer::IsValidEntry(EntryInfo* ei) {
 
 void DiskCacheLPMFuzzer::RunCommands(
     const disk_cache_fuzzer::FuzzCommands& commands) {
+  // Skip too long command sequences, they are counterproductive for fuzzing.
+  // The number was chosen empirically using the existing fuzzing corpus.
+  if (commands.fuzz_commands_size() > 129)
+    return;
+
   uint32_t mask =
       commands.has_set_mask() ? (commands.set_mask() ? 0x1 : 0xf) : 0;
   net::CacheType type =
@@ -969,17 +991,27 @@ void DiskCacheLPMFuzzer::RunCommands(
                uint32_t offset, uint32_t len, int rv) {
               std::move(callback).Run(rv);
 
-              if (rv < 0)
+              if (rv <= 0)
                 return;
 
               int64_t* start_tmp = &start->data;
-              CHECK_LE(offset, *start_tmp);
-              CHECK_LE(*start_tmp, offset + len);
-              CHECK_LE(*start_tmp + rv, offset + len);
-              // Offsets are capped by kMaxEntrySize
-              CHECK_LE(*start_tmp, kMaxEntrySize);
-              // And size are also capped by kMaxEntrySize
-              CHECK_LE(*start_tmp + rv, kMaxEntrySize * 2);
+
+              // Make sure that the result is contained in what was
+              // requested. It doesn't have to be the same even if there was
+              // an exact corresponding write, since representation of ranges
+              // may be imprecise, and here we don't know that there was.
+
+              // No overflow thanks to % kMaxEntrySize.
+              net::Interval<uint32_t> requested(offset, offset + len);
+
+              uint32_t range_start, range_end;
+              base::CheckedNumeric<uint64_t> range_start64(*start_tmp);
+              CHECK(range_start64.AssignIfValid(&range_start));
+              base::CheckedNumeric<uint64_t> range_end64 = range_start + rv;
+              CHECK(range_end64.AssignIfValid(&range_end));
+              net::Interval<uint32_t> gotten(range_start, range_end);
+
+              CHECK(requested.Contains(gotten));
             },
             GetIOCallback(IOType::GetAvailableRange), start, offset, len);
 
diff --git a/chromium/net/disk_cache/disk_cache_perftest.cc b/chromium/net/disk_cache/disk_cache_perftest.cc
index 43583a319e3..595ca387489 100644
--- a/chromium/net/disk_cache/disk_cache_perftest.cc
+++ b/chromium/net/disk_cache/disk_cache_perftest.cc
@@ -437,7 +437,10 @@ TEST_F(DiskCachePerfTest, BlockfileHashes) {
   base::ElapsedTimer timer;
   for (int i = 0; i < 300000; i++) {
     std::string key = GenerateKey(true);
-    base::Hash(key);
+    // TODO(dcheng): It's unclear if this is sufficient to keep a sufficiently
+    // smart optimizer from simply discarding the function call if it realizes
+    // there are no side effects.
+    base::PersistentHash(key);
   }
   reporter.AddResult(kMetricCacheKeysHashTimeMs,
                      timer.Elapsed().InMillisecondsF());
diff --git a/chromium/net/disk_cache/entry_unittest.cc b/chromium/net/disk_cache/entry_unittest.cc
index 3e609b9e10a..763174f31f9 100644
--- a/chromium/net/disk_cache/entry_unittest.cc
+++ b/chromium/net/disk_cache/entry_unittest.cc
@@ -15,7 +15,6 @@
 #include "base/strings/string_number_conversions.h"
 #include "base/strings/string_util.h"
 #include "base/test/metrics/histogram_tester.h"
-#include "base/test/mock_entropy_provider.h"
 #include "base/test/scoped_feature_list.h"
 #include "base/threading/platform_thread.h"
 #include "net/base/completion_once_callback.h"
@@ -5532,9 +5531,7 @@ TEST_F(DiskCacheEntryTest, BlockFileSparsePendingAfterDtor) {
 
 class DiskCacheSimplePrefetchTest : public DiskCacheEntryTest {
  public:
-  DiskCacheSimplePrefetchTest()
-      : field_trial_list_(std::make_unique<base::FieldTrialList>(
-            std::make_unique<base::MockEntropyProvider>())) {}
+  DiskCacheSimplePrefetchTest() = default;
 
   enum { kEntrySize = 1024 };
 
@@ -5614,9 +5611,6 @@ class DiskCacheSimplePrefetchTest : public DiskCacheEntryTest {
 
  protected:
   scoped_refptr<net::IOBuffer> payload_;
-
-  // Need to have the one "global" trial list before we change things.
-  std::unique_ptr<base::FieldTrialList> field_trial_list_;
   base::test::ScopedFeatureList scoped_feature_list_;
 };
 
diff --git a/chromium/net/disk_cache/simple/post_doom_waiter.cc b/chromium/net/disk_cache/simple/post_doom_waiter.cc
new file mode 100644
index 00000000000..2f6464fd08a
--- /dev/null
+++ b/chromium/net/disk_cache/simple/post_doom_waiter.cc
@@ -0,0 +1,61 @@
+// Copyright (c) 2019 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "net/disk_cache/simple/post_doom_waiter.h"
+
+#include "base/bind.h"
+#include "base/callback.h"
+#include "net/disk_cache/simple/simple_histogram_macros.h"
+
+namespace disk_cache {
+
+SimplePostDoomWaiter::SimplePostDoomWaiter() {}
+
+SimplePostDoomWaiter::SimplePostDoomWaiter(base::OnceClosure to_run_post_doom)
+    : time_queued(base::TimeTicks::Now()),
+      run_post_doom(std::move(to_run_post_doom)) {}
+
+SimplePostDoomWaiter::SimplePostDoomWaiter(SimplePostDoomWaiter&& other) =
+    default;
+SimplePostDoomWaiter& SimplePostDoomWaiter::operator=(
+    SimplePostDoomWaiter&& other) = default;
+SimplePostDoomWaiter::~SimplePostDoomWaiter() {}
+
+SimplePostDoomWaiterTable::SimplePostDoomWaiterTable(net::CacheType cache_type)
+    : cache_type_(cache_type) {}
+SimplePostDoomWaiterTable::~SimplePostDoomWaiterTable() = default;
+
+void SimplePostDoomWaiterTable::OnDoomStart(uint64_t entry_hash) {
+  DCHECK_EQ(0u, entries_pending_doom_.count(entry_hash));
+  entries_pending_doom_.insert(
+      std::make_pair(entry_hash, std::vector<SimplePostDoomWaiter>()));
+}
+
+void SimplePostDoomWaiterTable::OnDoomComplete(uint64_t entry_hash) {
+  DCHECK_EQ(1u, entries_pending_doom_.count(entry_hash));
+  auto it = entries_pending_doom_.find(entry_hash);
+  std::vector<SimplePostDoomWaiter> to_handle_waiters;
+  to_handle_waiters.swap(it->second);
+  entries_pending_doom_.erase(it);
+
+  SIMPLE_CACHE_UMA(COUNTS_1000, "NumOpsBlockedByPendingDoom", cache_type_,
+                   to_handle_waiters.size());
+
+  for (SimplePostDoomWaiter& post_doom : to_handle_waiters) {
+    SIMPLE_CACHE_UMA(TIMES, "QueueLatency.PendingDoom", cache_type_,
+                     (base::TimeTicks::Now() - post_doom.time_queued));
+    std::move(post_doom.run_post_doom).Run();
+  }
+}
+
+std::vector<SimplePostDoomWaiter>* SimplePostDoomWaiterTable::Find(
+    uint64_t entry_hash) {
+  auto doom_it = entries_pending_doom_.find(entry_hash);
+  if (doom_it != entries_pending_doom_.end())
+    return &doom_it->second;
+  else
+    return nullptr;
+}
+
+}  // namespace disk_cache
diff --git a/chromium/net/disk_cache/simple/post_doom_waiter.h b/chromium/net/disk_cache/simple/post_doom_waiter.h
new file mode 100644
index 00000000000..a7b42682ff2
--- /dev/null
+++ b/chromium/net/disk_cache/simple/post_doom_waiter.h
@@ -0,0 +1,71 @@
+// Copyright (c) 2019 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef NET_DISK_CACHE_SIMPLE_POST_DOOM_WAITER_H_
+#define NET_DISK_CACHE_SIMPLE_POST_DOOM_WAITER_H_
+
+#include <stdint.h>
+
+#include <unordered_map>
+#include <vector>
+
+#include "base/callback.h"
+#include "base/macros.h"
+#include "base/memory/ref_counted.h"
+#include "net/base/cache_type.h"
+
+namespace disk_cache {
+
+struct SimplePostDoomWaiter {
+  SimplePostDoomWaiter();
+  // Also initializes |time_queued|.
+  explicit SimplePostDoomWaiter(base::OnceClosure to_run_post_doom);
+  explicit SimplePostDoomWaiter(SimplePostDoomWaiter&& other);
+  ~SimplePostDoomWaiter();
+  SimplePostDoomWaiter& operator=(SimplePostDoomWaiter&& other);
+
+  base::TimeTicks time_queued;
+  base::OnceClosure run_post_doom;
+};
+
+// See |SimpleBackendImpl::post_doom_waiting_| for the description. This is
+// refcounted since sometimes this needs to survive backend destruction to
+// complete some per-entry operations.
+class SimplePostDoomWaiterTable
+    : public base::RefCounted<SimplePostDoomWaiterTable> {
+  friend class base::RefCounted<SimplePostDoomWaiterTable>;
+
+ public:
+  explicit SimplePostDoomWaiterTable(net::CacheType cache_type);
+
+  // The entry for |entry_hash| is being doomed; the backend will not attempt
+  // to run new operations for this |entry_hash| until the Doom is completed.
+  void OnDoomStart(uint64_t entry_hash);
+
+  // The entry for |entry_hash| has been successfully doomed, we can now allow
+  // operations on this entry, and we can run any operations enqueued while the
+  // doom completed.
+  void OnDoomComplete(uint64_t entry_hash);
+
+  // Returns nullptr if not found.
+  std::vector<SimplePostDoomWaiter>* Find(uint64_t entry_hash);
+
+  bool Has(uint64_t entry_hash) {
+    return entries_pending_doom_.find(entry_hash) !=
+           entries_pending_doom_.end();
+  }
+
+ private:
+  ~SimplePostDoomWaiterTable();
+
+  net::CacheType cache_type_;
+  std::unordered_map<uint64_t, std::vector<SimplePostDoomWaiter>>
+      entries_pending_doom_;
+
+  DISALLOW_COPY_AND_ASSIGN(SimplePostDoomWaiterTable);
+};
+
+}  // namespace disk_cache
+
+#endif  // NET_DISK_CACHE_SIMPLE_POST_DOOM_WAITER_H_
diff --git a/chromium/net/disk_cache/simple/simple_backend_impl.cc b/chromium/net/disk_cache/simple/simple_backend_impl.cc
index b8b40267592..395993e1ab3 100644
--- a/chromium/net/disk_cache/simple/simple_backend_impl.cc
+++ b/chromium/net/disk_cache/simple/simple_backend_impl.cc
@@ -130,10 +130,14 @@ base::RepeatingCallback<void(int)> MakeBarrierCompletionCallback(
 }
 
 // A short bindable thunk that ensures a completion callback is always called
-// after running an operation asynchronously.
+// after running an operation asynchronously. Checks for backend liveness first.
 void RunOperationAndCallback(
+    base::WeakPtr<SimpleBackendImpl> backend,
     base::OnceCallback<net::Error(net::CompletionOnceCallback)> operation,
     net::CompletionOnceCallback operation_callback) {
+  if (!backend)
+    return;
+
   base::RepeatingCallback<void(int)> copyable_callback;
   if (operation_callback)
     copyable_callback =
@@ -145,8 +149,12 @@ void RunOperationAndCallback(
 
 // Same but for things that work with EntryResult.
 void RunEntryResultOperationAndCallback(
+    base::WeakPtr<SimpleBackendImpl> backend,
     base::OnceCallback<EntryResult(EntryResultCallback)> operation,
     EntryResultCallback operation_callback) {
+  if (!backend)
+    return;
+
   base::RepeatingCallback<void(EntryResult)> copyable_callback;
   if (operation_callback)
     copyable_callback =
@@ -229,6 +237,8 @@ SimpleBackendImpl::SimpleBackendImpl(
                               cache_type == net::GENERATED_NATIVE_CODE_CACHE)
                                  ? SimpleEntryImpl::OPTIMISTIC_OPERATIONS
                                  : SimpleEntryImpl::NON_OPTIMISTIC_OPERATIONS),
+      post_doom_waiting_(
+          base::MakeRefCounted<SimplePostDoomWaiterTable>(cache_type)),
       net_log_(net_log) {
   // Treat negative passed-in sizes same as SetMaxSize would here and in other
   // backends, as default (if first call).
@@ -292,27 +302,10 @@ int64_t SimpleBackendImpl::MaxFileSize() const {
       kMinFileSizeLimit);
 }
 
-void SimpleBackendImpl::OnDoomStart(uint64_t entry_hash) {
-  DCHECK_EQ(0u, entries_pending_doom_.count(entry_hash));
-  entries_pending_doom_.insert(
-      std::make_pair(entry_hash, std::vector<PostDoomWaiter>()));
-}
-
-void SimpleBackendImpl::OnDoomComplete(uint64_t entry_hash) {
-  DCHECK_EQ(1u, entries_pending_doom_.count(entry_hash));
-  auto it = entries_pending_doom_.find(entry_hash);
-  std::vector<PostDoomWaiter> to_handle_waiters;
-  to_handle_waiters.swap(it->second);
-  entries_pending_doom_.erase(it);
-
-  SIMPLE_CACHE_UMA(COUNTS_1000, "NumOpsBlockedByPendingDoom", GetCacheType(),
-                   to_handle_waiters.size());
-
-  for (PostDoomWaiter& post_doom : to_handle_waiters) {
-    SIMPLE_CACHE_UMA(TIMES, "QueueLatency.PendingDoom", GetCacheType(),
-                     (base::TimeTicks::Now() - post_doom.time_queued));
-    std::move(post_doom.run_post_doom).Run();
-  }
+scoped_refptr<SimplePostDoomWaiterTable> SimpleBackendImpl::OnDoomStart(
+    uint64_t entry_hash) {
+  post_doom_waiting_->OnDoomStart(entry_hash);
+  return post_doom_waiting_;
 }
 
 void SimpleBackendImpl::DoomEntries(std::vector<uint64_t>* entry_hashes,
@@ -332,7 +325,7 @@ void SimpleBackendImpl::DoomEntries(std::vector<uint64_t>* entry_hashes,
   for (int i = mass_doom_entry_hashes->size() - 1; i >= 0; --i) {
     const uint64_t entry_hash = (*mass_doom_entry_hashes)[i];
     if (!active_entries_.count(entry_hash) &&
-        !entries_pending_doom_.count(entry_hash)) {
+        !post_doom_waiting_->Has(entry_hash)) {
       continue;
     }
 
@@ -385,7 +378,7 @@ EntryResult SimpleBackendImpl::OpenEntry(const std::string& key,
                                          EntryResultCallback callback) {
   const uint64_t entry_hash = simple_util::GetEntryHashKey(key);
 
-  std::vector<PostDoomWaiter>* post_doom = nullptr;
+  std::vector<SimplePostDoomWaiter>* post_doom = nullptr;
   scoped_refptr<SimpleEntryImpl> simple_entry = CreateOrFindActiveOrDoomedEntry(
       entry_hash, key, request_priority, &post_doom);
   if (!simple_entry) {
@@ -406,7 +399,7 @@ EntryResult SimpleBackendImpl::OpenEntry(const std::string& key,
         base::BindOnce(&SimpleBackendImpl::OpenEntry, base::Unretained(this),
                        key, request_priority);
     post_doom->emplace_back(base::BindOnce(&RunEntryResultOperationAndCallback,
-                                           std::move(operation),
+                                           AsWeakPtr(), std::move(operation),
                                            std::move(callback)));
     return EntryResult::MakeError(net::ERR_IO_PENDING);
   }
@@ -420,7 +413,7 @@ EntryResult SimpleBackendImpl::CreateEntry(
   DCHECK_LT(0u, key.size());
   const uint64_t entry_hash = simple_util::GetEntryHashKey(key);
 
-  std::vector<PostDoomWaiter>* post_doom = nullptr;
+  std::vector<SimplePostDoomWaiter>* post_doom = nullptr;
   scoped_refptr<SimpleEntryImpl> simple_entry = CreateOrFindActiveOrDoomedEntry(
       entry_hash, key, request_priority, &post_doom);
 
@@ -437,7 +430,7 @@ EntryResult SimpleBackendImpl::CreateEntry(
         base::BindOnce(&SimpleBackendImpl::CreateEntry, base::Unretained(this),
                        key, request_priority);
     post_doom->emplace_back(base::BindOnce(&RunEntryResultOperationAndCallback,
-                                           std::move(operation),
+                                           AsWeakPtr(), std::move(operation),
                                            std::move(callback)));
     return EntryResult::MakeError(net::ERR_IO_PENDING);
   }
@@ -452,7 +445,7 @@ EntryResult SimpleBackendImpl::OpenOrCreateEntry(
   DCHECK_LT(0u, key.size());
   const uint64_t entry_hash = simple_util::GetEntryHashKey(key);
 
-  std::vector<PostDoomWaiter>* post_doom = nullptr;
+  std::vector<SimplePostDoomWaiter>* post_doom = nullptr;
   scoped_refptr<SimpleEntryImpl> simple_entry = CreateOrFindActiveOrDoomedEntry(
       entry_hash, key, request_priority, &post_doom);
 
@@ -469,7 +462,7 @@ EntryResult SimpleBackendImpl::OpenOrCreateEntry(
           base::BindOnce(&SimpleBackendImpl::OpenOrCreateEntry,
                          base::Unretained(this), key, request_priority);
       post_doom->emplace_back(
-          base::BindOnce(&RunEntryResultOperationAndCallback,
+          base::BindOnce(&RunEntryResultOperationAndCallback, AsWeakPtr(),
                          std::move(operation), std::move(callback)));
       return EntryResult::MakeError(net::ERR_IO_PENDING);
     }
@@ -483,7 +476,7 @@ SimpleBackendImpl::MaybeOptimisticCreateForPostDoom(
     uint64_t entry_hash,
     const std::string& key,
     net::RequestPriority request_priority,
-    std::vector<PostDoomWaiter>* post_doom) {
+    std::vector<SimplePostDoomWaiter>* post_doom) {
   scoped_refptr<SimpleEntryImpl> simple_entry;
   // We would like to optimistically have create go ahead, for benefit of
   // HTTP cache use. This can only be sanely done if we are the only op
@@ -513,7 +506,7 @@ net::Error SimpleBackendImpl::DoomEntry(const std::string& key,
                                         CompletionOnceCallback callback) {
   const uint64_t entry_hash = simple_util::GetEntryHashKey(key);
 
-  std::vector<PostDoomWaiter>* post_doom = nullptr;
+  std::vector<SimplePostDoomWaiter>* post_doom = nullptr;
   scoped_refptr<SimpleEntryImpl> simple_entry =
       CreateOrFindActiveOrDoomedEntry(entry_hash, key, priority, &post_doom);
   if (!simple_entry) {
@@ -524,8 +517,9 @@ net::Error SimpleBackendImpl::DoomEntry(const std::string& key,
     base::OnceCallback<net::Error(CompletionOnceCallback)> operation =
         base::BindOnce(&SimpleBackendImpl::DoomEntry, base::Unretained(this),
                        key, priority);
-    post_doom->emplace_back(base::BindOnce(
-        &RunOperationAndCallback, std::move(operation), std::move(callback)));
+    post_doom->emplace_back(base::BindOnce(&RunOperationAndCallback,
+                                           AsWeakPtr(), std::move(operation),
+                                           std::move(callback)));
     return net::ERR_IO_PENDING;
   }
 
@@ -679,26 +673,6 @@ void SimpleBackendImpl::SetEntryInMemoryData(const std::string& key,
   index_->SetEntryInMemoryData(entry_hash, data);
 }
 
-SimpleBackendImpl::PostDoomWaiter::PostDoomWaiter() {}
-
-SimpleBackendImpl::PostDoomWaiter::PostDoomWaiter(
-    base::OnceClosure to_run_post_doom)
-    : time_queued(base::TimeTicks::Now()),
-      run_post_doom(std::move(to_run_post_doom)) {}
-
-SimpleBackendImpl::PostDoomWaiter::PostDoomWaiter(PostDoomWaiter&& other)
-    : time_queued(other.time_queued),
-      run_post_doom(std::move(other.run_post_doom)) {}
-
-SimpleBackendImpl::PostDoomWaiter& SimpleBackendImpl::PostDoomWaiter::operator=(
-    PostDoomWaiter&& other) {
-  time_queued = other.time_queued;
-  run_post_doom = std::move(other.run_post_doom);
-  return *this;
-}
-
-SimpleBackendImpl::PostDoomWaiter::~PostDoomWaiter() {}
-
 void SimpleBackendImpl::InitializeIndex(CompletionOnceCallback callback,
                                         const DiskStatResult& result) {
   if (result.net_error == net::OK) {
@@ -799,7 +773,7 @@ SimpleBackendImpl::DiskStatResult SimpleBackendImpl::InitCacheStructureOnDisk(
       result.net_error = net::ERR_FAILED;
     } else if (!result.max_size) {
       int64_t available = base::SysInfo::AmountOfFreeDiskSpace(path);
-      result.max_size = disk_cache::PreferredCacheSize(available);
+      result.max_size = disk_cache::PreferredCacheSize(available, cache_type);
       DCHECK(result.max_size);
     }
   }
@@ -811,15 +785,13 @@ SimpleBackendImpl::CreateOrFindActiveOrDoomedEntry(
     const uint64_t entry_hash,
     const std::string& key,
     net::RequestPriority request_priority,
-    std::vector<PostDoomWaiter>** post_doom) {
+    std::vector<SimplePostDoomWaiter>** post_doom) {
   DCHECK_EQ(entry_hash, simple_util::GetEntryHashKey(key));
 
   // If there is a doom pending, we would want to serialize after it.
-  auto doom_it = entries_pending_doom_.find(entry_hash);
-  if (doom_it != entries_pending_doom_.end()) {
-    *post_doom = &doom_it->second;
+  *post_doom = post_doom_waiting_->Find(entry_hash);
+  if (*post_doom)
     return nullptr;
-  }
 
   std::pair<EntryMap::iterator, bool> insert_result =
       active_entries_.insert(EntryMap::value_type(entry_hash, NULL));
@@ -841,7 +813,7 @@ SimpleBackendImpl::CreateOrFindActiveOrDoomedEntry(
   if (key != it->second->key()) {
     it->second->Doom();
     DCHECK_EQ(0U, active_entries_.count(entry_hash));
-    DCHECK_EQ(1U, entries_pending_doom_.count(entry_hash));
+    DCHECK(post_doom_waiting_->Has(entry_hash));
     // Re-run ourselves to handle the now-pending doom.
     return CreateOrFindActiveOrDoomedEntry(entry_hash, key, request_priority,
                                            post_doom);
@@ -851,13 +823,15 @@ SimpleBackendImpl::CreateOrFindActiveOrDoomedEntry(
 
 EntryResult SimpleBackendImpl::OpenEntryFromHash(uint64_t entry_hash,
                                                  EntryResultCallback callback) {
-  auto it = entries_pending_doom_.find(entry_hash);
-  if (it != entries_pending_doom_.end()) {
+  std::vector<SimplePostDoomWaiter>* post_doom =
+      post_doom_waiting_->Find(entry_hash);
+  if (post_doom) {
     base::OnceCallback<EntryResult(EntryResultCallback)> operation =
         base::BindOnce(&SimpleBackendImpl::OpenEntryFromHash,
                        base::Unretained(this), entry_hash);
-    it->second.emplace_back(base::BindOnce(&RunEntryResultOperationAndCallback,
-                                           std::move(operation),
+    // TODO(https://crbug.com/1019682) The cancellation behavior looks wrong.
+    post_doom->emplace_back(base::BindOnce(&RunEntryResultOperationAndCallback,
+                                           AsWeakPtr(), std::move(operation),
                                            std::move(callback)));
     return EntryResult::MakeError(net::ERR_IO_PENDING);
   }
@@ -884,13 +858,15 @@ net::Error SimpleBackendImpl::DoomEntryFromHash(
   Entry** entry = new Entry*();
   std::unique_ptr<Entry*> scoped_entry(entry);
 
-  auto pending_it = entries_pending_doom_.find(entry_hash);
-  if (pending_it != entries_pending_doom_.end()) {
+  std::vector<SimplePostDoomWaiter>* post_doom =
+      post_doom_waiting_->Find(entry_hash);
+  if (post_doom) {
     base::OnceCallback<net::Error(CompletionOnceCallback)> operation =
         base::BindOnce(&SimpleBackendImpl::DoomEntryFromHash,
                        base::Unretained(this), entry_hash);
-    pending_it->second.emplace_back(base::BindOnce(
-        &RunOperationAndCallback, std::move(operation), std::move(callback)));
+    post_doom->emplace_back(base::BindOnce(&RunOperationAndCallback,
+                                           AsWeakPtr(), std::move(operation),
+                                           std::move(callback)));
     return net::ERR_IO_PENDING;
   }
 
@@ -943,7 +919,7 @@ void SimpleBackendImpl::DoomEntriesComplete(
     CompletionOnceCallback callback,
     int result) {
   for (const uint64_t& entry_hash : *entry_hashes)
-    OnDoomComplete(entry_hash);
+    post_doom_waiting_->OnDoomComplete(entry_hash);
   std::move(callback).Run(result);
 }
 
diff --git a/chromium/net/disk_cache/simple/simple_backend_impl.h b/chromium/net/disk_cache/simple/simple_backend_impl.h
index e2dc4fbab49..debb437d4cf 100644
--- a/chromium/net/disk_cache/simple/simple_backend_impl.h
+++ b/chromium/net/disk_cache/simple/simple_backend_impl.h
@@ -25,6 +25,7 @@
 #include "net/base/cache_type.h"
 #include "net/base/net_export.h"
 #include "net/disk_cache/disk_cache.h"
+#include "net/disk_cache/simple/post_doom_waiter.h"
 #include "net/disk_cache/simple/simple_entry_impl.h"
 #include "net/disk_cache/simple/simple_index_delegate.h"
 
@@ -93,12 +94,9 @@ class NET_EXPORT_PRIVATE SimpleBackendImpl : public Backend,
 
   // The entry for |entry_hash| is being doomed; the backend will not attempt
   // run new operations for this |entry_hash| until the Doom is completed.
-  void OnDoomStart(uint64_t entry_hash);
-
-  // The entry for |entry_hash| has been successfully doomed, we can now allow
-  // operations on this entry, and we can run any operations enqueued while the
-  // doom completed.
-  void OnDoomComplete(uint64_t entry_hash);
+  //
+  // The return value should be used to call OnDoomComplete.
+  scoped_refptr<SimplePostDoomWaiterTable> OnDoomStart(uint64_t entry_hash);
 
   // SimpleIndexDelegate:
   void DoomEntries(std::vector<uint64_t>* entry_hashes,
@@ -170,18 +168,6 @@ class NET_EXPORT_PRIVATE SimpleBackendImpl : public Backend,
     int net_error;
   };
 
-  struct PostDoomWaiter {
-    PostDoomWaiter();
-    // Also initializes |time_queued|.
-    explicit PostDoomWaiter(base::OnceClosure to_run_post_doom);
-    explicit PostDoomWaiter(PostDoomWaiter&& other);
-    ~PostDoomWaiter();
-    PostDoomWaiter& operator=(PostDoomWaiter&& other);
-
-    base::TimeTicks time_queued;
-    base::OnceClosure run_post_doom;
-  };
-
   void InitializeIndex(CompletionOnceCallback callback,
                        const DiskStatResult& result);
 
@@ -219,7 +205,7 @@ class NET_EXPORT_PRIVATE SimpleBackendImpl : public Backend,
       uint64_t entry_hash,
       const std::string& key,
       net::RequestPriority request_priority,
-      std::vector<PostDoomWaiter>** post_doom);
+      std::vector<SimplePostDoomWaiter>** post_doom);
 
   // If post-doom and settings indicates that optimistically succeeding a create
   // due to being immediately after a doom is possible, sets up an entry for
@@ -231,7 +217,7 @@ class NET_EXPORT_PRIVATE SimpleBackendImpl : public Backend,
       uint64_t entry_hash,
       const std::string& key,
       net::RequestPriority request_priority,
-      std::vector<PostDoomWaiter>* post_doom);
+      std::vector<SimplePostDoomWaiter>* post_doom);
 
   // Given a hash, will try to open the corresponding Entry. If we have an Entry
   // corresponding to |hash| in the map of active entries, opens it. Otherwise,
@@ -294,10 +280,10 @@ class NET_EXPORT_PRIVATE SimpleBackendImpl : public Backend,
 
   // The set of all entries which are currently being doomed. To avoid races,
   // these entries cannot have Doom/Create/Open operations run until the doom
-  // is complete. The base::Closure |PostDoomWaiter::run_post_doom| field is
-  // used to store deferred operations to be run at the completion of the Doom.
-  std::unordered_map<uint64_t, std::vector<PostDoomWaiter>>
-      entries_pending_doom_;
+  // is complete. The base::Closure |SimplePostDoomWaiter::run_post_doom| field
+  // is used to store deferred operations to be run at the completion of the
+  // Doom.
+  scoped_refptr<SimplePostDoomWaiterTable> post_doom_waiting_;
 
   net::NetLog* const net_log_;
 
diff --git a/chromium/net/disk_cache/simple/simple_entry_impl.cc b/chromium/net/disk_cache/simple/simple_entry_impl.cc
index 84833b9dd04..6f814ce6340 100644
--- a/chromium/net/disk_cache/simple/simple_entry_impl.cc
+++ b/chromium/net/disk_cache/simple/simple_entry_impl.cc
@@ -314,7 +314,7 @@ net::Error SimpleEntryImpl::DoomEntry(net::CompletionOnceCallback callback) {
   MarkAsDoomed(DOOM_QUEUED);
   if (backend_.get()) {
     if (optimistic_create_pending_doom_state_ == CREATE_NORMAL) {
-      backend_->OnDoomStart(entry_hash_);
+      post_doom_waiting_ = backend_->OnDoomStart(entry_hash_);
     } else {
       DCHECK_EQ(STATE_IO_PENDING, state_);
       DCHECK_EQ(CREATE_OPTIMISTIC_PENDING_DOOM,
@@ -348,7 +348,7 @@ void SimpleEntryImpl::NotifyDoomBeforeCreateComplete() {
   DCHECK_NE(CREATE_NORMAL, optimistic_create_pending_doom_state_);
   if (backend_.get() && optimistic_create_pending_doom_state_ ==
                             CREATE_OPTIMISTIC_PENDING_DOOM_FOLLOWED_BY_DOOM)
-    backend_->OnDoomStart(entry_hash_);
+    post_doom_waiting_ = backend_->OnDoomStart(entry_hash_);
 
   state_ = STATE_UNINITIALIZED;
   optimistic_create_pending_doom_state_ = CREATE_NORMAL;
@@ -1691,8 +1691,10 @@ void SimpleEntryImpl::DoomOperationComplete(
   net_log_.AddEvent(net::NetLogEventType::SIMPLE_CACHE_ENTRY_DOOM_END);
   PostClientCallback(std::move(callback), result);
   RunNextOperationIfNeeded();
-  if (backend_)
-    backend_->OnDoomComplete(entry_hash_);
+  if (post_doom_waiting_) {
+    post_doom_waiting_->OnDoomComplete(entry_hash_);
+    post_doom_waiting_ = nullptr;
+  }
 }
 
 void SimpleEntryImpl::RecordReadResultConsideringChecksum(
diff --git a/chromium/net/disk_cache/simple/simple_entry_impl.h b/chromium/net/disk_cache/simple/simple_entry_impl.h
index b6d991c06e2..ad2d267da97 100644
--- a/chromium/net/disk_cache/simple/simple_entry_impl.h
+++ b/chromium/net/disk_cache/simple/simple_entry_impl.h
@@ -18,6 +18,7 @@
 #include "net/base/net_export.h"
 #include "net/base/request_priority.h"
 #include "net/disk_cache/disk_cache.h"
+#include "net/disk_cache/simple/post_doom_waiter.h"
 #include "net/disk_cache/simple/simple_entry_format.h"
 #include "net/disk_cache/simple/simple_entry_operation.h"
 #include "net/disk_cache/simple/simple_synchronous_entry.h"
@@ -455,6 +456,9 @@ class NET_EXPORT_PRIVATE SimpleEntryImpl : public Entry,
   // discarded. It may also be null if it wasn't prefetched in the first place.
   scoped_refptr<net::GrowableIOBuffer> stream_1_prefetch_data_;
 
+  // This is used only while a doom is pending.
+  scoped_refptr<SimplePostDoomWaiterTable> post_doom_waiting_;
+
   // Choosing uint32_t over uint64_t for space savings. Pages have in the
   // hundres to possibly thousands of resources. Wrapping every 4 billion
   // shouldn't cause inverted priorities very often.
diff --git a/chromium/net/disk_cache/simple/simple_synchronous_entry.cc b/chromium/net/disk_cache/simple/simple_synchronous_entry.cc
index a9903c5826e..c4612cc2109 100644
--- a/chromium/net/disk_cache/simple/simple_synchronous_entry.cc
+++ b/chromium/net/disk_cache/simple/simple_synchronous_entry.cc
@@ -1362,7 +1362,7 @@ bool SimpleSynchronousEntry::CheckHeaderAndKey(base::File* file,
   }
 
   char* key_data = header_data.data() + sizeof(*header);
-  if (base::Hash(key_data, header->key_length) != header->key_hash) {
+  if (base::PersistentHash(key_data, header->key_length) != header->key_hash) {
     RecordSyncOpenResult(cache_type_, OPEN_ENTRY_KEY_HASH_MISMATCH);
     return false;
   }
@@ -1483,7 +1483,7 @@ bool SimpleSynchronousEntry::InitializeCreatedFile(
   header.version = kSimpleEntryVersionOnDisk;
 
   header.key_length = key_.size();
-  header.key_hash = base::Hash(key_);
+  header.key_hash = base::PersistentHash(key_);
 
   int bytes_written =
       file->Write(0, reinterpret_cast<char*>(&header), sizeof(header));
@@ -1873,7 +1873,7 @@ bool SimpleSynchronousEntry::InitializeSparseFile(base::File* sparse_file) {
   header.initial_magic_number = kSimpleInitialMagicNumber;
   header.version = kSimpleVersion;
   header.key_length = key_.size();
-  header.key_hash = base::Hash(key_);
+  header.key_hash = base::PersistentHash(key_);
 
   int header_write_result =
       sparse_file->Write(0, reinterpret_cast<char*>(&header), sizeof(header));
diff --git a/chromium/net/dns/BUILD.gn b/chromium/net/dns/BUILD.gn
index bbf7cf20af0..ca54108824e 100644
--- a/chromium/net/dns/BUILD.gn
+++ b/chromium/net/dns/BUILD.gn
@@ -32,6 +32,8 @@ source_set("dns") {
 
   if (!is_nacl) {
     sources += [
+      "address_info.cc",
+      "address_info.h",
       "address_sorter.h",
       "address_sorter_win.cc",
       "context_host_resolver.cc",
@@ -56,8 +58,11 @@ source_set("dns") {
       "dns_socket_pool.cc",
       "dns_socket_pool.h",
       "dns_transaction.cc",
+      "esni_content.cc",
       "host_cache.cc",
       "host_resolver.cc",
+      "host_resolver_histograms.cc",
+      "host_resolver_histograms.h",
       "host_resolver_manager.cc",
       "host_resolver_mdns_listener_impl.cc",
       "host_resolver_mdns_listener_impl.h",
@@ -65,7 +70,6 @@ source_set("dns") {
       "host_resolver_mdns_task.h",
       "host_resolver_proc.cc",
       "host_resolver_proc.h",
-      "host_resolver_source.h",
       "mapped_host_resolver.cc",
       "notify_watcher_mac.cc",
       "notify_watcher_mac.h",
@@ -192,8 +196,10 @@ source_set("host_resolver") {
     sources += [
       "dns_config.h",
       "dns_config_overrides.h",
+      "esni_content.h",
       "host_cache.h",
       "host_resolver.h",
+      "host_resolver_source.h",
       "mapped_host_resolver.h",
     ]
   }
@@ -372,6 +378,7 @@ source_set("mdns_client") {
 source_set("tests") {
   testonly = true
   sources = [
+    "address_info_unittest.cc",
     "context_host_resolver_unittest.cc",
     "dns_config_service_unittest.cc",
     "dns_config_service_win_unittest.cc",
@@ -382,6 +389,7 @@ source_set("tests") {
     "dns_socket_pool_unittest.cc",
     "dns_transaction_unittest.cc",
     "dns_util_unittest.cc",
+    "esni_content_unittest.cc",
     "host_cache_unittest.cc",
     "host_resolver_manager_unittest.cc",
     "mapped_host_resolver_unittest.cc",
@@ -424,11 +432,13 @@ source_set("tests") {
 source_set("test_support") {
   testonly = true
   sources = [
+    "address_info_test_util.cc",
     "dns_test_util.cc",
     "mock_host_resolver.cc",
     "test_dns_config_service.cc",
   ]
   public = [
+    "address_info_test_util.h",
     "dns_test_util.h",
     "mock_host_resolver.h",
     "test_dns_config_service.h",
diff --git a/chromium/net/dns/address_info.cc b/chromium/net/dns/address_info.cc
new file mode 100644
index 00000000000..ec8016a33f3
--- /dev/null
+++ b/chromium/net/dns/address_info.cc
@@ -0,0 +1,195 @@
+// Copyright (c) 2019 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "net/dns/address_info.h"
+
+#include "base/logging.h"
+#include "base/sys_byteorder.h"
+#include "net/base/address_list.h"
+#include "net/base/net_errors.h"
+#include "net/base/sys_addrinfo.h"
+
+namespace net {
+
+namespace {
+
+const addrinfo* Next(const addrinfo* ai) {
+  return ai->ai_next;
+}
+
+}  // namespace
+
+//// iterator
+
+AddressInfo::const_iterator::const_iterator(const addrinfo* ai) : ai_(ai) {}
+
+bool AddressInfo::const_iterator::operator!=(
+    const AddressInfo::const_iterator& o) const {
+  return ai_ != o.ai_;
+}
+
+AddressInfo::const_iterator& AddressInfo::const_iterator::operator++() {
+  ai_ = Next(ai_);
+  return *this;
+}
+
+const addrinfo* AddressInfo::const_iterator::operator->() const {
+  return ai_;
+}
+
+const addrinfo& AddressInfo::const_iterator::operator*() const {
+  return *ai_;
+}
+
+//// constructors
+
+AddressInfo::AddressInfoAndResult AddressInfo::Get(
+    const std::string& host,
+    const addrinfo& hints,
+    std::unique_ptr<AddrInfoGetter> getter) {
+  if (getter == nullptr)
+    getter = std::make_unique<AddrInfoGetter>();
+  int err = OK;
+  int os_error = 0;
+  addrinfo* ai = getter->getaddrinfo(host, &hints, &os_error);
+
+  if (!ai) {
+    err = ERR_NAME_NOT_RESOLVED;
+
+    // If the call to getaddrinfo() failed because of a system error, report
+    // it separately from ERR_NAME_NOT_RESOLVED.
+#if defined(OS_WIN)
+    if (os_error != WSAHOST_NOT_FOUND && os_error != WSANO_DATA)
+      err = ERR_NAME_RESOLUTION_FAILED;
+#elif defined(OS_ANDROID)
+    // Workaround for Android's getaddrinfo leaving ai==nullptr without an
+    // error.
+    // http://crbug.com/134142
+    err = ERR_NAME_NOT_RESOLVED;
+#elif defined(OS_POSIX) && !defined(OS_FREEBSD)
+    if (os_error != EAI_NONAME && os_error != EAI_NODATA)
+      err = ERR_NAME_RESOLUTION_FAILED;
+#endif
+
+    return AddressInfoAndResult(base::Optional<AddressInfo>(), err, os_error);
+  }
+
+  return AddressInfoAndResult(
+      base::Optional<AddressInfo>(AddressInfo(ai, std::move(getter))), OK, 0);
+}
+
+AddressInfo::AddressInfo(AddressInfo&& other)
+    : ai_(other.ai_), getter_(std::move(other.getter_)) {
+  other.ai_ = nullptr;
+}
+
+AddressInfo& AddressInfo::operator=(AddressInfo&& other) {
+  ai_ = other.ai_;
+  other.ai_ = nullptr;
+  getter_ = std::move(other.getter_);
+  return *this;
+}
+
+AddressInfo::~AddressInfo() {
+  if (ai_)
+    getter_->freeaddrinfo(ai_);
+}
+
+//// public methods
+
+AddressInfo::const_iterator AddressInfo::begin() const {
+  return const_iterator(ai_);
+}
+
+AddressInfo::const_iterator AddressInfo::end() const {
+  return const_iterator(nullptr);
+}
+
+base::Optional<std::string> AddressInfo::GetCanonicalName() const {
+  return (ai_->ai_canonname != nullptr)
+             ? base::Optional<std::string>(std::string(ai_->ai_canonname))
+             : base::Optional<std::string>();
+}
+
+bool AddressInfo::IsAllLocalhostOfOneFamily() const {
+  bool saw_v4_localhost = false;
+  bool saw_v6_localhost = false;
+  const auto* ai = ai_;
+  for (; ai != nullptr; ai = Next(ai)) {
+    switch (ai->ai_family) {
+      case AF_INET: {
+        const struct sockaddr_in* addr_in =
+            reinterpret_cast<struct sockaddr_in*>(ai->ai_addr);
+        if ((base::NetToHost32(addr_in->sin_addr.s_addr) & 0xff000000) ==
+            0x7f000000)
+          saw_v4_localhost = true;
+        else
+          return false;
+        break;
+      }
+      case AF_INET6: {
+        const struct sockaddr_in6* addr_in6 =
+            reinterpret_cast<struct sockaddr_in6*>(ai->ai_addr);
+        if (IN6_IS_ADDR_LOOPBACK(&addr_in6->sin6_addr))
+          saw_v6_localhost = true;
+        else
+          return false;
+        break;
+      }
+      default:
+        NOTREACHED();
+        return false;
+    }
+  }
+
+  return saw_v4_localhost != saw_v6_localhost;
+}
+
+AddressList AddressInfo::CreateAddressList() const {
+  AddressList list;
+  auto canonical_name = GetCanonicalName();
+  if (canonical_name)
+    list.set_canonical_name(*canonical_name);
+  for (auto&& ai : *this) {
+    IPEndPoint ipe;
+    // NOTE: Ignoring non-INET* families.
+    if (ipe.FromSockAddr(ai.ai_addr, ai.ai_addrlen))
+      list.push_back(ipe);
+    else
+      DLOG(WARNING) << "Unknown family found in addrinfo: " << ai.ai_family;
+  }
+  return list;
+}
+
+//// private methods
+
+AddressInfo::AddressInfo(addrinfo* ai, std::unique_ptr<AddrInfoGetter> getter)
+    : ai_(ai), getter_(std::move(getter)) {}
+
+//// AddrInfoGetter
+
+AddrInfoGetter::AddrInfoGetter() = default;
+AddrInfoGetter::~AddrInfoGetter() = default;
+
+addrinfo* AddrInfoGetter::getaddrinfo(const std::string& host,
+                                      const addrinfo* hints,
+                                      int* out_os_error) {
+  addrinfo* ai;
+  *out_os_error = ::getaddrinfo(host.c_str(), nullptr, hints, &ai);
+
+  if (*out_os_error) {
+#if defined(OS_WIN)
+    *out_os_error = WSAGetLastError();
+#endif
+    return nullptr;
+  }
+
+  return ai;
+}
+
+void AddrInfoGetter::freeaddrinfo(addrinfo* ai) {
+  ::freeaddrinfo(ai);
+}
+
+}  // namespace net
diff --git a/chromium/net/dns/address_info.h b/chromium/net/dns/address_info.h
new file mode 100644
index 00000000000..95bc277c30b
--- /dev/null
+++ b/chromium/net/dns/address_info.h
@@ -0,0 +1,99 @@
+// Copyright (c) 2019 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef NET_DNS_ADDRESS_INFO_H_
+#define NET_DNS_ADDRESS_INFO_H_
+
+#include <memory>
+#include <string>
+#include <tuple>
+
+#include "base/macros.h"
+#include "base/optional.h"
+#include "build/build_config.h"
+#include "net/base/address_family.h"
+#include "net/base/net_export.h"
+#include "net/base/sys_addrinfo.h"
+
+namespace net {
+
+class AddressList;
+class AddrInfoGetter;
+
+// AddressInfo -- this encapsulates the system call to getaddrinfo and the
+// data structure that it populates and returns.
+class NET_EXPORT_PRIVATE AddressInfo {
+ public:
+  // Types
+  class NET_EXPORT_PRIVATE const_iterator {
+   public:
+    using iterator_category = std::forward_iterator_tag;
+    using value_type = const addrinfo;
+    using difference_type = std::ptrdiff_t;
+    using pointer = const addrinfo*;
+    using reference = const addrinfo&;
+
+    const_iterator(const const_iterator& other) = default;
+    explicit const_iterator(const addrinfo* ai);
+    bool operator!=(const const_iterator& o) const;
+    const_iterator& operator++();  // prefix
+    const addrinfo* operator->() const;
+    const addrinfo& operator*() const;
+
+   private:
+    const addrinfo* ai_;
+  };
+
+  // Constructors
+  using AddressInfoAndResult = std::
+      tuple<base::Optional<AddressInfo>, int /* err */, int /* os_error */>;
+  // Invokes AddrInfoGetter with provided |host| and |hints|. If |getter| is
+  // null, the system's getaddrinfo will be invoked. (A non-null |getter| is
+  // primarily for tests).
+  static AddressInfoAndResult Get(
+      const std::string& host,
+      const addrinfo& hints,
+      std::unique_ptr<AddrInfoGetter> getter = nullptr);
+
+  AddressInfo(AddressInfo&& other);
+  AddressInfo& operator=(AddressInfo&& other);
+  ~AddressInfo();
+
+  // Accessors
+  const_iterator begin() const;
+  const_iterator end() const;
+
+  // Methods
+  base::Optional<std::string> GetCanonicalName() const;
+  bool IsAllLocalhostOfOneFamily() const;
+  AddressList CreateAddressList() const;
+
+ private:
+  // Constructors
+  AddressInfo(addrinfo* ai, std::unique_ptr<AddrInfoGetter> getter);
+
+  // Data.
+  addrinfo* ai_;  // Never null (except after move)
+  std::unique_ptr<AddrInfoGetter> getter_;
+
+  DISALLOW_COPY_AND_ASSIGN(AddressInfo);
+};
+
+// Encapsulates calls to getaddrinfo and freeaddrinfo for tests.
+class NET_EXPORT_PRIVATE AddrInfoGetter {
+ public:
+  AddrInfoGetter();
+  // Virtual for tests.
+  virtual ~AddrInfoGetter();
+  virtual addrinfo* getaddrinfo(const std::string& host,
+                                const addrinfo* hints,
+                                int* out_os_error);
+  virtual void freeaddrinfo(addrinfo* ai);
+
+  DISALLOW_COPY_AND_ASSIGN(AddrInfoGetter);
+};
+
+}  // namespace net
+
+#endif  // NET_DNS_ADDRESS_INFO_H_
diff --git a/chromium/net/dns/address_info_test_util.cc b/chromium/net/dns/address_info_test_util.cc
new file mode 100644
index 00000000000..a457c90b8d5
--- /dev/null
+++ b/chromium/net/dns/address_info_test_util.cc
@@ -0,0 +1,67 @@
+// Copyright (c) 2019 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "net/dns/address_info_test_util.h"
+
+#include "base/logging.h"
+#include "base/sys_byteorder.h"
+#include "net/base/sys_addrinfo.h"
+
+namespace net {
+namespace test {
+
+template <unsigned int N>
+std::unique_ptr<char[]> make_addrinfo_list(std::vector<IpAndPort> ipp,
+                                           const std::string& canonical_name) {
+  struct Buffer {
+    addrinfo ai[N];
+    sockaddr_in addr[N];
+    char canonical_name[256];
+  };
+
+  CHECK(ipp.size() == N);
+  CHECK(canonical_name.length() <= 255);
+
+  std::unique_ptr<char[]> data(new char[sizeof(Buffer)]);
+  memset(data.get(), 0x0, sizeof(Buffer));
+  Buffer* buffer = reinterpret_cast<Buffer*>(data.get());
+
+  memcpy(&buffer->canonical_name[0], canonical_name.data(),
+         canonical_name.length() + 1);
+
+  for (unsigned int i = 0; i < N; ++i) {
+    std::uint8_t ip[4] = {ipp[i].ip.a, ipp[i].ip.b, ipp[i].ip.c, ipp[i].ip.d};
+    sockaddr_in* addr = &buffer->addr[i];
+    memcpy(&addr->sin_addr, ip, 4);
+    addr->sin_family = AF_INET;
+    addr->sin_port = base::HostToNet16(static_cast<std::uint16_t>(ipp[i].port));
+
+    addrinfo* ai = &buffer->ai[i];
+    ai->ai_family = AF_INET;
+    ai->ai_socktype = SOCK_STREAM;
+    ai->ai_addrlen = sizeof(sockaddr_in);
+    ai->ai_addr = reinterpret_cast<sockaddr*>(addr);
+    ai->ai_canonname = reinterpret_cast<decltype(buffer->ai[0].ai_canonname)>(
+        buffer->canonical_name);
+    if (i < (N - 1))
+      ai->ai_next = &buffer->ai[i + 1];
+  }
+
+  return data;
+}
+
+template std::unique_ptr<char[]> make_addrinfo_list<1>(
+    std::vector<IpAndPort> ipp,
+    const std::string& canonical_name);
+template std::unique_ptr<char[]> make_addrinfo_list<3>(
+    std::vector<IpAndPort> ipp,
+    const std::string& canonical_name);
+
+std::unique_ptr<char[]> make_addrinfo(IpAndPort ipp,
+                                      const std::string& canonical_name) {
+  return make_addrinfo_list<1>({ipp}, canonical_name);
+}
+
+}  // namespace test
+}  // namespace net
diff --git a/chromium/net/dns/address_info_test_util.h b/chromium/net/dns/address_info_test_util.h
new file mode 100644
index 00000000000..59715ad5854
--- /dev/null
+++ b/chromium/net/dns/address_info_test_util.h
@@ -0,0 +1,38 @@
+// Copyright (c) 2019 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef NET_DNS_ADDRESS_INFO_TEST_UTIL_H_
+#define NET_DNS_ADDRESS_INFO_TEST_UTIL_H_
+
+#include <memory>
+#include <string>
+#include <vector>
+
+namespace net {
+namespace test {
+
+struct IpAndPort {
+  struct Ip {
+    int a;
+    int b;
+    int c;
+    int d;
+  };
+  Ip ip;
+  int port;
+};
+
+// |N| is the length of the IpAndPort vector.
+// (The templating greatly simplifies the internals of this function).
+template <unsigned int N>
+std::unique_ptr<char[]> make_addrinfo_list(std::vector<IpAndPort> ipp,
+                                           const std::string& canonical_name);
+
+std::unique_ptr<char[]> make_addrinfo(IpAndPort ipp,
+                                      const std::string& canonical_name);
+
+}  // namespace test
+}  // namespace net
+
+#endif  // NET_DNS_ADDRESS_INFO_TEST_UTIL_H_
diff --git a/chromium/net/dns/address_info_unittest.cc b/chromium/net/dns/address_info_unittest.cc
new file mode 100644
index 00000000000..45e39879f8c
--- /dev/null
+++ b/chromium/net/dns/address_info_unittest.cc
@@ -0,0 +1,254 @@
+// Copyright (c) 2019 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "net/dns/address_info.h"
+
+#include <memory>
+#include <tuple>
+
+#include "base/sys_byteorder.h"
+#include "build/build_config.h"
+#include "net/base/address_list.h"
+#include "net/base/net_errors.h"
+#include "net/base/sys_addrinfo.h"
+#include "net/dns/address_info_test_util.h"
+#include "testing/gmock/include/gmock/gmock.h"
+#include "testing/gtest/include/gtest/gtest.h"
+
+namespace net {
+
+namespace {
+
+class MockAddrInfoGetter : public AddrInfoGetter {
+ public:
+  addrinfo* getaddrinfo(const std::string& host,
+                        const addrinfo* hints,
+                        int* out_os_error) override;
+  void freeaddrinfo(addrinfo* ai) override;
+};
+
+addrinfo* MockAddrInfoGetter::getaddrinfo(const std::string& host,
+                                          const addrinfo* /* hints */,
+                                          int* out_os_error) {
+  // Presume success
+  *out_os_error = 0;
+
+  if (host == std::string("canonical.bar.com"))
+    return reinterpret_cast<addrinfo*>(
+        test::make_addrinfo({{1, 2, 3, 4}, 80}, "canonical.bar.com").release());
+  else if (host == "iteration.test")
+    return reinterpret_cast<addrinfo*>(
+        test::make_addrinfo_list<3>({{{10, 20, 30, 40}, 80},
+                                     {{11, 21, 31, 41}, 81},
+                                     {{12, 22, 32, 42}, 82}},
+                                    "iteration.test")
+            .release());
+  else if (host == "alllocalhost.com")
+    return reinterpret_cast<addrinfo*>(
+        test::make_addrinfo_list<3>(
+            {{{127, 0, 0, 1}, 80}, {{127, 0, 0, 2}, 80}, {{127, 0, 0, 3}, 80}},
+            "alllocalhost.com")
+            .release());
+  else if (host == "not.alllocalhost.com")
+    return reinterpret_cast<addrinfo*>(
+        test::make_addrinfo_list<3>(
+            {{{128, 0, 0, 1}, 80}, {{127, 0, 0, 2}, 80}, {{127, 0, 0, 3}, 80}},
+            "not.alllocalhost.com")
+            .release());
+  else if (host == "www.example.com")
+    return reinterpret_cast<addrinfo*>(
+        test::make_addrinfo({{8, 8, 8, 8}, 80}, "www.example.com").release());
+
+  // Failure
+  *out_os_error = 1;
+
+  return nullptr;
+}
+
+void MockAddrInfoGetter::freeaddrinfo(addrinfo* ai) {
+  std::unique_ptr<char[]> mock_addrinfo(reinterpret_cast<char*>(ai));
+}
+
+std::unique_ptr<addrinfo> MakeHints(AddressFamily address_family,
+                                    HostResolverFlags host_resolver_flags) {
+  auto hints = std::make_unique<addrinfo>();
+  *hints = {0};
+
+  switch (address_family) {
+    case ADDRESS_FAMILY_IPV4:
+      hints->ai_family = AF_INET;
+      break;
+    case ADDRESS_FAMILY_IPV6:
+      hints->ai_family = AF_INET6;
+      break;
+    case ADDRESS_FAMILY_UNSPECIFIED:
+      hints->ai_family = AF_UNSPEC;
+      break;
+  }
+
+  if (host_resolver_flags & HOST_RESOLVER_CANONNAME)
+    hints->ai_flags |= AI_CANONNAME;
+
+  hints->ai_socktype = SOCK_STREAM;
+
+  return hints;
+}
+
+TEST(AddressInfoTest, Failure) {
+  base::Optional<AddressInfo> ai;
+  int err;
+  int os_error;
+  auto getter = std::make_unique<MockAddrInfoGetter>();
+  std::tie(ai, err, os_error) = AddressInfo::Get(
+      "failure.com", *MakeHints(ADDRESS_FAMILY_IPV4, HOST_RESOLVER_CANONNAME),
+      std::move(getter));
+
+  EXPECT_FALSE(ai);
+  EXPECT_NE(err, OK);
+  EXPECT_NE(os_error, 0);
+}
+
+#if defined(OS_WIN)
+// Note: this test is descriptive, not prescriptive.
+TEST(AddressInfoTest, FailureWin) {
+  base::Optional<AddressInfo> ai;
+  int err;
+  int os_error;
+  auto getter = std::make_unique<MockAddrInfoGetter>();
+  std::tie(ai, err, os_error) = AddressInfo::Get(
+      "failure.com", *MakeHints(ADDRESS_FAMILY_IPV4, HOST_RESOLVER_CANONNAME),
+      std::move(getter));
+
+  EXPECT_FALSE(ai);
+  EXPECT_EQ(err, ERR_NAME_RESOLUTION_FAILED);
+  EXPECT_NE(os_error, 0);
+}
+#endif  // OS_WIN
+
+#if defined(OS_ANDROID)
+// Note: this test is descriptive, not prescriptive.
+TEST(AddressInfoTest, FailureAndroid) {
+  base::Optional<AddressInfo> ai;
+  int err;
+  int os_error;
+  auto getter = std::make_unique<MockAddrInfoGetter>();
+  std::tie(ai, err, os_error) = AddressInfo::Get(
+      "failure.com", *MakeHints(ADDRESS_FAMILY_IPV4, HOST_RESOLVER_CANONNAME),
+      std::move(getter));
+
+  EXPECT_FALSE(ai);
+  EXPECT_EQ(err, ERR_NAME_NOT_RESOLVED);
+  EXPECT_NE(os_error, 0);
+}
+#endif  // OS_ANDROID
+
+TEST(AddressInfoTest, Canonical) {
+  base::Optional<AddressInfo> ai;
+  int err;
+  int os_error;
+  std::tie(ai, err, os_error) =
+      AddressInfo::Get("canonical.bar.com",
+                       *MakeHints(ADDRESS_FAMILY_IPV4, HOST_RESOLVER_CANONNAME),
+                       std::make_unique<MockAddrInfoGetter>());
+
+  EXPECT_TRUE(ai);
+  EXPECT_EQ(err, OK);
+  EXPECT_EQ(os_error, 0);
+  EXPECT_THAT(ai->GetCanonicalName(),
+              base::Optional<std::string>("canonical.bar.com"));
+}
+
+TEST(AddressInfoTest, Iteration) {
+  base::Optional<AddressInfo> ai;
+  int err;
+  int os_error;
+  std::tie(ai, err, os_error) =
+      AddressInfo::Get("iteration.test",
+                       *MakeHints(ADDRESS_FAMILY_IPV4, HOST_RESOLVER_CANONNAME),
+                       std::make_unique<MockAddrInfoGetter>());
+
+  EXPECT_TRUE(ai);
+  EXPECT_EQ(err, OK);
+  EXPECT_EQ(os_error, 0);
+
+  {
+    int count = 0;
+    for (auto aii = ai->begin(); aii != ai->end(); ++aii) {
+      const sockaddr_in* addr = reinterpret_cast<sockaddr_in*>(aii->ai_addr);
+      EXPECT_EQ(base::HostToNet16(addr->sin_port) % 10, count % 10);
+      ++count;
+    }
+
+    EXPECT_EQ(count, 3);
+  }
+
+  {
+    int count = 0;
+    for (auto&& aii : ai.value()) {
+      const sockaddr_in* addr = reinterpret_cast<sockaddr_in*>(aii.ai_addr);
+      EXPECT_EQ(base::HostToNet16(addr->sin_port) % 10, count % 10);
+      ++count;
+    }
+
+    EXPECT_EQ(count, 3);
+  }
+}
+
+TEST(AddressInfoTest, IsAllLocalhostOfOneFamily) {
+  base::Optional<AddressInfo> ai;
+  int err;
+  int os_error;
+  std::tie(ai, err, os_error) =
+      AddressInfo::Get("alllocalhost.com",
+                       *MakeHints(ADDRESS_FAMILY_IPV4, HOST_RESOLVER_CANONNAME),
+                       std::make_unique<MockAddrInfoGetter>());
+
+  EXPECT_TRUE(ai);
+  EXPECT_EQ(err, OK);
+  EXPECT_EQ(os_error, 0);
+  EXPECT_TRUE(ai->IsAllLocalhostOfOneFamily());
+}
+
+TEST(AddressInfoTest, IsAllLocalhostOfOneFamilyFalse) {
+  base::Optional<AddressInfo> ai;
+  int err;
+  int os_error;
+  std::tie(ai, err, os_error) =
+      AddressInfo::Get("not.alllocalhost.com",
+                       *MakeHints(ADDRESS_FAMILY_IPV4, HOST_RESOLVER_CANONNAME),
+                       std::make_unique<MockAddrInfoGetter>());
+
+  EXPECT_TRUE(ai);
+  EXPECT_EQ(err, OK);
+  EXPECT_EQ(os_error, 0);
+  EXPECT_FALSE(ai->IsAllLocalhostOfOneFamily());
+}
+
+TEST(AddressInfoTest, CreateAddressList) {
+  base::Optional<AddressInfo> ai;
+  int err;
+  int os_error;
+  std::tie(ai, err, os_error) =
+      AddressInfo::Get("www.example.com",
+                       *MakeHints(ADDRESS_FAMILY_IPV4, HOST_RESOLVER_CANONNAME),
+                       std::make_unique<MockAddrInfoGetter>());
+
+  EXPECT_TRUE(ai);
+  EXPECT_EQ(err, OK);
+  EXPECT_EQ(os_error, 0);
+
+  AddressList list = ai->CreateAddressList();
+
+  // Verify one result.
+  ASSERT_EQ(1u, list.size());
+  ASSERT_EQ(ADDRESS_FAMILY_IPV4, list[0].GetFamily());
+
+  // Check if operator= works.
+  AddressList copy;
+  copy = list;
+  ASSERT_EQ(1u, copy.size());
+}
+
+}  // namespace
+}  // namespace net
diff --git a/chromium/net/dns/context_host_resolver.cc b/chromium/net/dns/context_host_resolver.cc
index 444141a1eff..772d0b892a4 100644
--- a/chromium/net/dns/context_host_resolver.cc
+++ b/chromium/net/dns/context_host_resolver.cc
@@ -12,40 +12,34 @@
 #include "base/strings/string_piece.h"
 #include "base/time/tick_clock.h"
 #include "net/base/net_errors.h"
+#include "net/base/network_isolation_key.h"
 #include "net/dns/dns_config.h"
 #include "net/dns/host_cache.h"
 #include "net/dns/host_resolver_manager.h"
 #include "net/dns/host_resolver_proc.h"
+#include "net/dns/public/resolve_error_info.h"
 #include "net/url_request/url_request_context.h"
 
 namespace net {
 
 // Wrapper of ResolveHostRequests that on destruction will remove itself from
 // |ContextHostResolver::handed_out_requests_|.
-class ContextHostResolver::WrappedRequest
-    : public HostResolver::ResolveHostRequest {
+class ContextHostResolver::WrappedRequest {
  public:
-  WrappedRequest(
-      std::unique_ptr<HostResolverManager::CancellableRequest> inner_request,
-      ContextHostResolver* resolver,
-      bool shutting_down)
-      : inner_request_(std::move(inner_request)),
-        resolver_(resolver),
-        shutting_down_(shutting_down) {
+  WrappedRequest(ContextHostResolver* resolver, bool shutting_down)
+      : resolver_(resolver), shutting_down_(shutting_down) {
     DCHECK_CALLED_ON_VALID_SEQUENCE(resolver_->sequence_checker_);
   }
 
-  ~WrappedRequest() override { Cancel(); }
+  WrappedRequest(const WrappedRequest&) = delete;
+  WrappedRequest& operator=(const WrappedRequest&) = delete;
+
+  virtual ~WrappedRequest() { DetachFromResolver(); }
 
   void Cancel() {
     DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
     OnShutdown();
-
-    if (resolver_) {
-      DCHECK_EQ(1u, resolver_->handed_out_requests_.count(this));
-      resolver_->handed_out_requests_.erase(this);
-      resolver_ = nullptr;
-    }
+    DetachFromResolver();
   }
 
   void OnShutdown() {
@@ -53,8 +47,8 @@ class ContextHostResolver::WrappedRequest
 
     // Cannot destroy |inner_request_| because it is still allowed to call
     // Get...Results() methods if the request was already complete.
-    if (inner_request_)
-      inner_request_->Cancel();
+    if (inner_request())
+      inner_request()->Cancel();
 
     shutting_down_ = true;
 
@@ -62,21 +56,62 @@ class ContextHostResolver::WrappedRequest
     // Start() from full cancellation on resolver destruction.
   }
 
+  virtual HostResolverManager::CancellableRequest* inner_request() = 0;
+
+  ContextHostResolver* resolver() { return resolver_; }
+  bool shutting_down() { return shutting_down_; }
+
+ private:
+  void DetachFromResolver() {
+    DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
+    if (resolver_) {
+      DCHECK_EQ(1u, resolver_->handed_out_requests_.count(this));
+      resolver_->handed_out_requests_.erase(this);
+      resolver_ = nullptr;
+    }
+  }
+
+  // Resolver is expected to call Cancel() on destruction, clearing the pointer
+  // before it becomes invalid.
+  ContextHostResolver* resolver_;
+  bool shutting_down_ = false;
+
+  SEQUENCE_CHECKER(sequence_checker_);
+};
+
+class ContextHostResolver::WrappedResolveHostRequest
+    : public WrappedRequest,
+      public HostResolver::ResolveHostRequest {
+ public:
+  WrappedResolveHostRequest(
+      std::unique_ptr<HostResolverManager::CancellableResolveHostRequest>
+          request,
+      ContextHostResolver* resolver,
+      bool shutting_down)
+      : WrappedRequest(resolver, shutting_down),
+        inner_request_(std::move(request)) {}
+
+  WrappedResolveHostRequest(const WrappedResolveHostRequest&) = delete;
+  WrappedResolveHostRequest& operator=(const WrappedResolveHostRequest&) =
+      delete;
+
   int Start(CompletionOnceCallback callback) override {
     DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
 
-    if (!resolver_) {
+    if (!resolver()) {
       // Parent resolver has been destroyed. HostResolver generally disallows
       // calling Start() in this case, but this implementation returns
       // ERR_FAILED to allow testing the case.
       inner_request_ = nullptr;
-      return ERR_FAILED;
+      resolve_error_info_ = ResolveErrorInfo(ERR_FAILED);
+      return ERR_NAME_NOT_RESOLVED;
     }
 
-    if (shutting_down_) {
+    if (shutting_down()) {
       // Shutting down but the resolver is not yet destroyed.
       inner_request_ = nullptr;
-      return ERR_CONTEXT_SHUT_DOWN;
+      resolve_error_info_ = ResolveErrorInfo(ERR_CONTEXT_SHUT_DOWN);
+      return ERR_NAME_NOT_RESOLVED;
     }
 
     DCHECK(inner_request_);
@@ -114,6 +149,23 @@ class ContextHostResolver::WrappedRequest
     return inner_request_->GetHostnameResults();
   }
 
+  const base::Optional<EsniContent>& GetEsniResults() const override {
+    if (!inner_request_) {
+      static const base::NoDestructor<base::Optional<EsniContent>>
+          nullopt_result;
+      return *nullopt_result;
+    }
+
+    return inner_request_->GetEsniResults();
+  }
+
+  net::ResolveErrorInfo GetResolveErrorInfo() const override {
+    if (!inner_request_) {
+      return resolve_error_info_;
+    }
+    return inner_request_->GetResolveErrorInfo();
+  }
+
   const base::Optional<HostCache::EntryStaleness>& GetStaleInfo()
       const override {
     if (!inner_request_) {
@@ -132,17 +184,64 @@ class ContextHostResolver::WrappedRequest
     inner_request_->ChangeRequestPriority(priority);
   }
 
+  HostResolverManager::CancellableRequest* inner_request() override {
+    return inner_request_.get();
+  }
+
  private:
-  std::unique_ptr<HostResolverManager::CancellableRequest> inner_request_;
+  std::unique_ptr<HostResolverManager::CancellableResolveHostRequest>
+      inner_request_;
 
-  // Resolver is expected to call Cancel() on destruction, clearing the pointer
-  // before it becomes invalid.
-  ContextHostResolver* resolver_;
-  bool shutting_down_ = false;
+  // Error info for a |inner_request_| that was destroyed before it started.
+  ResolveErrorInfo resolve_error_info_;
 
   SEQUENCE_CHECKER(sequence_checker_);
+};
+
+class ContextHostResolver::WrappedProbeRequest
+    : public WrappedRequest,
+      public HostResolver::ProbeRequest {
+ public:
+  WrappedProbeRequest(
+      std::unique_ptr<HostResolverManager::CancellableProbeRequest>
+          inner_request,
+      ContextHostResolver* resolver,
+      bool shutting_down)
+      : WrappedRequest(resolver, shutting_down),
+        inner_request_(std::move(inner_request)) {}
 
-  DISALLOW_COPY_AND_ASSIGN(WrappedRequest);
+  WrappedProbeRequest(const WrappedProbeRequest&) = delete;
+  WrappedProbeRequest& operator=(const WrappedProbeRequest&) = delete;
+
+  int Start() override {
+    DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
+
+    if (!resolver()) {
+      // Parent resolver has been destroyed. HostResolver generally disallows
+      // calling Start() in this case, but this implementation returns
+      // ERR_FAILED to allow testing the case.
+      inner_request_ = nullptr;
+      return ERR_FAILED;
+    }
+
+    if (shutting_down()) {
+      // Shutting down but the resolver is not yet destroyed.
+      inner_request_ = nullptr;
+      return ERR_CONTEXT_SHUT_DOWN;
+    }
+
+    DCHECK(inner_request_);
+    return inner_request_->Start();
+  }
+
+  HostResolverManager::CancellableRequest* inner_request() override {
+    return inner_request_.get();
+  }
+
+ private:
+  std::unique_ptr<HostResolverManager::CancellableProbeRequest> inner_request_;
+
+  SEQUENCE_CHECKER(sequence_checker_);
 };
 
 ContextHostResolver::ContextHostResolver(HostResolverManager* manager,
@@ -185,30 +284,44 @@ void ContextHostResolver::OnShutdown() {
     active_request->OnShutdown();
 
   DCHECK(context_);
-  manager_->CancelProbesForContext(context_);
 
   context_ = nullptr;
   shutting_down_ = true;
-
-  // TODO(crbug.com/1006902): Cancel DoH prober requests too if using
-  // |context_|.
 }
 
 std::unique_ptr<HostResolver::ResolveHostRequest>
 ContextHostResolver::CreateRequest(
     const HostPortPair& host,
+    const NetworkIsolationKey& network_isolation_key,
     const NetLogWithSource& source_net_log,
     const base::Optional<ResolveHostParameters>& optional_parameters) {
   DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
 
-  std::unique_ptr<HostResolverManager::CancellableRequest> inner_request;
+  std::unique_ptr<HostResolverManager::CancellableResolveHostRequest>
+      inner_request;
+  if (!shutting_down_) {
+    inner_request = manager_->CreateRequest(host, network_isolation_key,
+                                            source_net_log, optional_parameters,
+                                            context_, host_cache_.get());
+  }
+
+  auto request = std::make_unique<WrappedResolveHostRequest>(
+      std::move(inner_request), this, shutting_down_);
+  handed_out_requests_.insert(request.get());
+  return request;
+}
+
+std::unique_ptr<HostResolver::ProbeRequest>
+ContextHostResolver::CreateDohProbeRequest() {
+  DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
+
+  std::unique_ptr<HostResolverManager::CancellableProbeRequest> inner_request;
   if (!shutting_down_) {
-    inner_request = manager_->CreateRequest(
-        host, source_net_log, optional_parameters, context_, host_cache_.get());
+    inner_request = manager_->CreateDohProbeRequest(context_);
   }
 
-  auto request = std::make_unique<WrappedRequest>(std::move(inner_request),
-                                                  this, shutting_down_);
+  auto request = std::make_unique<WrappedProbeRequest>(std::move(inner_request),
+                                                       this, shutting_down_);
   handed_out_requests_.insert(request.get());
   return request;
 }
diff --git a/chromium/net/dns/context_host_resolver.h b/chromium/net/dns/context_host_resolver.h
index 8d94b3ce33c..e9308158d77 100644
--- a/chromium/net/dns/context_host_resolver.h
+++ b/chromium/net/dns/context_host_resolver.h
@@ -46,9 +46,11 @@ class NET_EXPORT ContextHostResolver : public HostResolver {
   void OnShutdown() override;
   std::unique_ptr<ResolveHostRequest> CreateRequest(
       const HostPortPair& host,
+      const NetworkIsolationKey& network_isolation_key,
       const NetLogWithSource& net_log,
       const base::Optional<ResolveHostParameters>& optional_parameters)
       override;
+  std::unique_ptr<ProbeRequest> CreateDohProbeRequest() override;
   std::unique_ptr<MdnsListener> CreateMdnsListener(
       const HostPortPair& host,
       DnsQueryType query_type) override;
@@ -73,6 +75,8 @@ class NET_EXPORT ContextHostResolver : public HostResolver {
 
  private:
   class WrappedRequest;
+  class WrappedResolveHostRequest;
+  class WrappedProbeRequest;
 
   HostResolverManager* const manager_;
   std::unique_ptr<HostResolverManager> owned_manager_;
diff --git a/chromium/net/dns/context_host_resolver_unittest.cc b/chromium/net/dns/context_host_resolver_unittest.cc
index ff4467b7012..746ff49f504 100644
--- a/chromium/net/dns/context_host_resolver_unittest.cc
+++ b/chromium/net/dns/context_host_resolver_unittest.cc
@@ -9,8 +9,11 @@
 #include "base/bind.h"
 #include "base/optional.h"
 #include "base/run_loop.h"
+#include "base/test/scoped_feature_list.h"
 #include "base/test/simple_test_tick_clock.h"
+#include "base/test/task_environment.h"
 #include "base/time/time.h"
+#include "net/base/features.h"
 #include "net/base/host_port_pair.h"
 #include "net/base/ip_address.h"
 #include "net/base/ip_endpoint.h"
@@ -24,12 +27,15 @@
 #include "net/dns/host_resolver_source.h"
 #include "net/dns/mock_host_resolver.h"
 #include "net/dns/public/dns_protocol.h"
+#include "net/dns/public/resolve_error_info.h"
 #include "net/log/net_log_with_source.h"
 #include "net/test/gtest_util.h"
 #include "net/test/test_with_task_environment.h"
 #include "net/url_request/url_request_context.h"
 #include "testing/gmock/include/gmock/gmock.h"
 #include "testing/gtest/include/gtest/gtest.h"
+#include "url/gurl.h"
+#include "url/origin.h"
 
 namespace net {
 
@@ -37,12 +43,22 @@ namespace {
 const IPEndPoint kEndpoint(IPAddress(1, 2, 3, 4), 100);
 }
 
-class ContextHostResolverTest : public TestWithTaskEnvironment {
+class ContextHostResolverTest : public ::testing::Test,
+                                public WithTaskEnvironment {
  protected:
+  // Use mock time to prevent the HostResolverManager's injected IPv6 probe
+  // result from timing out.
+  ContextHostResolverTest()
+      : WithTaskEnvironment(
+            base::test::TaskEnvironment::TimeSource::MOCK_TIME) {}
+
+  ~ContextHostResolverTest() override = default;
+
   void SetUp() override {
     manager_ = std::make_unique<HostResolverManager>(
         HostResolver::ManagerOptions(),
         nullptr /* system_dns_config_notifier */, nullptr /* net_log */);
+    manager_->SetLastIPv6ProbeResultForTesting(true);
   }
 
   void SetMockDnsRules(MockDnsClientRuleList rules) {
@@ -90,11 +106,13 @@ TEST_F(ContextHostResolverTest, Resolve) {
   resolver->SetRequestContext(&context);
   std::unique_ptr<HostResolver::ResolveHostRequest> request =
       resolver->CreateRequest(HostPortPair("example.com", 100),
-                              NetLogWithSource(), base::nullopt);
+                              NetworkIsolationKey(), NetLogWithSource(),
+                              base::nullopt);
 
   TestCompletionCallback callback;
   int rv = request->Start(callback.callback());
   EXPECT_THAT(callback.GetResult(rv), test::IsOk());
+  EXPECT_THAT(request->GetResolveErrorInfo().error, test::IsError(net::OK));
   EXPECT_THAT(request->GetAddressResults().value().endpoints(),
               testing::ElementsAre(kEndpoint));
 }
@@ -116,7 +134,8 @@ TEST_F(ContextHostResolverTest, DestroyRequest) {
       manager_.get(), nullptr /* host_cache */);
   std::unique_ptr<HostResolver::ResolveHostRequest> request =
       resolver->CreateRequest(HostPortPair("example.com", 100),
-                              NetLogWithSource(), base::nullopt);
+                              NetworkIsolationKey(), NetLogWithSource(),
+                              base::nullopt);
   EXPECT_EQ(1u, resolver->GetNumActiveRequestsForTesting());
 
   TestCompletionCallback callback;
@@ -133,6 +152,29 @@ TEST_F(ContextHostResolverTest, DestroyRequest) {
   EXPECT_EQ(0u, resolver->GetNumActiveRequestsForTesting());
 }
 
+TEST_F(ContextHostResolverTest, DohProbeRequest) {
+  // Set empty MockDnsClient rules to ensure DnsClient is mocked out.
+  MockDnsClientRuleList rules;
+  SetMockDnsRules(std::move(rules));
+
+  URLRequestContext context;
+  auto resolver = std::make_unique<ContextHostResolver>(
+      manager_.get(), HostCache::CreateDefaultCache());
+  resolver->SetRequestContext(&context);
+
+  std::unique_ptr<HostResolver::ProbeRequest> request =
+      resolver->CreateDohProbeRequest();
+
+  ASSERT_FALSE(dns_client_->factory()->doh_probes_running());
+
+  EXPECT_THAT(request->Start(), test::IsError(ERR_IO_PENDING));
+  EXPECT_TRUE(dns_client_->factory()->doh_probes_running());
+
+  request.reset();
+
+  EXPECT_FALSE(dns_client_->factory()->doh_probes_running());
+}
+
 // Test that cancelling a resolver cancels its (and only its) requests.
 TEST_F(ContextHostResolverTest, DestroyResolver) {
   // Set up delayed results for "example.com" and "google.com".
@@ -157,12 +199,14 @@ TEST_F(ContextHostResolverTest, DestroyResolver) {
       manager_.get(), nullptr /* host_cache */);
   std::unique_ptr<HostResolver::ResolveHostRequest> request1 =
       resolver1->CreateRequest(HostPortPair("example.com", 100),
-                               NetLogWithSource(), base::nullopt);
+                               NetworkIsolationKey(), NetLogWithSource(),
+                               base::nullopt);
   auto resolver2 = std::make_unique<ContextHostResolver>(
       manager_.get(), nullptr /* host_cache */);
   std::unique_ptr<HostResolver::ResolveHostRequest> request2 =
       resolver2->CreateRequest(HostPortPair("google.com", 100),
-                               NetLogWithSource(), base::nullopt);
+                               NetworkIsolationKey(), NetLogWithSource(),
+                               base::nullopt);
 
   TestCompletionCallback callback1;
   int rv1 = request1->Start(callback1.callback());
@@ -204,12 +248,14 @@ TEST_F(ContextHostResolverTest, DestroyResolver_RemainingRequests) {
       manager_.get(), nullptr /* host_cache */);
   std::unique_ptr<HostResolver::ResolveHostRequest> request1 =
       resolver1->CreateRequest(HostPortPair("example.com", 100),
-                               NetLogWithSource(), base::nullopt);
+                               NetworkIsolationKey(), NetLogWithSource(),
+                               base::nullopt);
   auto resolver2 = std::make_unique<ContextHostResolver>(
       manager_.get(), nullptr /* host_cache */);
   std::unique_ptr<HostResolver::ResolveHostRequest> request2 =
       resolver2->CreateRequest(HostPortPair("example.com", 100),
-                               NetLogWithSource(), base::nullopt);
+                               NetworkIsolationKey(), NetLogWithSource(),
+                               base::nullopt);
 
   TestCompletionCallback callback1;
   int rv1 = request1->Start(callback1.callback());
@@ -224,6 +270,7 @@ TEST_F(ContextHostResolverTest, DestroyResolver_RemainingRequests) {
   dns_client_->CompleteDelayedTransactions();
 
   EXPECT_THAT(callback2.GetResult(rv2), test::IsOk());
+  EXPECT_THAT(request2->GetResolveErrorInfo().error, test::IsError(net::OK));
   EXPECT_THAT(request2->GetAddressResults().value().endpoints(),
               testing::ElementsAre(kEndpoint));
 
@@ -248,7 +295,8 @@ TEST_F(ContextHostResolverTest, DestroyResolver_CompletedRequests) {
       manager_.get(), nullptr /* host_cache */);
   std::unique_ptr<HostResolver::ResolveHostRequest> request =
       resolver->CreateRequest(HostPortPair("example.com", 100),
-                              NetLogWithSource(), base::nullopt);
+                              NetworkIsolationKey(), NetLogWithSource(),
+                              base::nullopt);
 
   // Complete request and then destroy the resolver.
   TestCompletionCallback callback;
@@ -257,10 +305,32 @@ TEST_F(ContextHostResolverTest, DestroyResolver_CompletedRequests) {
   resolver = nullptr;
 
   // Expect completed results are still available.
+  EXPECT_THAT(request->GetResolveErrorInfo().error, test::IsError(net::OK));
   EXPECT_THAT(request->GetAddressResults().value().endpoints(),
               testing::ElementsAre(kEndpoint));
 }
 
+TEST_F(ContextHostResolverTest, DestroyResolver_DohProbeRequest) {
+  // Set empty MockDnsClient rules to ensure DnsClient is mocked out.
+  MockDnsClientRuleList rules;
+  SetMockDnsRules(std::move(rules));
+
+  URLRequestContext context;
+  auto resolver = std::make_unique<ContextHostResolver>(
+      manager_.get(), nullptr /* host_cache */);
+  resolver->SetRequestContext(&context);
+
+  std::unique_ptr<HostResolver::ProbeRequest> request =
+      resolver->CreateDohProbeRequest();
+
+  request->Start();
+  ASSERT_TRUE(dns_client_->factory()->doh_probes_running());
+
+  resolver.reset();
+
+  EXPECT_FALSE(dns_client_->factory()->doh_probes_running());
+}
+
 // Test a request created before resolver destruction but not yet started.
 TEST_F(ContextHostResolverTest, DestroyResolver_DelayedStartRequest) {
   // Set up delayed result for "example.com".
@@ -277,17 +347,38 @@ TEST_F(ContextHostResolverTest, DestroyResolver_DelayedStartRequest) {
       manager_.get(), nullptr /* host_cache */);
   std::unique_ptr<HostResolver::ResolveHostRequest> request =
       resolver->CreateRequest(HostPortPair("example.com", 100),
-                              NetLogWithSource(), base::nullopt);
+                              NetworkIsolationKey(), NetLogWithSource(),
+                              base::nullopt);
 
   resolver = nullptr;
 
   TestCompletionCallback callback;
   int rv = request->Start(callback.callback());
 
-  EXPECT_THAT(callback.GetResult(rv), test::IsError(ERR_FAILED));
+  EXPECT_THAT(callback.GetResult(rv), test::IsError(ERR_NAME_NOT_RESOLVED));
+  EXPECT_THAT(request->GetResolveErrorInfo().error, test::IsError(ERR_FAILED));
   EXPECT_FALSE(request->GetAddressResults());
 }
 
+TEST_F(ContextHostResolverTest, DestroyResolver_DelayedStartDohProbeRequest) {
+  // Set empty MockDnsClient rules to ensure DnsClient is mocked out.
+  MockDnsClientRuleList rules;
+  SetMockDnsRules(std::move(rules));
+
+  URLRequestContext context;
+  auto resolver = std::make_unique<ContextHostResolver>(
+      manager_.get(), nullptr /* host_cache */);
+  resolver->SetRequestContext(&context);
+
+  std::unique_ptr<HostResolver::ProbeRequest> request =
+      resolver->CreateDohProbeRequest();
+
+  resolver = nullptr;
+
+  EXPECT_THAT(request->Start(), test::IsError(ERR_FAILED));
+  EXPECT_FALSE(dns_client_->factory()->doh_probes_running());
+}
+
 TEST_F(ContextHostResolverTest, OnShutdown_PendingRequest) {
   // Set up delayed result for "example.com".
   MockDnsClientRuleList rules;
@@ -306,7 +397,8 @@ TEST_F(ContextHostResolverTest, OnShutdown_PendingRequest) {
   resolver->SetRequestContext(&context);
   std::unique_ptr<HostResolver::ResolveHostRequest> request =
       resolver->CreateRequest(HostPortPair("example.com", 100),
-                              NetLogWithSource(), base::nullopt);
+                              NetworkIsolationKey(), NetLogWithSource(),
+                              base::nullopt);
 
   TestCompletionCallback callback;
   int rv = request->Start(callback.callback());
@@ -321,6 +413,27 @@ TEST_F(ContextHostResolverTest, OnShutdown_PendingRequest) {
   EXPECT_FALSE(callback.have_result());
 }
 
+TEST_F(ContextHostResolverTest, OnShutdown_DohProbeRequest) {
+  // Set empty MockDnsClient rules to ensure DnsClient is mocked out.
+  MockDnsClientRuleList rules;
+  SetMockDnsRules(std::move(rules));
+
+  URLRequestContext context;
+  auto resolver = std::make_unique<ContextHostResolver>(
+      manager_.get(), nullptr /* host_cache */);
+  resolver->SetRequestContext(&context);
+
+  std::unique_ptr<HostResolver::ProbeRequest> request =
+      resolver->CreateDohProbeRequest();
+
+  request->Start();
+  ASSERT_TRUE(dns_client_->factory()->doh_probes_running());
+
+  resolver->OnShutdown();
+
+  EXPECT_FALSE(dns_client_->factory()->doh_probes_running());
+}
+
 TEST_F(ContextHostResolverTest, OnShutdown_CompletedRequests) {
   MockDnsClientRuleList rules;
   rules.emplace_back("example.com", dns_protocol::kTypeA, false /* secure */,
@@ -338,7 +451,8 @@ TEST_F(ContextHostResolverTest, OnShutdown_CompletedRequests) {
   resolver->SetRequestContext(&context);
   std::unique_ptr<HostResolver::ResolveHostRequest> request =
       resolver->CreateRequest(HostPortPair("example.com", 100),
-                              NetLogWithSource(), base::nullopt);
+                              NetworkIsolationKey(), NetLogWithSource(),
+                              base::nullopt);
 
   // Complete request and then shutdown the resolver.
   TestCompletionCallback callback;
@@ -347,6 +461,7 @@ TEST_F(ContextHostResolverTest, OnShutdown_CompletedRequests) {
   resolver->OnShutdown();
 
   // Expect completed results are still available.
+  EXPECT_THAT(request->GetResolveErrorInfo().error, test::IsError(net::OK));
   EXPECT_THAT(request->GetAddressResults().value().endpoints(),
               testing::ElementsAre(kEndpoint));
 }
@@ -360,22 +475,46 @@ TEST_F(ContextHostResolverTest, OnShutdown_SubsequentRequests) {
 
   std::unique_ptr<HostResolver::ResolveHostRequest> request1 =
       resolver->CreateRequest(HostPortPair("example.com", 100),
-                              NetLogWithSource(), base::nullopt);
+                              NetworkIsolationKey(), NetLogWithSource(),
+                              base::nullopt);
   std::unique_ptr<HostResolver::ResolveHostRequest> request2 =
       resolver->CreateRequest(HostPortPair("127.0.0.1", 100),
-                              NetLogWithSource(), base::nullopt);
+                              NetworkIsolationKey(), NetLogWithSource(),
+                              base::nullopt);
 
   TestCompletionCallback callback1;
   int rv1 = request1->Start(callback1.callback());
   TestCompletionCallback callback2;
   int rv2 = request2->Start(callback2.callback());
 
-  EXPECT_THAT(callback1.GetResult(rv1), test::IsError(ERR_CONTEXT_SHUT_DOWN));
+  EXPECT_THAT(callback1.GetResult(rv1), test::IsError(ERR_NAME_NOT_RESOLVED));
+  EXPECT_THAT(request1->GetResolveErrorInfo().error,
+              test::IsError(ERR_CONTEXT_SHUT_DOWN));
   EXPECT_FALSE(request1->GetAddressResults());
-  EXPECT_THAT(callback2.GetResult(rv2), test::IsError(ERR_CONTEXT_SHUT_DOWN));
+  EXPECT_THAT(callback2.GetResult(rv2), test::IsError(ERR_NAME_NOT_RESOLVED));
+  EXPECT_THAT(request2->GetResolveErrorInfo().error,
+              test::IsError(ERR_CONTEXT_SHUT_DOWN));
   EXPECT_FALSE(request2->GetAddressResults());
 }
 
+TEST_F(ContextHostResolverTest, OnShutdown_SubsequentDohProbeRequest) {
+  // Set empty MockDnsClient rules to ensure DnsClient is mocked out.
+  MockDnsClientRuleList rules;
+  SetMockDnsRules(std::move(rules));
+
+  URLRequestContext context;
+  auto resolver = std::make_unique<ContextHostResolver>(
+      manager_.get(), nullptr /* host_cache */);
+  resolver->SetRequestContext(&context);
+  resolver->OnShutdown();
+
+  std::unique_ptr<HostResolver::ProbeRequest> request =
+      resolver->CreateDohProbeRequest();
+
+  EXPECT_THAT(request->Start(), test::IsError(ERR_CONTEXT_SHUT_DOWN));
+  EXPECT_FALSE(dns_client_->factory()->doh_probes_running());
+}
+
 // Test a request created before shutdown but not yet started.
 TEST_F(ContextHostResolverTest, OnShutdown_DelayedStartRequest) {
   // Set up delayed result for "example.com".
@@ -394,29 +533,51 @@ TEST_F(ContextHostResolverTest, OnShutdown_DelayedStartRequest) {
   resolver->SetRequestContext(&context);
   std::unique_ptr<HostResolver::ResolveHostRequest> request =
       resolver->CreateRequest(HostPortPair("example.com", 100),
-                              NetLogWithSource(), base::nullopt);
+                              NetworkIsolationKey(), NetLogWithSource(),
+                              base::nullopt);
 
   resolver->OnShutdown();
 
   TestCompletionCallback callback;
   int rv = request->Start(callback.callback());
 
-  EXPECT_THAT(callback.GetResult(rv), test::IsError(ERR_CONTEXT_SHUT_DOWN));
+  EXPECT_THAT(callback.GetResult(rv), test::IsError(ERR_NAME_NOT_RESOLVED));
+  EXPECT_THAT(request->GetResolveErrorInfo().error,
+              test::IsError(ERR_CONTEXT_SHUT_DOWN));
   EXPECT_FALSE(request->GetAddressResults());
 }
 
+TEST_F(ContextHostResolverTest, OnShutdown_DelayedStartDohProbeRequest) {
+  // Set empty MockDnsClient rules to ensure DnsClient is mocked out.
+  MockDnsClientRuleList rules;
+  SetMockDnsRules(std::move(rules));
+
+  URLRequestContext context;
+  auto resolver = std::make_unique<ContextHostResolver>(
+      manager_.get(), nullptr /* host_cache */);
+  resolver->SetRequestContext(&context);
+
+  std::unique_ptr<HostResolver::ProbeRequest> request =
+      resolver->CreateDohProbeRequest();
+
+  resolver->OnShutdown();
+
+  EXPECT_THAT(request->Start(), test::IsError(ERR_CONTEXT_SHUT_DOWN));
+  EXPECT_FALSE(dns_client_->factory()->doh_probes_running());
+}
+
 TEST_F(ContextHostResolverTest, ResolveFromCache) {
   base::SimpleTestTickClock clock;
   clock.Advance(base::TimeDelta::FromDays(62));  // Arbitrary non-zero time.
 
   AddressList expected(kEndpoint);
   std::unique_ptr<HostCache> cache = HostCache::CreateDefaultCache();
-  cache->Set(
-      HostCache::Key("example.com", DnsQueryType::UNSPECIFIED,
-                     0 /* host_resolver_flags */, HostResolverSource::ANY),
-      HostCache::Entry(OK, expected, HostCache::Entry::SOURCE_DNS,
-                       base::TimeDelta::FromDays(1)),
-      clock.NowTicks(), base::TimeDelta::FromDays(1));
+  cache->Set(HostCache::Key("example.com", DnsQueryType::UNSPECIFIED,
+                            0 /* host_resolver_flags */,
+                            HostResolverSource::ANY, NetworkIsolationKey()),
+             HostCache::Entry(OK, expected, HostCache::Entry::SOURCE_DNS,
+                              base::TimeDelta::FromDays(1)),
+             clock.NowTicks(), base::TimeDelta::FromDays(1));
 
   auto resolver =
       std::make_unique<ContextHostResolver>(manager_.get(), std::move(cache));
@@ -430,11 +591,13 @@ TEST_F(ContextHostResolverTest, ResolveFromCache) {
       HostResolver::ResolveHostParameters::CacheUsage::STALE_ALLOWED;
   std::unique_ptr<HostResolver::ResolveHostRequest> request =
       resolver->CreateRequest(HostPortPair("example.com", 100),
-                              NetLogWithSource(), parameters);
+                              NetworkIsolationKey(), NetLogWithSource(),
+                              parameters);
 
   TestCompletionCallback callback;
   int rv = request->Start(callback.callback());
   EXPECT_THAT(callback.GetResult(rv), test::IsOk());
+  EXPECT_THAT(request->GetResolveErrorInfo().error, test::IsError(net::OK));
   EXPECT_THAT(request->GetAddressResults().value().endpoints(),
               testing::ElementsAre(kEndpoint));
   ASSERT_TRUE(request->GetStaleInfo());
@@ -458,7 +621,8 @@ TEST_F(ContextHostResolverTest, ResultsAddedToCache) {
 
   std::unique_ptr<HostResolver::ResolveHostRequest> caching_request =
       resolver->CreateRequest(HostPortPair("example.com", 103),
-                              NetLogWithSource(), base::nullopt);
+                              NetworkIsolationKey(), NetLogWithSource(),
+                              base::nullopt);
   TestCompletionCallback caching_callback;
   int rv = caching_request->Start(caching_callback.callback());
   EXPECT_THAT(caching_callback.GetResult(rv), test::IsOk());
@@ -467,15 +631,62 @@ TEST_F(ContextHostResolverTest, ResultsAddedToCache) {
   local_resolve_parameters.source = HostResolverSource::LOCAL_ONLY;
   std::unique_ptr<HostResolver::ResolveHostRequest> cached_request =
       resolver->CreateRequest(HostPortPair("example.com", 100),
-                              NetLogWithSource(), local_resolve_parameters);
+                              NetworkIsolationKey(), NetLogWithSource(),
+                              local_resolve_parameters);
 
   TestCompletionCallback callback;
   rv = cached_request->Start(callback.callback());
   EXPECT_THAT(callback.GetResult(rv), test::IsOk());
+  EXPECT_THAT(cached_request->GetResolveErrorInfo().error,
+              test::IsError(net::OK));
   EXPECT_THAT(cached_request->GetAddressResults().value().endpoints(),
               testing::ElementsAre(kEndpoint));
 }
 
+// Do a lookup with a NetworkIsolationKey, and then make sure the entry added to
+// the cache is in fact using that NetworkIsolationKey.
+TEST_F(ContextHostResolverTest, ResultsAddedToCacheWithNetworkIsolationKey) {
+  const url::Origin kOrigin = url::Origin::Create(GURL("https://origin.test/"));
+  const NetworkIsolationKey kNetworkIsolationKey(kOrigin, kOrigin);
+
+  base::test::ScopedFeatureList feature_list;
+  feature_list.InitAndEnableFeature(
+      features::kSplitHostCacheByNetworkIsolationKey);
+
+  MockDnsClientRuleList rules;
+  rules.emplace_back("example.com", dns_protocol::kTypeA, false /* secure */,
+                     MockDnsClientRule::Result(BuildTestDnsResponse(
+                         "example.com", kEndpoint.address())),
+                     false /* delay */);
+  rules.emplace_back("example.com", dns_protocol::kTypeAAAA, false /* secure */,
+                     MockDnsClientRule::Result(MockDnsClientRule::EMPTY),
+                     false /* delay */);
+  SetMockDnsRules(std::move(rules));
+
+  auto resolver = std::make_unique<ContextHostResolver>(
+      manager_.get(), HostCache::CreateDefaultCache());
+
+  std::unique_ptr<HostResolver::ResolveHostRequest> caching_request =
+      resolver->CreateRequest(HostPortPair("example.com", 103),
+                              kNetworkIsolationKey, NetLogWithSource(),
+                              base::nullopt);
+  TestCompletionCallback caching_callback;
+  int rv = caching_request->Start(caching_callback.callback());
+  EXPECT_THAT(caching_callback.GetResult(rv), test::IsOk());
+
+  HostCache::Key cache_key("example.com", DnsQueryType::UNSPECIFIED,
+                           0 /* host_resolver_flags */, HostResolverSource::ANY,
+                           kNetworkIsolationKey);
+  EXPECT_TRUE(
+      resolver->GetHostCache()->Lookup(cache_key, base::TimeTicks::Now()));
+
+  HostCache::Key cache_key_with_empty_nik(
+      "example.com", DnsQueryType::UNSPECIFIED, 0 /* host_resolver_flags */,
+      HostResolverSource::ANY, NetworkIsolationKey());
+  EXPECT_FALSE(resolver->GetHostCache()->Lookup(cache_key_with_empty_nik,
+                                                base::TimeTicks::Now()));
+}
+
 // Test HostCacheInvalidator that counts number of requested invalidations.
 class TrackingHostCacheInvalidator : public HostCache::Invalidator {
  public:
diff --git a/chromium/net/dns/dns_client.cc b/chromium/net/dns/dns_client.cc
index 9155d7c7ff8..2eda63116d1 100644
--- a/chromium/net/dns/dns_client.cc
+++ b/chromium/net/dns/dns_client.cc
@@ -10,7 +10,6 @@
 #include "base/metrics/field_trial.h"
 #include "base/metrics/histogram_macros.h"
 #include "base/rand_util.h"
-#include "base/timer/timer.h"
 #include "base/values.h"
 #include "net/dns/address_sorter.h"
 #include "net/dns/dns_session.h"
@@ -86,15 +85,10 @@ class DnsClientImpl : public DnsClient,
   DnsClientImpl(NetLog* net_log,
                 ClientSocketFactory* socket_factory,
                 const RandIntCallback& rand_int_callback)
-      : probes_allowed_(false),
-        url_request_context_for_probes_(nullptr),
-        net_log_(net_log),
+      : net_log_(net_log),
         socket_factory_(socket_factory),
         rand_int_callback_(rand_int_callback) {
     NetworkChangeNotifier::AddConnectionTypeObserver(this);
-    delayed_probes_allowed_timer_.Start(
-        FROM_HERE, kInitialDohTimeout,
-        base::Bind(&DnsClientImpl::SetProbesAllowed, base::Unretained(this)));
   }
 
   ~DnsClientImpl() override {
@@ -161,21 +155,20 @@ class DnsClientImpl : public DnsClient,
     return &config->hosts;
   }
 
-  void SetRequestContextForProbes(
-      URLRequestContext* url_request_context) override {
+  void ActivateDohProbes(URLRequestContext* url_request_context) override {
     DCHECK(url_request_context);
-    DCHECK(!url_request_context_for_probes_ ||
-           url_request_context == url_request_context_for_probes_);
+    DCHECK(!url_request_context_for_probes_);
 
     url_request_context_for_probes_ = url_request_context;
+    StartDohProbes(false /* network_change */);
   }
 
-  void CancelProbesForContext(URLRequestContext* url_request_context) override {
-    if (url_request_context_for_probes_ != url_request_context || !factory_)
-      return;
+  void CancelDohProbes() override {
+    DCHECK(url_request_context_for_probes_);
+
+    if (factory_)
+      factory_->CancelDohProbes();
 
-    factory_->CancelDohProbes();
-    delayed_probes_start_timer_.Stop();
     url_request_context_for_probes_ = nullptr;
   }
 
@@ -210,10 +203,6 @@ class DnsClientImpl : public DnsClient,
     factory_ = std::move(factory);
   }
 
-  void StartDohProbesForTesting() override {
-    StartDohProbes(false /* network_change */);
-  }
-
  private:
   base::Optional<DnsConfig> BuildEffectiveConfig() const {
     DnsConfig config;
@@ -286,23 +275,12 @@ class DnsClientImpl : public DnsClient,
   }
 
   void StartDohProbes(bool network_change) {
-    if (!url_request_context_for_probes_)
+    if (!url_request_context_for_probes_ || !factory_)
       return;
 
-    if (probes_allowed_) {
-      delayed_probes_start_timer_.Stop();
-      factory_->StartDohProbes(url_request_context_for_probes_, network_change);
-    } else {
-      delayed_probes_start_timer_.Start(
-          FROM_HERE, delayed_probes_allowed_timer_.GetCurrentDelay(),
-          base::BindOnce(&DnsTransactionFactory::StartDohProbes,
-                         factory_->weak_factory_.GetWeakPtr(),
-                         url_request_context_for_probes_, network_change));
-    }
+    factory_->StartDohProbes(url_request_context_for_probes_, network_change);
   }
 
-  void SetProbesAllowed() { probes_allowed_ = true; }
-
   bool insecure_enabled_ = false;
   int insecure_fallback_failures_ = 0;
 
@@ -313,12 +291,7 @@ class DnsClientImpl : public DnsClient,
   std::unique_ptr<DnsTransactionFactory> factory_;
   std::unique_ptr<AddressSorter> address_sorter_ =
       AddressSorter::CreateAddressSorter();
-  // Probes are not allowed until some amount of time has passed in order to
-  // prevent interference with startup tasks.
-  bool probes_allowed_;
-  base::OneShotTimer delayed_probes_allowed_timer_;
-  base::OneShotTimer delayed_probes_start_timer_;
-  URLRequestContext* url_request_context_for_probes_;
+  URLRequestContext* url_request_context_for_probes_ = nullptr;
 
   NetLog* net_log_;
 
@@ -331,10 +304,6 @@ class DnsClientImpl : public DnsClient,
 }  // namespace
 
 // static
-const base::TimeDelta DnsClient::kInitialDohTimeout =
-    base::TimeDelta::FromSeconds(5);
-
-// static
 std::unique_ptr<DnsClient> DnsClient::CreateClient(NetLog* net_log) {
   return std::make_unique<DnsClientImpl>(
       net_log, ClientSocketFactory::GetDefaultFactory(),
diff --git a/chromium/net/dns/dns_client.h b/chromium/net/dns/dns_client.h
index 4eae6e2f9b7..c93164bb974 100644
--- a/chromium/net/dns/dns_client.h
+++ b/chromium/net/dns/dns_client.h
@@ -29,7 +29,6 @@ class NetLog;
 class NET_EXPORT DnsClient {
  public:
   static const int kMaxInsecureFallbackFailures = 16;
-  static const base::TimeDelta kInitialDohTimeout;
 
   virtual ~DnsClient() {}
 
@@ -65,12 +64,11 @@ class NET_EXPORT DnsClient {
   virtual const DnsConfig* GetEffectiveConfig() const = 0;
   virtual const DnsHosts* GetHosts() const = 0;
 
-  // Sets the URLRequestContext to use for issuing DoH probes.
-  virtual void SetRequestContextForProbes(
-      URLRequestContext* url_request_context) = 0;
-
-  virtual void CancelProbesForContext(
-      URLRequestContext* url_request_context) = 0;
+  // Enables DoH probes to be sent using |url_request_context| whenever the DNS
+  // configuration contains DoH servers. Currently only allows one probe
+  // activation at a time. Must be cancelled before activating another.
+  virtual void ActivateDohProbes(URLRequestContext* url_request_context) = 0;
+  virtual void CancelDohProbes() = 0;
 
   // Returns null if the current config is not valid.
   virtual DnsTransactionFactory* GetTransactionFactory() = 0;
@@ -87,7 +85,6 @@ class NET_EXPORT DnsClient {
 
   virtual void SetTransactionFactoryForTesting(
       std::unique_ptr<DnsTransactionFactory> factory) = 0;
-  virtual void StartDohProbesForTesting() = 0;
 
   // Creates default client.
   static std::unique_ptr<DnsClient> CreateClient(NetLog* net_log);
diff --git a/chromium/net/dns/dns_client_unittest.cc b/chromium/net/dns/dns_client_unittest.cc
index b1b9a69c9f5..2fc0ffefbd3 100644
--- a/chromium/net/dns/dns_client_unittest.cc
+++ b/chromium/net/dns/dns_client_unittest.cc
@@ -246,43 +246,40 @@ TEST_F(DnsClientTest, OverrideToInvalid) {
   EXPECT_FALSE(client_->GetEffectiveConfig());
 }
 
-TEST_F(DnsClientTest, DohProbes) {
-  URLRequestContext context;
-  client_->SetRequestContextForProbes(&context);
-
+TEST_F(DnsClientTest, ActivateDohProbes) {
   client_->SetSystemConfig(ValidConfigWithDoh());
   auto transaction_factory =
       std::make_unique<MockDnsTransactionFactory>(MockDnsClientRuleList());
   auto* transaction_factory_ptr = transaction_factory.get();
   client_->SetTransactionFactoryForTesting(std::move(transaction_factory));
 
-  client_->StartDohProbesForTesting();
-  EXPECT_FALSE(transaction_factory_ptr->doh_probes_running());
-  FastForwardBy(DnsClient::kInitialDohTimeout);
-  EXPECT_TRUE(transaction_factory_ptr->doh_probes_running());
-}
+  ASSERT_FALSE(transaction_factory_ptr->doh_probes_running());
 
-TEST_F(DnsClientTest, CancelDohProbesBeforeEnabled) {
   URLRequestContext context;
-  client_->SetRequestContextForProbes(&context);
+  client_->ActivateDohProbes(&context);
+  EXPECT_TRUE(transaction_factory_ptr->doh_probes_running());
+}
 
+TEST_F(DnsClientTest, CancelDohProbes) {
   client_->SetSystemConfig(ValidConfigWithDoh());
   auto transaction_factory =
       std::make_unique<MockDnsTransactionFactory>(MockDnsClientRuleList());
   auto* transaction_factory_ptr = transaction_factory.get();
   client_->SetTransactionFactoryForTesting(std::move(transaction_factory));
 
-  client_->StartDohProbesForTesting();
-  EXPECT_FALSE(transaction_factory_ptr->doh_probes_running());
-  client_->CancelProbesForContext(&context);
+  URLRequestContext context;
+  client_->ActivateDohProbes(&context);
 
-  FastForwardUntilNoTasksRemain();
+  ASSERT_TRUE(transaction_factory_ptr->doh_probes_running());
+
+  client_->CancelDohProbes();
   EXPECT_FALSE(transaction_factory_ptr->doh_probes_running());
 }
 
-TEST_F(DnsClientTest, CancelDohProbesAfterEnabled) {
+TEST_F(DnsClientTest, CancelDohProbes_BeforeConfig) {
   URLRequestContext context;
-  client_->SetRequestContextForProbes(&context);
+  client_->ActivateDohProbes(&context);
+  client_->CancelDohProbes();
 
   client_->SetSystemConfig(ValidConfigWithDoh());
   auto transaction_factory =
@@ -290,11 +287,6 @@ TEST_F(DnsClientTest, CancelDohProbesAfterEnabled) {
   auto* transaction_factory_ptr = transaction_factory.get();
   client_->SetTransactionFactoryForTesting(std::move(transaction_factory));
 
-  client_->StartDohProbesForTesting();
-  FastForwardUntilNoTasksRemain();
-  EXPECT_TRUE(transaction_factory_ptr->doh_probes_running());
-
-  client_->CancelProbesForContext(&context);
   EXPECT_FALSE(transaction_factory_ptr->doh_probes_running());
 }
 
diff --git a/chromium/net/dns/dns_session_unittest.cc b/chromium/net/dns/dns_session_unittest.cc
index 2e898c7f648..ad612c49581 100644
--- a/chromium/net/dns/dns_session_unittest.cc
+++ b/chromium/net/dns/dns_session_unittest.cc
@@ -303,8 +303,6 @@ class TestDnsObserver : public NetworkChangeNotifier::DNSObserver {
  public:
   void OnDNSChanged() override { ++dns_changed_calls_; }
 
-  void OnInitialDNSConfigRead() override { ++dns_changed_calls_; }
-
   int dns_changed_calls() const { return dns_changed_calls_; }
 
  private:
diff --git a/chromium/net/dns/dns_test_util.cc b/chromium/net/dns/dns_test_util.cc
index 5460db1c83a..e41fe81287d 100644
--- a/chromium/net/dns/dns_test_util.cc
+++ b/chromium/net/dns/dns_test_util.cc
@@ -65,20 +65,6 @@ class MockAddressSorter : public AddressSorter {
   }
 };
 
-DnsResourceRecord BuildAddressRecord(std::string name, const IPAddress& ip) {
-  DCHECK(!name.empty());
-  DCHECK(ip.IsValid());
-
-  DnsResourceRecord record;
-  record.name = std::move(name);
-  record.type = ip.IsIPv4() ? dns_protocol::kTypeA : dns_protocol::kTypeAAAA;
-  record.klass = dns_protocol::kClassIN;
-  record.ttl = base::TimeDelta::FromDays(1).InSeconds();
-  record.SetOwnedRdata(net::IPAddressToPackedString(ip));
-
-  return record;
-}
-
 DnsResourceRecord BuildCannonnameRecord(std::string name,
                                         std::string cannonname) {
   DCHECK(!name.empty());
@@ -178,13 +164,125 @@ DnsResourceRecord BuildServiceRecord(std::string name,
   return record;
 }
 
+void AppendU16LengthPrefixed(base::StringPiece in, std::string* out) {
+  DCHECK(out);
+  char buf[2];
+  base::WriteBigEndian(buf, base::checked_cast<uint16_t>(in.size()));
+  out->append(buf, 2);
+  out->insert(out->end(), in.begin(), in.end());
+}
+
+// Builds an ESNI (TLS 1.3 Encrypted Server Name Indication, draft 4) record.
+//
+// An ESNI record associates an "ESNI key object" (an opaque string used
+// by the TLS library) with a collection of IP addresses.
+DnsResourceRecord BuildEsniRecord(std::string name, EsniContent esni_content) {
+  DCHECK(!name.empty());
+
+  DnsResourceRecord record;
+  record.name = std::move(name);
+  record.type = dns_protocol::kExperimentalTypeEsniDraft4;
+  record.klass = dns_protocol::kClassIN;
+  record.ttl = base::TimeDelta::FromDays(1).InSeconds();
+
+  std::string rdata;
+
+  // An esni_content struct corresponding to a single record
+  // should have exactly one key object, along with zero or more addresses
+  // corresponding to the key object.
+  DCHECK_EQ(esni_content.keys().size(), 1u);
+  rdata += *esni_content.keys().begin();
+
+  if (esni_content.keys_for_addresses().empty()) {
+    // No addresses: leave the "dns_extensions" field of the
+    // ESNI record empty and conclude the rdata with the
+    // "dns_extensions" field's length prefix (two zero bytes).
+    rdata.push_back(0);
+    rdata.push_back(0);
+    record.SetOwnedRdata(std::move(rdata));
+    return record;
+  }
+
+  // When the "dns_extensions" field of a draft-4 ESNI record is nonempty,
+  // it stores an IP addresses: more specifically, it contains
+  // - a 16-bit length prefix,
+  // - the 16-bit "extension type" label of the single address_set
+  // extension (the only type of extension) contained in the extensions object,
+  // - a 16-bit length prefix for the address_set extension's contents, and
+  // - the contents of the address_set extension, which is just a list
+  // of type-prefixed network-order IP addresses.
+  //
+  // (See the draft spec for the complete definition.)
+  std::string dns_extensions;
+
+  std::string address_set;
+  char buf[2];
+  base::WriteBigEndian(buf, EsniRecordRdata::kAddressSetExtensionType);
+  address_set.append(buf, 2);
+
+  std::string serialized_addresses;
+  for (const auto& kv : esni_content.keys_for_addresses()) {
+    IPAddress address = kv.first;
+
+    uint8_t address_type = address.IsIPv4() ? 4 : 6;
+    serialized_addresses.push_back(address_type);
+    serialized_addresses.insert(serialized_addresses.end(),
+                                address.bytes().begin(), address.bytes().end());
+  }
+
+  AppendU16LengthPrefixed(serialized_addresses, &address_set);
+  AppendU16LengthPrefixed(address_set, &dns_extensions);
+  rdata.append(dns_extensions);
+
+  record.SetOwnedRdata(std::move(rdata));
+  return record;
+}
+
 }  // namespace
 
+DnsResourceRecord BuildTestAddressRecord(std::string name,
+                                         const IPAddress& ip) {
+  DCHECK(!name.empty());
+  DCHECK(ip.IsValid());
+
+  DnsResourceRecord record;
+  record.name = std::move(name);
+  record.type = ip.IsIPv4() ? dns_protocol::kTypeA : dns_protocol::kTypeAAAA;
+  record.klass = dns_protocol::kClassIN;
+  record.ttl = base::TimeDelta::FromDays(1).InSeconds();
+  record.SetOwnedRdata(net::IPAddressToPackedString(ip));
+
+  return record;
+}
+
+const char kWellFormedEsniKeys[] = {
+    0xff, 0x3,  0x0,  0x1,  0xff, 0x0,  0x24, 0x0,  0x1d, 0x0,  0x20,
+    0xed, 0xed, 0xc8, 0x68, 0xc1, 0x71, 0xd6, 0x9e, 0xa9, 0xf0, 0xa2,
+    0xc9, 0xf5, 0xa9, 0xdc, 0xcf, 0xf9, 0xb8, 0xed, 0x15, 0x5c, 0xc4,
+    0x5a, 0xec, 0x6f, 0xb2, 0x86, 0x14, 0xb7, 0x71, 0x1b, 0x7c, 0x0,
+    0x2,  0x13, 0x1,  0x1,  0x4,  0x0,  0x0};
+const size_t kWellFormedEsniKeysSize = sizeof(kWellFormedEsniKeys);
+
+std::string GenerateWellFormedEsniKeys(base::StringPiece custom_data) {
+  std::string well_formed_esni_keys(kWellFormedEsniKeys,
+                                    kWellFormedEsniKeysSize);
+  // Dead-reckon to the first byte after ESNIKeys.keys.group (0x001d).
+  //
+  // Overwrite at most 0x22 bytes: this is the length of the "keys" field
+  // in the example struct (0x0024, specified as a 16-bit big-endian value
+  // by the index-5 and index-6 bytes), minus 2 because the 0x0, 0x1d bytes
+  // will not be overwritten.
+  custom_data = custom_data.substr(0, 0x22);
+  std::copy(custom_data.begin(), custom_data.end(),
+            well_formed_esni_keys.begin() + 9);
+  return well_formed_esni_keys;
+}
+
 std::unique_ptr<DnsResponse> BuildTestDnsResponse(std::string name,
                                                   const IPAddress& ip) {
   DCHECK(ip.IsValid());
 
-  std::vector<DnsResourceRecord> answers = {BuildAddressRecord(name, ip)};
+  std::vector<DnsResourceRecord> answers = {BuildTestAddressRecord(name, ip)};
   std::string dns_name;
   CHECK(DNSDomainFromDot(name, &dns_name));
   base::Optional<DnsQuery> query(
@@ -205,7 +303,7 @@ std::unique_ptr<DnsResponse> BuildTestDnsResponseWithCname(
 
   std::vector<DnsResourceRecord> answers = {
       BuildCannonnameRecord(name, cannonname),
-      BuildAddressRecord(cannonname, ip)};
+      BuildTestAddressRecord(cannonname, ip)};
   std::string dns_name;
   CHECK(DNSDomainFromDot(name, &dns_name));
   base::Optional<DnsQuery> query(
@@ -287,6 +385,30 @@ std::unique_ptr<DnsResponse> BuildTestDnsServiceResponse(
       std::vector<DnsResourceRecord>() /* additional_records */, query);
 }
 
+std::unique_ptr<DnsResponse> BuildTestDnsEsniResponse(
+    std::string hostname,
+    std::vector<EsniContent> esni_records,
+    std::string answer_name) {
+  if (answer_name.empty())
+    answer_name = hostname;
+
+  std::vector<DnsResourceRecord> answers;
+  answers.reserve(esni_records.size());
+  for (EsniContent& c : esni_records) {
+    answers.push_back(BuildEsniRecord(answer_name, c));
+  }
+
+  std::string dns_name;
+  CHECK(DNSDomainFromDot(hostname, &dns_name));
+  base::Optional<DnsQuery> query(base::in_place, 0, dns_name,
+                                 dns_protocol::kExperimentalTypeEsniDraft4);
+
+  return std::make_unique<DnsResponse>(
+      0, false, std::move(answers),
+      std::vector<DnsResourceRecord>() /* authority_records */,
+      std::vector<DnsResourceRecord>() /* additional_records */, query);
+}
+
 MockDnsClientRule::Result::Result(ResultType type) : type(type) {}
 
 MockDnsClientRule::Result::Result(std::unique_ptr<DnsResponse> response)
@@ -506,6 +628,18 @@ void MockDnsTransactionFactory::CompleteDelayedTransactions() {
   }
 }
 
+bool MockDnsTransactionFactory::CompleteOneDelayedTransactionOfType(
+    DnsQueryType type) {
+  for (base::WeakPtr<MockTransaction>& t : delayed_transactions_) {
+    if (t && t->GetType() == DnsQueryTypeToQtype(type)) {
+      t->FinishDelayedTransaction();
+      t.reset();
+      return true;
+    }
+  }
+  return false;
+}
+
 MockDnsClient::MockDnsClient(DnsConfig config, MockDnsClientRuleList rules)
     : config_(std::move(config)),
       factory_(new MockDnsTransactionFactory(std::move(rules))),
@@ -568,11 +702,17 @@ const DnsHosts* MockDnsClient::GetHosts() const {
   return &config->hosts;
 }
 
-void MockDnsClient::SetRequestContextForProbes(
-    URLRequestContext* url_request_context) {}
+void MockDnsClient::ActivateDohProbes(URLRequestContext* url_request_context) {
+  DCHECK(url_request_context);
+  DCHECK(!probe_context_);
+  probe_context_ = url_request_context;
+  factory_->StartDohProbes(probe_context_, false /* network_change */);
+}
 
-void MockDnsClient::CancelProbesForContext(
-    URLRequestContext* url_request_context) {}
+void MockDnsClient::CancelDohProbes() {
+  factory_->CancelDohProbes();
+  probe_context_ = nullptr;
+}
 
 DnsTransactionFactory* MockDnsClient::GetTransactionFactory() {
   return GetEffectiveConfig() ? factory_.get() : nullptr;
@@ -605,15 +745,14 @@ void MockDnsClient::SetTransactionFactoryForTesting(
   NOTREACHED();
 }
 
-void MockDnsClient::StartDohProbesForTesting() {
-  factory_->StartDohProbes(nullptr /* url_request_context */,
-                           false /* network_change */);
-}
-
 void MockDnsClient::CompleteDelayedTransactions() {
   factory_->CompleteDelayedTransactions();
 }
 
+bool MockDnsClient::CompleteOneDelayedTransactionOfType(DnsQueryType type) {
+  return factory_->CompleteOneDelayedTransactionOfType(type);
+}
+
 base::Optional<DnsConfig> MockDnsClient::BuildEffectiveConfig() {
   if (overrides_.OverridesEverything())
     return overrides_.ApplyOverrides(DnsConfig());
diff --git a/chromium/net/dns/dns_test_util.h b/chromium/net/dns/dns_test_util.h
index 469ec01e486..1f9c61268d4 100644
--- a/chromium/net/dns/dns_test_util.h
+++ b/chromium/net/dns/dns_test_util.h
@@ -180,12 +180,31 @@ static const char* const kT4IpAddresses[] = {"172.217.6.195"};
 static const int kT4TTL = 0x0000012b;
 static const unsigned kT4RecordCount = base::size(kT0IpAddresses);
 
+//--------------------------------------------------------------------
+// A well-formed ESNI (TLS 1.3 Encrypted Server Name Indication,
+// draft 4) keys object ("ESNIKeys" member of the ESNIRecord struct from
+// the spec).
+//
+// (This is cribbed from boringssl SSLTest.ESNIKeysDeserialize (CL 37704/13).)
+extern const char kWellFormedEsniKeys[];
+extern const size_t kWellFormedEsniKeysSize;
+
+// Returns a well-formed ESNI keys object identical to kWellFormedEsniKeys,
+// except that the first 0x22 bytes of |custom_data| are written over
+// fields of the keys object in a manner that leaves length prefixes
+// correct and enum members valid, and so that distinct values of
+// |custom_data| result in distinct returned keys.
+std::string GenerateWellFormedEsniKeys(base::StringPiece custom_data = "");
+
 class AddressSorter;
 class DnsClient;
 class IPAddress;
 class URLRequestContext;
 
-// Build a DNS response that includes address records.
+// Builds an address record for the given name and IP.
+DnsResourceRecord BuildTestAddressRecord(std::string name, const IPAddress& ip);
+
+// Builds a DNS response that includes address records.
 std::unique_ptr<DnsResponse> BuildTestDnsResponse(std::string name,
                                                   const IPAddress& ip);
 std::unique_ptr<DnsResponse> BuildTestDnsResponseWithCname(
@@ -216,6 +235,11 @@ std::unique_ptr<DnsResponse> BuildTestDnsServiceResponse(
     std::vector<TestServiceRecord> service_records,
     std::string answer_name = "");
 
+std::unique_ptr<DnsResponse> BuildTestDnsEsniResponse(
+    std::string hostname,
+    std::vector<EsniContent> esni_records,
+    std::string answer_name = "");
+
 struct MockDnsClientRule {
   enum ResultType {
     NODOMAIN,   // Fail asynchronously with ERR_NAME_NOT_RESOLVED and NXDOMAIN.
@@ -290,6 +314,10 @@ class MockDnsTransactionFactory : public DnsTransactionFactory {
   DnsConfig::SecureDnsMode GetSecureDnsModeForTest() override;
 
   void CompleteDelayedTransactions();
+  // If there are any pending transactions of the given type,
+  // completes one and returns true. Otherwise, returns false.
+  bool CompleteOneDelayedTransactionOfType(DnsQueryType type)
+      WARN_UNUSED_RESULT;
 
   bool doh_probes_running() { return doh_probes_running_; }
 
@@ -318,9 +346,8 @@ class MockDnsClient : public DnsClient {
   bool SetConfigOverrides(DnsConfigOverrides config_overrides) override;
   const DnsConfig* GetEffectiveConfig() const override;
   const DnsHosts* GetHosts() const override;
-  void SetRequestContextForProbes(
-      URLRequestContext* url_request_context) override;
-  void CancelProbesForContext(URLRequestContext* url_request_context) override;
+  void ActivateDohProbes(URLRequestContext* url_request_context) override;
+  void CancelDohProbes() override;
   DnsTransactionFactory* GetTransactionFactory() override;
   AddressSorter* GetAddressSorter() override;
   void IncrementInsecureFallbackFailures() override;
@@ -330,10 +357,13 @@ class MockDnsClient : public DnsClient {
   void SetProbeSuccessForTest(unsigned index, bool success) override;
   void SetTransactionFactoryForTesting(
       std::unique_ptr<DnsTransactionFactory> factory) override;
-  void StartDohProbesForTesting() override;
 
   // Completes all DnsTransactions that were delayed by a rule.
   void CompleteDelayedTransactions();
+  // If there are any pending transactions of the given type,
+  // completes one and returns true. Otherwise, returns false.
+  bool CompleteOneDelayedTransactionOfType(DnsQueryType type)
+      WARN_UNUSED_RESULT;
 
   void set_max_fallback_failures(int max_fallback_failures) {
     max_fallback_failures_ = max_fallback_failures;
@@ -347,6 +377,8 @@ class MockDnsClient : public DnsClient {
     doh_server_available_ = available;
   }
 
+  MockDnsTransactionFactory* factory() { return factory_.get(); }
+
  private:
   base::Optional<DnsConfig> BuildEffectiveConfig();
 
@@ -355,6 +387,7 @@ class MockDnsClient : public DnsClient {
   int max_fallback_failures_ = DnsClient::kMaxInsecureFallbackFailures;
   bool ignore_system_config_changes_ = false;
   bool doh_server_available_ = true;
+  URLRequestContext* probe_context_ = nullptr;
 
   base::Optional<DnsConfig> config_;
   DnsConfigOverrides overrides_;
diff --git a/chromium/net/dns/dns_transaction.cc b/chromium/net/dns/dns_transaction.cc
index be99840a22c..9bb49ef2c9d 100644
--- a/chromium/net/dns/dns_transaction.cc
+++ b/chromium/net/dns/dns_transaction.cc
@@ -395,6 +395,8 @@ class DnsHTTPAttempt : public DnsAttempt, public URLRequest::Delegate {
     }
 
     request_->SetExtraRequestHeaders(extra_request_headers);
+    // Disable secure DNS for any DoH server hostname lookups to avoid deadlock.
+    request_->SetDisableSecureDns(true);
     // Bypass proxy settings and certificate-related network fetches (currently
     // just OCSP and CRL requests) to avoid deadlock. AIA requests and the
     // Negotiate scheme for HTTP authentication may also cause deadlocks, but
@@ -430,6 +432,10 @@ class DnsHTTPAttempt : public DnsAttempt, public URLRequest::Delegate {
     DCHECK_NE(net::ERR_IO_PENDING, net_error);
     std::string content_type;
     if (net_error != OK) {
+      // Update the error code if there was an issue resolving the secure
+      // server hostname.
+      if (IsDnsError(net_error))
+        net_error = ERR_DNS_SECURE_RESOLVER_HOSTNAME_RESOLUTION_FAILED;
       ResponseCompleted(net_error);
       return;
     }
diff --git a/chromium/net/dns/dns_transaction_unittest.cc b/chromium/net/dns/dns_transaction_unittest.cc
index 35a65bff46a..e5209598b61 100644
--- a/chromium/net/dns/dns_transaction_unittest.cc
+++ b/chromium/net/dns/dns_transaction_unittest.cc
@@ -13,7 +13,6 @@
 #include "base/base64url.h"
 #include "base/bind.h"
 #include "base/containers/circular_deque.h"
-#include "base/message_loop/message_loop.h"
 #include "base/optional.h"
 #include "base/rand_util.h"
 #include "base/run_loop.h"
@@ -40,6 +39,7 @@
 #include "net/log/net_log.h"
 #include "net/log/net_log_capture_mode.h"
 #include "net/log/net_log_with_source.h"
+#include "net/log/test_net_log.h"
 #include "net/proxy_resolution/proxy_config_service_fixed.h"
 #include "net/socket/socket_test_util.h"
 #include "net/test/gtest_util.h"
@@ -389,7 +389,7 @@ class TransactionHelper {
   TestURLRequestContext request_context_;
   std::unique_ptr<base::RunLoop> transaction_complete_run_loop_;
   bool completed_;
-  NetLog net_log_;
+  TestNetLog net_log_;
 };
 
 // Callback that allows a test to modify HttpResponseinfo
@@ -770,6 +770,7 @@ class DnsTransactionTestBase : public testing::Test {
     EXPECT_TRUE(server_found);
 
     EXPECT_EQ(PRIVACY_MODE_ENABLED, request->privacy_mode());
+    EXPECT_TRUE(request->disable_secure_dns());
 
     std::string accept;
     EXPECT_TRUE(request->extra_request_headers().GetHeader("Accept", &accept));
@@ -1464,6 +1465,27 @@ TEST_F(DnsTransactionTest, HttpsPostLookupAsync) {
   EXPECT_TRUE(helper0.RunUntilDone(transaction_factory_.get()));
 }
 
+URLRequestJob* DohJobMakerCallbackFailLookup(URLRequest* request,
+                                             NetworkDelegate* network_delegate,
+                                             SocketDataProvider* data) {
+  URLRequestMockDohJob::MatchQueryData(request, data);
+  return new URLRequestFailedJob(request, network_delegate,
+                                 URLRequestFailedJob::START,
+                                 ERR_NAME_NOT_RESOLVED);
+}
+
+TEST_F(DnsTransactionTest, HttpsPostLookupFailDohServerLookup) {
+  ConfigureDohServers(true /* use_post */);
+  AddQueryAndResponse(0, kT0HostName, kT0Qtype, kT0ResponseDatagram,
+                      base::size(kT0ResponseDatagram), SYNCHRONOUS,
+                      Transport::HTTPS, nullptr /* opt_rdata */,
+                      DnsQuery::PaddingStrategy::BLOCK_LENGTH_128);
+  TransactionHelper helper0(kT0HostName, kT0Qtype, true /* secure */,
+                            ERR_DNS_SECURE_RESOLVER_HOSTNAME_RESOLUTION_FAILED);
+  SetDohJobMakerCallback(base::BindRepeating(DohJobMakerCallbackFailLookup));
+  EXPECT_TRUE(helper0.RunUntilDone(transaction_factory_.get()));
+}
+
 URLRequestJob* DohJobMakerCallbackFailStart(URLRequest* request,
                                             NetworkDelegate* network_delegate,
                                             SocketDataProvider* data) {
diff --git a/chromium/net/dns/dns_util.cc b/chromium/net/dns/dns_util.cc
index 8db4e8f684f..dd010fbf9be 100644
--- a/chromium/net/dns/dns_util.cc
+++ b/chromium/net/dns/dns_util.cc
@@ -144,7 +144,7 @@ const std::vector<DohUpgradeEntry>& GetDohUpgradeList() {
   // DohProviderId histogram suffix list in
   // tools/metrics/histograms/histograms.xml.
   static const base::NoDestructor<std::vector<DohUpgradeEntry>>
-      upgradable_servers({
+      upgradable_servers{{
           DohUpgradeEntry(
               "CleanBrowsingAdult",
               {"185.228.168.10", "185.228.169.11", "2a0d:2a00:1::1",
@@ -177,7 +177,7 @@ const std::vector<DohUpgradeEntry>& GetDohUpgradeList() {
           DohUpgradeEntry("Comcast",
                           {"75.75.75.75", "75.75.76.76", "2001:558:feed::1",
                            "2001:558:feed::2"},
-                          {""} /* DoT hostname */,
+                          {"dot.xfinity.com"} /* DoT hostname */,
                           {"https://doh.xfinity.com/dns-query{?dns}",
                            false /* use_post */}),
           DohUpgradeEntry(
@@ -221,7 +221,7 @@ const std::vector<DohUpgradeEntry>& GetDohUpgradeList() {
               {"9.9.9.9", "149.112.112.112", "2620:fe::fe", "2620:fe::9"},
               {"dns.quad9.net", "dns9.quad9.net"} /* DoT hostname */,
               {"https://dns.quad9.net/dns-query", true /* use_post */}),
-      });
+      }};
   return *upgradable_servers;
 }
 
@@ -401,6 +401,8 @@ uint16_t DnsQueryTypeToQtype(DnsQueryType dns_query_type) {
       return dns_protocol::kTypePTR;
     case DnsQueryType::SRV:
       return dns_protocol::kTypeSRV;
+    case DnsQueryType::ESNI:
+      return dns_protocol::kExperimentalTypeEsniDraft4;
   }
 }
 
diff --git a/chromium/net/dns/dns_util.h b/chromium/net/dns/dns_util.h
index c5d22b17cbc..f5c7c444aec 100644
--- a/chromium/net/dns/dns_util.h
+++ b/chromium/net/dns/dns_util.h
@@ -106,7 +106,7 @@ AddressListDeltaType FindAddressListDeltaType(const AddressList& a,
 NET_EXPORT std::string CreateNamePointer(uint16_t offset);
 
 // Convert a DnsQueryType enum to the wire format integer representation.
-uint16_t DnsQueryTypeToQtype(DnsQueryType dns_query_type);
+NET_EXPORT_PRIVATE uint16_t DnsQueryTypeToQtype(DnsQueryType dns_query_type);
 
 NET_EXPORT DnsQueryType
 AddressFamilyToDnsQueryType(AddressFamily address_family);
diff --git a/chromium/net/dns/esni_content.cc b/chromium/net/dns/esni_content.cc
new file mode 100644
index 00000000000..014d492942b
--- /dev/null
+++ b/chromium/net/dns/esni_content.cc
@@ -0,0 +1,63 @@
+// Copyright 2019 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "net/dns/esni_content.h"
+
+namespace net {
+
+EsniContent::EsniContent() = default;
+EsniContent::EsniContent(const EsniContent& other) {
+  MergeFrom(other);
+}
+EsniContent::EsniContent(EsniContent&& other) = default;
+EsniContent& EsniContent::operator=(const EsniContent& other) {
+  MergeFrom(other);
+  return *this;
+}
+EsniContent& EsniContent::operator=(EsniContent&& other) = default;
+EsniContent::~EsniContent() = default;
+
+bool operator==(const EsniContent& c1, const EsniContent& c2) {
+  return c1.keys() == c2.keys() &&
+         c1.keys_for_addresses() == c2.keys_for_addresses();
+}
+
+const std::set<std::string, EsniContent::StringPieceComparator>&
+EsniContent::keys() const {
+  return keys_;
+}
+
+const std::map<IPAddress, std::set<base::StringPiece>>&
+EsniContent::keys_for_addresses() const {
+  return keys_for_addresses_;
+}
+
+void EsniContent::AddKey(base::StringPiece key) {
+  if (keys_.find(key) == keys_.end())
+    keys_.insert(std::string(key));
+}
+
+void EsniContent::AddKeyForAddress(const IPAddress& address,
+                                   base::StringPiece key) {
+  auto key_it = keys_.find(key);
+  if (key_it == keys_.end()) {
+    bool key_was_added;
+    std::tie(key_it, key_was_added) = keys_.insert(std::string(key));
+    DCHECK(key_was_added);
+  }
+  keys_for_addresses_[address].insert(base::StringPiece(*key_it));
+}
+
+void EsniContent::MergeFrom(const EsniContent& other) {
+  for (const auto& kv : other.keys_for_addresses()) {
+    const IPAddress& address = kv.first;
+    const auto& keys_for_address = kv.second;
+    for (base::StringPiece key : keys_for_address)
+      AddKeyForAddress(address, key);
+  }
+  for (const std::string& key : other.keys())
+    AddKey(key);
+}
+
+}  // namespace net
diff --git a/chromium/net/dns/esni_content.h b/chromium/net/dns/esni_content.h
new file mode 100644
index 00000000000..8c6a8e0d0cc
--- /dev/null
+++ b/chromium/net/dns/esni_content.h
@@ -0,0 +1,84 @@
+// Copyright 2019 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef NET_DNS_ESNI_CONTENT_H_
+#define NET_DNS_ESNI_CONTENT_H_
+
+#include <map>
+#include <set>
+#include <string>
+
+#include "base/strings/string_piece.h"
+#include "net/base/ip_address.h"
+#include "net/base/net_export.h"
+
+namespace net {
+
+// An EsniContent struct represents an aggregation of the
+// content of several ESNI (TLS 1.3 Encrypted Server Name Indication,
+// draft 4) resource records.
+//
+// This aggregation contains:
+// (1) The ESNI key objects from each of the ESNI records, and
+// (2) A collection of IP addresses, each of which is associated
+// with one or more of the key objects. (Each key will likely also
+// be associated with several destination addresses.)
+class NET_EXPORT EsniContent {
+ public:
+  EsniContent();
+  EsniContent(const EsniContent& other);
+  EsniContent(EsniContent&& other);
+  EsniContent& operator=(const EsniContent& other);
+  EsniContent& operator=(EsniContent&& other);
+  ~EsniContent();
+
+  // Key objects (which might be up to ~50K in length) are stored
+  // in a collection of std::string; use transparent comparison
+  // to allow checking whether a given base::StringPiece is in
+  // the collection without making copies.
+  struct StringPieceComparator {
+    using is_transparent = int;
+
+    bool operator()(const base::StringPiece lhs,
+                    const base::StringPiece rhs) const {
+      return lhs < rhs;
+    }
+  };
+
+  const std::set<std::string, StringPieceComparator>& keys() const;
+  const std::map<IPAddress, std::set<base::StringPiece>>& keys_for_addresses()
+      const;
+
+  // Adds |key| (if it is not already stored) without associating it
+  // with any particular addresss; if this addition is performed, it
+  // copies the underlying string.
+  void AddKey(base::StringPiece key);
+
+  // Associates a key with an address, copying the underlying string to
+  // the internal collection of keys if it is not already stored.
+  void AddKeyForAddress(const IPAddress& address, base::StringPiece key);
+
+  // Merges the contents of |other|:
+  // 1. unions the collection of stored keys with |other.keys()| and
+  // 2. unions the stored address-key associations with
+  // |other.keys_for_addresses()|.
+  void MergeFrom(const EsniContent& other);
+
+ private:
+  // In order to keep the StringPieces in |keys_for_addresses_| valid,
+  // |keys_| must be of a collection type guaranteeing stable pointers.
+  std::set<std::string, StringPieceComparator> keys_;
+
+  std::map<IPAddress, std::set<base::StringPiece>> keys_for_addresses_;
+};
+
+// Two EsniContent structs are equal if they have the same set of keys, the
+// same set of IP addresses, and the same subset of the keys corresponding to
+// each IP address.
+NET_EXPORT_PRIVATE
+bool operator==(const EsniContent& c1, const EsniContent& c2);
+
+}  // namespace net
+
+#endif  // NET_DNS_ESNI_CONTENT_H_
diff --git a/chromium/net/dns/esni_content_unittest.cc b/chromium/net/dns/esni_content_unittest.cc
new file mode 100644
index 00000000000..50bc5d81dca
--- /dev/null
+++ b/chromium/net/dns/esni_content_unittest.cc
@@ -0,0 +1,170 @@
+// Copyright 2019 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "net/dns/esni_content.h"
+
+#include "base/strings/string_number_conversions.h"
+
+#include "testing/gmock/include/gmock/gmock.h"
+#include "testing/gtest/include/gtest/gtest.h"
+
+namespace net {
+
+namespace {
+
+IPAddress MakeIPAddress() {
+  // Introduce some (deterministic) variation in the IP addresses
+  // generated.
+  static uint8_t next_octet = 0;
+  next_octet += 4;
+
+  return IPAddress(next_octet, next_octet + 1, next_octet + 2, next_octet + 3);
+}
+
+// Make sure we can add keys.
+TEST(EsniContentTest, AddKey) {
+  EsniContent c1;
+  c1.AddKey("a");
+  EXPECT_THAT(c1.keys(), ::testing::UnorderedElementsAre("a"));
+  c1.AddKey("a");
+  EXPECT_THAT(c1.keys(), ::testing::UnorderedElementsAre("a"));
+  c1.AddKey("b");
+  EXPECT_THAT(c1.keys(), ::testing::UnorderedElementsAre("a", "b"));
+}
+
+// Make sure we can add key-address pairs.
+TEST(EsniContentTest, AddKeyForAddress) {
+  EsniContent c1;
+  auto address = MakeIPAddress();
+  c1.AddKeyForAddress(address, "a");
+  EXPECT_THAT(c1.keys(), ::testing::UnorderedElementsAre("a"));
+  EXPECT_THAT(c1.keys_for_addresses(),
+              ::testing::UnorderedElementsAre(::testing::Pair(
+                  address, ::testing::UnorderedElementsAre("a"))));
+}
+
+TEST(EsniContentTest, AssociateAddressWithExistingKey) {
+  EsniContent c1;
+  auto address = MakeIPAddress();
+  c1.AddKey("a");
+  c1.AddKeyForAddress(address, "a");
+  EXPECT_THAT(c1.keys(), ::testing::UnorderedElementsAre("a"));
+  EXPECT_THAT(c1.keys_for_addresses(),
+              ::testing::UnorderedElementsAre(::testing::Pair(
+                  address, ::testing::UnorderedElementsAre("a"))));
+}
+
+// Merging to an empty EsniContent should make the result equal the source of
+// the merge.
+TEST(EsniContentTest, MergeToEmpty) {
+  EsniContent c1;
+  c1.AddKey("c");
+  IPAddress address = MakeIPAddress();
+
+  c1.AddKeyForAddress(address, "a");
+  c1.AddKeyForAddress(address, "b");
+  EsniContent empty;
+  empty.MergeFrom(c1);
+  EXPECT_EQ(c1, empty);
+}
+
+TEST(EsniContentTest, MergeFromEmptyNoOp) {
+  EsniContent c1, c2;
+  c1.AddKey("a");
+  c2.AddKey("a");
+  EsniContent empty;
+  c1.MergeFrom(empty);
+  EXPECT_EQ(c1, c2);
+}
+
+// Test that merging multiple keys corresponding to a single address works.
+TEST(EsniContentTest, MergeKeysForSingleHost) {
+  EsniContent c1, c2;
+  IPAddress address = MakeIPAddress();
+
+  c1.AddKeyForAddress(address, "a");
+  c1.AddKeyForAddress(address, "b");
+  c2.AddKeyForAddress(address, "b");
+  c2.AddKeyForAddress(address, "c");
+  c1.MergeFrom(c2);
+
+  EXPECT_THAT(c1.keys(), ::testing::UnorderedElementsAre("a", "b", "c"));
+  EXPECT_THAT(c1.keys_for_addresses(),
+              ::testing::UnorderedElementsAre(::testing::Pair(
+                  address, ::testing::UnorderedElementsAre("a", "b", "c"))));
+}
+
+// Test that merging multiple addresss corresponding to a single key works.
+TEST(EsniContentTest, MergeHostsForSingleKey) {
+  EsniContent c1, c2;
+  IPAddress address = MakeIPAddress();
+  IPAddress second_address = MakeIPAddress();
+  c1.AddKeyForAddress(address, "a");
+  c2.AddKeyForAddress(second_address, "a");
+  c1.MergeFrom(c2);
+
+  EXPECT_THAT(c1.keys(), ::testing::UnorderedElementsAre("a"));
+  EXPECT_THAT(
+      c1.keys_for_addresses(),
+      ::testing::UnorderedElementsAre(
+          ::testing::Pair(address, ::testing::UnorderedElementsAre("a")),
+          ::testing::Pair(second_address,
+                          ::testing::UnorderedElementsAre("a"))));
+}
+
+// Test merging some more complex instances of the class.
+TEST(EsniContentTest, MergeSeveralHostsAndKeys) {
+  EsniContent c1, c2, expected;
+  for (int i = 0; i < 50; ++i) {
+    IPAddress address = MakeIPAddress();
+    std::string key = base::NumberToString(i);
+    switch (i % 3) {
+      case 0:
+        c1.AddKey(key);
+        expected.AddKey(key);
+        break;
+      case 1:
+        c2.AddKey(key);
+        expected.AddKey(key);
+        break;
+    }
+    // Associate each address with a subset of the keys seen so far
+    {
+      int j = 0;
+      for (auto key : c1.keys()) {
+        if (j % 2) {
+          c1.AddKeyForAddress(address, key);
+          expected.AddKeyForAddress(address, key);
+        }
+        ++j;
+      }
+    }
+    {
+      int j = 0;
+      for (auto key : c2.keys()) {
+        if (j % 3 == 1) {
+          c2.AddKeyForAddress(address, key);
+          expected.AddKeyForAddress(address, key);
+        }
+        ++j;
+      }
+    }
+  }
+  {
+    EsniContent merge_dest = c1;
+    EsniContent merge_src = c2;
+    merge_dest.MergeFrom(merge_src);
+    EXPECT_EQ(merge_dest, expected);
+  }
+  {
+    EsniContent merge_dest = c2;
+    EsniContent merge_src = c1;
+    merge_dest.MergeFrom(merge_src);
+    EXPECT_EQ(merge_dest, expected);
+  }
+}
+
+}  // namespace
+
+}  // namespace net
diff --git a/chromium/net/dns/host_cache.cc b/chromium/net/dns/host_cache.cc
index 33e54eccf94..4479c94c1ec 100644
--- a/chromium/net/dns/host_cache.cc
+++ b/chromium/net/dns/host_cache.cc
@@ -38,6 +38,7 @@ const char kDnsQueryTypeKey[] = "dns_query_type";
 const char kFlagsKey[] = "flags";
 const char kHostResolverSourceKey[] = "host_resolver_source";
 const char kSecureKey[] = "secure";
+const char kNetworkIsolationKeyKey[] = "network_isolation_key";
 const char kExpirationKey[] = "expiration";
 const char kTtlKey[] = "ttl";
 const char kNetworkChangesKey[] = "network_changes";
@@ -46,6 +47,7 @@ const char kAddressesKey[] = "addresses";
 const char kTextRecordsKey[] = "text_records";
 const char kHostnameResultsKey[] = "hostname_results";
 const char kHostPortsKey[] = "host_ports";
+const char kEsniDataKey[] = "esni_data";
 
 bool AddressListFromListValue(const base::ListValue* value,
                               base::Optional<AddressList>* out_list) {
@@ -67,6 +69,67 @@ bool AddressListFromListValue(const base::ListValue* value,
   return true;
 }
 
+// Serializes the cache's ESNI content as
+// {
+//   key 0: [addresses for key 0],
+//   ...,
+//   key N: [address for key N]
+// }
+base::Value EsniContentToValue(const EsniContent& content) {
+  base::Value addresses_for_keys_value(base::Value::Type::DICTIONARY);
+
+  for (const auto& key : content.keys()) {
+    addresses_for_keys_value.SetKey(key, base::Value(base::Value::Type::LIST));
+  }
+
+  for (const auto& kv : content.keys_for_addresses()) {
+    const IPAddress& address = kv.first;
+    const auto& keys_for_address = kv.second;
+    for (base::StringPiece key : keys_for_address) {
+      base::Value* addresses_for_key = addresses_for_keys_value.FindKey(key);
+      DCHECK(addresses_for_key);
+      addresses_for_key->Append(address.ToString());
+    }
+  }
+
+  return addresses_for_keys_value;
+}
+
+bool EsniContentFromValue(const base::Value& esni_content_value,
+                          base::Optional<EsniContent>* out_esni_content) {
+  EsniContent content_for_cache;
+
+  // The esni_data cache member is encoded as a
+  // { key: list of associated IP addresses } dictionary.
+  if (!esni_content_value.is_dict())
+    return false;
+
+  for (const auto& kv : esni_content_value.DictItems()) {
+    const std::string& key = kv.first;
+    const base::Value& serialized_addresses = kv.second;
+    if (!serialized_addresses.is_list())
+      return false;
+    if (serialized_addresses.GetList().empty()) {
+      content_for_cache.AddKey(key);
+    } else {
+      for (const base::Value& serialized_address_value :
+           serialized_addresses.GetList()) {
+        if (!serialized_address_value.is_string())
+          return false;
+        const std::string& serialized_address =
+            serialized_address_value.GetString();
+        IPAddress address;
+        if (!address.AssignFromIPLiteral(serialized_address))
+          return false;
+        content_for_cache.AddKeyForAddress(address, key);
+      }
+    }
+  }
+
+  *out_esni_content = std::move(content_for_cache);
+  return true;
+}
+
 template <typename T>
 void MergeLists(base::Optional<T>* target, const base::Optional<T>& source) {
   if (target->has_value() && source) {
@@ -118,23 +181,17 @@ enum HostCache::EraseReason : int {
 HostCache::Key::Key(const std::string& hostname,
                     DnsQueryType dns_query_type,
                     HostResolverFlags host_resolver_flags,
-                    HostResolverSource host_resolver_source)
+                    HostResolverSource host_resolver_source,
+                    const NetworkIsolationKey& network_isolation_key)
     : hostname(hostname),
       dns_query_type(dns_query_type),
       host_resolver_flags(host_resolver_flags),
       host_resolver_source(host_resolver_source),
-      secure(false) {}
+      network_isolation_key(network_isolation_key) {}
 
-HostCache::Key::Key(const std::string& hostname,
-                    AddressFamily address_family,
-                    HostResolverFlags host_resolver_flags)
-    : Key(hostname,
-          AddressFamilyToDnsQueryType(address_family),
-          host_resolver_flags,
-          HostResolverSource::ANY) {}
-
-HostCache::Key::Key()
-    : Key("", DnsQueryType::UNSPECIFIED, 0, HostResolverSource::ANY) {}
+HostCache::Key::Key() = default;
+HostCache::Key::Key(const Key& key) = default;
+HostCache::Key::Key(Key&& key) = default;
 
 HostCache::Entry::Entry(int error, Source source, base::TimeDelta ttl)
     : error_(error), source_(source), ttl_(ttl) {
@@ -171,9 +228,14 @@ HostCache::Entry HostCache::Entry::MergeEntries(Entry front, Entry back) {
   front.error_ =
       front.error() == OK || back.error() == OK ? OK : ERR_NAME_NOT_RESOLVED;
 
-  MergeLists(&front.addresses_, back.addresses());
+  front.MergeAddressesFrom(back);
   MergeLists(&front.text_records_, back.text_records());
   MergeLists(&front.hostnames_, back.hostnames());
+  if (back.esni_data_ && !front.esni_data_) {
+    front.esni_data_ = std::move(back.esni_data_);
+  } else if (front.esni_data_ && back.esni_data_) {
+    front.esni_data_->MergeFrom(back.esni_data_.value());
+  }
 
   // Use canonical name from |back| iff empty in |front|.
   if (front.addresses() && front.addresses().value().canonical_name().empty() &&
@@ -247,6 +309,7 @@ HostCache::Entry::Entry(const HostCache::Entry& entry,
       addresses_(entry.addresses()),
       text_records_(entry.text_records()),
       hostnames_(entry.hostnames()),
+      esni_data_(entry.esni_data()),
       source_(entry.source()),
       ttl_(entry.ttl()),
       expires_(now + ttl),
@@ -256,6 +319,7 @@ HostCache::Entry::Entry(int error,
                         const base::Optional<AddressList>& addresses,
                         base::Optional<std::vector<std::string>>&& text_records,
                         base::Optional<std::vector<HostPortPair>>&& hostnames,
+                        base::Optional<EsniContent>&& esni_data,
                         Source source,
                         base::TimeTicks expires,
                         int network_changes)
@@ -263,6 +327,7 @@ HostCache::Entry::Entry(int error,
       addresses_(addresses),
       text_records_(std::move(text_records)),
       hostnames_(std::move(hostnames)),
+      esni_data_(std::move(esni_data)),
       source_(source),
       expires_(expires),
       network_changes_(network_changes) {}
@@ -294,6 +359,38 @@ base::Value HostCache::Entry::NetLogParams() const {
   return GetAsValue(false /* include_staleness */);
 }
 
+void HostCache::Entry::MergeAddressesFrom(const HostCache::Entry& source) {
+  MergeLists(&addresses_, source.addresses());
+  if (!addresses_ || addresses_->size() <= 1)
+    return;  // Nothing to do.
+
+  addresses_->Deduplicate();
+
+  auto has_keys = [&](const IPEndPoint& e) {
+    return (esni_data() &&
+            esni_data()->keys_for_addresses().count(e.address())) ||
+           (source.esni_data() &&
+            source.esni_data()->keys_for_addresses().count(e.address()));
+  };
+
+  std::stable_sort(addresses_->begin(), addresses_->end(),
+                   [&](const IPEndPoint& lhs, const IPEndPoint& rhs) {
+                     // Prefer an address with ESNI keys to one without;
+                     // break ties by address family.
+
+                     // Store one lookup's result to avoid repeating the lookup.
+                     bool lhs_has_keys = has_keys(lhs);
+                     if (lhs_has_keys != has_keys(rhs))
+                       return lhs_has_keys;
+
+                     if ((lhs.GetFamily() == ADDRESS_FAMILY_IPV6) !=
+                         (rhs.GetFamily() == ADDRESS_FAMILY_IPV6))
+                       return (lhs.GetFamily() == ADDRESS_FAMILY_IPV6);
+
+                     return false;
+                   });
+}
+
 base::DictionaryValue HostCache::Entry::GetAsValue(
     bool include_staleness) const {
   base::DictionaryValue entry_dict;
@@ -347,6 +444,10 @@ base::DictionaryValue HostCache::Entry::GetAsValue(
       entry_dict.SetKey(kHostnameResultsKey, std::move(hostnames_value));
       entry_dict.SetKey(kHostPortsKey, std::move(host_ports_value));
     }
+
+    if (esni_data()) {
+      entry_dict.SetKey(kEsniDataKey, EsniContentToValue(*esni_data()));
+    }
   }
 
   return entry_dict;
@@ -614,6 +715,11 @@ void HostCache::GetAsListValue(base::ListValue* entry_list,
     const Key& key = pair.first;
     const Entry& entry = pair.second;
 
+    base::Value network_isolation_key_value;
+    // Don't save entries associated with ephemeral NetworkIsolationKeys.
+    if (!key.network_isolation_key.ToValue(&network_isolation_key_value))
+      continue;
+
     auto entry_dict = std::make_unique<base::DictionaryValue>(
         entry.GetAsValue(include_staleness));
 
@@ -623,6 +729,8 @@ void HostCache::GetAsListValue(base::ListValue* entry_list,
     entry_dict->SetInteger(kFlagsKey, key.host_resolver_flags);
     entry_dict->SetInteger(kHostResolverSourceKey,
                            static_cast<int>(key.host_resolver_source));
+    entry_dict->SetKey(kNetworkIsolationKeyKey,
+                       std::move(network_isolation_key_value));
     entry_dict->SetBoolean(kSecureKey, static_cast<bool>(key.secure));
 
     entry_list->Append(std::move(entry_dict));
@@ -677,6 +785,15 @@ bool HostCache::RestoreFromListValue(const base::ListValue& old_cache) {
       host_resolver_source = static_cast<int>(HostResolverSource::ANY);
     }
 
+    const base::Value* network_isolation_key_value =
+        entry_dict->FindKey(kNetworkIsolationKeyKey);
+    NetworkIsolationKey network_isolation_key;
+    if (!network_isolation_key_value ||
+        !NetworkIsolationKey::FromValue(*network_isolation_key_value,
+                                        &network_isolation_key)) {
+      return false;
+    }
+
     bool secure;
     if (!entry_dict->GetBoolean(kSecureKey, &secure)) {
       secure = false;
@@ -687,6 +804,7 @@ bool HostCache::RestoreFromListValue(const base::ListValue& old_cache) {
     const base::ListValue* text_records_value = nullptr;
     const base::ListValue* hostname_records_value = nullptr;
     const base::ListValue* host_ports_value = nullptr;
+    const base::Value* esni_content_value = nullptr;
     if (!entry_dict->GetInteger(kErrorKey, &error)) {
       entry_dict->GetList(kAddressesKey, &addresses_value);
       entry_dict->GetList(kTextRecordsKey, &text_records_value);
@@ -695,6 +813,8 @@ bool HostCache::RestoreFromListValue(const base::ListValue& old_cache) {
           entry_dict->GetList(kHostPortsKey, &host_ports_value)) {
         return false;
       }
+
+      entry_dict->Get(kEsniDataKey, &esni_content_value);
     }
 
     int64_t time_internal;
@@ -743,14 +863,21 @@ bool HostCache::RestoreFromListValue(const base::ListValue& old_cache) {
       }
     }
 
+    base::Optional<EsniContent> esni_content;
+    if (esni_content_value &&
+        !EsniContentFromValue(*esni_content_value, &esni_content)) {
+      return false;
+    }
+
     // Assume an empty address list if we have an address type and no results.
     if (IsAddressType(dns_query_type) && !address_list && !text_records &&
-        !hostname_records) {
+        !hostname_records && !esni_content) {
       address_list.emplace();
     }
 
     Key key(hostname, dns_query_type, flags,
-            static_cast<HostResolverSource>(host_resolver_source));
+            static_cast<HostResolverSource>(host_resolver_source),
+            network_isolation_key);
     key.secure = secure;
 
     // If the key is already in the cache, assume it's more recent and don't
@@ -758,8 +885,9 @@ bool HostCache::RestoreFromListValue(const base::ListValue& old_cache) {
     auto found = entries_.find(key);
     if (found == entries_.end()) {
       AddEntry(key, Entry(error, address_list, std::move(text_records),
-                          std::move(hostname_records), Entry::SOURCE_UNKNOWN,
-                          expiration_time, network_changes_ - 1));
+                          std::move(hostname_records), std::move(esni_content),
+                          Entry::SOURCE_UNKNOWN, expiration_time,
+                          network_changes_ - 1));
       restore_size_++;
     }
   }
diff --git a/chromium/net/dns/host_cache.h b/chromium/net/dns/host_cache.h
index 6ab3f2bbdf3..f0f3c034876 100644
--- a/chromium/net/dns/host_cache.h
+++ b/chromium/net/dns/host_cache.h
@@ -30,7 +30,9 @@
 #include "net/base/host_port_pair.h"
 #include "net/base/net_errors.h"
 #include "net/base/net_export.h"
+#include "net/base/network_isolation_key.h"
 #include "net/dns/dns_util.h"
+#include "net/dns/esni_content.h"
 #include "net/dns/host_resolver_source.h"
 #include "net/dns/public/dns_query_type.h"
 #include "net/log/net_log_capture_mode.h"
@@ -49,24 +51,20 @@ class NET_EXPORT HostCache {
     Key(const std::string& hostname,
         DnsQueryType dns_query_type,
         HostResolverFlags host_resolver_flags,
-        HostResolverSource host_resolver_source);
-    Key(const std::string& hostname,
-        AddressFamily address_family,
-        HostResolverFlags host_resolver_flags);
+        HostResolverSource host_resolver_source,
+        const NetworkIsolationKey& network_isolation_key);
     Key();
+    Key(const Key& key);
+    Key(Key&& key);
 
     // This is a helper used in comparing keys. The order of comparisons of
     // |Key| fields is arbitrary, but the tuple is constructed with
     // |dns_query_type| and |host_resolver_flags| before |hostname| under the
     // assumption that integer comparisons are faster than string comparisons.
-    std::tuple<DnsQueryType,
-               HostResolverFlags,
-               const std::string&,
-               HostResolverSource,
-               bool>
-    GetTuple(const Key* key) const {
+    auto GetTuple(const Key* key) const {
       return std::tie(key->dns_query_type, key->host_resolver_flags,
-                      key->hostname, key->host_resolver_source, key->secure);
+                      key->hostname, key->host_resolver_source,
+                      key->network_isolation_key, key->secure);
     }
 
     bool operator==(const Key& other) const {
@@ -78,10 +76,11 @@ class NET_EXPORT HostCache {
     }
 
     std::string hostname;
-    DnsQueryType dns_query_type;
-    HostResolverFlags host_resolver_flags;
-    HostResolverSource host_resolver_source;
-    bool secure;
+    DnsQueryType dns_query_type = DnsQueryType::UNSPECIFIED;
+    HostResolverFlags host_resolver_flags = 0;
+    HostResolverSource host_resolver_source = HostResolverSource::ANY;
+    NetworkIsolationKey network_isolation_key;
+    bool secure = false;
   };
 
   struct NET_EXPORT EntryStaleness {
@@ -163,6 +162,10 @@ class NET_EXPORT HostCache {
     void set_hostnames(base::Optional<std::vector<HostPortPair>> hostnames) {
       hostnames_ = std::move(hostnames);
     }
+    const base::Optional<EsniContent>& esni_data() const { return esni_data_; }
+    void set_esni_data(base::Optional<EsniContent> esni_data) {
+      esni_data_ = std::move(esni_data);
+    }
     Source source() const { return source_; }
     bool has_ttl() const { return ttl_ >= base::TimeDelta(); }
     base::TimeDelta ttl() const { return ttl_; }
@@ -175,9 +178,15 @@ class NET_EXPORT HostCache {
     int network_changes() const { return network_changes_; }
 
     // Merge |front| and |back|, representing results from multiple
-    // transactions for the same overal host resolution query. On merging result
-    // lists, result elements from |front| will be merged in front of elements
-    // from |back|. Fields that cannot be merged take precedence from |front|.
+    // transactions for the same overall host resolution query.
+    //
+    // - When merging result hostname and text record lists, result
+    // elements from |front| will be merged in front of elements from |back|.
+    // - Merging address lists deduplicates addresses and sorts them in a stable
+    // manner by (breaking ties by continuing down the list):
+    //   1. Addresses with associated ESNI keys precede addresses without
+    //   2. IPv6 addresses precede IPv4 addresses
+    // - Fields that cannot be merged take precedence from |front|.
     static Entry MergeEntries(Entry front, Entry back);
 
     // Creates a value representation of the entry for use with NetLog.
@@ -199,6 +208,7 @@ class NET_EXPORT HostCache {
           const base::Optional<AddressList>& addresses,
           base::Optional<std::vector<std::string>>&& text_results,
           base::Optional<std::vector<HostPortPair>>&& hostnames,
+          base::Optional<EsniContent>&& esni_data,
           Source source,
           base::TimeTicks expires,
           int network_changes);
@@ -210,6 +220,7 @@ class NET_EXPORT HostCache {
     void SetResult(std::vector<HostPortPair> hostnames) {
       hostnames_ = std::move(hostnames);
     }
+    void SetResult(EsniContent esni_data) { esni_data_ = std::move(esni_data); }
 
     int total_hits() const { return total_hits_; }
     int stale_hits() const { return stale_hits_; }
@@ -220,6 +231,22 @@ class NET_EXPORT HostCache {
                       int network_changes,
                       EntryStaleness* out) const;
 
+    // Combines the addresses of |source| with those already stored,
+    // resulting in the following order:
+    //
+    // 1. IPv6 addresses associated with ESNI keys
+    // 2. IPv4 addresses associated with ESNI keys
+    // 3. IPv6 addresses not associated with ESNI keys
+    // 4. IPv4 addresses not associated with ESNI keys
+    //
+    // - Conducts the merge in a stable fashion (other things equal, addresses
+    // from |*this| will precede those from |source|, and addresses earlier in
+    // one entry's list will precede other addresses from later in the same
+    // list).
+    // - Deduplicates the entries during the merge so that |*this|'s
+    // address list will not contain duplicates after the call.
+    void MergeAddressesFrom(const HostCache::Entry& source);
+
     base::DictionaryValue GetAsValue(bool include_staleness) const;
 
     // The resolve results for this entry.
@@ -227,6 +254,7 @@ class NET_EXPORT HostCache {
     base::Optional<AddressList> addresses_;
     base::Optional<std::vector<std::string>> text_records_;
     base::Optional<std::vector<HostPortPair>> hostnames_;
+    base::Optional<EsniContent> esni_data_;
     // Where results were obtained (e.g. DNS lookup, hosts file, etc).
     Source source_ = SOURCE_UNKNOWN;
     // TTL obtained from the nameserver. Negative if unknown.
@@ -323,7 +351,13 @@ class NET_EXPORT HostCache {
 
   // Fills the provided base::ListValue with the contents of the cache for
   // serialization. |entry_list| must be non-null and will be cleared before
-  // adding the cache contents.
+  // adding the cache contents. Entries with ephemeral NetworkIsolationKeys will
+  // not be written to the resulting list.
+  //
+  // TODO(mmenke): This is used both in combination with RestoreFromListValue()
+  // and for NetLog. Update the NetLogViewer's display to handle
+  // NetworkIsolationKeys, and add some way for to get a result with ephemeral
+  // NIKs included.
   void GetAsListValue(base::ListValue* entry_list,
                       bool include_staleness) const;
   // Takes a base::ListValue representing cache entries and stores them in the
diff --git a/chromium/net/dns/host_cache_unittest.cc b/chromium/net/dns/host_cache_unittest.cc
index a9721412217..cf3669146d6 100644
--- a/chromium/net/dns/host_cache_unittest.cc
+++ b/chromium/net/dns/host_cache_unittest.cc
@@ -11,11 +11,22 @@
 #include "base/callback.h"
 #include "base/format_macros.h"
 #include "base/stl_util.h"
+#include "base/strings/string_number_conversions.h"
 #include "base/strings/string_util.h"
 #include "base/strings/stringprintf.h"
 #include "base/values.h"
+#include "net/base/network_isolation_key.h"
 #include "testing/gmock/include/gmock/gmock.h"
 #include "testing/gtest/include/gtest/gtest.h"
+#include "url/gurl.h"
+#include "url/origin.h"
+
+using ::testing::ElementsAre;
+using ::testing::ElementsAreArray;
+using ::testing::Optional;
+using ::testing::Pair;
+using ::testing::Property;
+using ::testing::UnorderedElementsAre;
 
 namespace net {
 
@@ -26,7 +37,7 @@ const int kMaxCacheEntries = 10;
 // Builds a key for |hostname|, defaulting the query type to unspecified.
 HostCache::Key Key(const std::string& hostname) {
   return HostCache::Key(hostname, DnsQueryType::UNSPECIFIED, 0,
-                        HostResolverSource::ANY);
+                        HostResolverSource::ANY, NetworkIsolationKey());
 }
 
 bool FoobarIndexIsOdd(const std::string& foobarx_com) {
@@ -107,6 +118,67 @@ TEST(HostCacheTest, Basic) {
   EXPECT_FALSE(cache.Lookup(key2, now));
 }
 
+// Make sure NetworkIsolationKey is respected.
+TEST(HostCacheTest, NetworkIsolationKey) {
+  const char kHostname[] = "hostname.test";
+  const base::TimeDelta kTTL = base::TimeDelta::FromSeconds(10);
+
+  const url::Origin kOrigin1(
+      url::Origin::Create(GURL("https://origin1.test/")));
+  const NetworkIsolationKey kNetworkIsolationKey1(kOrigin1, kOrigin1);
+  const url::Origin kOrigin2(
+      url::Origin::Create(GURL("https://origin2.test/")));
+  const NetworkIsolationKey kNetworkIsolationKey2(kOrigin2, kOrigin2);
+
+  HostCache::Key key1(kHostname, DnsQueryType::UNSPECIFIED, 0,
+                      HostResolverSource::ANY, kNetworkIsolationKey1);
+  HostCache::Key key2(kHostname, DnsQueryType::UNSPECIFIED, 0,
+                      HostResolverSource::ANY, kNetworkIsolationKey2);
+  HostCache::Entry entry1 =
+      HostCache::Entry(OK, AddressList(), HostCache::Entry::SOURCE_UNKNOWN);
+  HostCache::Entry entry2 = HostCache::Entry(ERR_FAILED, AddressList(),
+                                             HostCache::Entry::SOURCE_UNKNOWN);
+
+  HostCache cache(kMaxCacheEntries);
+
+  // Start at t=0.
+  base::TimeTicks now;
+
+  EXPECT_EQ(0U, cache.size());
+
+  // Add an entry for kNetworkIsolationKey1.
+  EXPECT_FALSE(cache.Lookup(key1, now));
+  cache.Set(key1, entry1, now, kTTL);
+
+  const std::pair<const HostCache::Key, HostCache::Entry>* result =
+      cache.Lookup(key1, now);
+  ASSERT_TRUE(result);
+  EXPECT_EQ(kNetworkIsolationKey1, result->first.network_isolation_key);
+  EXPECT_EQ(OK, result->second.error());
+  EXPECT_FALSE(cache.Lookup(key2, now));
+  EXPECT_EQ(1U, cache.size());
+
+  // Add a different entry for kNetworkIsolationKey2.
+  cache.Set(key2, entry2, now, 3 * kTTL);
+  result = cache.Lookup(key1, now);
+  ASSERT_TRUE(result);
+  EXPECT_EQ(kNetworkIsolationKey1, result->first.network_isolation_key);
+  EXPECT_EQ(OK, result->second.error());
+  result = cache.Lookup(key2, now);
+  ASSERT_TRUE(result);
+  EXPECT_EQ(kNetworkIsolationKey2, result->first.network_isolation_key);
+  EXPECT_EQ(ERR_FAILED, result->second.error());
+  EXPECT_EQ(2U, cache.size());
+
+  // Advance time so that first entry times out. Second entry should remain.
+  now += 2 * kTTL;
+  EXPECT_FALSE(cache.Lookup(key1, now));
+  result = cache.Lookup(key2, now);
+  ASSERT_TRUE(result);
+  EXPECT_EQ(kNetworkIsolationKey2, result->first.network_isolation_key);
+  EXPECT_EQ(ERR_FAILED, result->second.error());
+}
+
 // Try caching entries for a failed resolve attempt -- since we set the TTL of
 // such entries to 0 it won't store, but it will kick out the previous result.
 TEST(HostCacheTest, NoCacheZeroTTL) {
@@ -210,9 +282,9 @@ TEST(HostCacheTest, DnsQueryTypeIsPartOfKey) {
   base::TimeTicks now;
 
   HostCache::Key key1("foobar.com", DnsQueryType::UNSPECIFIED, 0,
-                      HostResolverSource::ANY);
-  HostCache::Key key2("foobar.com", DnsQueryType::A, 0,
-                      HostResolverSource::ANY);
+                      HostResolverSource::ANY, NetworkIsolationKey());
+  HostCache::Key key2("foobar.com", DnsQueryType::A, 0, HostResolverSource::ANY,
+                      NetworkIsolationKey());
   HostCache::Entry entry =
       HostCache::Entry(OK, AddressList(), HostCache::Entry::SOURCE_UNKNOWN);
 
@@ -245,12 +317,13 @@ TEST(HostCacheTest, HostResolverFlagsArePartOfKey) {
   // t=0.
   base::TimeTicks now;
 
-  HostCache::Key key1("foobar.com", DnsQueryType::A, 0,
-                      HostResolverSource::ANY);
+  HostCache::Key key1("foobar.com", DnsQueryType::A, 0, HostResolverSource::ANY,
+                      NetworkIsolationKey());
   HostCache::Key key2("foobar.com", DnsQueryType::A, HOST_RESOLVER_CANONNAME,
-                      HostResolverSource::ANY);
+                      HostResolverSource::ANY, NetworkIsolationKey());
   HostCache::Key key3("foobar.com", DnsQueryType::A,
-                      HOST_RESOLVER_LOOPBACK_ONLY, HostResolverSource::ANY);
+                      HOST_RESOLVER_LOOPBACK_ONLY, HostResolverSource::ANY,
+                      NetworkIsolationKey());
   HostCache::Entry entry =
       HostCache::Entry(OK, AddressList(), HostCache::Entry::SOURCE_UNKNOWN);
 
@@ -292,9 +365,9 @@ TEST(HostCacheTest, HostResolverSourceIsPartOfKey) {
   base::TimeTicks now;
 
   HostCache::Key key1("foobar.com", DnsQueryType::UNSPECIFIED, 0,
-                      HostResolverSource::ANY);
+                      HostResolverSource::ANY, NetworkIsolationKey());
   HostCache::Key key2("foobar.com", DnsQueryType::UNSPECIFIED, 0,
-                      HostResolverSource::DNS);
+                      HostResolverSource::DNS, NetworkIsolationKey());
   HostCache::Entry entry =
       HostCache::Entry(OK, AddressList(), HostCache::Entry::SOURCE_UNKNOWN);
 
@@ -328,11 +401,11 @@ TEST(HostCacheTest, SecureIsPartOfKey) {
   base::TimeTicks now;
   HostCache::EntryStaleness stale;
 
-  HostCache::Key key1("foobar.com", DnsQueryType::A, 0,
-                      HostResolverSource::ANY);
+  HostCache::Key key1("foobar.com", DnsQueryType::A, 0, HostResolverSource::ANY,
+                      NetworkIsolationKey());
   key1.secure = true;
-  HostCache::Key key2("foobar.com", DnsQueryType::A, 0,
-                      HostResolverSource::ANY);
+  HostCache::Key key2("foobar.com", DnsQueryType::A, 0, HostResolverSource::ANY,
+                      NetworkIsolationKey());
   key2.secure = false;
   HostCache::Entry entry =
       HostCache::Entry(OK, AddressList(), HostCache::Entry::SOURCE_UNKNOWN);
@@ -374,9 +447,9 @@ TEST(HostCacheTest, PreferLessStaleMoreSecure) {
   HostCache::EntryStaleness stale;
 
   HostCache::Key insecure_key("foobar.com", DnsQueryType::A, 0,
-                              HostResolverSource::ANY);
+                              HostResolverSource::ANY, NetworkIsolationKey());
   HostCache::Key secure_key("foobar.com", DnsQueryType::A, 0,
-                            HostResolverSource::ANY);
+                            HostResolverSource::ANY, NetworkIsolationKey());
   secure_key.secure = true;
   HostCache::Entry entry =
       HostCache::Entry(OK, AddressList(), HostCache::Entry::SOURCE_UNKNOWN);
@@ -691,51 +764,61 @@ TEST(HostCacheTest, KeyComparators) {
   };
   std::vector<CacheTestParameters> tests = {
       {HostCache::Key("host1", DnsQueryType::UNSPECIFIED, 0,
-                      HostResolverSource::ANY),
+                      HostResolverSource::ANY, NetworkIsolationKey()),
        HostCache::Key("host1", DnsQueryType::UNSPECIFIED, 0,
-                      HostResolverSource::ANY),
+                      HostResolverSource::ANY, NetworkIsolationKey()),
        0},
-      {HostCache::Key("host1", DnsQueryType::A, 0, HostResolverSource::ANY),
+      {HostCache::Key("host1", DnsQueryType::A, 0, HostResolverSource::ANY,
+                      NetworkIsolationKey()),
        HostCache::Key("host1", DnsQueryType::UNSPECIFIED, 0,
-                      HostResolverSource::ANY),
+                      HostResolverSource::ANY, NetworkIsolationKey()),
        1},
       {HostCache::Key("host1", DnsQueryType::UNSPECIFIED, 0,
-                      HostResolverSource::ANY),
-       HostCache::Key("host1", DnsQueryType::A, 0, HostResolverSource::ANY),
+                      HostResolverSource::ANY, NetworkIsolationKey()),
+       HostCache::Key("host1", DnsQueryType::A, 0, HostResolverSource::ANY,
+                      NetworkIsolationKey()),
        -1},
       {HostCache::Key("host1", DnsQueryType::UNSPECIFIED, 0,
-                      HostResolverSource::ANY),
+                      HostResolverSource::ANY, NetworkIsolationKey()),
        HostCache::Key("host2", DnsQueryType::UNSPECIFIED, 0,
-                      HostResolverSource::ANY),
+                      HostResolverSource::ANY, NetworkIsolationKey()),
        -1},
-      {HostCache::Key("host1", DnsQueryType::A, 0, HostResolverSource::ANY),
+      {HostCache::Key("host1", DnsQueryType::A, 0, HostResolverSource::ANY,
+                      NetworkIsolationKey()),
        HostCache::Key("host2", DnsQueryType::UNSPECIFIED, 0,
-                      HostResolverSource::ANY),
+                      HostResolverSource::ANY, NetworkIsolationKey()),
        1},
       {HostCache::Key("host1", DnsQueryType::UNSPECIFIED, 0,
-                      HostResolverSource::ANY),
-       HostCache::Key("host2", DnsQueryType::A, 0, HostResolverSource::ANY),
+                      HostResolverSource::ANY, NetworkIsolationKey()),
+       HostCache::Key("host2", DnsQueryType::A, 0, HostResolverSource::ANY,
+                      NetworkIsolationKey()),
        -1},
       {HostCache::Key("host1", DnsQueryType::UNSPECIFIED, 0,
-                      HostResolverSource::ANY),
+                      HostResolverSource::ANY, NetworkIsolationKey()),
        HostCache::Key("host1", DnsQueryType::UNSPECIFIED,
-                      HOST_RESOLVER_CANONNAME, HostResolverSource::ANY),
+                      HOST_RESOLVER_CANONNAME, HostResolverSource::ANY,
+                      NetworkIsolationKey()),
        -1},
       {HostCache::Key("host1", DnsQueryType::UNSPECIFIED,
-                      HOST_RESOLVER_CANONNAME, HostResolverSource::ANY),
+                      HOST_RESOLVER_CANONNAME, HostResolverSource::ANY,
+                      NetworkIsolationKey()),
        HostCache::Key("host1", DnsQueryType::UNSPECIFIED, 0,
-                      HostResolverSource::ANY),
+                      HostResolverSource::ANY, NetworkIsolationKey()),
        1},
       {HostCache::Key("host1", DnsQueryType::UNSPECIFIED,
-                      HOST_RESOLVER_CANONNAME, HostResolverSource::ANY),
+                      HOST_RESOLVER_CANONNAME, HostResolverSource::ANY,
+                      NetworkIsolationKey()),
        HostCache::Key("host2", DnsQueryType::UNSPECIFIED,
-                      HOST_RESOLVER_CANONNAME, HostResolverSource::ANY),
+                      HOST_RESOLVER_CANONNAME, HostResolverSource::ANY,
+                      NetworkIsolationKey()),
        -1},
   };
-  HostCache::Key insecure_key = HostCache::Key(
-      "host1", DnsQueryType::UNSPECIFIED, 0, HostResolverSource::ANY);
-  HostCache::Key secure_key = HostCache::Key("host1", DnsQueryType::UNSPECIFIED,
-                                             0, HostResolverSource::ANY);
+  HostCache::Key insecure_key =
+      HostCache::Key("host1", DnsQueryType::UNSPECIFIED, 0,
+                     HostResolverSource::ANY, NetworkIsolationKey());
+  HostCache::Key secure_key =
+      HostCache::Key("host1", DnsQueryType::UNSPECIFIED, 0,
+                     HostResolverSource::ANY, NetworkIsolationKey());
   secure_key.secure = true;
   tests.emplace_back(insecure_key, secure_key, -1);
 
@@ -854,6 +937,7 @@ TEST(HostCacheTest, SerializeAndDeserialize) {
   EXPECT_TRUE(result1->first.secure);
   ASSERT_TRUE(result1->second.addresses());
   EXPECT_FALSE(result1->second.text_records());
+  EXPECT_FALSE(result1->second.esni_data());
   EXPECT_FALSE(result1->second.hostnames());
   EXPECT_EQ(1u, result1->second.addresses().value().size());
   EXPECT_EQ(address_ipv4,
@@ -900,13 +984,62 @@ TEST(HostCacheTest, SerializeAndDeserialize) {
   EXPECT_EQ(2u, restored_cache.last_restore_size());
 }
 
+TEST(HostCacheTest, SerializeAndDeserializeWithNetworkIsolationKey) {
+  const char kHostname[] = "hostname.test";
+  const base::TimeDelta kTTL = base::TimeDelta::FromSeconds(10);
+  const url::Origin kOrigin(url::Origin::Create(GURL("https://origin.test/")));
+  const NetworkIsolationKey kNetworkIsolationKey(kOrigin, kOrigin);
+  const url::Origin kOpaqueOrigin;
+  const NetworkIsolationKey kOpaqueNetworkIsolationKey(kOpaqueOrigin,
+                                                       kOpaqueOrigin);
+
+  HostCache::Key key1(kHostname, DnsQueryType::UNSPECIFIED, 0,
+                      HostResolverSource::ANY, kNetworkIsolationKey);
+  HostCache::Key key2(kHostname, DnsQueryType::UNSPECIFIED, 0,
+                      HostResolverSource::ANY, kOpaqueNetworkIsolationKey);
+  IPEndPoint endpoint(IPAddress(1, 2, 3, 4), 0);
+
+  HostCache::Entry entry = HostCache::Entry(OK, AddressList(endpoint),
+                                            HostCache::Entry::SOURCE_UNKNOWN);
+
+  base::TimeTicks now;
+  HostCache cache(kMaxCacheEntries);
+
+  cache.Set(key1, entry, now, kTTL);
+  cache.Set(key2, entry, now, kTTL);
+
+  EXPECT_TRUE(cache.Lookup(key1, now));
+  EXPECT_EQ(kNetworkIsolationKey,
+            cache.Lookup(key1, now)->first.network_isolation_key);
+  EXPECT_TRUE(cache.Lookup(key2, now));
+  EXPECT_EQ(kOpaqueNetworkIsolationKey,
+            cache.Lookup(key2, now)->first.network_isolation_key);
+  EXPECT_EQ(2u, cache.size());
+
+  base::ListValue serialized_cache;
+  cache.GetAsListValue(&serialized_cache, /*include_staleness=*/false);
+  HostCache restored_cache(kMaxCacheEntries);
+  EXPECT_TRUE(restored_cache.RestoreFromListValue(serialized_cache));
+  EXPECT_EQ(1u, restored_cache.size());
+
+  HostCache::EntryStaleness stale;
+  const std::pair<const HostCache::Key, HostCache::Entry>* result =
+      restored_cache.LookupStale(key1, now, &stale);
+  ASSERT_TRUE(result);
+  EXPECT_EQ(kNetworkIsolationKey, result->first.network_isolation_key);
+  EXPECT_EQ(kHostname, result->first.hostname);
+  ASSERT_EQ(1u, result->second.addresses().value().size());
+  EXPECT_EQ(endpoint, result->second.addresses().value().front());
+  EXPECT_FALSE(restored_cache.Lookup(key2, now));
+}
+
 TEST(HostCacheTest, SerializeAndDeserialize_Text) {
   base::TimeTicks now;
 
   base::TimeDelta ttl = base::TimeDelta::FromSeconds(99);
   std::vector<std::string> text_records({"foo", "bar"});
-  HostCache::Key key("example.com", DnsQueryType::A, 0,
-                     HostResolverSource::DNS);
+  HostCache::Key key("example.com", DnsQueryType::A, 0, HostResolverSource::DNS,
+                     NetworkIsolationKey());
   key.secure = true;
   HostCache::Entry entry(OK, text_records, HostCache::Entry::SOURCE_DNS, ttl);
   EXPECT_TRUE(entry.text_records());
@@ -920,9 +1053,10 @@ TEST(HostCacheTest, SerializeAndDeserialize_Text) {
   HostCache restored_cache(kMaxCacheEntries);
   restored_cache.RestoreFromListValue(serialized_cache);
 
-  ASSERT_EQ(1u, cache.size());
+  ASSERT_EQ(1u, restored_cache.size());
+  HostCache::EntryStaleness stale;
   const std::pair<const HostCache::Key, HostCache::Entry>* result =
-      cache.Lookup(key, now);
+      restored_cache.LookupStale(key, now, &stale);
   ASSERT_TRUE(result);
   EXPECT_TRUE(result->first.secure);
   EXPECT_FALSE(result->second.addresses());
@@ -931,14 +1065,111 @@ TEST(HostCacheTest, SerializeAndDeserialize_Text) {
   EXPECT_EQ(text_records, result->second.text_records().value());
 }
 
+TEST(HostCacheTest, SerializeAndDeserialize_Esni) {
+  base::TimeTicks now;
+
+  base::TimeDelta ttl = base::TimeDelta::FromSeconds(99);
+  HostCache::Key key("example.com", DnsQueryType::A, 0, HostResolverSource::DNS,
+                     NetworkIsolationKey());
+  key.secure = true;
+
+  const std::string kEsniKey = "a";
+  const std::string kAddresslessEsniKey = "b";
+  const IPAddress kAddressBack(0x20, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+                               0);
+  EsniContent esni_content;
+  esni_content.AddKeyForAddress(kAddressBack, kEsniKey);
+  esni_content.AddKey(kAddresslessEsniKey);
+  HostCache::Entry entry(OK, esni_content, HostCache::Entry::SOURCE_DNS, ttl);
+  ASSERT_TRUE(entry.esni_data());
+
+  HostCache cache(kMaxCacheEntries);
+  cache.Set(key, entry, now, ttl);
+  EXPECT_EQ(1u, cache.size());
+
+  base::ListValue serialized_cache;
+  cache.GetAsListValue(&serialized_cache, false /* include_staleness */);
+  HostCache restored_cache(kMaxCacheEntries);
+  restored_cache.RestoreFromListValue(serialized_cache);
+
+  ASSERT_EQ(1u, restored_cache.size());
+  HostCache::EntryStaleness staleness;
+  const std::pair<const HostCache::Key, HostCache::Entry>* result =
+      restored_cache.LookupStale(key, now, &staleness);
+  ASSERT_TRUE(result);
+  EXPECT_TRUE(result->first.secure);
+
+  EXPECT_FALSE(result->second.addresses());
+  EXPECT_FALSE(result->second.text_records());
+  EXPECT_FALSE(result->second.hostnames());
+  EXPECT_THAT(result->second.esni_data(), Optional(esni_content));
+}
+
+class HostCacheMalformedEsniSerializationTest : public ::testing::Test {
+ public:
+  HostCacheMalformedEsniSerializationTest()
+      : serialized_cache_(),
+        // We'll only need one entry.
+        restored_cache_(1) {}
+
+ protected:
+  void SetUp() override {
+    base::TimeTicks now;
+
+    base::TimeDelta ttl = base::TimeDelta::FromSeconds(99);
+    HostCache::Key key("example.com", DnsQueryType::A, 0,
+                       HostResolverSource::DNS, NetworkIsolationKey());
+    key.secure = true;
+
+    const std::string esni_key = "a";
+    const IPAddress kAddressBack(0x20, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+                                 0);
+    EsniContent esni_content;
+    esni_content.AddKeyForAddress(kAddressBack, esni_key);
+    HostCache::Entry entry(OK, esni_content, HostCache::Entry::SOURCE_DNS, ttl);
+    ASSERT_TRUE(entry.esni_data());
+    HostCache cache(kMaxCacheEntries);
+    cache.Set(key, entry, now, ttl);
+    EXPECT_EQ(1u, cache.size());
+    cache.GetAsListValue(&serialized_cache_, true /* include_staleness */);
+  }
+
+  base::ListValue serialized_cache_;
+  HostCache restored_cache_;
+};
+
+// The key corresponds to kEsniDataKey from host_cache.cc.
+const char kEsniDataKey[] = "esni_data";
+
+TEST_F(HostCacheMalformedEsniSerializationTest, RejectsNonDictElement) {
+  base::Value non_dict_element(base::Value::Type::LIST);
+
+  base::Value::ListStorage cache_entries = serialized_cache_.TakeList();
+  cache_entries[0].SetKey(kEsniDataKey, std::move(non_dict_element));
+  serialized_cache_ = base::ListValue(std::move(cache_entries));
+
+  EXPECT_FALSE(restored_cache_.RestoreFromListValue(serialized_cache_));
+}
+
+TEST_F(HostCacheMalformedEsniSerializationTest, RejectsNonStringAddress) {
+  base::Value dict_with_non_string_value(base::Value::Type::DICTIONARY);
+  dict_with_non_string_value.SetKey("a", base::Value(1));
+
+  base::Value::ListStorage cache_entries = serialized_cache_.TakeList();
+  cache_entries[0].SetKey(kEsniDataKey, std::move(dict_with_non_string_value));
+  serialized_cache_ = base::ListValue(std::move(cache_entries));
+
+  EXPECT_FALSE(restored_cache_.RestoreFromListValue(serialized_cache_));
+}
+
 TEST(HostCacheTest, SerializeAndDeserialize_Hostname) {
   base::TimeTicks now;
 
   base::TimeDelta ttl = base::TimeDelta::FromSeconds(99);
   std::vector<HostPortPair> hostnames(
       {HostPortPair("example.com", 95), HostPortPair("chromium.org", 122)});
-  HostCache::Key key("example.com", DnsQueryType::A, 0,
-                     HostResolverSource::DNS);
+  HostCache::Key key("example.com", DnsQueryType::A, 0, HostResolverSource::DNS,
+                     NetworkIsolationKey());
   HostCache::Entry entry(OK, hostnames, HostCache::Entry::SOURCE_DNS, ttl);
   EXPECT_TRUE(entry.hostnames());
 
@@ -951,13 +1182,15 @@ TEST(HostCacheTest, SerializeAndDeserialize_Hostname) {
   HostCache restored_cache(kMaxCacheEntries);
   restored_cache.RestoreFromListValue(serialized_cache);
 
-  ASSERT_EQ(1u, cache.size());
+  ASSERT_EQ(1u, restored_cache.size());
+  HostCache::EntryStaleness stale;
   const std::pair<const HostCache::Key, HostCache::Entry>* result =
-      cache.Lookup(key, now);
+      restored_cache.LookupStale(key, now, &stale);
   ASSERT_TRUE(result);
   EXPECT_FALSE(result->first.secure);
   EXPECT_FALSE(result->second.addresses());
   EXPECT_FALSE(result->second.text_records());
+  EXPECT_FALSE(result->second.esni_data());
   ASSERT_TRUE(result->second.hostnames());
   EXPECT_EQ(hostnames, result->second.hostnames().value());
 }
@@ -1062,13 +1295,191 @@ TEST(HostCacheTest, MergeEntries) {
   EXPECT_EQ(OK, result.error());
   EXPECT_EQ(HostCache::Entry::SOURCE_DNS, result.source());
 
+  // Expect the IPv6 address to precede the IPv4 address.
+  EXPECT_THAT(result.addresses(),
+              Optional(Property(&AddressList::endpoints,
+                                ElementsAre(kEndpointBack, kEndpointFront))));
+  EXPECT_THAT(result.text_records(), Optional(ElementsAre("text1", "text2")));
+
+  EXPECT_THAT(result.hostnames(),
+              Optional(ElementsAre(kHostnameFront, kHostnameBack)));
+}
+
+IPAddress MakeIP(base::StringPiece literal) {
+  IPAddress ret;
+  CHECK(ret.AssignFromIPLiteral(literal));
+  return ret;
+}
+
+IPAddressList MakeIPList(std::vector<std::string> my_addresses) {
+  IPAddressList out(my_addresses.size());
+  std::transform(my_addresses.begin(), my_addresses.end(), out.begin(),
+                 &MakeIP);
+  return out;
+}
+
+std::vector<IPEndPoint> MakeEndpoints(std::vector<std::string> my_addresses) {
+  std::vector<IPEndPoint> out(my_addresses.size());
+  std::transform(my_addresses.begin(), my_addresses.end(), out.begin(),
+                 [](auto& s) { return IPEndPoint(MakeIP(s), 0); });
+  return out;
+}
+
+TEST(HostCacheTest, SortsAndDeduplicatesAddresses) {
+  IPAddressList front_addresses = MakeIPList({"0.0.0.1", "0.0.0.1", "0.0.0.2"});
+  IPAddressList back_addresses =
+      MakeIPList({"0.0.0.2", "0.0.0.2", "::3", "::3"});
+
+  HostCache::Entry front(
+      OK, AddressList::CreateFromIPAddressList(front_addresses, "front"),
+      HostCache::Entry::SOURCE_DNS);
+  HostCache::Entry back(
+      OK, AddressList::CreateFromIPAddressList(back_addresses, "back"),
+      HostCache::Entry::SOURCE_DNS);
+
+  HostCache::Entry result =
+      HostCache::Entry::MergeEntries(std::move(front), std::move(back));
+
+  EXPECT_EQ(OK, result.error());
+  EXPECT_EQ(HostCache::Entry::SOURCE_DNS, result.source());
+
+  EXPECT_THAT(
+      result.addresses(),
+      Optional(Property(
+          &AddressList::endpoints,
+          ElementsAreArray(MakeEndpoints({"::3", "0.0.0.1", "0.0.0.2"})))));
+}
+
+TEST(HostCacheTest, PrefersAddressesWithEsniContent) {
+  IPAddressList front_addresses = MakeIPList({"0.0.0.2", "0.0.0.4"});
+  IPAddressList back_addresses =
+      MakeIPList({"0.0.0.2", "0.0.0.2", "::3", "::3", "0.0.0.4"});
+
+  EsniContent esni_content_front, esni_content_back;
+  esni_content_front.AddKeyForAddress(MakeIP("0.0.0.4"), "key for 0.0.0.4");
+  esni_content_back.AddKeyForAddress(MakeIP("::3"), "key for ::3");
+
+  HostCache::Entry front(
+      OK, AddressList::CreateFromIPAddressList(front_addresses, "front"),
+      HostCache::Entry::SOURCE_DNS);
+  front.set_esni_data(esni_content_front);
+  HostCache::Entry back(
+      OK, AddressList::CreateFromIPAddressList(back_addresses, "back"),
+      HostCache::Entry::SOURCE_DNS);
+  back.set_esni_data(esni_content_back);
+
+  HostCache::Entry result =
+      HostCache::Entry::MergeEntries(std::move(front), std::move(back));
+
+  EXPECT_THAT(
+      result.addresses(),
+      Optional(Property(
+          &AddressList::endpoints,
+          ElementsAreArray(MakeEndpoints({"::3", "0.0.0.4", "0.0.0.2"})))));
+
+  EXPECT_THAT(result.esni_data(),
+              Optional(Property(
+                  &EsniContent::keys_for_addresses,
+                  UnorderedElementsAre(
+                      Pair(MakeIP("::3"), UnorderedElementsAre("key for ::3")),
+                      Pair(MakeIP("0.0.0.4"),
+                           UnorderedElementsAre("key for 0.0.0.4"))))));
+}
+
+TEST(HostCacheTest, MergesManyEntriesWithEsniContent) {
+  IPAddressList front_addresses, back_addresses;
+  EsniContent esni_content_front, esni_content_back;
+
+  // Add several IPv4 and IPv6 addresses to both the front and
+  // back ESNI structs and address_lists, and associate some of each
+  // with ESNI keys.
+  const std::string ipv4_prefix = "1.2.3.", ipv6_prefix = "::";
+  for (int i = 0; i < 50; ++i) {
+    IPAddress next =
+        MakeIP((i % 2 ? ipv4_prefix : ipv6_prefix) + base::NumberToString(i));
+    bool is_front = !!(i % 3);
+    if (is_front) {
+      front_addresses.push_back(next);
+    } else {
+      back_addresses.push_back(next);
+    }
+    if (i % 5) {
+      std::string key = base::NumberToString(i % 5);
+      if (is_front) {
+        esni_content_front.AddKeyForAddress(next, key);
+      } else {
+        esni_content_back.AddKeyForAddress(next, key);
+      }
+    }
+  }
+
+  HostCache::Entry front(
+      OK,
+      AddressList::CreateFromIPAddressList(front_addresses, "front_canonname"),
+      HostCache::Entry::SOURCE_DNS);
+  front.set_esni_data(esni_content_front);
+
+  HostCache::Entry back(
+      OK,
+      AddressList::CreateFromIPAddressList(back_addresses, "back_canonname"),
+      HostCache::Entry::SOURCE_DNS);
+  back.set_esni_data(esni_content_back);
+
+  HostCache::Entry result =
+      HostCache::Entry::MergeEntries(std::move(front), std::move(back));
+
   ASSERT_TRUE(result.addresses());
-  EXPECT_THAT(result.addresses().value().endpoints(),
-              testing::ElementsAre(kEndpointFront, kEndpointBack));
-  EXPECT_THAT(result.text_records(),
-              testing::Optional(testing::ElementsAre("text1", "text2")));
-  EXPECT_THAT(result.hostnames(), testing::Optional(testing::ElementsAre(
-                                      kHostnameFront, kHostnameBack)));
+  EXPECT_EQ(result.addresses()->canonical_name(), "front_canonname");
+
+  EXPECT_EQ(result.addresses()->size(),
+            std::set<IPEndPoint>(result.addresses()->begin(),
+                                 result.addresses()->end())
+                .size())
+      << "Addresses should have been deduplicated.";
+
+  ASSERT_TRUE(result.esni_data());
+
+  auto has_keys = [&](const IPEndPoint& e) {
+    return !!result.esni_data()->keys_for_addresses().count(e.address());
+  };
+
+  // Helper for determining whether the resulting addresses are correctly
+  // ordered. Returns true if it's an error for |e2| to come before |e1| in
+  // *results.addresses().
+  auto address_must_precede = [&](const IPEndPoint& e1,
+                                  const IPEndPoint& e2) -> bool {
+    if (has_keys(e1) != has_keys(e2)) {
+      return has_keys(e1) && !has_keys(e2);
+    }
+    if (e1.address().IsIPv6() != e2.address().IsIPv6()) {
+      return e1.address().IsIPv6() && !e2.address().IsIPv6();
+    }
+
+    // If e1 and e2 were in the same input entry, and they're otherwise
+    // tied in the precedence ordering, then their order in the input entry
+    // should be preserved in the output.
+    bool e1_in_front = base::Contains(front_addresses, e1.address());
+    bool e2_in_front = base::Contains(front_addresses, e2.address());
+    bool e1_in_back = base::Contains(back_addresses, e1.address());
+    bool e2_in_back = base::Contains(back_addresses, e2.address());
+    if (e1_in_front == e2_in_front && e1_in_front != e1_in_back &&
+        e2_in_front != e2_in_back) {
+      const IPAddressList common_list =
+          e1_in_front ? front_addresses : back_addresses;
+      return std::find(common_list.begin(), common_list.end(), e1.address()) <
+             std::find(common_list.begin(), common_list.end(), e2.address());
+    }
+    return false;
+  };
+
+  for (size_t i = 0; i < result.addresses()->size() - 1; ++i) {
+    EXPECT_FALSE(address_must_precede((*result.addresses())[i + 1],
+                                      (*result.addresses())[i]));
+  }
+
+  auto esni_content_merged = esni_content_front;
+  esni_content_merged.MergeFrom(esni_content_back);
+  EXPECT_THAT(result.esni_data(), Optional(esni_content_merged));
 }
 
 TEST(HostCacheTest, MergeEntries_frontEmpty) {
@@ -1081,6 +1492,10 @@ TEST(HostCacheTest, MergeEntries_frontEmpty) {
                         HostCache::Entry::SOURCE_DNS,
                         base::TimeDelta::FromHours(4));
   back.set_text_records(std::vector<std::string>{"text2"});
+  EsniContent esni_content_back;
+  const std::string esni_key = "a";
+  esni_content_back.AddKeyForAddress(kAddressBack, esni_key);
+  back.set_esni_data(esni_content_back);
   const HostPortPair kHostnameBack("host", 2);
   back.set_hostnames(std::vector<HostPortPair>{kHostnameBack});
 
@@ -1092,11 +1507,10 @@ TEST(HostCacheTest, MergeEntries_frontEmpty) {
 
   ASSERT_TRUE(result.addresses());
   EXPECT_THAT(result.addresses().value().endpoints(),
-              testing::ElementsAre(kEndpointBack));
-  EXPECT_THAT(result.text_records(),
-              testing::Optional(testing::ElementsAre("text2")));
-  EXPECT_THAT(result.hostnames(),
-              testing::Optional(testing::ElementsAre(kHostnameBack)));
+              ElementsAre(kEndpointBack));
+  EXPECT_THAT(result.text_records(), Optional(ElementsAre("text2")));
+  EXPECT_THAT(result.hostnames(), Optional(ElementsAre(kHostnameBack)));
+  EXPECT_THAT(result.esni_data(), Optional(esni_content_back));
 
   EXPECT_EQ(base::TimeDelta::FromHours(4), result.ttl());
 }
@@ -1108,6 +1522,10 @@ TEST(HostCacheTest, MergeEntries_backEmpty) {
                          HostCache::Entry::SOURCE_DNS,
                          base::TimeDelta::FromMinutes(5));
   front.set_text_records(std::vector<std::string>{"text1"});
+  EsniContent esni_content_front;
+  const std::string esni_key = "a";
+  esni_content_front.AddKeyForAddress(kAddressFront, esni_key);
+  front.set_esni_data(esni_content_front);
   const HostPortPair kHostnameFront("host", 1);
   front.set_hostnames(std::vector<HostPortPair>{kHostnameFront});
 
@@ -1121,11 +1539,10 @@ TEST(HostCacheTest, MergeEntries_backEmpty) {
 
   ASSERT_TRUE(result.addresses());
   EXPECT_THAT(result.addresses().value().endpoints(),
-              testing::ElementsAre(kEndpointFront));
-  EXPECT_THAT(result.text_records(),
-              testing::Optional(testing::ElementsAre("text1")));
-  EXPECT_THAT(result.hostnames(),
-              testing::Optional(testing::ElementsAre(kHostnameFront)));
+              ElementsAre(kEndpointFront));
+  EXPECT_THAT(result.text_records(), Optional(ElementsAre("text1")));
+  EXPECT_THAT(result.hostnames(), Optional(ElementsAre(kHostnameFront)));
+  EXPECT_THAT(result.esni_data(), Optional(esni_content_front));
 
   EXPECT_EQ(base::TimeDelta::FromMinutes(5), result.ttl());
 }
@@ -1143,7 +1560,7 @@ TEST(HostCacheTest, MergeEntries_bothEmpty) {
   EXPECT_FALSE(result.addresses());
   EXPECT_FALSE(result.text_records());
   EXPECT_FALSE(result.hostnames());
-
+  EXPECT_FALSE(result.esni_data());
   EXPECT_FALSE(result.has_ttl());
 }
 
@@ -1222,15 +1639,17 @@ void GetMatchingKeyHelper(const HostCache::Key key, bool expect_match) {
 
 TEST(HostCacheTest, GetMatchingKey_ExactMatch) {
   // Should find match because this mimics the default Key struct.
-  GetMatchingKeyHelper(HostCache::Key("foobar.com", DnsQueryType::UNSPECIFIED,
-                                      0, HostResolverSource::ANY),
-                       true);
+  GetMatchingKeyHelper(
+      HostCache::Key("foobar.com", DnsQueryType::UNSPECIFIED, 0,
+                     HostResolverSource::ANY, NetworkIsolationKey()),
+      true);
 }
 
 TEST(HostCacheTest, GetMatchingKey_IgnoreSecureField) {
   // Should find match because lookups ignore the secure field.
-  HostCache::Key secure_key = HostCache::Key(
-      "foobar.com", DnsQueryType::UNSPECIFIED, 0, HostResolverSource::ANY);
+  HostCache::Key secure_key =
+      HostCache::Key("foobar.com", DnsQueryType::UNSPECIFIED, 0,
+                     HostResolverSource::ANY, NetworkIsolationKey());
   secure_key.secure = true;
   GetMatchingKeyHelper(secure_key, true);
 }
@@ -1238,7 +1657,8 @@ TEST(HostCacheTest, GetMatchingKey_IgnoreSecureField) {
 TEST(HostCacheTest, GetMatchingKey_UnsupportedDnsQueryType) {
   // Should not find match because the DnsQueryType field matters.
   GetMatchingKeyHelper(
-      HostCache::Key("foobar.com", DnsQueryType::A, 0, HostResolverSource::ANY),
+      HostCache::Key("foobar.com", DnsQueryType::A, 0, HostResolverSource::ANY,
+                     NetworkIsolationKey()),
       false);
 }
 
@@ -1247,22 +1667,24 @@ TEST(HostCacheTest, GetMatchingKey_UnsupportedHostResolverFlags) {
   GetMatchingKeyHelper(
       HostCache::Key("foobar.com", DnsQueryType::UNSPECIFIED,
                      HOST_RESOLVER_DEFAULT_FAMILY_SET_DUE_TO_NO_IPV6,
-                     HostResolverSource::ANY),
+                     HostResolverSource::ANY, NetworkIsolationKey()),
       false);
 }
 
 TEST(HostCacheTest, GetMatchingKey_UnsupportedHostResolverSource) {
   // Should not find match because the HostResolverSource field matters.
-  GetMatchingKeyHelper(HostCache::Key("foobar.com", DnsQueryType::UNSPECIFIED,
-                                      0, HostResolverSource::DNS),
-                       false);
+  GetMatchingKeyHelper(
+      HostCache::Key("foobar.com", DnsQueryType::UNSPECIFIED, 0,
+                     HostResolverSource::DNS, NetworkIsolationKey()),
+      false);
 }
 
 TEST(HostCacheTest, GetMatchingKey_AlternativeMatch) {
   // Should find match because a lookup with these alternate fields is tried.
-  HostCache::Key secure_key = HostCache::Key(
-      "foobar.com", DnsQueryType::A,
-      HOST_RESOLVER_DEFAULT_FAMILY_SET_DUE_TO_NO_IPV6, HostResolverSource::ANY);
+  HostCache::Key secure_key =
+      HostCache::Key("foobar.com", DnsQueryType::A,
+                     HOST_RESOLVER_DEFAULT_FAMILY_SET_DUE_TO_NO_IPV6,
+                     HostResolverSource::ANY, NetworkIsolationKey());
   secure_key.secure = true;
   GetMatchingKeyHelper(secure_key, true);
 }
diff --git a/chromium/net/dns/host_resolver.cc b/chromium/net/dns/host_resolver.cc
index 9ad065c5044..76b9bc6ec73 100644
--- a/chromium/net/dns/host_resolver.cc
+++ b/chromium/net/dns/host_resolver.cc
@@ -26,12 +26,14 @@ namespace net {
 
 namespace {
 
-class FailingRequestImpl : public HostResolver::ResolveHostRequest {
+class FailingRequestImpl : public HostResolver::ResolveHostRequest,
+                           public HostResolver::ProbeRequest {
  public:
   explicit FailingRequestImpl(int error) : error_(error) {}
   ~FailingRequestImpl() override = default;
 
   int Start(CompletionOnceCallback callback) override { return error_; }
+  int Start() override { return error_; }
 
   const base::Optional<AddressList>& GetAddressResults() const override {
     static base::NoDestructor<base::Optional<AddressList>> nullopt_result;
@@ -52,6 +54,15 @@ class FailingRequestImpl : public HostResolver::ResolveHostRequest {
     return *nullopt_result;
   }
 
+  const base::Optional<EsniContent>& GetEsniResults() const override {
+    static const base::NoDestructor<base::Optional<EsniContent>> nullopt_result;
+    return *nullopt_result;
+  }
+
+  ResolveErrorInfo GetResolveErrorInfo() const override {
+    return ResolveErrorInfo(error_);
+  }
+
   const base::Optional<HostCache::EntryStaleness>& GetStaleInfo()
       const override {
     static const base::NoDestructor<base::Optional<HostCache::EntryStaleness>>
@@ -94,6 +105,22 @@ HostResolver::ResolveHostParameters::ResolveHostParameters(
 
 HostResolver::~HostResolver() = default;
 
+std::unique_ptr<HostResolver::ResolveHostRequest> HostResolver::CreateRequest(
+    const HostPortPair& host,
+    const NetLogWithSource& net_log,
+    const base::Optional<ResolveHostParameters>& optional_parameters) {
+  return CreateRequest(host, NetworkIsolationKey(), net_log,
+                       optional_parameters);
+}
+
+std::unique_ptr<HostResolver::ProbeRequest>
+HostResolver::CreateDohProbeRequest() {
+  // Should be overridden in any HostResolver implementation where this method
+  // may be called.
+  NOTREACHED();
+  return nullptr;
+}
+
 std::unique_ptr<HostResolver::MdnsListener> HostResolver::CreateMdnsListener(
     const HostPortPair& host,
     DnsQueryType query_type) {
@@ -213,6 +240,16 @@ HostResolverFlags HostResolver::ParametersToHostResolverFlags(
   return flags;
 }
 
+// static
+int HostResolver::SquashErrorCode(int error) {
+  if (error == OK || error == ERR_IO_PENDING ||
+      error == ERR_NAME_NOT_RESOLVED) {
+    return error;
+  } else {
+    return ERR_NAME_NOT_RESOLVED;
+  }
+}
+
 HostResolver::HostResolver() = default;
 
 // static
@@ -221,4 +258,10 @@ HostResolver::CreateFailingRequest(int error) {
   return std::make_unique<FailingRequestImpl>(error);
 }
 
+// static
+std::unique_ptr<HostResolver::ProbeRequest>
+HostResolver::CreateFailingProbeRequest(int error) {
+  return std::make_unique<FailingRequestImpl>(error);
+}
+
 }  // namespace net
diff --git a/chromium/net/dns/host_resolver.h b/chromium/net/dns/host_resolver.h
index 0b96a65dea8..092ac6fa19c 100644
--- a/chromium/net/dns/host_resolver.h
+++ b/chromium/net/dns/host_resolver.h
@@ -24,6 +24,7 @@
 #include "net/dns/host_cache.h"
 #include "net/dns/host_resolver_source.h"
 #include "net/dns/public/dns_query_type.h"
+#include "net/dns/public/resolve_error_info.h"
 
 namespace base {
 class Value;
@@ -100,6 +101,20 @@ class NET_EXPORT HostResolver {
     virtual const base::Optional<std::vector<HostPortPair>>&
     GetHostnameResults() const = 0;
 
+    // TLS 1.3 Encrypted Server Name Indication, draft 4 (ESNI,
+    // https://tools.ietf.org/html/draft-ietf-tls-esni-04)
+    // results of the request. Should only be called after
+    // Start() signals completion, either by invoking the callback or by
+    // returning a result other than |ERR_IO_PENDING|.
+    virtual const base::Optional<EsniContent>& GetEsniResults() const = 0;
+
+    // Error info for the request.
+    //
+    // Should only be called after Start() signals completion, either by
+    // invoking the callback or by returning a result other than
+    // |ERR_IO_PENDING|.
+    virtual ResolveErrorInfo GetResolveErrorInfo() const = 0;
+
     // Information about the result's staleness in the host cache. Only
     // available if results were received from the host cache.
     //
@@ -115,6 +130,19 @@ class NET_EXPORT HostResolver {
     virtual void ChangeRequestPriority(RequestPriority priority) {}
   };
 
+  // Handler for an activation of probes controlled by a HostResolver. Created
+  // by HostResolver::CreateDohProbeRequest().
+  class ProbeRequest {
+   public:
+    // Destruction cancels the request and all probes.
+    virtual ~ProbeRequest() {}
+
+    // Activates async running of probes. Always returns ERR_IO_PENDING or an
+    // error from activating probes. No callback as probes will never "complete"
+    // until cancellation.
+    virtual int Start() = 0;
+  };
+
   // Parameter-grouping struct for additional optional parameters for creation
   // of HostResolverManagers and stand-alone HostResolvers.
   struct NET_EXPORT ManagerOptions {
@@ -283,9 +311,23 @@ class NET_EXPORT HostResolver {
   // defaults will be used if passed |base::nullopt|.
   virtual std::unique_ptr<ResolveHostRequest> CreateRequest(
       const HostPortPair& host,
+      const NetworkIsolationKey& network_isolation_key,
       const NetLogWithSource& net_log,
       const base::Optional<ResolveHostParameters>& optional_parameters) = 0;
 
+  // Deprecated version of above method that uses an empty NetworkIsolationKey.
+  //
+  // TODO(mmenke): Once all consumers have been updated to use the other
+  // overload instead, remove this method and make above method pure virtual.
+  virtual std::unique_ptr<ResolveHostRequest> CreateRequest(
+      const HostPortPair& host,
+      const NetLogWithSource& net_log,
+      const base::Optional<ResolveHostParameters>& optional_parameters);
+
+  // Creates a request to probe configured DoH servers to find which can be used
+  // successfully.
+  virtual std::unique_ptr<ProbeRequest> CreateDohProbeRequest();
+
   // Create a listener to watch for updates to an MDNS result.
   virtual std::unique_ptr<MdnsListener> CreateMdnsListener(
       const HostPortPair& host,
@@ -339,12 +381,16 @@ class NET_EXPORT HostResolver {
   static HostResolverFlags ParametersToHostResolverFlags(
       const ResolveHostParameters& parameters);
 
+  // Helper for squashing error code to a small set of DNS error codes.
+  static int SquashErrorCode(int error);
+
  protected:
   HostResolver();
 
   // Utility to create a request implementation that always fails with |error|
   // immediately on start.
   static std::unique_ptr<ResolveHostRequest> CreateFailingRequest(int error);
+  static std::unique_ptr<ProbeRequest> CreateFailingProbeRequest(int error);
 
  private:
   DISALLOW_COPY_AND_ASSIGN(HostResolver);
diff --git a/chromium/net/dns/host_resolver_histograms.cc b/chromium/net/dns/host_resolver_histograms.cc
new file mode 100644
index 00000000000..5f03df0548f
--- /dev/null
+++ b/chromium/net/dns/host_resolver_histograms.cc
@@ -0,0 +1,63 @@
+// Copyright 2019 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "net/dns/host_resolver_histograms.h"
+
+#include "base/metrics/histogram_macros.h"
+
+namespace net {
+
+namespace dns_histograms {
+
+const char kEsniTransactionSuccessHistogram[] =
+    "Net.DNS.DnsTransaction.EsniUnspecTask.SuccessOrTimeout";
+
+const char kNonEsniTotalTimeHistogram[] =
+    "Net.DNS.DnsTransaction.EsniUnspecTask.NonEsniEndToEndElapsed";
+
+const char kEsniTimeHistogramForEsniTasks[] =
+    "Net.DNS.DnsTransaction.EsniTask.EsniTransactionEndToEndElapsed";
+
+const char kEsniTimeHistogramForUnspecTasks[] =
+    "Net.DNS.DnsTransaction.EsniUnspecTask.EsniTransactionEndToEndElapsed";
+
+const char kEsniVersusNonEsniWithEsniLonger[] =
+    "Net.DNS.DnsTransaction.EsniUnspecTask.EsniMinusNonEsni";
+
+const char kEsniVersusNonEsniWithNonEsniLonger[] =
+    "Net.DNS.DnsTransaction.EsniUnspecTask.NonEsniMinusEsni";
+
+void RecordEsniTransactionStatus(EsniSuccessOrTimeout status) {
+  UMA_HISTOGRAM_ENUMERATION(kEsniTransactionSuccessHistogram, status);
+}
+
+void RecordEsniTimeForEsniTask(base::TimeDelta elapsed) {
+  UMA_HISTOGRAM_LONG_TIMES_100(kEsniTimeHistogramForEsniTasks, elapsed);
+}
+
+void RecordEsniTimeForUnspecTask(base::TimeDelta elapsed) {
+  UMA_HISTOGRAM_LONG_TIMES_100(kEsniTimeHistogramForUnspecTasks, elapsed);
+}
+
+void RecordNonEsniTimeForUnspecTask(base::TimeDelta elapsed) {
+  UMA_HISTOGRAM_LONG_TIMES_100(kNonEsniTotalTimeHistogram, elapsed);
+}
+
+void RecordEsniVersusNonEsniTimes(base::TimeDelta esni_elapsed,
+                                  base::TimeDelta non_esni_elapsed) {
+  if (esni_elapsed > non_esni_elapsed) {
+    UMA_HISTOGRAM_LONG_TIMES_100(kEsniVersusNonEsniWithEsniLonger,
+                                 esni_elapsed - non_esni_elapsed);
+  } else {
+    // Choose this timer (arbitrarily) to record the case where the
+    // times are equal; since they are obtained from TickClock::NowTicks(),
+    // this should seldom occur.
+    UMA_HISTOGRAM_LONG_TIMES_100(kEsniVersusNonEsniWithNonEsniLonger,
+                                 non_esni_elapsed - esni_elapsed);
+  }
+}
+
+}  // namespace dns_histograms
+
+}  // namespace net
diff --git a/chromium/net/dns/host_resolver_histograms.h b/chromium/net/dns/host_resolver_histograms.h
new file mode 100644
index 00000000000..4bc9dbcfdbd
--- /dev/null
+++ b/chromium/net/dns/host_resolver_histograms.h
@@ -0,0 +1,68 @@
+// Copyright 2019 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef NET_DNS_HOST_RESOLVER_HISTOGRAMS_H_
+#define NET_DNS_HOST_RESOLVER_HISTOGRAMS_H_
+
+#include "base/time/time.h"
+#include "net/base/net_export.h"
+
+namespace net {
+namespace dns_histograms {
+
+// (Histogram names exported for testing.)
+
+// The name of the histogram recording the outcome of ESNI-type
+// transactions. Records successes, DnsTask-level
+// timeouts, and the total number of started transactions.
+NET_EXPORT_PRIVATE extern const char kEsniTransactionSuccessHistogram[];
+
+// The name of the histogram recording the end-to-end aggregate duration
+// of all non-ESNI transactions in DNS tasks with ESNI transactions.
+NET_EXPORT_PRIVATE extern const char kNonEsniTotalTimeHistogram[];
+
+// The names of the histograms recording the total end-to-end elapsed time
+// (from task start) to the completion of successful ESNI transactions,
+// the first for transactions made during DnsQueryType::UNSPECIFIED tasks
+// and the second for transactions made during DnsQueryType::ESNI tasks.
+NET_EXPORT_PRIVATE extern const char kEsniTimeHistogramForUnspecTasks[];
+NET_EXPORT_PRIVATE extern const char kEsniTimeHistogramForEsniTasks[];
+
+// The names of the histograms recording the absolute differences in end-to-end
+// elapsed time between ESNI and non-ESNI transactions in
+// DnsQueryType::UNSPECIFIED tasks. The first covers the case where the task's
+// ESNI transaction completed last, the second the case where non-ESNI
+// transactions completed last.
+NET_EXPORT_PRIVATE extern const char kEsniVersusNonEsniWithEsniLonger[];
+NET_EXPORT_PRIVATE extern const char kEsniVersusNonEsniWithNonEsniLonger[];
+
+// Persisted to histograms. Do not relabel or delete entries.
+enum class EsniSuccessOrTimeout {
+  kSuccess = 0,
+  kTimeout = 1,
+  // To infer the number of failures, record the total
+  // number of started ESNI transactions.
+  kStarted = 2,
+  kMaxValue = kStarted
+};
+
+// Logs |status| to |kEsniTransactionSuccessHistogram|.
+void RecordEsniTransactionStatus(EsniSuccessOrTimeout status);
+
+// Logs the difference between end-to-end ESNI and non-ESNI elapsed
+// times, for UNSPECIFIED-with-ESNI tasks where all transactions
+// complete successfully.
+void RecordEsniVersusNonEsniTimes(base::TimeDelta esni_elapsed,
+                                  base::TimeDelta non_esni_elapsed);
+
+// Logs |elapsed| to the corresponding kEsniTime[...] histogram (see above).
+void RecordEsniTimeForUnspecTask(base::TimeDelta elapsed);
+void RecordNonEsniTimeForUnspecTask(base::TimeDelta elapsed);
+void RecordEsniTimeForEsniTask(base::TimeDelta elapsed);
+
+}  // namespace dns_histograms
+
+}  // namespace net
+
+#endif  // NET_DNS_HOST_RESOLVER_HISTOGRAMS_H_
diff --git a/chromium/net/dns/host_resolver_manager.cc b/chromium/net/dns/host_resolver_manager.cc
index 25e2bcf004c..5d9a9137314 100644
--- a/chromium/net/dns/host_resolver_manager.cc
+++ b/chromium/net/dns/host_resolver_manager.cc
@@ -32,6 +32,7 @@
 #include "base/compiler_specific.h"
 #include "base/containers/linked_list.h"
 #include "base/debug/debugger.h"
+#include "base/feature_list.h"
 #include "base/logging.h"
 #include "base/macros.h"
 #include "base/memory/ptr_util.h"
@@ -59,10 +60,12 @@
 #include "build/build_config.h"
 #include "net/base/address_family.h"
 #include "net/base/address_list.h"
+#include "net/base/features.h"
 #include "net/base/host_port_pair.h"
 #include "net/base/ip_address.h"
 #include "net/base/ip_endpoint.h"
 #include "net/base/net_errors.h"
+#include "net/base/network_isolation_key.h"
 #include "net/base/request_priority.h"
 #include "net/base/trace_constants.h"
 #include "net/base/url_util.h"
@@ -72,11 +75,13 @@
 #include "net/dns/dns_response.h"
 #include "net/dns/dns_transaction.h"
 #include "net/dns/dns_util.h"
+#include "net/dns/host_resolver_histograms.h"
 #include "net/dns/host_resolver_mdns_listener_impl.h"
 #include "net/dns/host_resolver_mdns_task.h"
 #include "net/dns/host_resolver_proc.h"
 #include "net/dns/mdns_client.h"
 #include "net/dns/public/dns_protocol.h"
+#include "net/dns/public/resolve_error_info.h"
 #include "net/dns/record_parsed.h"
 #include "net/log/net_log.h"
 #include "net/log/net_log_capture_mode.h"
@@ -162,7 +167,7 @@ bool ResemblesMulticastDNSName(const std::string& hostname) {
   const char kSuffix[] = ".local.";
   const size_t kSuffixLen = sizeof(kSuffix) - 1;
   const size_t kSuffixLenTrimmed = kSuffixLen - 1;
-  if (hostname.back() == '.') {
+  if (!hostname.empty() && hostname.back() == '.') {
     return hostname.size() > kSuffixLen &&
            !hostname.compare(hostname.size() - kSuffixLen, kSuffixLen, kSuffix);
   }
@@ -312,19 +317,6 @@ base::Value NetLogDnsTaskFailedParams(const HostCache::Entry& results,
   return std::move(dict);
 }
 
-// Creates NetLog parameters containing the information of the request. Use
-// NetLogRequestInfoCallback if the request is specified via RequestInfo.
-base::Value NetLogRequestParams(const HostPortPair& host) {
-  base::DictionaryValue dict;
-
-  dict.SetString("host", host.ToString());
-  dict.SetInteger("address_family",
-                  static_cast<int>(ADDRESS_FAMILY_UNSPECIFIED));
-  dict.SetBoolean("allow_cached_response", true);
-  dict.SetBoolean("is_speculative", false);
-  return std::move(dict);
-}
-
 // Creates NetLog parameters for the creation of a HostResolverManager::Job.
 base::Value NetLogJobCreationParams(const NetLogSource& source,
                                     const std::string& host) {
@@ -353,26 +345,6 @@ base::Value NetLogIPv6AvailableParams(bool ipv6_available, bool cached) {
 // The logging routines are defined here because some requests are resolved
 // without a Request object.
 
-// Logs when a request has just been started. Overloads for whether or not the
-// request information is specified via a RequestInfo object.
-void LogStartRequest(const NetLogWithSource& source_net_log,
-                     const HostPortPair& host) {
-  source_net_log.BeginEvent(NetLogEventType::HOST_RESOLVER_IMPL_REQUEST,
-                            [&] { return NetLogRequestParams(host); });
-}
-
-// Logs when a request has just completed (before its callback is run).
-void LogFinishRequest(const NetLogWithSource& source_net_log, int net_error) {
-  source_net_log.EndEventWithNetErrorCode(
-      NetLogEventType::HOST_RESOLVER_IMPL_REQUEST, net_error);
-}
-
-// Logs when a request has been cancelled.
-void LogCancelRequest(const NetLogWithSource& source_net_log) {
-  source_net_log.AddEvent(NetLogEventType::CANCELLED);
-  source_net_log.EndEvent(NetLogEventType::HOST_RESOLVER_IMPL_REQUEST);
-}
-
 //-----------------------------------------------------------------------------
 
 // Maximum of 6 concurrent resolver threads (excluding retries).
@@ -516,17 +488,23 @@ bool ResolveLocalHostname(base::StringPiece host, AddressList* address_list) {
 // cancellation is initiated by the Job (OnJobCancelled) vs by the end user
 // (~RequestImpl).
 class HostResolverManager::RequestImpl
-    : public CancellableRequest,
+    : public CancellableResolveHostRequest,
       public base::LinkNode<HostResolverManager::RequestImpl> {
  public:
   RequestImpl(const NetLogWithSource& source_net_log,
               const HostPortPair& request_host,
+              const NetworkIsolationKey& network_isolation_key,
               const base::Optional<ResolveHostParameters>& optional_parameters,
               URLRequestContext* request_context,
               HostCache* host_cache,
               base::WeakPtr<HostResolverManager> resolver)
       : source_net_log_(source_net_log),
         request_host_(request_host),
+        network_isolation_key_(
+            base::FeatureList::IsEnabled(
+                net::features::kSplitHostCacheByNetworkIsolationKey)
+                ? network_isolation_key
+                : NetworkIsolationKey()),
         parameters_(optional_parameters ? optional_parameters.value()
                                         : ResolveHostParameters()),
         request_context_(request_context),
@@ -555,6 +533,7 @@ class HostResolverManager::RequestImpl
     // Parent HostResolver must still be alive to call Start().
     DCHECK(resolver_);
 
+    LogStartRequest();
     int rv = resolver_->Resolve(this);
     DCHECK(!complete_);
     if (rv == ERR_IO_PENDING) {
@@ -563,6 +542,7 @@ class HostResolverManager::RequestImpl
     } else {
       DCHECK(!job_);
       complete_ = true;
+      LogFinishRequest(rv);
     }
     resolver_ = nullptr;
 
@@ -591,6 +571,17 @@ class HostResolverManager::RequestImpl
     return results_ ? results_.value().hostnames() : *nullopt_result;
   }
 
+  const base::Optional<EsniContent>& GetEsniResults() const override {
+    DCHECK(complete_);
+    static const base::NoDestructor<base::Optional<EsniContent>> nullopt_result;
+    return results_ ? results_.value().esni_data() : *nullopt_result;
+  }
+
+  net::ResolveErrorInfo GetResolveErrorInfo() const override {
+    DCHECK(complete_);
+    return error_info_;
+  }
+
   const base::Optional<HostCache::EntryStaleness>& GetStaleInfo()
       const override {
     DCHECK(complete_);
@@ -609,6 +600,8 @@ class HostResolverManager::RequestImpl
     results_ = std::move(results);
   }
 
+  void set_error_info(int error) { error_info_ = ResolveErrorInfo(error); }
+
   void set_stale_info(HostCache::EntryStaleness stale_info) {
     // Should only be called at most once and before request is marked
     // completed.
@@ -636,17 +629,23 @@ class HostResolverManager::RequestImpl
 
     // No results should be set.
     DCHECK(!results_);
+
+    LogCancelRequest();
   }
 
   // Cleans up Job assignment, marks request completed, and calls the completion
   // callback.
   void OnJobCompleted(Job* job, int error) {
+    set_error_info(error);
+
     DCHECK_EQ(job_, job);
     job_ = nullptr;
 
     DCHECK(!complete_);
     complete_ = true;
 
+    LogFinishRequest(error);
+
     DCHECK(callback_);
     std::move(callback_).Run(error);
   }
@@ -658,6 +657,10 @@ class HostResolverManager::RequestImpl
 
   const HostPortPair& request_host() const { return request_host_; }
 
+  const NetworkIsolationKey& network_isolation_key() const {
+    return network_isolation_key_;
+  }
+
   const ResolveHostParameters& parameters() const { return parameters_; }
 
   URLRequestContext* request_context() const { return request_context_; }
@@ -682,9 +685,40 @@ class HostResolverManager::RequestImpl
   }
 
  private:
+  // Logs when a request has just been started.
+  void LogStartRequest() {
+    source_net_log_.BeginEvent(
+        NetLogEventType::HOST_RESOLVER_IMPL_REQUEST, [this] {
+          base::Value dict(base::Value::Type::DICTIONARY);
+          dict.SetStringKey("host", request_host_.ToString());
+          dict.SetIntKey("dns_query_type",
+                         static_cast<int>(parameters_.dns_query_type));
+          dict.SetBoolKey("allow_cached_response",
+                          parameters_.cache_usage !=
+                              ResolveHostParameters::CacheUsage::DISALLOWED);
+          dict.SetBoolKey("is_speculative", parameters_.is_speculative);
+          dict.SetStringKey("network_isolation_key",
+                            network_isolation_key_.ToDebugString());
+          return dict;
+        });
+  }
+
+  // Logs when a request has just completed (before its callback is run).
+  void LogFinishRequest(int net_error) {
+    source_net_log_.EndEventWithNetErrorCode(
+        NetLogEventType::HOST_RESOLVER_IMPL_REQUEST, net_error);
+  }
+
+  // Logs when a request has been cancelled.
+  void LogCancelRequest() {
+    source_net_log_.AddEvent(NetLogEventType::CANCELLED);
+    source_net_log_.EndEvent(NetLogEventType::HOST_RESOLVER_IMPL_REQUEST);
+  }
+
   const NetLogWithSource source_net_log_;
 
   const HostPortPair request_host_;
+  const NetworkIsolationKey network_isolation_key_;
   ResolveHostParameters parameters_;
   URLRequestContext* const request_context_;
   HostCache* const host_cache_;
@@ -702,6 +736,7 @@ class HostResolverManager::RequestImpl
   bool complete_;
   base::Optional<HostCache::Entry> results_;
   base::Optional<HostCache::EntryStaleness> stale_info_;
+  ResolveErrorInfo error_info_;
 
   base::TimeTicks request_time_;
 
@@ -710,6 +745,43 @@ class HostResolverManager::RequestImpl
   DISALLOW_COPY_AND_ASSIGN(RequestImpl);
 };
 
+class HostResolverManager::ProbeRequestImpl : public CancellableProbeRequest {
+ public:
+  ProbeRequestImpl(URLRequestContext* context,
+                   base::WeakPtr<HostResolverManager> resolver)
+      : context_(context), resolver_(resolver) {
+    DCHECK(context_);
+  }
+
+  ProbeRequestImpl(const ProbeRequestImpl&) = delete;
+  ProbeRequestImpl& operator=(const ProbeRequestImpl&) = delete;
+
+  ~ProbeRequestImpl() override { Cancel(); }
+
+  void Cancel() override {
+    if (!needs_cancel_ || !resolver_)
+      return;
+
+    resolver_->CancelDohProbes();
+    needs_cancel_ = false;
+    context_ = nullptr;
+  }
+
+  int Start() override {
+    DCHECK(resolver_);
+    DCHECK(!needs_cancel_);
+
+    resolver_->ActivateDohProbes(context_);
+    needs_cancel_ = true;
+    return ERR_IO_PENDING;
+  }
+
+ private:
+  URLRequestContext* context_;
+  base::WeakPtr<HostResolverManager> resolver_;
+  bool needs_cancel_ = false;
+};
+
 //------------------------------------------------------------------------------
 
 // Calls HostResolverProc in ThreadPool. Performs retries if necessary.
@@ -831,8 +903,8 @@ class HostResolverManager::ProcTask {
       AttemptCompletionCallback completion_callback) {
     AddressList results;
     int os_error = 0;
-    int error = resolver_proc->Resolve(std::move(hostname), address_family,
-                                       flags, &results, &os_error);
+    int error = resolver_proc->Resolve(hostname, address_family, flags,
+                                       &results, &os_error);
 
     network_task_runner->PostTask(
         FROM_HERE, base::BindOnce(std::move(completion_callback), results,
@@ -979,6 +1051,7 @@ class HostResolverManager::DnsTask : public base::SupportsWeakPtr<DnsTask> {
         secure_dns_mode_(secure_dns_mode),
         delegate_(delegate),
         net_log_(job_net_log),
+        query_type_(query_type),
         num_completed_transactions_(0),
         tick_clock_(tick_clock),
         task_start_time_(tick_clock_->NowTicks()) {
@@ -993,6 +1066,13 @@ class HostResolverManager::DnsTask : public base::SupportsWeakPtr<DnsTask> {
     } else {
       transactions_needed_.push(DnsQueryType::A);
       transactions_needed_.push(DnsQueryType::AAAA);
+
+      if (secure_ &&
+          base::FeatureList::IsEnabled(features::kRequestEsniDnsRecords)) {
+        transactions_needed_.push(DnsQueryType::ESNI);
+        dns_histograms::RecordEsniTransactionStatus(
+            dns_histograms::EsniSuccessOrTimeout::kStarted);
+      }
     }
     num_needed_transactions_ = transactions_needed_.size();
 
@@ -1012,7 +1092,8 @@ class HostResolverManager::DnsTask : public base::SupportsWeakPtr<DnsTask> {
   void StartNextTransaction() {
     DCHECK(needs_another_transaction());
 
-    if (transactions_started_.empty())
+    if (num_needed_transactions_ ==
+        static_cast<int>(transactions_needed_.size()))
       net_log_.BeginEvent(NetLogEventType::HOST_RESOLVER_IMPL_DNS_TASK);
 
     DnsQueryType type = transactions_needed_.front();
@@ -1044,12 +1125,43 @@ class HostResolverManager::DnsTask : public base::SupportsWeakPtr<DnsTask> {
     return trans;
   }
 
+  void OnEsniTransactionTimeout() {
+    // Currently, the ESNI transaction timer only gets started
+    // when all non-ESNI transactions have completed.
+    DCHECK(TaskIsCompleteOrOnlyEsniTransactionsRemain());
+
+    for (size_t i = 0; i < transactions_started_.size(); ++i) {
+      dns_histograms::RecordEsniTransactionStatus(
+          dns_histograms::EsniSuccessOrTimeout::kTimeout);
+    }
+
+    num_completed_transactions_ += transactions_started_.size();
+    DCHECK(num_completed_transactions_ == num_needed_transactions());
+    transactions_started_.clear();
+
+    ProcessResultsOnCompletion();
+  }
+
   void OnTransactionComplete(const base::TimeTicks& start_time,
                              DnsQueryType dns_query_type,
                              DnsTransaction* transaction,
                              int net_error,
                              const DnsResponse* response) {
     DCHECK(transaction);
+
+    // Once control leaves OnTransactionComplete, there's no further
+    // need for the transaction object. On the other hand, since it owns
+    // |*response|, it should stay around while OnTransactionComplete
+    // executes.
+    std::unique_ptr<DnsTransaction> destroy_transaction_on_return;
+    {
+      auto it = transactions_started_.find(transaction);
+      DCHECK(it != transactions_started_.end());
+
+      destroy_transaction_on_return = std::move(*it);
+      transactions_started_.erase(it);
+    }
+
     if (net_error != OK && !(net_error == ERR_NAME_NOT_RESOLVED && response &&
                              response->IsValid())) {
       OnFailure(net_error, DnsResponse::DNS_PARSE_OK, base::nullopt);
@@ -1060,7 +1172,7 @@ class HostResolverManager::DnsTask : public base::SupportsWeakPtr<DnsTask> {
     HostCache::Entry results(ERR_FAILED, HostCache::Entry::SOURCE_UNKNOWN);
     switch (dns_query_type) {
       case DnsQueryType::UNSPECIFIED:
-        // Should create two separate transactions with specified type.
+        // Should create multiple transactions with specified types.
         NOTREACHED();
         break;
       case DnsQueryType::A:
@@ -1076,6 +1188,9 @@ class HostResolverManager::DnsTask : public base::SupportsWeakPtr<DnsTask> {
       case DnsQueryType::SRV:
         parse_result = ParseServiceDnsResponse(response, &results);
         break;
+      case DnsQueryType::ESNI:
+        parse_result = ParseEsniDnsResponse(response, &results);
+        break;
     }
     DCHECK_LT(parse_result, DnsResponse::DNS_PARSE_RESULT_MAX);
 
@@ -1091,14 +1206,21 @@ class HostResolverManager::DnsTask : public base::SupportsWeakPtr<DnsTask> {
 
       switch (dns_query_type) {
         case DnsQueryType::A:
-          // A results in |results| go after other results in |saved_results_|,
-          // so merge |saved_results_| to the front.
+          // Canonical names from A results have lower priority than those
+          // from AAAA results, so merge to the back.
           results = HostCache::Entry::MergeEntries(
               std::move(saved_results_).value(), std::move(results));
           break;
         case DnsQueryType::AAAA:
-          // AAAA results in |results| go before other results in
-          // |saved_results_|, so merge |saved_results_| to the back.
+          // Canonical names from AAAA results take priority over those
+          // from A results, so merge to the front.
+          results = HostCache::Entry::MergeEntries(
+              std::move(results), std::move(saved_results_).value());
+          break;
+        case DnsQueryType::ESNI:
+          // It doesn't matter whether the ESNI record is the "front"
+          // or the "back" argument to the merge, since the logic for
+          // merging addresses from ESNI records is the same in each case.
           results = HostCache::Entry::MergeEntries(
               std::move(results), std::move(saved_results_).value());
           break;
@@ -1108,23 +1230,54 @@ class HostResolverManager::DnsTask : public base::SupportsWeakPtr<DnsTask> {
       }
     }
 
+    saved_results_ = std::move(results);
+
+    MaybeRecordMetricsOnSuccessfulTransaction(dns_query_type);
+
     // If not all transactions are complete, the task cannot yet be completed
     // and the results so far must be saved to merge with additional results.
     ++num_completed_transactions_;
     if (num_completed_transactions_ < num_needed_transactions()) {
-      saved_results_ = std::move(results);
       delegate_->OnIntermediateTransactionComplete();
+      MaybeStartEsniTimer();
       return;
     }
 
-    // If there are multiple addresses, and at least one is IPv6, need to sort
-    // them.  Note that IPv6 addresses are always put before IPv4 ones, so it's
-    // sufficient to just check the family of the first address.
-    if (results.addresses() && results.addresses().value().size() > 1 &&
-        results.addresses().value()[0].GetFamily() == ADDRESS_FAMILY_IPV6) {
+    // Since all transactions are complete, in particular, all ESNI transactions
+    // are complete (if any were started).
+    esni_cancellation_timer_.Stop();
+
+    ProcessResultsOnCompletion();
+  }
+
+  // Postprocesses the transactions' aggregated results after all
+  // transactions have completed.
+  void ProcessResultsOnCompletion() {
+    DCHECK(saved_results_.has_value());
+    HostCache::Entry results = std::move(*saved_results_);
+
+    // If there are multiple addresses, and at least one is IPv6, need to
+    // sort them.
+    // When there are no ESNI keys in the record, IPv6 addresses are always
+    // put before IPv4 ones, so it's sufficient to just check the family of
+    // the first address.
+    // When there are ESNI keys, there could be ESNI-equipped
+    // IPv4 addresses preceding the first IPv6 address, so it's necessary to
+    // scan the list.
+    bool at_least_one_ipv6_address =
+        results.addresses() && !results.addresses().value().empty() &&
+        (results.addresses().value()[0].GetFamily() == ADDRESS_FAMILY_IPV6 ||
+         (results.esni_data() &&
+          std::any_of(results.addresses().value().begin(),
+                      results.addresses().value().end(), [](auto& e) {
+                        return e.GetFamily() == ADDRESS_FAMILY_IPV6;
+                      })));
+
+    if (at_least_one_ipv6_address) {
       // Sort addresses if needed.  Sort could complete synchronously.
+      AddressList addresses = results.addresses().value();
       client_->GetAddressSorter()->Sort(
-          results.addresses().value(),
+          addresses,
           base::BindOnce(&DnsTask::OnSortComplete, AsWeakPtr(),
                          tick_clock_->NowTicks(), std::move(results), secure_));
       return;
@@ -1146,6 +1299,7 @@ class HostResolverManager::DnsTask : public base::SupportsWeakPtr<DnsTask> {
       *out_results = HostCache::Entry(ERR_NAME_NOT_RESOLVED, AddressList(),
                                       HostCache::Entry::SOURCE_DNS, ttl);
     } else {
+      addresses.Deduplicate();
       *out_results = HostCache::Entry(OK, std::move(addresses),
                                       HostCache::Entry::SOURCE_DNS, ttl);
     }
@@ -1236,6 +1390,58 @@ class HostResolverManager::DnsTask : public base::SupportsWeakPtr<DnsTask> {
     return DnsResponse::DNS_PARSE_OK;
   }
 
+  DnsResponse::Result ParseEsniDnsResponse(const DnsResponse* response,
+                                           HostCache::Entry* out_results) {
+    std::vector<std::unique_ptr<const RecordParsed>> records;
+    base::Optional<base::TimeDelta> response_ttl;
+    DnsResponse::Result parse_result = ParseAndFilterResponseRecords(
+        response, dns_protocol::kExperimentalTypeEsniDraft4, &records,
+        &response_ttl);
+
+    if (parse_result != DnsResponse::DNS_PARSE_OK) {
+      *out_results = GetMalformedResponseResult();
+      return parse_result;
+    }
+
+    // Glom the ESNI response records into a single EsniContent;
+    // this also dedups keys and (key, address) associations.
+    EsniContent content;
+    for (const auto& record : records) {
+      const EsniRecordRdata& rdata = *record->rdata<EsniRecordRdata>();
+
+      for (const IPAddress& address : rdata.addresses())
+        content.AddKeyForAddress(address, rdata.esni_keys());
+    }
+
+    // As a first pass, deliberately ignore ESNI records with no addresses
+    // included. Later, the implementation can be extended to handle "at-large"
+    // ESNI keys not specifically associated with collections of addresses.
+    // (We're declining the "...clients MAY initiate..." choice in ESNI draft 4,
+    // Section 4.2.2 Step 2.)
+    if (content.keys_for_addresses().empty()) {
+      *out_results =
+          HostCache::Entry(ERR_NAME_NOT_RESOLVED, EsniContent(),
+                           HostCache::Entry::SOURCE_DNS, response_ttl);
+    } else {
+      AddressList addresses, ipv4_addresses_temporary;
+      addresses.set_canonical_name(hostname_);
+      for (const auto& kv : content.keys_for_addresses())
+        (kv.first.IsIPv6() ? addresses : ipv4_addresses_temporary)
+            .push_back(IPEndPoint(kv.first, 0));
+      addresses.insert(addresses.end(), ipv4_addresses_temporary.begin(),
+                       ipv4_addresses_temporary.end());
+
+      // Store the addresses separately from the ESNI key-address
+      // associations, so that the addresses can be merged later with
+      // addresses from A and AAAA records.
+      *out_results = HostCache::Entry(
+          OK, std::move(content), HostCache::Entry::SOURCE_DNS, response_ttl);
+      out_results->set_addresses(std::move(addresses));
+    }
+
+    return parse_result;
+  }
+
   // Sort service targets per RFC2782.  In summary, sort first by |priority|,
   // lowest first.  For targets with the same priority, secondary sort randomly
   // using |weight| with higher weighted objects more likely to go first.
@@ -1392,6 +1598,97 @@ class HostResolverManager::DnsTask : public base::SupportsWeakPtr<DnsTask> {
     delegate_->OnDnsTaskComplete(task_start_time_, results, secure_);
   }
 
+  // Returns whether all transactions left to execute are of transaction
+  // type ESNI. (In particular, this is the case if all transactions are
+  // complete.)
+  // Used for logging and starting the ESNI transaction timer (see
+  // MaybeStartEsniTimer).
+  bool TaskIsCompleteOrOnlyEsniTransactionsRemain() const {
+    // Since DoH runs all transactions concurrently and
+    // DnsQueryType::UNSPECIFIED-with-ESNI tasks are only run using DoH,
+    // this method only needs to check the transactions in transactions_started_
+    // because transactions_needed_ is empty from the time the first
+    // transaction is started.
+    DCHECK(transactions_needed_.empty());
+
+    return std::all_of(
+        transactions_started_.begin(), transactions_started_.end(),
+        [&](const std::unique_ptr<DnsTransaction>& p) {
+          DCHECK(p);
+          return p->GetType() == dns_protocol::kExperimentalTypeEsniDraft4;
+        });
+  }
+
+  // If ESNI transactions are being executed as part of this task
+  // and all transactions except the ESNI transactions have finished, and the
+  // ESNI transactions have not finished, starts a timer after which to abort
+  // the ESNI transactions.
+  //
+  // This timer has duration equal to the shorter of two parameterized values:
+  // - a fixed, absolute duration
+  // - a relative duration (as a proportion of the total time taken for
+  // the task's other transactions).
+  void MaybeStartEsniTimer() {
+    DCHECK(!transactions_started_.empty());
+    DCHECK(saved_results_);
+    if (!esni_cancellation_timer_.IsRunning() &&
+        TaskIsCompleteOrOnlyEsniTransactionsRemain()) {
+      base::TimeDelta total_time_taken_for_other_transactions =
+          tick_clock_->NowTicks() - task_start_time_;
+
+      esni_cancellation_timer_.Start(
+          FROM_HERE,
+          std::min(
+              features::EsniDnsMaxAbsoluteAdditionalWait(),
+              total_time_taken_for_other_transactions *
+                  (0.01 *
+                   features::kEsniDnsMaxRelativeAdditionalWaitPercent.Get())),
+          this, &DnsTask::OnEsniTransactionTimeout);
+    }
+  }
+
+  // Records transaction metrics (currently only concerning ESNI records).
+  //
+  // In DnsQueryType::ESNI tasks, records the time taken to complete
+  // the task's single transaction.
+  //
+  // In DnsQueryType::UNSPECIFIED tasks, records:
+  // 1) the end-to-end time elapsed at completion of the ESNI transaction;
+  // 2) the end-to-end time after all non-ESNI transactions.
+  // (The goal is to measure the marginal impact on total task time
+  // caused by adding ESNI queries to DnsQueryType::UNSPECIFIED tasks).
+  void MaybeRecordMetricsOnSuccessfulTransaction(
+      DnsQueryType transaction_type) {
+    auto elapsed = tick_clock_->NowTicks() - task_start_time_;
+
+    if (query_type_ != DnsQueryType::ESNI &&
+        query_type_ != DnsQueryType::UNSPECIFIED) {
+      return;
+    }
+
+    if (query_type_ == DnsQueryType::ESNI) {
+      dns_histograms::RecordEsniTimeForEsniTask(elapsed);
+      return;
+    }
+
+    if (transaction_type == DnsQueryType::ESNI) {
+      dns_histograms::RecordEsniTransactionStatus(
+          dns_histograms::EsniSuccessOrTimeout::kSuccess);
+      dns_histograms::RecordEsniTimeForUnspecTask(elapsed);
+      esni_elapsed_for_logging_ = elapsed;
+    } else if (base::FeatureList::IsEnabled(features::kRequestEsniDnsRecords) &&
+               TaskIsCompleteOrOnlyEsniTransactionsRemain()) {
+      dns_histograms::RecordNonEsniTimeForUnspecTask(elapsed);
+      non_esni_elapsed_for_logging_ = elapsed;
+    }
+
+    if (esni_elapsed_for_logging_ != base::TimeDelta() &&
+        non_esni_elapsed_for_logging_ != base::TimeDelta()) {
+      dns_histograms::RecordEsniVersusNonEsniTimes(
+          esni_elapsed_for_logging_, non_esni_elapsed_for_logging_);
+    }
+  }
+
   DnsClient* client_;
   std::string hostname_;
   URLRequestContext* const request_context_;
@@ -1404,8 +1701,12 @@ class HostResolverManager::DnsTask : public base::SupportsWeakPtr<DnsTask> {
   Delegate* delegate_;
   const NetLogWithSource net_log_;
 
+  // The overall query type of the task.
+  DnsQueryType query_type_;
+
   base::queue<DnsQueryType> transactions_needed_;
-  base::flat_set<std::unique_ptr<DnsTransaction>> transactions_started_;
+  base::flat_set<std::unique_ptr<DnsTransaction>, base::UniquePtrComparator>
+      transactions_started_;
   int num_needed_transactions_;
   int num_completed_transactions_;
 
@@ -1416,6 +1717,17 @@ class HostResolverManager::DnsTask : public base::SupportsWeakPtr<DnsTask> {
   const base::TickClock* tick_clock_;
   base::TimeTicks task_start_time_;
 
+  // In order to histogram the relative end-to-end elapsed times of
+  // a task's ESNI and non-ESNI transactions, store the end-to-end time
+  // elapsed from task start to the end of the task's ESNI transaction
+  // (if any) and its final non-ESNI transaction.
+  base::TimeDelta esni_elapsed_for_logging_;
+  base::TimeDelta non_esni_elapsed_for_logging_;
+
+  // Timer for early abort of ESNI transactions. See comments describing
+  // the timeout parameters in net/base/features.h.
+  base::OneShotTimer esni_cancellation_timer_;
+
   DISALLOW_COPY_AND_ASSIGN(DnsTask);
 };
 
@@ -1424,12 +1736,14 @@ class HostResolverManager::DnsTask : public base::SupportsWeakPtr<DnsTask> {
 struct HostResolverManager::JobKey {
   bool operator<(const JobKey& other) const {
     return std::tie(query_type, flags, source, secure_dns_mode, request_context,
-                    hostname) < std::tie(other.query_type, other.flags,
-                                         other.source, other.secure_dns_mode,
-                                         other.request_context, other.hostname);
+                    hostname, network_isolation_key_) <
+           std::tie(other.query_type, other.flags, other.source,
+                    other.secure_dns_mode, other.request_context,
+                    other.hostname, other.network_isolation_key_);
   }
 
   std::string hostname;
+  NetworkIsolationKey network_isolation_key_;
   DnsQueryType query_type;
   HostResolverFlags flags;
   HostResolverSource source;
@@ -1445,6 +1759,7 @@ class HostResolverManager::Job : public PrioritizedDispatcher::Job,
   // request that spawned it.
   Job(const base::WeakPtr<HostResolverManager>& resolver,
       base::StringPiece hostname,
+      const NetworkIsolationKey& network_isolation_key,
       DnsQueryType query_type,
       HostResolverFlags host_resolver_flags,
       HostResolverSource requested_source,
@@ -1459,6 +1774,7 @@ class HostResolverManager::Job : public PrioritizedDispatcher::Job,
       const base::TickClock* tick_clock)
       : resolver_(resolver),
         hostname_(hostname),
+        network_isolation_key_(network_isolation_key),
         query_type_(query_type),
         host_resolver_flags_(host_resolver_flags),
         requested_source_(requested_source),
@@ -1508,7 +1824,6 @@ class HostResolverManager::Job : public PrioritizedDispatcher::Job,
       RequestImpl* req = requests_.head()->value();
       req->RemoveFromList();
       DCHECK_EQ(this, req->job());
-      LogCancelRequest(req->source_net_log());
       req->OnJobCancelled(this);
     }
   }
@@ -1576,8 +1891,6 @@ class HostResolverManager::Job : public PrioritizedDispatcher::Job,
     DCHECK_EQ(hostname_, request->request_host().host());
     DCHECK(!requests_.empty());
 
-    LogCancelRequest(request->source_net_log());
-
     priority_tracker_.Remove(request->priority());
     net_log_.AddEvent(NetLogEventType::HOST_RESOLVER_IMPL_JOB_REQUEST_DETACH,
                       [&] {
@@ -1774,7 +2087,7 @@ class HostResolverManager::Job : public PrioritizedDispatcher::Job,
  private:
   HostCache::Key GenerateCacheKey(bool secure) const {
     HostCache::Key cache_key(hostname_, query_type_, host_resolver_flags_,
-                             requested_source_);
+                             requested_source_, network_isolation_key_);
     cache_key.secure = secure;
     return cache_key;
   }
@@ -2229,6 +2542,7 @@ class HostResolverManager::Job : public PrioritizedDispatcher::Job,
       proc_task_ = nullptr;
       KillDnsTask();
       mdns_task_ = nullptr;
+      job_running_ = false;
 
       if (dispatcher_) {
         // Signal dispatcher that a slot has opened.
@@ -2267,7 +2581,6 @@ class HostResolverManager::Job : public PrioritizedDispatcher::Job,
       req->RemoveFromList();
       DCHECK_EQ(this, req->job());
       // Update the net log and notify registered observers.
-      LogFinishRequest(req->source_net_log(), results.error());
       if (results.did_complete()) {
         // Record effective total time from creation to completion.
         resolver_->RecordTotalTime(
@@ -2295,7 +2608,7 @@ class HostResolverManager::Job : public PrioritizedDispatcher::Job,
       for (auto* node = requests_.head(); node != requests_.end();
            node = node->next()) {
         if (!node->value()->parameters().is_speculative)
-          node->value()->set_stale_info(std::move(stale_info).value());
+          node->value()->set_stale_info(stale_info.value());
       }
     }
     CompleteRequests(results, base::TimeDelta(), false /* allow_cache */,
@@ -2320,6 +2633,7 @@ class HostResolverManager::Job : public PrioritizedDispatcher::Job,
   base::WeakPtr<HostResolverManager> resolver_;
 
   const std::string hostname_;
+  const NetworkIsolationKey network_isolation_key_;
   const DnsQueryType query_type_;
   const HostResolverFlags host_resolver_flags_;
   const HostResolverSource requested_source_;
@@ -2465,9 +2779,10 @@ HostResolverManager::~HostResolverManager() {
     system_dns_config_notifier_->RemoveObserver(this);
 }
 
-std::unique_ptr<HostResolverManager::CancellableRequest>
+std::unique_ptr<HostResolverManager::CancellableResolveHostRequest>
 HostResolverManager::CreateRequest(
     const HostPortPair& host,
+    const NetworkIsolationKey& network_isolation_key,
     const NetLogWithSource& net_log,
     const base::Optional<ResolveHostParameters>& optional_parameters,
     URLRequestContext* request_context,
@@ -2480,9 +2795,17 @@ HostResolverManager::CreateRequest(
   if (host_cache)
     DCHECK(host_cache_invalidators_.HasObserver(host_cache->invalidator()));
 
-  return std::make_unique<RequestImpl>(net_log, host, optional_parameters,
-                                       request_context, host_cache,
-                                       weak_ptr_factory_.GetWeakPtr());
+  return std::make_unique<RequestImpl>(
+      net_log, host, network_isolation_key, optional_parameters,
+      request_context, host_cache, weak_ptr_factory_.GetWeakPtr());
+}
+
+std::unique_ptr<HostResolverManager::CancellableProbeRequest>
+HostResolverManager::CreateDohProbeRequest(URLRequestContext* context) {
+  DCHECK_CALLED_ON_VALID_THREAD(thread_checker_);
+
+  return std::make_unique<ProbeRequestImpl>(context,
+                                            weak_ptr_factory_.GetWeakPtr());
 }
 
 std::unique_ptr<HostResolver::MdnsListener>
@@ -2560,23 +2883,6 @@ void HostResolverManager::SetDnsConfigOverrides(DnsConfigOverrides overrides) {
   }
 }
 
-void HostResolverManager::SetRequestContextForProbes(
-    URLRequestContext* url_request_context) {
-  DCHECK_CALLED_ON_VALID_THREAD(thread_checker_);
-  dns_client_->SetRequestContextForProbes(url_request_context);
-}
-
-void HostResolverManager::CancelProbesForContext(
-    URLRequestContext* url_request_context) {
-  DCHECK_CALLED_ON_VALID_THREAD(thread_checker_);
-
-  // If no DnsClient, there are no probes to cancel.
-  if (!dns_client_)
-    return;
-
-  dns_client_->CancelProbesForContext(url_request_context);
-}
-
 void HostResolverManager::AddHostCacheInvalidator(
     HostCache::Invalidator* invalidator) {
   host_cache_invalidators_.AddObserver(invalidator);
@@ -2628,6 +2934,11 @@ void HostResolverManager::SetDnsClientForTesting(
   dns_client_ = std::move(dns_client);
 }
 
+void HostResolverManager::SetLastIPv6ProbeResultForTesting(
+    bool last_ipv6_probe_result) {
+  SetLastIPv6ProbeResult(last_ipv6_probe_result);
+}
+
 void HostResolverManager::SetTaskRunnerForTesting(
     scoped_refptr<base::TaskRunner> task_runner) {
   proc_task_runner_ = std::move(task_runner);
@@ -2649,16 +2960,15 @@ int HostResolverManager::Resolve(RequestImpl* request) {
 
   request->set_request_time(tick_clock_->NowTicks());
 
-  LogStartRequest(request->source_net_log(), request->request_host());
-
   DnsQueryType effective_query_type;
   HostResolverFlags effective_host_resolver_flags;
   DnsConfig::SecureDnsMode effective_secure_dns_mode;
   std::deque<TaskType> tasks;
   base::Optional<HostCache::EntryStaleness> stale_info;
   HostCache::Entry results = ResolveLocally(
-      request->request_host().host(), request->parameters().dns_query_type,
-      request->parameters().source, request->host_resolver_flags(),
+      request->request_host().host(), request->network_isolation_key(),
+      request->parameters().dns_query_type, request->parameters().source,
+      request->host_resolver_flags(),
       request->parameters().secure_dns_mode_override,
       request->parameters().cache_usage, request->source_net_log(),
       request->host_cache(), &effective_query_type,
@@ -2673,9 +2983,9 @@ int HostResolverManager::Resolve(RequestImpl* request) {
     }
     if (stale_info && !request->parameters().is_speculative)
       request->set_stale_info(std::move(stale_info).value());
-    LogFinishRequest(request->source_net_log(), results.error());
     RecordTotalTime(request->parameters().is_speculative, true /* from_cache */,
                     effective_secure_dns_mode, base::TimeDelta());
+    request->set_error_info(results.error());
     return results.error();
   }
 
@@ -2686,6 +2996,7 @@ int HostResolverManager::Resolve(RequestImpl* request) {
 
 HostCache::Entry HostResolverManager::ResolveLocally(
     const std::string& hostname,
+    const NetworkIsolationKey& network_isolation_key,
     DnsQueryType dns_query_type,
     HostResolverSource source,
     HostResolverFlags flags,
@@ -2759,7 +3070,8 @@ HostCache::Entry HostResolverManager::ResolveLocally(
        out_tasks->front() == TaskType::INSECURE_CACHE_LOOKUP ||
        out_tasks->front() == TaskType::CACHE_LOOKUP)) {
     HostCache::Key key(hostname, *out_effective_query_type,
-                       *out_effective_host_resolver_flags, source);
+                       *out_effective_host_resolver_flags, source,
+                       network_isolation_key);
 
     if (out_tasks->front() == TaskType::SECURE_CACHE_LOOKUP)
       key.secure = true;
@@ -2805,20 +3117,23 @@ void HostResolverManager::CreateAndStartJob(
     std::deque<TaskType> tasks,
     RequestImpl* request) {
   DCHECK(!tasks.empty());
-  JobKey key = {request->request_host().host(), effective_query_type,
-                effective_host_resolver_flags,  request->parameters().source,
-                effective_secure_dns_mode,      request->request_context()};
+  JobKey key = {
+      request->request_host().host(), request->network_isolation_key(),
+      effective_query_type,           effective_host_resolver_flags,
+      request->parameters().source,   effective_secure_dns_mode,
+      request->request_context()};
 
   auto jobit = jobs_.find(key);
   Job* job;
   if (jobit == jobs_.end()) {
     auto new_job = std::make_unique<Job>(
         weak_ptr_factory_.GetWeakPtr(), request->request_host().host(),
-        effective_query_type, effective_host_resolver_flags,
-        request->parameters().source, request->parameters().cache_usage,
-        effective_secure_dns_mode, request->request_context(),
-        request->host_cache(), std::move(tasks), request->priority(),
-        proc_task_runner_, request->source_net_log(), tick_clock_);
+        request->network_isolation_key(), effective_query_type,
+        effective_host_resolver_flags, request->parameters().source,
+        request->parameters().cache_usage, effective_secure_dns_mode,
+        request->request_context(), request->host_cache(), std::move(tasks),
+        request->priority(), proc_task_runner_, request->source_net_log(),
+        tick_clock_);
     job = new_job.get();
     auto insert_result = jobs_.emplace(std::move(key), std::move(new_job));
     DCHECK(insert_result.second);
@@ -3031,26 +3346,6 @@ DnsConfig::SecureDnsMode HostResolverManager::GetEffectiveSecureDnsMode(
   } else if (config) {
     secure_dns_mode = config->secure_dns_mode;
   }
-
-  // If the query name matches one of the DoH server names, downgrade to OFF to
-  // avoid infinite recursion.
-  // TODO(crbug.com/985589): Add a URLRequest-level parameter to skip DoH that
-  // can be set when a URLRequest to a DoH server is built, and use this
-  // parameters to set |secure_dns_mode_override| in ResolveHostParameters. This
-  // improvement will prevent us from unnecessarily skipping DoH when a
-  // connection to the DoH server has been established but the query happens to
-  // be for a DoH server hostname.
-  if (config) {
-    for (auto& server : config->dns_over_https_servers) {
-      if (hostname.compare(
-              GURL(GetURLFromTemplateWithoutParameters(server.server_template))
-                  .host()) == 0) {
-        secure_dns_mode = DnsConfig::SecureDnsMode::OFF;
-        break;
-      }
-    }
-  }
-
   return secure_dns_mode;
 }
 
@@ -3269,9 +3564,8 @@ bool HostResolverManager::IsIPv6Reachable(const NetLogWithSource& net_log) {
   bool cached = true;
   if ((tick_clock_->NowTicks() - last_ipv6_probe_time_).InMilliseconds() >
       kIPv6ProbePeriodMs) {
-    last_ipv6_probe_result_ =
-        IsGloballyReachable(IPAddress(kIPv6ProbeAddress), net_log);
-    last_ipv6_probe_time_ = tick_clock_->NowTicks();
+    SetLastIPv6ProbeResult(
+        IsGloballyReachable(IPAddress(kIPv6ProbeAddress), net_log));
     cached = false;
   }
   net_log.AddEvent(
@@ -3281,6 +3575,11 @@ bool HostResolverManager::IsIPv6Reachable(const NetLogWithSource& net_log) {
   return last_ipv6_probe_result_;
 }
 
+void HostResolverManager::SetLastIPv6ProbeResult(bool last_ipv6_probe_result) {
+  last_ipv6_probe_result_ = last_ipv6_probe_result;
+  last_ipv6_probe_time_ = tick_clock_->NowTicks();
+}
+
 bool HostResolverManager::IsGloballyReachable(const IPAddress& dest,
                                               const NetLogWithSource& net_log) {
   std::unique_ptr<DatagramClientSocket> socket(
@@ -3509,6 +3808,21 @@ void HostResolverManager::InvalidateCaches() {
 #endif
 }
 
+void HostResolverManager::ActivateDohProbes(
+    URLRequestContext* url_request_context) {
+  DCHECK_CALLED_ON_VALID_THREAD(thread_checker_);
+  DCHECK(dns_client_);
+
+  dns_client_->ActivateDohProbes(url_request_context);
+}
+
+void HostResolverManager::CancelDohProbes() {
+  DCHECK_CALLED_ON_VALID_THREAD(thread_checker_);
+  DCHECK(dns_client_);
+
+  dns_client_->CancelDohProbes();
+}
+
 void HostResolverManager::RequestImpl::Cancel() {
   DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
   if (!job_)
@@ -3517,6 +3831,8 @@ void HostResolverManager::RequestImpl::Cancel() {
   job_->CancelRequest(this);
   job_ = nullptr;
   callback_.Reset();
+
+  LogCancelRequest();
 }
 
 void HostResolverManager::RequestImpl::ChangeRequestPriority(
diff --git a/chromium/net/dns/host_resolver_manager.h b/chromium/net/dns/host_resolver_manager.h
index 7d8f611ade6..a8b03d10982 100644
--- a/chromium/net/dns/host_resolver_manager.h
+++ b/chromium/net/dns/host_resolver_manager.h
@@ -48,6 +48,7 @@ class MDnsClient;
 class MDnsSocketFactory;
 class NetLog;
 class NetLogWithSource;
+class NetworkIsolationKey;
 class URLRequestContext;
 
 // Scheduler and controller of host resolution requests. Because of the global
@@ -90,18 +91,32 @@ class NET_EXPORT HostResolverManager
       public SystemDnsConfigChangeNotifier::Observer {
  public:
   using MdnsListener = HostResolver::MdnsListener;
-  using ResolveHostRequest = HostResolver::ResolveHostRequest;
   using ResolveHostParameters = HostResolver::ResolveHostParameters;
   using SecureDnsMode = DnsConfig::SecureDnsMode;
 
-  class CancellableRequest : public ResolveHostRequest {
+  // A request that allows explicit cancellation before destruction. Enables
+  // callers (e.g. ContextHostResolver) to implement cancellation of requests on
+  // the callers' destruction.
+  class CancellableRequest {
    public:
+    CancellableRequest() = default;
+    CancellableRequest(const CancellableRequest&) = delete;
+    CancellableRequest& operator=(const CancellableRequest&) = delete;
+    virtual ~CancellableRequest() = default;
+
     // If running asynchronously, silently cancels the request as if destroyed.
     // Callbacks will never be invoked. Noop if request is already complete or
     // never started.
     virtual void Cancel() = 0;
   };
 
+  // CancellableRequest versions of different request types.
+  class CancellableResolveHostRequest
+      : public CancellableRequest,
+        public HostResolver::ResolveHostRequest {};
+  class CancellableProbeRequest : public CancellableRequest,
+                                  public HostResolver::ProbeRequest {};
+
   // Creates a HostResolver as specified by |options|. Blocking tasks are run in
   // ThreadPool.
   //
@@ -128,12 +143,17 @@ class NET_EXPORT HostResolverManager
   // specifies any cache usage other than LOCAL_ONLY, there must be a 1:1
   // correspondence between |request_context| and |host_cache|, and both should
   // come from the same ContextHostResolver.
-  std::unique_ptr<CancellableRequest> CreateRequest(
+  std::unique_ptr<CancellableResolveHostRequest> CreateRequest(
       const HostPortPair& host,
+      const NetworkIsolationKey& network_isolation_key,
       const NetLogWithSource& net_log,
       const base::Optional<ResolveHostParameters>& optional_parameters,
       URLRequestContext* request_context,
       HostCache* host_cache);
+  // |request_context| is the context to use for the probes, and it is expected
+  // to be the context of the calling ContextHostResolver.
+  std::unique_ptr<CancellableProbeRequest> CreateDohProbeRequest(
+      URLRequestContext* request_context);
   std::unique_ptr<MdnsListener> CreateMdnsListener(const HostPortPair& host,
                                                    DnsQueryType query_type);
 
@@ -153,16 +173,6 @@ class NET_EXPORT HostResolverManager
   // read from the system for DnsClient resolution.
   void SetDnsConfigOverrides(DnsConfigOverrides overrides);
 
-  // Sets the URLRequestContext to use for issuing DoH probes.
-  // TODO(crbug.com/1006902): Convert DoH probes to an API more consistent with
-  // normal requests with a Request or cancellation handle to control start and
-  // cancel.
-  void SetRequestContextForProbes(URLRequestContext* url_request_context);
-
-  // Iff |url_request_context| is being used for DoH probes, cancels the probes
-  // and clears the set context.
-  void CancelProbesForContext(URLRequestContext* url_request_context);
-
   // Support for invalidating HostCaches on changes to network or DNS
   // configuration. HostCaches should register/deregister invalidators here
   // rather than attempting to listen for relevant network change signals
@@ -201,6 +211,11 @@ class NET_EXPORT HostResolverManager
   // setting DnsConfig.
   void SetDnsClientForTesting(std::unique_ptr<DnsClient> dns_client);
 
+  // Sets the last IPv6 probe result for testing. Uses the standard timeout
+  // duration, so it's up to the test fixture to ensure it doesn't expire by
+  // mocking time, if expiration would pose a problem.
+  void SetLastIPv6ProbeResultForTesting(bool last_ipv6_probe_result);
+
   // Allows the tests to catch slots leaking out of the dispatcher.  One
   // HostResolverManager::Job could occupy multiple PrioritizedDispatcher job
   // slots.
@@ -228,6 +243,7 @@ class NET_EXPORT HostResolverManager
   class LoopbackProbeJob;
   class DnsTask;
   class RequestImpl;
+  class ProbeRequestImpl;
   using JobMap = std::map<JobKey, std::unique_ptr<Job>>;
 
   // Task types that a Job might run.
@@ -264,6 +280,7 @@ class NET_EXPORT HostResolverManager
   // stale cache entries can be returned.
   HostCache::Entry ResolveLocally(
       const std::string& hostname,
+      const NetworkIsolationKey& network_isolation_key,
       DnsQueryType requested_address_family,
       HostResolverSource source,
       HostResolverFlags flags,
@@ -373,6 +390,9 @@ class NET_EXPORT HostResolverManager
   // from the first probe for some time before probing again.
   bool IsIPv6Reachable(const NetLogWithSource& net_log);
 
+  // Sets |last_ipv6_probe_result_| and updates |last_ipv6_probe_time_|.
+  void SetLastIPv6ProbeResult(bool last_ipv6_probe_result);
+
   // Attempts to connect a UDP socket to |dest|:53. Virtual for testing.
   virtual bool IsGloballyReachable(const IPAddress& dest,
                                    const NetLogWithSource& net_log);
@@ -432,6 +452,11 @@ class NET_EXPORT HostResolverManager
 
   void InvalidateCaches();
 
+  // Currently only allows one probe to be started at a time. Must be cancelled
+  // before starting another.
+  void ActivateDohProbes(URLRequestContext* url_request_context);
+  void CancelDohProbes();
+
   // Used for multicast DNS tasks. Created on first use using
   // GetOrCreateMndsClient().
   std::unique_ptr<MDnsSocketFactory> mdns_socket_factory_;
diff --git a/chromium/net/dns/host_resolver_manager_fuzzer.cc b/chromium/net/dns/host_resolver_manager_fuzzer.cc
index b61f0bdba72..2a2828cf66e 100644
--- a/chromium/net/dns/host_resolver_manager_fuzzer.cc
+++ b/chromium/net/dns/host_resolver_manager_fuzzer.cc
@@ -201,7 +201,7 @@ class DnsRequest {
 extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
   {
     FuzzedDataProvider data_provider(data, size);
-    net::TestNetLog net_log;
+    net::RecordingTestNetLog net_log;
 
     net::HostResolver::ManagerOptions options;
     options.max_concurrent_resolves =
diff --git a/chromium/net/dns/host_resolver_manager_unittest.cc b/chromium/net/dns/host_resolver_manager_unittest.cc
index 3bcd8074a5a..7d465e26228 100644
--- a/chromium/net/dns/host_resolver_manager_unittest.cc
+++ b/chromium/net/dns/host_resolver_manager_unittest.cc
@@ -17,6 +17,7 @@
 #include "base/location.h"
 #include "base/macros.h"
 #include "base/memory/ref_counted.h"
+#include "base/numerics/safe_conversions.h"
 #include "base/rand_util.h"
 #include "base/run_loop.h"
 #include "base/sequenced_task_runner.h"
@@ -29,6 +30,8 @@
 #include "base/task/post_task.h"
 #include "base/task/thread_pool/thread_pool_instance.h"
 #include "base/test/bind_test_util.h"
+#include "base/test/metrics/histogram_tester.h"
+#include "base/test/scoped_feature_list.h"
 #include "base/test/simple_test_clock.h"
 #include "base/test/test_mock_time_task_runner.h"
 #include "base/test/test_timeouts.h"
@@ -39,18 +42,22 @@
 #include "base/values.h"
 #include "build/build_config.h"
 #include "net/base/address_list.h"
+#include "net/base/features.h"
 #include "net/base/host_port_pair.h"
 #include "net/base/ip_address.h"
 #include "net/base/ip_endpoint.h"
 #include "net/base/mock_network_change_notifier.h"
 #include "net/base/net_errors.h"
+#include "net/base/network_isolation_key.h"
 #include "net/dns/dns_client.h"
 #include "net/dns/dns_config.h"
 #include "net/dns/dns_test_util.h"
 #include "net/dns/dns_util.h"
+#include "net/dns/host_resolver_histograms.h"
 #include "net/dns/mock_host_resolver.h"
 #include "net/dns/mock_mdns_client.h"
 #include "net/dns/mock_mdns_socket_factory.h"
+#include "net/dns/public/resolve_error_info.h"
 #include "net/dns/test_dns_config_service.h"
 #include "net/log/net_log_event_type.h"
 #include "net/log/net_log_source_type.h"
@@ -64,6 +71,8 @@
 #include "net/url_request/url_request_test_util.h"
 #include "testing/gmock/include/gmock/gmock.h"
 #include "testing/gtest/include/gtest/gtest.h"
+#include "url/gurl.h"
+#include "url/origin.h"
 
 #if BUILDFLAG(ENABLE_MDNS)
 #include "net/dns/mdns_client_impl.h"
@@ -72,10 +81,15 @@
 using net::test::IsError;
 using net::test::IsOk;
 using ::testing::_;
+using ::testing::AllOf;
 using ::testing::Between;
 using ::testing::ByMove;
-using ::testing::NotNull;
+using ::testing::Eq;
+using ::testing::Optional;
+using ::testing::Pair;
+using ::testing::Property;
 using ::testing::Return;
+using ::testing::UnorderedElementsAre;
 
 namespace net {
 
@@ -218,6 +232,11 @@ class MockHostResolverProc : public HostResolverProc {
     return copy;
   }
 
+  void ClearCaptureList() {
+    base::AutoLock lock(lock_);
+    capture_list_.clear();
+  }
+
   bool HasBlockedRequests() const {
     base::AutoLock lock(lock_);
     return num_requests_waiting_ > num_slots_available_;
@@ -244,30 +263,40 @@ class ResolveHostResponseHelper {
       base::OnceCallback<void(CompletionOnceCallback completion_callback,
                               int error)>;
 
-  ResolveHostResponseHelper() {}
+  ResolveHostResponseHelper() = default;
   explicit ResolveHostResponseHelper(
-      std::unique_ptr<HostResolverManager::CancellableRequest> request)
+      std::unique_ptr<HostResolverManager::CancellableResolveHostRequest>
+          request)
       : request_(std::move(request)) {
-    result_error_ = request_->Start(base::BindOnce(
+    top_level_result_error_ = request_->Start(base::BindOnce(
         &ResolveHostResponseHelper::OnComplete, base::Unretained(this)));
   }
   ResolveHostResponseHelper(
-      std::unique_ptr<HostResolverManager::CancellableRequest> request,
+      std::unique_ptr<HostResolverManager::CancellableResolveHostRequest>
+          request,
       Callback custom_callback)
       : request_(std::move(request)) {
-    result_error_ = request_->Start(
+    top_level_result_error_ = request_->Start(
         base::BindOnce(std::move(custom_callback),
                        base::BindOnce(&ResolveHostResponseHelper::OnComplete,
                                       base::Unretained(this))));
   }
 
-  bool complete() const { return result_error_ != ERR_IO_PENDING; }
+  bool complete() const { return top_level_result_error_ != ERR_IO_PENDING; }
+
+  int top_level_result_error() {
+    WaitForCompletion();
+    return top_level_result_error_;
+  }
+
   int result_error() {
     WaitForCompletion();
-    return result_error_;
+    return request_->GetResolveErrorInfo().error;
   }
 
-  HostResolverManager::CancellableRequest* request() { return request_.get(); }
+  HostResolverManager::CancellableResolveHostRequest* request() {
+    return request_.get();
+  }
 
   void CancelRequest() {
     DCHECK(request_);
@@ -278,7 +307,7 @@ class ResolveHostResponseHelper {
 
   void OnComplete(int error) {
     DCHECK(!complete());
-    result_error_ = error;
+    top_level_result_error_ = error;
 
     run_loop_.Quit();
   }
@@ -293,8 +322,8 @@ class ResolveHostResponseHelper {
     DCHECK(complete());
   }
 
-  std::unique_ptr<HostResolverManager::CancellableRequest> request_;
-  int result_error_ = ERR_IO_PENDING;
+  std::unique_ptr<HostResolverManager::CancellableResolveHostRequest> request_;
+  int top_level_result_error_ = ERR_IO_PENDING;
   base::RunLoop run_loop_;
 
   DISALLOW_COPY_AND_ASSIGN(ResolveHostResponseHelper);
@@ -474,7 +503,11 @@ class HostResolverManagerTest : public TestWithTaskEnvironment {
  public:
   static const int kDefaultPort = 80;
 
-  HostResolverManagerTest() : proc_(new MockHostResolverProc()) {}
+  explicit HostResolverManagerTest(
+      base::test::TaskEnvironment::TimeSource time_source =
+          base::test::TaskEnvironment::TimeSource::SYSTEM_TIME)
+      : TestWithTaskEnvironment(time_source),
+        proc_(new MockHostResolverProc()) {}
 
   void CreateResolver(bool check_ipv6_on_wifi = true) {
     CreateResolverWithLimitsAndParams(kMaxJobs, DefaultParams(proc_.get()),
@@ -610,10 +643,12 @@ TEST_F(HostResolverManagerTest, AsynchronousLookup) {
   proc_->SignalMultiple(1u);
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("just.testing", 80), NetLogWithSource(), base::nullopt,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("just.testing", 80), NetworkIsolationKey(),
+      NetLogWithSource(), base::nullopt, request_context_.get(),
+      host_cache_.get()));
 
   EXPECT_THAT(response.result_error(), IsOk());
+  EXPECT_THAT(response.top_level_result_error(), IsOk());
   EXPECT_THAT(response.request()->GetAddressResults().value().endpoints(),
               testing::ElementsAre(CreateExpected("192.168.1.42", 80)));
   EXPECT_FALSE(response.request()->GetStaleInfo());
@@ -623,7 +658,8 @@ TEST_F(HostResolverManagerTest, AsynchronousLookup) {
   const std::pair<const HostCache::Key, HostCache::Entry>* cache_result =
       GetCacheHit(HostCache::Key("just.testing", DnsQueryType::UNSPECIFIED,
                                  0 /* host_resolver_flags */,
-                                 HostResolverSource::ANY));
+                                 HostResolverSource::ANY,
+                                 NetworkIsolationKey()));
   EXPECT_TRUE(cache_result);
 }
 
@@ -632,8 +668,9 @@ TEST_F(HostResolverManagerTest, JobsClearedOnCompletion) {
   proc_->SignalMultiple(1u);
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("just.testing", 80), NetLogWithSource(), base::nullopt,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("just.testing", 80), NetworkIsolationKey(),
+      NetLogWithSource(), base::nullopt, request_context_.get(),
+      host_cache_.get()));
   EXPECT_EQ(1u, resolver_->num_jobs_for_testing());
 
   EXPECT_THAT(response.result_error(), IsOk());
@@ -645,11 +682,13 @@ TEST_F(HostResolverManagerTest, JobsClearedOnCompletion_MultipleRequests) {
   proc_->SignalMultiple(1u);
 
   ResolveHostResponseHelper response1(resolver_->CreateRequest(
-      HostPortPair("just.testing", 80), NetLogWithSource(), base::nullopt,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("just.testing", 80), NetworkIsolationKey(),
+      NetLogWithSource(), base::nullopt, request_context_.get(),
+      host_cache_.get()));
   ResolveHostResponseHelper response2(resolver_->CreateRequest(
-      HostPortPair("just.testing", 85), NetLogWithSource(), base::nullopt,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("just.testing", 85), NetworkIsolationKey(),
+      NetLogWithSource(), base::nullopt, request_context_.get(),
+      host_cache_.get()));
   EXPECT_EQ(1u, resolver_->num_jobs_for_testing());
 
   EXPECT_THAT(response1.result_error(), IsOk());
@@ -663,8 +702,9 @@ TEST_F(HostResolverManagerTest, JobsClearedOnCompletion_Failure) {
   proc_->SignalMultiple(1u);
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("just.testing", 80), NetLogWithSource(), base::nullopt,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("just.testing", 80), NetworkIsolationKey(),
+      NetLogWithSource(), base::nullopt, request_context_.get(),
+      host_cache_.get()));
   EXPECT_EQ(1u, resolver_->num_jobs_for_testing());
 
   EXPECT_THAT(response.result_error(), IsError(ERR_NAME_NOT_RESOLVED));
@@ -675,8 +715,9 @@ TEST_F(HostResolverManagerTest, JobsClearedOnCompletion_Abort) {
   proc_->AddRuleForAllFamilies("just.testing", "192.168.1.42");
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("just.testing", 80), NetLogWithSource(), base::nullopt,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("just.testing", 80), NetworkIsolationKey(),
+      NetLogWithSource(), base::nullopt, request_context_.get(),
+      host_cache_.get()));
   EXPECT_EQ(1u, resolver_->num_jobs_for_testing());
 
   NetworkChangeNotifier::NotifyObserversOfIPAddressChangeForTests();
@@ -694,13 +735,13 @@ TEST_F(HostResolverManagerTest, DnsQueryType) {
 
   parameters.dns_query_type = DnsQueryType::A;
   ResolveHostResponseHelper v4_response(resolver_->CreateRequest(
-      HostPortPair("host", 80), NetLogWithSource(), parameters,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("host", 80), NetworkIsolationKey(), NetLogWithSource(),
+      parameters, request_context_.get(), host_cache_.get()));
 
   parameters.dns_query_type = DnsQueryType::AAAA;
   ResolveHostResponseHelper v6_response(resolver_->CreateRequest(
-      HostPortPair("host", 80), NetLogWithSource(), parameters,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("host", 80), NetworkIsolationKey(), NetLogWithSource(),
+      parameters, request_context_.get(), host_cache_.get()));
 
   proc_->SignalMultiple(2u);
 
@@ -718,23 +759,23 @@ TEST_F(HostResolverManagerTest, LocalhostIPV4IPV6Lookup) {
 
   parameters.dns_query_type = DnsQueryType::A;
   ResolveHostResponseHelper v6_v4_response(resolver_->CreateRequest(
-      HostPortPair("localhost6", 80), NetLogWithSource(), parameters,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("localhost6", 80), NetworkIsolationKey(), NetLogWithSource(),
+      parameters, request_context_.get(), host_cache_.get()));
   EXPECT_THAT(v6_v4_response.result_error(), IsOk());
   EXPECT_THAT(v6_v4_response.request()->GetAddressResults().value().endpoints(),
               testing::IsEmpty());
 
   parameters.dns_query_type = DnsQueryType::AAAA;
   ResolveHostResponseHelper v6_v6_response(resolver_->CreateRequest(
-      HostPortPair("localhost6", 80), NetLogWithSource(), parameters,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("localhost6", 80), NetworkIsolationKey(), NetLogWithSource(),
+      parameters, request_context_.get(), host_cache_.get()));
   EXPECT_THAT(v6_v6_response.result_error(), IsOk());
   EXPECT_THAT(v6_v6_response.request()->GetAddressResults().value().endpoints(),
               testing::ElementsAre(CreateExpected("::1", 80)));
 
   ResolveHostResponseHelper v6_unsp_response(resolver_->CreateRequest(
-      HostPortPair("localhost6", 80), NetLogWithSource(), base::nullopt,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("localhost6", 80), NetworkIsolationKey(), NetLogWithSource(),
+      base::nullopt, request_context_.get(), host_cache_.get()));
   EXPECT_THAT(v6_unsp_response.result_error(), IsOk());
   EXPECT_THAT(
       v6_unsp_response.request()->GetAddressResults().value().endpoints(),
@@ -742,23 +783,23 @@ TEST_F(HostResolverManagerTest, LocalhostIPV4IPV6Lookup) {
 
   parameters.dns_query_type = DnsQueryType::A;
   ResolveHostResponseHelper v4_v4_response(resolver_->CreateRequest(
-      HostPortPair("localhost", 80), NetLogWithSource(), parameters,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("localhost", 80), NetworkIsolationKey(), NetLogWithSource(),
+      parameters, request_context_.get(), host_cache_.get()));
   EXPECT_THAT(v4_v4_response.result_error(), IsOk());
   EXPECT_THAT(v4_v4_response.request()->GetAddressResults().value().endpoints(),
               testing::ElementsAre(CreateExpected("127.0.0.1", 80)));
 
   parameters.dns_query_type = DnsQueryType::AAAA;
   ResolveHostResponseHelper v4_v6_response(resolver_->CreateRequest(
-      HostPortPair("localhost", 80), NetLogWithSource(), parameters,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("localhost", 80), NetworkIsolationKey(), NetLogWithSource(),
+      parameters, request_context_.get(), host_cache_.get()));
   EXPECT_THAT(v4_v6_response.result_error(), IsOk());
   EXPECT_THAT(v4_v6_response.request()->GetAddressResults().value().endpoints(),
               testing::ElementsAre(CreateExpected("::1", 80)));
 
   ResolveHostResponseHelper v4_unsp_response(resolver_->CreateRequest(
-      HostPortPair("localhost", 80), NetLogWithSource(), base::nullopt,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("localhost", 80), NetworkIsolationKey(), NetLogWithSource(),
+      base::nullopt, request_context_.get(), host_cache_.get()));
   EXPECT_THAT(v4_unsp_response.result_error(), IsOk());
   EXPECT_THAT(
       v4_unsp_response.request()->GetAddressResults().value().endpoints(),
@@ -776,8 +817,8 @@ TEST_F(HostResolverManagerTest, ResolveIPLiteralWithHostResolverSystemOnly) {
   HostResolver::ResolveHostParameters parameters;
   parameters.source = HostResolverSource::SYSTEM;
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair(kIpLiteral, 80), NetLogWithSource(), parameters,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair(kIpLiteral, 80), NetworkIsolationKey(), NetLogWithSource(),
+      parameters, request_context_.get(), host_cache_.get()));
 
   // IP literal resolution is expected to take precedence over source, so the
   // result is expected to be the input IP, not the result IP from the proc rule
@@ -792,8 +833,9 @@ TEST_F(HostResolverManagerTest, EmptyListMeansNameNotResolved) {
   proc_->SignalMultiple(1u);
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("just.testing", 80), NetLogWithSource(), base::nullopt,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("just.testing", 80), NetworkIsolationKey(),
+      NetLogWithSource(), base::nullopt, request_context_.get(),
+      host_cache_.get()));
 
   EXPECT_THAT(response.result_error(), IsError(ERR_NAME_NOT_RESOLVED));
   EXPECT_FALSE(response.request()->GetAddressResults());
@@ -808,9 +850,12 @@ TEST_F(HostResolverManagerTest, FailedAsynchronousLookup) {
   proc_->SignalMultiple(1u);
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("just.testing", 80), NetLogWithSource(), base::nullopt,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("just.testing", 80), NetworkIsolationKey(),
+      NetLogWithSource(), base::nullopt, request_context_.get(),
+      host_cache_.get()));
   EXPECT_THAT(response.result_error(), IsError(ERR_NAME_NOT_RESOLVED));
+  EXPECT_THAT(response.top_level_result_error(),
+              IsError(ERR_NAME_NOT_RESOLVED));
   EXPECT_FALSE(response.request()->GetAddressResults());
   EXPECT_FALSE(response.request()->GetStaleInfo());
 
@@ -820,14 +865,16 @@ TEST_F(HostResolverManagerTest, FailedAsynchronousLookup) {
   const std::pair<const HostCache::Key, HostCache::Entry>* cache_result =
       GetCacheHit(HostCache::Key("just.testing", DnsQueryType::UNSPECIFIED,
                                  0 /* host_resolver_flags */,
-                                 HostResolverSource::ANY));
+                                 HostResolverSource::ANY,
+                                 NetworkIsolationKey()));
   EXPECT_FALSE(cache_result);
 }
 
 TEST_F(HostResolverManagerTest, AbortedAsynchronousLookup) {
   ResolveHostResponseHelper response0(resolver_->CreateRequest(
-      HostPortPair("just.testing", 80), NetLogWithSource(), base::nullopt,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("just.testing", 80), NetworkIsolationKey(),
+      NetLogWithSource(), base::nullopt, request_context_.get(),
+      host_cache_.get()));
   ASSERT_FALSE(response0.complete());
   ASSERT_TRUE(proc_->WaitFor(1u));
 
@@ -839,8 +886,9 @@ TEST_F(HostResolverManagerTest, AbortedAsynchronousLookup) {
   // To ensure there was no spurious callback, complete with a new resolver.
   CreateResolver();
   ResolveHostResponseHelper response1(resolver_->CreateRequest(
-      HostPortPair("just.testing", 80), NetLogWithSource(), base::nullopt,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("just.testing", 80), NetworkIsolationKey(),
+      NetLogWithSource(), base::nullopt, request_context_.get(),
+      host_cache_.get()));
 
   proc_->SignalMultiple(2u);
 
@@ -852,8 +900,9 @@ TEST_F(HostResolverManagerTest, AbortedAsynchronousLookup) {
 
 TEST_F(HostResolverManagerTest, NumericIPv4Address) {
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("127.1.2.3", 5555), NetLogWithSource(), base::nullopt,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("127.1.2.3", 5555), NetworkIsolationKey(),
+      NetLogWithSource(), base::nullopt, request_context_.get(),
+      host_cache_.get()));
 
   EXPECT_THAT(response.result_error(), IsOk());
   EXPECT_THAT(response.request()->GetAddressResults().value().endpoints(),
@@ -864,8 +913,9 @@ TEST_F(HostResolverManagerTest, NumericIPv6Address) {
   // Resolve a plain IPv6 address.  Don't worry about [brackets], because
   // the caller should have removed them.
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("2001:db8::1", 5555), NetLogWithSource(), base::nullopt,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("2001:db8::1", 5555), NetworkIsolationKey(),
+      NetLogWithSource(), base::nullopt, request_context_.get(),
+      host_cache_.get()));
 
   EXPECT_THAT(response.result_error(), IsOk());
   EXPECT_THAT(response.request()->GetAddressResults().value().endpoints(),
@@ -874,8 +924,9 @@ TEST_F(HostResolverManagerTest, NumericIPv6Address) {
 
 TEST_F(HostResolverManagerTest, EmptyHost) {
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair(std::string(), 5555), NetLogWithSource(), base::nullopt,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair(std::string(), 5555), NetworkIsolationKey(),
+      NetLogWithSource(), base::nullopt, request_context_.get(),
+      host_cache_.get()));
 
   EXPECT_THAT(response.result_error(), IsError(ERR_NAME_NOT_RESOLVED));
   EXPECT_FALSE(response.request()->GetAddressResults());
@@ -884,8 +935,9 @@ TEST_F(HostResolverManagerTest, EmptyHost) {
 TEST_F(HostResolverManagerTest, EmptyDotsHost) {
   for (int i = 0; i < 16; ++i) {
     ResolveHostResponseHelper response(resolver_->CreateRequest(
-        HostPortPair(std::string(i, '.'), 5555), NetLogWithSource(),
-        base::nullopt, request_context_.get(), host_cache_.get()));
+        HostPortPair(std::string(i, '.'), 5555), NetworkIsolationKey(),
+        NetLogWithSource(), base::nullopt, request_context_.get(),
+        host_cache_.get()));
 
     EXPECT_THAT(response.result_error(), IsError(ERR_NAME_NOT_RESOLVED));
     EXPECT_FALSE(response.request()->GetAddressResults());
@@ -894,8 +946,9 @@ TEST_F(HostResolverManagerTest, EmptyDotsHost) {
 
 TEST_F(HostResolverManagerTest, LongHost) {
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair(std::string(4097, 'a'), 5555), NetLogWithSource(),
-      base::nullopt, request_context_.get(), host_cache_.get()));
+      HostPortPair(std::string(4097, 'a'), 5555), NetworkIsolationKey(),
+      NetLogWithSource(), base::nullopt, request_context_.get(),
+      host_cache_.get()));
 
   EXPECT_THAT(response.result_error(), IsError(ERR_NAME_NOT_RESOLVED));
   EXPECT_FALSE(response.request()->GetAddressResults());
@@ -907,24 +960,24 @@ TEST_F(HostResolverManagerTest, DeDupeRequests) {
   std::vector<std::unique_ptr<ResolveHostResponseHelper>> responses;
   responses.emplace_back(
       std::make_unique<ResolveHostResponseHelper>(resolver_->CreateRequest(
-          HostPortPair("a", 80), NetLogWithSource(), base::nullopt,
-          request_context_.get(), host_cache_.get())));
+          HostPortPair("a", 80), NetworkIsolationKey(), NetLogWithSource(),
+          base::nullopt, request_context_.get(), host_cache_.get())));
   responses.emplace_back(
       std::make_unique<ResolveHostResponseHelper>(resolver_->CreateRequest(
-          HostPortPair("b", 80), NetLogWithSource(), base::nullopt,
-          request_context_.get(), host_cache_.get())));
+          HostPortPair("b", 80), NetworkIsolationKey(), NetLogWithSource(),
+          base::nullopt, request_context_.get(), host_cache_.get())));
   responses.emplace_back(
       std::make_unique<ResolveHostResponseHelper>(resolver_->CreateRequest(
-          HostPortPair("b", 81), NetLogWithSource(), base::nullopt,
-          request_context_.get(), host_cache_.get())));
+          HostPortPair("b", 81), NetworkIsolationKey(), NetLogWithSource(),
+          base::nullopt, request_context_.get(), host_cache_.get())));
   responses.emplace_back(
       std::make_unique<ResolveHostResponseHelper>(resolver_->CreateRequest(
-          HostPortPair("a", 82), NetLogWithSource(), base::nullopt,
-          request_context_.get(), host_cache_.get())));
+          HostPortPair("a", 82), NetworkIsolationKey(), NetLogWithSource(),
+          base::nullopt, request_context_.get(), host_cache_.get())));
   responses.emplace_back(
       std::make_unique<ResolveHostResponseHelper>(resolver_->CreateRequest(
-          HostPortPair("b", 83), NetLogWithSource(), base::nullopt,
-          request_context_.get(), host_cache_.get())));
+          HostPortPair("b", 83), NetworkIsolationKey(), NetLogWithSource(),
+          base::nullopt, request_context_.get(), host_cache_.get())));
 
   for (auto& response : responses) {
     ASSERT_FALSE(response->complete());
@@ -941,24 +994,24 @@ TEST_F(HostResolverManagerTest, CancelMultipleRequests) {
   std::vector<std::unique_ptr<ResolveHostResponseHelper>> responses;
   responses.emplace_back(
       std::make_unique<ResolveHostResponseHelper>(resolver_->CreateRequest(
-          HostPortPair("a", 80), NetLogWithSource(), base::nullopt,
-          request_context_.get(), host_cache_.get())));
+          HostPortPair("a", 80), NetworkIsolationKey(), NetLogWithSource(),
+          base::nullopt, request_context_.get(), host_cache_.get())));
   responses.emplace_back(
       std::make_unique<ResolveHostResponseHelper>(resolver_->CreateRequest(
-          HostPortPair("b", 80), NetLogWithSource(), base::nullopt,
-          request_context_.get(), host_cache_.get())));
+          HostPortPair("b", 80), NetworkIsolationKey(), NetLogWithSource(),
+          base::nullopt, request_context_.get(), host_cache_.get())));
   responses.emplace_back(
       std::make_unique<ResolveHostResponseHelper>(resolver_->CreateRequest(
-          HostPortPair("b", 81), NetLogWithSource(), base::nullopt,
-          request_context_.get(), host_cache_.get())));
+          HostPortPair("b", 81), NetworkIsolationKey(), NetLogWithSource(),
+          base::nullopt, request_context_.get(), host_cache_.get())));
   responses.emplace_back(
       std::make_unique<ResolveHostResponseHelper>(resolver_->CreateRequest(
-          HostPortPair("a", 82), NetLogWithSource(), base::nullopt,
-          request_context_.get(), host_cache_.get())));
+          HostPortPair("a", 82), NetworkIsolationKey(), NetLogWithSource(),
+          base::nullopt, request_context_.get(), host_cache_.get())));
   responses.emplace_back(
       std::make_unique<ResolveHostResponseHelper>(resolver_->CreateRequest(
-          HostPortPair("b", 83), NetLogWithSource(), base::nullopt,
-          request_context_.get(), host_cache_.get())));
+          HostPortPair("b", 83), NetworkIsolationKey(), NetLogWithSource(),
+          base::nullopt, request_context_.get(), host_cache_.get())));
 
   for (auto& response : responses) {
     ASSERT_FALSE(response->complete());
@@ -990,14 +1043,16 @@ TEST_F(HostResolverManagerTest, CanceledRequestsReleaseJobSlots) {
 
     responses.emplace_back(
         std::make_unique<ResolveHostResponseHelper>(resolver_->CreateRequest(
-            HostPortPair(hostname, 80), NetLogWithSource(), base::nullopt,
-            request_context_.get(), host_cache_.get())));
+            HostPortPair(hostname, 80), NetworkIsolationKey(),
+            NetLogWithSource(), base::nullopt, request_context_.get(),
+            host_cache_.get())));
     ASSERT_FALSE(responses.back()->complete());
 
     responses.emplace_back(
         std::make_unique<ResolveHostResponseHelper>(resolver_->CreateRequest(
-            HostPortPair(hostname, 81), NetLogWithSource(), base::nullopt,
-            request_context_.get(), host_cache_.get())));
+            HostPortPair(hostname, 81), NetworkIsolationKey(),
+            NetLogWithSource(), base::nullopt, request_context_.get(),
+            host_cache_.get())));
     ASSERT_FALSE(responses.back()->complete());
   }
 
@@ -1036,27 +1091,28 @@ TEST_F(HostResolverManagerTest, CancelWithinCallback) {
       });
 
   ResolveHostResponseHelper cancelling_response(
-      resolver_->CreateRequest(HostPortPair("a", 80), NetLogWithSource(),
-                               base::nullopt, request_context_.get(),
-                               host_cache_.get()),
+      resolver_->CreateRequest(HostPortPair("a", 80), NetworkIsolationKey(),
+                               NetLogWithSource(), base::nullopt,
+                               request_context_.get(), host_cache_.get()),
       std::move(custom_callback));
 
   responses.emplace_back(
       std::make_unique<ResolveHostResponseHelper>(resolver_->CreateRequest(
-          HostPortPair("a", 81), NetLogWithSource(), base::nullopt,
-          request_context_.get(), host_cache_.get())));
+          HostPortPair("a", 81), NetworkIsolationKey(), NetLogWithSource(),
+          base::nullopt, request_context_.get(), host_cache_.get())));
   responses.emplace_back(
       std::make_unique<ResolveHostResponseHelper>(resolver_->CreateRequest(
-          HostPortPair("a", 82), NetLogWithSource(), base::nullopt,
-          request_context_.get(), host_cache_.get())));
+          HostPortPair("a", 82), NetworkIsolationKey(), NetLogWithSource(),
+          base::nullopt, request_context_.get(), host_cache_.get())));
 
   proc_->SignalMultiple(2u);  // One for "a". One for "finalrequest".
 
   EXPECT_THAT(cancelling_response.result_error(), IsOk());
 
   ResolveHostResponseHelper final_response(resolver_->CreateRequest(
-      HostPortPair("finalrequest", 70), NetLogWithSource(), base::nullopt,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("finalrequest", 70), NetworkIsolationKey(),
+      NetLogWithSource(), base::nullopt, request_context_.get(),
+      host_cache_.get()));
   EXPECT_THAT(final_response.result_error(), IsOk());
 
   for (auto& response : responses) {
@@ -1081,9 +1137,9 @@ TEST_F(HostResolverManagerTest, DeleteWithinCallback) {
       });
 
   ResolveHostResponseHelper deleting_response(
-      resolver_->CreateRequest(HostPortPair("a", 80), NetLogWithSource(),
-                               base::nullopt, request_context_.get(),
-                               host_cache_.get()),
+      resolver_->CreateRequest(HostPortPair("a", 80), NetworkIsolationKey(),
+                               NetLogWithSource(), base::nullopt,
+                               request_context_.get(), host_cache_.get()),
       std::move(custom_callback));
 
   // Start additional requests to be cancelled as part of the first's deletion.
@@ -1091,12 +1147,12 @@ TEST_F(HostResolverManagerTest, DeleteWithinCallback) {
   // request will run first and cancel the rest.
   responses.emplace_back(
       std::make_unique<ResolveHostResponseHelper>(resolver_->CreateRequest(
-          HostPortPair("a", 81), NetLogWithSource(), base::nullopt,
-          request_context_.get(), host_cache_.get())));
+          HostPortPair("a", 81), NetworkIsolationKey(), NetLogWithSource(),
+          base::nullopt, request_context_.get(), host_cache_.get())));
   responses.emplace_back(
       std::make_unique<ResolveHostResponseHelper>(resolver_->CreateRequest(
-          HostPortPair("a", 82), NetLogWithSource(), base::nullopt,
-          request_context_.get(), host_cache_.get())));
+          HostPortPair("a", 82), NetworkIsolationKey(), NetLogWithSource(),
+          base::nullopt, request_context_.get(), host_cache_.get())));
 
   proc_->SignalMultiple(3u);
 
@@ -1125,23 +1181,23 @@ TEST_F(HostResolverManagerTest, DeleteWithinAbortedCallback) {
           });
 
   ResolveHostResponseHelper deleting_response(
-      resolver_->CreateRequest(HostPortPair("a", 80), NetLogWithSource(),
-                               base::nullopt, request_context_.get(),
-                               host_cache_.get()),
+      resolver_->CreateRequest(HostPortPair("a", 80), NetworkIsolationKey(),
+                               NetLogWithSource(), base::nullopt,
+                               request_context_.get(), host_cache_.get()),
       std::move(custom_callback));
 
   responses.emplace_back(
       std::make_unique<ResolveHostResponseHelper>(resolver_->CreateRequest(
-          HostPortPair("a", 81), NetLogWithSource(), base::nullopt,
-          request_context_.get(), host_cache_.get())));
+          HostPortPair("a", 81), NetworkIsolationKey(), NetLogWithSource(),
+          base::nullopt, request_context_.get(), host_cache_.get())));
   responses.emplace_back(
       std::make_unique<ResolveHostResponseHelper>(resolver_->CreateRequest(
-          HostPortPair("b", 82), NetLogWithSource(), base::nullopt,
-          request_context_.get(), host_cache_.get())));
+          HostPortPair("b", 82), NetworkIsolationKey(), NetLogWithSource(),
+          base::nullopt, request_context_.get(), host_cache_.get())));
   responses.emplace_back(
       std::make_unique<ResolveHostResponseHelper>(resolver_->CreateRequest(
-          HostPortPair("b", 83), NetLogWithSource(), base::nullopt,
-          request_context_.get(), host_cache_.get())));
+          HostPortPair("b", 83), NetworkIsolationKey(), NetLogWithSource(),
+          base::nullopt, request_context_.get(), host_cache_.get())));
 
   // Wait for all calls to queue up, trigger abort via IP address change, then
   // signal all the queued requests to let them all try to finish.
@@ -1161,16 +1217,17 @@ TEST_F(HostResolverManagerTest, StartWithinCallback) {
   auto custom_callback = base::BindLambdaForTesting(
       [&](CompletionOnceCallback completion_callback, int error) {
         new_response = std::make_unique<ResolveHostResponseHelper>(
-            resolver_->CreateRequest(
-                HostPortPair("new", 70), NetLogWithSource(), base::nullopt,
-                request_context_.get(), host_cache_.get()));
+            resolver_->CreateRequest(HostPortPair("new", 70),
+                                     NetworkIsolationKey(), NetLogWithSource(),
+                                     base::nullopt, request_context_.get(),
+                                     host_cache_.get()));
         std::move(completion_callback).Run(error);
       });
 
   ResolveHostResponseHelper starting_response(
-      resolver_->CreateRequest(HostPortPair("a", 80), NetLogWithSource(),
-                               base::nullopt, request_context_.get(),
-                               host_cache_.get()),
+      resolver_->CreateRequest(HostPortPair("a", 80), NetworkIsolationKey(),
+                               NetLogWithSource(), base::nullopt,
+                               request_context_.get(), host_cache_.get()),
       std::move(custom_callback));
 
   proc_->SignalMultiple(2u);  // One for "a". One for "new".
@@ -1187,29 +1244,31 @@ TEST_F(HostResolverManagerTest, StartWithinEvictionCallback) {
   auto custom_callback = base::BindLambdaForTesting(
       [&](CompletionOnceCallback completion_callback, int error) {
         new_response = std::make_unique<ResolveHostResponseHelper>(
-            resolver_->CreateRequest(
-                HostPortPair("new", 70), NetLogWithSource(), base::nullopt,
-                request_context_.get(), host_cache_.get()));
+            resolver_->CreateRequest(HostPortPair("new", 70),
+                                     NetworkIsolationKey(), NetLogWithSource(),
+                                     base::nullopt, request_context_.get(),
+                                     host_cache_.get()));
         std::move(completion_callback).Run(error);
       });
 
   ResolveHostResponseHelper initial_response(resolver_->CreateRequest(
-      HostPortPair("initial", 80), NetLogWithSource(), base::nullopt,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("initial", 80), NetworkIsolationKey(), NetLogWithSource(),
+      base::nullopt, request_context_.get(), host_cache_.get()));
   ResolveHostResponseHelper evictee1_response(
-      resolver_->CreateRequest(HostPortPair("evictee1", 80), NetLogWithSource(),
+      resolver_->CreateRequest(HostPortPair("evictee1", 80),
+                               NetworkIsolationKey(), NetLogWithSource(),
                                base::nullopt, request_context_.get(),
                                host_cache_.get()),
       std::move(custom_callback));
   ResolveHostResponseHelper evictee2_response(resolver_->CreateRequest(
-      HostPortPair("evictee2", 80), NetLogWithSource(), base::nullopt,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("evictee2", 80), NetworkIsolationKey(), NetLogWithSource(),
+      base::nullopt, request_context_.get(), host_cache_.get()));
 
   // Now one running request ("initial") and two queued requests ("evictee1" and
   // "evictee2"). Any further requests will cause evictions.
   ResolveHostResponseHelper evictor_response(resolver_->CreateRequest(
-      HostPortPair("evictor", 80), NetLogWithSource(), base::nullopt,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("evictor", 80), NetworkIsolationKey(), NetLogWithSource(),
+      base::nullopt, request_context_.get(), host_cache_.get()));
   EXPECT_THAT(evictee1_response.result_error(),
               IsError(ERR_HOST_RESOLVER_QUEUE_TOO_LARGE));
 
@@ -1234,17 +1293,19 @@ TEST_F(HostResolverManagerTest, StartWithinEvictionCallback_DoubleEviction) {
   auto custom_callback = base::BindLambdaForTesting(
       [&](CompletionOnceCallback completion_callback, int error) {
         new_response = std::make_unique<ResolveHostResponseHelper>(
-            resolver_->CreateRequest(
-                HostPortPair("new", 70), NetLogWithSource(), base::nullopt,
-                request_context_.get(), host_cache_.get()));
+            resolver_->CreateRequest(HostPortPair("new", 70),
+                                     NetworkIsolationKey(), NetLogWithSource(),
+                                     base::nullopt, request_context_.get(),
+                                     host_cache_.get()));
         std::move(completion_callback).Run(error);
       });
 
   ResolveHostResponseHelper initial_response(resolver_->CreateRequest(
-      HostPortPair("initial", 80), NetLogWithSource(), base::nullopt,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("initial", 80), NetworkIsolationKey(), NetLogWithSource(),
+      base::nullopt, request_context_.get(), host_cache_.get()));
   ResolveHostResponseHelper evictee_response(
-      resolver_->CreateRequest(HostPortPair("evictee", 80), NetLogWithSource(),
+      resolver_->CreateRequest(HostPortPair("evictee", 80),
+                               NetworkIsolationKey(), NetLogWithSource(),
                                base::nullopt, request_context_.get(),
                                host_cache_.get()),
       std::move(custom_callback));
@@ -1252,8 +1313,8 @@ TEST_F(HostResolverManagerTest, StartWithinEvictionCallback_DoubleEviction) {
   // Now one running request ("initial") and one queued requests ("evictee").
   // Any further requests will cause evictions.
   ResolveHostResponseHelper evictor_response(resolver_->CreateRequest(
-      HostPortPair("evictor", 80), NetLogWithSource(), base::nullopt,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("evictor", 80), NetworkIsolationKey(), NetLogWithSource(),
+      base::nullopt, request_context_.get(), host_cache_.get()));
   EXPECT_THAT(evictee_response.result_error(),
               IsError(ERR_HOST_RESOLVER_QUEUE_TOO_LARGE));
 
@@ -1275,29 +1336,31 @@ TEST_F(HostResolverManagerTest, StartWithinEvictionCallback_SameRequest) {
   auto custom_callback = base::BindLambdaForTesting(
       [&](CompletionOnceCallback completion_callback, int error) {
         new_response = std::make_unique<ResolveHostResponseHelper>(
-            resolver_->CreateRequest(
-                HostPortPair("evictor", 70), NetLogWithSource(), base::nullopt,
-                request_context_.get(), host_cache_.get()));
+            resolver_->CreateRequest(HostPortPair("evictor", 70),
+                                     NetworkIsolationKey(), NetLogWithSource(),
+                                     base::nullopt, request_context_.get(),
+                                     host_cache_.get()));
         std::move(completion_callback).Run(error);
       });
 
   ResolveHostResponseHelper initial_response(resolver_->CreateRequest(
-      HostPortPair("initial", 80), NetLogWithSource(), base::nullopt,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("initial", 80), NetworkIsolationKey(), NetLogWithSource(),
+      base::nullopt, request_context_.get(), host_cache_.get()));
   ResolveHostResponseHelper evictee_response(
-      resolver_->CreateRequest(HostPortPair("evictee", 80), NetLogWithSource(),
+      resolver_->CreateRequest(HostPortPair("evictee", 80),
+                               NetworkIsolationKey(), NetLogWithSource(),
                                base::nullopt, request_context_.get(),
                                host_cache_.get()),
       std::move(custom_callback));
   ResolveHostResponseHelper additional_response(resolver_->CreateRequest(
-      HostPortPair("additional", 80), NetLogWithSource(), base::nullopt,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("additional", 80), NetworkIsolationKey(), NetLogWithSource(),
+      base::nullopt, request_context_.get(), host_cache_.get()));
 
   // Now one running request ("initial") and two queued requests ("evictee" and
   // "additional"). Any further requests will cause evictions.
   ResolveHostResponseHelper evictor_response(resolver_->CreateRequest(
-      HostPortPair("evictor", 80), NetLogWithSource(), base::nullopt,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("evictor", 80), NetworkIsolationKey(), NetLogWithSource(),
+      base::nullopt, request_context_.get(), host_cache_.get()));
   EXPECT_THAT(evictee_response.result_error(),
               IsError(ERR_HOST_RESOLVER_QUEUE_TOO_LARGE));
 
@@ -1316,14 +1379,14 @@ TEST_F(HostResolverManagerTest, BypassCache) {
   proc_->SignalMultiple(2u);
 
   ResolveHostResponseHelper initial_response(resolver_->CreateRequest(
-      HostPortPair("a", 80), NetLogWithSource(), base::nullopt,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("a", 80), NetworkIsolationKey(), NetLogWithSource(),
+      base::nullopt, request_context_.get(), host_cache_.get()));
   EXPECT_THAT(initial_response.result_error(), IsOk());
   EXPECT_EQ(1u, proc_->GetCaptureList().size());
 
   ResolveHostResponseHelper cached_response(resolver_->CreateRequest(
-      HostPortPair("a", 80), NetLogWithSource(), base::nullopt,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("a", 80), NetworkIsolationKey(), NetLogWithSource(),
+      base::nullopt, request_context_.get(), host_cache_.get()));
   EXPECT_THAT(cached_response.result_error(), IsOk());
   // Expect no increase to calls to |proc_| because result was cached.
   EXPECT_EQ(1u, proc_->GetCaptureList().size());
@@ -1332,8 +1395,8 @@ TEST_F(HostResolverManagerTest, BypassCache) {
   parameters.cache_usage =
       HostResolver::ResolveHostParameters::CacheUsage::DISALLOWED;
   ResolveHostResponseHelper cache_bypassed_response(resolver_->CreateRequest(
-      HostPortPair("a", 80), NetLogWithSource(), parameters,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("a", 80), NetworkIsolationKey(), NetLogWithSource(),
+      parameters, request_context_.get(), host_cache_.get()));
   EXPECT_THAT(cache_bypassed_response.result_error(), IsOk());
   // Expect call to |proc_| because cache was bypassed.
   EXPECT_EQ(2u, proc_->GetCaptureList().size());
@@ -1345,25 +1408,17 @@ TEST_F(HostResolverManagerTest, FlushCacheOnIPAddressChange) {
   proc_->SignalMultiple(2u);  // One before the flush, one after.
 
   ResolveHostResponseHelper initial_response(resolver_->CreateRequest(
-      HostPortPair("host1", 70), NetLogWithSource(), base::nullopt,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("host1", 70), NetworkIsolationKey(), NetLogWithSource(),
+      base::nullopt, request_context_.get(), host_cache_.get()));
   EXPECT_THAT(initial_response.result_error(), IsOk());
   EXPECT_EQ(1u, proc_->GetCaptureList().size());
 
   ResolveHostResponseHelper cached_response(resolver_->CreateRequest(
-      HostPortPair("host1", 75), NetLogWithSource(), base::nullopt,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("host1", 75), NetworkIsolationKey(), NetLogWithSource(),
+      base::nullopt, request_context_.get(), host_cache_.get()));
   EXPECT_THAT(cached_response.result_error(), IsOk());
   EXPECT_EQ(1u, proc_->GetCaptureList().size());  // No expected increase.
 
-  // Verify initial DNS config read does not flush cache.
-  NetworkChangeNotifier::NotifyObserversOfInitialDNSConfigReadForTests();
-  ResolveHostResponseHelper unflushed_response(resolver_->CreateRequest(
-      HostPortPair("host1", 75), NetLogWithSource(), base::nullopt,
-      request_context_.get(), host_cache_.get()));
-  EXPECT_THAT(unflushed_response.result_error(), IsOk());
-  EXPECT_EQ(1u, proc_->GetCaptureList().size());  // No expected increase.
-
   // Flush cache by triggering an IP address change.
   NetworkChangeNotifier::NotifyObserversOfIPAddressChangeForTests();
   base::RunLoop().RunUntilIdle();  // Notification happens async.
@@ -1371,8 +1426,8 @@ TEST_F(HostResolverManagerTest, FlushCacheOnIPAddressChange) {
   // Resolve "host1" again -- this time it won't be served from cache, so it
   // will complete asynchronously.
   ResolveHostResponseHelper flushed_response(resolver_->CreateRequest(
-      HostPortPair("host1", 80), NetLogWithSource(), base::nullopt,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("host1", 80), NetworkIsolationKey(), NetLogWithSource(),
+      base::nullopt, request_context_.get(), host_cache_.get()));
   EXPECT_THAT(flushed_response.result_error(), IsOk());
   EXPECT_EQ(2u, proc_->GetCaptureList().size());  // Expected increase.
 }
@@ -1380,8 +1435,8 @@ TEST_F(HostResolverManagerTest, FlushCacheOnIPAddressChange) {
 // Test that IP address changes send ERR_NETWORK_CHANGED to pending requests.
 TEST_F(HostResolverManagerTest, AbortOnIPAddressChanged) {
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("host1", 70), NetLogWithSource(), base::nullopt,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("host1", 70), NetworkIsolationKey(), NetLogWithSource(),
+      base::nullopt, request_context_.get(), host_cache_.get()));
 
   ASSERT_FALSE(response.complete());
   ASSERT_TRUE(proc_->WaitFor(1u));
@@ -1396,24 +1451,6 @@ TEST_F(HostResolverManagerTest, AbortOnIPAddressChanged) {
   EXPECT_EQ(0u, host_cache_->size());
 }
 
-// Test that initial DNS config read signals do not abort pending requests.
-TEST_F(HostResolverManagerTest, DontAbortOnInitialDNSConfigRead) {
-  ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("host1", 70), NetLogWithSource(), base::nullopt,
-      request_context_.get(), host_cache_.get()));
-
-  ASSERT_FALSE(response.complete());
-  ASSERT_TRUE(proc_->WaitFor(1u));
-
-  // Triggering initial DNS config read signal.
-  NetworkChangeNotifier::NotifyObserversOfInitialDNSConfigReadForTests();
-  base::RunLoop().RunUntilIdle();  // Notification happens async.
-  proc_->SignalAll();
-
-  EXPECT_THAT(response.result_error(), IsOk());
-  EXPECT_TRUE(response.request()->GetAddressResults());
-}
-
 // Obey pool constraints after IP address has changed.
 TEST_F(HostResolverManagerTest, ObeyPoolConstraintsAfterIPAddressChange) {
   // Runs at most one job at a time.
@@ -1422,16 +1459,16 @@ TEST_F(HostResolverManagerTest, ObeyPoolConstraintsAfterIPAddressChange) {
   std::vector<std::unique_ptr<ResolveHostResponseHelper>> responses;
   responses.emplace_back(
       std::make_unique<ResolveHostResponseHelper>(resolver_->CreateRequest(
-          HostPortPair("a", 80), NetLogWithSource(), base::nullopt,
-          request_context_.get(), host_cache_.get())));
+          HostPortPair("a", 80), NetworkIsolationKey(), NetLogWithSource(),
+          base::nullopt, request_context_.get(), host_cache_.get())));
   responses.emplace_back(
       std::make_unique<ResolveHostResponseHelper>(resolver_->CreateRequest(
-          HostPortPair("b", 80), NetLogWithSource(), base::nullopt,
-          request_context_.get(), host_cache_.get())));
+          HostPortPair("b", 80), NetworkIsolationKey(), NetLogWithSource(),
+          base::nullopt, request_context_.get(), host_cache_.get())));
   responses.emplace_back(
       std::make_unique<ResolveHostResponseHelper>(resolver_->CreateRequest(
-          HostPortPair("c", 80), NetLogWithSource(), base::nullopt,
-          request_context_.get(), host_cache_.get())));
+          HostPortPair("c", 80), NetworkIsolationKey(), NetLogWithSource(),
+          base::nullopt, request_context_.get(), host_cache_.get())));
 
   for (auto& response : responses) {
     ASSERT_FALSE(response->complete());
@@ -1464,32 +1501,32 @@ TEST_F(HostResolverManagerTest, AbortOnlyExistingRequestsOnIPAddressChange) {
           std::unique_ptr<ResolveHostResponseHelper>* next_response,
           CompletionOnceCallback completion_callback, int error) {
         *next_response = std::make_unique<ResolveHostResponseHelper>(
-            resolver_->CreateRequest(next_host, NetLogWithSource(),
-                                     base::nullopt, request_context_.get(),
-                                     host_cache_.get()));
+            resolver_->CreateRequest(
+                next_host, NetworkIsolationKey(), NetLogWithSource(),
+                base::nullopt, request_context_.get(), host_cache_.get()));
         std::move(completion_callback).Run(error);
       });
 
   std::vector<std::unique_ptr<ResolveHostResponseHelper>> next_responses(3);
 
   ResolveHostResponseHelper response0(
-      resolver_->CreateRequest(HostPortPair("bbb", 80), NetLogWithSource(),
-                               base::nullopt, request_context_.get(),
-                               host_cache_.get()),
+      resolver_->CreateRequest(HostPortPair("bbb", 80), NetworkIsolationKey(),
+                               NetLogWithSource(), base::nullopt,
+                               request_context_.get(), host_cache_.get()),
       base::BindOnce(custom_callback_template, HostPortPair("zzz", 80),
                      &next_responses[0]));
 
   ResolveHostResponseHelper response1(
-      resolver_->CreateRequest(HostPortPair("eee", 80), NetLogWithSource(),
-                               base::nullopt, request_context_.get(),
-                               host_cache_.get()),
+      resolver_->CreateRequest(HostPortPair("eee", 80), NetworkIsolationKey(),
+                               NetLogWithSource(), base::nullopt,
+                               request_context_.get(), host_cache_.get()),
       base::BindOnce(custom_callback_template, HostPortPair("aaa", 80),
                      &next_responses[1]));
 
   ResolveHostResponseHelper response2(
-      resolver_->CreateRequest(HostPortPair("ccc", 80), NetLogWithSource(),
-                               base::nullopt, request_context_.get(),
-                               host_cache_.get()),
+      resolver_->CreateRequest(HostPortPair("ccc", 80), NetworkIsolationKey(),
+                               NetLogWithSource(), base::nullopt,
+                               request_context_.get(), host_cache_.get()),
       base::BindOnce(custom_callback_template, HostPortPair("eee", 80),
                      &next_responses[2]));
 
@@ -1539,36 +1576,36 @@ TEST_F(HostResolverManagerTest, HigherPriorityRequestsStartedFirst) {
   std::vector<std::unique_ptr<ResolveHostResponseHelper>> responses;
   responses.emplace_back(
       std::make_unique<ResolveHostResponseHelper>(resolver_->CreateRequest(
-          HostPortPair("req0", 80), NetLogWithSource(), low_priority,
-          request_context_.get(), host_cache_.get())));
+          HostPortPair("req0", 80), NetworkIsolationKey(), NetLogWithSource(),
+          low_priority, request_context_.get(), host_cache_.get())));
   responses.emplace_back(
       std::make_unique<ResolveHostResponseHelper>(resolver_->CreateRequest(
-          HostPortPair("req1", 80), NetLogWithSource(), medium_priority,
-          request_context_.get(), host_cache_.get())));
+          HostPortPair("req1", 80), NetworkIsolationKey(), NetLogWithSource(),
+          medium_priority, request_context_.get(), host_cache_.get())));
   responses.emplace_back(
       std::make_unique<ResolveHostResponseHelper>(resolver_->CreateRequest(
-          HostPortPair("req2", 80), NetLogWithSource(), medium_priority,
-          request_context_.get(), host_cache_.get())));
+          HostPortPair("req2", 80), NetworkIsolationKey(), NetLogWithSource(),
+          medium_priority, request_context_.get(), host_cache_.get())));
   responses.emplace_back(
       std::make_unique<ResolveHostResponseHelper>(resolver_->CreateRequest(
-          HostPortPair("req3", 80), NetLogWithSource(), low_priority,
-          request_context_.get(), host_cache_.get())));
+          HostPortPair("req3", 80), NetworkIsolationKey(), NetLogWithSource(),
+          low_priority, request_context_.get(), host_cache_.get())));
   responses.emplace_back(
       std::make_unique<ResolveHostResponseHelper>(resolver_->CreateRequest(
-          HostPortPair("req4", 80), NetLogWithSource(), highest_priority,
-          request_context_.get(), host_cache_.get())));
+          HostPortPair("req4", 80), NetworkIsolationKey(), NetLogWithSource(),
+          highest_priority, request_context_.get(), host_cache_.get())));
   responses.emplace_back(
       std::make_unique<ResolveHostResponseHelper>(resolver_->CreateRequest(
-          HostPortPair("req5", 80), NetLogWithSource(), low_priority,
-          request_context_.get(), host_cache_.get())));
+          HostPortPair("req5", 80), NetworkIsolationKey(), NetLogWithSource(),
+          low_priority, request_context_.get(), host_cache_.get())));
   responses.emplace_back(
       std::make_unique<ResolveHostResponseHelper>(resolver_->CreateRequest(
-          HostPortPair("req6", 80), NetLogWithSource(), low_priority,
-          request_context_.get(), host_cache_.get())));
+          HostPortPair("req6", 80), NetworkIsolationKey(), NetLogWithSource(),
+          low_priority, request_context_.get(), host_cache_.get())));
   responses.emplace_back(
       std::make_unique<ResolveHostResponseHelper>(resolver_->CreateRequest(
-          HostPortPair("req5", 80), NetLogWithSource(), highest_priority,
-          request_context_.get(), host_cache_.get())));
+          HostPortPair("req5", 80), NetworkIsolationKey(), NetLogWithSource(),
+          highest_priority, request_context_.get(), host_cache_.get())));
 
   for (const auto& response : responses) {
     ASSERT_FALSE(response->complete());
@@ -1612,16 +1649,16 @@ TEST_F(HostResolverManagerTest, ChangePriority) {
   std::vector<std::unique_ptr<ResolveHostResponseHelper>> responses;
   responses.emplace_back(
       std::make_unique<ResolveHostResponseHelper>(resolver_->CreateRequest(
-          HostPortPair("req0", 80), NetLogWithSource(), medium_priority,
-          request_context_.get(), host_cache_.get())));
+          HostPortPair("req0", 80), NetworkIsolationKey(), NetLogWithSource(),
+          medium_priority, request_context_.get(), host_cache_.get())));
   responses.emplace_back(
       std::make_unique<ResolveHostResponseHelper>(resolver_->CreateRequest(
-          HostPortPair("req1", 80), NetLogWithSource(), low_priority,
-          request_context_.get(), host_cache_.get())));
+          HostPortPair("req1", 80), NetworkIsolationKey(), NetLogWithSource(),
+          low_priority, request_context_.get(), host_cache_.get())));
   responses.emplace_back(
       std::make_unique<ResolveHostResponseHelper>(resolver_->CreateRequest(
-          HostPortPair("req2", 80), NetLogWithSource(), lowest_priority,
-          request_context_.get(), host_cache_.get())));
+          HostPortPair("req2", 80), NetworkIsolationKey(), NetLogWithSource(),
+          lowest_priority, request_context_.get(), host_cache_.get())));
 
   // req0 starts immediately; without ChangePriority, req1 and then req2 should
   // run.
@@ -1664,32 +1701,32 @@ TEST_F(HostResolverManagerTest, CancelPendingRequest) {
   std::vector<std::unique_ptr<ResolveHostResponseHelper>> responses;
   responses.emplace_back(
       std::make_unique<ResolveHostResponseHelper>(resolver_->CreateRequest(
-          HostPortPair("req0", 80), NetLogWithSource(), lowest_priority,
-          request_context_.get(), host_cache_.get())));
+          HostPortPair("req0", 80), NetworkIsolationKey(), NetLogWithSource(),
+          lowest_priority, request_context_.get(), host_cache_.get())));
   responses.emplace_back(
       std::make_unique<ResolveHostResponseHelper>(resolver_->CreateRequest(
-          HostPortPair("req1", 80), NetLogWithSource(), highest_priority,
-          request_context_.get(), host_cache_.get())));
+          HostPortPair("req1", 80), NetworkIsolationKey(), NetLogWithSource(),
+          highest_priority, request_context_.get(), host_cache_.get())));
   responses.emplace_back(
       std::make_unique<ResolveHostResponseHelper>(resolver_->CreateRequest(
-          HostPortPair("req2", 80), NetLogWithSource(), medium_priority,
-          request_context_.get(), host_cache_.get())));
+          HostPortPair("req2", 80), NetworkIsolationKey(), NetLogWithSource(),
+          medium_priority, request_context_.get(), host_cache_.get())));
   responses.emplace_back(
       std::make_unique<ResolveHostResponseHelper>(resolver_->CreateRequest(
-          HostPortPair("req3", 80), NetLogWithSource(), low_priority,
-          request_context_.get(), host_cache_.get())));
+          HostPortPair("req3", 80), NetworkIsolationKey(), NetLogWithSource(),
+          low_priority, request_context_.get(), host_cache_.get())));
   responses.emplace_back(
       std::make_unique<ResolveHostResponseHelper>(resolver_->CreateRequest(
-          HostPortPair("req4", 80), NetLogWithSource(), highest_priority,
-          request_context_.get(), host_cache_.get())));
+          HostPortPair("req4", 80), NetworkIsolationKey(), NetLogWithSource(),
+          highest_priority, request_context_.get(), host_cache_.get())));
   responses.emplace_back(
       std::make_unique<ResolveHostResponseHelper>(resolver_->CreateRequest(
-          HostPortPair("req5", 80), NetLogWithSource(), lowest_priority,
-          request_context_.get(), host_cache_.get())));
+          HostPortPair("req5", 80), NetworkIsolationKey(), NetLogWithSource(),
+          lowest_priority, request_context_.get(), host_cache_.get())));
   responses.emplace_back(
       std::make_unique<ResolveHostResponseHelper>(resolver_->CreateRequest(
-          HostPortPair("req6", 80), NetLogWithSource(), medium_priority,
-          request_context_.get(), host_cache_.get())));
+          HostPortPair("req6", 80), NetworkIsolationKey(), NetLogWithSource(),
+          medium_priority, request_context_.get(), host_cache_.get())));
 
   // Cancel some requests
   responses[1]->CancelRequest();
@@ -1747,52 +1784,52 @@ TEST_F(HostResolverManagerTest, QueueOverflow) {
   std::vector<std::unique_ptr<ResolveHostResponseHelper>> responses;
   responses.emplace_back(
       std::make_unique<ResolveHostResponseHelper>(resolver_->CreateRequest(
-          HostPortPair("req0", 80), NetLogWithSource(), lowest_priority,
-          request_context_.get(), host_cache_.get())));
+          HostPortPair("req0", 80), NetworkIsolationKey(), NetLogWithSource(),
+          lowest_priority, request_context_.get(), host_cache_.get())));
   responses.emplace_back(
       std::make_unique<ResolveHostResponseHelper>(resolver_->CreateRequest(
-          HostPortPair("req1", 80), NetLogWithSource(), highest_priority,
-          request_context_.get(), host_cache_.get())));
+          HostPortPair("req1", 80), NetworkIsolationKey(), NetLogWithSource(),
+          highest_priority, request_context_.get(), host_cache_.get())));
   responses.emplace_back(
       std::make_unique<ResolveHostResponseHelper>(resolver_->CreateRequest(
-          HostPortPair("req2", 80), NetLogWithSource(), medium_priority,
-          request_context_.get(), host_cache_.get())));
+          HostPortPair("req2", 80), NetworkIsolationKey(), NetLogWithSource(),
+          medium_priority, request_context_.get(), host_cache_.get())));
   responses.emplace_back(
       std::make_unique<ResolveHostResponseHelper>(resolver_->CreateRequest(
-          HostPortPair("req3", 80), NetLogWithSource(), medium_priority,
-          request_context_.get(), host_cache_.get())));
+          HostPortPair("req3", 80), NetworkIsolationKey(), NetLogWithSource(),
+          medium_priority, request_context_.get(), host_cache_.get())));
 
   // At this point, there are 3 enqueued jobs (and one "running" job).
   // Insertion of subsequent requests will cause evictions.
 
   responses.emplace_back(
       std::make_unique<ResolveHostResponseHelper>(resolver_->CreateRequest(
-          HostPortPair("req4", 80), NetLogWithSource(), low_priority,
-          request_context_.get(), host_cache_.get())));
+          HostPortPair("req4", 80), NetworkIsolationKey(), NetLogWithSource(),
+          low_priority, request_context_.get(), host_cache_.get())));
   EXPECT_THAT(responses[4]->result_error(),
               IsError(ERR_HOST_RESOLVER_QUEUE_TOO_LARGE));  // Evicts self.
   EXPECT_FALSE(responses[4]->request()->GetAddressResults());
 
   responses.emplace_back(
       std::make_unique<ResolveHostResponseHelper>(resolver_->CreateRequest(
-          HostPortPair("req5", 80), NetLogWithSource(), medium_priority,
-          request_context_.get(), host_cache_.get())));
+          HostPortPair("req5", 80), NetworkIsolationKey(), NetLogWithSource(),
+          medium_priority, request_context_.get(), host_cache_.get())));
   EXPECT_THAT(responses[2]->result_error(),
               IsError(ERR_HOST_RESOLVER_QUEUE_TOO_LARGE));
   EXPECT_FALSE(responses[2]->request()->GetAddressResults());
 
   responses.emplace_back(
       std::make_unique<ResolveHostResponseHelper>(resolver_->CreateRequest(
-          HostPortPair("req6", 80), NetLogWithSource(), highest_priority,
-          request_context_.get(), host_cache_.get())));
+          HostPortPair("req6", 80), NetworkIsolationKey(), NetLogWithSource(),
+          highest_priority, request_context_.get(), host_cache_.get())));
   EXPECT_THAT(responses[3]->result_error(),
               IsError(ERR_HOST_RESOLVER_QUEUE_TOO_LARGE));
   EXPECT_FALSE(responses[3]->request()->GetAddressResults());
 
   responses.emplace_back(
       std::make_unique<ResolveHostResponseHelper>(resolver_->CreateRequest(
-          HostPortPair("req7", 80), NetLogWithSource(), medium_priority,
-          request_context_.get(), host_cache_.get())));
+          HostPortPair("req7", 80), NetworkIsolationKey(), NetLogWithSource(),
+          medium_priority, request_context_.get(), host_cache_.get())));
   EXPECT_THAT(responses[5]->result_error(),
               IsError(ERR_HOST_RESOLVER_QUEUE_TOO_LARGE));
   EXPECT_FALSE(responses[5]->request()->GetAddressResults());
@@ -1837,12 +1874,12 @@ TEST_F(HostResolverManagerTest, QueueOverflow_SelfEvict) {
   // requests we make will not complete.
 
   ResolveHostResponseHelper run_response(resolver_->CreateRequest(
-      HostPortPair("run", 80), NetLogWithSource(), base::nullopt,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("run", 80), NetworkIsolationKey(), NetLogWithSource(),
+      base::nullopt, request_context_.get(), host_cache_.get()));
 
   ResolveHostResponseHelper evict_response(resolver_->CreateRequest(
-      HostPortPair("req1", 80), NetLogWithSource(), base::nullopt,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("req1", 80), NetworkIsolationKey(), NetLogWithSource(),
+      base::nullopt, request_context_.get(), host_cache_.get()));
   EXPECT_THAT(evict_response.result_error(),
               IsError(ERR_HOST_RESOLVER_QUEUE_TOO_LARGE));
   EXPECT_FALSE(evict_response.request()->GetAddressResults());
@@ -1863,40 +1900,40 @@ TEST_F(HostResolverManagerTest, AddressFamilyWithRawIPs) {
   v6_parameters.dns_query_type = DnsQueryType::AAAA;
 
   ResolveHostResponseHelper v4_v4_request(resolver_->CreateRequest(
-      HostPortPair("127.0.0.1", 80), NetLogWithSource(), v4_parameters,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("127.0.0.1", 80), NetworkIsolationKey(), NetLogWithSource(),
+      v4_parameters, request_context_.get(), host_cache_.get()));
   EXPECT_THAT(v4_v4_request.result_error(), IsOk());
   EXPECT_THAT(v4_v4_request.request()->GetAddressResults().value().endpoints(),
               testing::ElementsAre(CreateExpected("127.0.0.1", 80)));
 
   ResolveHostResponseHelper v4_v6_request(resolver_->CreateRequest(
-      HostPortPair("127.0.0.1", 80), NetLogWithSource(), v6_parameters,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("127.0.0.1", 80), NetworkIsolationKey(), NetLogWithSource(),
+      v6_parameters, request_context_.get(), host_cache_.get()));
   EXPECT_THAT(v4_v6_request.result_error(), IsError(ERR_NAME_NOT_RESOLVED));
 
   ResolveHostResponseHelper v4_unsp_request(resolver_->CreateRequest(
-      HostPortPair("127.0.0.1", 80), NetLogWithSource(), base::nullopt,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("127.0.0.1", 80), NetworkIsolationKey(), NetLogWithSource(),
+      base::nullopt, request_context_.get(), host_cache_.get()));
   EXPECT_THAT(v4_unsp_request.result_error(), IsOk());
   EXPECT_THAT(
       v4_unsp_request.request()->GetAddressResults().value().endpoints(),
       testing::ElementsAre(CreateExpected("127.0.0.1", 80)));
 
   ResolveHostResponseHelper v6_v4_request(resolver_->CreateRequest(
-      HostPortPair("::1", 80), NetLogWithSource(), v4_parameters,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("::1", 80), NetworkIsolationKey(), NetLogWithSource(),
+      v4_parameters, request_context_.get(), host_cache_.get()));
   EXPECT_THAT(v6_v4_request.result_error(), IsError(ERR_NAME_NOT_RESOLVED));
 
   ResolveHostResponseHelper v6_v6_request(resolver_->CreateRequest(
-      HostPortPair("::1", 80), NetLogWithSource(), v6_parameters,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("::1", 80), NetworkIsolationKey(), NetLogWithSource(),
+      v6_parameters, request_context_.get(), host_cache_.get()));
   EXPECT_THAT(v6_v6_request.result_error(), IsOk());
   EXPECT_THAT(v6_v6_request.request()->GetAddressResults().value().endpoints(),
               testing::ElementsAre(CreateExpected("::1", 80)));
 
   ResolveHostResponseHelper v6_unsp_request(resolver_->CreateRequest(
-      HostPortPair("::1", 80), NetLogWithSource(), base::nullopt,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("::1", 80), NetworkIsolationKey(), NetLogWithSource(),
+      base::nullopt, request_context_.get(), host_cache_.get()));
   EXPECT_THAT(v6_unsp_request.result_error(), IsOk());
   EXPECT_THAT(
       v6_unsp_request.request()->GetAddressResults().value().endpoints(),
@@ -1912,8 +1949,9 @@ TEST_F(HostResolverManagerTest, LocalOnly_FromCache) {
 
   // First NONE query expected to complete synchronously with a cache miss.
   ResolveHostResponseHelper cache_miss_request(resolver_->CreateRequest(
-      HostPortPair("just.testing", 80), NetLogWithSource(),
-      source_none_parameters, request_context_.get(), host_cache_.get()));
+      HostPortPair("just.testing", 80), NetworkIsolationKey(),
+      NetLogWithSource(), source_none_parameters, request_context_.get(),
+      host_cache_.get()));
   EXPECT_TRUE(cache_miss_request.complete());
   EXPECT_THAT(cache_miss_request.result_error(), IsError(ERR_DNS_CACHE_MISS));
   EXPECT_FALSE(cache_miss_request.request()->GetAddressResults());
@@ -1921,15 +1959,17 @@ TEST_F(HostResolverManagerTest, LocalOnly_FromCache) {
 
   // Normal query to populate the cache.
   ResolveHostResponseHelper normal_request(resolver_->CreateRequest(
-      HostPortPair("just.testing", 80), NetLogWithSource(), base::nullopt,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("just.testing", 80), NetworkIsolationKey(),
+      NetLogWithSource(), base::nullopt, request_context_.get(),
+      host_cache_.get()));
   EXPECT_THAT(normal_request.result_error(), IsOk());
   EXPECT_FALSE(normal_request.request()->GetStaleInfo());
 
   // Second NONE query expected to complete synchronously with cache hit.
   ResolveHostResponseHelper cache_hit_request(resolver_->CreateRequest(
-      HostPortPair("just.testing", 80), NetLogWithSource(),
-      source_none_parameters, request_context_.get(), host_cache_.get()));
+      HostPortPair("just.testing", 80), NetworkIsolationKey(),
+      NetLogWithSource(), source_none_parameters, request_context_.get(),
+      host_cache_.get()));
   EXPECT_TRUE(cache_hit_request.complete());
   EXPECT_THAT(cache_hit_request.result_error(), IsOk());
   EXPECT_THAT(
@@ -1947,8 +1987,9 @@ TEST_F(HostResolverManagerTest, LocalOnly_StaleEntry) {
 
   // First NONE query expected to complete synchronously with a cache miss.
   ResolveHostResponseHelper cache_miss_request(resolver_->CreateRequest(
-      HostPortPair("just.testing", 80), NetLogWithSource(),
-      source_none_parameters, request_context_.get(), host_cache_.get()));
+      HostPortPair("just.testing", 80), NetworkIsolationKey(),
+      NetLogWithSource(), source_none_parameters, request_context_.get(),
+      host_cache_.get()));
   EXPECT_TRUE(cache_miss_request.complete());
   EXPECT_THAT(cache_miss_request.result_error(), IsError(ERR_DNS_CACHE_MISS));
   EXPECT_FALSE(cache_miss_request.request()->GetAddressResults());
@@ -1956,8 +1997,9 @@ TEST_F(HostResolverManagerTest, LocalOnly_StaleEntry) {
 
   // Normal query to populate the cache.
   ResolveHostResponseHelper normal_request(resolver_->CreateRequest(
-      HostPortPair("just.testing", 80), NetLogWithSource(), base::nullopt,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("just.testing", 80), NetworkIsolationKey(),
+      NetLogWithSource(), base::nullopt, request_context_.get(),
+      host_cache_.get()));
   EXPECT_THAT(normal_request.result_error(), IsOk());
   EXPECT_FALSE(normal_request.request()->GetStaleInfo());
 
@@ -1965,8 +2007,9 @@ TEST_F(HostResolverManagerTest, LocalOnly_StaleEntry) {
 
   // Second NONE query still expected to complete synchronously with cache miss.
   ResolveHostResponseHelper stale_request(resolver_->CreateRequest(
-      HostPortPair("just.testing", 80), NetLogWithSource(),
-      source_none_parameters, request_context_.get(), host_cache_.get()));
+      HostPortPair("just.testing", 80), NetworkIsolationKey(),
+      NetLogWithSource(), source_none_parameters, request_context_.get(),
+      host_cache_.get()));
   EXPECT_TRUE(stale_request.complete());
   EXPECT_THAT(stale_request.result_error(), IsError(ERR_DNS_CACHE_MISS));
   EXPECT_FALSE(stale_request.request()->GetAddressResults());
@@ -1978,8 +2021,8 @@ TEST_F(HostResolverManagerTest, LocalOnly_FromIp) {
   source_none_parameters.source = HostResolverSource::LOCAL_ONLY;
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("1.2.3.4", 56), NetLogWithSource(), source_none_parameters,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("1.2.3.4", 56), NetworkIsolationKey(), NetLogWithSource(),
+      source_none_parameters, request_context_.get(), host_cache_.get()));
 
   // Expected to resolve synchronously.
   EXPECT_TRUE(response.complete());
@@ -1996,8 +2039,9 @@ TEST_F(HostResolverManagerTest, LocalOnly_InvalidName) {
   source_none_parameters.source = HostResolverSource::LOCAL_ONLY;
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("foo,bar.com", 57), NetLogWithSource(),
-      source_none_parameters, request_context_.get(), host_cache_.get()));
+      HostPortPair("foo,bar.com", 57), NetworkIsolationKey(),
+      NetLogWithSource(), source_none_parameters, request_context_.get(),
+      host_cache_.get()));
 
   // Expected to fail synchronously.
   EXPECT_TRUE(response.complete());
@@ -2011,8 +2055,9 @@ TEST_F(HostResolverManagerTest, LocalOnly_InvalidLocalhost) {
   source_none_parameters.source = HostResolverSource::LOCAL_ONLY;
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("foo,bar.localhost", 58), NetLogWithSource(),
-      source_none_parameters, request_context_.get(), host_cache_.get()));
+      HostPortPair("foo,bar.localhost", 58), NetworkIsolationKey(),
+      NetLogWithSource(), source_none_parameters, request_context_.get(),
+      host_cache_.get()));
 
   // Expected to fail synchronously.
   EXPECT_TRUE(response.complete());
@@ -2032,8 +2077,9 @@ TEST_F(HostResolverManagerTest, StaleAllowed) {
 
   // First query expected to complete synchronously as a cache miss.
   ResolveHostResponseHelper cache_miss_request(resolver_->CreateRequest(
-      HostPortPair("just.testing", 80), NetLogWithSource(),
-      stale_allowed_parameters, request_context_.get(), host_cache_.get()));
+      HostPortPair("just.testing", 80), NetworkIsolationKey(),
+      NetLogWithSource(), stale_allowed_parameters, request_context_.get(),
+      host_cache_.get()));
   EXPECT_TRUE(cache_miss_request.complete());
   EXPECT_THAT(cache_miss_request.result_error(), IsError(ERR_DNS_CACHE_MISS));
   EXPECT_FALSE(cache_miss_request.request()->GetAddressResults());
@@ -2041,8 +2087,9 @@ TEST_F(HostResolverManagerTest, StaleAllowed) {
 
   // Normal query to populate cache
   ResolveHostResponseHelper normal_request(resolver_->CreateRequest(
-      HostPortPair("just.testing", 80), NetLogWithSource(), base::nullopt,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("just.testing", 80), NetworkIsolationKey(),
+      NetLogWithSource(), base::nullopt, request_context_.get(),
+      host_cache_.get()));
   EXPECT_THAT(normal_request.result_error(), IsOk());
   EXPECT_FALSE(normal_request.request()->GetStaleInfo());
 
@@ -2050,8 +2097,9 @@ TEST_F(HostResolverManagerTest, StaleAllowed) {
 
   // Second NONE query expected to get a stale cache hit.
   ResolveHostResponseHelper stale_request(resolver_->CreateRequest(
-      HostPortPair("just.testing", 84), NetLogWithSource(),
-      stale_allowed_parameters, request_context_.get(), host_cache_.get()));
+      HostPortPair("just.testing", 84), NetworkIsolationKey(),
+      NetLogWithSource(), stale_allowed_parameters, request_context_.get(),
+      host_cache_.get()));
   EXPECT_TRUE(stale_request.complete());
   EXPECT_THAT(stale_request.result_error(), IsOk());
   EXPECT_THAT(stale_request.request()->GetAddressResults().value().endpoints(),
@@ -2070,8 +2118,9 @@ TEST_F(HostResolverManagerTest, StaleAllowed_NonLocal) {
   // Normal non-local resolves should still work normally with the STALE_ALLOWED
   // parameter, and there should be no stale info.
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("just.testing", 85), NetLogWithSource(),
-      stale_allowed_parameters, request_context_.get(), host_cache_.get()));
+      HostPortPair("just.testing", 85), NetworkIsolationKey(),
+      NetLogWithSource(), stale_allowed_parameters, request_context_.get(),
+      host_cache_.get()));
   EXPECT_THAT(response.result_error(), IsOk());
   EXPECT_THAT(response.request()->GetAddressResults().value().endpoints(),
               testing::ElementsAre(CreateExpected("192.168.2.42", 85)));
@@ -2084,8 +2133,8 @@ TEST_F(HostResolverManagerTest, StaleAllowed_FromIp) {
       HostResolver::ResolveHostParameters::CacheUsage::STALE_ALLOWED;
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("1.2.3.4", 57), NetLogWithSource(), stale_allowed_parameters,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("1.2.3.4", 57), NetworkIsolationKey(), NetLogWithSource(),
+      stale_allowed_parameters, request_context_.get(), host_cache_.get()));
 
   // Expected to resolve synchronously without stale info.
   EXPECT_TRUE(response.complete());
@@ -2131,8 +2180,8 @@ TEST_F(HostResolverManagerTest, MultipleAttempts) {
 
   // Resolve "host1".
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("host1", 70), NetLogWithSource(), base::nullopt,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("host1", 70), NetworkIsolationKey(), NetLogWithSource(),
+      base::nullopt, request_context_.get(), host_cache_.get()));
   EXPECT_FALSE(response.complete());
 
   resolver_proc->WaitForNAttemptsToBeBlocked(1);
@@ -2195,8 +2244,8 @@ TEST_F(HostResolverManagerTest, DefaultMaxRetryAttempts) {
   // Resolve "host1". The resolver proc will hang all requests so this
   // resolution should remain stalled until calling SetResolvedAttemptNumber().
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("host1", 70), NetLogWithSource(), base::nullopt,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("host1", 70), NetworkIsolationKey(), NetLogWithSource(),
+      base::nullopt, request_context_.get(), host_cache_.get()));
   EXPECT_FALSE(response.complete());
 
   // Simulate running the main thread (network task runner) for a long
@@ -2236,8 +2285,8 @@ TEST_F(HostResolverManagerTest, NameCollisionIcann) {
   proc_->SignalMultiple(6u);
 
   ResolveHostResponseHelper single_response(resolver_->CreateRequest(
-      HostPortPair("single", 80), NetLogWithSource(), base::nullopt,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("single", 80), NetworkIsolationKey(), NetLogWithSource(),
+      base::nullopt, request_context_.get(), host_cache_.get()));
   EXPECT_THAT(single_response.result_error(),
               IsError(ERR_ICANN_NAME_COLLISION));
   EXPECT_FALSE(single_response.request()->GetAddressResults());
@@ -2246,45 +2295,50 @@ TEST_F(HostResolverManagerTest, NameCollisionIcann) {
   // for failed entries from proc-based resolver. That said, the fixed TTL is 0,
   // so it should never be cached.
   const std::pair<const HostCache::Key, HostCache::Entry>* cache_result =
-      GetCacheHit(HostCache::Key("single", DnsQueryType::UNSPECIFIED,
-                                 0 /* host_resolver_flags */,
-                                 HostResolverSource::ANY));
+      GetCacheHit(HostCache::Key(
+          "single", DnsQueryType::UNSPECIFIED, 0 /* host_resolver_flags */,
+          HostResolverSource::ANY, NetworkIsolationKey()));
   EXPECT_FALSE(cache_result);
 
   ResolveHostResponseHelper multiple_response(resolver_->CreateRequest(
-      HostPortPair("multiple", 80), NetLogWithSource(), base::nullopt,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("multiple", 80), NetworkIsolationKey(), NetLogWithSource(),
+      base::nullopt, request_context_.get(), host_cache_.get()));
   EXPECT_THAT(multiple_response.result_error(),
               IsError(ERR_ICANN_NAME_COLLISION));
 
   // Resolving an IP literal of 127.0.53.53 however is allowed.
   ResolveHostResponseHelper literal_response(resolver_->CreateRequest(
-      HostPortPair("127.0.53.53", 80), NetLogWithSource(), base::nullopt,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("127.0.53.53", 80), NetworkIsolationKey(),
+      NetLogWithSource(), base::nullopt, request_context_.get(),
+      host_cache_.get()));
   EXPECT_THAT(literal_response.result_error(), IsOk());
 
   // Moreover the address should not be recognized when embedded in an IPv6
   // address.
   ResolveHostResponseHelper ipv6_response(resolver_->CreateRequest(
-      HostPortPair("127.0.53.53", 80), NetLogWithSource(), base::nullopt,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("127.0.53.53", 80), NetworkIsolationKey(),
+      NetLogWithSource(), base::nullopt, request_context_.get(),
+      host_cache_.get()));
   EXPECT_THAT(ipv6_response.result_error(), IsOk());
 
   // Try some other IPs which are similar, but NOT an exact match on
   // 127.0.53.53.
   ResolveHostResponseHelper similar_response1(resolver_->CreateRequest(
-      HostPortPair("not_reserved1", 80), NetLogWithSource(), base::nullopt,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("not_reserved1", 80), NetworkIsolationKey(),
+      NetLogWithSource(), base::nullopt, request_context_.get(),
+      host_cache_.get()));
   EXPECT_THAT(similar_response1.result_error(), IsOk());
 
   ResolveHostResponseHelper similar_response2(resolver_->CreateRequest(
-      HostPortPair("not_reserved2", 80), NetLogWithSource(), base::nullopt,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("not_reserved2", 80), NetworkIsolationKey(),
+      NetLogWithSource(), base::nullopt, request_context_.get(),
+      host_cache_.get()));
   EXPECT_THAT(similar_response2.result_error(), IsOk());
 
   ResolveHostResponseHelper similar_response3(resolver_->CreateRequest(
-      HostPortPair("not_reserved3", 80), NetLogWithSource(), base::nullopt,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("not_reserved3", 80), NetworkIsolationKey(),
+      NetLogWithSource(), base::nullopt, request_context_.get(),
+      host_cache_.get()));
   EXPECT_THAT(similar_response3.result_error(), IsOk());
 }
 
@@ -2298,7 +2352,7 @@ TEST_F(HostResolverManagerTest, IsIPv6Reachable) {
       nullptr /* net_log */);
 
   // Verify that two consecutive calls return the same value.
-  TestNetLog test_net_log;
+  RecordingTestNetLog test_net_log;
   NetLogWithSource net_log =
       NetLogWithSource::Make(&test_net_log, NetLogSourceType::NONE);
   bool result1 = IsIPv6Reachable(net_log);
@@ -2323,11 +2377,13 @@ TEST_F(HostResolverManagerTest, IncludeCanonicalName) {
   HostResolver::ResolveHostParameters parameters;
   parameters.include_canonical_name = true;
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("just.testing", 80), NetLogWithSource(), parameters,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("just.testing", 80), NetworkIsolationKey(),
+      NetLogWithSource(), parameters, request_context_.get(),
+      host_cache_.get()));
   ResolveHostResponseHelper response_no_flag(resolver_->CreateRequest(
-      HostPortPair("just.testing", 80), NetLogWithSource(), base::nullopt,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("just.testing", 80), NetworkIsolationKey(),
+      NetLogWithSource(), base::nullopt, request_context_.get(),
+      host_cache_.get()));
 
   EXPECT_THAT(response.result_error(), IsOk());
   EXPECT_THAT(response.request()->GetAddressResults().value().endpoints(),
@@ -2346,11 +2402,11 @@ TEST_F(HostResolverManagerTest, LoopbackOnly) {
   HostResolver::ResolveHostParameters parameters;
   parameters.loopback_only = true;
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("otherlocal", 80), NetLogWithSource(), parameters,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("otherlocal", 80), NetworkIsolationKey(), NetLogWithSource(),
+      parameters, request_context_.get(), host_cache_.get()));
   ResolveHostResponseHelper response_no_flag(resolver_->CreateRequest(
-      HostPortPair("otherlocal", 80), NetLogWithSource(), base::nullopt,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("otherlocal", 80), NetworkIsolationKey(), NetLogWithSource(),
+      base::nullopt, request_context_.get(), host_cache_.get()));
 
   EXPECT_THAT(response.result_error(), IsOk());
   EXPECT_THAT(response.request()->GetAddressResults().value().endpoints(),
@@ -2367,8 +2423,9 @@ TEST_F(HostResolverManagerTest, IsSpeculative) {
   parameters.is_speculative = true;
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("just.testing", 80), NetLogWithSource(), parameters,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("just.testing", 80), NetworkIsolationKey(),
+      NetLogWithSource(), parameters, request_context_.get(),
+      host_cache_.get()));
 
   EXPECT_THAT(response.result_error(), IsOk());
   EXPECT_FALSE(response.request()->GetAddressResults());
@@ -2379,8 +2436,9 @@ TEST_F(HostResolverManagerTest, IsSpeculative) {
   // Reresolve without the |is_speculative| flag should immediately return from
   // cache.
   ResolveHostResponseHelper response2(resolver_->CreateRequest(
-      HostPortPair("just.testing", 80), NetLogWithSource(), base::nullopt,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("just.testing", 80), NetworkIsolationKey(),
+      NetLogWithSource(), base::nullopt, request_context_.get(),
+      host_cache_.get()));
 
   EXPECT_THAT(response2.result_error(), IsOk());
   EXPECT_THAT(response2.request()->GetAddressResults().value().endpoints(),
@@ -2652,8 +2710,9 @@ TEST_F(HostResolverManagerTest, Mdns) {
   parameters.source = HostResolverSource::MULTICAST_DNS;
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("myhello.local", 80), NetLogWithSource(), parameters,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("myhello.local", 80), NetworkIsolationKey(),
+      NetLogWithSource(), parameters, request_context_.get(),
+      host_cache_.get()));
 
   socket_factory_ptr->SimulateReceive(kMdnsResponseA, sizeof(kMdnsResponseA));
   socket_factory_ptr->SimulateReceive(kMdnsResponseAAAA,
@@ -2667,6 +2726,7 @@ TEST_F(HostResolverManagerTest, Mdns) {
           CreateExpected("000a:0000:0000:0000:0001:0002:0003:0004", 80)));
   EXPECT_FALSE(response.request()->GetTextResults());
   EXPECT_FALSE(response.request()->GetHostnameResults());
+  EXPECT_FALSE(response.request()->GetEsniResults());
 }
 
 TEST_F(HostResolverManagerTest, Mdns_AaaaOnly) {
@@ -2681,8 +2741,9 @@ TEST_F(HostResolverManagerTest, Mdns_AaaaOnly) {
   parameters.source = HostResolverSource::MULTICAST_DNS;
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("myhello.local", 80), NetLogWithSource(), parameters,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("myhello.local", 80), NetworkIsolationKey(),
+      NetLogWithSource(), parameters, request_context_.get(),
+      host_cache_.get()));
 
   socket_factory_ptr->SimulateReceive(kMdnsResponseAAAA,
                                       sizeof(kMdnsResponseAAAA));
@@ -2705,8 +2766,9 @@ TEST_F(HostResolverManagerTest, Mdns_Txt) {
   parameters.source = HostResolverSource::MULTICAST_DNS;
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("myhello.local", 80), NetLogWithSource(), parameters,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("myhello.local", 80), NetworkIsolationKey(),
+      NetLogWithSource(), parameters, request_context_.get(),
+      host_cache_.get()));
 
   socket_factory_ptr->SimulateReceive(kMdnsResponseTxt,
                                       sizeof(kMdnsResponseTxt));
@@ -2716,6 +2778,7 @@ TEST_F(HostResolverManagerTest, Mdns_Txt) {
   EXPECT_THAT(response.request()->GetTextResults(),
               testing::Optional(testing::ElementsAre("foo", "bar")));
   EXPECT_FALSE(response.request()->GetHostnameResults());
+  EXPECT_FALSE(response.request()->GetEsniResults());
 }
 
 TEST_F(HostResolverManagerTest, Mdns_Ptr) {
@@ -2730,8 +2793,9 @@ TEST_F(HostResolverManagerTest, Mdns_Ptr) {
   parameters.source = HostResolverSource::MULTICAST_DNS;
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("myhello.local", 83), NetLogWithSource(), parameters,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("myhello.local", 83), NetworkIsolationKey(),
+      NetLogWithSource(), parameters, request_context_.get(),
+      host_cache_.get()));
 
   socket_factory_ptr->SimulateReceive(kMdnsResponsePtr,
                                       sizeof(kMdnsResponsePtr));
@@ -2739,6 +2803,7 @@ TEST_F(HostResolverManagerTest, Mdns_Ptr) {
   EXPECT_THAT(response.result_error(), IsOk());
   EXPECT_FALSE(response.request()->GetAddressResults());
   EXPECT_FALSE(response.request()->GetTextResults());
+  EXPECT_FALSE(response.request()->GetEsniResults());
   EXPECT_THAT(
       response.request()->GetHostnameResults(),
       testing::Optional(testing::ElementsAre(HostPortPair("foo.com", 83))));
@@ -2756,8 +2821,9 @@ TEST_F(HostResolverManagerTest, Mdns_Srv) {
   parameters.source = HostResolverSource::MULTICAST_DNS;
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("myhello.local", 83), NetLogWithSource(), parameters,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("myhello.local", 83), NetworkIsolationKey(),
+      NetLogWithSource(), parameters, request_context_.get(),
+      host_cache_.get()));
 
   socket_factory_ptr->SimulateReceive(kMdnsResponseSrv,
                                       sizeof(kMdnsResponseSrv));
@@ -2765,6 +2831,7 @@ TEST_F(HostResolverManagerTest, Mdns_Srv) {
   EXPECT_THAT(response.result_error(), IsOk());
   EXPECT_FALSE(response.request()->GetAddressResults());
   EXPECT_FALSE(response.request()->GetTextResults());
+  EXPECT_FALSE(response.request()->GetEsniResults());
   EXPECT_THAT(
       response.request()->GetHostnameResults(),
       testing::Optional(testing::ElementsAre(HostPortPair("foo.com", 8265))));
@@ -2782,8 +2849,9 @@ TEST_F(HostResolverManagerTest, Mdns_Srv_Unrestricted) {
   parameters.source = HostResolverSource::MULTICAST_DNS;
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("foo bar(A1B2)._ipps._tcp.local", 83), NetLogWithSource(),
-      parameters, request_context_.get(), host_cache_.get()));
+      HostPortPair("foo bar(A1B2)._ipps._tcp.local", 83), NetworkIsolationKey(),
+      NetLogWithSource(), parameters, request_context_.get(),
+      host_cache_.get()));
 
   socket_factory_ptr->SimulateReceive(kMdnsResponseSrvUnrestricted,
                                       sizeof(kMdnsResponseSrvUnrestricted));
@@ -2791,6 +2859,7 @@ TEST_F(HostResolverManagerTest, Mdns_Srv_Unrestricted) {
   EXPECT_THAT(response.result_error(), IsOk());
   EXPECT_FALSE(response.request()->GetAddressResults());
   EXPECT_FALSE(response.request()->GetTextResults());
+  EXPECT_FALSE(response.request()->GetEsniResults());
   EXPECT_THAT(
       response.request()->GetHostnameResults(),
       testing::Optional(testing::ElementsAre(HostPortPair("foo.com", 8265))));
@@ -2808,8 +2877,9 @@ TEST_F(HostResolverManagerTest, Mdns_Srv_Result_Unrestricted) {
   parameters.source = HostResolverSource::MULTICAST_DNS;
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("myhello.local", 83), NetLogWithSource(), parameters,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("myhello.local", 83), NetworkIsolationKey(),
+      NetLogWithSource(), parameters, request_context_.get(),
+      host_cache_.get()));
 
   socket_factory_ptr->SimulateReceive(
       kMdnsResponseSrvUnrestrictedResult,
@@ -2818,6 +2888,7 @@ TEST_F(HostResolverManagerTest, Mdns_Srv_Result_Unrestricted) {
   EXPECT_THAT(response.result_error(), IsOk());
   EXPECT_FALSE(response.request()->GetAddressResults());
   EXPECT_FALSE(response.request()->GetTextResults());
+  EXPECT_FALSE(response.request()->GetEsniResults());
   EXPECT_THAT(response.request()->GetHostnameResults(),
               testing::Optional(
                   testing::ElementsAre(HostPortPair("foo bar.local", 8265))));
@@ -2837,8 +2908,9 @@ TEST_F(HostResolverManagerTest, Mdns_Nsec) {
   parameters.source = HostResolverSource::MULTICAST_DNS;
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("myhello.local", 80), NetLogWithSource(), parameters,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("myhello.local", 80), NetworkIsolationKey(),
+      NetLogWithSource(), parameters, request_context_.get(),
+      host_cache_.get()));
 
   socket_factory_ptr->SimulateReceive(kMdnsResponseNsec,
                                       sizeof(kMdnsResponseNsec));
@@ -2869,8 +2941,9 @@ TEST_F(HostResolverManagerTest, Mdns_NoResponse) {
   parameters.source = HostResolverSource::MULTICAST_DNS;
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("myhello.local", 80), NetLogWithSource(), parameters,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("myhello.local", 80), NetworkIsolationKey(),
+      NetLogWithSource(), parameters, request_context_.get(),
+      host_cache_.get()));
 
   ASSERT_TRUE(test_task_runner->HasPendingTask());
   test_task_runner->FastForwardBy(MDnsTransaction::kTransactionTimeout +
@@ -2880,6 +2953,7 @@ TEST_F(HostResolverManagerTest, Mdns_NoResponse) {
   EXPECT_FALSE(response.request()->GetAddressResults());
   EXPECT_FALSE(response.request()->GetTextResults());
   EXPECT_FALSE(response.request()->GetHostnameResults());
+  EXPECT_FALSE(response.request()->GetEsniResults());
 
   test_task_runner->FastForwardUntilNoTasksRemain();
 }
@@ -2907,8 +2981,9 @@ TEST_F(HostResolverManagerTest, Mdns_WrongType) {
   parameters.source = HostResolverSource::MULTICAST_DNS;
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("myhello.local", 80), NetLogWithSource(), parameters,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("myhello.local", 80), NetworkIsolationKey(),
+      NetLogWithSource(), parameters, request_context_.get(),
+      host_cache_.get()));
 
   // Not the requested type. Should be ignored.
   socket_factory_ptr->SimulateReceive(kMdnsResponseTxt,
@@ -2922,6 +2997,7 @@ TEST_F(HostResolverManagerTest, Mdns_WrongType) {
   EXPECT_FALSE(response.request()->GetAddressResults());
   EXPECT_FALSE(response.request()->GetTextResults());
   EXPECT_FALSE(response.request()->GetHostnameResults());
+  EXPECT_FALSE(response.request()->GetEsniResults());
 
   test_task_runner->FastForwardUntilNoTasksRemain();
 }
@@ -2950,8 +3026,9 @@ TEST_F(HostResolverManagerTest, Mdns_PartialResults) {
   parameters.source = HostResolverSource::MULTICAST_DNS;
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("myhello.local", 80), NetLogWithSource(), parameters,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("myhello.local", 80), NetworkIsolationKey(),
+      NetLogWithSource(), parameters, request_context_.get(),
+      host_cache_.get()));
 
   ASSERT_TRUE(test_task_runner->HasPendingTask());
 
@@ -2977,8 +3054,9 @@ TEST_F(HostResolverManagerTest, Mdns_Cancel) {
   parameters.source = HostResolverSource::MULTICAST_DNS;
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("myhello.local", 80), NetLogWithSource(), parameters,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("myhello.local", 80), NetworkIsolationKey(),
+      NetLogWithSource(), parameters, request_context_.get(),
+      host_cache_.get()));
 
   response.CancelRequest();
 
@@ -3014,8 +3092,9 @@ TEST_F(HostResolverManagerTest, Mdns_PartialFailure) {
   parameters.source = HostResolverSource::MULTICAST_DNS;
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("myhello.local", 80), NetLogWithSource(), parameters,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("myhello.local", 80), NetworkIsolationKey(),
+      NetLogWithSource(), parameters, request_context_.get(),
+      host_cache_.get()));
 
   EXPECT_THAT(response.result_error(), IsError(ERR_FAILED));
   EXPECT_FALSE(response.request()->GetAddressResults());
@@ -3032,8 +3111,9 @@ TEST_F(HostResolverManagerTest, Mdns_ListenFailure) {
   parameters.source = HostResolverSource::MULTICAST_DNS;
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("myhello.local", 80), NetLogWithSource(), parameters,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("myhello.local", 80), NetworkIsolationKey(),
+      NetLogWithSource(), parameters, request_context_.get(),
+      host_cache_.get()));
 
   EXPECT_THAT(response.result_error(), IsError(ERR_FAILED));
   EXPECT_FALSE(response.request()->GetAddressResults());
@@ -3050,7 +3130,7 @@ class TestMdnsListenerDelegate : public HostResolver::MdnsListener::Delegate {
       HostResolver::MdnsListener::Delegate::UpdateType update_type,
       DnsQueryType result_type,
       IPEndPoint address) override {
-    address_results_.insert({{update_type, result_type}, std::move(address)});
+    address_results_.insert({{update_type, result_type}, address});
   }
 
   void OnTextResult(
@@ -3384,11 +3464,259 @@ DnsConfig CreateUpgradableDnsConfig() {
   return config;
 }
 
+// Check that entries are written to the cache with the right NIK.
+TEST_F(HostResolverManagerTest, NetworkIsolationKeyWriteToHostCache) {
+  const url::Origin kOrigin1 =
+      url::Origin::Create(GURL("https://origin1.test/"));
+  const url::Origin kOrigin2 =
+      url::Origin::Create(GURL("https://origin2.test/"));
+  const NetworkIsolationKey kNetworkIsolationKey1(kOrigin1, kOrigin1);
+  const NetworkIsolationKey kNetworkIsolationKey2(kOrigin2, kOrigin2);
+
+  const char kFirstDnsResult[] = "192.168.1.42";
+  const char kSecondDnsResult[] = "192.168.1.43";
+
+  for (bool split_cache_by_network_isolation_key : {false, true}) {
+    base::test::ScopedFeatureList feature_list;
+    if (split_cache_by_network_isolation_key) {
+      feature_list.InitAndEnableFeature(
+          features::kSplitHostCacheByNetworkIsolationKey);
+    } else {
+      feature_list.InitAndDisableFeature(
+          features::kSplitHostCacheByNetworkIsolationKey);
+    }
+    proc_->AddRuleForAllFamilies("just.testing", kFirstDnsResult);
+    proc_->SignalMultiple(1u);
+
+    // Resolve a host using kNetworkIsolationKey1.
+    ResolveHostResponseHelper response1(resolver_->CreateRequest(
+        HostPortPair("just.testing", 80), kNetworkIsolationKey1,
+        NetLogWithSource(), base::nullopt, request_context_.get(),
+        host_cache_.get()));
+    EXPECT_THAT(response1.result_error(), IsOk());
+    EXPECT_THAT(response1.request()->GetAddressResults().value().endpoints(),
+                testing::ElementsAre(CreateExpected(kFirstDnsResult, 80)));
+    EXPECT_FALSE(response1.request()->GetStaleInfo());
+    EXPECT_EQ(1u, proc_->GetCaptureList().size());
+
+    // If the host cache is being split by NetworkIsolationKeys, there should be
+    // an entry in the HostCache with kNetworkIsolationKey1. Otherwise, there
+    // should be an entry with the empy NIK.
+    if (split_cache_by_network_isolation_key) {
+      EXPECT_TRUE(GetCacheHit(
+          HostCache::Key("just.testing", DnsQueryType::UNSPECIFIED,
+                         0 /* host_resolver_flags */, HostResolverSource::ANY,
+                         kNetworkIsolationKey1)));
+
+      EXPECT_FALSE(GetCacheHit(
+          HostCache::Key("just.testing", DnsQueryType::UNSPECIFIED,
+                         0 /* host_resolver_flags */, HostResolverSource::ANY,
+                         NetworkIsolationKey())));
+    } else {
+      EXPECT_FALSE(GetCacheHit(
+          HostCache::Key("just.testing", DnsQueryType::UNSPECIFIED,
+                         0 /* host_resolver_flags */, HostResolverSource::ANY,
+                         kNetworkIsolationKey1)));
+
+      EXPECT_TRUE(GetCacheHit(
+          HostCache::Key("just.testing", DnsQueryType::UNSPECIFIED,
+                         0 /* host_resolver_flags */, HostResolverSource::ANY,
+                         NetworkIsolationKey())));
+    }
+
+    // There should be no entry using kNetworkIsolationKey2 in either case.
+    EXPECT_FALSE(GetCacheHit(HostCache::Key(
+        "just.testing", DnsQueryType::UNSPECIFIED, 0 /* host_resolver_flags */,
+        HostResolverSource::ANY, kNetworkIsolationKey2)));
+
+    // A request using kNetworkIsolationKey2 should only be served out of the
+    // cache of the cache if |split_cache_by_network_isolation_key| is false. If
+    // it's not served over the network, it is provided a different result.
+    if (split_cache_by_network_isolation_key) {
+      proc_->AddRuleForAllFamilies("just.testing", kSecondDnsResult);
+      proc_->SignalMultiple(1u);
+    }
+    ResolveHostResponseHelper response2(resolver_->CreateRequest(
+        HostPortPair("just.testing", 80), kNetworkIsolationKey2,
+        NetLogWithSource(), base::nullopt, request_context_.get(),
+        host_cache_.get()));
+    EXPECT_THAT(response2.result_error(), IsOk());
+    if (split_cache_by_network_isolation_key) {
+      EXPECT_THAT(response2.request()->GetAddressResults().value().endpoints(),
+                  testing::ElementsAre(CreateExpected(kSecondDnsResult, 80)));
+      EXPECT_FALSE(response2.request()->GetStaleInfo());
+      EXPECT_EQ(2u, proc_->GetCaptureList().size());
+      EXPECT_TRUE(GetCacheHit(
+          HostCache::Key("just.testing", DnsQueryType::UNSPECIFIED,
+                         0 /* host_resolver_flags */, HostResolverSource::ANY,
+                         kNetworkIsolationKey2)));
+    } else {
+      EXPECT_THAT(response2.request()->GetAddressResults().value().endpoints(),
+                  testing::ElementsAre(CreateExpected(kFirstDnsResult, 80)));
+      EXPECT_TRUE(response2.request()->GetStaleInfo());
+      EXPECT_EQ(1u, proc_->GetCaptureList().size());
+      EXPECT_FALSE(GetCacheHit(
+          HostCache::Key("just.testing", DnsQueryType::UNSPECIFIED,
+                         0 /* host_resolver_flags */, HostResolverSource::ANY,
+                         kNetworkIsolationKey2)));
+    }
+
+    host_cache_->clear();
+    proc_->ClearCaptureList();
+  }
+}
+
+// Check that entries are read to the cache with the right NIK.
+TEST_F(HostResolverManagerTest, NetworkIsolationKeyReadFromHostCache) {
+  const url::Origin kOrigin1 =
+      url::Origin::Create(GURL("https://origin1.test/"));
+  const url::Origin kOrigin2 =
+      url::Origin::Create(GURL("https://origin2.test/"));
+  const NetworkIsolationKey kNetworkIsolationKey1(kOrigin1, kOrigin1);
+  const NetworkIsolationKey kNetworkIsolationKey2(kOrigin2, kOrigin2);
+
+  struct CacheEntry {
+    NetworkIsolationKey network_isolation_key;
+    const char* cached_ip_address;
+  };
+
+  const CacheEntry kCacheEntries[] = {
+      {NetworkIsolationKey(), "192.168.1.42"},
+      {kNetworkIsolationKey1, "192.168.1.43"},
+      {kNetworkIsolationKey2, "192.168.1.44"},
+  };
+
+  // Add entries to cache for the empty NIK, NIK1, and NIK2. Only the
+  // HostResolverManager obeys features::kSplitHostCacheByNetworkIsolationKey,
+  // so this is fine to do regardless of the feature value.
+  for (const auto& cache_entry : kCacheEntries) {
+    HostCache::Key key("just.testing", DnsQueryType::UNSPECIFIED, 0,
+                       HostResolverSource::ANY,
+                       cache_entry.network_isolation_key);
+    IPAddress address;
+    ASSERT_TRUE(address.AssignFromIPLiteral(cache_entry.cached_ip_address));
+    HostCache::Entry entry =
+        HostCache::Entry(OK, AddressList::CreateFromIPAddress(address, 80),
+                         HostCache::Entry::SOURCE_UNKNOWN);
+    host_cache_->Set(key, entry, base::TimeTicks::Now(),
+                     base::TimeDelta::FromDays(1));
+  }
+
+  for (bool split_cache_by_network_isolation_key : {false, true}) {
+    base::test::ScopedFeatureList feature_list;
+    if (split_cache_by_network_isolation_key) {
+      feature_list.InitAndEnableFeature(
+          features::kSplitHostCacheByNetworkIsolationKey);
+    } else {
+      feature_list.InitAndDisableFeature(
+          features::kSplitHostCacheByNetworkIsolationKey);
+    }
+
+    // A request that uses kNetworkIsolationKey1 will return cache entry 1 if
+    // the NetworkIsolationKeys are being used, and cache entry 0 otherwise.
+    ResolveHostResponseHelper response1(resolver_->CreateRequest(
+        HostPortPair("just.testing", 80), kNetworkIsolationKey1,
+        NetLogWithSource(), base::nullopt, request_context_.get(),
+        host_cache_.get()));
+    EXPECT_THAT(response1.result_error(), IsOk());
+    EXPECT_THAT(response1.request()->GetAddressResults().value().endpoints(),
+                testing::ElementsAre(CreateExpected(
+                    kCacheEntries[split_cache_by_network_isolation_key ? 1 : 0]
+                        .cached_ip_address,
+                    80)));
+    EXPECT_TRUE(response1.request()->GetStaleInfo());
+
+    // A request that uses kNetworkIsolationKey2 will return cache entry 2 if
+    // the NetworkIsolationKeys are being used, and cache entry 0 otherwise.
+    ResolveHostResponseHelper response2(resolver_->CreateRequest(
+        HostPortPair("just.testing", 80), kNetworkIsolationKey2,
+        NetLogWithSource(), base::nullopt, request_context_.get(),
+        host_cache_.get()));
+    EXPECT_THAT(response2.result_error(), IsOk());
+    EXPECT_THAT(response2.request()->GetAddressResults().value().endpoints(),
+                testing::ElementsAre(CreateExpected(
+                    kCacheEntries[split_cache_by_network_isolation_key ? 2 : 0]
+                        .cached_ip_address,
+                    80)));
+    EXPECT_TRUE(response2.request()->GetStaleInfo());
+  }
+}
+
+// Test that two requests made with different NetworkIsolationKeys are not
+// merged if |features::kSplitHostCacheByNetworkIsolationKey| is enabled.
+TEST_F(HostResolverManagerTest, NetworkIsolationKeyTwoRequestsAtOnce) {
+  const url::Origin kOrigin1 =
+      url::Origin::Create(GURL("https://origin1.test/"));
+  const url::Origin kOrigin2 =
+      url::Origin::Create(GURL("https://origin2.test/"));
+  const NetworkIsolationKey kNetworkIsolationKey1(kOrigin1, kOrigin1);
+  const NetworkIsolationKey kNetworkIsolationKey2(kOrigin2, kOrigin2);
+
+  const char kDnsResult[] = "192.168.1.42";
+
+  for (bool split_cache_by_network_isolation_key : {false, true}) {
+    base::test::ScopedFeatureList feature_list;
+    if (split_cache_by_network_isolation_key) {
+      feature_list.InitAndEnableFeature(
+          features::kSplitHostCacheByNetworkIsolationKey);
+    } else {
+      feature_list.InitAndDisableFeature(
+          features::kSplitHostCacheByNetworkIsolationKey);
+    }
+    proc_->AddRuleForAllFamilies("just.testing", kDnsResult);
+
+    // Start resolving a host using kNetworkIsolationKey1.
+    ResolveHostResponseHelper response1(resolver_->CreateRequest(
+        HostPortPair("just.testing", 80), kNetworkIsolationKey1,
+        NetLogWithSource(), base::nullopt, request_context_.get(),
+        host_cache_.get()));
+    EXPECT_FALSE(response1.complete());
+
+    // Start resolving the same host using kNetworkIsolationKey2.
+    ResolveHostResponseHelper response2(resolver_->CreateRequest(
+        HostPortPair("just.testing", 80), kNetworkIsolationKey2,
+        NetLogWithSource(), base::nullopt, request_context_.get(),
+        host_cache_.get()));
+    EXPECT_FALSE(response2.complete());
+
+    // Wait for and complete the expected number of over-the-wire DNS
+    // resolutions.
+    if (split_cache_by_network_isolation_key) {
+      proc_->WaitFor(2);
+      EXPECT_EQ(2u, proc_->GetCaptureList().size());
+      proc_->SignalMultiple(2u);
+    } else {
+      proc_->WaitFor(1);
+      EXPECT_EQ(1u, proc_->GetCaptureList().size());
+      proc_->SignalMultiple(1u);
+    }
+
+    // Both requests should have completed successfully, with neither served out
+    // of the cache.
+
+    EXPECT_THAT(response1.result_error(), IsOk());
+    EXPECT_THAT(response1.request()->GetAddressResults().value().endpoints(),
+                testing::ElementsAre(CreateExpected(kDnsResult, 80)));
+    EXPECT_FALSE(response1.request()->GetStaleInfo());
+
+    EXPECT_THAT(response2.result_error(), IsOk());
+    EXPECT_THAT(response2.request()->GetAddressResults().value().endpoints(),
+                testing::ElementsAre(CreateExpected(kDnsResult, 80)));
+    EXPECT_FALSE(response2.request()->GetStaleInfo());
+
+    host_cache_->clear();
+    proc_->ClearCaptureList();
+  }
+}
+
 // Specialized fixture for tests of DnsTask.
 class HostResolverManagerDnsTest : public HostResolverManagerTest {
  public:
-  HostResolverManagerDnsTest()
-      : notifier_task_runner_(base::CreateSequencedTaskRunner(
+  explicit HostResolverManagerDnsTest(
+      base::test::TaskEnvironment::TimeSource time_source =
+          base::test::TaskEnvironment::TimeSource::SYSTEM_TIME)
+      : HostResolverManagerTest(time_source),
+        notifier_task_runner_(base::CreateSequencedTaskRunner(
             {base::ThreadPool(), base::MayBlock()})),
         dns_client_(nullptr) {
     auto config_service = std::make_unique<TestDnsConfigService>();
@@ -3556,10 +3884,10 @@ class HostResolverManagerDnsTest : public HostResolverManagerTest {
                          uint16_t qtype,
                          const IPAddress& result_ip,
                          bool delay) {
-    rules->emplace_back(prefix, qtype, false /* secure */,
-                        MockDnsClientRule::Result(
-                            BuildTestDnsResponse(prefix, std::move(result_ip))),
-                        delay);
+    rules->emplace_back(
+        prefix, qtype, false /* secure */,
+        MockDnsClientRule::Result(BuildTestDnsResponse(prefix, result_ip)),
+        delay);
   }
 
   static void AddDnsRule(MockDnsClientRuleList* rules,
@@ -3568,11 +3896,10 @@ class HostResolverManagerDnsTest : public HostResolverManagerTest {
                          IPAddress result_ip,
                          std::string cannonname,
                          bool delay) {
-    rules->emplace_back(
-        prefix, qtype, false /* secure */,
-        MockDnsClientRule::Result(BuildTestDnsResponseWithCname(
-            prefix, std::move(result_ip), std::move(cannonname))),
-        delay);
+    rules->emplace_back(prefix, qtype, false /* secure */,
+                        MockDnsClientRule::Result(BuildTestDnsResponseWithCname(
+                            prefix, result_ip, std::move(cannonname))),
+                        delay);
   }
 
   static void AddSecureDnsRule(MockDnsClientRuleList* rules,
@@ -3634,15 +3961,15 @@ TEST_F(HostResolverManagerDnsTest, FlushCacheOnDnsConfigChange) {
 
   // Resolve to populate the cache.
   ResolveHostResponseHelper initial_response(resolver_->CreateRequest(
-      HostPortPair("host1", 70), NetLogWithSource(), base::nullopt,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("host1", 70), NetworkIsolationKey(), NetLogWithSource(),
+      base::nullopt, request_context_.get(), host_cache_.get()));
   EXPECT_THAT(initial_response.result_error(), IsOk());
   EXPECT_EQ(1u, proc_->GetCaptureList().size());
 
   // Result expected to come from the cache.
   ResolveHostResponseHelper cached_response(resolver_->CreateRequest(
-      HostPortPair("host1", 75), NetLogWithSource(), base::nullopt,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("host1", 75), NetworkIsolationKey(), NetLogWithSource(),
+      base::nullopt, request_context_.get(), host_cache_.get()));
   EXPECT_THAT(cached_response.result_error(), IsOk());
   EXPECT_EQ(1u, proc_->GetCaptureList().size());  // No expected increase.
 
@@ -3651,8 +3978,8 @@ TEST_F(HostResolverManagerDnsTest, FlushCacheOnDnsConfigChange) {
 
   // Expect flushed from cache and therefore served from |proc_|.
   ResolveHostResponseHelper flushed_response(resolver_->CreateRequest(
-      HostPortPair("host1", 80), NetLogWithSource(), base::nullopt,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("host1", 80), NetworkIsolationKey(), NetLogWithSource(),
+      base::nullopt, request_context_.get(), host_cache_.get()));
   EXPECT_THAT(flushed_response.result_error(), IsOk());
   EXPECT_EQ(2u, proc_->GetCaptureList().size());  // Expected increase.
 }
@@ -3667,16 +3994,17 @@ TEST_F(HostResolverManagerDnsTest, DisableAndEnableInsecureDnsClient) {
 
   resolver_->SetInsecureDnsClientEnabled(false);
   ResolveHostResponseHelper response_proc(resolver_->CreateRequest(
-      HostPortPair("nx_succeed", 1212), NetLogWithSource(), base::nullopt,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("nx_succeed", 1212), NetworkIsolationKey(),
+      NetLogWithSource(), base::nullopt, request_context_.get(),
+      host_cache_.get()));
   EXPECT_THAT(response_proc.result_error(), IsOk());
   EXPECT_THAT(response_proc.request()->GetAddressResults().value().endpoints(),
               testing::ElementsAre(CreateExpected("192.168.2.47", 1212)));
 
   resolver_->SetInsecureDnsClientEnabled(true);
   ResolveHostResponseHelper response_dns_client(resolver_->CreateRequest(
-      HostPortPair("ok_fail", 1212), NetLogWithSource(), base::nullopt,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("ok_fail", 1212), NetworkIsolationKey(), NetLogWithSource(),
+      base::nullopt, request_context_.get(), host_cache_.get()));
   EXPECT_THAT(response_dns_client.result_error(), IsOk());
   EXPECT_THAT(
       response_dns_client.request()->GetAddressResults().value().endpoints(),
@@ -3694,8 +4022,9 @@ TEST_F(HostResolverManagerDnsTest, UseProcTaskWhenPrivateDnsActive) {
   config.dns_over_tls_active = true;
   ChangeDnsConfig(config);
   ResolveHostResponseHelper response_proc(resolver_->CreateRequest(
-      HostPortPair("nx_succeed", 1212), NetLogWithSource(), base::nullopt,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("nx_succeed", 1212), NetworkIsolationKey(),
+      NetLogWithSource(), base::nullopt, request_context_.get(),
+      host_cache_.get()));
   EXPECT_THAT(response_proc.result_error(), IsOk());
   EXPECT_THAT(response_proc.request()->GetAddressResults().value().endpoints(),
               testing::ElementsAre(CreateExpected("192.168.2.47", 1212)));
@@ -3710,24 +4039,25 @@ TEST_F(HostResolverManagerDnsTest, LocalhostLookup) {
   proc_->AddRuleForAllFamilies("localhost.", "192.168.1.42");
 
   ResolveHostResponseHelper response0(resolver_->CreateRequest(
-      HostPortPair("foo.localhost", 80), NetLogWithSource(), base::nullopt,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("foo.localhost", 80), NetworkIsolationKey(),
+      NetLogWithSource(), base::nullopt, request_context_.get(),
+      host_cache_.get()));
   EXPECT_THAT(response0.result_error(), IsOk());
   EXPECT_THAT(response0.request()->GetAddressResults().value().endpoints(),
               testing::UnorderedElementsAre(CreateExpected("127.0.0.1", 80),
                                             CreateExpected("::1", 80)));
 
   ResolveHostResponseHelper response1(resolver_->CreateRequest(
-      HostPortPair("localhost", 80), NetLogWithSource(), base::nullopt,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("localhost", 80), NetworkIsolationKey(), NetLogWithSource(),
+      base::nullopt, request_context_.get(), host_cache_.get()));
   EXPECT_THAT(response1.result_error(), IsOk());
   EXPECT_THAT(response1.request()->GetAddressResults().value().endpoints(),
               testing::UnorderedElementsAre(CreateExpected("127.0.0.1", 80),
                                             CreateExpected("::1", 80)));
 
   ResolveHostResponseHelper response2(resolver_->CreateRequest(
-      HostPortPair("localhost.", 80), NetLogWithSource(), base::nullopt,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("localhost.", 80), NetworkIsolationKey(), NetLogWithSource(),
+      base::nullopt, request_context_.get(), host_cache_.get()));
   EXPECT_THAT(response2.result_error(), IsOk());
   EXPECT_THAT(response2.request()->GetAddressResults().value().endpoints(),
               testing::UnorderedElementsAre(CreateExpected("127.0.0.1", 80),
@@ -3748,16 +4078,17 @@ TEST_F(HostResolverManagerDnsTest, LocalhostLookupWithHosts) {
   ChangeDnsConfig(config);
 
   ResolveHostResponseHelper response0(resolver_->CreateRequest(
-      HostPortPair("localhost", 80), NetLogWithSource(), base::nullopt,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("localhost", 80), NetworkIsolationKey(), NetLogWithSource(),
+      base::nullopt, request_context_.get(), host_cache_.get()));
   EXPECT_THAT(response0.result_error(), IsOk());
   EXPECT_THAT(response0.request()->GetAddressResults().value().endpoints(),
               testing::UnorderedElementsAre(CreateExpected("127.0.0.1", 80),
                                             CreateExpected("::1", 80)));
 
   ResolveHostResponseHelper response1(resolver_->CreateRequest(
-      HostPortPair("foo.localhost", 80), NetLogWithSource(), base::nullopt,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("foo.localhost", 80), NetworkIsolationKey(),
+      NetLogWithSource(), base::nullopt, request_context_.get(),
+      host_cache_.get()));
   EXPECT_THAT(response1.result_error(), IsOk());
   EXPECT_THAT(response1.request()->GetAddressResults().value().endpoints(),
               testing::UnorderedElementsAre(CreateExpected("127.0.0.1", 80),
@@ -3771,8 +4102,8 @@ TEST_F(HostResolverManagerDnsTest, DnsTask) {
 
   // Initially there is no config, so client should not be invoked.
   ResolveHostResponseHelper initial_response(resolver_->CreateRequest(
-      HostPortPair("ok_fail", 80), NetLogWithSource(), base::nullopt,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("ok_fail", 80), NetworkIsolationKey(), NetLogWithSource(),
+      base::nullopt, request_context_.get(), host_cache_.get()));
   EXPECT_FALSE(initial_response.complete());
 
   proc_->SignalMultiple(1u);
@@ -3782,14 +4113,14 @@ TEST_F(HostResolverManagerDnsTest, DnsTask) {
   ChangeDnsConfig(CreateValidDnsConfig());
 
   ResolveHostResponseHelper response0(resolver_->CreateRequest(
-      HostPortPair("ok_fail", 80), NetLogWithSource(), base::nullopt,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("ok_fail", 80), NetworkIsolationKey(), NetLogWithSource(),
+      base::nullopt, request_context_.get(), host_cache_.get()));
   ResolveHostResponseHelper response1(resolver_->CreateRequest(
-      HostPortPair("nx_fail", 80), NetLogWithSource(), base::nullopt,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("nx_fail", 80), NetworkIsolationKey(), NetLogWithSource(),
+      base::nullopt, request_context_.get(), host_cache_.get()));
   ResolveHostResponseHelper response2(resolver_->CreateRequest(
-      HostPortPair("nx_succeed", 80), NetLogWithSource(), base::nullopt,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("nx_succeed", 80), NetworkIsolationKey(), NetLogWithSource(),
+      base::nullopt, request_context_.get(), host_cache_.get()));
 
   proc_->SignalMultiple(4u);
 
@@ -3818,11 +4149,11 @@ TEST_F(HostResolverManagerDnsTest, NoFallbackToProcTask) {
   InvalidateDnsConfig();
   // Initially there is no config, so client should not be invoked.
   ResolveHostResponseHelper initial_response0(resolver_->CreateRequest(
-      HostPortPair("ok_fail", 80), NetLogWithSource(), base::nullopt,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("ok_fail", 80), NetworkIsolationKey(), NetLogWithSource(),
+      base::nullopt, request_context_.get(), host_cache_.get()));
   ResolveHostResponseHelper initial_response1(resolver_->CreateRequest(
-      HostPortPair("nx_succeed", 80), NetLogWithSource(), base::nullopt,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("nx_succeed", 80), NetworkIsolationKey(), NetLogWithSource(),
+      base::nullopt, request_context_.get(), host_cache_.get()));
   proc_->SignalMultiple(2u);
 
   EXPECT_THAT(initial_response0.result_error(), IsError(ERR_NAME_NOT_RESOLVED));
@@ -3836,11 +4167,11 @@ TEST_F(HostResolverManagerDnsTest, NoFallbackToProcTask) {
   // First request is resolved by MockDnsClient, others should fail due to
   // disabled fallback to ProcTask.
   ResolveHostResponseHelper response0(resolver_->CreateRequest(
-      HostPortPair("ok_fail", 80), NetLogWithSource(), base::nullopt,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("ok_fail", 80), NetworkIsolationKey(), NetLogWithSource(),
+      base::nullopt, request_context_.get(), host_cache_.get()));
   ResolveHostResponseHelper response1(resolver_->CreateRequest(
-      HostPortPair("nx_succeed", 80), NetLogWithSource(), base::nullopt,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("nx_succeed", 80), NetworkIsolationKey(), NetLogWithSource(),
+      base::nullopt, request_context_.get(), host_cache_.get()));
   proc_->SignalMultiple(6u);
 
   // Resolved by MockDnsClient.
@@ -3856,8 +4187,8 @@ TEST_F(HostResolverManagerDnsTest, NoFallbackToProcTask) {
 TEST_F(HostResolverManagerDnsTest, OnDnsTaskFailureAbortedJob) {
   ChangeDnsConfig(CreateValidDnsConfig());
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("nx_abort", 80), NetLogWithSource(), base::nullopt,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("nx_abort", 80), NetworkIsolationKey(), NetLogWithSource(),
+      base::nullopt, request_context_.get(), host_cache_.get()));
   // Abort all jobs here.
   CreateResolver();
   proc_->SignalMultiple(1u);
@@ -3870,8 +4201,8 @@ TEST_F(HostResolverManagerDnsTest, OnDnsTaskFailureAbortedJob) {
   set_allow_fallback_to_proctask(false);
   ChangeDnsConfig(CreateValidDnsConfig());
   ResolveHostResponseHelper no_fallback_response(resolver_->CreateRequest(
-      HostPortPair("nx_abort", 80), NetLogWithSource(), base::nullopt,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("nx_abort", 80), NetworkIsolationKey(), NetLogWithSource(),
+      base::nullopt, request_context_.get(), host_cache_.get()));
   // Abort all jobs here.
   CreateResolver();
   proc_->SignalMultiple(2u);
@@ -3892,11 +4223,11 @@ TEST_F(HostResolverManagerDnsTest, FallbackBySource_Any) {
   ChangeDnsConfig(CreateValidDnsConfig());
 
   ResolveHostResponseHelper response0(resolver_->CreateRequest(
-      HostPortPair("nx_fail", 80), NetLogWithSource(), base::nullopt,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("nx_fail", 80), NetworkIsolationKey(), NetLogWithSource(),
+      base::nullopt, request_context_.get(), host_cache_.get()));
   ResolveHostResponseHelper response1(resolver_->CreateRequest(
-      HostPortPair("nx_succeed", 80), NetLogWithSource(), base::nullopt,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("nx_succeed", 80), NetworkIsolationKey(), NetLogWithSource(),
+      base::nullopt, request_context_.get(), host_cache_.get()));
   proc_->SignalMultiple(2u);
 
   EXPECT_THAT(response0.result_error(), IsError(ERR_NAME_NOT_RESOLVED));
@@ -3918,11 +4249,11 @@ TEST_F(HostResolverManagerDnsTest, FallbackBySource_Dns) {
   HostResolver::ResolveHostParameters parameters;
   parameters.source = HostResolverSource::DNS;
   ResolveHostResponseHelper response0(resolver_->CreateRequest(
-      HostPortPair("nx_fail", 80), NetLogWithSource(), parameters,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("nx_fail", 80), NetworkIsolationKey(), NetLogWithSource(),
+      parameters, request_context_.get(), host_cache_.get()));
   ResolveHostResponseHelper response1(resolver_->CreateRequest(
-      HostPortPair("nx_succeed", 80), NetLogWithSource(), parameters,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("nx_succeed", 80), NetworkIsolationKey(), NetLogWithSource(),
+      parameters, request_context_.get(), host_cache_.get()));
   // Nothing should reach |proc_| on success, but let failures through to fail
   // instead of hanging.
   proc_->SignalMultiple(2u);
@@ -3942,11 +4273,11 @@ TEST_F(HostResolverManagerDnsTest, FallbackOnAbortBySource_Any) {
   ChangeDnsConfig(CreateValidDnsConfig());
 
   ResolveHostResponseHelper response0(resolver_->CreateRequest(
-      HostPortPair("ok_fail", 80), NetLogWithSource(), base::nullopt,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("ok_fail", 80), NetworkIsolationKey(), NetLogWithSource(),
+      base::nullopt, request_context_.get(), host_cache_.get()));
   ResolveHostResponseHelper response1(resolver_->CreateRequest(
-      HostPortPair("nx_succeed", 80), NetLogWithSource(), base::nullopt,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("nx_succeed", 80), NetworkIsolationKey(), NetLogWithSource(),
+      base::nullopt, request_context_.get(), host_cache_.get()));
   proc_->SignalMultiple(2u);
 
   // Simulate the case when the preference or policy has disabled the insecure
@@ -3973,11 +4304,11 @@ TEST_F(HostResolverManagerDnsTest, FallbackOnAbortBySource_Dns) {
   HostResolver::ResolveHostParameters parameters;
   parameters.source = HostResolverSource::DNS;
   ResolveHostResponseHelper response0(resolver_->CreateRequest(
-      HostPortPair("ok_fail", 80), NetLogWithSource(), parameters,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("ok_fail", 80), NetworkIsolationKey(), NetLogWithSource(),
+      parameters, request_context_.get(), host_cache_.get()));
   ResolveHostResponseHelper response1(resolver_->CreateRequest(
-      HostPortPair("nx_succeed", 80), NetLogWithSource(), parameters,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("nx_succeed", 80), NetworkIsolationKey(), NetLogWithSource(),
+      parameters, request_context_.get(), host_cache_.get()));
   // Nothing should reach |proc_| on success, but let failures through to fail
   // instead of hanging.
   proc_->SignalMultiple(2u);
@@ -4006,8 +4337,8 @@ TEST_F(HostResolverManagerDnsTest,
   secure_parameters.secure_dns_mode_override =
       DnsConfig::SecureDnsMode::AUTOMATIC;
   ResolveHostResponseHelper response_secure(resolver_->CreateRequest(
-      HostPortPair("automatic", 80), NetLogWithSource(), secure_parameters,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("automatic", 80), NetworkIsolationKey(), NetLogWithSource(),
+      secure_parameters, request_context_.get(), host_cache_.get()));
   EXPECT_FALSE(response_secure.complete());
 
   // Simulate the case when the preference or policy has disabled the insecure
@@ -4030,20 +4361,20 @@ TEST_F(HostResolverManagerDnsTest, DnsTaskUnspec) {
   std::vector<std::unique_ptr<ResolveHostResponseHelper>> responses;
   responses.emplace_back(
       std::make_unique<ResolveHostResponseHelper>(resolver_->CreateRequest(
-          HostPortPair("ok", 80), NetLogWithSource(), base::nullopt,
-          request_context_.get(), host_cache_.get())));
+          HostPortPair("ok", 80), NetworkIsolationKey(), NetLogWithSource(),
+          base::nullopt, request_context_.get(), host_cache_.get())));
   responses.emplace_back(
       std::make_unique<ResolveHostResponseHelper>(resolver_->CreateRequest(
-          HostPortPair("4ok", 80), NetLogWithSource(), base::nullopt,
-          request_context_.get(), host_cache_.get())));
+          HostPortPair("4ok", 80), NetworkIsolationKey(), NetLogWithSource(),
+          base::nullopt, request_context_.get(), host_cache_.get())));
   responses.emplace_back(
       std::make_unique<ResolveHostResponseHelper>(resolver_->CreateRequest(
-          HostPortPair("6ok", 80), NetLogWithSource(), base::nullopt,
-          request_context_.get(), host_cache_.get())));
+          HostPortPair("6ok", 80), NetworkIsolationKey(), NetLogWithSource(),
+          base::nullopt, request_context_.get(), host_cache_.get())));
   responses.emplace_back(
       std::make_unique<ResolveHostResponseHelper>(resolver_->CreateRequest(
-          HostPortPair("4nx", 80), NetLogWithSource(), base::nullopt,
-          request_context_.get(), host_cache_.get())));
+          HostPortPair("4nx", 80), NetworkIsolationKey(), NetLogWithSource(),
+          base::nullopt, request_context_.get(), host_cache_.get())));
 
   proc_->SignalMultiple(4u);
 
@@ -4068,8 +4399,8 @@ TEST_F(HostResolverManagerDnsTest, NameCollisionIcann) {
   // When the resolver returns an A record with 127.0.53.53 it should be
   // mapped to a special error.
   ResolveHostResponseHelper response_ipv4(resolver_->CreateRequest(
-      HostPortPair("4collision", 80), NetLogWithSource(), base::nullopt,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("4collision", 80), NetworkIsolationKey(), NetLogWithSource(),
+      base::nullopt, request_context_.get(), host_cache_.get()));
   EXPECT_THAT(response_ipv4.result_error(), IsError(ERR_ICANN_NAME_COLLISION));
   EXPECT_FALSE(response_ipv4.request()->GetAddressResults());
 
@@ -4077,8 +4408,8 @@ TEST_F(HostResolverManagerDnsTest, NameCollisionIcann) {
   // work just like any other IP. (Despite having the same suffix, it is not
   // considered special)
   ResolveHostResponseHelper response_ipv6(resolver_->CreateRequest(
-      HostPortPair("6collision", 80), NetLogWithSource(), base::nullopt,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("6collision", 80), NetworkIsolationKey(), NetLogWithSource(),
+      base::nullopt, request_context_.get(), host_cache_.get()));
   EXPECT_THAT(response_ipv6.result_error(), IsOk());
   EXPECT_THAT(response_ipv6.request()->GetAddressResults().value().endpoints(),
               testing::ElementsAre(CreateExpected("::127.0.53.53", 80)));
@@ -4094,8 +4425,8 @@ TEST_F(HostResolverManagerDnsTest, ServeFromHosts) {
   proc_->SignalMultiple(1u);  // For the first request which misses.
 
   ResolveHostResponseHelper initial_response(resolver_->CreateRequest(
-      HostPortPair("nx_ipv4", 80), NetLogWithSource(), base::nullopt,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("nx_ipv4", 80), NetworkIsolationKey(), NetLogWithSource(),
+      base::nullopt, request_context_.get(), host_cache_.get()));
   EXPECT_THAT(initial_response.result_error(), IsError(ERR_NAME_NOT_RESOLVED));
 
   IPAddress local_ipv4 = IPAddress::IPv4Localhost();
@@ -4112,22 +4443,22 @@ TEST_F(HostResolverManagerDnsTest, ServeFromHosts) {
   ChangeDnsConfig(config);
 
   ResolveHostResponseHelper response_ipv4(resolver_->CreateRequest(
-      HostPortPair("nx_ipv4", 80), NetLogWithSource(), base::nullopt,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("nx_ipv4", 80), NetworkIsolationKey(), NetLogWithSource(),
+      base::nullopt, request_context_.get(), host_cache_.get()));
   EXPECT_THAT(response_ipv4.result_error(), IsOk());
   EXPECT_THAT(response_ipv4.request()->GetAddressResults().value().endpoints(),
               testing::ElementsAre(CreateExpected("127.0.0.1", 80)));
 
   ResolveHostResponseHelper response_ipv6(resolver_->CreateRequest(
-      HostPortPair("nx_ipv6", 80), NetLogWithSource(), base::nullopt,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("nx_ipv6", 80), NetworkIsolationKey(), NetLogWithSource(),
+      base::nullopt, request_context_.get(), host_cache_.get()));
   EXPECT_THAT(response_ipv6.result_error(), IsOk());
   EXPECT_THAT(response_ipv6.request()->GetAddressResults().value().endpoints(),
               testing::ElementsAre(CreateExpected("::1", 80)));
 
   ResolveHostResponseHelper response_both(resolver_->CreateRequest(
-      HostPortPair("nx_both", 80), NetLogWithSource(), base::nullopt,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("nx_both", 80), NetworkIsolationKey(), NetLogWithSource(),
+      base::nullopt, request_context_.get(), host_cache_.get()));
   EXPECT_THAT(response_both.result_error(), IsOk());
   EXPECT_THAT(response_both.request()->GetAddressResults().value().endpoints(),
               testing::UnorderedElementsAre(CreateExpected("127.0.0.1", 80),
@@ -4138,8 +4469,8 @@ TEST_F(HostResolverManagerDnsTest, ServeFromHosts) {
 
   parameters.dns_query_type = DnsQueryType::A;
   ResolveHostResponseHelper response_specified_ipv4(resolver_->CreateRequest(
-      HostPortPair("nx_ipv4", 80), NetLogWithSource(), parameters,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("nx_ipv4", 80), NetworkIsolationKey(), NetLogWithSource(),
+      parameters, request_context_.get(), host_cache_.get()));
   EXPECT_THAT(response_specified_ipv4.result_error(), IsOk());
   EXPECT_THAT(response_specified_ipv4.request()
                   ->GetAddressResults()
@@ -4149,8 +4480,8 @@ TEST_F(HostResolverManagerDnsTest, ServeFromHosts) {
 
   parameters.dns_query_type = DnsQueryType::AAAA;
   ResolveHostResponseHelper response_specified_ipv6(resolver_->CreateRequest(
-      HostPortPair("nx_ipv6", 80), NetLogWithSource(), parameters,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("nx_ipv6", 80), NetworkIsolationKey(), NetLogWithSource(),
+      parameters, request_context_.get(), host_cache_.get()));
   EXPECT_THAT(response_specified_ipv6.result_error(), IsOk());
   EXPECT_THAT(response_specified_ipv6.request()
                   ->GetAddressResults()
@@ -4160,8 +4491,8 @@ TEST_F(HostResolverManagerDnsTest, ServeFromHosts) {
 
   // Request with upper case.
   ResolveHostResponseHelper response_upper(resolver_->CreateRequest(
-      HostPortPair("nx_IPV4", 80), NetLogWithSource(), base::nullopt,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("nx_IPV4", 80), NetworkIsolationKey(), NetLogWithSource(),
+      base::nullopt, request_context_.get(), host_cache_.get()));
   EXPECT_THAT(response_upper.result_error(), IsOk());
   EXPECT_THAT(response_upper.request()->GetAddressResults().value().endpoints(),
               testing::ElementsAre(CreateExpected("127.0.0.1", 80)));
@@ -4184,8 +4515,8 @@ TEST_F(HostResolverManagerDnsTest, SkipHostsWithUpcomingProcTask) {
   ChangeDnsConfig(config);
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("hosts", 80), NetLogWithSource(), base::nullopt,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("hosts", 80), NetworkIsolationKey(), NetLogWithSource(),
+      base::nullopt, request_context_.get(), host_cache_.get()));
   EXPECT_THAT(response.result_error(), IsError(ERR_NAME_NOT_RESOLVED));
 }
 
@@ -4201,24 +4532,28 @@ TEST_F(HostResolverManagerDnsTest, BypassDnsTask) {
 
   responses.emplace_back(
       std::make_unique<ResolveHostResponseHelper>(resolver_->CreateRequest(
-          HostPortPair("ok.local", 80), NetLogWithSource(), base::nullopt,
-          request_context_.get(), host_cache_.get())));
+          HostPortPair("ok.local", 80), NetworkIsolationKey(),
+          NetLogWithSource(), base::nullopt, request_context_.get(),
+          host_cache_.get())));
   responses.emplace_back(
       std::make_unique<ResolveHostResponseHelper>(resolver_->CreateRequest(
-          HostPortPair("ok.local.", 80), NetLogWithSource(), base::nullopt,
-          request_context_.get(), host_cache_.get())));
+          HostPortPair("ok.local.", 80), NetworkIsolationKey(),
+          NetLogWithSource(), base::nullopt, request_context_.get(),
+          host_cache_.get())));
   responses.emplace_back(
       std::make_unique<ResolveHostResponseHelper>(resolver_->CreateRequest(
-          HostPortPair("oklocal", 80), NetLogWithSource(), base::nullopt,
-          request_context_.get(), host_cache_.get())));
+          HostPortPair("oklocal", 80), NetworkIsolationKey(),
+          NetLogWithSource(), base::nullopt, request_context_.get(),
+          host_cache_.get())));
   responses.emplace_back(
       std::make_unique<ResolveHostResponseHelper>(resolver_->CreateRequest(
-          HostPortPair("oklocal.", 80), NetLogWithSource(), base::nullopt,
-          request_context_.get(), host_cache_.get())));
+          HostPortPair("oklocal.", 80), NetworkIsolationKey(),
+          NetLogWithSource(), base::nullopt, request_context_.get(),
+          host_cache_.get())));
   responses.emplace_back(
       std::make_unique<ResolveHostResponseHelper>(resolver_->CreateRequest(
-          HostPortPair("ok", 80), NetLogWithSource(), base::nullopt,
-          request_context_.get(), host_cache_.get())));
+          HostPortPair("ok", 80), NetworkIsolationKey(), NetLogWithSource(),
+          base::nullopt, request_context_.get(), host_cache_.get())));
 
   proc_->SignalMultiple(5u);
 
@@ -4252,8 +4587,9 @@ TEST_F(HostResolverManagerDnsTest, BypassDnsToMdnsWithNonAddress) {
   dns_parameters.dns_query_type = DnsQueryType::TXT;
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("myhello.local", 80), NetLogWithSource(), dns_parameters,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("myhello.local", 80), NetworkIsolationKey(),
+      NetLogWithSource(), dns_parameters, request_context_.get(),
+      host_cache_.get()));
 
   socket_factory_ptr->SimulateReceive(kMdnsResponseTxt,
                                       sizeof(kMdnsResponseTxt));
@@ -4276,14 +4612,14 @@ TEST_F(HostResolverManagerDnsTest, DnsNotBypassedWhenDnsSource) {
   dns_parameters.source = HostResolverSource::DNS;
 
   ResolveHostResponseHelper dns_response(resolver_->CreateRequest(
-      HostPortPair("ok", 80), NetLogWithSource(), dns_parameters,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("ok", 80), NetworkIsolationKey(), NetLogWithSource(),
+      dns_parameters, request_context_.get(), host_cache_.get()));
   ResolveHostResponseHelper dns_local_response(resolver_->CreateRequest(
-      HostPortPair("ok.local", 80), NetLogWithSource(), dns_parameters,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("ok.local", 80), NetworkIsolationKey(), NetLogWithSource(),
+      dns_parameters, request_context_.get(), host_cache_.get()));
   ResolveHostResponseHelper normal_local_response(resolver_->CreateRequest(
-      HostPortPair("ok.local", 80), NetLogWithSource(), base::nullopt,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("ok.local", 80), NetworkIsolationKey(), NetLogWithSource(),
+      base::nullopt, request_context_.get(), host_cache_.get()));
 
   proc_->SignalMultiple(3u);
 
@@ -4299,14 +4635,14 @@ TEST_F(HostResolverManagerDnsTest, SystemOnlyBypassesDnsTask) {
   proc_->AddRuleForAllFamilies(std::string(), std::string());
 
   ResolveHostResponseHelper dns_response(resolver_->CreateRequest(
-      HostPortPair("ok", 80), NetLogWithSource(), base::nullopt,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("ok", 80), NetworkIsolationKey(), NetLogWithSource(),
+      base::nullopt, request_context_.get(), host_cache_.get()));
 
   HostResolver::ResolveHostParameters parameters;
   parameters.source = HostResolverSource::SYSTEM;
   ResolveHostResponseHelper system_response(resolver_->CreateRequest(
-      HostPortPair("ok", 80), NetLogWithSource(), parameters,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("ok", 80), NetworkIsolationKey(), NetLogWithSource(),
+      parameters, request_context_.get(), host_cache_.get()));
 
   proc_->SignalMultiple(2u);
 
@@ -4323,8 +4659,8 @@ TEST_F(HostResolverManagerDnsTest,
 
   // Check that DnsTask works.
   ResolveHostResponseHelper initial_response(resolver_->CreateRequest(
-      HostPortPair("ok_1", 80), NetLogWithSource(), base::nullopt,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("ok_1", 80), NetworkIsolationKey(), NetLogWithSource(),
+      base::nullopt, request_context_.get(), host_cache_.get()));
   EXPECT_THAT(initial_response.result_error(), IsOk());
 
   std::vector<std::unique_ptr<ResolveHostResponseHelper>> responses;
@@ -4335,8 +4671,9 @@ TEST_F(HostResolverManagerDnsTest,
     proc_->AddRuleForAllFamilies(hostname, "192.168.1.101");
     responses.emplace_back(
         std::make_unique<ResolveHostResponseHelper>(resolver_->CreateRequest(
-            HostPortPair(hostname, 80), NetLogWithSource(), base::nullopt,
-            request_context_.get(), host_cache_.get())));
+            HostPortPair(hostname, 80), NetworkIsolationKey(),
+            NetLogWithSource(), base::nullopt, request_context_.get(),
+            host_cache_.get())));
   }
 
   proc_->SignalMultiple(responses.size());
@@ -4349,13 +4686,13 @@ TEST_F(HostResolverManagerDnsTest,
   // Insecure DnsTasks should be disabled by now unless explicitly requested via
   // |source|.
   ResolveHostResponseHelper fail_response(resolver_->CreateRequest(
-      HostPortPair("ok_2", 80), NetLogWithSource(), base::nullopt,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("ok_2", 80), NetworkIsolationKey(), NetLogWithSource(),
+      base::nullopt, request_context_.get(), host_cache_.get()));
   HostResolver::ResolveHostParameters parameters;
   parameters.source = HostResolverSource::DNS;
   ResolveHostResponseHelper dns_response(resolver_->CreateRequest(
-      HostPortPair("ok_2", 80), NetLogWithSource(), parameters,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("ok_2", 80), NetworkIsolationKey(), NetLogWithSource(),
+      parameters, request_context_.get(), host_cache_.get()));
   proc_->SignalMultiple(2u);
   EXPECT_THAT(fail_response.result_error(), IsError(ERR_NAME_NOT_RESOLVED));
   EXPECT_THAT(dns_response.result_error(), IsOk());
@@ -4365,15 +4702,15 @@ TEST_F(HostResolverManagerDnsTest,
   secure_parameters.secure_dns_mode_override =
       DnsConfig::SecureDnsMode::AUTOMATIC;
   ResolveHostResponseHelper secure_response(resolver_->CreateRequest(
-      HostPortPair("automatic", 80), NetLogWithSource(), secure_parameters,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("automatic", 80), NetworkIsolationKey(), NetLogWithSource(),
+      secure_parameters, request_context_.get(), host_cache_.get()));
   EXPECT_THAT(secure_response.result_error(), IsOk());
 
   // Check that it is re-enabled after DNS change.
   ChangeDnsConfig(CreateValidDnsConfig());
   ResolveHostResponseHelper reenabled_response(resolver_->CreateRequest(
-      HostPortPair("ok_3", 80), NetLogWithSource(), base::nullopt,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("ok_3", 80), NetworkIsolationKey(), NetLogWithSource(),
+      base::nullopt, request_context_.get(), host_cache_.get()));
   EXPECT_THAT(reenabled_response.result_error(), IsOk());
 }
 
@@ -4390,8 +4727,9 @@ TEST_F(HostResolverManagerDnsTest, DontDisableDnsClientOnSporadicFailure) {
                                         : base::StringPrintf("ok_%u", i);
     responses.emplace_back(
         std::make_unique<ResolveHostResponseHelper>(resolver_->CreateRequest(
-            HostPortPair(hostname, 80), NetLogWithSource(), base::nullopt,
-            request_context_.get(), host_cache_.get())));
+            HostPortPair(hostname, 80), NetworkIsolationKey(),
+            NetLogWithSource(), base::nullopt, request_context_.get(),
+            host_cache_.get())));
   }
 
   proc_->SignalMultiple(40u);
@@ -4404,8 +4742,8 @@ TEST_F(HostResolverManagerDnsTest, DontDisableDnsClientOnSporadicFailure) {
 
   // DnsTask should still be enabled.
   ResolveHostResponseHelper final_response(resolver_->CreateRequest(
-      HostPortPair("ok_last", 80), NetLogWithSource(), base::nullopt,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("ok_last", 80), NetworkIsolationKey(), NetLogWithSource(),
+      base::nullopt, request_context_.get(), host_cache_.get()));
   EXPECT_THAT(final_response.result_error(), IsOk());
 }
 
@@ -4416,8 +4754,8 @@ TEST_F(HostResolverManagerDnsTest, Ipv6Unreachable) {
   ChangeDnsConfig(CreateValidDnsConfig());
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("ok", 500), NetLogWithSource(), base::nullopt,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("ok", 500), NetworkIsolationKey(), NetLogWithSource(),
+      base::nullopt, request_context_.get(), host_cache_.get()));
   EXPECT_THAT(response.result_error(), IsOk());
 
   // Only expect IPv4 results.
@@ -4435,8 +4773,9 @@ TEST_F(HostResolverManagerDnsTest, Ipv6Unreachable_InvalidConfig) {
   proc_->SignalMultiple(1u);
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("example.com", 500), NetLogWithSource(), base::nullopt,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("example.com", 500), NetworkIsolationKey(),
+      NetLogWithSource(), base::nullopt, request_context_.get(),
+      host_cache_.get()));
   EXPECT_THAT(response.result_error(), IsOk());
   EXPECT_THAT(response.request()->GetAddressResults().value().endpoints(),
               testing::UnorderedElementsAre(CreateExpected("1.2.3.4", 500),
@@ -4453,8 +4792,8 @@ TEST_F(HostResolverManagerDnsTest, Ipv6Unreachable_UseLocalIpv6) {
   ChangeDnsConfig(config);
 
   ResolveHostResponseHelper response1(resolver_->CreateRequest(
-      HostPortPair("ok", 500), NetLogWithSource(), base::nullopt,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("ok", 500), NetworkIsolationKey(), NetLogWithSource(),
+      base::nullopt, request_context_.get(), host_cache_.get()));
   EXPECT_THAT(response1.result_error(), IsOk());
   EXPECT_THAT(response1.request()->GetAddressResults().value().endpoints(),
               testing::UnorderedElementsAre(CreateExpected("127.0.0.1", 500),
@@ -4465,8 +4804,8 @@ TEST_F(HostResolverManagerDnsTest, Ipv6Unreachable_UseLocalIpv6) {
   ChangeDnsConfig(config);
 
   ResolveHostResponseHelper response2(resolver_->CreateRequest(
-      HostPortPair("ok", 500), NetLogWithSource(), base::nullopt,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("ok", 500), NetworkIsolationKey(), NetLogWithSource(),
+      base::nullopt, request_context_.get(), host_cache_.get()));
   EXPECT_THAT(response2.result_error(), IsOk());
   EXPECT_THAT(response2.request()->GetAddressResults().value().endpoints(),
               testing::UnorderedElementsAre(CreateExpected("127.0.0.1", 500)));
@@ -4486,8 +4825,8 @@ TEST_F(HostResolverManagerDnsTest, Ipv6Unreachable_Localhost) {
   // Try without DnsClient.
   resolver_->SetInsecureDnsClientEnabled(false);
   ResolveHostResponseHelper system_response(resolver_->CreateRequest(
-      HostPortPair("localhost", 80), NetLogWithSource(), base::nullopt,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("localhost", 80), NetworkIsolationKey(), NetLogWithSource(),
+      base::nullopt, request_context_.get(), host_cache_.get()));
   EXPECT_THAT(system_response.result_error(), IsOk());
   EXPECT_THAT(
       system_response.request()->GetAddressResults().value().endpoints(),
@@ -4497,8 +4836,8 @@ TEST_F(HostResolverManagerDnsTest, Ipv6Unreachable_Localhost) {
   // With DnsClient
   UseMockDnsClient(CreateValidDnsConfig(), CreateDefaultDnsRules());
   ResolveHostResponseHelper builtin_response(resolver_->CreateRequest(
-      HostPortPair("localhost", 80), NetLogWithSource(), base::nullopt,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("localhost", 80), NetworkIsolationKey(), NetLogWithSource(),
+      base::nullopt, request_context_.get(), host_cache_.get()));
   EXPECT_THAT(builtin_response.result_error(), IsOk());
   EXPECT_THAT(
       builtin_response.request()->GetAddressResults().value().endpoints(),
@@ -4511,8 +4850,8 @@ TEST_F(HostResolverManagerDnsTest, Ipv6Unreachable_Localhost) {
   config.use_local_ipv6 = false;
   ChangeDnsConfig(config);
   ResolveHostResponseHelper ipv6_disabled_response(resolver_->CreateRequest(
-      HostPortPair("localhost", 80), NetLogWithSource(), base::nullopt,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("localhost", 80), NetworkIsolationKey(), NetLogWithSource(),
+      base::nullopt, request_context_.get(), host_cache_.get()));
   EXPECT_THAT(ipv6_disabled_response.result_error(), IsOk());
   EXPECT_THAT(
       ipv6_disabled_response.request()->GetAddressResults().value().endpoints(),
@@ -4546,21 +4885,22 @@ TEST_F(HostResolverManagerDnsTest, SeparateJobsBySecureDnsMode) {
   parameters_secure_override.secure_dns_mode_override =
       DnsConfig::SecureDnsMode::SECURE;
   ResolveHostResponseHelper secure_response(resolver_->CreateRequest(
-      HostPortPair("a", 80), NetLogWithSource(), parameters_secure_override,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("a", 80), NetworkIsolationKey(), NetLogWithSource(),
+      parameters_secure_override, request_context_.get(), host_cache_.get()));
   EXPECT_EQ(1u, resolver_->num_jobs_for_testing());
 
   ResolveHostResponseHelper automatic_response0(resolver_->CreateRequest(
-      HostPortPair("a", 80), NetLogWithSource(), base::nullopt,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("a", 80), NetworkIsolationKey(), NetLogWithSource(),
+      base::nullopt, request_context_.get(), host_cache_.get()));
   EXPECT_EQ(2u, resolver_->num_jobs_for_testing());
 
   HostResolver::ResolveHostParameters parameters_automatic_override;
   parameters_automatic_override.secure_dns_mode_override =
       DnsConfig::SecureDnsMode::AUTOMATIC;
   ResolveHostResponseHelper automatic_response1(resolver_->CreateRequest(
-      HostPortPair("a", 80), NetLogWithSource(), parameters_automatic_override,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("a", 80), NetworkIsolationKey(), NetLogWithSource(),
+      parameters_automatic_override, request_context_.get(),
+      host_cache_.get()));
   // The AUTOMATIC mode requests should be joined into the same job.
   EXPECT_EQ(2u, resolver_->num_jobs_for_testing());
 
@@ -4588,8 +4928,8 @@ TEST_F(HostResolverManagerDnsTest, CancelWithOneTransactionActive) {
   ChangeDnsConfig(config);
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("ok", 80), NetLogWithSource(), base::nullopt,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("ok", 80), NetworkIsolationKey(), NetLogWithSource(),
+      base::nullopt, request_context_.get(), host_cache_.get()));
   ASSERT_FALSE(response.complete());
   ASSERT_EQ(1u, num_running_dispatcher_jobs());
 
@@ -4606,8 +4946,8 @@ TEST_F(HostResolverManagerDnsTest, CancelWithOneTransactionActiveOnePending) {
   ChangeDnsConfig(CreateValidDnsConfig());
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("ok", 80), NetLogWithSource(), base::nullopt,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("ok", 80), NetworkIsolationKey(), NetLogWithSource(),
+      base::nullopt, request_context_.get(), host_cache_.get()));
   EXPECT_EQ(1u, num_running_dispatcher_jobs());
 
   response.CancelRequest();
@@ -4622,8 +4962,8 @@ TEST_F(HostResolverManagerDnsTest, CancelWithTwoTransactionsActive) {
   ChangeDnsConfig(CreateValidDnsConfig());
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("ok", 80), NetLogWithSource(), base::nullopt,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("ok", 80), NetworkIsolationKey(), NetLogWithSource(),
+      base::nullopt, request_context_.get(), host_cache_.get()));
   EXPECT_EQ(2u, num_running_dispatcher_jobs());
 
   response.CancelRequest();
@@ -4648,8 +4988,9 @@ TEST_F(HostResolverManagerDnsTest, DeleteWithActiveTransactions) {
     std::string hostname = base::StringPrintf("ok%i", i);
     responses.emplace_back(
         std::make_unique<ResolveHostResponseHelper>(resolver_->CreateRequest(
-            HostPortPair(hostname, 80), NetLogWithSource(), base::nullopt,
-            request_context_.get(), host_cache_.get())));
+            HostPortPair(hostname, 80), NetworkIsolationKey(),
+            NetLogWithSource(), base::nullopt, request_context_.get(),
+            host_cache_.get())));
   }
   EXPECT_EQ(10u, num_running_dispatcher_jobs());
 
@@ -4668,8 +5009,8 @@ TEST_F(HostResolverManagerDnsTest, DeleteWithSecureTransactions) {
   resolver_->SetDnsConfigOverrides(overrides);
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("secure", 80), NetLogWithSource(), base::nullopt,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("secure", 80), NetworkIsolationKey(), NetLogWithSource(),
+      base::nullopt, request_context_.get(), host_cache_.get()));
 
   DestroyResolver();
 
@@ -4681,8 +5022,8 @@ TEST_F(HostResolverManagerDnsTest, DeleteWithCompletedRequests) {
   ChangeDnsConfig(CreateValidDnsConfig());
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("ok", 80), NetLogWithSource(), base::nullopt,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("ok", 80), NetworkIsolationKey(), NetLogWithSource(),
+      base::nullopt, request_context_.get(), host_cache_.get()));
 
   EXPECT_THAT(response.result_error(), IsOk());
   EXPECT_THAT(response.request()->GetAddressResults().value().endpoints(),
@@ -4701,8 +5042,8 @@ TEST_F(HostResolverManagerDnsTest, ExplicitCancel) {
   ChangeDnsConfig(CreateValidDnsConfig());
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("4slow_4ok", 80), NetLogWithSource(), base::nullopt,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("4slow_4ok", 80), NetworkIsolationKey(), NetLogWithSource(),
+      base::nullopt, request_context_.get(), host_cache_.get()));
 
   response.request()->Cancel();
   dns_client_->CompleteDelayedTransactions();
@@ -4711,12 +5052,23 @@ TEST_F(HostResolverManagerDnsTest, ExplicitCancel) {
   EXPECT_FALSE(response.complete());
 }
 
+TEST_F(HostResolverManagerDnsTest, ExplicitCancel_AfterManagerDestruction) {
+  ChangeDnsConfig(CreateValidDnsConfig());
+
+  ResolveHostResponseHelper response(resolver_->CreateRequest(
+      HostPortPair("4slow_4ok", 80), NetworkIsolationKey(), NetLogWithSource(),
+      base::nullopt, request_context_.get(), host_cache_.get()));
+
+  DestroyResolver();
+  response.request()->Cancel();
+}
+
 TEST_F(HostResolverManagerDnsTest, ExplicitCancel_Completed) {
   ChangeDnsConfig(CreateValidDnsConfig());
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("ok", 80), NetLogWithSource(), base::nullopt,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("ok", 80), NetworkIsolationKey(), NetLogWithSource(),
+      base::nullopt, request_context_.get(), host_cache_.get()));
 
   EXPECT_THAT(response.result_error(), IsOk());
   EXPECT_THAT(response.request()->GetAddressResults().value().endpoints(),
@@ -4736,8 +5088,8 @@ TEST_F(HostResolverManagerDnsTest, CancelWithIPv6TransactionActive) {
   ChangeDnsConfig(CreateValidDnsConfig());
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("6slow_ok", 80), NetLogWithSource(), base::nullopt,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("6slow_ok", 80), NetworkIsolationKey(), NetLogWithSource(),
+      base::nullopt, request_context_.get(), host_cache_.get()));
   EXPECT_EQ(2u, num_running_dispatcher_jobs());
 
   // The IPv4 request should complete, the IPv6 request is still pending.
@@ -4757,8 +5109,8 @@ TEST_F(HostResolverManagerDnsTest, CancelWithIPv4TransactionPending) {
   ChangeDnsConfig(CreateValidDnsConfig());
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("4slow_ok", 80), NetLogWithSource(), base::nullopt,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("4slow_ok", 80), NetworkIsolationKey(), NetLogWithSource(),
+      base::nullopt, request_context_.get(), host_cache_.get()));
   EXPECT_EQ(2u, num_running_dispatcher_jobs());
 
   // The IPv6 request should complete, the IPv4 request is still pending.
@@ -4796,8 +5148,8 @@ TEST_F(HostResolverManagerDnsTest, CancelWithAutomaticModeTransactionPending) {
 
   ResolveHostResponseHelper response0(resolver_->CreateRequest(
       HostPortPair("secure_6slow_6nx_insecure_6slow_ok", 80),
-      NetLogWithSource(), base::nullopt, request_context_.get(),
-      host_cache_.get()));
+      NetworkIsolationKey(), NetLogWithSource(), base::nullopt,
+      request_context_.get(), host_cache_.get()));
   EXPECT_EQ(0u, num_running_dispatcher_jobs());
 
   // The secure IPv4 request should complete, the secure IPv6 request is still
@@ -4812,8 +5164,8 @@ TEST_F(HostResolverManagerDnsTest, CancelWithAutomaticModeTransactionPending) {
 
   ResolveHostResponseHelper response1(resolver_->CreateRequest(
       HostPortPair("secure_6slow_6nx_insecure_6slow_ok", 80),
-      NetLogWithSource(), base::nullopt, request_context_.get(),
-      host_cache_.get()));
+      NetworkIsolationKey(), NetLogWithSource(), base::nullopt,
+      request_context_.get(), host_cache_.get()));
   EXPECT_EQ(0u, num_running_dispatcher_jobs());
 
   // The secure IPv4 request should complete, the secure IPv6 request is still
@@ -4845,20 +5197,24 @@ TEST_F(HostResolverManagerDnsTest, AAAACompletesFirst) {
   std::vector<std::unique_ptr<ResolveHostResponseHelper>> responses;
   responses.emplace_back(
       std::make_unique<ResolveHostResponseHelper>(resolver_->CreateRequest(
-          HostPortPair("4slow_ok", 80), NetLogWithSource(), base::nullopt,
-          request_context_.get(), host_cache_.get())));
+          HostPortPair("4slow_ok", 80), NetworkIsolationKey(),
+          NetLogWithSource(), base::nullopt, request_context_.get(),
+          host_cache_.get())));
   responses.emplace_back(
       std::make_unique<ResolveHostResponseHelper>(resolver_->CreateRequest(
-          HostPortPair("4slow_4ok", 80), NetLogWithSource(), base::nullopt,
-          request_context_.get(), host_cache_.get())));
+          HostPortPair("4slow_4ok", 80), NetworkIsolationKey(),
+          NetLogWithSource(), base::nullopt, request_context_.get(),
+          host_cache_.get())));
   responses.emplace_back(
       std::make_unique<ResolveHostResponseHelper>(resolver_->CreateRequest(
-          HostPortPair("4slow_4timeout", 80), NetLogWithSource(), base::nullopt,
-          request_context_.get(), host_cache_.get())));
+          HostPortPair("4slow_4timeout", 80), NetworkIsolationKey(),
+          NetLogWithSource(), base::nullopt, request_context_.get(),
+          host_cache_.get())));
   responses.emplace_back(
       std::make_unique<ResolveHostResponseHelper>(resolver_->CreateRequest(
-          HostPortPair("4slow_6timeout", 80), NetLogWithSource(), base::nullopt,
-          request_context_.get(), host_cache_.get())));
+          HostPortPair("4slow_6timeout", 80), NetworkIsolationKey(),
+          NetLogWithSource(), base::nullopt, request_context_.get(),
+          host_cache_.get())));
 
   base::RunLoop().RunUntilIdle();
   EXPECT_FALSE(responses[0]->complete());
@@ -4906,8 +5262,9 @@ TEST_F(HostResolverManagerDnsTest, AAAACompletesFirst_AutomaticMode) {
   resolver_->SetDnsConfigOverrides(overrides);
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("secure_slow_nx_insecure_4slow_ok", 80), NetLogWithSource(),
-      base::nullopt, request_context_.get(), host_cache_.get()));
+      HostPortPair("secure_slow_nx_insecure_4slow_ok", 80),
+      NetworkIsolationKey(), NetLogWithSource(), base::nullopt,
+      request_context_.get(), host_cache_.get()));
   base::RunLoop().RunUntilIdle();
   EXPECT_FALSE(response.complete());
   // Complete the secure transactions.
@@ -4919,9 +5276,10 @@ TEST_F(HostResolverManagerDnsTest, AAAACompletesFirst_AutomaticMode) {
   ASSERT_THAT(response.result_error(), IsOk());
   EXPECT_THAT(response.request()->GetAddressResults().value().endpoints(),
               testing::ElementsAre(CreateExpected("127.0.0.1", 80)));
-  HostCache::Key insecure_key = HostCache::Key(
-      "secure_slow_nx_insecure_4slow_ok", DnsQueryType::UNSPECIFIED,
-      0 /* host_resolver_flags */, HostResolverSource::ANY);
+  HostCache::Key insecure_key =
+      HostCache::Key("secure_slow_nx_insecure_4slow_ok",
+                     DnsQueryType::UNSPECIFIED, 0 /* host_resolver_flags */,
+                     HostResolverSource::ANY, NetworkIsolationKey());
   const std::pair<const HostCache::Key, HostCache::Entry>* cache_result =
       GetCacheHit(insecure_key);
   EXPECT_TRUE(!!cache_result);
@@ -4939,16 +5297,16 @@ TEST_F(HostResolverManagerDnsTest, SecureDnsMode_Automatic) {
 
   // A successful DoH request should result in a secure cache entry.
   ResolveHostResponseHelper response_secure(resolver_->CreateRequest(
-      HostPortPair("automatic", 80), NetLogWithSource(), base::nullopt,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("automatic", 80), NetworkIsolationKey(), NetLogWithSource(),
+      base::nullopt, request_context_.get(), host_cache_.get()));
   ASSERT_THAT(response_secure.result_error(), IsOk());
   EXPECT_THAT(
       response_secure.request()->GetAddressResults().value().endpoints(),
       testing::UnorderedElementsAre(CreateExpected("127.0.0.1", 80),
                                     CreateExpected("::1", 80)));
-  HostCache::Key secure_key =
-      HostCache::Key("automatic", DnsQueryType::UNSPECIFIED,
-                     0 /* host_resolver_flags */, HostResolverSource::ANY);
+  HostCache::Key secure_key = HostCache::Key(
+      "automatic", DnsQueryType::UNSPECIFIED, 0 /* host_resolver_flags */,
+      HostResolverSource::ANY, NetworkIsolationKey());
   secure_key.secure = true;
   cache_result = GetCacheHit(secure_key);
   EXPECT_TRUE(!!cache_result);
@@ -4956,8 +5314,9 @@ TEST_F(HostResolverManagerDnsTest, SecureDnsMode_Automatic) {
   // A successful plaintext DNS request should result in an insecure cache
   // entry.
   ResolveHostResponseHelper response_insecure(resolver_->CreateRequest(
-      HostPortPair("insecure_automatic", 80), NetLogWithSource(), base::nullopt,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("insecure_automatic", 80), NetworkIsolationKey(),
+      NetLogWithSource(), base::nullopt, request_context_.get(),
+      host_cache_.get()));
   ASSERT_THAT(response_insecure.result_error(), IsOk());
   EXPECT_THAT(
       response_insecure.request()->GetAddressResults().value().endpoints(),
@@ -4965,14 +5324,15 @@ TEST_F(HostResolverManagerDnsTest, SecureDnsMode_Automatic) {
                                     CreateExpected("::1", 80)));
   HostCache::Key insecure_key =
       HostCache::Key("insecure_automatic", DnsQueryType::UNSPECIFIED,
-                     0 /* host_resolver_flags */, HostResolverSource::ANY);
+                     0 /* host_resolver_flags */, HostResolverSource::ANY,
+                     NetworkIsolationKey());
   cache_result = GetCacheHit(insecure_key);
   EXPECT_TRUE(!!cache_result);
 
   // Fallback to ProcTask allowed in AUTOMATIC mode.
   ResolveHostResponseHelper response_proc(resolver_->CreateRequest(
-      HostPortPair("nx_succeed", 80), NetLogWithSource(), base::nullopt,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("nx_succeed", 80), NetworkIsolationKey(), NetLogWithSource(),
+      base::nullopt, request_context_.get(), host_cache_.get()));
   proc_->SignalMultiple(1u);
   EXPECT_THAT(response_proc.result_error(), IsOk());
   EXPECT_THAT(response_proc.request()->GetAddressResults().value().endpoints(),
@@ -4988,15 +5348,17 @@ TEST_F(HostResolverManagerDnsTest, SecureDnsMode_Automatic_SecureCache) {
   // Populate cache with a secure entry.
   HostCache::Key cached_secure_key =
       HostCache::Key("automatic_cached", DnsQueryType::UNSPECIFIED,
-                     0 /* host_resolver_flags */, HostResolverSource::ANY);
+                     0 /* host_resolver_flags */, HostResolverSource::ANY,
+                     NetworkIsolationKey());
   cached_secure_key.secure = true;
   IPEndPoint kExpectedSecureIP = CreateExpected("192.168.1.102", 80);
   PopulateCache(cached_secure_key, kExpectedSecureIP);
 
   // The secure cache should be checked prior to any DoH request being sent.
   ResolveHostResponseHelper response_secure_cached(resolver_->CreateRequest(
-      HostPortPair("automatic_cached", 80), NetLogWithSource(), base::nullopt,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("automatic_cached", 80), NetworkIsolationKey(),
+      NetLogWithSource(), base::nullopt, request_context_.get(),
+      host_cache_.get()));
   EXPECT_THAT(response_secure_cached.result_error(), IsOk());
   EXPECT_THAT(
       response_secure_cached.request()->GetAddressResults().value().endpoints(),
@@ -5014,14 +5376,16 @@ TEST_F(HostResolverManagerDnsTest, SecureDnsMode_Automatic_InsecureCache) {
   // Populate cache with an insecure entry.
   HostCache::Key cached_insecure_key =
       HostCache::Key("insecure_automatic_cached", DnsQueryType::UNSPECIFIED,
-                     0 /* host_resolver_flags */, HostResolverSource::ANY);
+                     0 /* host_resolver_flags */, HostResolverSource::ANY,
+                     NetworkIsolationKey());
   IPEndPoint kExpectedInsecureIP = CreateExpected("192.168.1.103", 80);
   PopulateCache(cached_insecure_key, kExpectedInsecureIP);
 
   // The insecure cache should be checked after DoH requests fail.
   ResolveHostResponseHelper response_insecure_cached(resolver_->CreateRequest(
-      HostPortPair("insecure_automatic_cached", 80), NetLogWithSource(),
-      base::nullopt, request_context_.get(), host_cache_.get()));
+      HostPortPair("insecure_automatic_cached", 80), NetworkIsolationKey(),
+      NetLogWithSource(), base::nullopt, request_context_.get(),
+      host_cache_.get()));
   EXPECT_THAT(response_insecure_cached.result_error(), IsOk());
   EXPECT_THAT(response_insecure_cached.request()
                   ->GetAddressResults()
@@ -5045,20 +5409,23 @@ TEST_F(HostResolverManagerDnsTest, SecureDnsMode_Automatic_Downgrade) {
   // Populate cache with both secure and insecure entries.
   HostCache::Key cached_secure_key =
       HostCache::Key("automatic_cached", DnsQueryType::UNSPECIFIED,
-                     0 /* host_resolver_flags */, HostResolverSource::ANY);
+                     0 /* host_resolver_flags */, HostResolverSource::ANY,
+                     NetworkIsolationKey());
   cached_secure_key.secure = true;
   IPEndPoint kExpectedSecureIP = CreateExpected("192.168.1.102", 80);
   PopulateCache(cached_secure_key, kExpectedSecureIP);
   HostCache::Key cached_insecure_key =
       HostCache::Key("insecure_automatic_cached", DnsQueryType::UNSPECIFIED,
-                     0 /* host_resolver_flags */, HostResolverSource::ANY);
+                     0 /* host_resolver_flags */, HostResolverSource::ANY,
+                     NetworkIsolationKey());
   IPEndPoint kExpectedInsecureIP = CreateExpected("192.168.1.103", 80);
   PopulateCache(cached_insecure_key, kExpectedInsecureIP);
 
   // The secure cache should still be checked first.
   ResolveHostResponseHelper response_cached(resolver_->CreateRequest(
-      HostPortPair("automatic_cached", 80), NetLogWithSource(), base::nullopt,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("automatic_cached", 80), NetworkIsolationKey(),
+      NetLogWithSource(), base::nullopt, request_context_.get(),
+      host_cache_.get()));
   EXPECT_THAT(response_cached.result_error(), IsOk());
   EXPECT_THAT(
       response_cached.request()->GetAddressResults().value().endpoints(),
@@ -5066,8 +5433,9 @@ TEST_F(HostResolverManagerDnsTest, SecureDnsMode_Automatic_Downgrade) {
 
   // The insecure cache should be checked before any insecure requests are sent.
   ResolveHostResponseHelper insecure_response_cached(resolver_->CreateRequest(
-      HostPortPair("insecure_automatic_cached", 80), NetLogWithSource(),
-      base::nullopt, request_context_.get(), host_cache_.get()));
+      HostPortPair("insecure_automatic_cached", 80), NetworkIsolationKey(),
+      NetLogWithSource(), base::nullopt, request_context_.get(),
+      host_cache_.get()));
   EXPECT_THAT(insecure_response_cached.result_error(), IsOk());
   EXPECT_THAT(insecure_response_cached.request()
                   ->GetAddressResults()
@@ -5079,15 +5447,15 @@ TEST_F(HostResolverManagerDnsTest, SecureDnsMode_Automatic_Downgrade) {
   // downgraded to OFF. A successful plaintext DNS request should result in an
   // insecure cache entry.
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("automatic", 80), NetLogWithSource(), base::nullopt,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("automatic", 80), NetworkIsolationKey(), NetLogWithSource(),
+      base::nullopt, request_context_.get(), host_cache_.get()));
   ASSERT_THAT(response.result_error(), IsOk());
   EXPECT_THAT(response.request()->GetAddressResults().value().endpoints(),
               testing::UnorderedElementsAre(CreateExpected("127.0.0.1", 80),
                                             CreateExpected("::1", 80)));
-  HostCache::Key key =
-      HostCache::Key("automatic", DnsQueryType::UNSPECIFIED,
-                     0 /* host_resolver_flags */, HostResolverSource::ANY);
+  HostCache::Key key = HostCache::Key(
+      "automatic", DnsQueryType::UNSPECIFIED, 0 /* host_resolver_flags */,
+      HostResolverSource::ANY, NetworkIsolationKey());
   cache_result = GetCacheHit(key);
   EXPECT_TRUE(!!cache_result);
 }
@@ -5102,24 +5470,24 @@ TEST_F(HostResolverManagerDnsTest, SecureDnsMode_Automatic_Unavailable) {
   // DoH requests should be skipped when there are no available DoH servers
   // in automatic mode. The cached result should be in the insecure cache.
   ResolveHostResponseHelper response_automatic(resolver_->CreateRequest(
-      HostPortPair("automatic", 80), NetLogWithSource(), base::nullopt,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("automatic", 80), NetworkIsolationKey(), NetLogWithSource(),
+      base::nullopt, request_context_.get(), host_cache_.get()));
   ASSERT_THAT(response_automatic.result_error(), IsOk());
   EXPECT_THAT(
       response_automatic.request()->GetAddressResults().value().endpoints(),
       testing::UnorderedElementsAre(CreateExpected("127.0.0.1", 80),
                                     CreateExpected("::1", 80)));
-  HostCache::Key secure_key =
-      HostCache::Key("automatic", DnsQueryType::UNSPECIFIED,
-                     0 /* host_resolver_flags */, HostResolverSource::ANY);
+  HostCache::Key secure_key = HostCache::Key(
+      "automatic", DnsQueryType::UNSPECIFIED, 0 /* host_resolver_flags */,
+      HostResolverSource::ANY, NetworkIsolationKey());
   secure_key.secure = true;
   const std::pair<const HostCache::Key, HostCache::Entry>* cache_result =
       GetCacheHit(secure_key);
   EXPECT_FALSE(!!cache_result);
 
-  HostCache::Key insecure_key =
-      HostCache::Key("automatic", DnsQueryType::UNSPECIFIED,
-                     0 /* host_resolver_flags */, HostResolverSource::ANY);
+  HostCache::Key insecure_key = HostCache::Key(
+      "automatic", DnsQueryType::UNSPECIFIED, 0 /* host_resolver_flags */,
+      HostResolverSource::ANY, NetworkIsolationKey());
   cache_result = GetCacheHit(insecure_key);
   EXPECT_TRUE(!!cache_result);
 }
@@ -5134,21 +5502,21 @@ TEST_F(HostResolverManagerDnsTest, SecureDnsMode_Automatic_Unavailable_Fail) {
 
   // Insecure requests that fail should not be cached.
   ResolveHostResponseHelper response_secure(resolver_->CreateRequest(
-      HostPortPair("secure", 80), NetLogWithSource(), base::nullopt,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("secure", 80), NetworkIsolationKey(), NetLogWithSource(),
+      base::nullopt, request_context_.get(), host_cache_.get()));
   ASSERT_THAT(response_secure.result_error(), IsError(ERR_NAME_NOT_RESOLVED));
 
-  HostCache::Key secure_key =
-      HostCache::Key("secure", DnsQueryType::UNSPECIFIED,
-                     0 /* host_resolver_flags */, HostResolverSource::ANY);
+  HostCache::Key secure_key = HostCache::Key(
+      "secure", DnsQueryType::UNSPECIFIED, 0 /* host_resolver_flags */,
+      HostResolverSource::ANY, NetworkIsolationKey());
   secure_key.secure = true;
   const std::pair<const HostCache::Key, HostCache::Entry>* cache_result =
       GetCacheHit(secure_key);
   EXPECT_FALSE(!!cache_result);
 
-  HostCache::Key insecure_key =
-      HostCache::Key("secure", DnsQueryType::UNSPECIFIED,
-                     0 /* host_resolver_flags */, HostResolverSource::ANY);
+  HostCache::Key insecure_key = HostCache::Key(
+      "secure", DnsQueryType::UNSPECIFIED, 0 /* host_resolver_flags */,
+      HostResolverSource::ANY, NetworkIsolationKey());
   cache_result = GetCacheHit(insecure_key);
   EXPECT_FALSE(!!cache_result);
 }
@@ -5160,9 +5528,9 @@ TEST_F(HostResolverManagerDnsTest, SecureDnsMode_Automatic_Stale) {
   resolver_->SetDnsConfigOverrides(overrides);
 
   // Populate cache with insecure entry.
-  HostCache::Key cached_stale_key =
-      HostCache::Key("automatic_stale", DnsQueryType::UNSPECIFIED,
-                     0 /* host_resolver_flags */, HostResolverSource::ANY);
+  HostCache::Key cached_stale_key = HostCache::Key(
+      "automatic_stale", DnsQueryType::UNSPECIFIED, 0 /* host_resolver_flags */,
+      HostResolverSource::ANY, NetworkIsolationKey());
   IPEndPoint kExpectedStaleIP = CreateExpected("192.168.1.102", 80);
   PopulateCache(cached_stale_key, kExpectedStaleIP);
   MakeCacheStale();
@@ -5174,8 +5542,9 @@ TEST_F(HostResolverManagerDnsTest, SecureDnsMode_Automatic_Stale) {
   // The insecure cache should be checked before secure requests are made since
   // stale results are allowed.
   ResolveHostResponseHelper response_stale(resolver_->CreateRequest(
-      HostPortPair("automatic_stale", 80), NetLogWithSource(),
-      stale_allowed_parameters, request_context_.get(), host_cache_.get()));
+      HostPortPair("automatic_stale", 80), NetworkIsolationKey(),
+      NetLogWithSource(), stale_allowed_parameters, request_context_.get(),
+      host_cache_.get()));
   EXPECT_THAT(response_stale.result_error(), IsOk());
   EXPECT_THAT(response_stale.request()->GetAddressResults().value().endpoints(),
               testing::ElementsAre(kExpectedStaleIP));
@@ -5195,16 +5564,16 @@ TEST_F(HostResolverManagerDnsTest,
 
   // The secure part of the dns client should be enabled.
   ResolveHostResponseHelper response_secure(resolver_->CreateRequest(
-      HostPortPair("automatic", 80), NetLogWithSource(), base::nullopt,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("automatic", 80), NetworkIsolationKey(), NetLogWithSource(),
+      base::nullopt, request_context_.get(), host_cache_.get()));
   ASSERT_THAT(response_secure.result_error(), IsOk());
   EXPECT_THAT(
       response_secure.request()->GetAddressResults().value().endpoints(),
       testing::UnorderedElementsAre(CreateExpected("127.0.0.1", 80),
                                     CreateExpected("::1", 80)));
-  HostCache::Key secure_key =
-      HostCache::Key("automatic", DnsQueryType::UNSPECIFIED,
-                     0 /* host_resolver_flags */, HostResolverSource::ANY);
+  HostCache::Key secure_key = HostCache::Key(
+      "automatic", DnsQueryType::UNSPECIFIED, 0 /* host_resolver_flags */,
+      HostResolverSource::ANY, NetworkIsolationKey());
   secure_key.secure = true;
   cache_result = GetCacheHit(secure_key);
   EXPECT_TRUE(!!cache_result);
@@ -5212,8 +5581,9 @@ TEST_F(HostResolverManagerDnsTest,
   // The insecure part of the dns client is disabled so insecure requests
   // should be skipped.
   ResolveHostResponseHelper response_insecure(resolver_->CreateRequest(
-      HostPortPair("insecure_automatic", 80), NetLogWithSource(), base::nullopt,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("insecure_automatic", 80), NetworkIsolationKey(),
+      NetLogWithSource(), base::nullopt, request_context_.get(),
+      host_cache_.get()));
   proc_->SignalMultiple(1u);
   ASSERT_THAT(response_insecure.result_error(), IsOk());
   EXPECT_THAT(
@@ -5221,21 +5591,24 @@ TEST_F(HostResolverManagerDnsTest,
       testing::ElementsAre(CreateExpected("192.168.1.100", 80)));
   HostCache::Key insecure_key =
       HostCache::Key("insecure_automatic", DnsQueryType::UNSPECIFIED,
-                     0 /* host_resolver_flags */, HostResolverSource::ANY);
+                     0 /* host_resolver_flags */, HostResolverSource::ANY,
+                     NetworkIsolationKey());
   cache_result = GetCacheHit(insecure_key);
   EXPECT_TRUE(!!cache_result);
 
   HostCache::Key cached_insecure_key =
       HostCache::Key("insecure_automatic_cached", DnsQueryType::UNSPECIFIED,
-                     0 /* host_resolver_flags */, HostResolverSource::ANY);
+                     0 /* host_resolver_flags */, HostResolverSource::ANY,
+                     NetworkIsolationKey());
   IPEndPoint kExpectedInsecureIP = CreateExpected("192.168.1.101", 80);
   PopulateCache(cached_insecure_key, kExpectedInsecureIP);
 
   // The insecure cache should still be checked even if the insecure part of
   // the dns client is disabled.
   ResolveHostResponseHelper response_insecure_cached(resolver_->CreateRequest(
-      HostPortPair("insecure_automatic_cached", 80), NetLogWithSource(),
-      base::nullopt, request_context_.get(), host_cache_.get()));
+      HostPortPair("insecure_automatic_cached", 80), NetworkIsolationKey(),
+      NetLogWithSource(), base::nullopt, request_context_.get(),
+      host_cache_.get()));
   EXPECT_THAT(response_insecure_cached.result_error(), IsOk());
   EXPECT_THAT(response_insecure_cached.request()
                   ->GetAddressResults()
@@ -5257,16 +5630,16 @@ TEST_F(HostResolverManagerDnsTest, SecureDnsMode_Automatic_DotActive) {
 
   // The secure part of the dns client should be enabled.
   ResolveHostResponseHelper response_secure(resolver_->CreateRequest(
-      HostPortPair("automatic", 80), NetLogWithSource(), base::nullopt,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("automatic", 80), NetworkIsolationKey(), NetLogWithSource(),
+      base::nullopt, request_context_.get(), host_cache_.get()));
   ASSERT_THAT(response_secure.result_error(), IsOk());
   EXPECT_THAT(
       response_secure.request()->GetAddressResults().value().endpoints(),
       testing::UnorderedElementsAre(CreateExpected("127.0.0.1", 80),
                                     CreateExpected("::1", 80)));
-  HostCache::Key secure_key =
-      HostCache::Key("automatic", DnsQueryType::UNSPECIFIED,
-                     0 /* host_resolver_flags */, HostResolverSource::ANY);
+  HostCache::Key secure_key = HostCache::Key(
+      "automatic", DnsQueryType::UNSPECIFIED, 0 /* host_resolver_flags */,
+      HostResolverSource::ANY, NetworkIsolationKey());
   secure_key.secure = true;
   cache_result = GetCacheHit(secure_key);
   EXPECT_TRUE(!!cache_result);
@@ -5274,8 +5647,9 @@ TEST_F(HostResolverManagerDnsTest, SecureDnsMode_Automatic_DotActive) {
   // Insecure async requests should be skipped since the system resolver
   // requests will be secure.
   ResolveHostResponseHelper response_insecure(resolver_->CreateRequest(
-      HostPortPair("insecure_automatic", 80), NetLogWithSource(), base::nullopt,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("insecure_automatic", 80), NetworkIsolationKey(),
+      NetLogWithSource(), base::nullopt, request_context_.get(),
+      host_cache_.get()));
   proc_->SignalMultiple(1u);
   ASSERT_THAT(response_insecure.result_error(), IsOk());
   EXPECT_THAT(
@@ -5283,20 +5657,23 @@ TEST_F(HostResolverManagerDnsTest, SecureDnsMode_Automatic_DotActive) {
       testing::ElementsAre(CreateExpected("192.168.1.100", 80)));
   HostCache::Key insecure_key =
       HostCache::Key("insecure_automatic", DnsQueryType::UNSPECIFIED,
-                     0 /* host_resolver_flags */, HostResolverSource::ANY);
+                     0 /* host_resolver_flags */, HostResolverSource::ANY,
+                     NetworkIsolationKey());
   cache_result = GetCacheHit(insecure_key);
   EXPECT_TRUE(!!cache_result);
 
   HostCache::Key cached_insecure_key =
       HostCache::Key("insecure_automatic_cached", DnsQueryType::UNSPECIFIED,
-                     0 /* host_resolver_flags */, HostResolverSource::ANY);
+                     0 /* host_resolver_flags */, HostResolverSource::ANY,
+                     NetworkIsolationKey());
   IPEndPoint kExpectedInsecureIP = CreateExpected("192.168.1.101", 80);
   PopulateCache(cached_insecure_key, kExpectedInsecureIP);
 
   // The insecure cache should still be checked.
   ResolveHostResponseHelper response_insecure_cached(resolver_->CreateRequest(
-      HostPortPair("insecure_automatic_cached", 80), NetLogWithSource(),
-      base::nullopt, request_context_.get(), host_cache_.get()));
+      HostPortPair("insecure_automatic_cached", 80), NetworkIsolationKey(),
+      NetLogWithSource(), base::nullopt, request_context_.get(),
+      host_cache_.get()));
   EXPECT_THAT(response_insecure_cached.result_error(), IsOk());
   EXPECT_THAT(response_insecure_cached.request()
                   ->GetAddressResults()
@@ -5316,30 +5693,30 @@ TEST_F(HostResolverManagerDnsTest, SecureDnsMode_Secure) {
   const std::pair<const HostCache::Key, HostCache::Entry>* cache_result;
 
   ResolveHostResponseHelper response_secure(resolver_->CreateRequest(
-      HostPortPair("secure", 80), NetLogWithSource(), base::nullopt,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("secure", 80), NetworkIsolationKey(), NetLogWithSource(),
+      base::nullopt, request_context_.get(), host_cache_.get()));
   ASSERT_THAT(response_secure.result_error(), IsOk());
-  HostCache::Key secure_key =
-      HostCache::Key("secure", DnsQueryType::UNSPECIFIED,
-                     0 /* host_resolver_flags */, HostResolverSource::ANY);
+  HostCache::Key secure_key = HostCache::Key(
+      "secure", DnsQueryType::UNSPECIFIED, 0 /* host_resolver_flags */,
+      HostResolverSource::ANY, NetworkIsolationKey());
   secure_key.secure = true;
   cache_result = GetCacheHit(secure_key);
   EXPECT_TRUE(!!cache_result);
 
   ResolveHostResponseHelper response_insecure(resolver_->CreateRequest(
-      HostPortPair("ok", 80), NetLogWithSource(), base::nullopt,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("ok", 80), NetworkIsolationKey(), NetLogWithSource(),
+      base::nullopt, request_context_.get(), host_cache_.get()));
   ASSERT_THAT(response_insecure.result_error(), IsError(ERR_NAME_NOT_RESOLVED));
-  HostCache::Key insecure_key =
-      HostCache::Key("ok", DnsQueryType::UNSPECIFIED,
-                     0 /* host_resolver_flags */, HostResolverSource::ANY);
+  HostCache::Key insecure_key = HostCache::Key(
+      "ok", DnsQueryType::UNSPECIFIED, 0 /* host_resolver_flags */,
+      HostResolverSource::ANY, NetworkIsolationKey());
   cache_result = GetCacheHit(insecure_key);
   EXPECT_FALSE(!!cache_result);
 
   // Fallback to ProcTask not allowed in SECURE mode.
   ResolveHostResponseHelper response_proc(resolver_->CreateRequest(
-      HostPortPair("nx_succeed", 80), NetLogWithSource(), base::nullopt,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("nx_succeed", 80), NetworkIsolationKey(), NetLogWithSource(),
+      base::nullopt, request_context_.get(), host_cache_.get()));
   proc_->SignalMultiple(1u);
   EXPECT_THAT(response_proc.result_error(), IsError(ERR_NAME_NOT_RESOLVED));
 }
@@ -5357,12 +5734,12 @@ TEST_F(HostResolverManagerDnsTest, SecureDnsMode_Secure_InsecureAsyncDisabled) {
 
   // The secure part of the dns client should be enabled.
   ResolveHostResponseHelper response_secure(resolver_->CreateRequest(
-      HostPortPair("secure", 80), NetLogWithSource(), base::nullopt,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("secure", 80), NetworkIsolationKey(), NetLogWithSource(),
+      base::nullopt, request_context_.get(), host_cache_.get()));
   ASSERT_THAT(response_secure.result_error(), IsOk());
-  HostCache::Key secure_key =
-      HostCache::Key("secure", DnsQueryType::UNSPECIFIED,
-                     0 /* host_resolver_flags */, HostResolverSource::ANY);
+  HostCache::Key secure_key = HostCache::Key(
+      "secure", DnsQueryType::UNSPECIFIED, 0 /* host_resolver_flags */,
+      HostResolverSource::ANY, NetworkIsolationKey());
   secure_key.secure = true;
   cache_result = GetCacheHit(secure_key);
   EXPECT_TRUE(!!cache_result);
@@ -5378,17 +5755,17 @@ TEST_F(HostResolverManagerDnsTest, SecureDnsMode_Secure_Local_CacheMiss) {
   source_none_parameters.source = HostResolverSource::LOCAL_ONLY;
 
   // Populate cache with an insecure entry.
-  HostCache::Key cached_insecure_key =
-      HostCache::Key("automatic", DnsQueryType::UNSPECIFIED,
-                     0 /* host_resolver_flags */, HostResolverSource::ANY);
+  HostCache::Key cached_insecure_key = HostCache::Key(
+      "automatic", DnsQueryType::UNSPECIFIED, 0 /* host_resolver_flags */,
+      HostResolverSource::ANY, NetworkIsolationKey());
   IPEndPoint kExpectedInsecureIP = CreateExpected("192.168.1.102", 80);
   PopulateCache(cached_insecure_key, kExpectedInsecureIP);
 
   // NONE query expected to complete synchronously with a cache miss since
   // the insecure cache should not be checked.
   ResolveHostResponseHelper cache_miss_request(resolver_->CreateRequest(
-      HostPortPair("automatic", 80), NetLogWithSource(), source_none_parameters,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("automatic", 80), NetworkIsolationKey(), NetLogWithSource(),
+      source_none_parameters, request_context_.get(), host_cache_.get()));
   EXPECT_TRUE(cache_miss_request.complete());
   EXPECT_THAT(cache_miss_request.result_error(), IsError(ERR_DNS_CACHE_MISS));
   EXPECT_FALSE(cache_miss_request.request()->GetAddressResults());
@@ -5405,9 +5782,9 @@ TEST_F(HostResolverManagerDnsTest, SecureDnsMode_Secure_Local_CacheHit) {
   source_none_parameters.source = HostResolverSource::LOCAL_ONLY;
 
   // Populate cache with a secure entry.
-  HostCache::Key cached_secure_key =
-      HostCache::Key("secure", DnsQueryType::UNSPECIFIED,
-                     0 /* host_resolver_flags */, HostResolverSource::ANY);
+  HostCache::Key cached_secure_key = HostCache::Key(
+      "secure", DnsQueryType::UNSPECIFIED, 0 /* host_resolver_flags */,
+      HostResolverSource::ANY, NetworkIsolationKey());
   cached_secure_key.secure = true;
   IPEndPoint kExpectedSecureIP = CreateExpected("192.168.1.103", 80);
   PopulateCache(cached_secure_key, kExpectedSecureIP);
@@ -5415,8 +5792,8 @@ TEST_F(HostResolverManagerDnsTest, SecureDnsMode_Secure_Local_CacheHit) {
   // NONE query expected to complete synchronously with a cache hit from the
   // secure cache.
   ResolveHostResponseHelper response_cached(resolver_->CreateRequest(
-      HostPortPair("secure", 80), NetLogWithSource(), base::nullopt,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("secure", 80), NetworkIsolationKey(), NetLogWithSource(),
+      base::nullopt, request_context_.get(), host_cache_.get()));
   EXPECT_TRUE(response_cached.complete());
   EXPECT_THAT(response_cached.result_error(), IsOk());
   EXPECT_THAT(
@@ -5431,8 +5808,8 @@ TEST_F(HostResolverManagerDnsTest, SerialResolver) {
   ChangeDnsConfig(CreateValidDnsConfig());
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("ok", 80), NetLogWithSource(), base::nullopt,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("ok", 80), NetworkIsolationKey(), NetLogWithSource(),
+      base::nullopt, request_context_.get(), host_cache_.get()));
   EXPECT_FALSE(response.complete());
   EXPECT_EQ(1u, num_running_dispatcher_jobs());
 
@@ -5455,12 +5832,12 @@ TEST_F(HostResolverManagerDnsTest, AAAAStartsAfterOtherJobFinishes) {
   ChangeDnsConfig(CreateValidDnsConfig());
 
   ResolveHostResponseHelper response0(resolver_->CreateRequest(
-      HostPortPair("ok", 80), NetLogWithSource(), base::nullopt,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("ok", 80), NetworkIsolationKey(), NetLogWithSource(),
+      base::nullopt, request_context_.get(), host_cache_.get()));
   EXPECT_EQ(2u, num_running_dispatcher_jobs());
   ResolveHostResponseHelper response1(resolver_->CreateRequest(
-      HostPortPair("4slow_ok", 80), NetLogWithSource(), base::nullopt,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("4slow_ok", 80), NetworkIsolationKey(), NetLogWithSource(),
+      base::nullopt, request_context_.get(), host_cache_.get()));
   EXPECT_EQ(3u, num_running_dispatcher_jobs());
 
   // Request 0's transactions should complete, starting Request 1's second
@@ -5493,8 +5870,9 @@ TEST_F(HostResolverManagerDnsTest, IPv4EmptyFallback) {
   proc_->SignalMultiple(1u);
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("empty_fallback", 80), NetLogWithSource(), base::nullopt,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("empty_fallback", 80), NetworkIsolationKey(),
+      NetLogWithSource(), base::nullopt, request_context_.get(),
+      host_cache_.get()));
   EXPECT_THAT(response.result_error(), IsOk());
   EXPECT_THAT(response.request()->GetAddressResults().value().endpoints(),
               testing::ElementsAre(CreateExpected("192.168.0.1", 80)));
@@ -5508,8 +5886,9 @@ TEST_F(HostResolverManagerDnsTest, UnspecEmptyFallback) {
   proc_->SignalMultiple(1u);
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("empty_fallback", 80), NetLogWithSource(), base::nullopt,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("empty_fallback", 80), NetworkIsolationKey(),
+      NetLogWithSource(), base::nullopt, request_context_.get(),
+      host_cache_.get()));
 
   EXPECT_THAT(response.result_error(), IsOk());
   EXPECT_THAT(response.request()->GetAddressResults().value().endpoints(),
@@ -5536,17 +5915,19 @@ TEST_F(HostResolverManagerDnsTest, InvalidDnsConfigWithPendingRequests) {
   // First active job gets two slots.
   responses.emplace_back(
       std::make_unique<ResolveHostResponseHelper>(resolver_->CreateRequest(
-          HostPortPair("slow_nx1", 80), NetLogWithSource(), base::nullopt,
-          request_context_.get(), host_cache_.get())));
+          HostPortPair("slow_nx1", 80), NetworkIsolationKey(),
+          NetLogWithSource(), base::nullopt, request_context_.get(),
+          host_cache_.get())));
   // Next job gets one slot, and waits on another.
   responses.emplace_back(
       std::make_unique<ResolveHostResponseHelper>(resolver_->CreateRequest(
-          HostPortPair("slow_nx2", 80), NetLogWithSource(), base::nullopt,
-          request_context_.get(), host_cache_.get())));
+          HostPortPair("slow_nx2", 80), NetworkIsolationKey(),
+          NetLogWithSource(), base::nullopt, request_context_.get(),
+          host_cache_.get())));
   responses.emplace_back(
       std::make_unique<ResolveHostResponseHelper>(resolver_->CreateRequest(
-          HostPortPair("ok", 80), NetLogWithSource(), base::nullopt,
-          request_context_.get(), host_cache_.get())));
+          HostPortPair("ok", 80), NetworkIsolationKey(), NetLogWithSource(),
+          base::nullopt, request_context_.get(), host_cache_.get())));
 
   EXPECT_EQ(3u, num_running_dispatcher_jobs());
   for (auto& response : responses) {
@@ -5567,8 +5948,8 @@ TEST_F(HostResolverManagerDnsTest, DontAbortOnInitialDNSConfigRead) {
   // DnsClient is enabled, but there's no DnsConfig, so the request should start
   // using ProcTask.
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("host1", 70), NetLogWithSource(), base::nullopt,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("host1", 70), NetworkIsolationKey(), NetLogWithSource(),
+      base::nullopt, request_context_.get(), host_cache_.get()));
   EXPECT_FALSE(response.complete());
 
   EXPECT_TRUE(proc_->WaitFor(1u));
@@ -5603,8 +5984,8 @@ TEST_F(HostResolverManagerDnsTest,
       proc_->AddRuleForAllFamilies(host, "192.168.0.1");
       failure_responses.emplace_back(
           std::make_unique<ResolveHostResponseHelper>(resolver_->CreateRequest(
-              HostPortPair(host, 80), NetLogWithSource(), base::nullopt,
-              request_context_.get(), host_cache_.get())));
+              HostPortPair(host, 80), NetworkIsolationKey(), NetLogWithSource(),
+              base::nullopt, request_context_.get(), host_cache_.get())));
       EXPECT_FALSE(failure_responses[i]->complete());
     }
 
@@ -5612,18 +5993,18 @@ TEST_F(HostResolverManagerDnsTest,
     // failures, so should end up using ProcTasks.
     proc_->AddRuleForAllFamilies("slow_ok1", "192.168.0.2");
     ResolveHostResponseHelper response0(resolver_->CreateRequest(
-        HostPortPair("slow_ok1", 80), NetLogWithSource(), base::nullopt,
-        request_context_.get(), host_cache_.get()));
+        HostPortPair("slow_ok1", 80), NetworkIsolationKey(), NetLogWithSource(),
+        base::nullopt, request_context_.get(), host_cache_.get()));
     EXPECT_FALSE(response0.complete());
     proc_->AddRuleForAllFamilies("slow_ok2", "192.168.0.3");
     ResolveHostResponseHelper response1(resolver_->CreateRequest(
-        HostPortPair("slow_ok2", 80), NetLogWithSource(), base::nullopt,
-        request_context_.get(), host_cache_.get()));
+        HostPortPair("slow_ok2", 80), NetworkIsolationKey(), NetLogWithSource(),
+        base::nullopt, request_context_.get(), host_cache_.get()));
     EXPECT_FALSE(response1.complete());
     proc_->AddRuleForAllFamilies("slow_ok3", "192.168.0.4");
     ResolveHostResponseHelper response2(resolver_->CreateRequest(
-        HostPortPair("slow_ok3", 80), NetLogWithSource(), base::nullopt,
-        request_context_.get(), host_cache_.get()));
+        HostPortPair("slow_ok3", 80), NetworkIsolationKey(), NetLogWithSource(),
+        base::nullopt, request_context_.get(), host_cache_.get()));
     EXPECT_FALSE(response2.complete());
 
     // Requests specifying DNS source cannot fallback to ProcTask, so they
@@ -5631,8 +6012,8 @@ TEST_F(HostResolverManagerDnsTest,
     HostResolver::ResolveHostParameters parameters;
     parameters.source = HostResolverSource::DNS;
     ResolveHostResponseHelper response_dns(resolver_->CreateRequest(
-        HostPortPair("4slow_ok", 80), NetLogWithSource(), parameters,
-        request_context_.get(), host_cache_.get()));
+        HostPortPair("4slow_ok", 80), NetworkIsolationKey(), NetLogWithSource(),
+        parameters, request_context_.get(), host_cache_.get()));
     EXPECT_FALSE(response_dns.complete());
 
     // Requests specifying SYSTEM source should be unaffected by disabling
@@ -5640,8 +6021,8 @@ TEST_F(HostResolverManagerDnsTest,
     proc_->AddRuleForAllFamilies("nx_ok", "192.168.0.5");
     parameters.source = HostResolverSource::SYSTEM;
     ResolveHostResponseHelper response_system(resolver_->CreateRequest(
-        HostPortPair("nx_ok", 80), NetLogWithSource(), parameters,
-        request_context_.get(), host_cache_.get()));
+        HostPortPair("nx_ok", 80), NetworkIsolationKey(), NetLogWithSource(),
+        parameters, request_context_.get(), host_cache_.get()));
     EXPECT_FALSE(response_system.complete());
 
     // Secure DnsTasks should not be affected.
@@ -5649,8 +6030,9 @@ TEST_F(HostResolverManagerDnsTest,
     secure_parameters.secure_dns_mode_override =
         DnsConfig::SecureDnsMode::AUTOMATIC;
     ResolveHostResponseHelper response_secure(resolver_->CreateRequest(
-        HostPortPair("automatic", 80), NetLogWithSource(), secure_parameters,
-        request_context_.get(), host_cache_.get()));
+        HostPortPair("automatic", 80), NetworkIsolationKey(),
+        NetLogWithSource(), secure_parameters, request_context_.get(),
+        host_cache_.get()));
     EXPECT_FALSE(response_secure.complete());
 
     proc_->SignalMultiple(maximum_insecure_dns_task_failures() + 4);
@@ -5708,20 +6090,22 @@ TEST_F(HostResolverManagerDnsTest,
   // First active job gets two slots.
   responses.emplace_back(
       std::make_unique<ResolveHostResponseHelper>(resolver_->CreateRequest(
-          HostPortPair("slow_ok1", 80), NetLogWithSource(), base::nullopt,
-          request_context_.get(), host_cache_.get())));
+          HostPortPair("slow_ok1", 80), NetworkIsolationKey(),
+          NetLogWithSource(), base::nullopt, request_context_.get(),
+          host_cache_.get())));
   EXPECT_FALSE(responses[0]->complete());
   // Next job gets one slot, and waits on another.
   responses.emplace_back(
       std::make_unique<ResolveHostResponseHelper>(resolver_->CreateRequest(
-          HostPortPair("slow_ok2", 80), NetLogWithSource(), base::nullopt,
-          request_context_.get(), host_cache_.get())));
+          HostPortPair("slow_ok2", 80), NetworkIsolationKey(),
+          NetLogWithSource(), base::nullopt, request_context_.get(),
+          host_cache_.get())));
   EXPECT_FALSE(responses[1]->complete());
   // Next one is queued.
   responses.emplace_back(
       std::make_unique<ResolveHostResponseHelper>(resolver_->CreateRequest(
-          HostPortPair("ok", 80), NetLogWithSource(), base::nullopt,
-          request_context_.get(), host_cache_.get())));
+          HostPortPair("ok", 80), NetworkIsolationKey(), NetLogWithSource(),
+          base::nullopt, request_context_.get(), host_cache_.get())));
   EXPECT_FALSE(responses[2]->complete());
 
   EXPECT_EQ(3u, num_running_dispatcher_jobs());
@@ -5754,8 +6138,8 @@ TEST_F(HostResolverManagerDnsTest, DnsCallsWithDisabledDnsClient) {
   HostResolver::ResolveHostParameters params;
   params.source = HostResolverSource::DNS;
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("host", 80), NetLogWithSource(), params,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("host", 80), NetworkIsolationKey(), NetLogWithSource(),
+      params, request_context_.get(), host_cache_.get()));
 
   EXPECT_THAT(response.result_error(), IsError(ERR_DNS_CACHE_MISS));
 }
@@ -5772,8 +6156,8 @@ TEST_F(HostResolverManagerDnsTest,
   HostResolver::ResolveHostParameters params;
   params.source = HostResolverSource::DNS;
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("host", 80), NetLogWithSource(), params,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("host", 80), NetworkIsolationKey(), NetLogWithSource(),
+      params, request_context_.get(), host_cache_.get()));
 
   EXPECT_THAT(response.result_error(), IsError(ERR_DNS_CACHE_MISS));
 }
@@ -5786,8 +6170,8 @@ TEST_F(HostResolverManagerDnsTest, DnsCallsWithNoDnsConfig) {
   HostResolver::ResolveHostParameters params;
   params.source = HostResolverSource::DNS;
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("host", 80), NetLogWithSource(), params,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("host", 80), NetworkIsolationKey(), NetLogWithSource(),
+      params, request_context_.get(), host_cache_.get()));
 
   EXPECT_THAT(response.result_error(), IsError(ERR_DNS_CACHE_MISS));
 }
@@ -5814,17 +6198,17 @@ TEST_F(HostResolverManagerDnsTest, NoCheckIpv6OnWifi) {
   proc_->AddRule("h1", ADDRESS_FAMILY_IPV6, "::2");
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("h1", 80), NetLogWithSource(), base::nullopt,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("h1", 80), NetworkIsolationKey(), NetLogWithSource(),
+      base::nullopt, request_context_.get(), host_cache_.get()));
   HostResolver::ResolveHostParameters parameters;
   parameters.dns_query_type = DnsQueryType::A;
   ResolveHostResponseHelper v4_response(resolver_->CreateRequest(
-      HostPortPair("h1", 80), NetLogWithSource(), parameters,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("h1", 80), NetworkIsolationKey(), NetLogWithSource(),
+      parameters, request_context_.get(), host_cache_.get()));
   parameters.dns_query_type = DnsQueryType::AAAA;
   ResolveHostResponseHelper v6_response(resolver_->CreateRequest(
-      HostPortPair("h1", 80), NetLogWithSource(), parameters,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("h1", 80), NetworkIsolationKey(), NetLogWithSource(),
+      parameters, request_context_.get(), host_cache_.get()));
 
   proc_->SignalMultiple(3u);
 
@@ -5847,16 +6231,16 @@ TEST_F(HostResolverManagerDnsTest, NoCheckIpv6OnWifi) {
   base::RunLoop().RunUntilIdle();  // Wait for NetworkChangeNotifier.
 
   ResolveHostResponseHelper no_wifi_response(resolver_->CreateRequest(
-      HostPortPair("h1", 80), NetLogWithSource(), base::nullopt,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("h1", 80), NetworkIsolationKey(), NetLogWithSource(),
+      base::nullopt, request_context_.get(), host_cache_.get()));
   parameters.dns_query_type = DnsQueryType::A;
   ResolveHostResponseHelper no_wifi_v4_response(resolver_->CreateRequest(
-      HostPortPair("h1", 80), NetLogWithSource(), parameters,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("h1", 80), NetworkIsolationKey(), NetLogWithSource(),
+      parameters, request_context_.get(), host_cache_.get()));
   parameters.dns_query_type = DnsQueryType::AAAA;
   ResolveHostResponseHelper no_wifi_v6_response(resolver_->CreateRequest(
-      HostPortPair("h1", 80), NetLogWithSource(), parameters,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("h1", 80), NetworkIsolationKey(), NetLogWithSource(),
+      parameters, request_context_.get(), host_cache_.get()));
 
   proc_->SignalMultiple(3u);
 
@@ -5883,12 +6267,12 @@ TEST_F(HostResolverManagerDnsTest, NotFoundTTL) {
 
   // NODATA
   ResolveHostResponseHelper no_data_response(resolver_->CreateRequest(
-      HostPortPair("empty", 80), NetLogWithSource(), base::nullopt,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("empty", 80), NetworkIsolationKey(), NetLogWithSource(),
+      base::nullopt, request_context_.get(), host_cache_.get()));
   EXPECT_THAT(no_data_response.result_error(), IsError(ERR_NAME_NOT_RESOLVED));
   EXPECT_FALSE(no_data_response.request()->GetAddressResults());
   HostCache::Key key("empty", DnsQueryType::UNSPECIFIED, 0,
-                     HostResolverSource::ANY);
+                     HostResolverSource::ANY, NetworkIsolationKey());
   HostCache::EntryStaleness staleness;
   const std::pair<const HostCache::Key, HostCache::Entry>* cache_result =
       host_cache_->Lookup(key, base::TimeTicks::Now(),
@@ -5899,13 +6283,13 @@ TEST_F(HostResolverManagerDnsTest, NotFoundTTL) {
 
   // NXDOMAIN
   ResolveHostResponseHelper no_domain_response(resolver_->CreateRequest(
-      HostPortPair("nodomain", 80), NetLogWithSource(), base::nullopt,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("nodomain", 80), NetworkIsolationKey(), NetLogWithSource(),
+      base::nullopt, request_context_.get(), host_cache_.get()));
   EXPECT_THAT(no_domain_response.result_error(),
               IsError(ERR_NAME_NOT_RESOLVED));
   EXPECT_FALSE(no_domain_response.request()->GetAddressResults());
   HostCache::Key nxkey("nodomain", DnsQueryType::UNSPECIFIED, 0,
-                       HostResolverSource::ANY);
+                       HostResolverSource::ANY, NetworkIsolationKey());
   cache_result = host_cache_->Lookup(nxkey, base::TimeTicks::Now(),
                                      false /* ignore_secure */);
   EXPECT_TRUE(!!cache_result);
@@ -5927,15 +6311,16 @@ TEST_F(HostResolverManagerDnsTest, CachedError) {
 
   // Expect cache initially empty.
   ResolveHostResponseHelper cache_miss_response0(resolver_->CreateRequest(
-      HostPortPair("nodomain", 80), NetLogWithSource(), cache_only_parameters,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("nodomain", 80), NetworkIsolationKey(), NetLogWithSource(),
+      cache_only_parameters, request_context_.get(), host_cache_.get()));
   EXPECT_THAT(cache_miss_response0.result_error(), IsError(ERR_DNS_CACHE_MISS));
   EXPECT_FALSE(cache_miss_response0.request()->GetStaleInfo());
 
   // The cache should not be populate with an error because fallback to ProcTask
   // was available.
   ResolveHostResponseHelper no_domain_response_with_fallback(
-      resolver_->CreateRequest(HostPortPair("nodomain", 80), NetLogWithSource(),
+      resolver_->CreateRequest(HostPortPair("nodomain", 80),
+                               NetworkIsolationKey(), NetLogWithSource(),
                                base::nullopt, request_context_.get(),
                                host_cache_.get()));
   EXPECT_THAT(no_domain_response_with_fallback.result_error(),
@@ -5943,8 +6328,8 @@ TEST_F(HostResolverManagerDnsTest, CachedError) {
 
   // Expect cache still empty.
   ResolveHostResponseHelper cache_miss_response1(resolver_->CreateRequest(
-      HostPortPair("nodomain", 80), NetLogWithSource(), cache_only_parameters,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("nodomain", 80), NetworkIsolationKey(), NetLogWithSource(),
+      cache_only_parameters, request_context_.get(), host_cache_.get()));
   EXPECT_THAT(cache_miss_response1.result_error(), IsError(ERR_DNS_CACHE_MISS));
   EXPECT_FALSE(cache_miss_response1.request()->GetStaleInfo());
 
@@ -5953,15 +6338,15 @@ TEST_F(HostResolverManagerDnsTest, CachedError) {
 
   // Populate cache with an error.
   ResolveHostResponseHelper no_domain_response(resolver_->CreateRequest(
-      HostPortPair("nodomain", 80), NetLogWithSource(), base::nullopt,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("nodomain", 80), NetworkIsolationKey(), NetLogWithSource(),
+      base::nullopt, request_context_.get(), host_cache_.get()));
   EXPECT_THAT(no_domain_response.result_error(),
               IsError(ERR_NAME_NOT_RESOLVED));
 
   // Expect the error result can be resolved from the cache.
   ResolveHostResponseHelper cache_hit_response(resolver_->CreateRequest(
-      HostPortPair("nodomain", 80), NetLogWithSource(), cache_only_parameters,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("nodomain", 80), NetworkIsolationKey(), NetLogWithSource(),
+      cache_only_parameters, request_context_.get(), host_cache_.get()));
   EXPECT_THAT(cache_hit_response.result_error(),
               IsError(ERR_NAME_NOT_RESOLVED));
   EXPECT_FALSE(cache_hit_response.request()->GetStaleInfo().value().is_stale());
@@ -5979,10 +6364,12 @@ TEST_F(HostResolverManagerDnsTest, CachedError_AutomaticMode) {
 
   HostCache::Key insecure_key =
       HostCache::Key("automatic_nodomain", DnsQueryType::UNSPECIFIED,
-                     0 /* host_resolver_flags */, HostResolverSource::ANY);
+                     0 /* host_resolver_flags */, HostResolverSource::ANY,
+                     NetworkIsolationKey());
   HostCache::Key secure_key =
       HostCache::Key("automatic_nodomain", DnsQueryType::UNSPECIFIED,
-                     0 /* host_resolver_flags */, HostResolverSource::ANY);
+                     0 /* host_resolver_flags */, HostResolverSource::ANY,
+                     NetworkIsolationKey());
   secure_key.secure = true;
 
   // Expect cache initially empty.
@@ -5994,8 +6381,9 @@ TEST_F(HostResolverManagerDnsTest, CachedError_AutomaticMode) {
 
   // Populate both secure and insecure caches with an error.
   ResolveHostResponseHelper no_domain_response(resolver_->CreateRequest(
-      HostPortPair("automatic_nodomain", 80), NetLogWithSource(), base::nullopt,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("automatic_nodomain", 80), NetworkIsolationKey(),
+      NetLogWithSource(), base::nullopt, request_context_.get(),
+      host_cache_.get()));
   EXPECT_THAT(no_domain_response.result_error(),
               IsError(ERR_NAME_NOT_RESOLVED));
 
@@ -6018,10 +6406,12 @@ TEST_F(HostResolverManagerDnsTest, CachedError_SecureMode) {
 
   HostCache::Key insecure_key =
       HostCache::Key("automatic_nodomain", DnsQueryType::UNSPECIFIED,
-                     0 /* host_resolver_flags */, HostResolverSource::ANY);
+                     0 /* host_resolver_flags */, HostResolverSource::ANY,
+                     NetworkIsolationKey());
   HostCache::Key secure_key =
       HostCache::Key("automatic_nodomain", DnsQueryType::UNSPECIFIED,
-                     0 /* host_resolver_flags */, HostResolverSource::ANY);
+                     0 /* host_resolver_flags */, HostResolverSource::ANY,
+                     NetworkIsolationKey());
   secure_key.secure = true;
 
   // Expect cache initially empty.
@@ -6033,8 +6423,9 @@ TEST_F(HostResolverManagerDnsTest, CachedError_SecureMode) {
 
   // Populate secure cache with an error.
   ResolveHostResponseHelper no_domain_response(resolver_->CreateRequest(
-      HostPortPair("automatic_nodomain", 80), NetLogWithSource(), base::nullopt,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("automatic_nodomain", 80), NetworkIsolationKey(),
+      NetLogWithSource(), base::nullopt, request_context_.get(),
+      host_cache_.get()));
   EXPECT_THAT(no_domain_response.result_error(),
               IsError(ERR_NAME_NOT_RESOLVED));
 
@@ -6057,8 +6448,8 @@ TEST_F(HostResolverManagerDnsTest, NoCanonicalName) {
   set_allow_fallback_to_proctask(false);
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("alias", 80), NetLogWithSource(), base::nullopt,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("alias", 80), NetworkIsolationKey(), NetLogWithSource(),
+      base::nullopt, request_context_.get(), host_cache_.get()));
   ASSERT_THAT(response.result_error(), IsOk());
 
   // HostResolver may still give name, but if so, it must be correct.
@@ -6082,8 +6473,8 @@ TEST_F(HostResolverManagerDnsTest, CanonicalName) {
   params.include_canonical_name = true;
   params.source = HostResolverSource::DNS;
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("alias", 80), NetLogWithSource(), params,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("alias", 80), NetworkIsolationKey(), NetLogWithSource(),
+      params, request_context_.get(), host_cache_.get()));
   ASSERT_THAT(response.result_error(), IsOk());
 
   EXPECT_EQ(response.request()->GetAddressResults().value().canonical_name(),
@@ -6105,8 +6496,8 @@ TEST_F(HostResolverManagerDnsTest, CanonicalName_PreferV6) {
   params.include_canonical_name = true;
   params.source = HostResolverSource::DNS;
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("alias", 80), NetLogWithSource(), params,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("alias", 80), NetworkIsolationKey(), NetLogWithSource(),
+      params, request_context_.get(), host_cache_.get()));
   ASSERT_FALSE(response.complete());
   base::RunLoop().RunUntilIdle();
   dns_client_->CompleteDelayedTransactions();
@@ -6128,8 +6519,8 @@ TEST_F(HostResolverManagerDnsTest, CanonicalName_V4Only) {
   params.include_canonical_name = true;
   params.source = HostResolverSource::DNS;
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("alias", 80), NetLogWithSource(), params,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("alias", 80), NetworkIsolationKey(), NetLogWithSource(),
+      params, request_context_.get(), host_cache_.get()));
   ASSERT_THAT(response.result_error(), IsOk());
   EXPECT_EQ(response.request()->GetAddressResults().value().canonical_name(),
             "correct");
@@ -6151,14 +6542,67 @@ TEST_F(HostResolverManagerDnsTest, CanonicalNameForcesProc) {
   HostResolver::ResolveHostParameters params;
   params.include_canonical_name = true;
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("nx_succeed", 80), NetLogWithSource(), params,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("nx_succeed", 80), NetworkIsolationKey(), NetLogWithSource(),
+      params, request_context_.get(), host_cache_.get()));
   ASSERT_THAT(response.result_error(), IsOk());
 
   EXPECT_EQ(response.request()->GetAddressResults().value().canonical_name(),
             "canonical");
 }
 
+TEST_F(HostResolverManagerDnsTest, SortsAndDeduplicatesAddresses) {
+  MockDnsClientRuleList rules;
+
+  {
+    std::vector<DnsResourceRecord> answers(
+        3, BuildTestAddressRecord("duplicate", IPAddress::IPv4Localhost()));
+    std::string dns_name;
+    CHECK(DNSDomainFromDot("duplicate", &dns_name));
+    base::Optional<DnsQuery> query(base::in_place, 0, dns_name,
+                                   dns_protocol::kTypeA);
+
+    rules.emplace_back(
+        "duplicate", dns_protocol::kTypeA, false /* secure */,
+        MockDnsClientRule::Result(std::make_unique<DnsResponse>(
+            0, false, std::move(answers),
+            std::vector<DnsResourceRecord>() /* authority_records */,
+            std::vector<DnsResourceRecord>() /* additional_records */, query)),
+        false /* delay */);
+  }
+
+  {
+    std::vector<DnsResourceRecord> answers(
+        3, BuildTestAddressRecord("duplicate", IPAddress::IPv6Localhost()));
+    std::string dns_name;
+    CHECK(DNSDomainFromDot("duplicate", &dns_name));
+    base::Optional<DnsQuery> query(base::in_place, 0, dns_name,
+                                   dns_protocol::kTypeAAAA);
+
+    rules.emplace_back(
+        "duplicate", dns_protocol::kTypeAAAA, false /* secure */,
+        MockDnsClientRule::Result(std::make_unique<DnsResponse>(
+            0, false, std::move(answers),
+            std::vector<DnsResourceRecord>() /* authority_records */,
+            std::vector<DnsResourceRecord>() /* additional_records */, query)),
+        false /* delay */);
+  }
+
+  CreateResolver();
+  UseMockDnsClient(CreateValidDnsConfig(), std::move(rules));
+
+  ResolveHostResponseHelper response(resolver_->CreateRequest(
+      HostPortPair("duplicate", 80), NetworkIsolationKey(), NetLogWithSource(),
+      base::nullopt, request_context_.get(), host_cache_.get()));
+  ASSERT_THAT(response.result_error(), IsOk());
+
+  EXPECT_THAT(
+      response.request()->GetAddressResults(),
+      testing::Optional(testing::Property(
+          &AddressList::endpoints,
+          testing::ElementsAre(IPEndPoint(IPAddress::IPv6Localhost(), 80),
+                               IPEndPoint(IPAddress::IPv4Localhost(), 80)))));
+}
+
 TEST_F(HostResolverManagerTest, ResolveLocalHostname) {
   AddressList addresses;
 
@@ -6202,33 +6646,6 @@ TEST_F(HostResolverManagerTest, ResolveLocalHostname) {
   EXPECT_FALSE(ResolveLocalHostname("foo.localhoste", &addresses));
 }
 
-TEST_F(HostResolverManagerDnsTest, ResolveDnsOverHttpsServerName) {
-  MockDnsClientRuleList rules;
-  rules.emplace_back(
-      "dns.example2.com", dns_protocol::kTypeA, false /* secure */,
-      MockDnsClientRule::Result(MockDnsClientRule::OK), false /* delay */);
-  rules.emplace_back(
-      "dns.example2.com", dns_protocol::kTypeAAAA, false /* secure */,
-      MockDnsClientRule::Result(MockDnsClientRule::OK), false /* delay */);
-  CreateResolver();
-  UseMockDnsClient(CreateValidDnsConfig(), std::move(rules));
-
-  DnsConfigOverrides overrides;
-  std::vector<DnsConfig::DnsOverHttpsServerConfig> doh_servers = {
-      DnsConfig::DnsOverHttpsServerConfig("https://dns.example.com/",
-                                          true /*  use_post */),
-      DnsConfig::DnsOverHttpsServerConfig(
-          "https://dns.example2.com/dns-query{?dns}", false /* use_post */)};
-  overrides.dns_over_https_servers = doh_servers;
-  overrides.secure_dns_mode = DnsConfig::SecureDnsMode::SECURE;
-  resolver_->SetDnsConfigOverrides(overrides);
-
-  ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("dns.example2.com", 80), NetLogWithSource(), base::nullopt,
-      request_context_.get(), host_cache_.get()));
-  ASSERT_THAT(response.result_error(), IsOk());
-}
-
 TEST_F(HostResolverManagerDnsTest, AddDnsOverHttpsServerAfterConfig) {
   DestroyResolver();
   test::ScopedMockNetworkChangeNotifier notifier;
@@ -6417,8 +6834,6 @@ class TestDnsObserver : public NetworkChangeNotifier::DNSObserver {
  public:
   void OnDNSChanged() override { ++dns_changed_calls_; }
 
-  void OnInitialDNSConfigRead() override { ++dns_changed_calls_; }
-
   int dns_changed_calls() const { return dns_changed_calls_; }
 
  private:
@@ -6911,14 +7326,14 @@ TEST_F(HostResolverManagerDnsTest, FlushCacheOnDnsConfigOverridesChange) {
 
   // Populate cache.
   ResolveHostResponseHelper initial_response(resolver_->CreateRequest(
-      HostPortPair("ok", 70), NetLogWithSource(), base::nullopt,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("ok", 70), NetworkIsolationKey(), NetLogWithSource(),
+      base::nullopt, request_context_.get(), host_cache_.get()));
   EXPECT_THAT(initial_response.result_error(), IsOk());
 
   // Confirm result now cached.
   ResolveHostResponseHelper cached_response(resolver_->CreateRequest(
-      HostPortPair("ok", 75), NetLogWithSource(), local_source_parameters,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("ok", 75), NetworkIsolationKey(), NetLogWithSource(),
+      local_source_parameters, request_context_.get(), host_cache_.get()));
   ASSERT_THAT(cached_response.result_error(), IsOk());
   ASSERT_TRUE(cached_response.request()->GetStaleInfo());
 
@@ -6929,8 +7344,8 @@ TEST_F(HostResolverManagerDnsTest, FlushCacheOnDnsConfigOverridesChange) {
 
   // Expect no longer cached
   ResolveHostResponseHelper flushed_response(resolver_->CreateRequest(
-      HostPortPair("ok", 80), NetLogWithSource(), local_source_parameters,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("ok", 80), NetworkIsolationKey(), NetLogWithSource(),
+      local_source_parameters, request_context_.get(), host_cache_.get()));
   EXPECT_THAT(flushed_response.result_error(), IsError(ERR_DNS_CACHE_MISS));
 }
 
@@ -6946,8 +7361,8 @@ TEST_F(HostResolverManagerDnsTest, CancellationOnBaseConfigChange) {
   resolver_->SetDnsConfigOverrides(overrides);
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("4slow_ok", 80), NetLogWithSource(), base::nullopt,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("4slow_ok", 80), NetworkIsolationKey(), NetLogWithSource(),
+      base::nullopt, request_context_.get(), host_cache_.get()));
   ASSERT_FALSE(response.complete());
 
   DnsConfig new_config = original_config;
@@ -6971,8 +7386,8 @@ TEST_F(HostResolverManagerDnsTest,
   resolver_->SetDnsConfigOverrides(overrides);
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("4slow_ok", 80), NetLogWithSource(), base::nullopt,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("4slow_ok", 80), NetworkIsolationKey(), NetLogWithSource(),
+      base::nullopt, request_context_.get(), host_cache_.get()));
   ASSERT_FALSE(response.complete());
 
   DnsConfig new_config = original_config;
@@ -6988,8 +7403,8 @@ TEST_F(HostResolverManagerDnsTest,
 TEST_F(HostResolverManagerDnsTest, CancelQueriesOnSettingOverrides) {
   ChangeDnsConfig(CreateValidDnsConfig());
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("4slow_ok", 80), NetLogWithSource(), base::nullopt,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("4slow_ok", 80), NetworkIsolationKey(), NetLogWithSource(),
+      base::nullopt, request_context_.get(), host_cache_.get()));
   ASSERT_FALSE(response.complete());
 
   DnsConfigOverrides overrides;
@@ -7008,8 +7423,8 @@ TEST_F(HostResolverManagerDnsTest,
   resolver_->SetDnsConfigOverrides(overrides);
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("4slow_ok", 80), NetLogWithSource(), base::nullopt,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("4slow_ok", 80), NetworkIsolationKey(), NetLogWithSource(),
+      base::nullopt, request_context_.get(), host_cache_.get()));
   ASSERT_FALSE(response.complete());
 
   resolver_->SetDnsConfigOverrides(overrides);
@@ -7027,8 +7442,8 @@ TEST_F(HostResolverManagerDnsTest, CancelQueriesOnClearingOverrides) {
   resolver_->SetDnsConfigOverrides(overrides);
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("4slow_ok", 80), NetLogWithSource(), base::nullopt,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("4slow_ok", 80), NetworkIsolationKey(), NetLogWithSource(),
+      base::nullopt, request_context_.get(), host_cache_.get()));
   ASSERT_FALSE(response.complete());
 
   resolver_->SetDnsConfigOverrides(DnsConfigOverrides());
@@ -7042,8 +7457,8 @@ TEST_F(HostResolverManagerDnsTest,
        CancelQueriesOnClearingOverrides_NoOverrides) {
   ChangeDnsConfig(CreateValidDnsConfig());
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("4slow_ok", 80), NetLogWithSource(), base::nullopt,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("4slow_ok", 80), NetworkIsolationKey(), NetLogWithSource(),
+      base::nullopt, request_context_.get(), host_cache_.get()));
   ASSERT_FALSE(response.complete());
 
   resolver_->SetDnsConfigOverrides(DnsConfigOverrides());
@@ -7072,11 +7487,12 @@ TEST_F(HostResolverManagerDnsTest, TxtQuery) {
   parameters.dns_query_type = DnsQueryType::TXT;
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("host", 108), NetLogWithSource(), parameters,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("host", 108), NetworkIsolationKey(), NetLogWithSource(),
+      parameters, request_context_.get(), host_cache_.get()));
   EXPECT_THAT(response.result_error(), IsOk());
   EXPECT_FALSE(response.request()->GetAddressResults());
   EXPECT_FALSE(response.request()->GetHostnameResults());
+  EXPECT_FALSE(response.request()->GetEsniResults());
 
   // Order between separate DNS records is undefined, but each record should
   // stay in order as that order may be meaningful.
@@ -7100,8 +7516,8 @@ TEST_F(HostResolverManagerDnsTest, TxtQuery_InvalidConfig) {
   parameters.dns_query_type = DnsQueryType::TXT;
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("host", 108), NetLogWithSource(), parameters,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("host", 108), NetworkIsolationKey(), NetLogWithSource(),
+      parameters, request_context_.get(), host_cache_.get()));
   EXPECT_THAT(response.result_error(), IsError(ERR_DNS_CACHE_MISS));
 }
 
@@ -7123,12 +7539,13 @@ TEST_F(HostResolverManagerDnsTest, TxtQuery_NonexistentDomain) {
   parameters.dns_query_type = DnsQueryType::TXT;
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("host", 108), NetLogWithSource(), parameters,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("host", 108), NetworkIsolationKey(), NetLogWithSource(),
+      parameters, request_context_.get(), host_cache_.get()));
   EXPECT_THAT(response.result_error(), IsError(ERR_NAME_NOT_RESOLVED));
   EXPECT_FALSE(response.request()->GetAddressResults());
   EXPECT_FALSE(response.request()->GetTextResults());
   EXPECT_FALSE(response.request()->GetHostnameResults());
+  EXPECT_FALSE(response.request()->GetEsniResults());
 }
 
 TEST_F(HostResolverManagerDnsTest, TxtQuery_Failure) {
@@ -7149,12 +7566,13 @@ TEST_F(HostResolverManagerDnsTest, TxtQuery_Failure) {
   parameters.dns_query_type = DnsQueryType::TXT;
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("host", 108), NetLogWithSource(), parameters,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("host", 108), NetworkIsolationKey(), NetLogWithSource(),
+      parameters, request_context_.get(), host_cache_.get()));
   EXPECT_THAT(response.result_error(), IsError(ERR_NAME_NOT_RESOLVED));
   EXPECT_FALSE(response.request()->GetAddressResults());
   EXPECT_FALSE(response.request()->GetTextResults());
   EXPECT_FALSE(response.request()->GetHostnameResults());
+  EXPECT_FALSE(response.request()->GetEsniResults());
 }
 
 TEST_F(HostResolverManagerDnsTest, TxtQuery_Timeout) {
@@ -7175,12 +7593,13 @@ TEST_F(HostResolverManagerDnsTest, TxtQuery_Timeout) {
   parameters.dns_query_type = DnsQueryType::TXT;
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("host", 108), NetLogWithSource(), parameters,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("host", 108), NetworkIsolationKey(), NetLogWithSource(),
+      parameters, request_context_.get(), host_cache_.get()));
   EXPECT_THAT(response.result_error(), IsError(ERR_DNS_TIMED_OUT));
   EXPECT_FALSE(response.request()->GetAddressResults());
   EXPECT_FALSE(response.request()->GetTextResults());
   EXPECT_FALSE(response.request()->GetHostnameResults());
+  EXPECT_FALSE(response.request()->GetEsniResults());
 }
 
 TEST_F(HostResolverManagerDnsTest, TxtQuery_Empty) {
@@ -7201,12 +7620,13 @@ TEST_F(HostResolverManagerDnsTest, TxtQuery_Empty) {
   parameters.dns_query_type = DnsQueryType::TXT;
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("host", 108), NetLogWithSource(), parameters,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("host", 108), NetworkIsolationKey(), NetLogWithSource(),
+      parameters, request_context_.get(), host_cache_.get()));
   EXPECT_THAT(response.result_error(), IsError(ERR_NAME_NOT_RESOLVED));
   EXPECT_FALSE(response.request()->GetAddressResults());
   EXPECT_FALSE(response.request()->GetTextResults());
   EXPECT_FALSE(response.request()->GetHostnameResults());
+  EXPECT_FALSE(response.request()->GetEsniResults());
 }
 
 TEST_F(HostResolverManagerDnsTest, TxtQuery_Malformed) {
@@ -7227,12 +7647,13 @@ TEST_F(HostResolverManagerDnsTest, TxtQuery_Malformed) {
   parameters.dns_query_type = DnsQueryType::TXT;
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("host", 108), NetLogWithSource(), parameters,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("host", 108), NetworkIsolationKey(), NetLogWithSource(),
+      parameters, request_context_.get(), host_cache_.get()));
   EXPECT_THAT(response.result_error(), IsError(ERR_DNS_MALFORMED_RESPONSE));
   EXPECT_FALSE(response.request()->GetAddressResults());
   EXPECT_FALSE(response.request()->GetTextResults());
   EXPECT_FALSE(response.request()->GetHostnameResults());
+  EXPECT_FALSE(response.request()->GetEsniResults());
 }
 
 TEST_F(HostResolverManagerDnsTest, TxtQuery_MismatchedName) {
@@ -7250,12 +7671,13 @@ TEST_F(HostResolverManagerDnsTest, TxtQuery_MismatchedName) {
   parameters.dns_query_type = DnsQueryType::TXT;
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("host", 108), NetLogWithSource(), parameters,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("host", 108), NetworkIsolationKey(), NetLogWithSource(),
+      parameters, request_context_.get(), host_cache_.get()));
   EXPECT_THAT(response.result_error(), IsError(ERR_DNS_MALFORMED_RESPONSE));
   EXPECT_FALSE(response.request()->GetAddressResults());
   EXPECT_FALSE(response.request()->GetTextResults());
   EXPECT_FALSE(response.request()->GetHostnameResults());
+  EXPECT_FALSE(response.request()->GetEsniResults());
 }
 
 TEST_F(HostResolverManagerDnsTest, TxtQuery_WrongType) {
@@ -7274,12 +7696,13 @@ TEST_F(HostResolverManagerDnsTest, TxtQuery_WrongType) {
 
   // Responses for the wrong type should be ignored.
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("ok", 108), NetLogWithSource(), parameters,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("ok", 108), NetworkIsolationKey(), NetLogWithSource(),
+      parameters, request_context_.get(), host_cache_.get()));
   EXPECT_THAT(response.result_error(), IsError(ERR_NAME_NOT_RESOLVED));
   EXPECT_FALSE(response.request()->GetAddressResults());
   EXPECT_FALSE(response.request()->GetTextResults());
   EXPECT_FALSE(response.request()->GetHostnameResults());
+  EXPECT_FALSE(response.request()->GetEsniResults());
 }
 
 // Same as TxtQuery except we specify DNS HostResolverSource instead of relying
@@ -7307,11 +7730,12 @@ TEST_F(HostResolverManagerDnsTest, TxtDnsQuery) {
   parameters.dns_query_type = DnsQueryType::TXT;
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("host", 108), NetLogWithSource(), parameters,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("host", 108), NetworkIsolationKey(), NetLogWithSource(),
+      parameters, request_context_.get(), host_cache_.get()));
   EXPECT_THAT(response.result_error(), IsOk());
   EXPECT_FALSE(response.request()->GetAddressResults());
   EXPECT_FALSE(response.request()->GetHostnameResults());
+  EXPECT_FALSE(response.request()->GetEsniResults());
 
   // Order between separate DNS records is undefined, but each record should
   // stay in order as that order may be meaningful.
@@ -7340,11 +7764,12 @@ TEST_F(HostResolverManagerDnsTest, PtrQuery) {
   parameters.dns_query_type = DnsQueryType::PTR;
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("host", 108), NetLogWithSource(), parameters,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("host", 108), NetworkIsolationKey(), NetLogWithSource(),
+      parameters, request_context_.get(), host_cache_.get()));
   EXPECT_THAT(response.result_error(), IsOk());
   EXPECT_FALSE(response.request()->GetAddressResults());
   EXPECT_FALSE(response.request()->GetTextResults());
+  EXPECT_FALSE(response.request()->GetEsniResults());
 
   // Order between separate records is undefined.
   EXPECT_THAT(response.request()->GetHostnameResults(),
@@ -7366,11 +7791,12 @@ TEST_F(HostResolverManagerDnsTest, PtrQuery_Ip) {
   parameters.dns_query_type = DnsQueryType::PTR;
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("8.8.8.8", 108), NetLogWithSource(), parameters,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("8.8.8.8", 108), NetworkIsolationKey(), NetLogWithSource(),
+      parameters, request_context_.get(), host_cache_.get()));
   EXPECT_THAT(response.result_error(), IsOk());
   EXPECT_FALSE(response.request()->GetAddressResults());
   EXPECT_FALSE(response.request()->GetTextResults());
+  EXPECT_FALSE(response.request()->GetEsniResults());
 
   // Order between separate records is undefined.
   EXPECT_THAT(response.request()->GetHostnameResults(),
@@ -7396,12 +7822,13 @@ TEST_F(HostResolverManagerDnsTest, PtrQuery_NonexistentDomain) {
   parameters.dns_query_type = DnsQueryType::PTR;
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("host", 108), NetLogWithSource(), parameters,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("host", 108), NetworkIsolationKey(), NetLogWithSource(),
+      parameters, request_context_.get(), host_cache_.get()));
   EXPECT_THAT(response.result_error(), IsError(ERR_NAME_NOT_RESOLVED));
   EXPECT_FALSE(response.request()->GetAddressResults());
   EXPECT_FALSE(response.request()->GetTextResults());
   EXPECT_FALSE(response.request()->GetHostnameResults());
+  EXPECT_FALSE(response.request()->GetEsniResults());
 }
 
 TEST_F(HostResolverManagerDnsTest, PtrQuery_Failure) {
@@ -7422,12 +7849,13 @@ TEST_F(HostResolverManagerDnsTest, PtrQuery_Failure) {
   parameters.dns_query_type = DnsQueryType::PTR;
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("host", 108), NetLogWithSource(), parameters,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("host", 108), NetworkIsolationKey(), NetLogWithSource(),
+      parameters, request_context_.get(), host_cache_.get()));
   EXPECT_THAT(response.result_error(), IsError(ERR_NAME_NOT_RESOLVED));
   EXPECT_FALSE(response.request()->GetAddressResults());
   EXPECT_FALSE(response.request()->GetTextResults());
   EXPECT_FALSE(response.request()->GetHostnameResults());
+  EXPECT_FALSE(response.request()->GetEsniResults());
 }
 
 TEST_F(HostResolverManagerDnsTest, PtrQuery_Timeout) {
@@ -7448,12 +7876,13 @@ TEST_F(HostResolverManagerDnsTest, PtrQuery_Timeout) {
   parameters.dns_query_type = DnsQueryType::PTR;
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("host", 108), NetLogWithSource(), parameters,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("host", 108), NetworkIsolationKey(), NetLogWithSource(),
+      parameters, request_context_.get(), host_cache_.get()));
   EXPECT_THAT(response.result_error(), IsError(ERR_DNS_TIMED_OUT));
   EXPECT_FALSE(response.request()->GetAddressResults());
   EXPECT_FALSE(response.request()->GetTextResults());
   EXPECT_FALSE(response.request()->GetHostnameResults());
+  EXPECT_FALSE(response.request()->GetEsniResults());
 }
 
 TEST_F(HostResolverManagerDnsTest, PtrQuery_Empty) {
@@ -7474,12 +7903,13 @@ TEST_F(HostResolverManagerDnsTest, PtrQuery_Empty) {
   parameters.dns_query_type = DnsQueryType::PTR;
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("host", 108), NetLogWithSource(), parameters,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("host", 108), NetworkIsolationKey(), NetLogWithSource(),
+      parameters, request_context_.get(), host_cache_.get()));
   EXPECT_THAT(response.result_error(), IsError(ERR_NAME_NOT_RESOLVED));
   EXPECT_FALSE(response.request()->GetAddressResults());
   EXPECT_FALSE(response.request()->GetTextResults());
   EXPECT_FALSE(response.request()->GetHostnameResults());
+  EXPECT_FALSE(response.request()->GetEsniResults());
 }
 
 TEST_F(HostResolverManagerDnsTest, PtrQuery_Malformed) {
@@ -7500,12 +7930,13 @@ TEST_F(HostResolverManagerDnsTest, PtrQuery_Malformed) {
   parameters.dns_query_type = DnsQueryType::PTR;
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("host", 108), NetLogWithSource(), parameters,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("host", 108), NetworkIsolationKey(), NetLogWithSource(),
+      parameters, request_context_.get(), host_cache_.get()));
   EXPECT_THAT(response.result_error(), IsError(ERR_DNS_MALFORMED_RESPONSE));
   EXPECT_FALSE(response.request()->GetAddressResults());
   EXPECT_FALSE(response.request()->GetTextResults());
   EXPECT_FALSE(response.request()->GetHostnameResults());
+  EXPECT_FALSE(response.request()->GetEsniResults());
 }
 
 TEST_F(HostResolverManagerDnsTest, PtrQuery_MismatchedName) {
@@ -7523,12 +7954,13 @@ TEST_F(HostResolverManagerDnsTest, PtrQuery_MismatchedName) {
   parameters.dns_query_type = DnsQueryType::PTR;
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("host", 108), NetLogWithSource(), parameters,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("host", 108), NetworkIsolationKey(), NetLogWithSource(),
+      parameters, request_context_.get(), host_cache_.get()));
   EXPECT_THAT(response.result_error(), IsError(ERR_DNS_MALFORMED_RESPONSE));
   EXPECT_FALSE(response.request()->GetAddressResults());
   EXPECT_FALSE(response.request()->GetTextResults());
   EXPECT_FALSE(response.request()->GetHostnameResults());
+  EXPECT_FALSE(response.request()->GetEsniResults());
 }
 
 TEST_F(HostResolverManagerDnsTest, PtrQuery_WrongType) {
@@ -7547,12 +7979,13 @@ TEST_F(HostResolverManagerDnsTest, PtrQuery_WrongType) {
 
   // Responses for the wrong type should be ignored.
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("ok", 108), NetLogWithSource(), parameters,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("ok", 108), NetworkIsolationKey(), NetLogWithSource(),
+      parameters, request_context_.get(), host_cache_.get()));
   EXPECT_THAT(response.result_error(), IsError(ERR_NAME_NOT_RESOLVED));
   EXPECT_FALSE(response.request()->GetAddressResults());
   EXPECT_FALSE(response.request()->GetTextResults());
   EXPECT_FALSE(response.request()->GetHostnameResults());
+  EXPECT_FALSE(response.request()->GetEsniResults());
 }
 
 // Same as PtrQuery except we specify DNS HostResolverSource instead of relying
@@ -7574,11 +8007,12 @@ TEST_F(HostResolverManagerDnsTest, PtrDnsQuery) {
   parameters.dns_query_type = DnsQueryType::PTR;
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("host", 108), NetLogWithSource(), parameters,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("host", 108), NetworkIsolationKey(), NetLogWithSource(),
+      parameters, request_context_.get(), host_cache_.get()));
   EXPECT_THAT(response.result_error(), IsOk());
   EXPECT_FALSE(response.request()->GetAddressResults());
   EXPECT_FALSE(response.request()->GetTextResults());
+  EXPECT_FALSE(response.request()->GetEsniResults());
 
   // Order between separate records is undefined.
   EXPECT_THAT(response.request()->GetHostnameResults(),
@@ -7604,11 +8038,12 @@ TEST_F(HostResolverManagerDnsTest, SrvQuery) {
   parameters.dns_query_type = DnsQueryType::SRV;
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("host", 108), NetLogWithSource(), parameters,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("host", 108), NetworkIsolationKey(), NetLogWithSource(),
+      parameters, request_context_.get(), host_cache_.get()));
   EXPECT_THAT(response.result_error(), IsOk());
   EXPECT_FALSE(response.request()->GetAddressResults());
   EXPECT_FALSE(response.request()->GetTextResults());
+  EXPECT_FALSE(response.request()->GetEsniResults());
 
   // Expect ordered by priority, and random within a priority.
   base::Optional<std::vector<HostPortPair>> results =
@@ -7648,11 +8083,12 @@ TEST_F(HostResolverManagerDnsTest, SrvQuery_ZeroWeight) {
   parameters.dns_query_type = DnsQueryType::SRV;
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("host", 108), NetLogWithSource(), parameters,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("host", 108), NetworkIsolationKey(), NetLogWithSource(),
+      parameters, request_context_.get(), host_cache_.get()));
   EXPECT_THAT(response.result_error(), IsOk());
   EXPECT_FALSE(response.request()->GetAddressResults());
   EXPECT_FALSE(response.request()->GetTextResults());
+  EXPECT_FALSE(response.request()->GetEsniResults());
 
   // Expect ordered by priority, and random within a priority.
   EXPECT_THAT(response.request()->GetHostnameResults(),
@@ -7678,12 +8114,13 @@ TEST_F(HostResolverManagerDnsTest, SrvQuery_NonexistentDomain) {
   parameters.dns_query_type = DnsQueryType::SRV;
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("host", 108), NetLogWithSource(), parameters,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("host", 108), NetworkIsolationKey(), NetLogWithSource(),
+      parameters, request_context_.get(), host_cache_.get()));
   EXPECT_THAT(response.result_error(), IsError(ERR_NAME_NOT_RESOLVED));
   EXPECT_FALSE(response.request()->GetAddressResults());
   EXPECT_FALSE(response.request()->GetTextResults());
   EXPECT_FALSE(response.request()->GetHostnameResults());
+  EXPECT_FALSE(response.request()->GetEsniResults());
 }
 
 TEST_F(HostResolverManagerDnsTest, SrvQuery_Failure) {
@@ -7704,12 +8141,13 @@ TEST_F(HostResolverManagerDnsTest, SrvQuery_Failure) {
   parameters.dns_query_type = DnsQueryType::SRV;
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("host", 108), NetLogWithSource(), parameters,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("host", 108), NetworkIsolationKey(), NetLogWithSource(),
+      parameters, request_context_.get(), host_cache_.get()));
   EXPECT_THAT(response.result_error(), IsError(ERR_NAME_NOT_RESOLVED));
   EXPECT_FALSE(response.request()->GetAddressResults());
   EXPECT_FALSE(response.request()->GetTextResults());
   EXPECT_FALSE(response.request()->GetHostnameResults());
+  EXPECT_FALSE(response.request()->GetEsniResults());
 }
 
 TEST_F(HostResolverManagerDnsTest, SrvQuery_Timeout) {
@@ -7730,12 +8168,13 @@ TEST_F(HostResolverManagerDnsTest, SrvQuery_Timeout) {
   parameters.dns_query_type = DnsQueryType::SRV;
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("host", 108), NetLogWithSource(), parameters,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("host", 108), NetworkIsolationKey(), NetLogWithSource(),
+      parameters, request_context_.get(), host_cache_.get()));
   EXPECT_THAT(response.result_error(), IsError(ERR_DNS_TIMED_OUT));
   EXPECT_FALSE(response.request()->GetAddressResults());
   EXPECT_FALSE(response.request()->GetTextResults());
   EXPECT_FALSE(response.request()->GetHostnameResults());
+  EXPECT_FALSE(response.request()->GetEsniResults());
 }
 
 TEST_F(HostResolverManagerDnsTest, SrvQuery_Empty) {
@@ -7756,12 +8195,13 @@ TEST_F(HostResolverManagerDnsTest, SrvQuery_Empty) {
   parameters.dns_query_type = DnsQueryType::SRV;
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("host", 108), NetLogWithSource(), parameters,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("host", 108), NetworkIsolationKey(), NetLogWithSource(),
+      parameters, request_context_.get(), host_cache_.get()));
   EXPECT_THAT(response.result_error(), IsError(ERR_NAME_NOT_RESOLVED));
   EXPECT_FALSE(response.request()->GetAddressResults());
   EXPECT_FALSE(response.request()->GetTextResults());
   EXPECT_FALSE(response.request()->GetHostnameResults());
+  EXPECT_FALSE(response.request()->GetEsniResults());
 }
 
 TEST_F(HostResolverManagerDnsTest, SrvQuery_Malformed) {
@@ -7782,12 +8222,13 @@ TEST_F(HostResolverManagerDnsTest, SrvQuery_Malformed) {
   parameters.dns_query_type = DnsQueryType::SRV;
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("host", 108), NetLogWithSource(), parameters,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("host", 108), NetworkIsolationKey(), NetLogWithSource(),
+      parameters, request_context_.get(), host_cache_.get()));
   EXPECT_THAT(response.result_error(), IsError(ERR_DNS_MALFORMED_RESPONSE));
   EXPECT_FALSE(response.request()->GetAddressResults());
   EXPECT_FALSE(response.request()->GetTextResults());
   EXPECT_FALSE(response.request()->GetHostnameResults());
+  EXPECT_FALSE(response.request()->GetEsniResults());
 }
 
 TEST_F(HostResolverManagerDnsTest, SrvQuery_MismatchedName) {
@@ -7805,12 +8246,13 @@ TEST_F(HostResolverManagerDnsTest, SrvQuery_MismatchedName) {
   parameters.dns_query_type = DnsQueryType::SRV;
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("host", 108), NetLogWithSource(), parameters,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("host", 108), NetworkIsolationKey(), NetLogWithSource(),
+      parameters, request_context_.get(), host_cache_.get()));
   EXPECT_THAT(response.result_error(), IsError(ERR_DNS_MALFORMED_RESPONSE));
   EXPECT_FALSE(response.request()->GetAddressResults());
   EXPECT_FALSE(response.request()->GetTextResults());
   EXPECT_FALSE(response.request()->GetHostnameResults());
+  EXPECT_FALSE(response.request()->GetEsniResults());
 }
 
 TEST_F(HostResolverManagerDnsTest, SrvQuery_WrongType) {
@@ -7829,12 +8271,13 @@ TEST_F(HostResolverManagerDnsTest, SrvQuery_WrongType) {
 
   // Responses for the wrong type should be ignored.
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("ok", 108), NetLogWithSource(), parameters,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("ok", 108), NetworkIsolationKey(), NetLogWithSource(),
+      parameters, request_context_.get(), host_cache_.get()));
   EXPECT_THAT(response.result_error(), IsError(ERR_NAME_NOT_RESOLVED));
   EXPECT_FALSE(response.request()->GetAddressResults());
   EXPECT_FALSE(response.request()->GetTextResults());
   EXPECT_FALSE(response.request()->GetHostnameResults());
+  EXPECT_FALSE(response.request()->GetEsniResults());
 }
 
 // Same as SrvQuery except we specify DNS HostResolverSource instead of relying
@@ -7860,11 +8303,12 @@ TEST_F(HostResolverManagerDnsTest, SrvDnsQuery) {
   parameters.dns_query_type = DnsQueryType::SRV;
 
   ResolveHostResponseHelper response(resolver_->CreateRequest(
-      HostPortPair("host", 108), NetLogWithSource(), parameters,
-      request_context_.get(), host_cache_.get()));
+      HostPortPair("host", 108), NetworkIsolationKey(), NetLogWithSource(),
+      parameters, request_context_.get(), host_cache_.get()));
   EXPECT_THAT(response.result_error(), IsOk());
   EXPECT_FALSE(response.request()->GetAddressResults());
   EXPECT_FALSE(response.request()->GetTextResults());
+  EXPECT_FALSE(response.request()->GetEsniResults());
 
   // Expect ordered by priority, and random within a priority.
   base::Optional<std::vector<HostPortPair>> results =
@@ -7886,4 +8330,984 @@ TEST_F(HostResolverManagerDnsTest, SrvDnsQuery) {
                                             HostPortPair("google.com", 5)));
 }
 
+TEST_F(HostResolverManagerDnsTest, DohProbeRequest) {
+  ChangeDnsConfig(CreateValidDnsConfig());
+
+  EXPECT_FALSE(dns_client_->factory()->doh_probes_running());
+
+  std::unique_ptr<HostResolverManager::CancellableProbeRequest> request =
+      resolver_->CreateDohProbeRequest(request_context_.get());
+  EXPECT_THAT(request->Start(), IsError(ERR_IO_PENDING));
+
+  EXPECT_TRUE(dns_client_->factory()->doh_probes_running());
+
+  request.reset();
+
+  EXPECT_FALSE(dns_client_->factory()->doh_probes_running());
+}
+
+TEST_F(HostResolverManagerDnsTest, DohProbeRequest_ExplicitCancel) {
+  ChangeDnsConfig(CreateValidDnsConfig());
+
+  std::unique_ptr<HostResolverManager::CancellableProbeRequest> request =
+      resolver_->CreateDohProbeRequest(request_context_.get());
+  EXPECT_THAT(request->Start(), IsError(ERR_IO_PENDING));
+  ASSERT_TRUE(dns_client_->factory()->doh_probes_running());
+
+  request->Cancel();
+
+  EXPECT_FALSE(dns_client_->factory()->doh_probes_running());
+}
+
+TEST_F(HostResolverManagerDnsTest, DohProbeRequest_ExplicitCancel_NotStarted) {
+  ChangeDnsConfig(CreateValidDnsConfig());
+
+  std::unique_ptr<HostResolverManager::CancellableProbeRequest> request =
+      resolver_->CreateDohProbeRequest(request_context_.get());
+
+  request->Cancel();
+
+  EXPECT_FALSE(dns_client_->factory()->doh_probes_running());
+}
+
+TEST_F(HostResolverManagerDnsTest,
+       DohProbeRequest_ExplicitCancel_AfterManagerDestruction) {
+  ChangeDnsConfig(CreateValidDnsConfig());
+
+  std::unique_ptr<HostResolverManager::CancellableProbeRequest> request =
+      resolver_->CreateDohProbeRequest(request_context_.get());
+  EXPECT_THAT(request->Start(), IsError(ERR_IO_PENDING));
+  ASSERT_TRUE(dns_client_->factory()->doh_probes_running());
+
+  DestroyResolver();
+  request->Cancel();
+}
+
+TEST_F(HostResolverManagerDnsTest, EsniQuery) {
+  EsniContent c1, c2, c3;
+  IPAddress a1(1, 2, 3, 4), a2(5, 6, 7, 8);
+  IPAddress a3(0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1);
+
+  std::string kKey1 = GenerateWellFormedEsniKeys("a");
+  std::string kKey2 = GenerateWellFormedEsniKeys("b");
+  std::string kKey3 = GenerateWellFormedEsniKeys("c");
+
+  c1.AddKey(kKey1);
+
+  c2.AddKeyForAddress(a1, kKey2);
+  c2.AddKeyForAddress(a2, kKey2);
+  c2.AddKeyForAddress(a3, kKey2);
+
+  c3.AddKeyForAddress(a1, kKey3);
+
+  std::vector<EsniContent> esni_records = {c1, c2, c3};
+
+  MockDnsClientRuleList rules;
+  rules.emplace_back("host", dns_protocol::kExperimentalTypeEsniDraft4,
+                     false /* secure */,
+                     MockDnsClientRule::Result(BuildTestDnsEsniResponse(
+                         "host", std::move(esni_records))),
+                     false /* delay */);
+
+  CreateResolver();
+  UseMockDnsClient(CreateValidDnsConfig(), std::move(rules));
+
+  HostResolver::ResolveHostParameters parameters;
+  parameters.dns_query_type = DnsQueryType::ESNI;
+
+  ResolveHostResponseHelper response(resolver_->CreateRequest(
+      HostPortPair("host", 108), NetworkIsolationKey(), NetLogWithSource(),
+      parameters, request_context_.get(), host_cache_.get()));
+  EXPECT_THAT(response.result_error(), IsOk());
+
+  EXPECT_FALSE(response.request()->GetHostnameResults());
+  EXPECT_FALSE(response.request()->GetTextResults());
+
+  // The IPv6 address |a3| should come first, and the other
+  // addresses should have been deduplicated.
+  EXPECT_THAT(
+      response.request()->GetAddressResults(),
+      Optional(AllOf(Property(&AddressList::endpoints,
+                              UnorderedElementsAre(IPEndPoint(a3, 108),
+                                                   IPEndPoint(a1, 108),
+                                                   IPEndPoint(a2, 108))),
+                     Property(&AddressList::front, IPEndPoint(a3, 108)))));
+
+  // During aggregation of ESNI query results, we drop ESNI keys
+  // with no associated addresses, like key 1 here. (This is an implementation
+  // decision declining a "MAY" behavior from the spec.)
+  // So, we require that only keys 2 and 3 are surfaced.
+  //
+  // The Eq() wrappers are necessary here because keys_for_addresses
+  // returns a container of StringPieces.
+  EXPECT_THAT(
+      response.request()->GetEsniResults(),
+      Optional(AllOf(
+          Property(&EsniContent::keys,
+                   UnorderedElementsAre(Eq(kKey2), Eq(kKey3))),
+          Property(&EsniContent::keys_for_addresses,
+                   UnorderedElementsAre(
+                       Pair(a1, UnorderedElementsAre(Eq(kKey2), Eq(kKey3))),
+                       Pair(a2, UnorderedElementsAre(Eq(kKey2))),
+                       Pair(a3, UnorderedElementsAre(Eq(kKey2))))))));
+}
+
+TEST_F(HostResolverManagerDnsTest, EsniQuery_InvalidConfig) {
+  set_allow_fallback_to_proctask(false);
+  // Set empty DnsConfig.
+  InvalidateDnsConfig();
+
+  HostResolver::ResolveHostParameters parameters;
+  parameters.dns_query_type = DnsQueryType::ESNI;
+
+  ResolveHostResponseHelper response(resolver_->CreateRequest(
+      HostPortPair("host", 108), NetworkIsolationKey(), NetLogWithSource(),
+      parameters, request_context_.get(), host_cache_.get()));
+  EXPECT_THAT(response.result_error(), IsError(ERR_DNS_CACHE_MISS));
+}
+
+TEST_F(HostResolverManagerDnsTest, EsniQuery_NonexistentDomain) {
+  // Setup fallback to confirm it is not used for non-address results.
+  set_allow_fallback_to_proctask(true);
+  proc_->AddRuleForAllFamilies("host", "192.168.1.102");
+  proc_->SignalMultiple(1u);
+
+  MockDnsClientRuleList rules;
+  rules.emplace_back("host", dns_protocol::kExperimentalTypeEsniDraft4,
+                     false /* secure */,
+                     MockDnsClientRule::Result(MockDnsClientRule::NODOMAIN),
+                     false /* delay */);
+
+  CreateResolver();
+  UseMockDnsClient(CreateValidDnsConfig(), std::move(rules));
+
+  HostResolver::ResolveHostParameters parameters;
+  parameters.dns_query_type = DnsQueryType::ESNI;
+
+  ResolveHostResponseHelper response(resolver_->CreateRequest(
+      HostPortPair("host", 108), NetworkIsolationKey(), NetLogWithSource(),
+      parameters, request_context_.get(), host_cache_.get()));
+  EXPECT_THAT(response.result_error(), IsError(ERR_NAME_NOT_RESOLVED));
+  EXPECT_FALSE(response.request()->GetAddressResults());
+  EXPECT_FALSE(response.request()->GetTextResults());
+  EXPECT_FALSE(response.request()->GetHostnameResults());
+  EXPECT_FALSE(response.request()->GetEsniResults());
+}
+
+TEST_F(HostResolverManagerDnsTest, EsniQuery_Failure) {
+  // Setup fallback to confirm it is not used for non-address results.
+  set_allow_fallback_to_proctask(true);
+  proc_->AddRuleForAllFamilies("host", "192.168.1.102");
+  proc_->SignalMultiple(1u);
+
+  MockDnsClientRuleList rules;
+  rules.emplace_back(
+      "host", dns_protocol::kExperimentalTypeEsniDraft4, false /* secure */,
+      MockDnsClientRule::Result(MockDnsClientRule::FAIL), false /* delay */);
+
+  CreateResolver();
+  UseMockDnsClient(CreateValidDnsConfig(), std::move(rules));
+
+  HostResolver::ResolveHostParameters parameters;
+  parameters.dns_query_type = DnsQueryType::ESNI;
+
+  ResolveHostResponseHelper response(resolver_->CreateRequest(
+      HostPortPair("host", 108), NetworkIsolationKey(), NetLogWithSource(),
+      parameters, request_context_.get(), host_cache_.get()));
+  EXPECT_THAT(response.result_error(), IsError(ERR_NAME_NOT_RESOLVED));
+  EXPECT_FALSE(response.request()->GetAddressResults());
+  EXPECT_FALSE(response.request()->GetTextResults());
+  EXPECT_FALSE(response.request()->GetHostnameResults());
+  EXPECT_FALSE(response.request()->GetEsniResults());
+}
+
+TEST_F(HostResolverManagerDnsTest, EsniQuery_Timeout) {
+  // Setup fallback to confirm it is not used for non-address results.
+  set_allow_fallback_to_proctask(true);
+  proc_->AddRuleForAllFamilies("host", "192.168.1.102");
+  proc_->SignalMultiple(1u);
+
+  MockDnsClientRuleList rules;
+  rules.emplace_back(
+      "host", dns_protocol::kExperimentalTypeEsniDraft4, false /* secure */,
+      MockDnsClientRule::Result(MockDnsClientRule::TIMEOUT), false /* delay */);
+
+  CreateResolver();
+  UseMockDnsClient(CreateValidDnsConfig(), std::move(rules));
+
+  HostResolver::ResolveHostParameters parameters;
+  parameters.dns_query_type = DnsQueryType::ESNI;
+
+  ResolveHostResponseHelper response(resolver_->CreateRequest(
+      HostPortPair("host", 108), NetworkIsolationKey(), NetLogWithSource(),
+      parameters, request_context_.get(), host_cache_.get()));
+  EXPECT_THAT(response.result_error(), IsError(ERR_DNS_TIMED_OUT));
+  EXPECT_FALSE(response.request()->GetAddressResults());
+  EXPECT_FALSE(response.request()->GetTextResults());
+  EXPECT_FALSE(response.request()->GetHostnameResults());
+  EXPECT_FALSE(response.request()->GetEsniResults());
+}
+
+TEST_F(HostResolverManagerDnsTest, EsniQuery_Empty) {
+  // Setup fallback to confirm it is not used for non-address results.
+  set_allow_fallback_to_proctask(true);
+  proc_->AddRuleForAllFamilies("host", "192.168.1.102");
+  proc_->SignalMultiple(1u);
+
+  MockDnsClientRuleList rules;
+  rules.emplace_back(
+      "host", dns_protocol::kExperimentalTypeEsniDraft4, false /* secure */,
+      MockDnsClientRule::Result(MockDnsClientRule::EMPTY), false /* delay */);
+
+  CreateResolver();
+  UseMockDnsClient(CreateValidDnsConfig(), std::move(rules));
+
+  HostResolver::ResolveHostParameters parameters;
+  parameters.dns_query_type = DnsQueryType::ESNI;
+
+  ResolveHostResponseHelper response(resolver_->CreateRequest(
+      HostPortPair("host", 108), NetworkIsolationKey(), NetLogWithSource(),
+      parameters, request_context_.get(), host_cache_.get()));
+  EXPECT_THAT(response.result_error(), IsError(ERR_NAME_NOT_RESOLVED));
+  EXPECT_FALSE(response.request()->GetAddressResults());
+  EXPECT_FALSE(response.request()->GetTextResults());
+  EXPECT_FALSE(response.request()->GetHostnameResults());
+  EXPECT_FALSE(response.request()->GetEsniResults());
+}
+
+TEST_F(HostResolverManagerDnsTest, EsniQuery_Malformed) {
+  // Setup fallback to confirm it is not used for non-address results.
+  set_allow_fallback_to_proctask(true);
+  proc_->AddRuleForAllFamilies("host", "192.168.1.102");
+  proc_->SignalMultiple(1u);
+
+  MockDnsClientRuleList rules;
+  rules.emplace_back("host", dns_protocol::kExperimentalTypeEsniDraft4,
+                     false /* secure */,
+                     MockDnsClientRule::Result(MockDnsClientRule::MALFORMED),
+                     false /* delay */);
+
+  CreateResolver();
+  UseMockDnsClient(CreateValidDnsConfig(), std::move(rules));
+
+  HostResolver::ResolveHostParameters parameters;
+  parameters.dns_query_type = DnsQueryType::ESNI;
+
+  ResolveHostResponseHelper response(resolver_->CreateRequest(
+      HostPortPair("host", 108), NetworkIsolationKey(), NetLogWithSource(),
+      parameters, request_context_.get(), host_cache_.get()));
+  EXPECT_THAT(response.result_error(), IsError(ERR_DNS_MALFORMED_RESPONSE));
+  EXPECT_FALSE(response.request()->GetAddressResults());
+  EXPECT_FALSE(response.request()->GetTextResults());
+  EXPECT_FALSE(response.request()->GetHostnameResults());
+  EXPECT_FALSE(response.request()->GetEsniResults());
+}
+
+TEST_F(HostResolverManagerDnsTest, EsniQuery_MismatchedName) {
+  EsniContent content;
+  IPAddress address(1, 2, 3, 4);
+  std::string key = GenerateWellFormedEsniKeys("a");
+  content.AddKeyForAddress(address, key);
+
+  std::vector<EsniContent> esni_records = {content};
+
+  MockDnsClientRuleList rules;
+  rules.emplace_back("host", dns_protocol::kExperimentalTypeEsniDraft4,
+                     false /* secure */,
+                     MockDnsClientRule::Result(BuildTestDnsEsniResponse(
+                         "host", std::move(esni_records), "not.host")),
+                     false /* delay */);
+
+  CreateResolver();
+  UseMockDnsClient(CreateValidDnsConfig(), std::move(rules));
+
+  HostResolver::ResolveHostParameters parameters;
+  parameters.dns_query_type = DnsQueryType::ESNI;
+
+  ResolveHostResponseHelper response(resolver_->CreateRequest(
+      HostPortPair("host", 108), NetworkIsolationKey(), NetLogWithSource(),
+      parameters, request_context_.get(), host_cache_.get()));
+  EXPECT_THAT(response.result_error(), IsError(ERR_DNS_MALFORMED_RESPONSE));
+  EXPECT_FALSE(response.request()->GetAddressResults());
+  EXPECT_FALSE(response.request()->GetTextResults());
+  EXPECT_FALSE(response.request()->GetHostnameResults());
+  EXPECT_FALSE(response.request()->GetEsniResults());
+}
+
+TEST_F(HostResolverManagerDnsTest, EsniQuery_WrongType) {
+  // Respond to an ESNI query with an A response.
+  MockDnsClientRuleList rules;
+  rules.emplace_back("host", dns_protocol::kExperimentalTypeEsniDraft4,
+                     false /* secure */,
+                     MockDnsClientRule::Result(
+                         BuildTestDnsResponse("host", IPAddress(1, 2, 3, 4))),
+                     false /* delay */);
+
+  CreateResolver();
+  UseMockDnsClient(CreateValidDnsConfig(), std::move(rules));
+
+  HostResolver::ResolveHostParameters parameters;
+  parameters.dns_query_type = DnsQueryType::ESNI;
+
+  // Responses for the wrong type should be ignored.
+  ResolveHostResponseHelper response(resolver_->CreateRequest(
+      HostPortPair("ok", 108), NetworkIsolationKey(), NetLogWithSource(),
+      parameters, request_context_.get(), host_cache_.get()));
+  EXPECT_THAT(response.result_error(), IsError(ERR_NAME_NOT_RESOLVED));
+  EXPECT_FALSE(response.request()->GetAddressResults());
+  EXPECT_FALSE(response.request()->GetTextResults());
+  EXPECT_FALSE(response.request()->GetHostnameResults());
+  EXPECT_FALSE(response.request()->GetEsniResults());
+}
+
+// Same as EsniQuery except we specify DNS HostResolverSource instead of relying
+// on automatic determination.  Expect same results since DNS should be what we
+// automatically determine, but some slightly different logic paths are
+// involved.
+TEST_F(HostResolverManagerDnsTest, EsniDnsQuery) {
+  EsniContent c1, c2, c3;
+  IPAddress a1(1, 2, 3, 4), a2(5, 6, 7, 8);
+
+  const std::string kKey1 = GenerateWellFormedEsniKeys("a");
+  const std::string kKey2 = GenerateWellFormedEsniKeys("b");
+  const std::string kKey3 = GenerateWellFormedEsniKeys("c");
+
+  c1.AddKey(kKey1);
+
+  c2.AddKeyForAddress(a1, kKey2);
+  c2.AddKeyForAddress(a2, kKey2);
+
+  c3.AddKeyForAddress(a1, kKey3);
+
+  std::vector<EsniContent> esni_records = {c1, c2, c3};
+
+  MockDnsClientRuleList rules;
+  rules.emplace_back("host", dns_protocol::kExperimentalTypeEsniDraft4,
+                     false /* secure */,
+                     MockDnsClientRule::Result(BuildTestDnsEsniResponse(
+                         "host", std::move(esni_records))),
+                     false /* delay */);
+
+  CreateResolver();
+  UseMockDnsClient(CreateValidDnsConfig(), std::move(rules));
+
+  HostResolver::ResolveHostParameters parameters;
+  parameters.source = HostResolverSource::DNS;
+  parameters.dns_query_type = DnsQueryType::ESNI;
+
+  ResolveHostResponseHelper response(resolver_->CreateRequest(
+      HostPortPair("host", 108), NetworkIsolationKey(), NetLogWithSource(),
+      parameters, request_context_.get(), host_cache_.get()));
+  EXPECT_THAT(response.result_error(), IsOk());
+  EXPECT_FALSE(response.request()->GetHostnameResults());
+  EXPECT_FALSE(response.request()->GetTextResults());
+
+  // The multiple ESNI records should have been merged when parsing
+  // the results.
+  c1.MergeFrom(c2);
+  c1.MergeFrom(c3);
+
+  // The ESNI records' addresses should have been merged into
+  // the address list.
+  ASSERT_TRUE(response.request()->GetAddressResults());
+  EXPECT_THAT(
+      response.request()->GetAddressResults()->endpoints(),
+      testing::UnorderedElementsAre(IPEndPoint(a1, 108), IPEndPoint(a2, 108)));
+
+  ASSERT_TRUE(response.request()->GetEsniResults().has_value());
+
+  // During aggregation of ESNI query results, we drop ESNI keys
+  // with no associated addresses, like key 1 here. (This is an implementation
+  // decision declining a "MAY" behavior from the spec.) So, we require that
+  // only keys 2 and 3 are surfaced.
+  EXPECT_THAT(response.request()->GetEsniResults()->keys(),
+              testing::UnorderedElementsAre(kKey2, kKey3));
+  EXPECT_EQ(response.request()->GetEsniResults()->keys_for_addresses(),
+            c1.keys_for_addresses());
+}
+
+class HostResolverManagerEsniTest : public HostResolverManagerDnsTest {
+ public:
+  HostResolverManagerEsniTest()
+      : HostResolverManagerDnsTest(
+            base::test::TaskEnvironment::TimeSource::MOCK_TIME) {
+    scoped_feature_list_.InitAndEnableFeature(features::kRequestEsniDnsRecords);
+  }
+
+ protected:
+  base::test::ScopedFeatureList scoped_feature_list_;
+
+  // Adds a rule returning a collection of ESNI records such that
+  // - there is a lone key with no associated addresses
+  // - there is an address associated with multiple keys
+  // - there is a key associated with multiple addresses
+  //
+  // Returns a pair containing:
+  // (1) a single merged EsniContent object which should be contained in
+  // the eventual response.
+  // (2) the collection of IPEndPoints corresponding to the
+  // ESNI records' contained addresses; these are expected to
+  // be contained in the eventual response's address list (assuming
+  // no addresses are pruned by the address sorter, which will
+  // be the case in the test, because MockAddressSorter no-ops)
+  struct AddEsniRecordsRuleOptions {
+    bool secure = true, delay = false;
+  };
+  std::pair<EsniContent, std::vector<IPEndPoint>> AddEsniRecordsRule(
+      base::StringPiece hostname,
+      AddEsniRecordsRuleOptions options,
+      MockDnsClientRuleList* rules) {
+    EsniContent c1, c2, c3;
+    IPAddress a1(1, 2, 3, 4);
+    IPAddress a2(5, 6, 7, 8);
+
+    const std::string kKey1 = GenerateWellFormedEsniKeys("a");
+    const std::string kKey2 = GenerateWellFormedEsniKeys("b");
+    const std::string kKey3 = GenerateWellFormedEsniKeys("c");
+
+    c1.AddKey(kKey1);
+
+    c2.AddKeyForAddress(a1, kKey2);
+    c2.AddKeyForAddress(a2, kKey2);
+
+    c3.AddKeyForAddress(a1, kKey3);
+
+    std::vector<EsniContent> esni_records = {c1, c2, c3};
+    rules->emplace_back(std::string(hostname),
+                        dns_protocol::kExperimentalTypeEsniDraft4,
+                        options.secure,
+                        MockDnsClientRule::Result(BuildTestDnsEsniResponse(
+                            std::string(hostname), std::move(esni_records))),
+                        options.delay);
+
+    // Key 1 will be dropped because it corresponds to no addresses;
+    // section 4.2.2 of ESNI draft 4 gives implementors the option to associate
+    // these with all IP addresses received in concurrent A and AAAA responses,
+    // and we choose not to do this.
+    c2.MergeFrom(c3);
+    return std::make_pair(
+        c2, std::vector<IPEndPoint>{IPEndPoint(a1, 80), IPEndPoint(a2, 80)});
+  }
+};
+
+// Check that resolving ESNI queries alongside A and AAAA queries
+// results in a correct aggregation of addresses.
+TEST_F(HostResolverManagerEsniTest, AggregatesResults) {
+  MockDnsClientRuleList rules;
+
+  EsniContent esni_expectation;
+  std::vector<IPEndPoint> expected_addresses;
+  std::tie(esni_expectation, expected_addresses) =
+      AddEsniRecordsRule("host", AddEsniRecordsRuleOptions(), &rules);
+
+  rules.emplace_back("host", dns_protocol::kTypeA, true /* secure */,
+                     MockDnsClientRule::Result(MockDnsClientRule::OK),
+                     false /* delay */);
+  rules.emplace_back("host", dns_protocol::kTypeAAAA, true /* secure */,
+                     MockDnsClientRule::Result(MockDnsClientRule::OK),
+                     false /* delay */);
+  // Even though the A and AAAA results' addresses won't have any
+  // associated ESNI keys, they should still be surfaced in GetAddressResults().
+  expected_addresses.push_back(CreateExpected("127.0.0.1", 80));
+  expected_addresses.push_back(CreateExpected("::1", 80));
+
+  CreateResolver();
+  UseMockDnsClient(CreateValidDnsConfig(), std::move(rules));
+  DnsConfigOverrides overrides;
+  overrides.secure_dns_mode = DnsConfig::SecureDnsMode::AUTOMATIC;
+  resolver_->SetDnsConfigOverrides(overrides);
+
+  ResolveHostResponseHelper response(resolver_->CreateRequest(
+      HostPortPair("host", 80), NetworkIsolationKey(), NetLogWithSource(),
+      HostResolver::ResolveHostParameters(), request_context_.get(),
+      host_cache_.get()));
+
+  ASSERT_THAT(response.result_error(), IsOk());
+  EXPECT_THAT(response.request()->GetEsniResults(),
+              testing::Optional(testing::Eq(esni_expectation)));
+  // GetAddressResults() should surface addresses with and without
+  // associated ESNI keys.
+  ASSERT_THAT(response.request()->GetAddressResults()->endpoints(),
+              testing::UnorderedElementsAreArray(expected_addresses));
+}
+
+// Test that addresses with associated ESNI keys are placed
+// first in the order provided to the address sorter.
+// (This corresponds to the order of the address list in the results
+// because MockAddressSorter's sort is a no-op.)
+TEST_F(HostResolverManagerEsniTest, EsniAddressesFirstInOrder) {
+  MockDnsClientRuleList rules;
+
+  EsniContent esni_expectation;
+  std::vector<IPEndPoint> esni_addresses;
+  std::tie(esni_expectation, esni_addresses) =
+      AddEsniRecordsRule("host", AddEsniRecordsRuleOptions(), &rules);
+
+  rules.emplace_back("host", dns_protocol::kTypeA, true /* secure */,
+                     MockDnsClientRule::Result(MockDnsClientRule::OK),
+                     false /* delay */);
+  rules.emplace_back("host", dns_protocol::kTypeAAAA, true /* secure */,
+                     MockDnsClientRule::Result(MockDnsClientRule::OK),
+                     false /* delay */);
+
+  CreateResolver();
+  UseMockDnsClient(CreateValidDnsConfig(), std::move(rules));
+  DnsConfigOverrides overrides;
+  overrides.secure_dns_mode = DnsConfig::SecureDnsMode::AUTOMATIC;
+  resolver_->SetDnsConfigOverrides(overrides);
+
+  HostResolver::ResolveHostParameters parameters;
+  ResolveHostResponseHelper response(resolver_->CreateRequest(
+      HostPortPair("host", 80), NetworkIsolationKey(), NetLogWithSource(),
+      parameters, request_context_.get(), host_cache_.get()));
+
+  // Check that the IP addresses with associated
+  // ESNI key objects occupy the initial entries of the
+  // address list returned by the DNS query.
+  ASSERT_THAT(response.result_error(), IsOk());
+  ASSERT_TRUE(response.request()->GetAddressResults());
+  const auto& result_addresses =
+      response.request()->GetAddressResults()->endpoints();
+  for (const IPEndPoint& address_with_esni_keys : esni_addresses) {
+    int index = std::find(result_addresses.begin(), result_addresses.end(),
+                          address_with_esni_keys) -
+                result_addresses.begin();
+
+    // Since this address has associated ESNI keys, it should be in
+    // the first esni_addresses.size() many entries of the result's
+    // address list.
+    ASSERT_TRUE(base::IsValueInRangeForNumericType<size_t>(index));
+    EXPECT_LT(static_cast<size_t>(index), esni_addresses.size());
+  }
+}
+
+TEST_F(HostResolverManagerEsniTest, OnlyMakesRequestOverSecureDns) {
+  // Add some insecurely-accessible ESNI results alongside
+  // the default (insecurely-accessible) IPv4 and IPv6 results
+  // for the "ok" hostname.
+  MockDnsClientRuleList rules = CreateDefaultDnsRules();
+  AddEsniRecordsRuleOptions options;
+  options.secure = false;
+  AddEsniRecordsRule("ok", options, &rules);
+
+  CreateResolver();
+  UseMockDnsClient(CreateValidDnsConfig(), std::move(rules));
+
+  ResolveHostResponseHelper response(resolver_->CreateRequest(
+      HostPortPair("ok", 80), NetworkIsolationKey(), NetLogWithSource(),
+      HostResolver::ResolveHostParameters(), request_context_.get(),
+      host_cache_.get()));
+
+  ASSERT_THAT(response.result_error(), IsOk());
+
+  // Since the request wasn't secure, we shouldn't have
+  // queried for any ESNI results.
+  ASSERT_FALSE(response.request()->GetEsniResults());
+}
+
+// Make sure that ESNI queries don't get cancelled *before* the
+// configured timeout, but do get cancelled after it,
+// in the case where the absolute timeout dominates.
+TEST_F(HostResolverManagerEsniTest, RespectsAbsoluteTimeout) {
+  // Add some delayed ESNI, IPv4, and IPv6 results
+  MockDnsClientRuleList rules = CreateDefaultDnsRules();
+  AddEsniRecordsRuleOptions options;
+  options.delay = true;
+  AddEsniRecordsRule("host", options, &rules);
+  rules.emplace_back("host", dns_protocol::kTypeA, true /* secure */,
+                     MockDnsClientRule::Result(MockDnsClientRule::OK),
+                     true /* delay */);
+  rules.emplace_back("host", dns_protocol::kTypeAAAA, true /* secure */,
+                     MockDnsClientRule::Result(MockDnsClientRule::OK),
+                     true /* delay */);
+
+  CreateResolver();
+  UseMockDnsClient(CreateValidDnsConfig(), std::move(rules));
+  DnsConfigOverrides overrides;
+  overrides.secure_dns_mode = DnsConfig::SecureDnsMode::AUTOMATIC;
+  resolver_->SetDnsConfigOverrides(overrides);
+
+  ResolveHostResponseHelper response(resolver_->CreateRequest(
+      HostPortPair("host", 80), NetworkIsolationKey(), NetLogWithSource(),
+      HostResolver::ResolveHostParameters(), request_context_.get(),
+      host_cache_.get()));
+
+  base::TimeDelta absolute_timeout =
+      features::EsniDnsMaxAbsoluteAdditionalWait();
+
+  // Let enough time pass during the A and AAAA transactions that the
+  // absolute timeout will be less than the relative timeout.
+  base::TimeDelta a_aaaa_elapsed =
+      50 * (100.0 / features::kEsniDnsMaxRelativeAdditionalWaitPercent.Get()) *
+      absolute_timeout;
+
+  FastForwardBy(a_aaaa_elapsed);
+  ASSERT_TRUE(
+      dns_client_->CompleteOneDelayedTransactionOfType(DnsQueryType::A));
+  ASSERT_TRUE(
+      dns_client_->CompleteOneDelayedTransactionOfType(DnsQueryType::AAAA));
+
+  // Since the A and AAAA queries have only just completed, we shouldn't
+  // have timed out the ESNI query.
+  EXPECT_FALSE(response.complete());
+
+  // After half of the absolute timeout, the query should still be alive.
+  FastForwardBy(0.5 * absolute_timeout);
+
+  // Since the absolute timeout has not yet elapsed, and it is shorter by
+  // design than the relative timeout, we shouldn't
+  // have timed out the ESNI transaction.
+  EXPECT_FALSE(response.complete());
+
+  // After (more than) the timeout has passed, we should have cancelled
+  // the ESNI transaction.
+  FastForwardBy(absolute_timeout);
+  ASSERT_THAT(response.result_error(), IsOk());
+
+  // Since we cancelled the transaction, we shouldn't have any ESNI results.
+  EXPECT_FALSE(response.request()->GetEsniResults());
+}
+
+// Make sure that ESNI queries don't get cancelled *before* the
+// configured timeout, but do get cancelled after it,
+// in the case where the relative timeout dominates.
+TEST_F(HostResolverManagerEsniTest, RespectsRelativeTimeout) {
+  // Add some delayed ESNI, IPv4, and IPv6 results
+  MockDnsClientRuleList rules = CreateDefaultDnsRules();
+  AddEsniRecordsRuleOptions options;
+  options.delay = true;
+  AddEsniRecordsRule("host", options, &rules);
+  rules.emplace_back("host", dns_protocol::kTypeA, true /* secure */,
+                     MockDnsClientRule::Result(MockDnsClientRule::OK),
+                     false /* delay */);
+  rules.emplace_back("host", dns_protocol::kTypeAAAA, true /* secure */,
+                     MockDnsClientRule::Result(MockDnsClientRule::OK),
+                     true /* delay */);
+
+  CreateResolver();
+  UseMockDnsClient(CreateValidDnsConfig(), std::move(rules));
+  DnsConfigOverrides overrides;
+  overrides.secure_dns_mode = DnsConfig::SecureDnsMode::AUTOMATIC;
+  resolver_->SetDnsConfigOverrides(overrides);
+
+  ResolveHostResponseHelper response(resolver_->CreateRequest(
+      HostPortPair("host", 80), NetworkIsolationKey(), NetLogWithSource(),
+      HostResolver::ResolveHostParameters(), request_context_.get(),
+      host_cache_.get()));
+
+  // Let little enough time pass during the A and AAAA transactions that the
+  // relative timeout will be less than the absolute timeout.
+  base::TimeDelta a_aaaa_elapsed =
+      0.05 * features::EsniDnsMaxAbsoluteAdditionalWait() *
+      (100 / features::kEsniDnsMaxRelativeAdditionalWaitPercent.Get());
+
+  // Since the A and AAAA queries haven't both completed yet, we shouldn't time
+  // out the ESNI query.
+  FastForwardBy(a_aaaa_elapsed);
+
+  // Upon completing the AAAA transaction, the ESNI timer should start
+  ASSERT_TRUE(
+      dns_client_->CompleteOneDelayedTransactionOfType(DnsQueryType::AAAA));
+
+  base::TimeDelta relative_timeout =
+      0.01 * features::kEsniDnsMaxRelativeAdditionalWaitPercent.Get() *
+      a_aaaa_elapsed;
+
+  // After *less* than the relative timeout, the query shouldn't have concluded.
+  FastForwardBy(relative_timeout * 0.5);
+
+  EXPECT_FALSE(response.complete());
+
+  // After more than the relative timeout, the query should conclude by aborting
+  // the ESNI query.
+  FastForwardBy(relative_timeout * 0.5);
+
+  // The task should have completed with a cancelled ESNI query.
+  ASSERT_THAT(response.result_error(), IsOk());
+  EXPECT_FALSE(response.request()->GetEsniResults());
+  ASSERT_TRUE(response.request()->GetAddressResults());
+  EXPECT_THAT(response.request()->GetAddressResults()->endpoints(),
+              testing::UnorderedElementsAre(CreateExpected("127.0.0.1", 80),
+                                            CreateExpected("::1", 80)));
+}
+
+// Test that we still receive delayed A/AAAA records
+// that arrive after a successful (non-delayed) ESNI transaction.
+TEST_F(HostResolverManagerEsniTest, WaitsForSlowAccompanyingQueries) {
+  MockDnsClientRuleList rules;
+
+  EsniContent esni_expectation;
+  std::vector<IPEndPoint> expected_addresses;
+  std::tie(esni_expectation, expected_addresses) =
+      AddEsniRecordsRule("host", AddEsniRecordsRuleOptions(), &rules);
+
+  rules.emplace_back("host", dns_protocol::kTypeA, true /* secure */,
+                     MockDnsClientRule::Result(MockDnsClientRule::OK),
+                     true /* delay */);
+  expected_addresses.push_back(CreateExpected("127.0.0.1", 80));
+
+  rules.emplace_back("host", dns_protocol::kTypeAAAA, true /* secure */,
+                     MockDnsClientRule::Result(MockDnsClientRule::OK),
+                     true /* delay */);
+  expected_addresses.push_back(CreateExpected("::1", 80));
+
+  CreateResolver();
+  UseMockDnsClient(CreateValidDnsConfig(), std::move(rules));
+  DnsConfigOverrides overrides;
+  overrides.secure_dns_mode = DnsConfig::SecureDnsMode::AUTOMATIC;
+  resolver_->SetDnsConfigOverrides(overrides);
+
+  ResolveHostResponseHelper response(resolver_->CreateRequest(
+      HostPortPair("host", 80), NetworkIsolationKey(), NetLogWithSource(),
+      HostResolver::ResolveHostParameters(), request_context_.get(),
+      host_cache_.get()));
+
+  // Wait quite a long time. (If the timer were erroneously to have been
+  // started, it should expire by the end of this elapsed window.)
+  FastForwardBy(features::EsniDnsMaxAbsoluteAdditionalWait() * 10);
+  dns_client_->CompleteDelayedTransactions();
+
+  EXPECT_THAT(response.result_error(), IsOk());
+  EXPECT_THAT(response.request()->GetEsniResults(),
+              testing::Optional(testing::Eq(esni_expectation)));
+  ASSERT_TRUE(response.request()->GetAddressResults());
+  EXPECT_THAT(response.request()->GetAddressResults()->endpoints(),
+              testing::UnorderedElementsAreArray(expected_addresses));
+}
+
+TEST_F(HostResolverManagerEsniTest, RecordsSuccessMetric) {
+  MockDnsClientRuleList rules;
+  rules.emplace_back("host", dns_protocol::kTypeA, true /* secure */,
+                     MockDnsClientRule::Result(MockDnsClientRule::OK),
+                     false /* delay */);
+  rules.emplace_back("host", dns_protocol::kTypeAAAA, true /* secure */,
+                     MockDnsClientRule::Result(MockDnsClientRule::OK),
+                     false /* delay */);
+
+  AddEsniRecordsRule("host", AddEsniRecordsRuleOptions(), &rules);
+
+  CreateResolver();
+  UseMockDnsClient(CreateValidDnsConfig(), std::move(rules));
+  DnsConfigOverrides overrides;
+  overrides.secure_dns_mode = DnsConfig::SecureDnsMode::AUTOMATIC;
+  resolver_->SetDnsConfigOverrides(overrides);
+
+  base::HistogramTester histograms;
+
+  ResolveHostResponseHelper response(resolver_->CreateRequest(
+      HostPortPair("host", 80), NetworkIsolationKey(), NetLogWithSource(),
+      HostResolver::ResolveHostParameters(), request_context_.get(),
+      host_cache_.get()));
+
+  EXPECT_THAT(response.result_error(), IsOk());
+
+  histograms.ExpectTotalCount(dns_histograms::kEsniTransactionSuccessHistogram,
+                              2);
+  histograms.ExpectBucketCount(
+      dns_histograms::kEsniTransactionSuccessHistogram,
+      static_cast<int>(dns_histograms::EsniSuccessOrTimeout::kSuccess), 1);
+  histograms.ExpectBucketCount(
+      dns_histograms::kEsniTransactionSuccessHistogram,
+      static_cast<int>(dns_histograms::EsniSuccessOrTimeout::kStarted), 1);
+}
+
+TEST_F(HostResolverManagerEsniTest, RecordsTimeoutMetric) {
+  MockDnsClientRuleList rules;
+  rules.emplace_back("host", dns_protocol::kTypeA, true /* secure */,
+                     MockDnsClientRule::Result(MockDnsClientRule::OK),
+                     false /* delay */);
+  rules.emplace_back("host", dns_protocol::kTypeAAAA, true /* secure */,
+                     MockDnsClientRule::Result(MockDnsClientRule::OK),
+                     false /* delay */);
+
+  // Delay the ESNI record so that it times out.
+  AddEsniRecordsRuleOptions options;
+  options.delay = true;
+  AddEsniRecordsRule("host", options, &rules);
+
+  CreateResolver();
+  UseMockDnsClient(CreateValidDnsConfig(), std::move(rules));
+  DnsConfigOverrides overrides;
+  overrides.secure_dns_mode = DnsConfig::SecureDnsMode::AUTOMATIC;
+  resolver_->SetDnsConfigOverrides(overrides);
+
+  base::HistogramTester histograms;
+
+  ResolveHostResponseHelper response(resolver_->CreateRequest(
+      HostPortPair("host", 80), NetworkIsolationKey(), NetLogWithSource(),
+      HostResolver::ResolveHostParameters(), request_context_.get(),
+      host_cache_.get()));
+
+  // Give the transaction plenty of time to time out.
+  FastForwardBy(features::EsniDnsMaxAbsoluteAdditionalWait() * 5);
+  dns_client_->CompleteDelayedTransactions();
+
+  EXPECT_THAT(response.result_error(), IsOk());
+
+  histograms.ExpectTotalCount(dns_histograms::kEsniTransactionSuccessHistogram,
+                              2);
+  histograms.ExpectBucketCount(
+      dns_histograms::kEsniTransactionSuccessHistogram,
+      static_cast<int>(dns_histograms::EsniSuccessOrTimeout::kTimeout), 1);
+  histograms.ExpectBucketCount(
+      dns_histograms::kEsniTransactionSuccessHistogram,
+      static_cast<int>(dns_histograms::EsniSuccessOrTimeout::kStarted), 1);
+}
+
+TEST_F(HostResolverManagerEsniTest,
+       TimesUnspecTransactionsWhenEsniFinishesFirst) {
+  MockDnsClientRuleList rules;
+  rules.emplace_back("host", dns_protocol::kTypeA, true /* secure */,
+                     MockDnsClientRule::Result(MockDnsClientRule::OK),
+                     true /* delay */);
+  rules.emplace_back("host", dns_protocol::kTypeAAAA, true /* secure */,
+                     MockDnsClientRule::Result(MockDnsClientRule::OK),
+                     false /* delay */);
+
+  AddEsniRecordsRuleOptions options;
+  options.delay = true;
+  AddEsniRecordsRule("host", options, &rules);
+
+  CreateResolver();
+  UseMockDnsClient(CreateValidDnsConfig(), std::move(rules));
+  DnsConfigOverrides overrides;
+  overrides.secure_dns_mode = DnsConfig::SecureDnsMode::AUTOMATIC;
+  resolver_->SetDnsConfigOverrides(overrides);
+
+  base::HistogramTester histograms;
+
+  ResolveHostResponseHelper response(resolver_->CreateRequest(
+      HostPortPair("host", 80), NetworkIsolationKey(), NetLogWithSource(),
+      HostResolver::ResolveHostParameters(), request_context_.get(),
+      host_cache_.get()));
+
+  FastForwardBy(base::TimeDelta::FromMilliseconds(10));
+  ASSERT_TRUE(
+      dns_client_->CompleteOneDelayedTransactionOfType(DnsQueryType::ESNI));
+  FastForwardBy(base::TimeDelta::FromMilliseconds(10));
+  dns_client_->CompleteDelayedTransactions();
+
+  EXPECT_THAT(response.result_error(), IsOk());
+
+  histograms.ExpectTotalCount(dns_histograms::kEsniTimeHistogramForUnspecTasks,
+                              1);
+  histograms.ExpectTotalCount(dns_histograms::kNonEsniTotalTimeHistogram, 1);
+
+  // Expect only a weak inequality because the timer granularity could be coarse
+  // enough that the results end up in the same bucket.
+  EXPECT_LE(
+      histograms.GetAllSamples(dns_histograms::kEsniTimeHistogramForUnspecTasks)
+          .front()
+          .min,
+      histograms.GetAllSamples(dns_histograms::kNonEsniTotalTimeHistogram)
+          .front()
+          .min);
+
+  // Check that the histograms recording the _difference_ in times were
+  // updated correctly.
+  histograms.ExpectTotalCount(
+      dns_histograms::kEsniVersusNonEsniWithNonEsniLonger, 1);
+  histograms.ExpectTotalCount(dns_histograms::kEsniVersusNonEsniWithEsniLonger,
+                              0);
+}
+
+TEST_F(HostResolverManagerEsniTest,
+       TimesUnspecTransactionsWhenEsniFinishesLast) {
+  MockDnsClientRuleList rules;
+  rules.emplace_back("host", dns_protocol::kTypeA, true /* secure */,
+                     MockDnsClientRule::Result(MockDnsClientRule::OK),
+                     false /* delay */);
+  rules.emplace_back("host", dns_protocol::kTypeAAAA, true /* secure */,
+                     MockDnsClientRule::Result(MockDnsClientRule::OK),
+                     true /* delay */);
+
+  AddEsniRecordsRuleOptions options;
+  options.delay = true;
+  AddEsniRecordsRule("host", options, &rules);
+
+  CreateResolver();
+  UseMockDnsClient(CreateValidDnsConfig(), std::move(rules));
+  DnsConfigOverrides overrides;
+  overrides.secure_dns_mode = DnsConfig::SecureDnsMode::AUTOMATIC;
+  resolver_->SetDnsConfigOverrides(overrides);
+
+  base::HistogramTester histograms;
+
+  ResolveHostResponseHelper response(resolver_->CreateRequest(
+      HostPortPair("host", 80), NetworkIsolationKey(), NetLogWithSource(),
+      HostResolver::ResolveHostParameters(), request_context_.get(),
+      host_cache_.get()));
+
+  base::TimeDelta absolute_timeout =
+      features::EsniDnsMaxAbsoluteAdditionalWait();
+
+  // Let enough time pass during the A and AAAA transactions that the
+  // absolute timeout will be equal to the relative timeout: in particular,
+  // waiting an additional half of either of the timeouts' durations shouldn't
+  // lead to the ESNI transaction being cancelled.
+  base::TimeDelta a_aaaa_elapsed =
+      (100.0 / features::kEsniDnsMaxRelativeAdditionalWaitPercent.Get()) *
+      absolute_timeout;
+
+  FastForwardBy(a_aaaa_elapsed);
+  ASSERT_TRUE(
+      dns_client_->CompleteOneDelayedTransactionOfType(DnsQueryType::AAAA));
+
+  // Since the A and AAAA queries have only just completed, we shouldn't
+  // have timed out the ESNI query.
+  EXPECT_FALSE(response.complete());
+
+  // After half of the absolute timeout, the query should still be alive.
+  FastForwardBy(0.5 * absolute_timeout);
+
+  dns_client_->CompleteDelayedTransactions();
+
+  EXPECT_THAT(response.result_error(), IsOk());
+
+  histograms.ExpectTotalCount(dns_histograms::kEsniTimeHistogramForUnspecTasks,
+                              1);
+  histograms.ExpectTotalCount(dns_histograms::kNonEsniTotalTimeHistogram, 1);
+
+  // Expect only a weak inequality because the timer granularity could be coarse
+  // enough that the results end up in the same bucket.
+  EXPECT_LE(
+      histograms.GetAllSamples(dns_histograms::kNonEsniTotalTimeHistogram)
+          .front()
+          .min,
+      histograms.GetAllSamples(dns_histograms::kEsniTimeHistogramForUnspecTasks)
+          .front()
+          .min);
+
+  // Check that the histograms recording the difference in times were
+  // updated correctly.
+  histograms.ExpectTotalCount(dns_histograms::kEsniVersusNonEsniWithEsniLonger,
+                              1);
+  histograms.ExpectTotalCount(
+      dns_histograms::kEsniVersusNonEsniWithNonEsniLonger, 0);
+}
+
+TEST_F(HostResolverManagerEsniTest, TimesEsniTransactions) {
+  MockDnsClientRuleList rules;
+  AddEsniRecordsRule("host", AddEsniRecordsRuleOptions(), &rules);
+
+  CreateResolver();
+  UseMockDnsClient(CreateValidDnsConfig(), std::move(rules));
+  DnsConfigOverrides overrides;
+  overrides.secure_dns_mode = DnsConfig::SecureDnsMode::AUTOMATIC;
+  resolver_->SetDnsConfigOverrides(overrides);
+
+  base::HistogramTester histograms;
+
+  HostResolver::ResolveHostParameters parameters;
+  parameters.dns_query_type = DnsQueryType::ESNI;
+  ResolveHostResponseHelper response(resolver_->CreateRequest(
+      HostPortPair("host", 80), NetworkIsolationKey(), NetLogWithSource(),
+      parameters, request_context_.get(), host_cache_.get()));
+
+  EXPECT_THAT(response.result_error(), IsOk());
+
+  histograms.ExpectTotalCount(dns_histograms::kEsniTimeHistogramForEsniTasks,
+                              1);
+}
+
 }  // namespace net
diff --git a/chromium/net/dns/host_resolver_mdns_listener_impl.cc b/chromium/net/dns/host_resolver_mdns_listener_impl.cc
index cdce694317f..6f18f77414f 100644
--- a/chromium/net/dns/host_resolver_mdns_listener_impl.cc
+++ b/chromium/net/dns/host_resolver_mdns_listener_impl.cc
@@ -72,6 +72,7 @@ void HostResolverMdnsListenerImpl::OnRecordUpdate(
 
   switch (query_type_) {
     case DnsQueryType::UNSPECIFIED:
+    case DnsQueryType::ESNI:
       NOTREACHED();
       break;
     case DnsQueryType::A:
diff --git a/chromium/net/dns/host_resolver_mdns_task.cc b/chromium/net/dns/host_resolver_mdns_task.cc
index 356278b5721..d56dc587044 100644
--- a/chromium/net/dns/host_resolver_mdns_task.cc
+++ b/chromium/net/dns/host_resolver_mdns_task.cc
@@ -197,6 +197,9 @@ HostCache::Entry HostResolverMdnsTask::ParseResult(
   switch (query_type) {
     case DnsQueryType::UNSPECIFIED:
       // Should create two separate transactions with specified type.
+    case DnsQueryType::ESNI:
+      // ESNI queries are not expected to be useful in mDNS, so they're not
+      // supported.
       NOTREACHED();
       return HostCache::Entry(ERR_FAILED, HostCache::Entry::SOURCE_UNKNOWN);
     case DnsQueryType::A:
diff --git a/chromium/net/dns/host_resolver_proc.cc b/chromium/net/dns/host_resolver_proc.cc
index 0824540a63a..7fe8e1d0197 100644
--- a/chromium/net/dns/host_resolver_proc.cc
+++ b/chromium/net/dns/host_resolver_proc.cc
@@ -4,14 +4,16 @@
 
 #include "net/dns/host_resolver_proc.h"
 
+#include <tuple>
+
 #include "build/build_config.h"
 
 #include "base/logging.h"
-#include "base/sys_byteorder.h"
 #include "base/threading/scoped_blocking_call.h"
 #include "net/base/address_list.h"
 #include "net/base/net_errors.h"
 #include "net/base/sys_addrinfo.h"
+#include "net/dns/address_info.h"
 #include "net/dns/dns_reloader.h"
 #include "net/dns/dns_util.h"
 #include "net/dns/host_resolver.h"
@@ -22,43 +24,6 @@
 
 namespace net {
 
-namespace {
-
-bool IsAllLocalhostOfOneFamily(const struct addrinfo* ai) {
-  bool saw_v4_localhost = false;
-  bool saw_v6_localhost = false;
-  for (; ai != nullptr; ai = ai->ai_next) {
-    switch (ai->ai_family) {
-      case AF_INET: {
-        const struct sockaddr_in* addr_in =
-            reinterpret_cast<struct sockaddr_in*>(ai->ai_addr);
-        if ((base::NetToHost32(addr_in->sin_addr.s_addr) & 0xff000000) ==
-            0x7f000000)
-          saw_v4_localhost = true;
-        else
-          return false;
-        break;
-      }
-      case AF_INET6: {
-        const struct sockaddr_in6* addr_in6 =
-            reinterpret_cast<struct sockaddr_in6*>(ai->ai_addr);
-        if (IN6_IS_ADDR_LOOPBACK(&addr_in6->sin6_addr))
-          saw_v6_localhost = true;
-        else
-          return false;
-        break;
-      }
-      default:
-        NOTREACHED();
-        return false;
-    }
-  }
-
-  return saw_v4_localhost != saw_v6_localhost;
-}
-
-}  // namespace
-
 HostResolverProc* HostResolverProc::default_proc_ = nullptr;
 
 HostResolverProc::HostResolverProc(HostResolverProc* previous) {
@@ -121,35 +86,32 @@ HostResolverProc* HostResolverProc::GetDefault() {
   return default_proc_;
 }
 
+namespace {
+
+int AddressFamilyToAF(AddressFamily address_family) {
+  switch (address_family) {
+    case ADDRESS_FAMILY_IPV4:
+      return AF_INET;
+    case ADDRESS_FAMILY_IPV6:
+      return AF_INET6;
+    case ADDRESS_FAMILY_UNSPECIFIED:
+      return AF_UNSPEC;
+  }
+}
+
+}  // namespace
+
 int SystemHostResolverCall(const std::string& host,
                            AddressFamily address_family,
                            HostResolverFlags host_resolver_flags,
                            AddressList* addrlist,
-                           int* os_error) {
+                           int* os_error_opt) {
   // |host| should be a valid domain name. HostResolverImpl::Resolve has checks
   // to fail early if this is not the case.
   DCHECK(IsValidDNSDomain(host));
 
-  if (os_error)
-    *os_error = 0;
-
-  struct addrinfo* ai = nullptr;
   struct addrinfo hints = {0};
-
-  switch (address_family) {
-    case ADDRESS_FAMILY_IPV4:
-      hints.ai_family = AF_INET;
-      break;
-    case ADDRESS_FAMILY_IPV6:
-      hints.ai_family = AF_INET6;
-      break;
-    case ADDRESS_FAMILY_UNSPECIFIED:
-      hints.ai_family = AF_UNSPEC;
-      break;
-    default:
-      NOTREACHED();
-      hints.ai_family = AF_UNSPEC;
-  }
+  hints.ai_family = AddressFamilyToAF(address_family);
 
 #if defined(OS_WIN)
   // DO NOT USE AI_ADDRCONFIG ON WINDOWS.
@@ -179,7 +141,7 @@ int SystemHostResolverCall(const std::string& host,
   hints.ai_flags = AI_ADDRCONFIG;
 #endif
 
-  // On Linux AI_ADDRCONFIG doesn't consider loopback addreses, even if only
+  // On Linux AI_ADDRCONFIG doesn't consider loopback addresses, even if only
   // loopback addresses are configured. So don't use it when there are only
   // loopback addresses.
   if (host_resolver_flags & HOST_RESOLVER_LOOPBACK_ONLY)
@@ -201,14 +163,17 @@ int SystemHostResolverCall(const std::string& host,
     !defined(OS_ANDROID) && !defined(OS_FUCHSIA)
   DnsReloaderMaybeReload();
 #endif
-  int err = getaddrinfo(host.c_str(), nullptr, &hints, &ai);
+  base::Optional<AddressInfo> ai;
+  int err = 0;
+  int os_error = 0;
+  std::tie(ai, err, os_error) = AddressInfo::Get(host, hints);
   bool should_retry = false;
   // If the lookup was restricted (either by address family, or address
   // detection), and the results where all localhost of a single family,
   // maybe we should retry.  There were several bugs related to these
   // issues, for example http://crbug.com/42058 and http://crbug.com/49024
-  if ((hints.ai_family != AF_UNSPEC || hints.ai_flags & AI_ADDRCONFIG) &&
-      err == 0 && IsAllLocalhostOfOneFamily(ai)) {
+  if ((hints.ai_family != AF_UNSPEC || hints.ai_flags & AI_ADDRCONFIG) && ai &&
+      ai->IsAllLocalhostOfOneFamily()) {
     if (host_resolver_flags & HOST_RESOLVER_DEFAULT_FAMILY_SET_DUE_TO_NO_IPV6) {
       hints.ai_family = AF_UNSPEC;
       should_retry = true;
@@ -219,44 +184,16 @@ int SystemHostResolverCall(const std::string& host,
     }
   }
   if (should_retry) {
-    if (ai != nullptr) {
-      freeaddrinfo(ai);
-      ai = nullptr;
-    }
-    err = getaddrinfo(host.c_str(), nullptr, &hints, &ai);
+    std::tie(ai, err, os_error) = AddressInfo::Get(host, hints);
   }
 
-  if (err) {
-#if defined(OS_WIN)
-    err = WSAGetLastError();
-#endif
-
-    // Return the OS error to the caller.
-    if (os_error)
-      *os_error = err;
-
-    // If the call to getaddrinfo() failed because of a system error, report
-    // it separately from ERR_NAME_NOT_RESOLVED.
-#if defined(OS_WIN)
-    if (err != WSAHOST_NOT_FOUND && err != WSANO_DATA)
-      return ERR_NAME_RESOLUTION_FAILED;
-#elif defined(OS_POSIX) && !defined(OS_FREEBSD)
-    if (err != EAI_NONAME && err != EAI_NODATA)
-      return ERR_NAME_RESOLUTION_FAILED;
-#endif
+  if (os_error_opt)
+    *os_error_opt = os_error;
 
-    return ERR_NAME_NOT_RESOLVED;
-  }
-
-#if defined(OS_ANDROID)
-  // Workaround for Android's getaddrinfo leaving ai==NULL without an error.
-  // http://crbug.com/134142
-  if (ai == NULL)
-    return ERR_NAME_NOT_RESOLVED;
-#endif
+  if (!ai)
+    return err;
 
-  *addrlist = AddressList::CreateFromAddrinfo(ai);
-  freeaddrinfo(ai);
+  *addrlist = ai->CreateAddressList();
   return OK;
 }
 
diff --git a/chromium/net/dns/mapped_host_resolver.cc b/chromium/net/dns/mapped_host_resolver.cc
index caa36fa9584..8bbd2f90d70 100644
--- a/chromium/net/dns/mapped_host_resolver.cc
+++ b/chromium/net/dns/mapped_host_resolver.cc
@@ -26,6 +26,7 @@ void MappedHostResolver::OnShutdown() {
 std::unique_ptr<HostResolver::ResolveHostRequest>
 MappedHostResolver::CreateRequest(
     const HostPortPair& host,
+    const NetworkIsolationKey& network_isolation_key,
     const NetLogWithSource& source_net_log,
     const base::Optional<ResolveHostParameters>& optional_parameters) {
   HostPortPair rewritten = host;
@@ -34,7 +35,13 @@ MappedHostResolver::CreateRequest(
   if (rewritten.host() == "~NOTFOUND")
     return CreateFailingRequest(ERR_NAME_NOT_RESOLVED);
 
-  return impl_->CreateRequest(rewritten, source_net_log, optional_parameters);
+  return impl_->CreateRequest(rewritten, network_isolation_key, source_net_log,
+                              optional_parameters);
+}
+
+std::unique_ptr<HostResolver::ProbeRequest>
+MappedHostResolver::CreateDohProbeRequest() {
+  return impl_->CreateDohProbeRequest();
 }
 
 HostCache* MappedHostResolver::GetHostCache() {
diff --git a/chromium/net/dns/mapped_host_resolver.h b/chromium/net/dns/mapped_host_resolver.h
index ce7ec88e435..c27161ab702 100644
--- a/chromium/net/dns/mapped_host_resolver.h
+++ b/chromium/net/dns/mapped_host_resolver.h
@@ -52,9 +52,11 @@ class NET_EXPORT MappedHostResolver : public HostResolver {
   // HostResolver methods:
   std::unique_ptr<ResolveHostRequest> CreateRequest(
       const HostPortPair& host,
+      const NetworkIsolationKey& network_isolation_key,
       const NetLogWithSource& net_log,
       const base::Optional<ResolveHostParameters>& optional_parameters)
       override;
+  std::unique_ptr<ProbeRequest> CreateDohProbeRequest() override;
   HostCache* GetHostCache() override;
   std::unique_ptr<base::Value> GetDnsConfigAsValue() const override;
   void SetRequestContext(URLRequestContext* request_context) override;
diff --git a/chromium/net/dns/mapped_host_resolver_unittest.cc b/chromium/net/dns/mapped_host_resolver_unittest.cc
index 68fc0e3baaf..ecbb6bcb8b0 100644
--- a/chromium/net/dns/mapped_host_resolver_unittest.cc
+++ b/chromium/net/dns/mapped_host_resolver_unittest.cc
@@ -48,7 +48,8 @@ TEST(MappedHostResolverTest, Inclusion) {
   TestCompletionCallback callback;
   std::unique_ptr<HostResolver::ResolveHostRequest> request =
       resolver->CreateRequest(HostPortPair("www.google.com", 80),
-                              NetLogWithSource(), base::nullopt);
+                              NetworkIsolationKey(), NetLogWithSource(),
+                              base::nullopt);
   int rv = request->Start(callback.callback());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
   rv = callback.WaitForResult();
@@ -61,7 +62,8 @@ TEST(MappedHostResolverTest, Inclusion) {
 
   // Try resolving "www.google.com:80". Should be remapped to "baz.com:80".
   request = resolver->CreateRequest(HostPortPair("www.google.com", 80),
-                                    NetLogWithSource(), base::nullopt);
+                                    NetworkIsolationKey(), NetLogWithSource(),
+                                    base::nullopt);
   rv = request->Start(callback.callback());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
   rv = callback.WaitForResult();
@@ -73,7 +75,8 @@ TEST(MappedHostResolverTest, Inclusion) {
   // Try resolving "foo.com:77". This will NOT be remapped, so result
   // is "foo.com:77".
   request = resolver->CreateRequest(HostPortPair("foo.com", 77),
-                                    NetLogWithSource(), base::nullopt);
+                                    NetworkIsolationKey(), NetLogWithSource(),
+                                    base::nullopt);
   rv = request->Start(callback.callback());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
   rv = callback.WaitForResult();
@@ -87,7 +90,8 @@ TEST(MappedHostResolverTest, Inclusion) {
 
   // Try resolving "chromium.org:61". Should be remapped to "proxy:99".
   request = resolver->CreateRequest(HostPortPair("chromium.org", 61),
-                                    NetLogWithSource(), base::nullopt);
+                                    NetworkIsolationKey(), NetLogWithSource(),
+                                    base::nullopt);
   rv = request->Start(callback.callback());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
   rv = callback.WaitForResult();
@@ -120,7 +124,8 @@ TEST(MappedHostResolverTest, Exclusion) {
   // Try resolving "www.google.com". Should not be remapped due to exclusion).
   std::unique_ptr<HostResolver::ResolveHostRequest> request =
       resolver->CreateRequest(HostPortPair("www.google.com", 80),
-                              NetLogWithSource(), base::nullopt);
+                              NetworkIsolationKey(), NetLogWithSource(),
+                              base::nullopt);
   int rv = request->Start(callback.callback());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
   rv = callback.WaitForResult();
@@ -131,7 +136,8 @@ TEST(MappedHostResolverTest, Exclusion) {
 
   // Try resolving "chrome.com:80". Should be remapped to "baz:80".
   request = resolver->CreateRequest(HostPortPair("chrome.com", 80),
-                                    NetLogWithSource(), base::nullopt);
+                                    NetworkIsolationKey(), NetLogWithSource(),
+                                    base::nullopt);
   rv = request->Start(callback.callback());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
   rv = callback.WaitForResult();
@@ -160,7 +166,8 @@ TEST(MappedHostResolverTest, SetRulesFromString) {
   // Try resolving "www.google.com". Should be remapped to "baz".
   std::unique_ptr<HostResolver::ResolveHostRequest> request =
       resolver->CreateRequest(HostPortPair("www.google.com", 80),
-                              NetLogWithSource(), base::nullopt);
+                              NetworkIsolationKey(), NetLogWithSource(),
+                              base::nullopt);
   int rv = request->Start(callback.callback());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
   rv = callback.WaitForResult();
@@ -171,7 +178,8 @@ TEST(MappedHostResolverTest, SetRulesFromString) {
 
   // Try resolving "chrome.net:80". Should be remapped to "bar:60".
   request = resolver->CreateRequest(HostPortPair("chrome.net", 80),
-                                    NetLogWithSource(), base::nullopt);
+                                    NetworkIsolationKey(), NetLogWithSource(),
+                                    base::nullopt);
   rv = request->Start(callback.callback());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
   rv = callback.WaitForResult();
@@ -215,7 +223,8 @@ TEST(MappedHostResolverTest, MapToError) {
   TestCompletionCallback callback1;
   std::unique_ptr<HostResolver::ResolveHostRequest> request =
       resolver->CreateRequest(HostPortPair("www.google.com", 80),
-                              NetLogWithSource(), base::nullopt);
+                              NetworkIsolationKey(), NetLogWithSource(),
+                              base::nullopt);
   int rv = request->Start(callback1.callback());
   EXPECT_THAT(rv, IsError(ERR_NAME_NOT_RESOLVED));
   request.reset();
@@ -223,7 +232,8 @@ TEST(MappedHostResolverTest, MapToError) {
   // Try resolving www.foo.com --> Should succeed.
   TestCompletionCallback callback2;
   request = resolver->CreateRequest(HostPortPair("www.foo.com", 80),
-                                    NetLogWithSource(), base::nullopt);
+                                    NetworkIsolationKey(), NetLogWithSource(),
+                                    base::nullopt);
   rv = request->Start(callback2.callback());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
   rv = callback2.WaitForResult();
diff --git a/chromium/net/dns/mdns_client_unittest.cc b/chromium/net/dns/mdns_client_unittest.cc
index 313ba85b13b..36fed840c39 100644
--- a/chromium/net/dns/mdns_client_unittest.cc
+++ b/chromium/net/dns/mdns_client_unittest.cc
@@ -1362,9 +1362,8 @@ TEST_F(MDnsConnectionSendTest, SendQueued) {
 
 TEST(MDnsSocketTest, CreateSocket) {
   // Verifies that socket creation hasn't been broken.
-  NetLog net_log;
-  auto socket =
-      CreateAndBindMDnsSocket(AddressFamily::ADDRESS_FAMILY_IPV4, 1, &net_log);
+  auto socket = CreateAndBindMDnsSocket(AddressFamily::ADDRESS_FAMILY_IPV4, 1,
+                                        net::NetLog::Get());
   EXPECT_TRUE(socket);
   socket->Close();
 }
diff --git a/chromium/net/dns/mock_host_resolver.cc b/chromium/net/dns/mock_host_resolver.cc
index 152e696e8c2..8fcd1e507c5 100644
--- a/chromium/net/dns/mock_host_resolver.cc
+++ b/chromium/net/dns/mock_host_resolver.cc
@@ -29,6 +29,7 @@
 #include "net/base/net_errors.h"
 #include "net/base/test_completion_callback.h"
 #include "net/dns/host_cache.h"
+#include "net/dns/public/resolve_error_info.h"
 #include "net/url_request/url_request_context.h"
 
 #if defined(OS_WIN)
@@ -67,13 +68,16 @@ class MockHostResolverBase::RequestImpl
     : public HostResolver::ResolveHostRequest {
  public:
   RequestImpl(const HostPortPair& request_host,
+              const NetworkIsolationKey& network_isolation_key,
               const base::Optional<ResolveHostParameters>& optional_parameters,
               base::WeakPtr<MockHostResolverBase> resolver)
       : request_host_(request_host),
+        network_isolation_key_(network_isolation_key),
         parameters_(optional_parameters ? optional_parameters.value()
                                         : ResolveHostParameters()),
         priority_(parameters_.initial_priority),
         host_resolver_flags_(ParametersToHostResolverFlags(parameters_)),
+        resolve_error_info_(ResolveErrorInfo(ERR_IO_PENDING)),
         id_(0),
         resolver_(resolver),
         complete_(false) {}
@@ -135,6 +139,17 @@ class MockHostResolverBase::RequestImpl
     return *nullopt_result;
   }
 
+  const base::Optional<EsniContent>& GetEsniResults() const override {
+    DCHECK(complete_);
+    static const base::NoDestructor<base::Optional<EsniContent>> nullopt_result;
+    return *nullopt_result;
+  }
+
+  net::ResolveErrorInfo GetResolveErrorInfo() const override {
+    DCHECK(complete_);
+    return resolve_error_info_;
+  }
+
   const base::Optional<HostCache::EntryStaleness>& GetStaleInfo()
       const override {
     DCHECK(complete_);
@@ -145,6 +160,12 @@ class MockHostResolverBase::RequestImpl
     priority_ = priority;
   }
 
+  void SetError(int error) {
+    // Should only be called before request is marked completed.
+    DCHECK(!complete_);
+    resolve_error_info_ = ResolveErrorInfo(error);
+  }
+
   void set_address_results(
       const AddressList& address_results,
       base::Optional<HostCache::EntryStaleness> staleness) {
@@ -162,6 +183,11 @@ class MockHostResolverBase::RequestImpl
     DCHECK_EQ(id_, id);
     id_ = 0;
 
+    // Check that error information has been set and that the top-level error
+    // code is valid.
+    DCHECK(resolve_error_info_.error != ERR_IO_PENDING);
+    DCHECK(error == OK || error == ERR_NAME_NOT_RESOLVED);
+
     DCHECK(!complete_);
     complete_ = true;
 
@@ -171,6 +197,10 @@ class MockHostResolverBase::RequestImpl
 
   const HostPortPair& request_host() const { return request_host_; }
 
+  const NetworkIsolationKey& network_isolation_key() const {
+    return network_isolation_key_;
+  }
+
   const ResolveHostParameters& parameters() const { return parameters_; }
 
   int host_resolver_flags() const { return host_resolver_flags_; }
@@ -190,12 +220,14 @@ class MockHostResolverBase::RequestImpl
 
  private:
   const HostPortPair request_host_;
+  const NetworkIsolationKey network_isolation_key_;
   const ResolveHostParameters parameters_;
   RequestPriority priority_;
   int host_resolver_flags_;
 
   base::Optional<AddressList> address_results_;
   base::Optional<HostCache::EntryStaleness> staleness_;
+  ResolveErrorInfo resolve_error_info_;
 
   // Used while stored with the resolver for async resolution.  Otherwise 0.
   size_t id_;
@@ -209,6 +241,33 @@ class MockHostResolverBase::RequestImpl
   DISALLOW_COPY_AND_ASSIGN(RequestImpl);
 };
 
+class MockHostResolverBase::ProbeRequestImpl
+    : public HostResolver::ProbeRequest {
+ public:
+  explicit ProbeRequestImpl(base::WeakPtr<MockHostResolverBase> resolver)
+      : resolver_(std::move(resolver)) {}
+
+  ProbeRequestImpl(const ProbeRequestImpl&) = delete;
+  ProbeRequestImpl& operator=(const ProbeRequestImpl&) = delete;
+
+  ~ProbeRequestImpl() override {
+    if (resolver_ && resolver_->doh_probe_request_ == this)
+      resolver_->doh_probe_request_ = nullptr;
+  }
+
+  int Start() override {
+    DCHECK(resolver_);
+    DCHECK(!resolver_->doh_probe_request_);
+
+    resolver_->doh_probe_request_ = this;
+
+    return ERR_IO_PENDING;
+  }
+
+ private:
+  base::WeakPtr<MockHostResolverBase> resolver_;
+};
+
 class MockHostResolverBase::MdnsListenerImpl
     : public HostResolver::MdnsListener {
  public:
@@ -292,14 +351,23 @@ void MockHostResolverBase::OnShutdown() {
   // Prevent future requests by clearing resolution rules and the cache.
   rules_map_.clear();
   cache_ = nullptr;
+
+  doh_probe_request_ = nullptr;
 }
 
 std::unique_ptr<HostResolver::ResolveHostRequest>
 MockHostResolverBase::CreateRequest(
     const HostPortPair& host,
+    const NetworkIsolationKey& network_isolation_key,
     const NetLogWithSource& source_net_log,
     const base::Optional<ResolveHostParameters>& optional_parameters) {
-  return std::make_unique<RequestImpl>(host, optional_parameters, AsWeakPtr());
+  return std::make_unique<RequestImpl>(host, network_isolation_key,
+                                       optional_parameters, AsWeakPtr());
+}
+
+std::unique_ptr<HostResolver::ProbeRequest>
+MockHostResolverBase::CreateDohProbeRequest() {
+  return std::make_unique<ProbeRequestImpl>(AsWeakPtr());
 }
 
 std::unique_ptr<HostResolver::MdnsListener>
@@ -314,6 +382,7 @@ HostCache* MockHostResolverBase::GetHostCache() {
 
 int MockHostResolverBase::LoadIntoCache(
     const HostPortPair& host,
+    const NetworkIsolationKey& network_isolation_key,
     const base::Optional<ResolveHostParameters>& optional_parameters) {
   DCHECK_CALLED_ON_VALID_THREAD(thread_checker_);
   DCHECK(cache_);
@@ -324,7 +393,7 @@ int MockHostResolverBase::LoadIntoCache(
   AddressList addresses;
   base::Optional<HostCache::EntryStaleness> stale_info;
   int rv = ResolveFromIPLiteralOrCache(
-      host, parameters.dns_query_type,
+      host, network_isolation_key, parameters.dns_query_type,
       ParametersToHostResolverFlags(parameters), parameters.source,
       parameters.cache_usage, &addresses, &stale_info);
   if (rv != ERR_DNS_CACHE_MISS) {
@@ -337,9 +406,10 @@ int MockHostResolverBase::LoadIntoCache(
   if (!IsValidDNSDomain(host.host()))
     return ERR_NAME_NOT_RESOLVED;
 
-  return ResolveProc(
-      host, DnsQueryTypeToAddressFamily(parameters.dns_query_type),
-      ParametersToHostResolverFlags(parameters), parameters.source, &addresses);
+  return ResolveProc(host, network_isolation_key,
+                     DnsQueryTypeToAddressFamily(parameters.dns_query_type),
+                     ParametersToHostResolverFlags(parameters),
+                     parameters.source, &addresses);
 }
 
 void MockHostResolverBase::ResolveAllPending() {
@@ -368,12 +438,13 @@ void MockHostResolverBase::ResolveNow(size_t id) {
 
   AddressList addresses;
   int error = ResolveProc(
-      req->request_host(),
+      req->request_host(), req->network_isolation_key(),
       DnsQueryTypeToAddressFamily(req->parameters().dns_query_type),
       req->host_resolver_flags(), req->parameters().source, &addresses);
+  req->SetError(error);
   if (error == OK && !req->parameters().is_speculative)
     req->set_address_results(addresses, base::nullopt);
-  req->OnAsyncCompleted(id, error);
+  req->OnAsyncCompleted(id, SquashErrorCode(error));
 }
 
 void MockHostResolverBase::DetachRequest(size_t id) {
@@ -382,10 +453,9 @@ void MockHostResolverBase::DetachRequest(size_t id) {
   requests_.erase(it);
 }
 
-MockHostResolverBase::RequestImpl* MockHostResolverBase::request(size_t id) {
-  RequestMap::iterator request = requests_.find(id);
-  DCHECK(request != requests_.end());
-  return (*request).second;
+const std::string& MockHostResolverBase::request_host(size_t id) {
+  DCHECK(request(id));
+  return request(id)->request_host().host();
 }
 
 RequestPriority MockHostResolverBase::request_priority(size_t id) {
@@ -393,6 +463,12 @@ RequestPriority MockHostResolverBase::request_priority(size_t id) {
   return request(id)->priority();
 }
 
+const NetworkIsolationKey& MockHostResolverBase::request_network_isolation_key(
+    size_t id) {
+  DCHECK(request(id));
+  return request(id)->network_isolation_key();
+}
+
 void MockHostResolverBase::ResolveOnlyRequestNow() {
   DCHECK_EQ(1u, requests_.size());
   ResolveNow(requests_.begin()->first);
@@ -441,6 +517,12 @@ void MockHostResolverBase::TriggerMdnsListeners(
   }
 }
 
+MockHostResolverBase::RequestImpl* MockHostResolverBase::request(size_t id) {
+  RequestMap::iterator request = requests_.find(id);
+  DCHECK(request != requests_.end());
+  return (*request).second;
+}
+
 // start id from 1 to distinguish from NULL RequestHandle
 MockHostResolverBase::MockHostResolverBase(bool use_caching,
                                            int cache_invalidation_num)
@@ -470,36 +552,44 @@ int MockHostResolverBase::Resolve(RequestImpl* request) {
   DCHECK_CALLED_ON_VALID_THREAD(thread_checker_);
 
   last_request_priority_ = request->parameters().initial_priority;
+  last_request_network_isolation_key_ = request->network_isolation_key();
   last_secure_dns_mode_override_ =
       request->parameters().secure_dns_mode_override;
   num_resolve_++;
   AddressList addresses;
   base::Optional<HostCache::EntryStaleness> stale_info;
   int rv = ResolveFromIPLiteralOrCache(
-      request->request_host(), request->parameters().dns_query_type,
-      request->host_resolver_flags(), request->parameters().source,
-      request->parameters().cache_usage, &addresses, &stale_info);
+      request->request_host(), request->network_isolation_key(),
+      request->parameters().dns_query_type, request->host_resolver_flags(),
+      request->parameters().source, request->parameters().cache_usage,
+      &addresses, &stale_info);
+
+  request->SetError(rv);
   if (rv == OK && !request->parameters().is_speculative)
     request->set_address_results(addresses, std::move(stale_info));
   if (rv != ERR_DNS_CACHE_MISS ||
       request->parameters().source == HostResolverSource::LOCAL_ONLY) {
-    return rv;
+    return SquashErrorCode(rv);
   }
 
   // Just like the real resolver, refuse to do anything with invalid
   // hostnames.
-  if (!IsValidDNSDomain(request->request_host().host()))
+  if (!IsValidDNSDomain(request->request_host().host())) {
+    request->SetError(ERR_NAME_NOT_RESOLVED);
     return ERR_NAME_NOT_RESOLVED;
+  }
 
   if (synchronous_mode_) {
     int rv = ResolveProc(
-        request->request_host(),
+        request->request_host(), request->network_isolation_key(),
         DnsQueryTypeToAddressFamily(request->parameters().dns_query_type),
         request->host_resolver_flags(), request->parameters().source,
         &addresses);
+
+    request->SetError(rv);
     if (rv == OK && !request->parameters().is_speculative)
       request->set_address_results(addresses, base::nullopt);
-    return rv;
+    return SquashErrorCode(rv);
   }
 
   // Store the request for asynchronous resolution
@@ -518,6 +608,7 @@ int MockHostResolverBase::Resolve(RequestImpl* request) {
 
 int MockHostResolverBase::ResolveFromIPLiteralOrCache(
     const HostPortPair& host,
+    const NetworkIsolationKey& network_isolation_key,
     DnsQueryType dns_query_type,
     HostResolverFlags flags,
     HostResolverSource source,
@@ -552,7 +643,8 @@ int MockHostResolverBase::ResolveFromIPLiteralOrCache(
     HostResolverSource effective_source =
         source == HostResolverSource::LOCAL_ONLY ? HostResolverSource::ANY
                                                  : source;
-    HostCache::Key key(host.host(), dns_query_type, flags, effective_source);
+    HostCache::Key key(host.host(), dns_query_type, flags, effective_source,
+                       network_isolation_key);
     const std::pair<const HostCache::Key, HostCache::Entry>* cache_result;
     HostCache::EntryStaleness stale_info = HostCache::kNotStale;
     if (cache_usage ==
@@ -587,11 +679,13 @@ int MockHostResolverBase::ResolveFromIPLiteralOrCache(
   return rv;
 }
 
-int MockHostResolverBase::ResolveProc(const HostPortPair& host,
-                                      AddressFamily requested_address_family,
-                                      HostResolverFlags flags,
-                                      HostResolverSource source,
-                                      AddressList* addresses) {
+int MockHostResolverBase::ResolveProc(
+    const HostPortPair& host,
+    const NetworkIsolationKey& network_isolation_key,
+    AddressFamily requested_address_family,
+    HostResolverFlags flags,
+    HostResolverSource source,
+    AddressList* addresses) {
   DCHECK(rules_map_.find(source) != rules_map_.end());
   ++num_non_local_resolves_;
 
@@ -601,7 +695,7 @@ int MockHostResolverBase::ResolveProc(const HostPortPair& host,
   if (cache_.get()) {
     HostCache::Key key(host.host(),
                        AddressFamilyToDnsQueryType(requested_address_family),
-                       flags, source);
+                       flags, source, network_isolation_key);
     // Storing a failure with TTL 0 so that it overwrites previous value.
     base::TimeDelta ttl;
     if (rv == OK) {
@@ -757,6 +851,15 @@ void RuleBasedHostResolverProc::AddSimulatedFailure(
   AddRuleInternal(rule);
 }
 
+void RuleBasedHostResolverProc::AddSimulatedTimeoutFailure(
+    const std::string& host_pattern) {
+  HostResolverFlags flags = HOST_RESOLVER_LOOPBACK_ONLY |
+                            HOST_RESOLVER_DEFAULT_FAMILY_SET_DUE_TO_NO_IPV6;
+  Rule rule(Rule::kResolverTypeFailTimeout, host_pattern,
+            ADDRESS_FAMILY_UNSPECIFIED, flags, std::string(), std::string(), 0);
+  AddRuleInternal(rule);
+}
+
 void RuleBasedHostResolverProc::ClearRules() {
   CHECK(modifications_allowed_);
   base::AutoLock lock(rule_lock_);
@@ -810,6 +913,8 @@ int RuleBasedHostResolverProc::Resolve(const std::string& host,
       switch (r->resolver_type) {
         case Rule::kResolverTypeFail:
           return ERR_NAME_NOT_RESOLVED;
+        case Rule::kResolverTypeFailTimeout:
+          return ERR_DNS_TIMED_OUT;
         case Rule::kResolverTypeSystem:
 #if defined(OS_WIN)
           EnsureWinsockInit();
@@ -887,7 +992,8 @@ RuleBasedHostResolverProc* CreateCatchAllHostResolverProc() {
 // Implementation of ResolveHostRequest that tracks cancellations when the
 // request is destroyed after being started.
 class HangingHostResolver::RequestImpl
-    : public HostResolver::ResolveHostRequest {
+    : public HostResolver::ResolveHostRequest,
+      public HostResolver::ProbeRequest {
  public:
   explicit RequestImpl(base::WeakPtr<HangingHostResolver> resolver)
       : resolver_(resolver) {}
@@ -897,7 +1003,9 @@ class HangingHostResolver::RequestImpl
       resolver_->num_cancellations_++;
   }
 
-  int Start(CompletionOnceCallback callback) override {
+  int Start(CompletionOnceCallback callback) override { return Start(); }
+
+  int Start() override {
     DCHECK(resolver_);
     is_running_ = true;
     return ERR_IO_PENDING;
@@ -917,6 +1025,14 @@ class HangingHostResolver::RequestImpl
     IMMEDIATE_CRASH();
   }
 
+  const base::Optional<EsniContent>& GetEsniResults() const override {
+    IMMEDIATE_CRASH();
+  }
+
+  net::ResolveErrorInfo GetResolveErrorInfo() const override {
+    IMMEDIATE_CRASH();
+  }
+
   const base::Optional<HostCache::EntryStaleness>& GetStaleInfo()
       const override {
     IMMEDIATE_CRASH();
@@ -944,8 +1060,12 @@ void HangingHostResolver::OnShutdown() {
 std::unique_ptr<HostResolver::ResolveHostRequest>
 HangingHostResolver::CreateRequest(
     const HostPortPair& host,
+    const NetworkIsolationKey& network_isolation_key,
     const NetLogWithSource& source_net_log,
     const base::Optional<ResolveHostParameters>& optional_parameters) {
+  last_host_ = host;
+  last_network_isolation_key_ = network_isolation_key;
+
   if (shutting_down_)
     return CreateFailingRequest(ERR_CONTEXT_SHUT_DOWN);
 
@@ -957,6 +1077,14 @@ HangingHostResolver::CreateRequest(
   return std::make_unique<RequestImpl>(weak_ptr_factory_.GetWeakPtr());
 }
 
+std::unique_ptr<HostResolver::ProbeRequest>
+HangingHostResolver::CreateDohProbeRequest() {
+  if (shutting_down_)
+    return CreateFailingProbeRequest(ERR_CONTEXT_SHUT_DOWN);
+
+  return std::make_unique<RequestImpl>(weak_ptr_factory_.GetWeakPtr());
+}
+
 //-----------------------------------------------------------------------------
 
 ScopedDefaultHostResolverProc::ScopedDefaultHostResolverProc() = default;
diff --git a/chromium/net/dns/mock_host_resolver.h b/chromium/net/dns/mock_host_resolver.h
index 61250c89c6f..2be07a2352b 100644
--- a/chromium/net/dns/mock_host_resolver.h
+++ b/chromium/net/dns/mock_host_resolver.h
@@ -20,6 +20,7 @@
 #include "base/synchronization/waitable_event.h"
 #include "base/threading/thread_checker.h"
 #include "net/base/completion_once_callback.h"
+#include "net/base/network_isolation_key.h"
 #include "net/dns/dns_config.h"
 #include "net/dns/host_resolver.h"
 #include "net/dns/host_resolver_proc.h"
@@ -83,6 +84,7 @@ class MockHostResolverBase
       public base::SupportsWeakPtr<MockHostResolverBase> {
  private:
   class RequestImpl;
+  class ProbeRequestImpl;
   class MdnsListenerImpl;
 
  public:
@@ -116,9 +118,11 @@ class MockHostResolverBase
   void OnShutdown() override;
   std::unique_ptr<ResolveHostRequest> CreateRequest(
       const HostPortPair& host,
+      const NetworkIsolationKey& network_isolation_key,
       const NetLogWithSource& net_log,
       const base::Optional<ResolveHostParameters>& optional_parameters)
       override;
+  std::unique_ptr<ProbeRequest> CreateDohProbeRequest() override;
   std::unique_ptr<MdnsListener> CreateMdnsListener(
       const HostPortPair& host,
       DnsQueryType query_type) override;
@@ -129,6 +133,7 @@ class MockHostResolverBase
   // with the given parameters. Returns the net error of the cached result.
   int LoadIntoCache(
       const HostPortPair& host,
+      const NetworkIsolationKey& network_isolation_key,
       const base::Optional<ResolveHostParameters>& optional_parameters);
 
   // Returns true if there are pending requests that can be resolved by invoking
@@ -154,12 +159,15 @@ class MockHostResolverBase
   // Detach cancelled request.
   void DetachRequest(size_t id);
 
-  // Returns the request with the given id.
-  RequestImpl* request(size_t id);
+  // Returns the hostname of the request with the given id.
+  const std::string& request_host(size_t id);
 
   // Returns the priority of the request with the given id.
   RequestPriority request_priority(size_t id);
 
+  // Returns NetworkIsolationKey of the request with the given id.
+  const NetworkIsolationKey& request_network_isolation_key(size_t id);
+
   // Like ResolveNow, but doesn't take an ID. DCHECKs if there's more than one
   // pending request.
   void ResolveOnlyRequestNow();
@@ -183,13 +191,22 @@ class MockHostResolverBase
     return last_request_priority_;
   }
 
+  // Returns the NetworkIsolationKey passed in to the last call to Resolve() (or
+  // base::nullopt if Resolve() hasn't been called yet).
+  const base::Optional<NetworkIsolationKey>&
+  last_request_network_isolation_key() {
+    return last_request_network_isolation_key_;
+  }
+
   // Returns the SecureDnsMode override of the last call to Resolve() (or
   // base::nullopt if Resolve() hasn't been called yet).
-  base::Optional<DnsConfig::SecureDnsMode> last_secure_dns_mode_override()
-      const {
+  const base::Optional<DnsConfig::SecureDnsMode>&
+  last_secure_dns_mode_override() const {
     return last_secure_dns_mode_override_;
   }
 
+  bool IsDohProbeRunning() const { return !!doh_probe_request_; }
+
   void TriggerMdnsListeners(const HostPortPair& host,
                             DnsQueryType query_type,
                             MdnsListener::Delegate::UpdateType update_type,
@@ -217,6 +234,9 @@ class MockHostResolverBase
 
   typedef std::map<size_t, RequestImpl*> RequestMap;
 
+  // Returns the request with the given id.
+  RequestImpl* request(size_t id);
+
   // If > 0, |cache_invalidation_num| is the number of times a cached entry can
   // be read before it invalidates itself. Useful to force cache expiration
   // scenarios.
@@ -230,6 +250,7 @@ class MockHostResolverBase
   // DNS_CACHE_MISS if failed.
   int ResolveFromIPLiteralOrCache(
       const HostPortPair& host,
+      const NetworkIsolationKey& network_isolation_key,
       DnsQueryType dns_query_type,
       HostResolverFlags flags,
       HostResolverSource source,
@@ -238,6 +259,7 @@ class MockHostResolverBase
       base::Optional<HostCache::EntryStaleness>* stale_info);
   // Resolve via |proc_|.
   int ResolveProc(const HostPortPair& host,
+                  const NetworkIsolationKey& network_isolation_key,
                   AddressFamily requested_address_family,
                   HostResolverFlags flags,
                   HostResolverSource source,
@@ -247,6 +269,7 @@ class MockHostResolverBase
   void RemoveCancelledListener(MdnsListenerImpl* listener);
 
   RequestPriority last_request_priority_;
+  base::Optional<NetworkIsolationKey> last_request_network_isolation_key_;
   base::Optional<DnsConfig::SecureDnsMode> last_secure_dns_mode_override_;
   bool synchronous_mode_;
   bool ondemand_mode_;
@@ -263,6 +286,7 @@ class MockHostResolverBase
   // RemoveCancelledListener().
   RequestMap requests_;
   size_t next_request_id_;
+  ProbeRequestImpl* doh_probe_request_ = nullptr;
   std::set<MdnsListenerImpl*> listeners_;
 
   size_t num_resolve_;
@@ -378,6 +402,9 @@ class RuleBasedHostResolverProc : public HostResolverProc {
   // Simulate a lookup failure for |host| (it also can be a pattern).
   void AddSimulatedFailure(const std::string& host);
 
+  // Simulate a lookup timeout failure for |host| (it also can be a pattern).
+  void AddSimulatedTimeoutFailure(const std::string& host);
+
   // Deletes all the rules that have been added.
   void ClearRules();
 
@@ -396,6 +423,7 @@ class RuleBasedHostResolverProc : public HostResolverProc {
   struct Rule {
     enum ResolverType {
       kResolverTypeFail,
+      kResolverTypeFailTimeout,
       // TODO(mmenke): Is it really reasonable for a "mock" host resolver to
       // fall back to the system resolver?
       kResolverTypeSystem,
@@ -451,16 +479,30 @@ class HangingHostResolver : public HostResolver {
   void OnShutdown() override;
   std::unique_ptr<ResolveHostRequest> CreateRequest(
       const HostPortPair& host,
+      const NetworkIsolationKey& network_isolation_key,
       const NetLogWithSource& net_log,
       const base::Optional<ResolveHostParameters>& optional_parameters)
       override;
 
+  std::unique_ptr<ProbeRequest> CreateDohProbeRequest() override;
+
   // Use to detect cancellations since there's otherwise no externally-visible
   // differentiation between a cancelled and a hung task.
   int num_cancellations() const { return num_cancellations_; }
 
+  // Return the corresponding values passed to the most recent call to
+  // CreateRequest()
+  const HostPortPair& last_host() const { return last_host_; }
+  const NetworkIsolationKey& last_network_isolation_key() const {
+    return last_network_isolation_key_;
+  }
+
  private:
   class RequestImpl;
+  class ProbeRequestImpl;
+
+  HostPortPair last_host_;
+  NetworkIsolationKey last_network_isolation_key_;
 
   int num_cancellations_ = 0;
   bool shutting_down_ = false;
diff --git a/chromium/net/dns/public/BUILD.gn b/chromium/net/dns/public/BUILD.gn
index 9617ed066d4..e1ce365c93e 100644
--- a/chromium/net/dns/public/BUILD.gn
+++ b/chromium/net/dns/public/BUILD.gn
@@ -17,6 +17,8 @@ source_set("public") {
     "dns_protocol.h",
     "dns_query_type.cc",
     "dns_query_type.h",
+    "resolve_error_info.cc",
+    "resolve_error_info.h",
     "util.cc",
     "util.h",
   ]
diff --git a/chromium/net/dns/public/dns_query_type.h b/chromium/net/dns/public/dns_query_type.h
index c00d591fc67..7d407a62d01 100644
--- a/chromium/net/dns/public/dns_query_type.h
+++ b/chromium/net/dns/public/dns_query_type.h
@@ -13,11 +13,21 @@ namespace net {
 // DNS query type for HostResolver requests.
 // See:
 // https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml#dns-parameters-4
-enum class DnsQueryType { UNSPECIFIED, A, AAAA, TXT, PTR, SRV, MAX = SRV };
+enum class DnsQueryType {
+  UNSPECIFIED,
+  A,
+  AAAA,
+  TXT,
+  PTR,
+  SRV,
+  ESNI,
+  MAX = ESNI
+};
 
 const DnsQueryType kDnsQueryTypes[] = {
     DnsQueryType::UNSPECIFIED, DnsQueryType::A,   DnsQueryType::AAAA,
-    DnsQueryType::TXT,         DnsQueryType::PTR, DnsQueryType::SRV};
+    DnsQueryType::TXT,         DnsQueryType::PTR, DnsQueryType::SRV,
+    DnsQueryType::ESNI};
 
 static_assert(base::size(kDnsQueryTypes) ==
                   static_cast<unsigned>(DnsQueryType::MAX) + 1,
diff --git a/chromium/net/dns/public/resolve_error_info.cc b/chromium/net/dns/public/resolve_error_info.cc
new file mode 100644
index 00000000000..9a1b499ee60
--- /dev/null
+++ b/chromium/net/dns/public/resolve_error_info.cc
@@ -0,0 +1,34 @@
+// Copyright (c) 2019 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "net/dns/public/resolve_error_info.h"
+
+namespace net {
+
+ResolveErrorInfo::ResolveErrorInfo() {}
+
+ResolveErrorInfo::ResolveErrorInfo(int resolve_error) {
+  error = resolve_error;
+}
+
+ResolveErrorInfo::ResolveErrorInfo(const ResolveErrorInfo& resolve_error_info) =
+    default;
+
+ResolveErrorInfo::ResolveErrorInfo(ResolveErrorInfo&& other) = default;
+
+ResolveErrorInfo& ResolveErrorInfo::operator=(const ResolveErrorInfo& other) =
+    default;
+
+ResolveErrorInfo& ResolveErrorInfo::operator=(ResolveErrorInfo&& other) =
+    default;
+
+bool ResolveErrorInfo::operator==(const ResolveErrorInfo& other) const {
+  return error == other.error;
+}
+
+bool ResolveErrorInfo::operator!=(const ResolveErrorInfo& other) const {
+  return !(*this == other);
+}
+
+}  // namespace net
diff --git a/chromium/net/dns/public/resolve_error_info.h b/chromium/net/dns/public/resolve_error_info.h
new file mode 100644
index 00000000000..b108fa7936d
--- /dev/null
+++ b/chromium/net/dns/public/resolve_error_info.h
@@ -0,0 +1,31 @@
+// Copyright (c) 2019 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef NET_DNS_PUBLIC_RESOLVE_ERROR_INFO_H_
+#define NET_DNS_PUBLIC_RESOLVE_ERROR_INFO_H_
+
+#include "net/base/net_errors.h"
+#include "net/base/net_export.h"
+
+namespace net {
+
+// Host resolution error info.
+struct NET_EXPORT ResolveErrorInfo {
+  ResolveErrorInfo();
+  ResolveErrorInfo(int resolve_error);
+  ResolveErrorInfo(const ResolveErrorInfo& resolve_error_info);
+  ResolveErrorInfo(ResolveErrorInfo&& other);
+
+  ResolveErrorInfo& operator=(const ResolveErrorInfo& other);
+  ResolveErrorInfo& operator=(ResolveErrorInfo&& other);
+
+  bool operator==(const ResolveErrorInfo& other) const;
+  bool operator!=(const ResolveErrorInfo& other) const;
+
+  int error = net::OK;
+};
+
+}  // namespace net
+
+#endif  // NET_DNS_PUBLIC_RESOLVE_ERROR_INFO_H_
diff --git a/chromium/net/dns/record_parsed.cc b/chromium/net/dns/record_parsed.cc
index d5492e619ad..8b77b6664c9 100644
--- a/chromium/net/dns/record_parsed.cc
+++ b/chromium/net/dns/record_parsed.cc
@@ -62,6 +62,9 @@ std::unique_ptr<const RecordParsed> RecordParsed::CreateFrom(
     case OptRecordRdata::kType:
       rdata = OptRecordRdata::Create(record.rdata, *parser);
       break;
+    case EsniRecordRdata::kType:
+      rdata = EsniRecordRdata::Create(record.rdata, *parser);
+      break;
     default:
       DVLOG(1) << "Unknown RData type for received record: " << record.type;
       return std::unique_ptr<const RecordParsed>();
diff --git a/chromium/net/dns/record_rdata_unittest.cc b/chromium/net/dns/record_rdata_unittest.cc
index eb8e4763389..e245c67be05 100644
--- a/chromium/net/dns/record_rdata_unittest.cc
+++ b/chromium/net/dns/record_rdata_unittest.cc
@@ -9,6 +9,7 @@
 
 #include "base/big_endian.h"
 #include "net/dns/dns_response.h"
+#include "net/dns/dns_test_util.h"
 #include "net/test/gtest_util.h"
 #include "testing/gmock/include/gmock/gmock.h"
 #include "testing/gtest/include/gtest/gtest.h"
@@ -129,14 +130,6 @@ TEST(RecordRdataTest, ParseCnameRecord) {
   ASSERT_TRUE(record_obj->IsEqual(record_obj.get()));
 }
 
-// Cribbed from boringssl SSLTest.ESNIKeysDeserialize (CL 37704/13)
-const char kWellFormedEsniKeys[] = {
-    0xff, 0x3,  0x0,  0x0,  0x0,  0x24, 0x0,  0x1d, 0x0,  0x20,
-    0xed, 0xed, 0xc8, 0x68, 0xc1, 0x71, 0xd6, 0x9e, 0xa9, 0xf0,
-    0xa2, 0xc9, 0xf5, 0xa9, 0xdc, 0xcf, 0xf9, 0xb8, 0xed, 0x15,
-    0x5c, 0xc4, 0x5a, 0xec, 0x6f, 0xb2, 0x86, 0x14, 0xb7, 0x71,
-    0x1b, 0x7c, 0x0,  0x2,  0x13, 0x1,  0x1,  0x4,  0x0,  0x0};
-
 // Appends a well-formed ESNIKeys struct to the stream owned by "writer".
 // Returns the length, in bytes, of this struct, or 0 on error.
 //
@@ -144,7 +137,7 @@ const char kWellFormedEsniKeys[] = {
 // ESNIKeys struct has positive length.)
 void AppendWellFormedEsniKeys(base::BigEndianWriter* writer) {
   CHECK(writer);
-  writer->WriteBytes(kWellFormedEsniKeys, sizeof(kWellFormedEsniKeys));
+  writer->WriteBytes(kWellFormedEsniKeys, kWellFormedEsniKeysSize);
 }
 
 // This helper checks |keys| against the well-formed sample ESNIKeys
@@ -152,8 +145,8 @@ void AppendWellFormedEsniKeys(base::BigEndianWriter* writer) {
 // kWellFormedEsniKeys to a StringPiece (it's a byte array, not a
 // null-terminated string).
 void ExpectMatchesSampleKeys(base::StringPiece keys) {
-  EXPECT_EQ(keys, base::StringPiece(kWellFormedEsniKeys,
-                                    sizeof(kWellFormedEsniKeys)));
+  EXPECT_EQ(keys,
+            base::StringPiece(kWellFormedEsniKeys, kWellFormedEsniKeysSize));
 }
 
 // Appends an IP address in network byte order, prepended by one byte
@@ -217,7 +210,7 @@ TEST(RecordRdataTest, ParseEsniRecordNoExtensions) {
   ASSERT_THAT(record_obj, NotNull());
   EXPECT_TRUE(record_obj->IsEqual(record_obj.get()));
   EXPECT_EQ(record_obj->esni_keys(),
-            std::string(kWellFormedEsniKeys, sizeof(kWellFormedEsniKeys)));
+            std::string(kWellFormedEsniKeys, kWellFormedEsniKeysSize));
   EXPECT_EQ(record_obj->Type(), dns_protocol::kExperimentalTypeEsniDraft4);
 }
 
diff --git a/chromium/net/docs/bug-triage.md b/chromium/net/docs/bug-triage.md
index 4be9c9474e1..25348795d97 100644
--- a/chromium/net/docs/bug-triage.md
+++ b/chromium/net/docs/bug-triage.md
@@ -14,8 +14,8 @@ generating and modifying shifts
 
 ### Required, in rough order of priority:
 * Identify new network bugs on the tracker.
-* Investigate recent Internals>Network issues with no subcomponent.
-* Follow up on Needs-Feedback issues for all network components.
+* Investigate recent `Internals>Network` issues with no subcomponent.
+* Follow up on `Needs-Feedback` issues for all network components.
 * Identify and file bugs for significant new crashers.
 
 ### Best effort, also in rough priority order:
@@ -42,7 +42,7 @@ uniform, predictable two day commitment for all triagers.
     for suspected network bugs, a network component assigned and a
     chrome://net-export/ log requested.  Suggested text: "Please collect and
     attach a chrome://net-export log. Instructions can be found here:
-    https://sites.google.com/a/chromium.org/dev/for-testers/providing-network-details".
+    https://chromium.org/for-testers/providing-network-details".
     A link to the instructions appears on net-export, for easy reference.
     When asking for a log or more details, attach the Needs-Feedback label.
 
@@ -55,16 +55,16 @@ uniform, predictable two day commitment for all triagers.
   and major crashers.  This will generally take up the majority of your time as
   triager. Continue digging until you can do one of the following:
 
-    * Mark it as *WontFix* (working as intended, obsolete issue) or a
+    * Mark it as `WontFix` (working as intended, obsolete issue) or a
       duplicate.
 
     * Mark it as a feature request.
 
-    * Mark it as Needs-Feedback.
+    * Mark it as `Needs-Feedback`.
 
-    * Remove the Internals>Network component, replacing it with at least one
+    * Remove the `Internals>Network` component, replacing it with at least one
       more specific network component or non-network component. Replacing the
-      Internals>Network component gets it off the next triager's radar, and
+      `Internals>Network` component gets it off the next triager's radar, and
       in front of someone more familiar with the relevant code.  Note that
       due to the way the bug report wizard works, a lot of bugs incorrectly end
       up with the network component.
@@ -83,7 +83,7 @@ uniform, predictable two day commitment for all triagers.
     * Remove label once feedback is provided.  Continue to investigate, if
       the previous section applies.
 
-    * If the Needs-Feedback label has been present for one week, ping the
+    * If the `Needs-Feedback` label has been present for one week, ping the
       reporter.
 
     * Archive after two weeks with no feedback, telling users to file a new
@@ -95,7 +95,7 @@ uniform, predictable two day commitment for all triagers.
 
 ### Best Effort (As you have time):
 
-* Investigate old bugs, and bugs associated with Internals>Network
+* Investigate old bugs, and bugs associated with `Internals>Network`
   subcomponents.
 
 * Investigate unowned and owned but forgotten net/ crashers that are still
diff --git a/chromium/net/docs/code-patterns.md b/chromium/net/docs/code-patterns.md
index 2b89459a220..97ee64a6c31 100644
--- a/chromium/net/docs/code-patterns.md
+++ b/chromium/net/docs/code-patterns.md
@@ -210,7 +210,7 @@ The characteristics of the DoLoop pattern are:
                result = DoLoop(result);
 
                if (result != ERR_IO_PENDING && !callback_.is_null())
-                 base::ResetAndReturn(&callback_).Run(result);
+                 std::move(callback_).Run(result);
              }
     
 *   The DoLoop pattern has no concept of different events arriving for
diff --git a/chromium/net/docs/life-of-a-feature.md b/chromium/net/docs/life-of-a-feature.md
index 5d5b7831cda..54ddd50b7fc 100644
--- a/chromium/net/docs/life-of-a-feature.md
+++ b/chromium/net/docs/life-of-a-feature.md
@@ -224,8 +224,7 @@ callback may result in the deletion of the current (calling) object. As
 further expanded upon in [Code Patterns](code-patterns.md), features and
 changes should be designed such that any callback invocation is the last
 bit of code executed, and that the callback is accessed via the stack (such
-as through the use of either `base::ResetAndReturn(callback_).Run()` or
-`std::move(callback_).Run()`.
+as through the use of `std::move(callback_).Run()`.
 
 ### Specs: What Are They Good For
 
diff --git a/chromium/net/docs/proxy.md b/chromium/net/docs/proxy.md
index 967f79aa894..b401ad13687 100644
--- a/chromium/net/docs/proxy.md
+++ b/chromium/net/docs/proxy.md
@@ -808,3 +808,33 @@ after finding the first candidate IP, so multiple IPs may be returned.
 Note that short-circuiting happens whenever steps 1-3 find a candidate IP. So
 for example if at least one IP address was discovered by checking routes to
 public Internet, only those IPs will be returned, and steps 2-3 will not run.
+
+## Android quirks
+
+Proxy resolving via PAC works differently on Android than other desktop Chrome
+platforms:
+
+* Android Chrome uses the same Chromium PAC resolver, however does not run it
+  out-of-process as on Desktop Chrome. This architectural difference is
+  due to the higher process cost on Android, and means Android Chrome is more
+  susceptible to malicious PAC scripts. The other consequence is that Android
+  Chrome can have distinct regressions from Desktop Chrome as the service setup
+  is quite different (and most `browser_tests` are not run on Android either).
+
+* [WebView does not use Chrome's PAC
+  resolver](https://bugs.chromium.org/p/chromium/issues/detail?id=989667).
+  Instead Android WebView uses the Android system's PAC resolver, which is less
+  optimized and uses an old build of V8. When the system is configured to use
+  PAC, Android WebView's net code will see the proxy settings as being a
+  single HTTP proxy on `localhost`. The system localhost proxy will in turn
+  evaluate the PAC script and forward the HTTP request on to the resolved
+  proxy. This translation has a number of effects, including what proxy
+  schemes are supported, the maximum connection limits, how proxy fallback
+  works, and overall performance (the current Android PAC evaluator blocks on
+  DNS).
+
+* Android system log messages for `PacProcessor` are not related to Chrome or
+  its PAC evaluator. Rather, these are log messages generated by the Android
+  system's PAC implementation. This confusion can arise when users add
+  `alert()` to debug PAC script logic, and then refer to output in `logcat` to
+  try and diagnose a resolving issue in Android Chrome.
diff --git a/chromium/net/extras/sqlite/OWNERS b/chromium/net/extras/sqlite/OWNERS
index 5b2fdf3f2f4..3929ea0912f 100644
--- a/chromium/net/extras/sqlite/OWNERS
+++ b/chromium/net/extras/sqlite/OWNERS
@@ -1 +1,7 @@
 pwnall@chromium.org
+
+per-file sqlite_persistent_cookie_store*=file://net/cookies/OWNERS
+per-file sqlite_persistent_reporting_and_nel_store*=file://net/reporting/OWNERS
+per-file sqlite_persistent_reporting_and_nel_store*=file://net/network_error_logging/OWNERS
+
+# Component: Internals>Storage
diff --git a/chromium/net/extras/sqlite/sqlite_persistent_cookie_store.cc b/chromium/net/extras/sqlite/sqlite_persistent_cookie_store.cc
index 289f6a33dcf..26ed5f2ad0d 100644
--- a/chromium/net/extras/sqlite/sqlite_persistent_cookie_store.cc
+++ b/chromium/net/extras/sqlite/sqlite_persistent_cookie_store.cc
@@ -158,6 +158,7 @@ namespace {
 
 // Version number of the database.
 //
+// Version 12 - 2019/11/20 - https://crrev.com/c/1898301
 // Version 11 - 2019/04/17 - https://crrev.com/c/1570416
 // Version 10 - 2018/02/13 - https://crrev.com/c/906675
 // Version 9  - 2015/04/17 - https://codereview.chromium.org/1083623003
@@ -169,11 +170,16 @@ namespace {
 // Version 5  - 2011/12/05 - https://codereview.chromium.org/8533013
 // Version 4  - 2009/09/01 - https://codereview.chromium.org/183021
 //
+// Version 12 adds a column for "source_scheme" to store whether the
+// cookie was set from a URL with a cryptographic scheme.
+//
 // Version 11 renames the "firstpartyonly" column to "samesite", and changes any
 // stored values of kCookieSameSiteNoRestriction into
 // kCookieSameSiteUnspecified to reflect the fact that those cookies were set
-// without a SameSite attribute specified. A value of kCookieSameSiteExtended
-// for "samesite" is now also supported.
+// without a SameSite attribute specified. Support for a value of
+// kCookieSameSiteExtended for "samesite" was added, however, that value is now
+// deprecated and is mapped to CookieSameSite::UNSPECIFIED when loading from the
+// database.
 //
 // Version 10 removes the uniqueness constraint on the creation time (which
 // was not propagated up the stack and caused problems in
@@ -215,8 +221,8 @@ namespace {
 // Version 3 updated the database to include the last access time, so we can
 // expire them in decreasing order of use when we've reached the maximum
 // number of cookies.
-const int kCurrentVersionNumber = 11;
-const int kCompatibleVersionNumber = 11;
+const int kCurrentVersionNumber = 12;
+const int kCompatibleVersionNumber = 12;
 
 }  // namespace
 
@@ -269,8 +275,9 @@ class SQLitePersistentCookieStore::Backend
   void LoadCookiesForKey(const std::string& domain,
                          LoadedCallback loaded_callback);
 
-  // Steps through all results of |smt|, makes a cookie from each, and adds the
-  // cookie to |cookies|. Returns true if everything loaded successfully.
+  // Steps through all results of |statement|, makes a cookie from each, and
+  // adds the cookie to |cookies|. Returns true if everything loaded
+  // successfully.
   bool MakeCookiesFromSQLStatement(
       std::vector<std::unique_ptr<CanonicalCookie>>* cookies,
       sql::Statement* statement);
@@ -477,6 +484,7 @@ enum DBCookieSameSite {
   kCookieSameSiteNoRestriction = 0,
   kCookieSameSiteLax = 1,
   kCookieSameSiteStrict = 2,
+  // Deprecated, mapped to kCookieSameSiteUnspecified.
   kCookieSameSiteExtended = 3
 };
 
@@ -488,8 +496,6 @@ DBCookieSameSite CookieSameSiteToDBCookieSameSite(CookieSameSite value) {
       return kCookieSameSiteLax;
     case CookieSameSite::STRICT_MODE:
       return kCookieSameSiteStrict;
-    case CookieSameSite::EXTENDED_MODE:
-      return kCookieSameSiteExtended;
     case CookieSameSite::UNSPECIFIED:
       return kCookieSameSiteUnspecified;
   }
@@ -507,9 +513,8 @@ CookieSameSite DBCookieSameSiteToCookieSameSite(DBCookieSameSite value) {
     case kCookieSameSiteStrict:
       samesite = CookieSameSite::STRICT_MODE;
       break;
+    // SameSite=Extended is deprecated, so we map to UNSPECIFIED.
     case kCookieSameSiteExtended:
-      samesite = CookieSameSite::EXTENDED_MODE;
-      break;
     case kCookieSameSiteUnspecified:
       samesite = CookieSameSite::UNSPECIFIED;
       break;
@@ -517,6 +522,19 @@ CookieSameSite DBCookieSameSiteToCookieSameSite(DBCookieSameSite value) {
   return samesite;
 }
 
+CookieSourceScheme DBToCookieSourceScheme(int value) {
+  int enum_max_value = static_cast<int>(CookieSourceScheme::kMaxValue);
+
+  if (value < 0 || value > enum_max_value) {
+    DLOG(WARNING) << "DB read of cookie's source scheme is invalid. Resetting "
+                     "value to unset.";
+    value = static_cast<int>(
+        CookieSourceScheme::kUnset);  // Reset value to a known, useful, state.
+  }
+
+  return static_cast<CookieSourceScheme>(value);
+}
+
 // Increments a specified TimeDelta by the duration between this object's
 // constructor and destructor. Not thread safe. Multiple instances may be
 // created with the same delta instance as long as their lifetimes are nested.
@@ -598,6 +616,38 @@ bool CreateV11Schema(sql::Database* db) {
   return true;
 }
 
+// Initializes the cookies table, returning true on success.
+// The table cannot exist when calling this function.
+bool CreateV12Schema(sql::Database* db) {
+  DCHECK(!db->DoesTableExist("cookies"));
+
+  std::string stmt(base::StringPrintf(
+      "CREATE TABLE cookies("
+      "creation_utc INTEGER NOT NULL,"
+      "host_key TEXT NOT NULL,"
+      "name TEXT NOT NULL,"
+      "value TEXT NOT NULL,"
+      "path TEXT NOT NULL,"
+      "expires_utc INTEGER NOT NULL,"
+      "is_secure INTEGER NOT NULL,"
+      "is_httponly INTEGER NOT NULL,"
+      "last_access_utc INTEGER NOT NULL,"
+      "has_expires INTEGER NOT NULL DEFAULT 1,"
+      "is_persistent INTEGER NOT NULL DEFAULT 1,"
+      "priority INTEGER NOT NULL DEFAULT %d,"
+      "encrypted_value BLOB DEFAULT '',"
+      "samesite INTEGER NOT NULL DEFAULT %d,"
+      "source_scheme INTEGER NOT NULL DEFAULT %d,"
+      "UNIQUE (host_key, name, path))",
+      CookiePriorityToDBCookiePriority(COOKIE_PRIORITY_DEFAULT),
+      CookieSameSiteToDBCookieSameSite(CookieSameSite::UNSPECIFIED),
+      static_cast<int>(CookieSourceScheme::kUnset)));
+  if (!db->Execute(stmt.c_str()))
+    return false;
+
+  return true;
+}
+
 }  // namespace
 
 void SQLitePersistentCookieStore::Backend::Load(
@@ -751,7 +801,7 @@ bool SQLitePersistentCookieStore::Backend::CreateDatabaseSchema() {
   if (db()->DoesTableExist("cookies"))
     return true;
 
-  return CreateV11Schema(db());
+  return CreateV12Schema(db());
 }
 
 bool SQLitePersistentCookieStore::Backend::DoInitializeDatabase() {
@@ -823,20 +873,23 @@ bool SQLitePersistentCookieStore::Backend::LoadCookiesForDomains(
   DCHECK(background_task_runner()->RunsTasksInCurrentSequence());
 
   sql::Statement smt, del_smt;
+  // TODO(chlily): These are out of order with respect to the schema
+  // declaration. Fix this.
   if (restore_old_session_cookies_) {
     smt.Assign(db()->GetCachedStatement(
         SQL_FROM_HERE,
         "SELECT creation_utc, host_key, name, value, encrypted_value, path, "
         "expires_utc, is_secure, is_httponly, samesite, "
-        "last_access_utc, has_expires, is_persistent, priority "
+        "last_access_utc, has_expires, is_persistent, priority, "
+        "source_scheme "
         "FROM cookies WHERE host_key = ?"));
   } else {
     smt.Assign(db()->GetCachedStatement(
         SQL_FROM_HERE,
         "SELECT creation_utc, host_key, name, value, encrypted_value, path, "
         "expires_utc, is_secure, is_httponly, samesite, last_access_utc, "
-        "has_expires, is_persistent, priority FROM cookies WHERE host_key = ? "
-        "AND is_persistent = 1"));
+        "has_expires, is_persistent, priority, source_scheme "
+        "FROM cookies WHERE host_key = ? AND is_persistent = 1"));
   }
   del_smt.Assign(db()->GetCachedStatement(
       SQL_FROM_HERE, "DELETE FROM cookies WHERE host_key = ?"));
@@ -909,12 +962,13 @@ bool SQLitePersistentCookieStore::Backend::MakeCookiesFromSQLStatement(
         Time::FromInternalValue(smt.ColumnInt64(0)),   // creation_utc
         Time::FromInternalValue(smt.ColumnInt64(6)),   // expires_utc
         Time::FromInternalValue(smt.ColumnInt64(10)),  // last_access_utc
-        smt.ColumnInt(7) != 0,                         // secure
-        smt.ColumnInt(8) != 0,                         // http_only
+        smt.ColumnBool(7),                             // secure
+        smt.ColumnBool(8),                             // http_only
         DBCookieSameSiteToCookieSameSite(
             static_cast<DBCookieSameSite>(smt.ColumnInt(9))),  // samesite
         DBCookiePriorityToCookiePriority(
-            static_cast<DBCookiePriority>(smt.ColumnInt(13)))));  // priority
+            static_cast<DBCookiePriority>(smt.ColumnInt(13))),  // priority
+        DBToCookieSourceScheme(smt.ColumnInt(14))));            // source_scheme
     DLOG_IF(WARNING, cc->CreationDate() > Time::Now())
         << L"CreationDate too recent";
     if (cc->IsCanonical()) {
@@ -1021,6 +1075,26 @@ SQLitePersistentCookieStore::Backend::DoMigrateDatabaseSchema() {
     transaction.Commit();
   }
 
+  if (cur_version == 11) {
+    SCOPED_UMA_HISTOGRAM_TIMER("Cookie.TimeDatabaseMigrationToV12");
+    sql::Transaction transaction(db());
+    if (!transaction.Begin())
+      return base::nullopt;
+
+    std::string update_stmt(
+        base::StringPrintf("ALTER TABLE cookies ADD COLUMN source_scheme "
+                           "INTEGER NOT NULL DEFAULT %d;",
+                           static_cast<int>(CookieSourceScheme::kUnset)));
+    if (!db()->Execute(update_stmt.c_str()))
+      return base::nullopt;
+
+    ++cur_version;
+    meta_table()->SetVersionNumber(cur_version);
+    meta_table()->SetCompatibleVersionNumber(
+        std::min(cur_version, kCompatibleVersionNumber));
+    transaction.Commit();
+  }
+
   // Put future migration cases here.
 
   return base::make_optional(cur_version);
@@ -1123,8 +1197,9 @@ void SQLitePersistentCookieStore::Backend::DoCommit() {
       // declaration. Fix this.
       "INSERT INTO cookies (creation_utc, host_key, name, value, "
       "encrypted_value, path, expires_utc, is_secure, is_httponly, "
-      "samesite, last_access_utc, has_expires, is_persistent, priority) "
-      "VALUES (?,?,?,?,?,?,?,?,?,?,?,?,?,?)"));
+      "samesite, last_access_utc, has_expires, is_persistent, priority,"
+      "source_scheme) "
+      "VALUES (?,?,?,?,?,?,?,?,?,?,?,?,?,?,?)"));
   if (!add_smt.is_valid())
     return;
 
@@ -1184,6 +1259,7 @@ void SQLitePersistentCookieStore::Backend::DoCommit() {
           add_smt.BindInt(12, po->cc().IsPersistent());
           add_smt.BindInt(
               13, CookiePriorityToDBCookiePriority(po->cc().Priority()));
+          add_smt.BindInt(14, static_cast<int>(po->cc().SourceScheme()));
           if (!add_smt.Run()) {
             DLOG(WARNING) << "Could not add a cookie to the DB.";
             RecordCookieCommitProblem(COOKIE_COMMIT_PROBLEM_ADD);
diff --git a/chromium/net/extras/sqlite/sqlite_persistent_cookie_store_unittest.cc b/chromium/net/extras/sqlite/sqlite_persistent_cookie_store_unittest.cc
index 25edec09a82..51c933be895 100644
--- a/chromium/net/extras/sqlite/sqlite_persistent_cookie_store_unittest.cc
+++ b/chromium/net/extras/sqlite/sqlite_persistent_cookie_store_unittest.cc
@@ -217,7 +217,7 @@ class SQLitePersistentCookieStoreTest : public TestWithTaskEnvironment {
   base::ScopedTempDir temp_dir_;
   scoped_refptr<SQLitePersistentCookieStore> store_;
   std::unique_ptr<CookieCryptor> cookie_crypto_delegate_;
-  BoundTestNetLog net_log_;
+  RecordingBoundTestNetLog net_log_;
 };
 
 TEST_F(SQLitePersistentCookieStoreTest, TestInvalidMetaTableRecovery) {
@@ -388,7 +388,7 @@ TEST_F(SQLitePersistentCookieStoreTest, TestLoadCookiesForKey) {
   background_task_runner_->PostTask(
       FROM_HERE, base::BindOnce(&SQLitePersistentCookieStoreTest::WaitOnDBEvent,
                                 base::Unretained(this)));
-  BoundTestNetLog net_log;
+  RecordingBoundTestNetLog net_log;
   store_->Load(base::BindOnce(&SQLitePersistentCookieStoreTest::OnLoaded,
                               base::Unretained(this)),
                net_log.bound());
@@ -761,7 +761,7 @@ TEST_F(SQLitePersistentCookieStoreTest, SameSiteIsPersistent) {
 
   InitializeStore(false, true);
 
-  // Add a non-samesite cookie.
+  // Add a non-samesite persistent cookie.
   store_->AddCookie(CanonicalCookie(
       kNoneName, kCookieValue, kDomain, kCookiePath,
       base::Time::Now() - base::TimeDelta::FromMinutes(1),
@@ -805,8 +805,47 @@ TEST_F(SQLitePersistentCookieStoreTest, SameSiteIsPersistent) {
 
   ASSERT_EQ(1u, cookie_map.count(kStrictName));
   EXPECT_EQ(CookieSameSite::STRICT_MODE, cookie_map[kStrictName]->SameSite());
+}
 
-  cookies.clear();
+TEST_F(SQLitePersistentCookieStoreTest, SameSiteExtendedTreatedAsUnspecified) {
+  constexpr char kDomain[] = "sessioncookie.com";
+  constexpr char kExtendedName[] = "extended";
+  constexpr char kCookieValue[] = "value";
+  constexpr char kCookiePath[] = "/";
+
+  InitializeStore(false, true);
+
+  // Add an extended-samesite persistent cookie by first adding a strict-same
+  // site cookie, then turning that into the legacy extended-samesite state with
+  // direct SQL DB access.
+  store_->AddCookie(CanonicalCookie(
+      kExtendedName, kCookieValue, kDomain, kCookiePath,
+      base::Time::Now() - base::TimeDelta::FromMinutes(1),
+      base::Time::Now() + base::TimeDelta::FromDays(1), base::Time(), false,
+      false, CookieSameSite::STRICT_MODE, COOKIE_PRIORITY_DEFAULT));
+
+  // Force the store to write its data to the disk.
+  DestroyStore();
+
+  // Open db
+  sql::Database connection;
+  ASSERT_TRUE(connection.Open(temp_dir_.GetPath().Append(kCookieFilename)));
+  std::string update_stmt(
+      "UPDATE cookies SET samesite=3"  // 3 is Extended.
+      " WHERE samesite=2"              // 2 is Strict.
+  );
+  ASSERT_TRUE(connection.Execute(update_stmt.c_str()));
+  connection.Close();
+
+  // Create a store that loads session cookie and test that the
+  // SameSite=Extended attribute values is ignored.
+  CanonicalCookieVector cookies;
+  CreateAndLoad(false, true, &cookies);
+  ASSERT_EQ(1U, cookies.size());
+
+  // Validate that the cookie has the correct SameSite.
+  EXPECT_EQ(kExtendedName, cookies[0]->Name());
+  EXPECT_EQ(CookieSameSite::UNSPECIFIED, cookies[0]->SameSite());
 }
 
 TEST_F(SQLitePersistentCookieStoreTest, UpdateToEncryption) {
@@ -1229,17 +1268,17 @@ TEST_F(SQLitePersistentCookieStoreTest, KeyInconsistency) {
   std::unique_ptr<CookieMonster> cookie_monster =
       std::make_unique<CookieMonster>(store_.get(), nullptr);
   ResultSavingCookieCallback<bool> cookie_scheme_callback1;
-  cookie_monster->SetCookieableSchemes({"gopher", "http"},
+  cookie_monster->SetCookieableSchemes({"ftp", "http"},
                                        cookie_scheme_callback1.MakeCallback());
   cookie_scheme_callback1.WaitUntilDone();
   EXPECT_TRUE(cookie_scheme_callback1.result());
   ResultSavingCookieCallback<CanonicalCookie::CookieInclusionStatus>
       set_cookie_callback;
   auto cookie = CanonicalCookie::Create(
-      GURL("gopher://subdomain.gopheriffic.com/page"), "A=B; max-age=3600",
+      GURL("ftp://subdomain.ftperiffic.com/page"), "A=B; max-age=3600",
       base::Time::Now(), base::nullopt /* server_time */);
   cookie_monster->SetCanonicalCookieAsync(
-      std::move(cookie), "gopher", CookieOptions(),
+      std::move(cookie), "ftp", CookieOptions::MakeAllInclusive(),
       base::BindOnce(&ResultSavingCookieCallback<
                          CanonicalCookie::CookieInclusionStatus>::Run,
                      base::Unretained(&set_cookie_callback)));
@@ -1256,7 +1295,7 @@ TEST_F(SQLitePersistentCookieStoreTest, KeyInconsistency) {
         "A=B; max-age=3600", base::Time::Now(),
         base::nullopt /* server_time */);
     cookie_monster->SetCanonicalCookieAsync(
-        std::move(canonical_cookie), "http", CookieOptions(),
+        std::move(canonical_cookie), "http", CookieOptions::MakeAllInclusive(),
         base::BindOnce(&ResultSavingCookieCallback<
                            CanonicalCookie::CookieInclusionStatus>::Run,
                        base::Unretained(&set_cookie_callback2)));
@@ -1276,7 +1315,7 @@ TEST_F(SQLitePersistentCookieStoreTest, KeyInconsistency) {
   Create(false, false, true /* want current thread to invoke cookie monster */);
   cookie_monster = std::make_unique<CookieMonster>(store_.get(), nullptr);
   ResultSavingCookieCallback<bool> cookie_scheme_callback2;
-  cookie_monster->SetCookieableSchemes({"gopher", "http"},
+  cookie_monster->SetCookieableSchemes({"ftp", "http"},
                                        cookie_scheme_callback2.MakeCallback());
   cookie_scheme_callback2.WaitUntilDone();
   EXPECT_TRUE(cookie_scheme_callback2.result());
@@ -1284,14 +1323,15 @@ TEST_F(SQLitePersistentCookieStoreTest, KeyInconsistency) {
   // Now try to get the cookie back.
   GetCookieListCallback get_callback;
   cookie_monster->GetCookieListWithOptionsAsync(
-      GURL("gopher://subdomain.gopheriffic.com/page"), CookieOptions(),
+      GURL("ftp://subdomain.ftperiffic.com/page"),
+      CookieOptions::MakeAllInclusive(),
       base::BindOnce(&GetCookieListCallback::Run,
                      base::Unretained(&get_callback)));
   get_callback.WaitUntilDone();
   ASSERT_EQ(1u, get_callback.cookies().size());
   EXPECT_EQ("A", get_callback.cookies()[0].Name());
   EXPECT_EQ("B", get_callback.cookies()[0].Value());
-  EXPECT_EQ("subdomain.gopheriffic.com", get_callback.cookies()[0].Domain());
+  EXPECT_EQ("subdomain.ftperiffic.com", get_callback.cookies()[0].Domain());
 }
 
 TEST_F(SQLitePersistentCookieStoreTest, OpsIfInitFailed) {
@@ -1311,7 +1351,7 @@ TEST_F(SQLitePersistentCookieStoreTest, OpsIfInitFailed) {
                                         "A=B; max-age=3600", base::Time::Now(),
                                         base::nullopt /* server_time */);
   cookie_monster->SetCanonicalCookieAsync(
-      std::move(cookie), "http", CookieOptions(),
+      std::move(cookie), "http", CookieOptions::MakeAllInclusive(),
       base::BindOnce(&ResultSavingCookieCallback<
                          CanonicalCookie::CookieInclusionStatus>::Run,
                      base::Unretained(&set_cookie_callback)));
@@ -1439,7 +1479,8 @@ bool CreateV10Schema(sql::Database* db) {
       "is_persistent INTEGER NOT NULL DEFAULT 1,"
       "priority INTEGER NOT NULL DEFAULT 1,"  // COOKIE_PRIORITY_DEFAULT
       "encrypted_value BLOB DEFAULT '',"
-      "firstpartyonly INTEGER NOT NULL DEFAULT 0 "  // NO_RESTRICTION
+      "firstpartyonly INTEGER NOT NULL DEFAULT 0,"  // NO_RESTRICTION
+      "UNIQUE (host_key, name, path)"
       ")");
   if (!db->Execute(stmt.c_str()))
     return false;
@@ -1592,4 +1633,188 @@ TEST_F(SQLitePersistentCookieStoreTest, UpgradeToSchemaVersion11) {
   ConfirmV10CookiesFromDB(std::move(read_in_cookies));
 }
 
+bool CreateV11Schema(sql::Database* db) {
+  sql::MetaTable meta_table;
+  if (!meta_table.Init(db, /* version = */ 11,
+                       /* earliest compatible version = */ 11)) {
+    return false;
+  }
+
+  // Version 11 schema
+  std::string stmt(
+      "CREATE TABLE cookies("
+      "creation_utc INTEGER NOT NULL,"
+      "host_key TEXT NOT NULL,"
+      "name TEXT NOT NULL,"
+      "value TEXT NOT NULL,"
+      "path TEXT NOT NULL,"
+      "expires_utc INTEGER NOT NULL,"
+      "is_secure INTEGER NOT NULL,"
+      "is_httponly INTEGER NOT NULL,"
+      "last_access_utc INTEGER NOT NULL,"
+      "has_expires INTEGER NOT NULL DEFAULT 1,"
+      "is_persistent INTEGER NOT NULL DEFAULT 1,"
+      "priority INTEGER NOT NULL DEFAULT 1,"  // COOKIE_PRIORITY_DEFAULT
+      "encrypted_value BLOB DEFAULT '',"
+      "samesite INTEGER NOT NULL DEFAULT -1,"  // UNSPECIFIED
+      "UNIQUE (host_key, name, path))");
+  if (!db->Execute(stmt.c_str()))
+    return false;
+
+  return true;
+}
+
+bool AddV11CookiesToDBImpl(sql::Database* db,
+                           const std::vector<CanonicalCookie>& cookies);
+
+// Add a selection of cookies to the DB.
+bool AddV11CookiesToDB(sql::Database* db) {
+  static base::Time now = base::Time::Now();
+
+  std::vector<CanonicalCookie> cookies;
+  // Note: These are all constructed with the default value of
+  // is_source_scheme_secure, which is false, but that doesn't matter because
+  // v11 doesn't store that info.
+  cookies.push_back(CanonicalCookie("A", "B", "example.com", "/", now, now, now,
+                                    true /* secure */, false /* httponly */,
+                                    CookieSameSite::UNSPECIFIED,
+                                    COOKIE_PRIORITY_DEFAULT));
+  cookies.push_back(CanonicalCookie("C", "B", "example.com", "/", now, now, now,
+                                    true /* secure */, false /* httponly */,
+                                    CookieSameSite::UNSPECIFIED,
+                                    COOKIE_PRIORITY_DEFAULT));
+  cookies.push_back(
+      CanonicalCookie("A", "B", "example2.com", "/", now, now, now,
+                      true /* secure */, false /* httponly */,
+                      CookieSameSite::UNSPECIFIED, COOKIE_PRIORITY_DEFAULT));
+  cookies.push_back(
+      CanonicalCookie("C", "B", "example2.com", "/", now, now, now,
+                      false /* secure */, false /* httponly */,
+                      CookieSameSite::UNSPECIFIED, COOKIE_PRIORITY_DEFAULT));
+  cookies.push_back(
+      CanonicalCookie("A", "B", "example.com", "/path", now, now, now,
+                      false /* secure */, false /* httponly */,
+                      CookieSameSite::UNSPECIFIED, COOKIE_PRIORITY_DEFAULT));
+  cookies.push_back(
+      CanonicalCookie("C", "B", "example.com", "/path", now, now, now,
+                      false /* secure */, false /* httponly */,
+                      CookieSameSite::UNSPECIFIED, COOKIE_PRIORITY_DEFAULT));
+  return AddV11CookiesToDBImpl(db, cookies);
+}
+
+bool AddV11CookiesToDBImpl(sql::Database* db,
+                           const std::vector<CanonicalCookie>& cookies) {
+  sql::Statement add_smt(db->GetCachedStatement(
+      SQL_FROM_HERE,
+      "INSERT INTO cookies (creation_utc, host_key, name, value, "
+      "encrypted_value, path, expires_utc, is_secure, is_httponly, "
+      "samesite, last_access_utc, has_expires, is_persistent, priority)"
+      "VALUES (?,?,?,?,?,?,?,?,?,?,?,?,?,?)"));
+  if (!add_smt.is_valid())
+    return false;
+  sql::Transaction transaction(db);
+  transaction.Begin();
+  for (size_t i = 0; i < cookies.size(); ++i) {
+    add_smt.Reset(true);
+    add_smt.BindInt64(
+        0,
+        cookies[i].CreationDate().ToDeltaSinceWindowsEpoch().InMicroseconds());
+    add_smt.BindString(1, cookies[i].Domain());
+    add_smt.BindString(2, cookies[i].Name());
+    add_smt.BindString(3, cookies[i].Value());
+    add_smt.BindBlob(4, "", 0);  // encrypted_value
+    add_smt.BindString(5, cookies[i].Path());
+    add_smt.BindInt64(
+        6, cookies[i].ExpiryDate().ToDeltaSinceWindowsEpoch().InMicroseconds());
+    add_smt.BindInt(7, cookies[i].IsSecure());
+    add_smt.BindInt(8, cookies[i].IsHttpOnly());
+    // Note that this and Priority() below nominally rely on the enums in
+    // sqlite_persistent_cookie_store.cc having the same values as the
+    // ones in ../../cookies/cookie_constants.h.  But nothing in this test
+    // relies on that equivalence, so it's not worth the hassle to guarantee
+    // that.
+    add_smt.BindInt(9, static_cast<int>(cookies[i].SameSite()));
+    add_smt.BindInt64(10, cookies[i]
+                              .LastAccessDate()
+                              .ToDeltaSinceWindowsEpoch()
+                              .InMicroseconds());
+    add_smt.BindInt(11, cookies[i].IsPersistent());
+    add_smt.BindInt(12, cookies[i].IsPersistent());
+    add_smt.BindInt(13, static_cast<int>(cookies[i].Priority()));
+    if (!add_smt.Run())
+      return false;
+  }
+  if (!transaction.Commit())
+    return false;
+
+  return true;
+}
+
+// Confirm the cookie list passed in has the above cookies in it.
+void ConfirmV11CookiesFromDB(
+    std::vector<std::unique_ptr<CanonicalCookie>> read_in_cookies) {
+  std::sort(read_in_cookies.begin(), read_in_cookies.end(), &CompareCookies);
+  int i = 0;
+  EXPECT_EQ("A", read_in_cookies[i]->Name());
+  EXPECT_EQ("B", read_in_cookies[i]->Value());
+  EXPECT_EQ("example.com", read_in_cookies[i]->Domain());
+  EXPECT_EQ("/", read_in_cookies[i]->Path());
+  EXPECT_TRUE(read_in_cookies[i]->IsSecure());
+  EXPECT_EQ(CookieSourceScheme::kUnset, read_in_cookies[i]->SourceScheme());
+
+  i++;
+  EXPECT_EQ("A", read_in_cookies[i]->Name());
+  EXPECT_EQ("B", read_in_cookies[i]->Value());
+  EXPECT_EQ("example.com", read_in_cookies[i]->Domain());
+  EXPECT_EQ("/path", read_in_cookies[i]->Path());
+  EXPECT_FALSE(read_in_cookies[i]->IsSecure());
+  EXPECT_EQ(CookieSourceScheme::kUnset, read_in_cookies[i]->SourceScheme());
+
+  i++;
+  EXPECT_EQ("A", read_in_cookies[i]->Name());
+  EXPECT_EQ("B", read_in_cookies[i]->Value());
+  EXPECT_EQ("example2.com", read_in_cookies[i]->Domain());
+  EXPECT_EQ("/", read_in_cookies[i]->Path());
+  EXPECT_TRUE(read_in_cookies[i]->IsSecure());
+  EXPECT_EQ(CookieSourceScheme::kUnset, read_in_cookies[i]->SourceScheme());
+
+  i++;
+  EXPECT_EQ("C", read_in_cookies[i]->Name());
+  EXPECT_EQ("B", read_in_cookies[i]->Value());
+  EXPECT_EQ("example.com", read_in_cookies[i]->Domain());
+  EXPECT_EQ("/", read_in_cookies[i]->Path());
+  EXPECT_TRUE(read_in_cookies[i]->IsSecure());
+  EXPECT_EQ(CookieSourceScheme::kUnset, read_in_cookies[i]->SourceScheme());
+
+  i++;
+  EXPECT_EQ("C", read_in_cookies[i]->Name());
+  EXPECT_EQ("B", read_in_cookies[i]->Value());
+  EXPECT_EQ("example.com", read_in_cookies[i]->Domain());
+  EXPECT_EQ("/path", read_in_cookies[i]->Path());
+  EXPECT_FALSE(read_in_cookies[i]->IsSecure());
+  EXPECT_EQ(CookieSourceScheme::kUnset, read_in_cookies[i]->SourceScheme());
+
+  i++;
+  EXPECT_EQ("C", read_in_cookies[i]->Name());
+  EXPECT_EQ("B", read_in_cookies[i]->Value());
+  EXPECT_EQ("example2.com", read_in_cookies[i]->Domain());
+  EXPECT_EQ("/", read_in_cookies[i]->Path());
+  EXPECT_FALSE(read_in_cookies[i]->IsSecure());
+  EXPECT_EQ(CookieSourceScheme::kUnset, read_in_cookies[i]->SourceScheme());
+}
+
+// Confirm that source_scheme gets added and is set to "Unset".
+TEST_F(SQLitePersistentCookieStoreTest, UpgradeToSchemaVersion12) {
+  // Open db
+  sql::Database connection;
+  ASSERT_TRUE(connection.Open(temp_dir_.GetPath().Append(kCookieFilename)));
+  ASSERT_TRUE(CreateV11Schema(&connection));
+  ASSERT_TRUE(AddV11CookiesToDB(&connection));
+  connection.Close();
+
+  std::vector<std::unique_ptr<CanonicalCookie>> read_in_cookies;
+  CreateAndLoad(false, false, &read_in_cookies);
+  ConfirmV11CookiesFromDB(std::move(read_in_cookies));
+}
+
 }  // namespace net
diff --git a/chromium/net/filter/filter_source_stream.cc b/chromium/net/filter/filter_source_stream.cc
index d3f0189188d..dae553e2eed 100644
--- a/chromium/net/filter/filter_source_stream.cc
+++ b/chromium/net/filter/filter_source_stream.cc
@@ -73,6 +73,10 @@ std::string FilterSourceStream::Description() const {
   return next_type_string + "," + GetTypeAsString();
 }
 
+bool FilterSourceStream::MayHaveMoreBytes() const {
+  return !upstream_end_reached_;
+}
+
 FilterSourceStream::SourceType FilterSourceStream::ParseEncodingType(
     const std::string& encoding) {
   if (encoding.empty()) {
diff --git a/chromium/net/filter/filter_source_stream.h b/chromium/net/filter/filter_source_stream.h
index 75cddc165b9..dadc8ccc36b 100644
--- a/chromium/net/filter/filter_source_stream.h
+++ b/chromium/net/filter/filter_source_stream.h
@@ -32,11 +32,12 @@ class NET_EXPORT_PRIVATE FilterSourceStream : public SourceStream {
 
   ~FilterSourceStream() override;
 
+  // SourceStream implementation.
   int Read(IOBuffer* read_buffer,
            int read_buffer_size,
            CompletionOnceCallback callback) override;
-
   std::string Description() const override;
+  bool MayHaveMoreBytes() const override;
 
   static SourceType ParseEncodingType(const std::string& encoding);
 
diff --git a/chromium/net/filter/fuzzed_source_stream.cc b/chromium/net/filter/fuzzed_source_stream.cc
index 66e2f2877db..81e5cc5fe23 100644
--- a/chromium/net/filter/fuzzed_source_stream.cc
+++ b/chromium/net/filter/fuzzed_source_stream.cc
@@ -73,6 +73,10 @@ std::string FuzzedSourceStream::Description() const {
   return "";
 }
 
+bool FuzzedSourceStream::MayHaveMoreBytes() const {
+  return !end_returned_;
+}
+
 void FuzzedSourceStream::OnReadComplete(CompletionOnceCallback callback,
                                         const std::string& fuzzed_data,
                                         scoped_refptr<IOBuffer> read_buf,
diff --git a/chromium/net/filter/fuzzed_source_stream.h b/chromium/net/filter/fuzzed_source_stream.h
index fea1ee3b218..e87c56ff238 100644
--- a/chromium/net/filter/fuzzed_source_stream.h
+++ b/chromium/net/filter/fuzzed_source_stream.h
@@ -32,6 +32,7 @@ class FuzzedSourceStream : public SourceStream {
            int buffer_size,
            CompletionOnceCallback callback) override;
   std::string Description() const override;
+  bool MayHaveMoreBytes() const override;
 
  private:
   void OnReadComplete(CompletionOnceCallback callback,
diff --git a/chromium/net/filter/gzip_source_stream_fuzzer.cc b/chromium/net/filter/gzip_source_stream_fuzzer.cc
index 7a8c250ae4c..491732eff56 100644
--- a/chromium/net/filter/gzip_source_stream_fuzzer.cc
+++ b/chromium/net/filter/gzip_source_stream_fuzzer.cc
@@ -7,8 +7,8 @@
 #include <fuzzer/FuzzedDataProvider.h>
 
 #include <algorithm>
+#include <memory>
 
-#include "base/logging.h"
 #include "base/memory/ref_counted.h"
 #include "net/base/io_buffer.h"
 #include "net/base/test_completion_callback.h"
@@ -18,16 +18,15 @@
 //
 // |data| is used to create a FuzzedSourceStream.
 extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
-  net::TestCompletionCallback callback;
   FuzzedDataProvider data_provider(data, size);
-  std::unique_ptr<net::FuzzedSourceStream> fuzzed_source_stream(
-      new net::FuzzedSourceStream(&data_provider));
+  auto fuzzed_source_stream =
+      std::make_unique<net::FuzzedSourceStream>(&data_provider);
 
-  // Gzip has a maximum compression ratio of 1032x. While, strictly speaking,
-  // linear, this means the fuzzer will often get stuck. Stop reading at a more
-  // modest compression ratio of 2x, or 512 KiB, whichever is larger. See
-  // https://crbug.com/921075.
-  size_t max_output = std::max(2u * size, static_cast<size_t>(512 * 1024));
+  // Bound the total number of reads. Gzip has a maximum compression ratio of
+  // 1032x. While, strictly speaking, linear, this means the fuzzer will often
+  // get stuck. Bound the number of reads rather than the size of the output
+  // because lots of 1-byte chunks is also a problem.
+  const size_t kMaxReads = 10 * 1024;
 
   const net::SourceStream::SourceType kGzipTypes[] = {
       net::SourceStream::TYPE_GZIP, net::SourceStream::TYPE_DEFLATE};
@@ -35,20 +34,19 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
       data_provider.PickValueInArray(kGzipTypes);
   std::unique_ptr<net::GzipSourceStream> gzip_stream =
       net::GzipSourceStream::Create(std::move(fuzzed_source_stream), type);
-  size_t bytes_read = 0;
-  while (true) {
+  size_t num_reads = 0;
+  while (num_reads < kMaxReads) {
     scoped_refptr<net::IOBufferWithSize> io_buffer =
         base::MakeRefCounted<net::IOBufferWithSize>(64);
+    net::TestCompletionCallback callback;
     int result = gzip_stream->Read(io_buffer.get(), io_buffer->size(),
                                    callback.callback());
+    ++num_reads;
+
     // Releasing the pointer to IOBuffer immediately is more likely to lead to a
     // use-after-free.
     io_buffer = nullptr;
-    result = callback.GetResult(result);
-    if (result <= 0)
-      break;
-    bytes_read += static_cast<size_t>(result);
-    if (bytes_read >= max_output)
+    if (callback.GetResult(result) <= 0)
       break;
   }
 
diff --git a/chromium/net/filter/mock_source_stream.cc b/chromium/net/filter/mock_source_stream.cc
index d225c7bc7fc..2e898360a1c 100644
--- a/chromium/net/filter/mock_source_stream.cc
+++ b/chromium/net/filter/mock_source_stream.cc
@@ -12,12 +12,7 @@
 
 namespace net {
 
-MockSourceStream::MockSourceStream()
-    : SourceStream(SourceStream::TYPE_NONE),
-      read_one_byte_at_a_time_(false),
-      awaiting_completion_(false),
-      dest_buffer_(nullptr),
-      dest_buffer_size_(0) {}
+MockSourceStream::MockSourceStream() : SourceStream(SourceStream::TYPE_NONE) {}
 
 MockSourceStream::~MockSourceStream() {
   DCHECK(!awaiting_completion_);
@@ -53,6 +48,12 @@ std::string MockSourceStream::Description() const {
   return "";
 }
 
+bool MockSourceStream::MayHaveMoreBytes() const {
+  if (always_report_has_more_bytes_)
+    return true;
+  return !results_.empty();
+}
+
 MockSourceStream::QueuedResult::QueuedResult(const char* data,
                                              int len,
                                              Error error,
diff --git a/chromium/net/filter/mock_source_stream.h b/chromium/net/filter/mock_source_stream.h
index 9e341b06400..2f6135f9ff0 100644
--- a/chromium/net/filter/mock_source_stream.h
+++ b/chromium/net/filter/mock_source_stream.h
@@ -35,6 +35,7 @@ class MockSourceStream : public SourceStream {
            int buffer_size,
            CompletionOnceCallback callback) override;
   std::string Description() const override;
+  bool MayHaveMoreBytes() const override;
 
   // Enqueues a result to be returned by |Read|. This method does not make a
   // copy of |data|, so |data| must outlive this object. If |mode| is SYNC,
@@ -55,6 +56,10 @@ class MockSourceStream : public SourceStream {
     read_one_byte_at_a_time_ = read_one_byte_at_a_time;
   }
 
+  void set_always_report_has_more_bytes(bool always_report_has_more_bytes) {
+    always_report_has_more_bytes_ = always_report_has_more_bytes;
+  }
+
   // Returns true if a read is waiting to be completed.
   bool awaiting_completion() const { return awaiting_completion_; }
 
@@ -68,12 +73,13 @@ class MockSourceStream : public SourceStream {
     const Mode mode;
   };
 
-  bool read_one_byte_at_a_time_;
+  bool read_one_byte_at_a_time_ = false;
+  bool always_report_has_more_bytes_ = true;
   base::queue<QueuedResult> results_;
-  bool awaiting_completion_;
+  bool awaiting_completion_ = false;
   scoped_refptr<IOBuffer> dest_buffer_;
   CompletionOnceCallback callback_;
-  int dest_buffer_size_;
+  int dest_buffer_size_ = 0;
 
   DISALLOW_COPY_AND_ASSIGN(MockSourceStream);
 };
diff --git a/chromium/net/filter/source_stream.h b/chromium/net/filter/source_stream.h
index 12d834d6054..1ae74e495bb 100644
--- a/chromium/net/filter/source_stream.h
+++ b/chromium/net/filter/source_stream.h
@@ -54,6 +54,12 @@ class NET_EXPORT_PRIVATE SourceStream {
   // logging.
   virtual std::string Description() const = 0;
 
+  // Returns true if there may be more bytes to read in this source stream.
+  // This is not a guarantee that there are more bytes (in the case that
+  // the stream doesn't know).  However, if this returns false, then the stream
+  // is guaranteed to be complete.
+  virtual bool MayHaveMoreBytes() const = 0;
+
   SourceType type() const { return type_; }
 
  private:
diff --git a/chromium/net/ftp/ftp_directory_listing_parser_unittest.cc b/chromium/net/ftp/ftp_directory_listing_parser_unittest.cc
index 487aa5f0493..de08f994785 100644
--- a/chromium/net/ftp/ftp_directory_listing_parser_unittest.cc
+++ b/chromium/net/ftp/ftp_directory_listing_parser_unittest.cc
@@ -176,7 +176,7 @@ const FtpTestParam kTestParams[] = {
     {"dir-listing-windows-2", OK},
 };
 
-INSTANTIATE_TEST_SUITE_P(,
+INSTANTIATE_TEST_SUITE_P(All,
                          FtpDirectoryListingParserTest,
                          testing::ValuesIn(kTestParams),
                          TestName);
diff --git a/chromium/net/ftp/ftp_network_transaction.cc b/chromium/net/ftp/ftp_network_transaction.cc
index a24102f0b6c..b42305afe41 100644
--- a/chromium/net/ftp/ftp_network_transaction.cc
+++ b/chromium/net/ftp/ftp_network_transaction.cc
@@ -20,6 +20,7 @@
 #include "net/base/escape.h"
 #include "net/base/ip_endpoint.h"
 #include "net/base/net_errors.h"
+#include "net/base/network_isolation_key.h"
 #include "net/base/parse_number.h"
 #include "net/base/port_util.h"
 #include "net/base/url_util.h"
@@ -662,8 +663,11 @@ int FtpNetworkTransaction::DoLoop(int result) {
 int FtpNetworkTransaction::DoCtrlResolveHost() {
   next_state_ = STATE_CTRL_RESOLVE_HOST_COMPLETE;
 
-  resolve_request_ = resolver_->CreateRequest(
-      HostPortPair::FromURL(request_->url), net_log_, base::nullopt);
+  // Using an empty NetworkIsolationKey here, since FTP support is deprecated,
+  // and should go away soon.
+  resolve_request_ =
+      resolver_->CreateRequest(HostPortPair::FromURL(request_->url),
+                               NetworkIsolationKey(), net_log_, base::nullopt);
   return resolve_request_->Start(base::BindOnce(
       &FtpNetworkTransaction::OnIOComplete, base::Unretained(this)));
 }
diff --git a/chromium/net/http/bidirectional_stream_unittest.cc b/chromium/net/http/bidirectional_stream_unittest.cc
index 0e8e18c3c6f..70e734b168d 100644
--- a/chromium/net/http/bidirectional_stream_unittest.cc
+++ b/chromium/net/http/bidirectional_stream_unittest.cc
@@ -438,7 +438,7 @@ class BidirectionalStreamTest : public TestWithTaskEnvironment {
     session_ = CreateSpdySession(http_session_.get(), key, net_log_.bound());
   }
 
-  BoundTestNetLog net_log_;
+  RecordingBoundTestNetLog net_log_;
   SpdyTestUtil spdy_util_;
   SpdySessionDependencies session_deps_;
   const GURL default_url_;
diff --git a/chromium/net/http/http_auth.cc b/chromium/net/http/http_auth.cc
index 5381f1b6865..57d4c9029ef 100644
--- a/chromium/net/http/http_auth.cc
+++ b/chromium/net/http/http_auth.cc
@@ -81,7 +81,7 @@ HttpAuth::AuthorizationResult HttpAuth::HandleChallengeResponse(
   HttpAuth::Scheme current_scheme = handler->auth_scheme();
   if (disabled_schemes.find(current_scheme) != disabled_schemes.end())
     return HttpAuth::AUTHORIZATION_RESULT_REJECT;
-  std::string current_scheme_name = SchemeToString(current_scheme);
+  const char* current_scheme_name = SchemeToString(current_scheme);
   const std::string header_name = GetChallengeHeaderName(target);
   size_t iter = 0;
   std::string challenge;
@@ -90,8 +90,7 @@ HttpAuth::AuthorizationResult HttpAuth::HandleChallengeResponse(
   while (response_headers.EnumerateHeader(&iter, header_name, &challenge)) {
     HttpAuthChallengeTokenizer challenge_tokens(challenge.begin(),
                                                 challenge.end());
-    if (!base::LowerCaseEqualsASCII(challenge_tokens.scheme(),
-                                    current_scheme_name))
+    if (challenge_tokens.auth_scheme() != current_scheme_name)
       continue;
     authorization_result = handler->HandleAnotherChallenge(&challenge_tokens);
     if (authorization_result != HttpAuth::AUTHORIZATION_RESULT_INVALID) {
diff --git a/chromium/net/http/http_auth_cache.cc b/chromium/net/http/http_auth_cache.cc
index ae5ccb22186..720c97605cd 100644
--- a/chromium/net/http/http_auth_cache.cc
+++ b/chromium/net/http/http_auth_cache.cc
@@ -65,27 +65,52 @@ struct IsEnclosedBy {
 
 namespace net {
 
-HttpAuthCache::HttpAuthCache() = default;
+HttpAuthCache::HttpAuthCache(bool key_server_entries_by_network_isolation_key)
+    : key_server_entries_by_network_isolation_key_(
+          key_server_entries_by_network_isolation_key) {}
 
 HttpAuthCache::~HttpAuthCache() = default;
 
+void HttpAuthCache::SetKeyServerEntriesByNetworkIsolationKey(
+    bool key_server_entries_by_network_isolation_key) {
+  if (key_server_entries_by_network_isolation_key_ ==
+      key_server_entries_by_network_isolation_key) {
+    return;
+  }
+
+  key_server_entries_by_network_isolation_key_ =
+      key_server_entries_by_network_isolation_key;
+  base::EraseIf(entries_, [](EntryMap::value_type& entry_map_pair) {
+    return entry_map_pair.first.target == HttpAuth::AUTH_SERVER;
+  });
+}
+
 // Performance: O(logN+n), where N is the total number of entries, n is the
-// number of realm entries for the given origin.
-HttpAuthCache::Entry* HttpAuthCache::Lookup(const GURL& origin,
-                                            const std::string& realm,
-                                            HttpAuth::Scheme scheme) {
-  EntryMap::iterator entry_it = LookupEntryIt(origin, realm, scheme);
+// number of realm entries for the given origin, target, and with a matching
+// NetworkIsolationKey.
+HttpAuthCache::Entry* HttpAuthCache::Lookup(
+    const GURL& origin,
+    HttpAuth::Target target,
+    const std::string& realm,
+    HttpAuth::Scheme scheme,
+    const NetworkIsolationKey& network_isolation_key) {
+  EntryMap::iterator entry_it =
+      LookupEntryIt(origin, target, realm, scheme, network_isolation_key);
   if (entry_it == entries_.end())
     return nullptr;
   return &(entry_it->second);
 }
 
 // Performance: O(logN+n*m), where N is the total number of entries, n is the
-// number of realm entries for the given origin, m is the number of path entries
-// per realm. Both n amd m are expected to be small; m is kept small because
-// AddPath() only keeps the shallowest entry.
-HttpAuthCache::Entry* HttpAuthCache::LookupByPath(const GURL& origin,
-                                                  const std::string& path) {
+// number of realm entries for the given origin, target, and
+// NetworkIsolationKey, m is the number of path entries per realm. Both n and m
+// are expected to be small; m is kept small because AddPath() only keeps the
+// shallowest entry.
+HttpAuthCache::Entry* HttpAuthCache::LookupByPath(
+    const GURL& origin,
+    HttpAuth::Target target,
+    const NetworkIsolationKey& network_isolation_key,
+    const std::string& path) {
 #if DCHECK_IS_ON()
   CheckOriginIsValid(origin);
   CheckPathIsValid(path);
@@ -98,7 +123,9 @@ HttpAuthCache::Entry* HttpAuthCache::LookupByPath(const GURL& origin,
   std::string parent_dir = GetParentDirectory(path);
 
   // Linear scan through the <scheme, realm> entries for the given origin.
-  auto entry_range = entries_.equal_range(origin);
+  auto entry_range = entries_.equal_range(
+      EntryMapKey(origin, target, network_isolation_key,
+                  key_server_entries_by_network_isolation_key_));
   auto best_match_it = entries_.end();
   size_t best_match_length = 0;
   for (auto it = entry_range.first; it != entry_range.second; ++it) {
@@ -119,12 +146,15 @@ HttpAuthCache::Entry* HttpAuthCache::LookupByPath(const GURL& origin,
   return nullptr;
 }
 
-HttpAuthCache::Entry* HttpAuthCache::Add(const GURL& origin,
-                                         const std::string& realm,
-                                         HttpAuth::Scheme scheme,
-                                         const std::string& auth_challenge,
-                                         const AuthCredentials& credentials,
-                                         const std::string& path) {
+HttpAuthCache::Entry* HttpAuthCache::Add(
+    const GURL& origin,
+    HttpAuth::Target target,
+    const std::string& realm,
+    HttpAuth::Scheme scheme,
+    const NetworkIsolationKey& network_isolation_key,
+    const std::string& auth_challenge,
+    const AuthCredentials& credentials,
+    const std::string& path) {
 #if DCHECK_IS_ON()
   CheckOriginIsValid(origin);
   CheckPathIsValid(path);
@@ -133,21 +163,29 @@ HttpAuthCache::Entry* HttpAuthCache::Add(const GURL& origin,
   base::TimeTicks now_ticks = tick_clock_->NowTicks();
 
   // Check for existing entry (we will re-use it if present).
-  HttpAuthCache::Entry* entry = Lookup(origin, realm, scheme);
+  HttpAuthCache::Entry* entry =
+      Lookup(origin, target, realm, scheme, network_isolation_key);
   if (!entry) {
     bool evicted = false;
     // Failsafe to prevent unbounded memory growth of the cache.
     //
-    // Data collected in June of 2019 indicate that the eviction rate is at
-    // around 0.05%. I.e. 0.05% of the time the number of entries in the cache
-    // exceed kMaxNumRealmEntries. The evicted entry is roughly half an hour old
-    // (median), and it's been around 25 minutes since its last use (median).
+    // Data was collected in June of 2019, before entries were keyed on either
+    // HttpAuth::Target or NetworkIsolationKey. That data indicated that the
+    // eviction rate was at around 0.05%. I.e. 0.05% of the time the number of
+    // entries in the cache exceed kMaxNumRealmEntries. The evicted entry is
+    // roughly half an hour old (median), and it's been around 25 minutes since
+    // its last use (median).
     if (entries_.size() >= kMaxNumRealmEntries) {
       DLOG(WARNING) << "Num auth cache entries reached limit -- evicting";
       EvictLeastRecentlyUsedEntry();
       evicted = true;
     }
-    entry = &(entries_.emplace(std::make_pair(origin, Entry()))->second);
+    entry = &(entries_
+                  .emplace(std::make_pair(
+                      EntryMapKey(origin, target, network_isolation_key,
+                                  key_server_entries_by_network_isolation_key_),
+                      Entry()))
+                  ->second);
     entry->origin_ = origin;
     entry->realm_ = realm;
     entry->scheme_ = scheme;
@@ -245,10 +283,13 @@ bool HttpAuthCache::Entry::HasEnclosingPath(const std::string& dir,
 }
 
 bool HttpAuthCache::Remove(const GURL& origin,
+                           HttpAuth::Target target,
                            const std::string& realm,
                            HttpAuth::Scheme scheme,
+                           const NetworkIsolationKey& network_isolation_key,
                            const AuthCredentials& credentials) {
-  EntryMap::iterator entry_it = LookupEntryIt(origin, realm, scheme);
+  EntryMap::iterator entry_it =
+      LookupEntryIt(origin, target, realm, scheme, network_isolation_key);
   if (entry_it == entries_.end())
     return false;
   Entry& entry = entry_it->second;
@@ -274,11 +315,15 @@ void HttpAuthCache::ClearAllEntries() {
   entries_.clear();
 }
 
-bool HttpAuthCache::UpdateStaleChallenge(const GURL& origin,
-                                         const std::string& realm,
-                                         HttpAuth::Scheme scheme,
-                                         const std::string& auth_challenge) {
-  HttpAuthCache::Entry* entry = Lookup(origin, realm, scheme);
+bool HttpAuthCache::UpdateStaleChallenge(
+    const GURL& origin,
+    HttpAuth::Target target,
+    const std::string& realm,
+    HttpAuth::Scheme scheme,
+    const NetworkIsolationKey& network_isolation_key,
+    const std::string& auth_challenge) {
+  HttpAuthCache::Entry* entry =
+      Lookup(origin, target, realm, scheme, network_isolation_key);
   if (!entry)
     return false;
   entry->UpdateStaleChallenge(auth_challenge);
@@ -286,12 +331,21 @@ bool HttpAuthCache::UpdateStaleChallenge(const GURL& origin,
   return true;
 }
 
-void HttpAuthCache::UpdateAllFrom(const HttpAuthCache& other) {
+void HttpAuthCache::CopyProxyEntriesFrom(const HttpAuthCache& other) {
   for (auto it = other.entries_.begin(); it != other.entries_.end(); ++it) {
-    // Add an Entry with one of the original entry's paths.
     const Entry& e = it->second;
+
+    // Skip non-proxy entries.
+    if (it->first.target != HttpAuth::AUTH_PROXY)
+      continue;
+
+    // Sanity check - proxy entries should have an empty NetworkIsolationKey.
+    DCHECK_EQ(NetworkIsolationKey(), it->first.network_isolation_key);
+
+    // Add an Entry with one of the original entry's paths.
     DCHECK(e.paths_.size() > 0);
-    Entry* entry = Add(e.origin(), e.realm(), e.scheme(), e.auth_challenge(),
+    Entry* entry = Add(e.origin(), it->first.target, e.realm(), e.scheme(),
+                       it->first.network_isolation_key, e.auth_challenge(),
                        e.credentials(), e.paths_.back());
     // Copy all other paths.
     for (auto it2 = std::next(e.paths_.rbegin()); it2 != e.paths_.rend(); ++it2)
@@ -301,20 +355,44 @@ void HttpAuthCache::UpdateAllFrom(const HttpAuthCache& other) {
   }
 }
 
+HttpAuthCache::EntryMapKey::EntryMapKey(
+    const GURL& url,
+    HttpAuth::Target target,
+    const NetworkIsolationKey& network_isolation_key,
+    bool key_server_entries_by_network_isolation_key)
+    : url(url),
+      target(target),
+      network_isolation_key(target == HttpAuth::AUTH_SERVER &&
+                                    key_server_entries_by_network_isolation_key
+                                ? network_isolation_key
+                                : NetworkIsolationKey()) {}
+
+HttpAuthCache::EntryMapKey::~EntryMapKey() = default;
+
+bool HttpAuthCache::EntryMapKey::operator<(const EntryMapKey& other) const {
+  return std::tie(url, target, network_isolation_key) <
+         std::tie(other.url, other.target, other.network_isolation_key);
+}
+
 size_t HttpAuthCache::GetEntriesSizeForTesting() {
   return entries_.size();
 }
 
 HttpAuthCache::EntryMap::iterator HttpAuthCache::LookupEntryIt(
     const GURL& origin,
+    HttpAuth::Target target,
     const std::string& realm,
-    HttpAuth::Scheme scheme) {
+    HttpAuth::Scheme scheme,
+    const NetworkIsolationKey& network_isolation_key) {
 #if DCHECK_IS_ON()
   CheckOriginIsValid(origin);
 #endif
 
-  // Linear scan through the <scheme, realm> entries for the given origin.
-  auto entry_range = entries_.equal_range(origin);
+  // Linear scan through the <scheme, realm> entries for the given origin and
+  // NetworkIsolationKey.
+  auto entry_range = entries_.equal_range(
+      EntryMapKey(origin, target, network_isolation_key,
+                  key_server_entries_by_network_isolation_key_));
   for (auto it = entry_range.first; it != entry_range.second; ++it) {
     Entry& entry = it->second;
     DCHECK(entry.origin() == origin);
diff --git a/chromium/net/http/http_auth_cache.h b/chromium/net/http/http_auth_cache.h
index 48bce5eafb3..c9c5d7983bc 100644
--- a/chromium/net/http/http_auth_cache.h
+++ b/chromium/net/http/http_auth_cache.h
@@ -17,6 +17,7 @@
 #include "base/time/default_tick_clock.h"
 #include "base/time/time.h"
 #include "net/base/net_export.h"
+#include "net/base/network_isolation_key.h"
 #include "net/http/http_auth.h"
 #include "url/gurl.h"
 
@@ -121,20 +122,32 @@ class NET_EXPORT HttpAuthCache {
   enum { kMaxNumPathsPerRealmEntry = 10 };
   enum { kMaxNumRealmEntries = 20 };
 
-  HttpAuthCache();
+  // If |key_server_entries_by_network_isolation_key| is true, all
+  // HttpAuth::AUTH_SERVER operations are keyed by NetworkIsolationKey.
+  // Otherwise, NetworkIsolationKey arguments are ignored.
+  explicit HttpAuthCache(bool key_server_entries_by_network_isolation_key);
   ~HttpAuthCache();
 
+  // Sets whether server entries are keyed by NetworkIsolationKey.
+  // If this results in changing the value of the setting, all current server
+  // entries are deleted.
+  void SetKeyServerEntriesByNetworkIsolationKey(
+      bool key_server_entries_by_network_isolation_key);
+
   // Find the realm entry on server |origin| for realm |realm| and
   // scheme |scheme|. If a matching entry is found, move it up by one place
   // in the entries list, so that more frequently used entries migrate to the
   // front of the list.
   //   |origin| - the {scheme, host, port} of the server.
+  //   |target| - whether this is for server or proxy auth.
   //   |realm|  - case sensitive realm string.
   //   |scheme| - the authentication scheme (i.e. basic, negotiate).
   //   returns  - the matched entry or nullptr.
   Entry* Lookup(const GURL& origin,
+                HttpAuth::Target target,
                 const std::string& realm,
-                HttpAuth::Scheme scheme);
+                HttpAuth::Scheme scheme,
+                const NetworkIsolationKey& network_isolation_key);
 
   // Find the entry on server |origin| whose protection space includes
   // |path|. This uses the assumption in RFC 2617 section 2 that deeper
@@ -145,7 +158,10 @@ class NET_EXPORT HttpAuthCache {
   //   |path|   - absolute path of the resource, or empty string in case of
   //              proxy auth (which does not use the concept of paths).
   //   returns  - the matched entry or nullptr.
-  Entry* LookupByPath(const GURL& origin, const std::string& path);
+  Entry* LookupByPath(const GURL& origin,
+                      HttpAuth::Target target,
+                      const NetworkIsolationKey& network_isolation_key,
+                      const std::string& path);
 
   // Add an entry on server |origin| for realm |handler->realm()| and
   // scheme |handler->scheme()|.  If an entry for this (realm,scheme)
@@ -159,8 +175,10 @@ class NET_EXPORT HttpAuthCache {
   //                space; this will be added to the list of known paths.
   //   returns    - the entry that was just added/updated.
   Entry* Add(const GURL& origin,
+             HttpAuth::Target target,
              const std::string& realm,
              HttpAuth::Scheme scheme,
+             const NetworkIsolationKey& network_isolation_key,
              const std::string& auth_challenge,
              const AuthCredentials& credentials,
              const std::string& path);
@@ -173,8 +191,10 @@ class NET_EXPORT HttpAuthCache {
   //   |credentials| - the credentials to match.
   //   returns    - true if an entry was removed.
   bool Remove(const GURL& origin,
+              HttpAuth::Target target,
               const std::string& realm,
               HttpAuth::Scheme scheme,
+              const NetworkIsolationKey& network_isolation_key,
               const AuthCredentials& credentials);
 
   // Clears cache entries added since |begin_time| or all entries if
@@ -190,12 +210,17 @@ class NET_EXPORT HttpAuthCache {
   // |UpdateStaleChallenge()| returns true if a matching entry exists in the
   // cache, false otherwise.
   bool UpdateStaleChallenge(const GURL& origin,
+                            HttpAuth::Target target,
                             const std::string& realm,
                             HttpAuth::Scheme scheme,
+                            const NetworkIsolationKey& network_isolation_key,
                             const std::string& auth_challenge);
 
-  // Copies all entries from |other| cache.
-  void UpdateAllFrom(const HttpAuthCache& other);
+  // Copies all entries from |other| cache with a target of
+  // HttpAuth::AUTH_PROXY. |this| and |other| need not have the same
+  // |key_server_entries_by_network_isolation_key_| value, since proxy
+  // credentials are not keyed on NetworkIsolationKey.
+  void CopyProxyEntriesFrom(const HttpAuthCache& other);
 
   size_t GetEntriesSizeForTesting();
   void set_tick_clock_for_testing(const base::TickClock* tick_clock) {
@@ -203,17 +228,47 @@ class NET_EXPORT HttpAuthCache {
   }
   void set_clock_for_testing(const base::Clock* clock) { clock_ = clock; }
 
+  bool key_server_entries_by_network_isolation_key() const {
+    return key_server_entries_by_network_isolation_key_;
+  }
+
  private:
-  using EntryMap = std::multimap<GURL, Entry>;
-  EntryMap entries_;
+  struct EntryMapKey {
+    EntryMapKey(const GURL& url,
+                HttpAuth::Target target,
+                const NetworkIsolationKey& network_isolation_key,
+                bool key_server_entries_by_network_isolation_key);
+    ~EntryMapKey();
+
+    bool operator<(const EntryMapKey& other) const;
+
+    GURL url;
+    HttpAuth::Target target;
+    // Empty if |key_server_entries_by_network_isolation_key| is false, |target|
+    // is HttpAuth::AUTH_PROXY, or an empty NetworkIsolationKey is passed in to
+    // the EntryMap constructor.
+    NetworkIsolationKey network_isolation_key;
+  };
+
+  using EntryMap = std::multimap<EntryMapKey, Entry>;
 
   const base::TickClock* tick_clock_ = base::DefaultTickClock::GetInstance();
   const base::Clock* clock_ = base::DefaultClock::GetInstance();
 
-  EntryMap::iterator LookupEntryIt(const GURL& origin,
-                                   const std::string& realm,
-                                   HttpAuth::Scheme scheme);
+  EntryMap::iterator LookupEntryIt(
+      const GURL& origin,
+      HttpAuth::Target target,
+      const std::string& realm,
+      HttpAuth::Scheme scheme,
+      const NetworkIsolationKey& network_isolation_key);
+
   void EvictLeastRecentlyUsedEntry();
+
+  bool key_server_entries_by_network_isolation_key_;
+
+  EntryMap entries_;
+
+  DISALLOW_COPY_AND_ASSIGN(HttpAuthCache);
 };
 
 // An authentication realm entry.
diff --git a/chromium/net/http/http_auth_cache_unittest.cc b/chromium/net/http/http_auth_cache_unittest.cc
index f54049b977d..2e496c3d1fa 100644
--- a/chromium/net/http/http_auth_cache_unittest.cc
+++ b/chromium/net/http/http_auth_cache_unittest.cc
@@ -11,8 +11,10 @@
 #include "base/test/simple_test_clock.h"
 #include "base/test/simple_test_tick_clock.h"
 #include "net/base/net_errors.h"
+#include "net/base/network_isolation_key.h"
 #include "net/http/http_auth_cache.h"
 #include "testing/gtest/include/gtest/gtest.h"
+#include "url/origin.h"
 
 using base::ASCIIToUTF16;
 
@@ -46,59 +48,71 @@ AuthCredentials CreateASCIICredentials(const char* username,
 TEST(HttpAuthCacheTest, Basic) {
   GURL origin("http://www.google.com");
   GURL origin2("http://www.foobar.com");
-  HttpAuthCache cache;
+  HttpAuthCache cache(false /* key_entries_by_network_isolation_key */);
   HttpAuthCache::Entry* entry;
 
   // Add cache entries for 4 realms: "Realm1", "Realm2", "Realm3" and
   // "Realm4"
 
-  cache.Add(origin, kRealm1, HttpAuth::AUTH_SCHEME_BASIC, "Basic realm=Realm1",
+  cache.Add(origin, HttpAuth::AUTH_SERVER, kRealm1, HttpAuth::AUTH_SCHEME_BASIC,
+            NetworkIsolationKey(), "Basic realm=Realm1",
             CreateASCIICredentials("realm1-user", "realm1-password"),
             "/foo/bar/index.html");
 
-  cache.Add(origin, kRealm2, HttpAuth::AUTH_SCHEME_BASIC, "Basic realm=Realm2",
+  cache.Add(origin, HttpAuth::AUTH_SERVER, kRealm2, HttpAuth::AUTH_SCHEME_BASIC,
+            NetworkIsolationKey(), "Basic realm=Realm2",
             CreateASCIICredentials("realm2-user", "realm2-password"),
             "/foo2/index.html");
 
   cache.Add(
-      origin, kRealm3, HttpAuth::AUTH_SCHEME_BASIC, "Basic realm=Realm3",
+      origin, HttpAuth::AUTH_SERVER, kRealm3, HttpAuth::AUTH_SCHEME_BASIC,
+      NetworkIsolationKey(), "Basic realm=Realm3",
       CreateASCIICredentials("realm3-basic-user", "realm3-basic-password"),
       std::string());
 
   cache.Add(
-      origin, kRealm3, HttpAuth::AUTH_SCHEME_DIGEST, "Digest realm=Realm3",
+      origin, HttpAuth::AUTH_SERVER, kRealm3, HttpAuth::AUTH_SCHEME_DIGEST,
+      NetworkIsolationKey(), "Digest realm=Realm3",
       CreateASCIICredentials("realm3-digest-user", "realm3-digest-password"),
       "/baz/index.html");
 
   cache.Add(
-      origin, kRealm4, HttpAuth::AUTH_SCHEME_BASIC, "Basic realm=Realm4",
+      origin, HttpAuth::AUTH_SERVER, kRealm4, HttpAuth::AUTH_SCHEME_BASIC,
+      NetworkIsolationKey(), "Basic realm=Realm4",
       CreateASCIICredentials("realm4-basic-user", "realm4-basic-password"),
       "/");
 
-  cache.Add(origin2, kRealm5, HttpAuth::AUTH_SCHEME_BASIC, "Basic realm=Realm5",
+  cache.Add(origin2, HttpAuth::AUTH_SERVER, kRealm5,
+            HttpAuth::AUTH_SCHEME_BASIC, NetworkIsolationKey(),
+            "Basic realm=Realm5",
             CreateASCIICredentials("realm5-user", "realm5-password"), "/");
   cache.Add(
-      origin2, kRealm3, HttpAuth::AUTH_SCHEME_BASIC, "Basic realm=Realm3",
+      origin2, HttpAuth::AUTH_SERVER, kRealm3, HttpAuth::AUTH_SCHEME_BASIC,
+      NetworkIsolationKey(), "Basic realm=Realm3",
       CreateASCIICredentials("realm3-basic-user", "realm3-basic-password"),
       std::string());
 
   // There is no Realm5 in origin
-  entry = cache.Lookup(origin, kRealm5, HttpAuth::AUTH_SCHEME_BASIC);
+  entry = cache.Lookup(origin, HttpAuth::AUTH_SERVER, kRealm5,
+                       HttpAuth::AUTH_SCHEME_BASIC, NetworkIsolationKey());
   EXPECT_FALSE(entry);
 
   // While Realm3 does exist, the origin scheme is wrong.
-  entry = cache.Lookup(GURL("https://www.google.com"), kRealm3,
-                       HttpAuth::AUTH_SCHEME_BASIC);
+  entry =
+      cache.Lookup(GURL("https://www.google.com"), HttpAuth::AUTH_SERVER,
+                   kRealm3, HttpAuth::AUTH_SCHEME_BASIC, NetworkIsolationKey());
   EXPECT_FALSE(entry);
 
   // Realm, origin scheme ok, authentication scheme wrong
-  entry = cache.Lookup
-      (GURL("http://www.google.com"), kRealm1, HttpAuth::AUTH_SCHEME_DIGEST);
+  entry = cache.Lookup(GURL("http://www.google.com"), HttpAuth::AUTH_SERVER,
+                       kRealm1, HttpAuth::AUTH_SCHEME_DIGEST,
+                       NetworkIsolationKey());
   EXPECT_FALSE(entry);
 
   // Valid lookup by origin, realm, scheme.
-  entry = cache.Lookup(
-      GURL("http://www.google.com:80"), kRealm3, HttpAuth::AUTH_SCHEME_BASIC);
+  entry =
+      cache.Lookup(GURL("http://www.google.com:80"), HttpAuth::AUTH_SERVER,
+                   kRealm3, HttpAuth::AUTH_SCHEME_BASIC, NetworkIsolationKey());
   ASSERT_TRUE(entry);
   EXPECT_EQ(HttpAuth::AUTH_SCHEME_BASIC, entry->scheme());
   EXPECT_EQ(kRealm3, entry->realm());
@@ -108,15 +122,17 @@ TEST(HttpAuthCacheTest, Basic) {
             entry->credentials().password());
 
   // Same realm, scheme with different origins
-  HttpAuthCache::Entry* entry2 = cache.Lookup(
-      GURL("http://www.foobar.com:80"), kRealm3, HttpAuth::AUTH_SCHEME_BASIC);
+  HttpAuthCache::Entry* entry2 =
+      cache.Lookup(GURL("http://www.foobar.com:80"), HttpAuth::AUTH_SERVER,
+                   kRealm3, HttpAuth::AUTH_SCHEME_BASIC, NetworkIsolationKey());
   ASSERT_TRUE(entry2);
   EXPECT_NE(entry, entry2);
 
   // Valid lookup by origin, realm, scheme when there's a duplicate
   // origin, realm in the cache
-  entry = cache.Lookup(
-      GURL("http://www.google.com:80"), kRealm3, HttpAuth::AUTH_SCHEME_DIGEST);
+  entry = cache.Lookup(GURL("http://www.google.com:80"), HttpAuth::AUTH_SERVER,
+                       kRealm3, HttpAuth::AUTH_SCHEME_DIGEST,
+                       NetworkIsolationKey());
   ASSERT_TRUE(entry);
   EXPECT_EQ(HttpAuth::AUTH_SCHEME_DIGEST, entry->scheme());
   EXPECT_EQ(kRealm3, entry->realm());
@@ -127,7 +143,8 @@ TEST(HttpAuthCacheTest, Basic) {
             entry->credentials().password());
 
   // Valid lookup by realm.
-  entry = cache.Lookup(origin, kRealm2, HttpAuth::AUTH_SCHEME_BASIC);
+  entry = cache.Lookup(origin, HttpAuth::AUTH_SERVER, kRealm2,
+                       HttpAuth::AUTH_SCHEME_BASIC, NetworkIsolationKey());
   ASSERT_TRUE(entry);
   EXPECT_EQ(HttpAuth::AUTH_SCHEME_BASIC, entry->scheme());
   EXPECT_EQ(kRealm2, entry->realm());
@@ -137,9 +154,11 @@ TEST(HttpAuthCacheTest, Basic) {
 
   // Check that subpaths are recognized.
   HttpAuthCache::Entry* p_realm2_entry =
-      cache.Lookup(origin, kRealm2, HttpAuth::AUTH_SCHEME_BASIC);
+      cache.Lookup(origin, HttpAuth::AUTH_SERVER, kRealm2,
+                   HttpAuth::AUTH_SCHEME_BASIC, NetworkIsolationKey());
   HttpAuthCache::Entry* p_realm4_entry =
-      cache.Lookup(origin, kRealm4, HttpAuth::AUTH_SCHEME_BASIC);
+      cache.Lookup(origin, HttpAuth::AUTH_SERVER, kRealm4,
+                   HttpAuth::AUTH_SCHEME_BASIC, NetworkIsolationKey());
   EXPECT_TRUE(p_realm2_entry);
   EXPECT_TRUE(p_realm4_entry);
   HttpAuthCache::Entry realm2_entry = *p_realm2_entry;
@@ -147,56 +166,398 @@ TEST(HttpAuthCacheTest, Basic) {
   // Realm4 applies to '/' and Realm2 applies to '/foo2/'.
   // LookupByPath() should return the closest enclosing path.
   // Positive tests:
-  entry = cache.LookupByPath(origin, "/foo2/index.html");
+  entry = cache.LookupByPath(origin, HttpAuth::AUTH_SERVER,
+                             NetworkIsolationKey(), "/foo2/index.html");
   EXPECT_TRUE(realm2_entry.IsEqualForTesting(*entry));
-  entry = cache.LookupByPath(origin, "/foo2/foobar.html");
+  entry = cache.LookupByPath(origin, HttpAuth::AUTH_SERVER,
+                             NetworkIsolationKey(), "/foo2/foobar.html");
   EXPECT_TRUE(realm2_entry.IsEqualForTesting(*entry));
-  entry = cache.LookupByPath(origin, "/foo2/bar/index.html");
+  entry = cache.LookupByPath(origin, HttpAuth::AUTH_SERVER,
+                             NetworkIsolationKey(), "/foo2/bar/index.html");
   EXPECT_TRUE(realm2_entry.IsEqualForTesting(*entry));
-  entry = cache.LookupByPath(origin, "/foo2/");
+  entry = cache.LookupByPath(origin, HttpAuth::AUTH_SERVER,
+                             NetworkIsolationKey(), "/foo2/");
   EXPECT_TRUE(realm2_entry.IsEqualForTesting(*entry));
-  entry = cache.LookupByPath(origin, "/foo2");
+  entry = cache.LookupByPath(origin, HttpAuth::AUTH_SERVER,
+                             NetworkIsolationKey(), "/foo2");
   EXPECT_TRUE(realm4_entry.IsEqualForTesting(*entry));
-  entry = cache.LookupByPath(origin, "/");
+  entry = cache.LookupByPath(origin, HttpAuth::AUTH_SERVER,
+                             NetworkIsolationKey(), "/");
   EXPECT_TRUE(realm4_entry.IsEqualForTesting(*entry));
 
   // Negative tests:
-  entry = cache.LookupByPath(origin, "/foo3/index.html");
+  entry = cache.LookupByPath(origin, HttpAuth::AUTH_SERVER,
+                             NetworkIsolationKey(), "/foo3/index.html");
   EXPECT_FALSE(realm2_entry.IsEqualForTesting(*entry));
-  entry = cache.LookupByPath(origin, std::string());
+  entry = cache.LookupByPath(origin, HttpAuth::AUTH_SERVER,
+                             NetworkIsolationKey(), std::string());
   EXPECT_FALSE(realm2_entry.IsEqualForTesting(*entry));
 
   // Confirm we find the same realm, different auth scheme by path lookup
   HttpAuthCache::Entry* p_realm3_digest_entry =
-      cache.Lookup(origin, kRealm3, HttpAuth::AUTH_SCHEME_DIGEST);
+      cache.Lookup(origin, HttpAuth::AUTH_SERVER, kRealm3,
+                   HttpAuth::AUTH_SCHEME_DIGEST, NetworkIsolationKey());
   EXPECT_TRUE(p_realm3_digest_entry);
   HttpAuthCache::Entry realm3_digest_entry = *p_realm3_digest_entry;
-  entry = cache.LookupByPath(origin, "/baz/index.html");
+  entry = cache.LookupByPath(origin, HttpAuth::AUTH_SERVER,
+                             NetworkIsolationKey(), "/baz/index.html");
   EXPECT_TRUE(realm3_digest_entry.IsEqualForTesting(*entry));
-  entry = cache.LookupByPath(origin, "/baz/");
+  entry = cache.LookupByPath(origin, HttpAuth::AUTH_SERVER,
+                             NetworkIsolationKey(), "/baz/");
   EXPECT_TRUE(realm3_digest_entry.IsEqualForTesting(*entry));
-  entry = cache.LookupByPath(origin, "/baz");
+  entry = cache.LookupByPath(origin, HttpAuth::AUTH_SERVER,
+                             NetworkIsolationKey(), "/baz");
   EXPECT_FALSE(realm3_digest_entry.IsEqualForTesting(*entry));
 
   // Confirm we find the same realm, different auth scheme by path lookup
   HttpAuthCache::Entry* p_realm3DigestEntry =
-      cache.Lookup(origin, kRealm3, HttpAuth::AUTH_SCHEME_DIGEST);
+      cache.Lookup(origin, HttpAuth::AUTH_SERVER, kRealm3,
+                   HttpAuth::AUTH_SCHEME_DIGEST, NetworkIsolationKey());
   EXPECT_TRUE(p_realm3DigestEntry);
   HttpAuthCache::Entry realm3DigestEntry = *p_realm3DigestEntry;
-  entry = cache.LookupByPath(origin, "/baz/index.html");
+  entry = cache.LookupByPath(origin, HttpAuth::AUTH_SERVER,
+                             NetworkIsolationKey(), "/baz/index.html");
   EXPECT_TRUE(realm3DigestEntry.IsEqualForTesting(*entry));
-  entry = cache.LookupByPath(origin, "/baz/");
+  entry = cache.LookupByPath(origin, HttpAuth::AUTH_SERVER,
+                             NetworkIsolationKey(), "/baz/");
   EXPECT_TRUE(realm3DigestEntry.IsEqualForTesting(*entry));
-  entry = cache.LookupByPath(origin, "/baz");
+  entry = cache.LookupByPath(origin, HttpAuth::AUTH_SERVER,
+                             NetworkIsolationKey(), "/baz");
   EXPECT_FALSE(realm3DigestEntry.IsEqualForTesting(*entry));
 
   // Lookup using empty path (may be used for proxy).
-  entry = cache.LookupByPath(origin, std::string());
+  entry = cache.LookupByPath(origin, HttpAuth::AUTH_SERVER,
+                             NetworkIsolationKey(), std::string());
   EXPECT_TRUE(entry);
   EXPECT_EQ(HttpAuth::AUTH_SCHEME_BASIC, entry->scheme());
   EXPECT_EQ(kRealm3, entry->realm());
 }
 
+// Make sure server and proxy credentials are treated separately.
+TEST(HttpAuthCacheTest, SeparateByTarget) {
+  const base::string16 kServerUser = ASCIIToUTF16("server_user");
+  const base::string16 kServerPass = ASCIIToUTF16("server_pass");
+  const base::string16 kProxyUser = ASCIIToUTF16("proxy_user");
+  const base::string16 kProxyPass = ASCIIToUTF16("proxy_pass");
+
+  const char kServerPath[] = "/foo/bar/index.html";
+
+  GURL origin("http://www.google.com");
+  HttpAuthCache cache(false /* key_entries_by_network_isolation_key */);
+  HttpAuthCache::Entry* entry;
+
+  // Add AUTH_SERVER entry.
+  cache.Add(origin, HttpAuth::AUTH_SERVER, kRealm1, HttpAuth::AUTH_SCHEME_BASIC,
+            NetworkIsolationKey(), "Basic realm=Realm1",
+            AuthCredentials(kServerUser, kServerPass), kServerPath);
+
+  // Make sure credentials are only accessible with AUTH_SERVER target.
+  entry = cache.Lookup(origin, HttpAuth::AUTH_SERVER, kRealm1,
+                       HttpAuth::AUTH_SCHEME_BASIC, NetworkIsolationKey());
+  ASSERT_TRUE(entry);
+  EXPECT_EQ(entry->credentials().username(), kServerUser);
+  EXPECT_EQ(entry->credentials().password(), kServerPass);
+  EXPECT_EQ(entry, cache.LookupByPath(origin, HttpAuth::AUTH_SERVER,
+                                      NetworkIsolationKey(), kServerPath));
+  EXPECT_FALSE(cache.Lookup(origin, HttpAuth::AUTH_PROXY, kRealm1,
+                            HttpAuth::AUTH_SCHEME_BASIC,
+                            NetworkIsolationKey()));
+  EXPECT_FALSE(cache.LookupByPath(origin, HttpAuth::AUTH_PROXY,
+                                  NetworkIsolationKey(), kServerPath));
+
+  // Add AUTH_PROXY entry with same origin and realm but different credentials.
+  cache.Add(origin, HttpAuth::AUTH_PROXY, kRealm1, HttpAuth::AUTH_SCHEME_BASIC,
+            NetworkIsolationKey(), "Basic realm=Realm1",
+            AuthCredentials(kProxyUser, kProxyPass), "/");
+
+  // Make sure credentials are only accessible with the corresponding target.
+  entry = cache.Lookup(origin, HttpAuth::AUTH_SERVER, kRealm1,
+                       HttpAuth::AUTH_SCHEME_BASIC, NetworkIsolationKey());
+  ASSERT_TRUE(entry);
+  EXPECT_EQ(entry->credentials().username(), kServerUser);
+  EXPECT_EQ(entry->credentials().password(), kServerPass);
+  EXPECT_EQ(entry, cache.LookupByPath(origin, HttpAuth::AUTH_SERVER,
+                                      NetworkIsolationKey(), kServerPath));
+  entry = cache.Lookup(origin, HttpAuth::AUTH_PROXY, kRealm1,
+                       HttpAuth::AUTH_SCHEME_BASIC, NetworkIsolationKey());
+  ASSERT_TRUE(entry);
+  EXPECT_EQ(entry->credentials().username(), kProxyUser);
+  EXPECT_EQ(entry->credentials().password(), kProxyPass);
+  EXPECT_EQ(entry, cache.LookupByPath(origin, HttpAuth::AUTH_PROXY,
+                                      NetworkIsolationKey(), "/"));
+
+  // Remove the AUTH_SERVER entry.
+  EXPECT_TRUE(cache.Remove(origin, HttpAuth::AUTH_SERVER, kRealm1,
+                           HttpAuth::AUTH_SCHEME_BASIC, NetworkIsolationKey(),
+                           AuthCredentials(kServerUser, kServerPass)));
+
+  // Verify that only the AUTH_SERVER entry was removed.
+  EXPECT_FALSE(cache.Lookup(origin, HttpAuth::AUTH_SERVER, kRealm1,
+                            HttpAuth::AUTH_SCHEME_BASIC,
+                            NetworkIsolationKey()));
+  EXPECT_FALSE(cache.LookupByPath(origin, HttpAuth::AUTH_SERVER,
+                                  NetworkIsolationKey(), kServerPath));
+  entry = cache.Lookup(origin, HttpAuth::AUTH_PROXY, kRealm1,
+                       HttpAuth::AUTH_SCHEME_BASIC, NetworkIsolationKey());
+  ASSERT_TRUE(entry);
+  EXPECT_EQ(entry->credentials().username(), kProxyUser);
+  EXPECT_EQ(entry->credentials().password(), kProxyPass);
+  EXPECT_EQ(entry, cache.LookupByPath(origin, HttpAuth::AUTH_PROXY,
+                                      NetworkIsolationKey(), "/"));
+
+  // Remove the AUTH_PROXY entry.
+  EXPECT_TRUE(cache.Remove(origin, HttpAuth::AUTH_PROXY, kRealm1,
+                           HttpAuth::AUTH_SCHEME_BASIC, NetworkIsolationKey(),
+                           AuthCredentials(kProxyUser, kProxyPass)));
+
+  // Verify that neither entry remains.
+  EXPECT_FALSE(cache.Lookup(origin, HttpAuth::AUTH_SERVER, kRealm1,
+                            HttpAuth::AUTH_SCHEME_BASIC,
+                            NetworkIsolationKey()));
+  EXPECT_FALSE(cache.LookupByPath(origin, HttpAuth::AUTH_SERVER,
+                                  NetworkIsolationKey(), kServerPath));
+  EXPECT_FALSE(cache.Lookup(origin, HttpAuth::AUTH_PROXY, kRealm1,
+                            HttpAuth::AUTH_SCHEME_BASIC,
+                            NetworkIsolationKey()));
+  EXPECT_FALSE(cache.LookupByPath(origin, HttpAuth::AUTH_PROXY,
+                                  NetworkIsolationKey(), "/"));
+}
+
+// Make sure server credentials with different NetworkIsolationKeys are treated
+// separately if |key_entries_by_network_isolation_key| is set to true.
+TEST(HttpAuthCacheTest, SeparateServersByNetworkIsolationKey) {
+  const url::Origin kOrigin1 = url::Origin::Create(GURL("https://foo.test/"));
+  const NetworkIsolationKey kNetworkIsolationKey1(kOrigin1, kOrigin1);
+  const url::Origin kOrigin2 = url::Origin::Create(GURL("https://bar.test/"));
+  const NetworkIsolationKey kNetworkIsolationKey2(kOrigin2, kOrigin2);
+
+  GURL kPseudoOrigin("http://www.google.com");
+  const char kPath[] = "/";
+
+  const base::string16 kUser1 = ASCIIToUTF16("user1");
+  const base::string16 kPass1 = ASCIIToUTF16("pass1");
+  const base::string16 kUser2 = ASCIIToUTF16("user2");
+  const base::string16 kPass2 = ASCIIToUTF16("pass2");
+
+  for (bool key_entries_by_network_isolation_key : {false, true}) {
+    HttpAuthCache cache(key_entries_by_network_isolation_key);
+    HttpAuthCache::Entry* entry;
+
+    // Add entry for kNetworkIsolationKey1.
+    cache.Add(kPseudoOrigin, HttpAuth::AUTH_SERVER, kRealm1,
+              HttpAuth::AUTH_SCHEME_BASIC, kNetworkIsolationKey1,
+              "Basic realm=Realm1", AuthCredentials(kUser1, kPass1), kPath);
+
+    entry = cache.Lookup(kPseudoOrigin, HttpAuth::AUTH_SERVER, kRealm1,
+                         HttpAuth::AUTH_SCHEME_BASIC, kNetworkIsolationKey1);
+    ASSERT_TRUE(entry);
+    EXPECT_EQ(entry->credentials().username(), kUser1);
+    EXPECT_EQ(entry->credentials().password(), kPass1);
+    EXPECT_EQ(entry, cache.LookupByPath(kPseudoOrigin, HttpAuth::AUTH_SERVER,
+                                        kNetworkIsolationKey1, kPath));
+    if (key_entries_by_network_isolation_key) {
+      EXPECT_FALSE(cache.Lookup(kPseudoOrigin, HttpAuth::AUTH_SERVER, kRealm1,
+                                HttpAuth::AUTH_SCHEME_BASIC,
+                                kNetworkIsolationKey2));
+      EXPECT_FALSE(cache.LookupByPath(kPseudoOrigin, HttpAuth::AUTH_SERVER,
+                                      kNetworkIsolationKey2, kPath));
+    } else {
+      EXPECT_EQ(entry, cache.Lookup(kPseudoOrigin, HttpAuth::AUTH_SERVER,
+                                    kRealm1, HttpAuth::AUTH_SCHEME_BASIC,
+                                    kNetworkIsolationKey2));
+      EXPECT_EQ(entry, cache.LookupByPath(kPseudoOrigin, HttpAuth::AUTH_SERVER,
+                                          kNetworkIsolationKey2, kPath));
+    }
+
+    // Add entry for kNetworkIsolationKey2.
+    cache.Add(kPseudoOrigin, HttpAuth::AUTH_SERVER, kRealm1,
+              HttpAuth::AUTH_SCHEME_BASIC, kNetworkIsolationKey2,
+              "Basic realm=Realm1", AuthCredentials(kUser2, kPass2), kPath);
+
+    entry = cache.Lookup(kPseudoOrigin, HttpAuth::AUTH_SERVER, kRealm1,
+                         HttpAuth::AUTH_SCHEME_BASIC, kNetworkIsolationKey2);
+    ASSERT_TRUE(entry);
+    EXPECT_EQ(entry->credentials().username(), kUser2);
+    EXPECT_EQ(entry->credentials().password(), kPass2);
+    EXPECT_EQ(entry, cache.LookupByPath(kPseudoOrigin, HttpAuth::AUTH_SERVER,
+                                        kNetworkIsolationKey2, kPath));
+    entry = cache.Lookup(kPseudoOrigin, HttpAuth::AUTH_SERVER, kRealm1,
+                         HttpAuth::AUTH_SCHEME_BASIC, kNetworkIsolationKey1);
+    ASSERT_TRUE(entry);
+    EXPECT_EQ(entry, cache.LookupByPath(kPseudoOrigin, HttpAuth::AUTH_SERVER,
+                                        kNetworkIsolationKey1, kPath));
+    if (key_entries_by_network_isolation_key) {
+      EXPECT_EQ(entry->credentials().username(), kUser1);
+      EXPECT_EQ(entry->credentials().password(), kPass1);
+    } else {
+      EXPECT_EQ(entry->credentials().username(), kUser2);
+      EXPECT_EQ(entry->credentials().password(), kPass2);
+    }
+
+    // Remove the entry that was just added.
+    EXPECT_TRUE(cache.Remove(kPseudoOrigin, HttpAuth::AUTH_SERVER, kRealm1,
+                             HttpAuth::AUTH_SCHEME_BASIC, kNetworkIsolationKey2,
+                             AuthCredentials(kUser2, kPass2)));
+
+    EXPECT_FALSE(cache.Lookup(kPseudoOrigin, HttpAuth::AUTH_SERVER, kRealm1,
+                              HttpAuth::AUTH_SCHEME_BASIC,
+                              kNetworkIsolationKey2));
+    EXPECT_FALSE(cache.LookupByPath(kPseudoOrigin, HttpAuth::AUTH_SERVER,
+                                    kNetworkIsolationKey2, kPath));
+    if (key_entries_by_network_isolation_key) {
+      entry = cache.Lookup(kPseudoOrigin, HttpAuth::AUTH_SERVER, kRealm1,
+                           HttpAuth::AUTH_SCHEME_BASIC, kNetworkIsolationKey1);
+      ASSERT_TRUE(entry);
+      EXPECT_EQ(entry->credentials().username(), kUser1);
+      EXPECT_EQ(entry->credentials().password(), kPass1);
+      EXPECT_EQ(entry, cache.LookupByPath(kPseudoOrigin, HttpAuth::AUTH_SERVER,
+                                          kNetworkIsolationKey1, kPath));
+    } else {
+      EXPECT_FALSE(cache.Lookup(kPseudoOrigin, HttpAuth::AUTH_SERVER, kRealm1,
+                                HttpAuth::AUTH_SCHEME_BASIC,
+                                kNetworkIsolationKey1));
+      EXPECT_FALSE(cache.LookupByPath(kPseudoOrigin, HttpAuth::AUTH_SERVER,
+                                      kNetworkIsolationKey1, kPath));
+    }
+  }
+}
+
+// Make sure added proxy credentials ignore NetworkIsolationKey, even if if
+// |key_entries_by_network_isolation_key| is set to true.
+TEST(HttpAuthCacheTest, NeverSeparateProxiesByNetworkIsolationKey) {
+  const url::Origin kOrigin1 = url::Origin::Create(GURL("https://foo.test/"));
+  const NetworkIsolationKey kNetworkIsolationKey1(kOrigin1, kOrigin1);
+  const url::Origin kOrigin2 = url::Origin::Create(GURL("https://bar.test/"));
+  const NetworkIsolationKey kNetworkIsolationKey2(kOrigin2, kOrigin2);
+
+  GURL kPseudoOrigin("http://www.google.com");
+  const char kPath[] = "/";
+
+  const base::string16 kUser1 = ASCIIToUTF16("user1");
+  const base::string16 kPass1 = ASCIIToUTF16("pass1");
+  const base::string16 kUser2 = ASCIIToUTF16("user2");
+  const base::string16 kPass2 = ASCIIToUTF16("pass2");
+
+  for (bool key_entries_by_network_isolation_key : {false, true}) {
+    HttpAuthCache cache(key_entries_by_network_isolation_key);
+    HttpAuthCache::Entry* entry;
+
+    // Add entry for kNetworkIsolationKey1.
+    cache.Add(kPseudoOrigin, HttpAuth::AUTH_PROXY, kRealm1,
+              HttpAuth::AUTH_SCHEME_BASIC, kNetworkIsolationKey1,
+              "Basic realm=Realm1", AuthCredentials(kUser1, kPass1), kPath);
+
+    entry = cache.Lookup(kPseudoOrigin, HttpAuth::AUTH_PROXY, kRealm1,
+                         HttpAuth::AUTH_SCHEME_BASIC, kNetworkIsolationKey1);
+    ASSERT_TRUE(entry);
+    EXPECT_EQ(entry->credentials().username(), kUser1);
+    EXPECT_EQ(entry->credentials().password(), kPass1);
+    EXPECT_EQ(entry, cache.LookupByPath(kPseudoOrigin, HttpAuth::AUTH_PROXY,
+                                        kNetworkIsolationKey1, kPath));
+    EXPECT_EQ(entry,
+              cache.Lookup(kPseudoOrigin, HttpAuth::AUTH_PROXY, kRealm1,
+                           HttpAuth::AUTH_SCHEME_BASIC, kNetworkIsolationKey2));
+    EXPECT_EQ(entry, cache.LookupByPath(kPseudoOrigin, HttpAuth::AUTH_PROXY,
+                                        kNetworkIsolationKey2, kPath));
+
+    // Add entry for kNetworkIsolationKey2. It should overwrite the entry for
+    // kNetworkIsolationKey1.
+    cache.Add(kPseudoOrigin, HttpAuth::AUTH_PROXY, kRealm1,
+              HttpAuth::AUTH_SCHEME_BASIC, kNetworkIsolationKey2,
+              "Basic realm=Realm1", AuthCredentials(kUser2, kPass2), kPath);
+
+    entry = cache.Lookup(kPseudoOrigin, HttpAuth::AUTH_PROXY, kRealm1,
+                         HttpAuth::AUTH_SCHEME_BASIC, kNetworkIsolationKey2);
+    ASSERT_TRUE(entry);
+    EXPECT_EQ(entry->credentials().username(), kUser2);
+    EXPECT_EQ(entry->credentials().password(), kPass2);
+    EXPECT_EQ(entry, cache.LookupByPath(kPseudoOrigin, HttpAuth::AUTH_PROXY,
+                                        kNetworkIsolationKey2, kPath));
+    EXPECT_EQ(entry,
+              cache.Lookup(kPseudoOrigin, HttpAuth::AUTH_PROXY, kRealm1,
+                           HttpAuth::AUTH_SCHEME_BASIC, kNetworkIsolationKey1));
+    EXPECT_EQ(entry, cache.LookupByPath(kPseudoOrigin, HttpAuth::AUTH_PROXY,
+                                        kNetworkIsolationKey1, kPath));
+
+    // Remove the entry that was just added using an empty NetworkIsolationKey.
+    EXPECT_TRUE(cache.Remove(kPseudoOrigin, HttpAuth::AUTH_PROXY, kRealm1,
+                             HttpAuth::AUTH_SCHEME_BASIC, NetworkIsolationKey(),
+                             AuthCredentials(kUser2, kPass2)));
+
+    EXPECT_FALSE(cache.Lookup(kPseudoOrigin, HttpAuth::AUTH_PROXY, kRealm1,
+                              HttpAuth::AUTH_SCHEME_BASIC,
+                              kNetworkIsolationKey2));
+    EXPECT_FALSE(cache.LookupByPath(kPseudoOrigin, HttpAuth::AUTH_PROXY,
+                                    kNetworkIsolationKey2, kPath));
+    EXPECT_FALSE(cache.Lookup(kPseudoOrigin, HttpAuth::AUTH_PROXY, kRealm1,
+                              HttpAuth::AUTH_SCHEME_BASIC,
+                              kNetworkIsolationKey1));
+    EXPECT_FALSE(cache.LookupByPath(kPseudoOrigin, HttpAuth::AUTH_PROXY,
+                                    kNetworkIsolationKey1, kPath));
+  }
+}
+
+// Test that SetKeyServerEntriesByNetworkIsolationKey() deletes server
+// credentials when it toggles the setting. This test uses an empty
+// NetworkIsolationKey() for all entries, as the interesting part of this method
+// is what type entries are deleted, which doesn't depend on the
+// NetworkIsolationKey the entries use.
+TEST(HttpAuthCacheTest, SetKeyServerEntriesByNetworkIsolationKey) {
+  GURL kOrigin("http://www.google.com");
+  const char kPath[] = "/";
+
+  const base::string16 kUser1 = ASCIIToUTF16("user1");
+  const base::string16 kPass1 = ASCIIToUTF16("pass1");
+  const base::string16 kUser2 = ASCIIToUTF16("user2");
+  const base::string16 kPass2 = ASCIIToUTF16("pass2");
+
+  for (bool initially_key_entries_by_network_isolation_key : {false, true}) {
+    for (bool to_key_entries_by_network_isolation_key : {false, true}) {
+      HttpAuthCache cache(initially_key_entries_by_network_isolation_key);
+      EXPECT_EQ(initially_key_entries_by_network_isolation_key,
+                cache.key_server_entries_by_network_isolation_key());
+
+      cache.Add(kOrigin, HttpAuth::AUTH_PROXY, kRealm1,
+                HttpAuth::AUTH_SCHEME_BASIC, NetworkIsolationKey(),
+                "Basic realm=Realm1", AuthCredentials(kUser1, kPass1), kPath);
+      cache.Add(kOrigin, HttpAuth::AUTH_SERVER, kRealm1,
+                HttpAuth::AUTH_SCHEME_BASIC, NetworkIsolationKey(),
+                "Basic realm=Realm1", AuthCredentials(kUser2, kPass2), kPath);
+
+      EXPECT_TRUE(cache.Lookup(kOrigin, HttpAuth::AUTH_PROXY, kRealm1,
+                               HttpAuth::AUTH_SCHEME_BASIC,
+                               NetworkIsolationKey()));
+      EXPECT_TRUE(cache.Lookup(kOrigin, HttpAuth::AUTH_SERVER, kRealm1,
+                               HttpAuth::AUTH_SCHEME_BASIC,
+                               NetworkIsolationKey()));
+
+      cache.SetKeyServerEntriesByNetworkIsolationKey(
+          to_key_entries_by_network_isolation_key);
+      EXPECT_EQ(to_key_entries_by_network_isolation_key,
+                cache.key_server_entries_by_network_isolation_key());
+
+      // AUTH_PROXY credentials should always remain in the cache.
+      HttpAuthCache::Entry* entry = cache.LookupByPath(
+          kOrigin, HttpAuth::AUTH_PROXY, NetworkIsolationKey(), kPath);
+      ASSERT_TRUE(entry);
+      EXPECT_EQ(entry->credentials().username(), kUser1);
+      EXPECT_EQ(entry->credentials().password(), kPass1);
+
+      entry = cache.LookupByPath(kOrigin, HttpAuth::AUTH_SERVER,
+                                 NetworkIsolationKey(), kPath);
+      // AUTH_SERVER credentials should only remain in the cache if the proxy
+      // configuration changes.
+      EXPECT_EQ(initially_key_entries_by_network_isolation_key ==
+                    to_key_entries_by_network_isolation_key,
+                !!entry);
+      if (entry) {
+        EXPECT_EQ(entry->credentials().username(), kUser2);
+        EXPECT_EQ(entry->credentials().password(), kPass2);
+      }
+    }
+  }
+}
+
 TEST(HttpAuthCacheTest, AddPath) {
   HttpAuthCache::Entry entry;
 
@@ -232,21 +593,25 @@ TEST(HttpAuthCacheTest, AddPath) {
 // Calling Add when the realm entry already exists, should append that
 // path.
 TEST(HttpAuthCacheTest, AddToExistingEntry) {
-  HttpAuthCache cache;
+  HttpAuthCache cache(false /* key_entries_by_network_isolation_key */);
   GURL origin("http://www.foobar.com:70");
   const std::string kAuthChallenge = "Basic realm=MyRealm";
   const std::string kRealm = "MyRealm";
 
-  HttpAuthCache::Entry* orig_entry =
-      cache.Add(origin, kRealm, HttpAuth::AUTH_SCHEME_BASIC, kAuthChallenge,
-                CreateASCIICredentials("user1", "password1"), "/x/y/z/");
-  cache.Add(origin, kRealm, HttpAuth::AUTH_SCHEME_BASIC, kAuthChallenge,
+  HttpAuthCache::Entry* orig_entry = cache.Add(
+      origin, HttpAuth::AUTH_SERVER, kRealm, HttpAuth::AUTH_SCHEME_BASIC,
+      NetworkIsolationKey(), kAuthChallenge,
+      CreateASCIICredentials("user1", "password1"), "/x/y/z/");
+  cache.Add(origin, HttpAuth::AUTH_SERVER, kRealm, HttpAuth::AUTH_SCHEME_BASIC,
+            NetworkIsolationKey(), kAuthChallenge,
             CreateASCIICredentials("user2", "password2"), "/z/y/x/");
-  cache.Add(origin, kRealm, HttpAuth::AUTH_SCHEME_BASIC, kAuthChallenge,
+  cache.Add(origin, HttpAuth::AUTH_SERVER, kRealm, HttpAuth::AUTH_SCHEME_BASIC,
+            NetworkIsolationKey(), kAuthChallenge,
             CreateASCIICredentials("user3", "password3"), "/z/y");
 
   HttpAuthCache::Entry* entry =
-      cache.Lookup(origin, kRealm, HttpAuth::AUTH_SCHEME_BASIC);
+      cache.Lookup(origin, HttpAuth::AUTH_SERVER, kRealm,
+                   HttpAuth::AUTH_SCHEME_BASIC, NetworkIsolationKey());
 
   EXPECT_TRUE(entry == orig_entry);
   EXPECT_EQ(ASCIIToUTF16("user3"), entry->credentials().username());
@@ -260,68 +625,74 @@ TEST(HttpAuthCacheTest, AddToExistingEntry) {
 TEST(HttpAuthCacheTest, Remove) {
   GURL origin("http://foobar2.com");
 
-  HttpAuthCache cache;
-  cache.Add(origin, kRealm1, HttpAuth::AUTH_SCHEME_BASIC, "basic realm=Realm1",
+  HttpAuthCache cache(false /* key_entries_by_network_isolation_key */);
+  cache.Add(origin, HttpAuth::AUTH_SERVER, kRealm1, HttpAuth::AUTH_SCHEME_BASIC,
+            NetworkIsolationKey(), "basic realm=Realm1",
             AuthCredentials(kAlice, k123), "/");
-  cache.Add(origin, kRealm2, HttpAuth::AUTH_SCHEME_BASIC, "basic realm=Realm2",
+  cache.Add(origin, HttpAuth::AUTH_SERVER, kRealm2, HttpAuth::AUTH_SCHEME_BASIC,
+            NetworkIsolationKey(), "basic realm=Realm2",
             CreateASCIICredentials("bob", "princess"), "/");
-  cache.Add(origin, kRealm3, HttpAuth::AUTH_SCHEME_BASIC, "basic realm=Realm3",
+  cache.Add(origin, HttpAuth::AUTH_SERVER, kRealm3, HttpAuth::AUTH_SCHEME_BASIC,
+            NetworkIsolationKey(), "basic realm=Realm3",
             AuthCredentials(kAdmin, kPassword), "/");
-  cache.Add(origin, kRealm3, HttpAuth::AUTH_SCHEME_DIGEST,
+  cache.Add(origin, HttpAuth::AUTH_SERVER, kRealm3,
+            HttpAuth::AUTH_SCHEME_DIGEST, NetworkIsolationKey(),
             "digest realm=Realm3", AuthCredentials(kRoot, kWileCoyote), "/");
 
   // Fails, because there is no realm "Realm5".
-  EXPECT_FALSE(cache.Remove(
-      origin, kRealm5, HttpAuth::AUTH_SCHEME_BASIC,
-      AuthCredentials(kAlice, k123)));
+  EXPECT_FALSE(cache.Remove(origin, HttpAuth::AUTH_SERVER, kRealm5,
+                            HttpAuth::AUTH_SCHEME_BASIC, NetworkIsolationKey(),
+                            AuthCredentials(kAlice, k123)));
 
   // Fails because the origin is wrong.
   EXPECT_FALSE(cache.Remove(GURL("http://foobar2.com:100"),
-                            kRealm1,
-                            HttpAuth::AUTH_SCHEME_BASIC,
+                            HttpAuth::AUTH_SERVER, kRealm1,
+                            HttpAuth::AUTH_SCHEME_BASIC, NetworkIsolationKey(),
                             AuthCredentials(kAlice, k123)));
 
   // Fails because the username is wrong.
-  EXPECT_FALSE(cache.Remove(
-      origin, kRealm1, HttpAuth::AUTH_SCHEME_BASIC,
-      AuthCredentials(kAlice2, k123)));
+  EXPECT_FALSE(cache.Remove(origin, HttpAuth::AUTH_SERVER, kRealm1,
+                            HttpAuth::AUTH_SCHEME_BASIC, NetworkIsolationKey(),
+                            AuthCredentials(kAlice2, k123)));
 
   // Fails because the password is wrong.
-  EXPECT_FALSE(cache.Remove(
-      origin, kRealm1, HttpAuth::AUTH_SCHEME_BASIC,
-      AuthCredentials(kAlice, k1234)));
+  EXPECT_FALSE(cache.Remove(origin, HttpAuth::AUTH_SERVER, kRealm1,
+                            HttpAuth::AUTH_SCHEME_BASIC, NetworkIsolationKey(),
+                            AuthCredentials(kAlice, k1234)));
 
   // Fails because the authentication type is wrong.
-  EXPECT_FALSE(cache.Remove(
-      origin, kRealm1, HttpAuth::AUTH_SCHEME_DIGEST,
-      AuthCredentials(kAlice, k123)));
+  EXPECT_FALSE(cache.Remove(origin, HttpAuth::AUTH_SERVER, kRealm1,
+                            HttpAuth::AUTH_SCHEME_DIGEST, NetworkIsolationKey(),
+                            AuthCredentials(kAlice, k123)));
 
   // Succeeds.
-  EXPECT_TRUE(cache.Remove(
-      origin, kRealm1, HttpAuth::AUTH_SCHEME_BASIC,
-      AuthCredentials(kAlice, k123)));
+  EXPECT_TRUE(cache.Remove(origin, HttpAuth::AUTH_SERVER, kRealm1,
+                           HttpAuth::AUTH_SCHEME_BASIC, NetworkIsolationKey(),
+                           AuthCredentials(kAlice, k123)));
 
   // Fails because we just deleted the entry!
-  EXPECT_FALSE(cache.Remove(
-      origin, kRealm1, HttpAuth::AUTH_SCHEME_BASIC,
-      AuthCredentials(kAlice, k123)));
+  EXPECT_FALSE(cache.Remove(origin, HttpAuth::AUTH_SERVER, kRealm1,
+                            HttpAuth::AUTH_SCHEME_BASIC, NetworkIsolationKey(),
+                            AuthCredentials(kAlice, k123)));
 
   // Succeed when there are two authentication types for the same origin,realm.
-  EXPECT_TRUE(cache.Remove(
-      origin, kRealm3, HttpAuth::AUTH_SCHEME_DIGEST,
-      AuthCredentials(kRoot, kWileCoyote)));
+  EXPECT_TRUE(cache.Remove(origin, HttpAuth::AUTH_SERVER, kRealm3,
+                           HttpAuth::AUTH_SCHEME_DIGEST, NetworkIsolationKey(),
+                           AuthCredentials(kRoot, kWileCoyote)));
 
   // Succeed as above, but when entries were added in opposite order
-  cache.Add(origin, kRealm3, HttpAuth::AUTH_SCHEME_DIGEST,
+  cache.Add(origin, HttpAuth::AUTH_SERVER, kRealm3,
+            HttpAuth::AUTH_SCHEME_DIGEST, NetworkIsolationKey(),
             "digest realm=Realm3", AuthCredentials(kRoot, kWileCoyote), "/");
-  EXPECT_TRUE(cache.Remove(
-      origin, kRealm3, HttpAuth::AUTH_SCHEME_BASIC,
-      AuthCredentials(kAdmin, kPassword)));
+  EXPECT_TRUE(cache.Remove(origin, HttpAuth::AUTH_SERVER, kRealm3,
+                           HttpAuth::AUTH_SCHEME_BASIC, NetworkIsolationKey(),
+                           AuthCredentials(kAdmin, kPassword)));
 
   // Make sure that removing one entry still leaves the other available for
   // lookup.
-  HttpAuthCache::Entry* entry = cache.Lookup(
-      origin, kRealm3, HttpAuth::AUTH_SCHEME_DIGEST);
+  HttpAuthCache::Entry* entry =
+      cache.Lookup(origin, HttpAuth::AUTH_SERVER, kRealm3,
+                   HttpAuth::AUTH_SCHEME_DIGEST, NetworkIsolationKey());
   EXPECT_FALSE(nullptr == entry);
 }
 
@@ -333,21 +704,26 @@ TEST(HttpAuthCacheTest, ClearEntriesAddedSince) {
   base::SimpleTestClock test_clock;
   test_clock.SetNow(start_time);
 
-  HttpAuthCache cache;
+  HttpAuthCache cache(false /* key_entries_by_network_isolation_key */);
   cache.set_clock_for_testing(&test_clock);
 
-  cache.Add(origin, kRealm1, HttpAuth::AUTH_SCHEME_BASIC, "basic realm=Realm1",
+  cache.Add(origin, HttpAuth::AUTH_SERVER, kRealm1, HttpAuth::AUTH_SCHEME_BASIC,
+            NetworkIsolationKey(), "basic realm=Realm1",
             AuthCredentials(kAlice, k123), "/");
-  cache.Add(origin, kRealm2, HttpAuth::AUTH_SCHEME_BASIC, "basic realm=Realm2",
+  cache.Add(origin, HttpAuth::AUTH_SERVER, kRealm2, HttpAuth::AUTH_SCHEME_BASIC,
+            NetworkIsolationKey(), "basic realm=Realm2",
             AuthCredentials(kRoot, kWileCoyote), "/");
 
   test_clock.Advance(base::TimeDelta::FromSeconds(10));  // Time now 12:00:10
-  cache.Add(origin, kRealm3, HttpAuth::AUTH_SCHEME_BASIC, "basic realm=Realm3",
+  cache.Add(origin, HttpAuth::AUTH_SERVER, kRealm3, HttpAuth::AUTH_SCHEME_BASIC,
+            NetworkIsolationKey(), "basic realm=Realm3",
             AuthCredentials(kAlice2, k1234), "/");
-  cache.Add(origin, kRealm4, HttpAuth::AUTH_SCHEME_BASIC, "basic realm=Realm4",
+  cache.Add(origin, HttpAuth::AUTH_SERVER, kRealm4, HttpAuth::AUTH_SCHEME_BASIC,
+            NetworkIsolationKey(), "basic realm=Realm4",
             AuthCredentials(kUsername, kPassword), "/");
   // Add path to existing entry.
-  cache.Add(origin, kRealm2, HttpAuth::AUTH_SCHEME_BASIC, "basic realm=Realm2",
+  cache.Add(origin, HttpAuth::AUTH_SERVER, kRealm2, HttpAuth::AUTH_SCHEME_BASIC,
+            NetworkIsolationKey(), "basic realm=Realm2",
             AuthCredentials(kAdmin, kPassword), "/baz/");
 
   base::Time test_time;
@@ -356,25 +732,33 @@ TEST(HttpAuthCacheTest, ClearEntriesAddedSince) {
 
   // Realms 1 and 2 are older than 12:00:05 and should not be cleared
   EXPECT_NE(nullptr,
-            cache.Lookup(origin, kRealm1, HttpAuth::AUTH_SCHEME_BASIC));
+            cache.Lookup(origin, HttpAuth::AUTH_SERVER, kRealm1,
+                         HttpAuth::AUTH_SCHEME_BASIC, NetworkIsolationKey()));
   EXPECT_NE(nullptr,
-            cache.Lookup(origin, kRealm2, HttpAuth::AUTH_SCHEME_BASIC));
+            cache.Lookup(origin, HttpAuth::AUTH_SERVER, kRealm2,
+                         HttpAuth::AUTH_SCHEME_BASIC, NetworkIsolationKey()));
   // Creation time is set for a whole entry rather than for a particular path.
   // Path added within the requested duration isn't be removed.
-  EXPECT_NE(nullptr, cache.LookupByPath(origin, "/baz/"));
+  EXPECT_NE(nullptr, cache.LookupByPath(origin, HttpAuth::AUTH_SERVER,
+                                        NetworkIsolationKey(), "/baz/"));
 
   // Realms 3 and 4 are newer than 12:00:05 and should be cleared.
   EXPECT_EQ(nullptr,
-            cache.Lookup(origin, kRealm3, HttpAuth::AUTH_SCHEME_BASIC));
+            cache.Lookup(origin, HttpAuth::AUTH_SERVER, kRealm3,
+                         HttpAuth::AUTH_SCHEME_BASIC, NetworkIsolationKey()));
   EXPECT_EQ(nullptr,
-            cache.Lookup(origin, kRealm4, HttpAuth::AUTH_SCHEME_BASIC));
+            cache.Lookup(origin, HttpAuth::AUTH_SERVER, kRealm4,
+                         HttpAuth::AUTH_SCHEME_BASIC, NetworkIsolationKey()));
 
   cache.ClearEntriesAddedSince(start_time - base::TimeDelta::FromSeconds(1));
   EXPECT_EQ(nullptr,
-            cache.Lookup(origin, kRealm1, HttpAuth::AUTH_SCHEME_BASIC));
+            cache.Lookup(origin, HttpAuth::AUTH_SERVER, kRealm1,
+                         HttpAuth::AUTH_SCHEME_BASIC, NetworkIsolationKey()));
   EXPECT_EQ(nullptr,
-            cache.Lookup(origin, kRealm2, HttpAuth::AUTH_SCHEME_BASIC));
-  EXPECT_EQ(nullptr, cache.LookupByPath(origin, "/baz/"));
+            cache.Lookup(origin, HttpAuth::AUTH_SERVER, kRealm2,
+                         HttpAuth::AUTH_SCHEME_BASIC, NetworkIsolationKey()));
+  EXPECT_EQ(nullptr, cache.LookupByPath(origin, HttpAuth::AUTH_SERVER,
+                                        NetworkIsolationKey(), "/baz/"));
 }
 
 TEST(HttpAuthCacheTest, ClearEntriesAddedSinceWithNullTime) {
@@ -383,35 +767,45 @@ TEST(HttpAuthCacheTest, ClearEntriesAddedSinceWithNullTime) {
   base::SimpleTestClock test_clock;
   test_clock.SetNow(base::Time::Now());
 
-  HttpAuthCache cache;
+  HttpAuthCache cache(false /* key_entries_by_network_isolation_key */);
   cache.set_clock_for_testing(&test_clock);
 
-  cache.Add(origin, kRealm1, HttpAuth::AUTH_SCHEME_BASIC, "basic realm=Realm1",
+  cache.Add(origin, HttpAuth::AUTH_SERVER, kRealm1, HttpAuth::AUTH_SCHEME_BASIC,
+            NetworkIsolationKey(), "basic realm=Realm1",
             AuthCredentials(kAlice, k123), "/");
-  cache.Add(origin, kRealm2, HttpAuth::AUTH_SCHEME_BASIC, "basic realm=Realm2",
+  cache.Add(origin, HttpAuth::AUTH_SERVER, kRealm2, HttpAuth::AUTH_SCHEME_BASIC,
+            NetworkIsolationKey(), "basic realm=Realm2",
             AuthCredentials(kRoot, kWileCoyote), "/");
 
   test_clock.Advance(base::TimeDelta::FromSeconds(10));
-  cache.Add(origin, kRealm3, HttpAuth::AUTH_SCHEME_BASIC, "basic realm=Realm3",
+  cache.Add(origin, HttpAuth::AUTH_SERVER, kRealm3, HttpAuth::AUTH_SCHEME_BASIC,
+            NetworkIsolationKey(), "basic realm=Realm3",
             AuthCredentials(kAlice2, k1234), "/");
-  cache.Add(origin, kRealm4, HttpAuth::AUTH_SCHEME_BASIC, "basic realm=Realm4",
+  cache.Add(origin, HttpAuth::AUTH_SERVER, kRealm4, HttpAuth::AUTH_SCHEME_BASIC,
+            NetworkIsolationKey(), "basic realm=Realm4",
             AuthCredentials(kUsername, kPassword), "/");
   // Add path to existing entry.
-  cache.Add(origin, kRealm2, HttpAuth::AUTH_SCHEME_BASIC, "basic realm=Realm2",
+  cache.Add(origin, HttpAuth::AUTH_SERVER, kRealm2, HttpAuth::AUTH_SCHEME_BASIC,
+            NetworkIsolationKey(), "basic realm=Realm2",
             AuthCredentials(kAdmin, kPassword), "/baz/");
 
   cache.ClearEntriesAddedSince(base::Time());
 
   // All entries should be cleared.
   EXPECT_EQ(nullptr,
-            cache.Lookup(origin, kRealm1, HttpAuth::AUTH_SCHEME_BASIC));
+            cache.Lookup(origin, HttpAuth::AUTH_SERVER, kRealm1,
+                         HttpAuth::AUTH_SCHEME_BASIC, NetworkIsolationKey()));
   EXPECT_EQ(nullptr,
-            cache.Lookup(origin, kRealm2, HttpAuth::AUTH_SCHEME_BASIC));
-  EXPECT_EQ(nullptr, cache.LookupByPath(origin, "/baz/"));
+            cache.Lookup(origin, HttpAuth::AUTH_SERVER, kRealm2,
+                         HttpAuth::AUTH_SCHEME_BASIC, NetworkIsolationKey()));
+  EXPECT_EQ(nullptr, cache.LookupByPath(origin, HttpAuth::AUTH_SERVER,
+                                        NetworkIsolationKey(), "/baz/"));
   EXPECT_EQ(nullptr,
-            cache.Lookup(origin, kRealm3, HttpAuth::AUTH_SCHEME_BASIC));
+            cache.Lookup(origin, HttpAuth::AUTH_SERVER, kRealm3,
+                         HttpAuth::AUTH_SCHEME_BASIC, NetworkIsolationKey()));
   EXPECT_EQ(nullptr,
-            cache.Lookup(origin, kRealm4, HttpAuth::AUTH_SCHEME_BASIC));
+            cache.Lookup(origin, HttpAuth::AUTH_SERVER, kRealm4,
+                         HttpAuth::AUTH_SCHEME_BASIC, NetworkIsolationKey()));
 }
 
 TEST(HttpAuthCacheTest, ClearAllEntries) {
@@ -420,21 +814,26 @@ TEST(HttpAuthCacheTest, ClearAllEntries) {
   base::SimpleTestClock test_clock;
   test_clock.SetNow(base::Time::Now());
 
-  HttpAuthCache cache;
+  HttpAuthCache cache(false /* key_entries_by_network_isolation_key */);
   cache.set_clock_for_testing(&test_clock);
 
-  cache.Add(origin, kRealm1, HttpAuth::AUTH_SCHEME_BASIC, "basic realm=Realm1",
+  cache.Add(origin, HttpAuth::AUTH_SERVER, kRealm1, HttpAuth::AUTH_SCHEME_BASIC,
+            NetworkIsolationKey(), "basic realm=Realm1",
             AuthCredentials(kAlice, k123), "/");
-  cache.Add(origin, kRealm2, HttpAuth::AUTH_SCHEME_BASIC, "basic realm=Realm2",
+  cache.Add(origin, HttpAuth::AUTH_SERVER, kRealm2, HttpAuth::AUTH_SCHEME_BASIC,
+            NetworkIsolationKey(), "basic realm=Realm2",
             AuthCredentials(kRoot, kWileCoyote), "/");
 
   test_clock.Advance(base::TimeDelta::FromSeconds(10));
-  cache.Add(origin, kRealm3, HttpAuth::AUTH_SCHEME_BASIC, "basic realm=Realm3",
+  cache.Add(origin, HttpAuth::AUTH_SERVER, kRealm3, HttpAuth::AUTH_SCHEME_BASIC,
+            NetworkIsolationKey(), "basic realm=Realm3",
             AuthCredentials(kAlice2, k1234), "/");
-  cache.Add(origin, kRealm4, HttpAuth::AUTH_SCHEME_BASIC, "basic realm=Realm4",
+  cache.Add(origin, HttpAuth::AUTH_SERVER, kRealm4, HttpAuth::AUTH_SCHEME_BASIC,
+            NetworkIsolationKey(), "basic realm=Realm4",
             AuthCredentials(kUsername, kPassword), "/");
   // Add path to existing entry.
-  cache.Add(origin, kRealm2, HttpAuth::AUTH_SCHEME_BASIC, "basic realm=Realm2",
+  cache.Add(origin, HttpAuth::AUTH_SERVER, kRealm2, HttpAuth::AUTH_SCHEME_BASIC,
+            NetworkIsolationKey(), "basic realm=Realm2",
             AuthCredentials(kAdmin, kPassword), "/baz/");
 
   test_clock.Advance(base::TimeDelta::FromSeconds(55));
@@ -442,21 +841,27 @@ TEST(HttpAuthCacheTest, ClearAllEntries) {
 
   // All entries should be cleared.
   EXPECT_EQ(nullptr,
-            cache.Lookup(origin, kRealm1, HttpAuth::AUTH_SCHEME_BASIC));
+            cache.Lookup(origin, HttpAuth::AUTH_SERVER, kRealm1,
+                         HttpAuth::AUTH_SCHEME_BASIC, NetworkIsolationKey()));
   EXPECT_EQ(nullptr,
-            cache.Lookup(origin, kRealm2, HttpAuth::AUTH_SCHEME_BASIC));
-  EXPECT_EQ(nullptr, cache.LookupByPath(origin, "/baz/"));
+            cache.Lookup(origin, HttpAuth::AUTH_SERVER, kRealm2,
+                         HttpAuth::AUTH_SCHEME_BASIC, NetworkIsolationKey()));
+  EXPECT_EQ(nullptr, cache.LookupByPath(origin, HttpAuth::AUTH_SERVER,
+                                        NetworkIsolationKey(), "/baz/"));
   EXPECT_EQ(nullptr,
-            cache.Lookup(origin, kRealm3, HttpAuth::AUTH_SCHEME_BASIC));
+            cache.Lookup(origin, HttpAuth::AUTH_SERVER, kRealm3,
+                         HttpAuth::AUTH_SCHEME_BASIC, NetworkIsolationKey()));
   EXPECT_EQ(nullptr,
-            cache.Lookup(origin, kRealm4, HttpAuth::AUTH_SCHEME_BASIC));
+            cache.Lookup(origin, HttpAuth::AUTH_SERVER, kRealm4,
+                         HttpAuth::AUTH_SCHEME_BASIC, NetworkIsolationKey()));
 }
 
 TEST(HttpAuthCacheTest, UpdateStaleChallenge) {
-  HttpAuthCache cache;
+  HttpAuthCache cache(false /* key_entries_by_network_isolation_key */);
   GURL origin("http://foobar2.com");
   HttpAuthCache::Entry* entry_pre = cache.Add(
-      origin, kRealm1, HttpAuth::AUTH_SCHEME_DIGEST,
+      origin, HttpAuth::AUTH_SERVER, kRealm1, HttpAuth::AUTH_SCHEME_DIGEST,
+      NetworkIsolationKey(),
       "Digest realm=Realm1,"
       "nonce=\"s3MzvFhaBAA=4c520af5acd9d8d7ae26947529d18c8eae1e98f4\"",
       CreateASCIICredentials("realm-digest-user", "realm-digest-password"),
@@ -468,7 +873,8 @@ TEST(HttpAuthCacheTest, UpdateStaleChallenge) {
   EXPECT_EQ(4, entry_pre->IncrementNonceCount());
 
   bool update_success = cache.UpdateStaleChallenge(
-      origin, kRealm1, HttpAuth::AUTH_SCHEME_DIGEST,
+      origin, HttpAuth::AUTH_SERVER, kRealm1, HttpAuth::AUTH_SCHEME_DIGEST,
+      NetworkIsolationKey(),
       "Digest realm=Realm1,"
       "nonce=\"claGgoRXBAA=7583377687842fdb7b56ba0555d175baa0b800e3\","
       "stale=\"true\"");
@@ -477,65 +883,84 @@ TEST(HttpAuthCacheTest, UpdateStaleChallenge) {
   // After the stale update, the entry should still exist in the cache and
   // the nonce count should be reset to 0.
   HttpAuthCache::Entry* entry_post =
-      cache.Lookup(origin, kRealm1, HttpAuth::AUTH_SCHEME_DIGEST);
+      cache.Lookup(origin, HttpAuth::AUTH_SERVER, kRealm1,
+                   HttpAuth::AUTH_SCHEME_DIGEST, NetworkIsolationKey());
   ASSERT_TRUE(entry_post != nullptr);
   EXPECT_EQ(2, entry_post->IncrementNonceCount());
 
   // UpdateStaleChallenge will fail if an entry doesn't exist in the cache.
   bool update_failure = cache.UpdateStaleChallenge(
-      origin, kRealm2, HttpAuth::AUTH_SCHEME_DIGEST,
+      origin, HttpAuth::AUTH_SERVER, kRealm2, HttpAuth::AUTH_SCHEME_DIGEST,
+      NetworkIsolationKey(),
       "Digest realm=Realm2,"
       "nonce=\"claGgoRXBAA=7583377687842fdb7b56ba0555d175baa0b800e3\","
       "stale=\"true\"");
   EXPECT_FALSE(update_failure);
 }
 
-TEST(HttpAuthCacheTest, UpdateAllFrom) {
+TEST(HttpAuthCacheTest, CopyProxyEntriesFrom) {
   GURL origin("http://example.com");
   std::string path("/some/path");
   std::string another_path("/another/path");
 
-  HttpAuthCache first_cache;
+  HttpAuthCache first_cache(false /* key_entries_by_network_isolation_key */);
   HttpAuthCache::Entry* entry;
 
-  first_cache.Add(origin, kRealm1, HttpAuth::AUTH_SCHEME_BASIC,
+  first_cache.Add(origin, HttpAuth::AUTH_PROXY, kRealm1,
+                  HttpAuth::AUTH_SCHEME_BASIC, NetworkIsolationKey(),
                   "basic realm=Realm1", AuthCredentials(kAlice, k123), path);
-  first_cache.Add(origin, kRealm2, HttpAuth::AUTH_SCHEME_BASIC,
+  first_cache.Add(origin, HttpAuth::AUTH_PROXY, kRealm2,
+                  HttpAuth::AUTH_SCHEME_BASIC, NetworkIsolationKey(),
                   "basic realm=Realm2", AuthCredentials(kAlice2, k1234), path);
-  first_cache.Add(origin, kRealm3, HttpAuth::AUTH_SCHEME_DIGEST,
+  first_cache.Add(origin, HttpAuth::AUTH_PROXY, kRealm3,
+                  HttpAuth::AUTH_SCHEME_DIGEST, NetworkIsolationKey(),
                   "digest realm=Realm3", AuthCredentials(kRoot, kWileCoyote),
                   path);
-  entry = first_cache.Add(origin, kRealm3, HttpAuth::AUTH_SCHEME_DIGEST,
+  entry = first_cache.Add(origin, HttpAuth::AUTH_PROXY, kRealm3,
+                          HttpAuth::AUTH_SCHEME_DIGEST, NetworkIsolationKey(),
                           "digest realm=Realm3",
                           AuthCredentials(kRoot, kWileCoyote), another_path);
 
   EXPECT_EQ(2, entry->IncrementNonceCount());
 
-  HttpAuthCache second_cache;
+  // Server entry, which should not be copied.
+  first_cache.Add(origin, HttpAuth::AUTH_SERVER, kRealm1,
+                  HttpAuth::AUTH_SCHEME_BASIC, NetworkIsolationKey(),
+                  "basic realm=Realm1", AuthCredentials(kAlice, k123), path);
+
+  HttpAuthCache second_cache(false /* key_entries_by_network_isolation_key */);
   // Will be overwritten by kRoot:kWileCoyote.
-  second_cache.Add(origin, kRealm3, HttpAuth::AUTH_SCHEME_DIGEST,
+  second_cache.Add(origin, HttpAuth::AUTH_PROXY, kRealm3,
+                   HttpAuth::AUTH_SCHEME_DIGEST, NetworkIsolationKey(),
                    "digest realm=Realm3", AuthCredentials(kAlice2, k1234),
                    path);
   // Should be left intact.
-  second_cache.Add(origin, kRealm4, HttpAuth::AUTH_SCHEME_BASIC,
+  second_cache.Add(origin, HttpAuth::AUTH_PROXY, kRealm4,
+                   HttpAuth::AUTH_SCHEME_BASIC, NetworkIsolationKey(),
                    "basic realm=Realm4", AuthCredentials(kAdmin, kRoot), path);
 
-  second_cache.UpdateAllFrom(first_cache);
+  second_cache.CopyProxyEntriesFrom(first_cache);
 
   // Copied from first_cache.
-  entry = second_cache.Lookup(origin, kRealm1, HttpAuth::AUTH_SCHEME_BASIC);
+  entry =
+      second_cache.Lookup(origin, HttpAuth::AUTH_PROXY, kRealm1,
+                          HttpAuth::AUTH_SCHEME_BASIC, NetworkIsolationKey());
   EXPECT_TRUE(nullptr != entry);
   EXPECT_EQ(kAlice, entry->credentials().username());
   EXPECT_EQ(k123, entry->credentials().password());
 
   // Copied from first_cache.
-  entry = second_cache.Lookup(origin, kRealm2, HttpAuth::AUTH_SCHEME_BASIC);
+  entry =
+      second_cache.Lookup(origin, HttpAuth::AUTH_PROXY, kRealm2,
+                          HttpAuth::AUTH_SCHEME_BASIC, NetworkIsolationKey());
   EXPECT_TRUE(nullptr != entry);
   EXPECT_EQ(kAlice2, entry->credentials().username());
   EXPECT_EQ(k1234, entry->credentials().password());
 
   // Overwritten from first_cache.
-  entry = second_cache.Lookup(origin, kRealm3, HttpAuth::AUTH_SCHEME_DIGEST);
+  entry =
+      second_cache.Lookup(origin, HttpAuth::AUTH_PROXY, kRealm3,
+                          HttpAuth::AUTH_SCHEME_DIGEST, NetworkIsolationKey());
   EXPECT_TRUE(nullptr != entry);
   EXPECT_EQ(kRoot, entry->credentials().username());
   EXPECT_EQ(kWileCoyote, entry->credentials().password());
@@ -543,23 +968,36 @@ TEST(HttpAuthCacheTest, UpdateAllFrom) {
   EXPECT_EQ(3, entry->IncrementNonceCount());
 
   // All paths should get copied.
-  entry = second_cache.LookupByPath(origin, another_path);
+  entry = second_cache.LookupByPath(origin, HttpAuth::AUTH_PROXY,
+                                    NetworkIsolationKey(), another_path);
   EXPECT_TRUE(nullptr != entry);
   EXPECT_EQ(kRoot, entry->credentials().username());
   EXPECT_EQ(kWileCoyote, entry->credentials().password());
 
   // Left intact in second_cache.
-  entry = second_cache.Lookup(origin, kRealm4, HttpAuth::AUTH_SCHEME_BASIC);
+  entry =
+      second_cache.Lookup(origin, HttpAuth::AUTH_PROXY, kRealm4,
+                          HttpAuth::AUTH_SCHEME_BASIC, NetworkIsolationKey());
   EXPECT_TRUE(nullptr != entry);
   EXPECT_EQ(kAdmin, entry->credentials().username());
   EXPECT_EQ(kRoot, entry->credentials().password());
+
+  // AUTH_SERVER entry should not have been copied from first_cache.
+  EXPECT_TRUE(first_cache.Lookup(origin, HttpAuth::AUTH_SERVER, kRealm1,
+                                 HttpAuth::AUTH_SCHEME_BASIC,
+                                 NetworkIsolationKey()));
+  EXPECT_FALSE(second_cache.Lookup(origin, HttpAuth::AUTH_SERVER, kRealm1,
+                                   HttpAuth::AUTH_SCHEME_BASIC,
+                                   NetworkIsolationKey()));
 }
 
 // Test fixture class for eviction tests (contains helpers for bulk
 // insertion and existence testing).
 class HttpAuthCacheEvictionTest : public testing::Test {
  protected:
-  HttpAuthCacheEvictionTest() : origin_("http://www.google.com") { }
+  HttpAuthCacheEvictionTest()
+      : origin_("http://www.google.com"),
+        cache_(false /* key_entries_by_network_isolation_key */) {}
 
   std::string GenerateRealm(int realm_i) {
     return base::StringPrintf("Realm %d", realm_i);
@@ -574,18 +1012,16 @@ class HttpAuthCacheEvictionTest : public testing::Test {
   }
 
   void AddPathToRealm(int realm_i, int path_i) {
-    cache_.Add(origin_,
-               GenerateRealm(realm_i),
-               HttpAuth::AUTH_SCHEME_BASIC,
-               std::string(),
-               AuthCredentials(kUsername, kPassword),
+    cache_.Add(origin_, HttpAuth::AUTH_SERVER, GenerateRealm(realm_i),
+               HttpAuth::AUTH_SCHEME_BASIC, NetworkIsolationKey(),
+               std::string(), AuthCredentials(kUsername, kPassword),
                GeneratePath(realm_i, path_i));
   }
 
   void CheckRealmExistence(int realm_i, bool exists) {
     const HttpAuthCache::Entry* entry =
-        cache_.Lookup(
-            origin_, GenerateRealm(realm_i), HttpAuth::AUTH_SCHEME_BASIC);
+        cache_.Lookup(origin_, HttpAuth::AUTH_SERVER, GenerateRealm(realm_i),
+                      HttpAuth::AUTH_SCHEME_BASIC, NetworkIsolationKey());
     if (exists) {
       EXPECT_FALSE(entry == nullptr);
       EXPECT_EQ(GenerateRealm(realm_i), entry->realm());
@@ -595,8 +1031,9 @@ class HttpAuthCacheEvictionTest : public testing::Test {
   }
 
   void CheckPathExistence(int realm_i, int path_i, bool exists) {
-    const HttpAuthCache::Entry* entry =
-        cache_.LookupByPath(origin_, GeneratePath(realm_i, path_i));
+    const HttpAuthCache::Entry* entry = cache_.LookupByPath(
+        origin_, HttpAuth::AUTH_SERVER, NetworkIsolationKey(),
+        GeneratePath(realm_i, path_i));
     if (exists) {
       EXPECT_FALSE(entry == nullptr);
       EXPECT_EQ(GenerateRealm(realm_i), entry->realm());
diff --git a/chromium/net/http/http_auth_challenge_tokenizer.cc b/chromium/net/http/http_auth_challenge_tokenizer.cc
index dfeb6325fe2..226dbcf9e7d 100644
--- a/chromium/net/http/http_auth_challenge_tokenizer.cc
+++ b/chromium/net/http/http_auth_challenge_tokenizer.cc
@@ -4,6 +4,7 @@
 
 #include "net/http/http_auth_challenge_tokenizer.h"
 
+#include "base/strings/string_piece.h"
 #include "base/strings/string_tokenizer.h"
 
 namespace net {
@@ -13,8 +14,6 @@ HttpAuthChallengeTokenizer::HttpAuthChallengeTokenizer(
     std::string::const_iterator end)
     : begin_(begin),
       end_(end),
-      scheme_begin_(begin),
-      scheme_end_(begin),
       params_begin_(end),
       params_end_(end) {
   Init(begin, end);
@@ -52,10 +51,10 @@ void HttpAuthChallengeTokenizer::Init(std::string::const_iterator begin,
   }
 
   // Save the scheme's position.
-  scheme_begin_ = tok.token_begin();
-  scheme_end_ = tok.token_end();
+  lower_case_scheme_ =
+      base::ToLowerASCII(base::StringPiece(tok.token_begin(), tok.token_end()));
 
-  params_begin_ = scheme_end_;
+  params_begin_ = tok.token_end();
   params_end_ = end;
   HttpUtil::TrimLWS(&params_begin_, &params_end_);
 }
diff --git a/chromium/net/http/http_auth_challenge_tokenizer.h b/chromium/net/http/http_auth_challenge_tokenizer.h
index fe8f6b06fa7..400817855af 100644
--- a/chromium/net/http/http_auth_challenge_tokenizer.h
+++ b/chromium/net/http/http_auth_challenge_tokenizer.h
@@ -7,6 +7,7 @@
 
 #include <string>
 
+#include "base/strings/string_piece.h"
 #include "net/base/net_export.h"
 #include "net/http/http_util.h"
 
@@ -31,12 +32,9 @@ class NET_EXPORT_PRIVATE HttpAuthChallengeTokenizer {
     return std::string(begin_, end_);
   }
 
-  // Get the auth scheme of the challenge.
-  std::string::const_iterator scheme_begin() const { return scheme_begin_; }
-  std::string::const_iterator scheme_end() const { return scheme_end_; }
-  std::string scheme() const {
-    return std::string(scheme_begin_, scheme_end_);
-  }
+  // Get the authenthication scheme of the challenge. The returned scheme is
+  // always lowercase.
+  const std::string& auth_scheme() const { return lower_case_scheme_; }
 
   std::string::const_iterator params_begin() const { return params_begin_; }
   std::string::const_iterator params_end() const { return params_end_; }
@@ -50,11 +48,10 @@ class NET_EXPORT_PRIVATE HttpAuthChallengeTokenizer {
   std::string::const_iterator begin_;
   std::string::const_iterator end_;
 
-  std::string::const_iterator scheme_begin_;
-  std::string::const_iterator scheme_end_;
-
   std::string::const_iterator params_begin_;
   std::string::const_iterator params_end_;
+
+  std::string lower_case_scheme_;
 };
 
 }  // namespace net
diff --git a/chromium/net/http/http_auth_challenge_tokenizer_unittest.cc b/chromium/net/http/http_auth_challenge_tokenizer_unittest.cc
index 2cf657a17f5..8921fb99422 100644
--- a/chromium/net/http/http_auth_challenge_tokenizer_unittest.cc
+++ b/chromium/net/http/http_auth_challenge_tokenizer_unittest.cc
@@ -14,7 +14,7 @@ TEST(HttpAuthChallengeTokenizerTest, Basic) {
   HttpUtil::NameValuePairsIterator parameters = challenge.param_pairs();
 
   EXPECT_TRUE(parameters.valid());
-  EXPECT_EQ(std::string("Basic"), challenge.scheme());
+  EXPECT_EQ(std::string("basic"), challenge.auth_scheme());
   EXPECT_TRUE(parameters.GetNext());
   EXPECT_TRUE(parameters.valid());
   EXPECT_EQ(std::string("realm"), parameters.name());
@@ -30,7 +30,7 @@ TEST(HttpAuthChallengeTokenizerTest, NoQuotes) {
   HttpUtil::NameValuePairsIterator parameters = challenge.param_pairs();
 
   EXPECT_TRUE(parameters.valid());
-  EXPECT_EQ(std::string("Basic"), challenge.scheme());
+  EXPECT_EQ(std::string("basic"), challenge.auth_scheme());
   EXPECT_TRUE(parameters.GetNext());
   EXPECT_TRUE(parameters.valid());
   EXPECT_EQ(std::string("realm"), parameters.name());
@@ -46,7 +46,7 @@ TEST(HttpAuthChallengeTokenizerTest, MismatchedQuotes) {
   HttpUtil::NameValuePairsIterator parameters = challenge.param_pairs();
 
   EXPECT_TRUE(parameters.valid());
-  EXPECT_EQ(std::string("Basic"), challenge.scheme());
+  EXPECT_EQ(std::string("basic"), challenge.auth_scheme());
   EXPECT_TRUE(parameters.GetNext());
   EXPECT_TRUE(parameters.valid());
   EXPECT_EQ(std::string("realm"), parameters.name());
@@ -62,7 +62,7 @@ TEST(HttpAuthChallengeTokenizerTest, MismatchedQuotesNoValue) {
   HttpUtil::NameValuePairsIterator parameters = challenge.param_pairs();
 
   EXPECT_TRUE(parameters.valid());
-  EXPECT_EQ(std::string("Basic"), challenge.scheme());
+  EXPECT_EQ(std::string("basic"), challenge.auth_scheme());
   EXPECT_TRUE(parameters.GetNext());
   EXPECT_TRUE(parameters.valid());
   EXPECT_EQ(std::string("realm"), parameters.name());
@@ -79,7 +79,7 @@ TEST(HttpAuthChallengeTokenizerTest, MismatchedQuotesSpaces) {
   HttpUtil::NameValuePairsIterator parameters = challenge.param_pairs();
 
   EXPECT_TRUE(parameters.valid());
-  EXPECT_EQ(std::string("Basic"), challenge.scheme());
+  EXPECT_EQ(std::string("basic"), challenge.auth_scheme());
   EXPECT_TRUE(parameters.GetNext());
   EXPECT_TRUE(parameters.valid());
   EXPECT_EQ(std::string("realm"), parameters.name());
@@ -96,7 +96,7 @@ TEST(HttpAuthChallengeTokenizerTest, MismatchedQuotesMultiple) {
   HttpUtil::NameValuePairsIterator parameters = challenge.param_pairs();
 
   EXPECT_TRUE(parameters.valid());
-  EXPECT_EQ(std::string("Digest"), challenge.scheme());
+  EXPECT_EQ(std::string("digest"), challenge.auth_scheme());
   EXPECT_TRUE(parameters.GetNext());
   EXPECT_TRUE(parameters.valid());
   EXPECT_EQ(std::string("qop"), parameters.name());
@@ -120,7 +120,7 @@ TEST(HttpAuthChallengeTokenizerTest, NoValue) {
   HttpUtil::NameValuePairsIterator parameters = challenge.param_pairs();
 
   EXPECT_TRUE(parameters.valid());
-  EXPECT_EQ(std::string("Digest"), challenge.scheme());
+  EXPECT_EQ(std::string("digest"), challenge.auth_scheme());
   EXPECT_FALSE(parameters.GetNext());
   EXPECT_FALSE(parameters.valid());
 }
@@ -134,7 +134,7 @@ TEST(HttpAuthChallengeTokenizerTest, Multiple) {
   HttpUtil::NameValuePairsIterator parameters = challenge.param_pairs();
 
   EXPECT_TRUE(parameters.valid());
-  EXPECT_EQ(std::string("Digest"), challenge.scheme());
+  EXPECT_EQ(std::string("digest"), challenge.auth_scheme());
   EXPECT_TRUE(parameters.GetNext());
   EXPECT_TRUE(parameters.valid());
   EXPECT_EQ(std::string("algorithm"), parameters.name());
@@ -159,7 +159,7 @@ TEST(HttpAuthChallengeTokenizerTest, NoProperty) {
   HttpUtil::NameValuePairsIterator parameters = challenge.param_pairs();
 
   EXPECT_TRUE(parameters.valid());
-  EXPECT_EQ(std::string("NTLM"), challenge.scheme());
+  EXPECT_EQ(std::string("ntlm"), challenge.auth_scheme());
   EXPECT_FALSE(parameters.GetNext());
 }
 
@@ -169,7 +169,7 @@ TEST(HttpAuthChallengeTokenizerTest, Base64) {
   HttpAuthChallengeTokenizer challenge(challenge_str.begin(),
                                        challenge_str.end());
 
-  EXPECT_EQ(std::string("NTLM"), challenge.scheme());
+  EXPECT_EQ(std::string("ntlm"), challenge.auth_scheme());
   // Notice the two equal statements below due to padding removal.
   EXPECT_EQ(std::string("SGVsbG8sIFdvcmxkCg=="), challenge.base64_param());
 }
diff --git a/chromium/net/http/http_auth_controller.cc b/chromium/net/http/http_auth_controller.cc
index 2442e7b726a..1ef08d8c87a 100644
--- a/chromium/net/http/http_auth_controller.cc
+++ b/chromium/net/http/http_auth_controller.cc
@@ -139,16 +139,16 @@ base::Value ControllerParamsToValue(HttpAuth::Target target, const GURL& url) {
 HttpAuthController::HttpAuthController(
     HttpAuth::Target target,
     const GURL& auth_url,
+    const NetworkIsolationKey& network_isolation_key,
     HttpAuthCache* http_auth_cache,
     HttpAuthHandlerFactory* http_auth_handler_factory,
-    HostResolver* host_resolver,
-    HttpAuthPreferences::DefaultCredentials allow_default_credentials)
+    HostResolver* host_resolver)
     : target_(target),
       auth_url_(auth_url),
       auth_origin_(auth_url.GetOrigin()),
       auth_path_(auth_url.path()),
+      network_isolation_key_(network_isolation_key),
       embedded_identity_used_(false),
-      allow_default_credentials_(allow_default_credentials),
       default_credentials_used_(false),
       http_auth_cache_(http_auth_cache),
       http_auth_handler_factory_(http_auth_handler_factory),
@@ -220,8 +220,8 @@ bool HttpAuthController::SelectPreemptiveAuth(
   // is expected to be fast. LookupByPath() is fast in the common case, since
   // the number of http auth cache entries is expected to be very small.
   // (For most users in fact, it will be 0.)
-  HttpAuthCache::Entry* entry =
-      http_auth_cache_->LookupByPath(auth_origin_, auth_path_);
+  HttpAuthCache::Entry* entry = http_auth_cache_->LookupByPath(
+      auth_origin_, target_, network_isolation_key_, auth_path_);
   if (!entry)
     return false;
 
@@ -292,10 +292,10 @@ int HttpAuthController::HandleAuthChallenge(
         InvalidateCurrentHandler(INVALIDATE_HANDLER_AND_CACHED_CREDENTIALS);
         break;
       case HttpAuth::AUTHORIZATION_RESULT_STALE:
-        if (http_auth_cache_->UpdateStaleChallenge(auth_origin_,
-                                                   handler_->realm(),
-                                                   handler_->auth_scheme(),
-                                                   challenge_used)) {
+        if (http_auth_cache_->UpdateStaleChallenge(
+                auth_origin_, target_, handler_->realm(),
+                handler_->auth_scheme(), network_isolation_key_,
+                challenge_used)) {
           InvalidateCurrentHandler(INVALIDATE_HANDLER);
         } else {
           // It's possible that a server could incorrectly issue a stale
@@ -420,9 +420,10 @@ void HttpAuthController::ResetAuth(const AuthCredentials& credentials) {
     case HttpAuth::IDENT_SRC_DEFAULT_CREDENTIALS:
       break;
     default:
-      http_auth_cache_->Add(auth_origin_, handler_->realm(),
-                            handler_->auth_scheme(), handler_->challenge(),
-                            identity_.credentials, auth_path_);
+      http_auth_cache_->Add(auth_origin_, target_, handler_->realm(),
+                            handler_->auth_scheme(), network_isolation_key_,
+                            handler_->challenge(), identity_.credentials,
+                            auth_path_);
       break;
   }
 }
@@ -469,8 +470,9 @@ void HttpAuthController::InvalidateRejectedAuthFromCache() {
   // Clear the cache entry for the identity we just failed on.
   // Note: we require the credentials to match before invalidating
   // since the entry in the cache may be newer than what we used last time.
-  http_auth_cache_->Remove(auth_origin_, handler_->realm(),
-                           handler_->auth_scheme(), identity_.credentials);
+  http_auth_cache_->Remove(auth_origin_, target_, handler_->realm(),
+                           handler_->auth_scheme(), network_isolation_key_,
+                           identity_.credentials);
 }
 
 void HttpAuthController::PrepareIdentityForReuse() {
@@ -520,8 +522,8 @@ bool HttpAuthController::SelectNextAuthIdentityToTry() {
 
   // Check the auth cache for a realm entry.
   HttpAuthCache::Entry* entry =
-      http_auth_cache_->Lookup(auth_origin_, handler_->realm(),
-                               handler_->auth_scheme());
+      http_auth_cache_->Lookup(auth_origin_, target_, handler_->realm(),
+                               handler_->auth_scheme(), network_isolation_key_);
 
   if (entry) {
     identity_.source = HttpAuth::IDENT_SRC_REALM_LOOKUP;
@@ -535,12 +537,7 @@ bool HttpAuthController::SelectNextAuthIdentityToTry() {
   // infinite loop. We use default credentials after checking the auth cache so
   // that if single sign-on doesn't work, we won't try default credentials for
   // future transactions.
-  if (!default_credentials_used_ && handler_->AllowsDefaultCredentials() &&
-      // TODO(https://crbug.com/458508): Refactor |AllowsDefaultCredentials|
-      // to internally process |allow_default_credentials_| once it is
-      // passed along with the other |HttpAuthPreferences|.
-      allow_default_credentials_ ==
-          HttpAuthPreferences::ALLOW_DEFAULT_CREDENTIALS) {
+  if (!default_credentials_used_ && handler_->AllowsDefaultCredentials()) {
     identity_.source = HttpAuth::IDENT_SRC_DEFAULT_CREDENTIALS;
     identity_.invalid = false;
     default_credentials_used_ = true;
diff --git a/chromium/net/http/http_auth_controller.h b/chromium/net/http/http_auth_controller.h
index 414554f4510..3a47c430589 100644
--- a/chromium/net/http/http_auth_controller.h
+++ b/chromium/net/http/http_auth_controller.h
@@ -14,6 +14,7 @@
 #include "base/threading/thread_checker.h"
 #include "net/base/completion_once_callback.h"
 #include "net/base/net_export.h"
+#include "net/base/network_isolation_key.h"
 #include "net/http/http_auth.h"
 #include "net/http/http_auth_preferences.h"
 #include "net/log/net_log_with_source.h"
@@ -59,6 +60,10 @@ class NET_EXPORT_PRIVATE HttpAuthController
   //       If |target| is PROXY, then |auth_url| should have no hierarchical
   //       part since that is meaningless.
   //
+  // * |network_isolation_key| specifies the NetworkIsolationKey associated with
+  //       the resource load. Depending on settings, credentials may be scoped
+  //       to a single NetworkIsolationKey.
+  //
   // * |http_auth_cache| specifies the credentials cache to use. During
   //       authentication if explicit (user-provided) credentials are used and
   //       they can be cached to respond to authentication challenges in the
@@ -78,13 +83,12 @@ class NET_EXPORT_PRIVATE HttpAuthController
   //
   // * |allow_default_credentials| is used for determining if the current
   //       context allows ambient authentication using default credentials.
-  HttpAuthController(
-      HttpAuth::Target target,
-      const GURL& auth_url,
-      HttpAuthCache* http_auth_cache,
-      HttpAuthHandlerFactory* http_auth_handler_factory,
-      HostResolver* host_resolver,
-      HttpAuthPreferences::DefaultCredentials allow_default_credentials);
+  HttpAuthController(HttpAuth::Target target,
+                     const GURL& auth_url,
+                     const NetworkIsolationKey& network_isolation_key,
+                     HttpAuthCache* http_auth_cache,
+                     HttpAuthHandlerFactory* http_auth_handler_factory,
+                     HostResolver* host_resolver);
 
   // Generate an authentication token for |target| if necessary. The return
   // value is a net error code. |OK| will be returned both in the case that
@@ -197,6 +201,9 @@ class NET_EXPORT_PRIVATE HttpAuthController
   // For proxy authentication the path is empty.
   const std::string auth_path_;
 
+  // NetworkIsolationKey assocaied with the request.
+  const NetworkIsolationKey network_isolation_key_;
+
   // |handler_| encapsulates the logic for the particular auth-scheme.
   // This includes the challenge's parameters. If nullptr, then there is no
   // associated auth handler.
@@ -219,13 +226,6 @@ class NET_EXPORT_PRIVATE HttpAuthController
   // preventing an infinite auth restart loop.
   bool embedded_identity_used_;
 
-  // If the current context allows ambient authentication using default
-  // credentials.
-  // TODO(https://crbug.com/458508): Refactor |allow_default_credentials_|
-  // to be passed along with the other |HttpAuthPreferences|, rather then being
-  // passed directly to |HttpAuthController|.
-  HttpAuthPreferences::DefaultCredentials allow_default_credentials_;
-
   // True if default credentials have already been tried for this transaction
   // in response to an HTTP authentication challenge.
   bool default_credentials_used_;
diff --git a/chromium/net/http/http_auth_controller_unittest.cc b/chromium/net/http/http_auth_controller_unittest.cc
index 7e654baaf82..1f78cacf18d 100644
--- a/chromium/net/http/http_auth_controller_unittest.cc
+++ b/chromium/net/http/http_auth_controller_unittest.cc
@@ -56,7 +56,8 @@ void RunSingleRoundAuthTest(
     int expected_controller_rv,
     SchemeState scheme_state,
     const NetLogWithSource& net_log = NetLogWithSource()) {
-  HttpAuthCache dummy_auth_cache;
+  HttpAuthCache dummy_auth_cache(
+      false /* key_server_entries_by_network_isolation_key */);
 
   HttpRequestInfo request;
   request.method = "GET";
@@ -75,10 +76,11 @@ void RunSingleRoundAuthTest(
   auth_handler_factory.set_do_init_from_challenge(true);
   auto host_resolver = std::make_unique<MockHostResolver>();
 
-  scoped_refptr<HttpAuthController> controller(new HttpAuthController(
-      HttpAuth::AUTH_PROXY, GURL("http://example.com"), &dummy_auth_cache,
-      &auth_handler_factory, host_resolver.get(),
-      HttpAuthPreferences::ALLOW_DEFAULT_CREDENTIALS));
+  scoped_refptr<HttpAuthController> controller(
+      base::MakeRefCounted<HttpAuthController>(
+          HttpAuth::AUTH_PROXY, GURL("http://example.com"),
+          NetworkIsolationKey(), &dummy_auth_cache, &auth_handler_factory,
+          host_resolver.get()));
   SSLInfo null_ssl_info;
   ASSERT_EQ(OK, controller->HandleAuthChallenge(headers, null_ssl_info, false,
                                                 false, net_log));
@@ -135,7 +137,7 @@ TEST(HttpAuthControllerTest, PermanentErrors) {
 // Verify that the controller logs appropriate lifetime events.
 TEST(HttpAuthControllerTest, Logging) {
   base::test::TaskEnvironment task_environment;
-  BoundTestNetLog net_log;
+  RecordingBoundTestNetLog net_log;
 
   RunSingleRoundAuthTest(RUN_HANDLER_SYNC, OK, OK, SCHEME_IS_ENABLED,
                          net_log.bound());
@@ -187,7 +189,7 @@ TEST(HttpAuthControllerTest, NoExplicitCredentialsAllowed) {
       set_allows_explicit_credentials(false);
       set_connection_based(true);
       // Pretend to be SCHEME_BASIC so we can test failover logic.
-      if (challenge->scheme() == "Basic") {
+      if (challenge->auth_scheme() == "basic") {
         auth_scheme_ = HttpAuth::AUTH_SCHEME_BASIC;
         --score_;  // Reduce score, so we rank below Mock.
         set_allows_explicit_credentials(true);
@@ -213,7 +215,8 @@ TEST(HttpAuthControllerTest, NoExplicitCredentialsAllowed) {
   };
 
   NetLogWithSource dummy_log;
-  HttpAuthCache dummy_auth_cache;
+  HttpAuthCache dummy_auth_cache(
+      false /* key_server_entries_by_network_isolation_key */);
   HttpRequestInfo request;
   request.method = "GET";
   request.url = GURL("http://example.com");
@@ -258,10 +261,11 @@ TEST(HttpAuthControllerTest, NoExplicitCredentialsAllowed) {
 
   auto host_resolver = std::make_unique<MockHostResolver>();
 
-  scoped_refptr<HttpAuthController> controller(new HttpAuthController(
-      HttpAuth::AUTH_SERVER, GURL("http://example.com"), &dummy_auth_cache,
-      &auth_handler_factory, host_resolver.get(),
-      HttpAuthPreferences::ALLOW_DEFAULT_CREDENTIALS));
+  scoped_refptr<HttpAuthController> controller(
+      base::MakeRefCounted<HttpAuthController>(
+          HttpAuth::AUTH_SERVER, GURL("http://example.com"),
+          NetworkIsolationKey(), &dummy_auth_cache, &auth_handler_factory,
+          host_resolver.get()));
   SSLInfo null_ssl_info;
   ASSERT_EQ(OK, controller->HandleAuthChallenge(headers, null_ssl_info, false,
                                                 false, dummy_log));
diff --git a/chromium/net/http/http_auth_gssapi_posix.cc b/chromium/net/http/http_auth_gssapi_posix.cc
index e12a7839888..1b12032fa5a 100644
--- a/chromium/net/http/http_auth_gssapi_posix.cc
+++ b/chromium/net/http/http_auth_gssapi_posix.cc
@@ -20,6 +20,7 @@
 #include "base/threading/thread_restrictions.h"
 #include "base/values.h"
 #include "net/base/net_errors.h"
+#include "net/http/http_auth.h"
 #include "net/http/http_auth_gssapi_posix.h"
 #include "net/http/http_auth_multi_round_parse.h"
 #include "net/log/net_log_event_type.h"
@@ -645,13 +646,8 @@ ScopedSecurityContext::~ScopedSecurityContext() {
   }
 }
 
-HttpAuthGSSAPI::HttpAuthGSSAPI(GSSAPILibrary* library,
-                               const std::string& scheme,
-                               gss_OID gss_oid)
-    : scheme_(scheme),
-      gss_oid_(gss_oid),
-      library_(library),
-      scoped_sec_context_(library) {
+HttpAuthGSSAPI::HttpAuthGSSAPI(GSSAPILibrary* library, gss_OID gss_oid)
+    : gss_oid_(gss_oid), library_(library), scoped_sec_context_(library) {
   DCHECK(library_);
 }
 
@@ -678,10 +674,11 @@ void HttpAuthGSSAPI::SetDelegation(DelegationType delegation_type) {
 HttpAuth::AuthorizationResult HttpAuthGSSAPI::ParseChallenge(
     HttpAuthChallengeTokenizer* tok) {
   if (scoped_sec_context_.get() == GSS_C_NO_CONTEXT) {
-    return net::ParseFirstRoundChallenge(scheme_, tok);
+    return net::ParseFirstRoundChallenge(HttpAuth::AUTH_SCHEME_NEGOTIATE, tok);
   }
   std::string encoded_auth_token;
-  return net::ParseLaterRoundChallenge(scheme_, tok, &encoded_auth_token,
+  return net::ParseLaterRoundChallenge(HttpAuth::AUTH_SCHEME_NEGOTIATE, tok,
+                                       &encoded_auth_token,
                                        &decoded_server_auth_token_);
 }
 
@@ -710,7 +707,7 @@ int HttpAuthGSSAPI::GenerateAuthToken(const AuthCredentials* credentials,
                            output_token.length);
   std::string encode_output;
   base::Base64Encode(encode_input, &encode_output);
-  *auth_token = scheme_ + " " + encode_output;
+  *auth_token = "Negotiate " + encode_output;
   return OK;
 }
 
diff --git a/chromium/net/http/http_auth_gssapi_posix.h b/chromium/net/http/http_auth_gssapi_posix.h
index c118e5b1706..6340b627d96 100644
--- a/chromium/net/http/http_auth_gssapi_posix.h
+++ b/chromium/net/http/http_auth_gssapi_posix.h
@@ -15,7 +15,7 @@
 #include "net/base/completion_once_callback.h"
 #include "net/base/net_export.h"
 #include "net/http/http_auth.h"
-#include "net/http/http_negotiate_auth_system.h"
+#include "net/http/http_auth_mechanism.h"
 
 #if defined(OS_MACOSX)
 #include <GSS/gssapi.h>
@@ -217,14 +217,13 @@ class ScopedSecurityContext {
 
 
 // TODO(ahendrickson): Share code with HttpAuthSSPI.
-class NET_EXPORT_PRIVATE HttpAuthGSSAPI : public HttpNegotiateAuthSystem {
+class NET_EXPORT_PRIVATE HttpAuthGSSAPI : public HttpAuthMechanism {
  public:
   HttpAuthGSSAPI(GSSAPILibrary* library,
-                 const std::string& scheme,
                  const gss_OID gss_oid);
   ~HttpAuthGSSAPI() override;
 
-  // HttpNegotiateAuthSystem implementation:
+  // HttpAuthMechanism implementation:
   bool Init(const NetLogWithSource& net_log) override;
   bool NeedsIdentity() const override;
   bool AllowsExplicitCredentials() const override;
@@ -245,7 +244,6 @@ class NET_EXPORT_PRIVATE HttpAuthGSSAPI : public HttpNegotiateAuthSystem {
                            gss_buffer_t out_token,
                            const NetLogWithSource& net_log);
 
-  std::string scheme_;
   gss_OID gss_oid_;
   GSSAPILibrary* library_;
   std::string decoded_server_auth_token_;
diff --git a/chromium/net/http/http_auth_gssapi_posix_unittest.cc b/chromium/net/http/http_auth_gssapi_posix_unittest.cc
index 27dbfab3f6a..b9211485dfa 100644
--- a/chromium/net/http/http_auth_gssapi_posix_unittest.cc
+++ b/chromium/net/http/http_auth_gssapi_posix_unittest.cc
@@ -89,7 +89,7 @@ void UnexpectedCallback(int result) {
 }  // namespace
 
 TEST(HttpAuthGSSAPIPOSIXTest, GSSAPIStartup) {
-  BoundTestNetLog log;
+  RecordingBoundTestNetLog log;
   // TODO(ahendrickson): Manipulate the libraries and paths to test each of the
   // libraries we expect, and also whether or not they have the interface
   // functions we want.
@@ -115,7 +115,7 @@ TEST(HttpAuthGSSAPIPOSIXTest, GSSAPIStartup) {
 }
 
 TEST(HttpAuthGSSAPIPOSIXTest, CustomLibraryMissing) {
-  BoundTestNetLog log;
+  RecordingBoundTestNetLog log;
 
   std::unique_ptr<GSSAPILibrary> gssapi(
       new GSSAPISharedLibrary("/this/library/does/not/exist"));
@@ -131,7 +131,7 @@ TEST(HttpAuthGSSAPIPOSIXTest, CustomLibraryMissing) {
 }
 
 TEST(HttpAuthGSSAPIPOSIXTest, CustomLibraryExists) {
-  BoundTestNetLog log;
+  RecordingBoundTestNetLog log;
   base::FilePath module;
   ASSERT_TRUE(base::PathService::Get(base::DIR_MODULE, &module));
   auto basename = base::GetNativeLibraryName("test_gssapi");
@@ -151,7 +151,7 @@ TEST(HttpAuthGSSAPIPOSIXTest, CustomLibraryExists) {
 }
 
 TEST(HttpAuthGSSAPIPOSIXTest, CustomLibraryMethodsMissing) {
-  BoundTestNetLog log;
+  RecordingBoundTestNetLog log;
   base::FilePath module;
   ASSERT_TRUE(base::PathService::Get(base::DIR_MODULE, &module));
   auto basename = base::GetNativeLibraryName("test_badgssapi");
@@ -268,8 +268,7 @@ TEST(HttpAuthGSSAPIPOSIXTest, GSSAPICycle) {
 TEST(HttpAuthGSSAPITest, ParseChallenge_FirstRound) {
   // The first round should just consist of an unadorned "Negotiate" header.
   test::MockGSSAPILibrary mock_library;
-  HttpAuthGSSAPI auth_gssapi(&mock_library, "Negotiate",
-                             CHROME_GSS_SPNEGO_MECH_OID_DESC);
+  HttpAuthGSSAPI auth_gssapi(&mock_library, CHROME_GSS_SPNEGO_MECH_OID_DESC);
   std::string challenge_text = "Negotiate";
   HttpAuthChallengeTokenizer challenge(challenge_text.begin(),
                                        challenge_text.end());
@@ -278,12 +277,11 @@ TEST(HttpAuthGSSAPITest, ParseChallenge_FirstRound) {
 }
 
 TEST(HttpAuthGSSAPITest, ParseChallenge_TwoRounds) {
-  BoundTestNetLog log;
+  RecordingBoundTestNetLog log;
   // The first round should just have "Negotiate", and the second round should
   // have a valid base64 token associated with it.
   test::MockGSSAPILibrary mock_library;
-  HttpAuthGSSAPI auth_gssapi(&mock_library, "Negotiate",
-                             CHROME_GSS_SPNEGO_MECH_OID_DESC);
+  HttpAuthGSSAPI auth_gssapi(&mock_library, CHROME_GSS_SPNEGO_MECH_OID_DESC);
   std::string first_challenge_text = "Negotiate";
   HttpAuthChallengeTokenizer first_challenge(first_challenge_text.begin(),
                                              first_challenge_text.end());
@@ -323,8 +321,7 @@ TEST(HttpAuthGSSAPITest, ParseChallenge_UnexpectedTokenFirstRound) {
   // If the first round challenge has an additional authentication token, it
   // should be treated as an invalid challenge from the server.
   test::MockGSSAPILibrary mock_library;
-  HttpAuthGSSAPI auth_gssapi(&mock_library, "Negotiate",
-                             CHROME_GSS_SPNEGO_MECH_OID_DESC);
+  HttpAuthGSSAPI auth_gssapi(&mock_library, CHROME_GSS_SPNEGO_MECH_OID_DESC);
   std::string challenge_text = "Negotiate Zm9vYmFy";
   HttpAuthChallengeTokenizer challenge(challenge_text.begin(),
                                        challenge_text.end());
@@ -336,8 +333,7 @@ TEST(HttpAuthGSSAPITest, ParseChallenge_MissingTokenSecondRound) {
   // If a later-round challenge is simply "Negotiate", it should be treated as
   // an authentication challenge rejection from the server or proxy.
   test::MockGSSAPILibrary mock_library;
-  HttpAuthGSSAPI auth_gssapi(&mock_library, "Negotiate",
-                             CHROME_GSS_SPNEGO_MECH_OID_DESC);
+  HttpAuthGSSAPI auth_gssapi(&mock_library, CHROME_GSS_SPNEGO_MECH_OID_DESC);
   std::string first_challenge_text = "Negotiate";
   HttpAuthChallengeTokenizer first_challenge(first_challenge_text.begin(),
                                              first_challenge_text.end());
@@ -361,8 +357,7 @@ TEST(HttpAuthGSSAPITest, ParseChallenge_NonBase64EncodedToken) {
   // If a later-round challenge has an invalid base64 encoded token, it should
   // be treated as an invalid challenge.
   test::MockGSSAPILibrary mock_library;
-  HttpAuthGSSAPI auth_gssapi(&mock_library, "Negotiate",
-                             CHROME_GSS_SPNEGO_MECH_OID_DESC);
+  HttpAuthGSSAPI auth_gssapi(&mock_library, CHROME_GSS_SPNEGO_MECH_OID_DESC);
   std::string first_challenge_text = "Negotiate";
   HttpAuthChallengeTokenizer first_challenge(first_challenge_text.begin(),
                                              first_challenge_text.end());
diff --git a/chromium/net/http/http_auth_handler_basic.cc b/chromium/net/http/http_auth_handler_basic.cc
index 2b314ffdc49..696aaf0e8dc 100644
--- a/chromium/net/http/http_auth_handler_basic.cc
+++ b/chromium/net/http/http_auth_handler_basic.cc
@@ -65,8 +65,7 @@ bool HttpAuthHandlerBasic::Init(HttpAuthChallengeTokenizer* challenge,
 
 bool HttpAuthHandlerBasic::ParseChallenge(
     HttpAuthChallengeTokenizer* challenge) {
-  // Verify the challenge's auth-scheme.
-  if (!base::LowerCaseEqualsASCII(challenge->scheme(), kBasicAuthScheme))
+  if (challenge->auth_scheme() != kBasicAuthScheme)
     return false;
 
   std::string realm;
diff --git a/chromium/net/http/http_auth_handler_basic.h b/chromium/net/http/http_auth_handler_basic.h
index fea702497d8..6f4a00950a0 100644
--- a/chromium/net/http/http_auth_handler_basic.h
+++ b/chromium/net/http/http_auth_handler_basic.h
@@ -46,7 +46,7 @@ class NET_EXPORT_PRIVATE HttpAuthHandlerBasic : public HttpAuthHandler {
       HttpAuthChallengeTokenizer* challenge) override;
 
  private:
-  ~HttpAuthHandlerBasic() override {}
+  ~HttpAuthHandlerBasic() override = default;
 
   bool ParseChallenge(HttpAuthChallengeTokenizer* challenge);
 };
diff --git a/chromium/net/http/http_auth_handler_basic_fuzzer.cc b/chromium/net/http/http_auth_handler_basic_fuzzer.cc
new file mode 100644
index 00000000000..5c1b7b24993
--- /dev/null
+++ b/chromium/net/http/http_auth_handler_basic_fuzzer.cc
@@ -0,0 +1,30 @@
+// Copyright 2019 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include <memory>
+#include <string>
+
+#include "net/dns/mock_host_resolver.h"
+#include "net/http/http_auth_handler.h"
+#include "net/http/http_auth_handler_basic.h"
+#include "net/log/net_log_with_source.h"
+#include "net/ssl/ssl_info.h"
+#include "url/gurl.h"
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+  std::string input(reinterpret_cast<const char*>(data), size);
+  std::string challenge = "Basic " + input;
+
+  // Dummies
+  net::SSLInfo null_ssl_info;
+  GURL origin("https://foo.test/");
+  auto host_resolver = std::make_unique<net::MockHostResolver>();
+  std::unique_ptr<net::HttpAuthHandler> basic;
+
+  net::HttpAuthHandlerBasic::Factory factory;
+  factory.CreateAuthHandlerFromString(
+      challenge, net::HttpAuth::AUTH_SERVER, null_ssl_info, origin,
+      net::NetLogWithSource(), host_resolver.get(), &basic);
+  return 0;
+}
diff --git a/chromium/net/http/http_auth_handler_digest.cc b/chromium/net/http/http_auth_handler_digest.cc
index 058f184389f..64c2f6de57d 100644
--- a/chromium/net/http/http_auth_handler_digest.cc
+++ b/chromium/net/http/http_auth_handler_digest.cc
@@ -139,7 +139,7 @@ HttpAuth::AuthorizationResult HttpAuthHandlerDigest::HandleAnotherChallengeImpl(
   // to differentiate between stale and rejected responses.
   // Note that the state of the current handler is not mutated - this way if
   // there is a rejection the realm hasn't changed.
-  if (!base::LowerCaseEqualsASCII(challenge->scheme(), kDigestAuthScheme))
+  if (challenge->auth_scheme() != kDigestAuthScheme)
     return HttpAuth::AUTHORIZATION_RESULT_INVALID;
 
   HttpUtil::NameValuePairsIterator parameters = challenge->param_pairs();
@@ -203,7 +203,7 @@ bool HttpAuthHandlerDigest::ParseChallenge(
   realm_ = original_realm_ = nonce_ = domain_ = opaque_ = std::string();
 
   // FAIL -- Couldn't match auth-scheme.
-  if (!base::LowerCaseEqualsASCII(challenge->scheme(), kDigestAuthScheme))
+  if (challenge->auth_scheme() != kDigestAuthScheme)
     return false;
 
   HttpUtil::NameValuePairsIterator parameters = challenge->param_pairs();
diff --git a/chromium/net/http/http_auth_handler_digest_fuzzer.cc b/chromium/net/http/http_auth_handler_digest_fuzzer.cc
new file mode 100644
index 00000000000..caaf1fd8c39
--- /dev/null
+++ b/chromium/net/http/http_auth_handler_digest_fuzzer.cc
@@ -0,0 +1,41 @@
+// Copyright 2019 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include <fuzzer/FuzzedDataProvider.h>
+
+#include <memory>
+#include <string>
+
+#include "net/dns/mock_host_resolver.h"
+#include "net/http/http_auth_challenge_tokenizer.h"
+#include "net/http/http_auth_handler.h"
+#include "net/http/http_auth_handler_digest.h"
+#include "net/log/net_log_with_source.h"
+#include "net/ssl/ssl_info.h"
+#include "url/gurl.h"
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+  FuzzedDataProvider data_provider{data, size};
+
+  std::string challenge =
+      "Digest " + data_provider.ConsumeRandomLengthString(500);
+
+  // Dummies
+  net::SSLInfo null_ssl_info;
+  GURL origin("https://foo.test/");
+  auto host_resolver = std::make_unique<net::MockHostResolver>();
+  std::unique_ptr<net::HttpAuthHandler> handler;
+
+  net::HttpAuthHandlerDigest::Factory factory;
+  factory.CreateAuthHandlerFromString(
+      challenge, net::HttpAuth::AUTH_SERVER, null_ssl_info, origin,
+      net::NetLogWithSource(), host_resolver.get(), &handler);
+
+  if (handler) {
+    auto followup = "Digest " + data_provider.ConsumeRemainingBytesAsString();
+    net::HttpAuthChallengeTokenizer tokenizer{followup.begin(), followup.end()};
+    handler->HandleAnotherChallenge(&tokenizer);
+  }
+  return 0;
+}
diff --git a/chromium/net/http/http_auth_handler_factory.cc b/chromium/net/http/http_auth_handler_factory.cc
index 34a9cb5e02a..05a7a8c21a8 100644
--- a/chromium/net/http/http_auth_handler_factory.cc
+++ b/chromium/net/http/http_auth_handler_factory.cc
@@ -109,7 +109,7 @@ HttpAuthHandlerFactory::CreateDefault(
 #endif
 #if BUILDFLAG(USE_KERBEROS)
     ,
-    NegotiateAuthSystemFactory negotiate_auth_system_factory
+    HttpAuthMechanismFactory negotiate_auth_system_factory
 #endif
 ) {
   std::vector<std::string> auth_types(std::begin(kDefaultAuthSchemes),
@@ -137,7 +137,7 @@ HttpAuthHandlerRegistryFactory::Create(
 #endif
 #if BUILDFLAG(USE_KERBEROS)
     ,
-    NegotiateAuthSystemFactory negotiate_auth_system_factory
+    HttpAuthMechanismFactory negotiate_auth_system_factory
 #endif
 ) {
   std::set<std::string> auth_schemes_set(auth_schemes.begin(),
@@ -200,13 +200,12 @@ int HttpAuthHandlerRegistryFactory::CreateAuthHandler(
     const NetLogWithSource& net_log,
     HostResolver* host_resolver,
     std::unique_ptr<HttpAuthHandler>* handler) {
-  std::string scheme = challenge->scheme();
+  auto scheme = challenge->auth_scheme();
   if (scheme.empty()) {
     handler->reset();
     return ERR_INVALID_RESPONSE;
   }
-  std::string lower_scheme = base::ToLowerASCII(scheme);
-  auto it = factory_map_.find(lower_scheme);
+  auto it = factory_map_.find(scheme);
   if (it == factory_map_.end()) {
     handler->reset();
     return ERR_UNSUPPORTED_AUTH_SCHEME;
diff --git a/chromium/net/http/http_auth_handler_factory.h b/chromium/net/http/http_auth_handler_factory.h
index f4f985e3a25..c38a368fe3d 100644
--- a/chromium/net/http/http_auth_handler_factory.h
+++ b/chromium/net/http/http_auth_handler_factory.h
@@ -14,7 +14,7 @@
 #include "build/build_config.h"
 #include "net/base/net_export.h"
 #include "net/http/http_auth.h"
-#include "net/http/http_negotiate_auth_system.h"
+#include "net/http/http_auth_mechanism.h"
 #include "net/http/url_security_manager.h"
 #include "net/net_buildflags.h"
 
@@ -127,12 +127,6 @@ class NET_EXPORT HttpAuthHandlerFactory {
       HostResolver* host_resolver,
       std::unique_ptr<HttpAuthHandler>* handler);
 
-  // Factory callback to create the auth system used for Negotiate
-  // authentication.
-  using NegotiateAuthSystemFactory =
-      base::RepeatingCallback<std::unique_ptr<net::HttpNegotiateAuthSystem>(
-          const net::HttpAuthPreferences*)>;
-
   // Creates a standard HttpAuthHandlerRegistryFactory. The caller is
   // responsible for deleting the factory.
   // The default factory supports Basic, Digest, NTLM, and Negotiate schemes.
@@ -147,8 +141,8 @@ class NET_EXPORT HttpAuthHandlerFactory {
 #endif
 #if BUILDFLAG(USE_KERBEROS)
       ,
-      NegotiateAuthSystemFactory negotiate_auth_system_factory =
-          NegotiateAuthSystemFactory()
+      HttpAuthMechanismFactory negotiate_auth_system_factory =
+          HttpAuthMechanismFactory()
 #endif
   );
 
@@ -209,8 +203,8 @@ class NET_EXPORT HttpAuthHandlerRegistryFactory
 #endif
 #if BUILDFLAG(USE_KERBEROS)
       ,
-      NegotiateAuthSystemFactory negotiate_auth_system_factory =
-          NegotiateAuthSystemFactory()
+      HttpAuthMechanismFactory negotiate_auth_system_factory =
+          HttpAuthMechanismFactory()
 #endif
   );
 
diff --git a/chromium/net/http/http_auth_handler_mock.cc b/chromium/net/http/http_auth_handler_mock.cc
index 2f051cedddf..dd3000d5b65 100644
--- a/chromium/net/http/http_auth_handler_mock.cc
+++ b/chromium/net/http/http_auth_handler_mock.cc
@@ -121,7 +121,7 @@ HttpAuth::AuthorizationResult HttpAuthHandlerMock::HandleAnotherChallengeImpl(
     return HttpAuth::AUTHORIZATION_RESULT_REJECT;
   }
 
-  if (!base::LowerCaseEqualsASCII(challenge->scheme(), "mock")) {
+  if (challenge->auth_scheme() != "mock") {
     state_ = State::DONE;
     return HttpAuth::AUTHORIZATION_RESULT_INVALID;
   }
diff --git a/chromium/net/http/http_auth_handler_negotiate.cc b/chromium/net/http/http_auth_handler_negotiate.cc
index 0fea59a8ad0..e6efffe07e7 100644
--- a/chromium/net/http/http_auth_handler_negotiate.cc
+++ b/chromium/net/http/http_auth_handler_negotiate.cc
@@ -19,6 +19,7 @@
 #include "net/base/net_errors.h"
 #include "net/cert/x509_util.h"
 #include "net/dns/host_resolver.h"
+#include "net/http/http_auth.h"
 #include "net/http/http_auth_filter.h"
 #include "net/http/http_auth_preferences.h"
 #include "net/log/net_log_capture_mode.h"
@@ -47,21 +48,21 @@ base::Value NetLogParameterChannelBindings(
 
 // Uses |negotiate_auth_system_factory| to create the auth system, otherwise
 // creates the default auth system for each platform.
-std::unique_ptr<HttpNegotiateAuthSystem> CreateAuthSystem(
+std::unique_ptr<HttpAuthMechanism> CreateAuthSystem(
 #if !defined(OS_ANDROID)
     HttpAuthHandlerNegotiate::AuthLibrary* auth_library,
 #endif
     const HttpAuthPreferences* prefs,
-    HttpAuthHandlerFactory::NegotiateAuthSystemFactory
-        negotiate_auth_system_factory) {
+    HttpAuthMechanismFactory negotiate_auth_system_factory) {
   if (negotiate_auth_system_factory)
     return negotiate_auth_system_factory.Run(prefs);
 #if defined(OS_ANDROID)
   return std::make_unique<net::android::HttpAuthNegotiateAndroid>(prefs);
 #elif defined(OS_WIN)
-  return std::make_unique<HttpAuthSSPI>(auth_library, "Negotiate");
+  return std::make_unique<HttpAuthSSPI>(auth_library,
+                                        HttpAuth::AUTH_SCHEME_NEGOTIATE);
 #elif defined(OS_POSIX)
-  return std::make_unique<HttpAuthGSSAPI>(auth_library, "Negotiate",
+  return std::make_unique<HttpAuthGSSAPI>(auth_library,
                                           CHROME_GSS_SPNEGO_MECH_OID_DESC);
 #endif
 }
@@ -69,7 +70,7 @@ std::unique_ptr<HttpNegotiateAuthSystem> CreateAuthSystem(
 }  // namespace
 
 HttpAuthHandlerNegotiate::Factory::Factory(
-    NegotiateAuthSystemFactory negotiate_auth_system_factory)
+    HttpAuthMechanismFactory negotiate_auth_system_factory)
     : negotiate_auth_system_factory_(negotiate_auth_system_factory) {}
 
 HttpAuthHandlerNegotiate::Factory::~Factory() = default;
@@ -138,7 +139,7 @@ int HttpAuthHandlerNegotiate::Factory::CreateAuthHandler(
 }
 
 HttpAuthHandlerNegotiate::HttpAuthHandlerNegotiate(
-    std::unique_ptr<HttpNegotiateAuthSystem> auth_system,
+    std::unique_ptr<HttpAuthMechanism> auth_system,
     const HttpAuthPreferences* prefs,
     HostResolver* resolver)
     : auth_system_(std::move(auth_system)),
diff --git a/chromium/net/http/http_auth_handler_negotiate.h b/chromium/net/http/http_auth_handler_negotiate.h
index 4cf1df9fcc3..e9c98d1c1ff 100644
--- a/chromium/net/http/http_auth_handler_negotiate.h
+++ b/chromium/net/http/http_auth_handler_negotiate.h
@@ -15,7 +15,7 @@
 #include "net/dns/host_resolver.h"
 #include "net/http/http_auth_handler.h"
 #include "net/http/http_auth_handler_factory.h"
-#include "net/http/http_negotiate_auth_system.h"
+#include "net/http/http_auth_mechanism.h"
 
 #if defined(OS_ANDROID)
 #include "net/android/http_auth_negotiate_android.h"
@@ -44,7 +44,7 @@ class NET_EXPORT_PRIVATE HttpAuthHandlerNegotiate : public HttpAuthHandler {
 
   class NET_EXPORT_PRIVATE Factory : public HttpAuthHandlerFactory {
    public:
-    explicit Factory(NegotiateAuthSystemFactory negotiate_auth_system_factory);
+    explicit Factory(HttpAuthMechanismFactory negotiate_auth_system_factory);
     ~Factory() override;
 
 #if !defined(OS_ANDROID)
@@ -71,14 +71,14 @@ class NET_EXPORT_PRIVATE HttpAuthHandlerNegotiate : public HttpAuthHandler {
                           std::unique_ptr<HttpAuthHandler>* handler) override;
 
    private:
-    NegotiateAuthSystemFactory negotiate_auth_system_factory_;
+    HttpAuthMechanismFactory negotiate_auth_system_factory_;
     bool is_unsupported_ = false;
 #if !defined(OS_ANDROID)
     std::unique_ptr<AuthLibrary> auth_library_;
 #endif  // !defined(OS_ANDROID)
   };
 
-  HttpAuthHandlerNegotiate(std::unique_ptr<HttpNegotiateAuthSystem> auth_system,
+  HttpAuthHandlerNegotiate(std::unique_ptr<HttpAuthMechanism> auth_system,
                            const HttpAuthPreferences* prefs,
                            HostResolver* host_resolver);
 
@@ -123,7 +123,7 @@ class NET_EXPORT_PRIVATE HttpAuthHandlerNegotiate : public HttpAuthHandler {
   int DoGenerateAuthTokenComplete(int rv);
   HttpAuth::DelegationType GetDelegationType() const;
 
-  std::unique_ptr<HttpNegotiateAuthSystem> auth_system_;
+  std::unique_ptr<HttpAuthMechanism> auth_system_;
   HostResolver* const resolver_;
 
   // Members which are needed for DNS lookup + SPN.
diff --git a/chromium/net/http/http_auth_handler_negotiate_unittest.cc b/chromium/net/http/http_auth_handler_negotiate_unittest.cc
index c0536be6553..a94c5e40dd5 100644
--- a/chromium/net/http/http_auth_handler_negotiate_unittest.cc
+++ b/chromium/net/http/http_auth_handler_negotiate_unittest.cc
@@ -16,6 +16,7 @@
 #include "net/base/net_errors.h"
 #include "net/base/test_completion_callback.h"
 #include "net/dns/mock_host_resolver.h"
+#include "net/http/http_auth_mechanism.h"
 #include "net/http/http_request_info.h"
 #include "net/http/mock_allow_http_auth_preferences.h"
 #include "net/log/net_log_with_source.h"
@@ -62,8 +63,8 @@ class HttpAuthHandlerNegotiateTest : public PlatformTest,
         "alias", "10.0.0.2", "canonical.example.com");
 
     http_auth_preferences_.reset(new MockAllowHttpAuthPreferences());
-    factory_.reset(new HttpAuthHandlerNegotiate::Factory(
-        net::HttpAuthHandlerFactory::NegotiateAuthSystemFactory()));
+    factory_.reset(
+        new HttpAuthHandlerNegotiate::Factory(HttpAuthMechanismFactory()));
     factory_->set_http_auth_preferences(http_auth_preferences_.get());
 #if defined(OS_ANDROID)
     http_auth_preferences_->set_auth_android_negotiate_account_type(
@@ -388,8 +389,7 @@ TEST_F(HttpAuthHandlerNegotiateTest, NoKerberosCredentials) {
 TEST_F(HttpAuthHandlerNegotiateTest, MissingGSSAPI) {
   MockAllowHttpAuthPreferences http_auth_preferences;
   std::unique_ptr<HttpAuthHandlerNegotiate::Factory> negotiate_factory(
-      new HttpAuthHandlerNegotiate::Factory(
-          net::HttpAuthHandlerFactory::NegotiateAuthSystemFactory()));
+      new HttpAuthHandlerNegotiate::Factory(HttpAuthMechanismFactory()));
   negotiate_factory->set_http_auth_preferences(&http_auth_preferences);
   negotiate_factory->set_library(
       std::make_unique<GSSAPISharedLibrary>("/this/library/does/not/exist"));
@@ -425,12 +425,12 @@ TEST_F(HttpAuthHandlerNegotiateTest, AllowGssapiLibraryLoad) {
 
 #endif  // defined(OS_POSIX)
 
-class TestAuthSystem : public HttpNegotiateAuthSystem {
+class TestAuthSystem : public HttpAuthMechanism {
  public:
   TestAuthSystem() = default;
   ~TestAuthSystem() override = default;
 
-  // HttpNegotiateAuthSystem implementation:
+  // HttpAuthMechanism implementation:
   bool Init(const NetLogWithSource&) override { return true; }
   bool NeedsIdentity() const override { return true; }
   bool AllowsExplicitCredentials() const override { return true; }
@@ -454,11 +454,11 @@ class TestAuthSystem : public HttpNegotiateAuthSystem {
 };
 
 TEST_F(HttpAuthHandlerNegotiateTest, OverrideAuthSystem) {
-  auto negotiate_factory = std::make_unique<HttpAuthHandlerNegotiate::Factory>(
-      base::BindRepeating([](const HttpAuthPreferences*)
-                              -> std::unique_ptr<HttpNegotiateAuthSystem> {
-        return std::make_unique<TestAuthSystem>();
-      }));
+  auto negotiate_factory =
+      std::make_unique<HttpAuthHandlerNegotiate::Factory>(base::BindRepeating(
+          [](const HttpAuthPreferences*) -> std::unique_ptr<HttpAuthMechanism> {
+            return std::make_unique<TestAuthSystem>();
+          }));
   negotiate_factory->set_http_auth_preferences(http_auth_preferences());
 #if defined(OS_WIN)
   negotiate_factory->set_library(
diff --git a/chromium/net/http/http_auth_handler_ntlm.cc b/chromium/net/http/http_auth_handler_ntlm.cc
index 5dd7093d71b..5eac67e7c9d 100644
--- a/chromium/net/http/http_auth_handler_ntlm.cc
+++ b/chromium/net/http/http_auth_handler_ntlm.cc
@@ -6,21 +6,17 @@
 
 #include <utility>
 
-#if !defined(NTLM_SSPI)
-#include "base/base64.h"
-#endif
-#include "base/logging.h"
-#include "base/strings/string_util.h"
-#include "base/strings/utf_string_conversions.h"
-#include "net/base/net_errors.h"
 #include "net/base/url_util.h"
 #include "net/cert/x509_util.h"
-#include "net/http/http_auth_challenge_tokenizer.h"
 #include "net/http/http_auth_scheme.h"
-#include "net/http/http_response_info.h"
+#include "net/ssl/ssl_info.h"
 
 namespace net {
 
+HttpAuthHandlerNTLM::Factory::Factory() = default;
+
+HttpAuthHandlerNTLM::Factory::~Factory() = default;
+
 bool HttpAuthHandlerNTLM::Init(HttpAuthChallengeTokenizer* tok,
                                const SSLInfo& ssl_info) {
   auth_scheme_ = HttpAuth::AUTH_SCHEME_NTLM;
@@ -34,108 +30,11 @@ bool HttpAuthHandlerNTLM::Init(HttpAuthChallengeTokenizer* tok,
   return ParseChallenge(tok, true) == HttpAuth::AUTHORIZATION_RESULT_ACCEPT;
 }
 
-int HttpAuthHandlerNTLM::GenerateAuthTokenImpl(
-    const AuthCredentials* credentials,
-    const HttpRequestInfo* request,
-    CompletionOnceCallback callback,
-    std::string* auth_token) {
-#if defined(NTLM_SSPI)
-  return auth_sspi_.GenerateAuthToken(credentials, CreateSPN(origin_),
-                                      channel_bindings_, auth_token, net_log(),
-                                      std::move(callback));
-#else  // !defined(NTLM_SSPI)
-  // TODO(cbentzel): Shouldn't be hitting this case.
-  if (!credentials) {
-    LOG(ERROR) << "Username and password are expected to be non-nullptr.";
-    return ERR_MISSING_AUTH_CREDENTIALS;
-  }
-
-  // The username may be in the form "DOMAIN\user".  Parse it into the two
-  // components.
-  base::string16 domain;
-  base::string16 user;
-  const base::string16& username = credentials->username();
-  const base::char16 backslash_character = '\\';
-  size_t backslash_idx = username.find(backslash_character);
-  if (backslash_idx == base::string16::npos) {
-    user = username;
-  } else {
-    domain = username.substr(0, backslash_idx);
-    user = username.substr(backslash_idx + 1);
-  }
-  domain_ = domain;
-  credentials_.Set(user, credentials->password());
-
-  std::string decoded_auth_data;
-  if (auth_data_.empty()) {
-    // There is no |auth_data_| because the client sends the first message.
-    int rv = InitializeBeforeFirstChallenge();
-    if (rv != OK)
-      return rv;
-  } else {
-    // When |auth_data_| is present it contains the Challenge message.
-    if (!base::Base64Decode(auth_data_, &decoded_auth_data)) {
-      LOG(ERROR) << "Unexpected problem Base64 decoding.";
-      return ERR_UNEXPECTED;
-    }
-  }
-
-  std::vector<uint8_t> next_token =
-      GetNextToken(base::as_bytes(base::make_span(decoded_auth_data)));
-  if (next_token.empty())
-    return ERR_UNEXPECTED;
-
-  // Base64 encode data in output buffer and prepend "NTLM ".
-  std::string encode_output;
-  base::Base64Encode(
-      base::StringPiece(reinterpret_cast<const char*>(next_token.data()),
-                        next_token.size()),
-      &encode_output);
-
-  *auth_token = std::string("NTLM ") + encode_output;
-  return OK;
-#endif
-}
-
 HttpAuth::AuthorizationResult HttpAuthHandlerNTLM::HandleAnotherChallengeImpl(
     HttpAuthChallengeTokenizer* challenge) {
   return ParseChallenge(challenge, false);
 }
 
-// The NTLM challenge header looks like:
-//   WWW-Authenticate: NTLM auth-data
-HttpAuth::AuthorizationResult HttpAuthHandlerNTLM::ParseChallenge(
-    HttpAuthChallengeTokenizer* tok, bool initial_challenge) {
-#if defined(NTLM_SSPI)
-  // auth_sspi_ contains state for whether or not this is the initial challenge.
-  return auth_sspi_.ParseChallenge(tok);
-#else
-  // TODO(cbentzel): Most of the logic between SSPI, GSSAPI, and portable NTLM
-  // authentication parsing could probably be shared - just need to know if
-  // there was previously a challenge round.
-  // TODO(cbentzel): Write a test case to validate that auth_data_ is left empty
-  // in all failure conditions.
-  auth_data_.clear();
-
-  // Verify the challenge's auth-scheme.
-  if (!base::LowerCaseEqualsASCII(tok->scheme(), kNtlmAuthScheme))
-    return HttpAuth::AUTHORIZATION_RESULT_INVALID;
-
-  std::string base64_param = tok->base64_param();
-  if (base64_param.empty()) {
-    if (!initial_challenge)
-      return HttpAuth::AUTHORIZATION_RESULT_REJECT;
-    return HttpAuth::AUTHORIZATION_RESULT_ACCEPT;
-  } else {
-    if (initial_challenge)
-      return HttpAuth::AUTHORIZATION_RESULT_INVALID;
-  }
-
-  auth_data_ = base64_param;
-  return HttpAuth::AUTHORIZATION_RESULT_ACCEPT;
-#endif  // defined(NTLM_SSPI)
-}
-
 // static
 std::string HttpAuthHandlerNTLM::CreateSPN(const GURL& origin) {
   // The service principal name of the destination server.  See
diff --git a/chromium/net/http/http_auth_handler_ntlm.h b/chromium/net/http/http_auth_handler_ntlm.h
index b4870715971..82d35de910d 100644
--- a/chromium/net/http/http_auth_handler_ntlm.h
+++ b/chromium/net/http/http_auth_handler_ntlm.h
@@ -41,18 +41,6 @@
 
 namespace net {
 
-#if defined(NTLM_PORTABLE)
-// These values are persisted to logs. Entries should not be renumbered and
-// numeric values should never be reused.
-enum class NtlmV2Usage : int {
-  kDisabledOverInsecure = 0,
-  kDisabledOverSecure,
-  kEnabledOverInsecure,
-  kEnabledOverSecure,
-  kMaxValue = kEnabledOverSecure
-};
-#endif
-
 class HttpAuthPreferences;
 
 // Code for handling HTTP NTLM authentication.
@@ -143,10 +131,6 @@ class NET_EXPORT_PRIVATE HttpAuthHandlerNTLM : public HttpAuthHandler {
   bool AllowsDefaultCredentials() override;
 
  protected:
-  // This function acquires a credentials handle in the SSPI implementation.
-  // It does nothing in the portable implementation.
-  int InitializeBeforeFirstChallenge();
-
   // HttpAuthHandler
   bool Init(HttpAuthChallengeTokenizer* tok, const SSLInfo& ssl_info) override;
   int GenerateAuthTokenImpl(const AuthCredentials* credentials,
@@ -179,7 +163,7 @@ class NET_EXPORT_PRIVATE HttpAuthHandlerNTLM : public HttpAuthHandler {
   static std::string CreateSPN(const GURL& origin);
 
 #if defined(NTLM_SSPI)
-  HttpAuthSSPI auth_sspi_;
+  HttpAuthSSPI mechanism_;
 #elif defined(NTLM_PORTABLE)
   ntlm::NtlmClient ntlm_client_;
 #endif
@@ -194,9 +178,9 @@ class NET_EXPORT_PRIVATE HttpAuthHandlerNTLM : public HttpAuthHandler {
   AuthCredentials credentials_;
   std::string channel_bindings_;
 
-  // The base64-encoded string following "NTLM" in the "WWW-Authenticate" or
-  // "Proxy-Authenticate" response header.
-  std::string auth_data_;
+  // Decoded authentication token that the server returned as part of an NTLM
+  // challenge.
+  std::string challenge_token_;
 
 #if defined(NTLM_SSPI)
   const HttpAuthPreferences* http_auth_preferences_;
diff --git a/chromium/net/http/http_auth_handler_ntlm_portable.cc b/chromium/net/http/http_auth_handler_ntlm_portable.cc
index 3a52b57551f..37022cd4b2b 100644
--- a/chromium/net/http/http_auth_handler_ntlm_portable.cc
+++ b/chromium/net/http/http_auth_handler_ntlm_portable.cc
@@ -4,14 +4,19 @@
 
 #include "net/http/http_auth_handler_ntlm.h"
 
+#include "base/base64.h"
 #include "base/metrics/histogram_macros.h"
 #include "base/rand_util.h"
 #include "base/time/time.h"
 #include "net/base/net_errors.h"
 #include "net/base/network_interfaces.h"
 #include "net/dns/host_resolver.h"
+#include "net/http/http_auth.h"
+#include "net/http/http_auth_challenge_tokenizer.h"
 #include "net/http/http_auth_handler_ntlm.h"
+#include "net/http/http_auth_multi_round_parse.h"
 #include "net/http/http_auth_preferences.h"
+#include "net/http/http_auth_scheme.h"
 #include "net/ssl/ssl_info.h"
 
 namespace net {
@@ -26,16 +31,33 @@ void GenerateRandom(uint8_t* output, size_t n) {
   base::RandBytes(output, n);
 }
 
-void RecordNtlmV2Usage(bool is_v2, bool is_secure) {
-  auto bucket = is_v2 ? is_secure ? NtlmV2Usage::kEnabledOverSecure
-                                  : NtlmV2Usage::kEnabledOverInsecure
-                      : is_secure ? NtlmV2Usage::kDisabledOverSecure
-                                  : NtlmV2Usage::kDisabledOverInsecure;
-  UMA_HISTOGRAM_ENUMERATION("Net.HttpAuthNtlmV2Usage", bucket);
-}
-
 }  // namespace
 
+int HttpAuthHandlerNTLM::Factory::CreateAuthHandler(
+    HttpAuthChallengeTokenizer* challenge,
+    HttpAuth::Target target,
+    const SSLInfo& ssl_info,
+    const GURL& origin,
+    CreateReason reason,
+    int digest_nonce_count,
+    const NetLogWithSource& net_log,
+    HostResolver* host_resolver,
+    std::unique_ptr<HttpAuthHandler>* handler) {
+  if (reason == CREATE_PREEMPTIVE)
+    return ERR_UNSUPPORTED_AUTH_SCHEME;
+  // TODO(cbentzel): Move towards model of parsing in the factory
+  //                 method and only constructing when valid.
+  // NOTE: Default credentials are not supported for the portable implementation
+  // of NTLM.
+  std::unique_ptr<HttpAuthHandler> tmp_handler(
+      new HttpAuthHandlerNTLM(http_auth_preferences()));
+  if (!tmp_handler->InitFromChallenge(challenge, target, ssl_info, origin,
+                                      net_log))
+    return ERR_INVALID_RESPONSE;
+  handler->swap(tmp_handler);
+  return OK;
+}
+
 // static
 HttpAuthHandlerNTLM::GetMSTimeProc HttpAuthHandlerNTLM::get_ms_time_proc_ =
     GetMSTime;
@@ -55,10 +77,10 @@ HttpAuthHandlerNTLM::HttpAuthHandlerNTLM(
                                 : true)) {}
 
 bool HttpAuthHandlerNTLM::NeedsIdentity() {
-  // This gets called for each round-trip.  Only require identity on
-  // the first call (when auth_data_ is empty).  On subsequent calls,
-  // we use the initially established identity.
-  return auth_data_.empty();
+  // This gets called for each round-trip. Only require identity on the first
+  // call (when challenge_token_ is empty). On subsequent calls, we use the
+  // initially established identity.
+  return challenge_token_.empty();
 }
 
 bool HttpAuthHandlerNTLM::AllowsDefaultCredentials() {
@@ -67,7 +89,46 @@ bool HttpAuthHandlerNTLM::AllowsDefaultCredentials() {
   return false;
 }
 
-int HttpAuthHandlerNTLM::InitializeBeforeFirstChallenge() {
+int HttpAuthHandlerNTLM::GenerateAuthTokenImpl(
+    const AuthCredentials* credentials,
+    const HttpRequestInfo* request,
+    CompletionOnceCallback callback,
+    std::string* auth_token) {
+  // TODO(cbentzel): Shouldn't be hitting this case.
+  if (!credentials) {
+    LOG(ERROR) << "Username and password are expected to be non-nullptr.";
+    return ERR_MISSING_AUTH_CREDENTIALS;
+  }
+
+  // The username may be in the form "DOMAIN\user".  Parse it into the two
+  // components.
+  base::string16 domain;
+  base::string16 user;
+  const base::string16& username = credentials->username();
+  const base::char16 backslash_character = '\\';
+  size_t backslash_idx = username.find(backslash_character);
+  if (backslash_idx == base::string16::npos) {
+    user = username;
+  } else {
+    domain = username.substr(0, backslash_idx);
+    user = username.substr(backslash_idx + 1);
+  }
+  domain_ = domain;
+  credentials_.Set(user, credentials->password());
+
+  std::vector<uint8_t> next_token =
+      GetNextToken(base::as_bytes(base::make_span(challenge_token_)));
+  if (next_token.empty())
+    return ERR_UNEXPECTED;
+
+  // Base64 encode data in output buffer and prepend "NTLM ".
+  std::string encode_output;
+  base::Base64Encode(
+      base::StringPiece(reinterpret_cast<const char*>(next_token.data()),
+                        next_token.size()),
+      &encode_output);
+
+  *auth_token = std::string("NTLM ") + encode_output;
   return OK;
 }
 
@@ -97,10 +158,6 @@ HttpAuthHandlerNTLM::HostNameProc HttpAuthHandlerNTLM::SetHostNameProc(
   return old_proc;
 }
 
-HttpAuthHandlerNTLM::Factory::Factory() = default;
-
-HttpAuthHandlerNTLM::Factory::~Factory() = default;
-
 std::vector<uint8_t> HttpAuthHandlerNTLM::GetNextToken(
     base::span<const uint8_t> in_token) {
   // If in_token is non-empty, then assume it contains a challenge message,
@@ -123,32 +180,17 @@ std::vector<uint8_t> HttpAuthHandlerNTLM::GetNextToken(
       in_token);
 }
 
-int HttpAuthHandlerNTLM::Factory::CreateAuthHandler(
-    HttpAuthChallengeTokenizer* challenge,
-    HttpAuth::Target target,
-    const SSLInfo& ssl_info,
-    const GURL& origin,
-    CreateReason reason,
-    int digest_nonce_count,
-    const NetLogWithSource& net_log,
-    HostResolver* host_resolver,
-    std::unique_ptr<HttpAuthHandler>* handler) {
-  if (reason == CREATE_PREEMPTIVE)
-    return ERR_UNSUPPORTED_AUTH_SCHEME;
-  // TODO(cbentzel): Move towards model of parsing in the factory
-  //                 method and only constructing when valid.
-  // NOTE: Default credentials are not supported for the portable implementation
-  // of NTLM.
-  std::unique_ptr<HttpAuthHandler> tmp_handler(
-      new HttpAuthHandlerNTLM(http_auth_preferences()));
-  if (!tmp_handler->InitFromChallenge(challenge, target, ssl_info, origin,
-                                      net_log))
-    return ERR_INVALID_RESPONSE;
-  RecordNtlmV2Usage(
-      http_auth_preferences() ? http_auth_preferences()->NtlmV2Enabled() : true,
-      ssl_info.is_valid());
-  handler->swap(tmp_handler);
-  return OK;
+HttpAuth::AuthorizationResult HttpAuthHandlerNTLM::ParseChallenge(
+    HttpAuthChallengeTokenizer* tok,
+    bool initial_challenge) {
+  challenge_token_.clear();
+
+  if (initial_challenge)
+    return ParseFirstRoundChallenge(HttpAuth::Scheme::AUTH_SCHEME_NTLM, tok);
+
+  std::string encoded_token;
+  return ParseLaterRoundChallenge(HttpAuth::Scheme::AUTH_SCHEME_NTLM, tok,
+                                  &encoded_token, &challenge_token_);
 }
 
 }  // namespace net
diff --git a/chromium/net/http/http_auth_handler_ntlm_portable_unittest.cc b/chromium/net/http/http_auth_handler_ntlm_portable_unittest.cc
index c48b815dd6a..24805a744d8 100644
--- a/chromium/net/http/http_auth_handler_ntlm_portable_unittest.cc
+++ b/chromium/net/http/http_auth_handler_ntlm_portable_unittest.cc
@@ -9,7 +9,6 @@
 #include "base/stl_util.h"
 #include "base/strings/string_util.h"
 #include "base/strings/utf_string_conversions.h"
-#include "base/test/metrics/histogram_tester.h"
 #include "build/build_config.h"
 #include "net/base/test_completion_callback.h"
 #include "net/dns/mock_host_resolver.h"
@@ -164,11 +163,8 @@ class HttpAuthHandlerNtlmPortableTest : public PlatformTest {
 };
 
 TEST_F(HttpAuthHandlerNtlmPortableTest, SimpleConstruction) {
-  base::HistogramTester histogram_tester;
   ASSERT_EQ(OK, CreateHandler());
   ASSERT_TRUE(GetAuthHandler() != nullptr);
-  histogram_tester.ExpectBucketCount("Net.HttpAuthNtlmV2Usage",
-                                     NtlmV2Usage::kDisabledOverInsecure, 1);
 }
 
 TEST_F(HttpAuthHandlerNtlmPortableTest, DoNotAllowDefaultCreds) {
@@ -206,9 +202,8 @@ TEST_F(HttpAuthHandlerNtlmPortableTest, InvalidBase64Encoding) {
   ASSERT_EQ(OK, GetGenerateAuthTokenResult());
 
   // Token isn't valid base64.
-  ASSERT_EQ(HttpAuth::AUTHORIZATION_RESULT_ACCEPT,
+  ASSERT_EQ(HttpAuth::AUTHORIZATION_RESULT_INVALID,
             HandleAnotherChallenge("NTLM !!!!!!!!!!!!!"));
-  ASSERT_EQ(ERR_UNEXPECTED, GetGenerateAuthTokenResult());
 }
 
 TEST_F(HttpAuthHandlerNtlmPortableTest, CantChangeSchemeMidway) {
@@ -221,7 +216,6 @@ TEST_F(HttpAuthHandlerNtlmPortableTest, CantChangeSchemeMidway) {
 }
 
 TEST_F(HttpAuthHandlerNtlmPortableTest, NtlmV1AuthenticationSuccess) {
-  base::HistogramTester histogram_tester;
   HttpAuthHandlerNTLM::ScopedProcSetter proc_setter(MockGetMSTime, MockRandom,
                                                     MockGetHostName);
   ASSERT_EQ(OK, CreateHandler());
@@ -241,8 +235,6 @@ TEST_F(HttpAuthHandlerNtlmPortableTest, NtlmV1AuthenticationSuccess) {
   ASSERT_EQ(0, memcmp(decoded.data(),
                       ntlm::test::kExpectedAuthenticateMsgSpecResponseV1,
                       decoded.size()));
-  histogram_tester.ExpectBucketCount("Net.HttpAuthNtlmV2Usage",
-                                     NtlmV2Usage::kDisabledOverInsecure, 1);
 }
 
 }  // namespace net
diff --git a/chromium/net/http/http_auth_handler_ntlm_win.cc b/chromium/net/http/http_auth_handler_ntlm_win.cc
index 9c4c8ff4ebe..5d73998a5d8 100644
--- a/chromium/net/http/http_auth_handler_ntlm_win.cc
+++ b/chromium/net/http/http_auth_handler_ntlm_win.cc
@@ -12,36 +12,12 @@
 #include "base/strings/string_util.h"
 #include "net/base/net_errors.h"
 #include "net/dns/host_resolver.h"
+#include "net/http/http_auth.h"
 #include "net/http/http_auth_preferences.h"
 #include "net/http/http_auth_sspi_win.h"
 
 namespace net {
 
-HttpAuthHandlerNTLM::HttpAuthHandlerNTLM(
-    SSPILibrary* sspi_library,
-    const HttpAuthPreferences* http_auth_preferences)
-    : auth_sspi_(sspi_library, "NTLM"),
-      http_auth_preferences_(http_auth_preferences) {}
-
-HttpAuthHandlerNTLM::~HttpAuthHandlerNTLM() {
-}
-
-// Require identity on first pass instead of second.
-bool HttpAuthHandlerNTLM::NeedsIdentity() {
-  return auth_sspi_.NeedsIdentity();
-}
-
-bool HttpAuthHandlerNTLM::AllowsDefaultCredentials() {
-  if (target_ == HttpAuth::AUTH_PROXY)
-    return true;
-  if (!http_auth_preferences_)
-    return false;
-  return http_auth_preferences_->CanUseDefaultCredentials(origin_);
-}
-
-HttpAuthHandlerNTLM::Factory::Factory() {}
-HttpAuthHandlerNTLM::Factory::~Factory() {}
-
 int HttpAuthHandlerNTLM::Factory::CreateAuthHandler(
     HttpAuthChallengeTokenizer* challenge,
     HttpAuth::Target target,
@@ -65,4 +41,43 @@ int HttpAuthHandlerNTLM::Factory::CreateAuthHandler(
   return OK;
 }
 
+HttpAuthHandlerNTLM::HttpAuthHandlerNTLM(
+    SSPILibrary* sspi_library,
+    const HttpAuthPreferences* http_auth_preferences)
+    : mechanism_(sspi_library, HttpAuth::AUTH_SCHEME_NTLM),
+      http_auth_preferences_(http_auth_preferences) {}
+
+int HttpAuthHandlerNTLM::GenerateAuthTokenImpl(
+    const AuthCredentials* credentials,
+    const HttpRequestInfo* request,
+    CompletionOnceCallback callback,
+    std::string* auth_token) {
+  return mechanism_.GenerateAuthToken(credentials, CreateSPN(origin_),
+                                      channel_bindings_, auth_token, net_log(),
+                                      std::move(callback));
+}
+
+HttpAuthHandlerNTLM::~HttpAuthHandlerNTLM() {
+}
+
+// Require identity on first pass instead of second.
+bool HttpAuthHandlerNTLM::NeedsIdentity() {
+  return mechanism_.NeedsIdentity();
+}
+
+bool HttpAuthHandlerNTLM::AllowsDefaultCredentials() {
+  if (target_ == HttpAuth::AUTH_PROXY)
+    return true;
+  if (!http_auth_preferences_)
+    return false;
+  return http_auth_preferences_->CanUseDefaultCredentials(origin_);
+}
+
+HttpAuth::AuthorizationResult HttpAuthHandlerNTLM::ParseChallenge(
+    HttpAuthChallengeTokenizer* tok,
+    bool initial_challenge) {
+  // mechanism_ contains state for whether or not this is the initial challenge.
+  return mechanism_.ParseChallenge(tok);
+}
+
 }  // namespace net
diff --git a/chromium/net/http/http_auth_handler_unittest.cc b/chromium/net/http/http_auth_handler_unittest.cc
index aeca24a1f1d..fed58146ca8 100644
--- a/chromium/net/http/http_auth_handler_unittest.cc
+++ b/chromium/net/http/http_auth_handler_unittest.cc
@@ -36,7 +36,7 @@ TEST(HttpAuthHandlerTest, NetLog) {
       TestCompletionCallback test_callback;
       HttpAuthChallengeTokenizer tokenizer(challenge.begin(), challenge.end());
       HttpAuthHandlerMock mock_handler;
-      BoundTestNetLog test_net_log;
+      RecordingBoundTestNetLog test_net_log;
 
       // set_connection_based(true) indicates that the HandleAnotherChallenge()
       // call after GenerateAuthToken() is expected and does not result in
diff --git a/chromium/net/http/http_negotiate_auth_system.h b/chromium/net/http/http_auth_mechanism.h
index 15dcc6c4425..85d404be2c8 100644
--- a/chromium/net/http/http_negotiate_auth_system.h
+++ b/chromium/net/http/http_auth_mechanism.h
@@ -2,9 +2,12 @@
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
-#ifndef NET_HTTP_HTTP_NEGOTIATE_AUTH_SYSTEM_H_
-#define NET_HTTP_HTTP_NEGOTIATE_AUTH_SYSTEM_H_
+#ifndef NET_HTTP_HTTP_AUTH_MECHANISM_H_
+#define NET_HTTP_HTTP_AUTH_MECHANISM_H_
 
+#include <memory>
+
+#include "base/callback_forward.h"
 #include "net/base/completion_once_callback.h"
 #include "net/base/net_export.h"
 #include "net/http/http_auth.h"
@@ -13,11 +16,12 @@ namespace net {
 
 class AuthCredentials;
 class HttpAuthChallengeTokenizer;
+class HttpAuthPreferences;
 class NetLogWithSource;
 
-class NET_EXPORT_PRIVATE HttpNegotiateAuthSystem {
+class NET_EXPORT_PRIVATE HttpAuthMechanism {
  public:
-  virtual ~HttpNegotiateAuthSystem() = default;
+  virtual ~HttpAuthMechanism() = default;
 
   virtual bool Init(const NetLogWithSource& net_log) = 0;
 
@@ -67,6 +71,11 @@ class NET_EXPORT_PRIVATE HttpNegotiateAuthSystem {
   virtual void SetDelegation(HttpAuth::DelegationType delegation_type) = 0;
 };
 
+// Factory is just a callback that returns a unique_ptr.
+using HttpAuthMechanismFactory =
+    base::RepeatingCallback<std::unique_ptr<HttpAuthMechanism>(
+        const HttpAuthPreferences*)>;
+
 }  // namespace net
 
-#endif  // NET_HTTP_HTTP_NEGOTIATE_AUTH_SYSTEM_H_
+#endif  // NET_HTTP_HTTP_AUTH_MECHANISM_H_
diff --git a/chromium/net/http/http_auth_multi_round_parse.cc b/chromium/net/http/http_auth_multi_round_parse.cc
index 1d0edac08b8..915db115a3a 100644
--- a/chromium/net/http/http_auth_multi_round_parse.cc
+++ b/chromium/net/http/http_auth_multi_round_parse.cc
@@ -2,30 +2,28 @@
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
+#include "net/http/http_auth_multi_round_parse.h"
+
 #include "base/base64.h"
+#include "base/strings/string_piece.h"
 #include "base/strings/string_util.h"
 #include "net/http/http_auth_challenge_tokenizer.h"
-#include "net/http/http_auth_multi_round_parse.h"
 
 namespace net {
 
 namespace {
 
 // Check that the scheme in the challenge matches the expected scheme
-bool SchemeIsValid(const std::string& scheme,
+bool SchemeIsValid(HttpAuth::Scheme scheme,
                    HttpAuthChallengeTokenizer* challenge) {
-  // There is no guarantee that challenge->scheme() is valid ASCII, but
-  // LowerCaseEqualsASCII will do the right thing even if it isn't.
-  return base::LowerCaseEqualsASCII(challenge->scheme(),
-                                    base::ToLowerASCII(scheme));
+  return challenge->auth_scheme() == HttpAuth::SchemeToString(scheme);
 }
 
 }  // namespace
 
 HttpAuth::AuthorizationResult ParseFirstRoundChallenge(
-    const std::string& scheme,
+    HttpAuth::Scheme scheme,
     HttpAuthChallengeTokenizer* challenge) {
-  // Verify the challenge's auth-scheme.
   if (!SchemeIsValid(scheme, challenge))
     return HttpAuth::AUTHORIZATION_RESULT_INVALID;
 
@@ -37,11 +35,10 @@ HttpAuth::AuthorizationResult ParseFirstRoundChallenge(
 }
 
 HttpAuth::AuthorizationResult ParseLaterRoundChallenge(
-    const std::string& scheme,
+    HttpAuth::Scheme scheme,
     HttpAuthChallengeTokenizer* challenge,
     std::string* encoded_token,
     std::string* decoded_token) {
-  // Verify the challenge's auth-scheme.
   if (!SchemeIsValid(scheme, challenge))
     return HttpAuth::AUTHORIZATION_RESULT_INVALID;
 
@@ -49,7 +46,6 @@ HttpAuth::AuthorizationResult ParseLaterRoundChallenge(
   if (encoded_token->empty())
     return HttpAuth::AUTHORIZATION_RESULT_REJECT;
 
-  // Make sure the additional token is base64 encoded.
   if (!base::Base64Decode(*encoded_token, decoded_token))
     return HttpAuth::AUTHORIZATION_RESULT_INVALID;
   return HttpAuth::AUTHORIZATION_RESULT_ACCEPT;
diff --git a/chromium/net/http/http_auth_multi_round_parse.h b/chromium/net/http/http_auth_multi_round_parse.h
index 2fb63473d1a..034444e6cd4 100644
--- a/chromium/net/http/http_auth_multi_round_parse.h
+++ b/chromium/net/http/http_auth_multi_round_parse.h
@@ -7,6 +7,7 @@
 
 #include <string>
 
+#include "base/strings/string_piece.h"
 #include "net/base/net_export.h"
 #include "net/http/http_auth.h"
 
@@ -15,11 +16,11 @@ namespace net {
 class HttpAuthChallengeTokenizer;
 
 NET_EXPORT_PRIVATE HttpAuth::AuthorizationResult ParseFirstRoundChallenge(
-    const std::string& scheme,
+    HttpAuth::Scheme scheme,
     HttpAuthChallengeTokenizer* challenge);
 
 NET_EXPORT_PRIVATE HttpAuth::AuthorizationResult ParseLaterRoundChallenge(
-    const std::string& scheme,
+    HttpAuth::Scheme scheme,
     HttpAuthChallengeTokenizer* challenge,
     std::string* encoded_token,
     std::string* decoded_token);
diff --git a/chromium/net/http/http_auth_multi_round_parse_unittest.cc b/chromium/net/http/http_auth_multi_round_parse_unittest.cc
index 7692abf6421..aa078d06bcb 100644
--- a/chromium/net/http/http_auth_multi_round_parse_unittest.cc
+++ b/chromium/net/http/http_auth_multi_round_parse_unittest.cc
@@ -2,8 +2,12 @@
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
-#include "net/http/http_auth_challenge_tokenizer.h"
 #include "net/http/http_auth_multi_round_parse.h"
+
+#include "base/strings/string_util.h"
+#include "net/http/http_auth.h"
+#include "net/http/http_auth_challenge_tokenizer.h"
+#include "net/http/http_auth_scheme.h"
 #include "testing/gtest/include/gtest/gtest.h"
 
 namespace net {
@@ -11,11 +15,12 @@ namespace net {
 TEST(HttpAuthHandlerNegotiateParseTest, ParseFirstRoundChallenge) {
   // The first round should just consist of an unadorned header with the scheme
   // name.
-  std::string challenge_text = "DummyScheme";
+  std::string challenge_text = "Negotiate";
   HttpAuthChallengeTokenizer challenge(challenge_text.begin(),
                                        challenge_text.end());
-  EXPECT_EQ(HttpAuth::AUTHORIZATION_RESULT_ACCEPT,
-            ParseFirstRoundChallenge("dummyscheme", &challenge));
+  EXPECT_EQ(
+      HttpAuth::AUTHORIZATION_RESULT_ACCEPT,
+      ParseFirstRoundChallenge(HttpAuth::AUTH_SCHEME_NEGOTIATE, &challenge));
 }
 
 TEST(HttpAuthHandlerNegotiateParseTest,
@@ -25,8 +30,9 @@ TEST(HttpAuthHandlerNegotiateParseTest,
   std::string challenge_text = "Negotiate Zm9vYmFy";
   HttpAuthChallengeTokenizer challenge(challenge_text.begin(),
                                        challenge_text.end());
-  EXPECT_EQ(HttpAuth::AUTHORIZATION_RESULT_INVALID,
-            ParseFirstRoundChallenge("negotiate", &challenge));
+  EXPECT_EQ(
+      HttpAuth::AUTHORIZATION_RESULT_INVALID,
+      ParseFirstRoundChallenge(HttpAuth::AUTH_SCHEME_NEGOTIATE, &challenge));
 }
 
 TEST(HttpAuthHandlerNegotiateParseTest,
@@ -34,8 +40,9 @@ TEST(HttpAuthHandlerNegotiateParseTest,
   std::string challenge_text = "DummyScheme";
   HttpAuthChallengeTokenizer challenge(challenge_text.begin(),
                                        challenge_text.end());
-  EXPECT_EQ(HttpAuth::AUTHORIZATION_RESULT_INVALID,
-            ParseFirstRoundChallenge("negotiate", &challenge));
+  EXPECT_EQ(
+      HttpAuth::AUTHORIZATION_RESULT_INVALID,
+      ParseFirstRoundChallenge(HttpAuth::AUTH_SCHEME_NEGOTIATE, &challenge));
 }
 
 TEST(HttpAuthHandlerNegotiateParseTest, ParseLaterRoundChallenge) {
@@ -45,9 +52,10 @@ TEST(HttpAuthHandlerNegotiateParseTest, ParseLaterRoundChallenge) {
                                        challenge_text.end());
   std::string encoded_token;
   std::string decoded_token;
-  EXPECT_EQ(HttpAuth::AUTHORIZATION_RESULT_ACCEPT,
-            ParseLaterRoundChallenge("negotiate", &challenge, &encoded_token,
-                                     &decoded_token));
+  EXPECT_EQ(
+      HttpAuth::AUTHORIZATION_RESULT_ACCEPT,
+      ParseLaterRoundChallenge(HttpAuth::AUTH_SCHEME_NEGOTIATE, &challenge,
+                               &encoded_token, &decoded_token));
   EXPECT_EQ("Zm9vYmFy", encoded_token);
   EXPECT_EQ("foobar", decoded_token);
 }
@@ -59,9 +67,10 @@ TEST(HttpAuthHandlerNegotiateParseTest,
                                        challenge_text.end());
   std::string encoded_token;
   std::string decoded_token;
-  EXPECT_EQ(HttpAuth::AUTHORIZATION_RESULT_REJECT,
-            ParseLaterRoundChallenge("negotiate", &challenge, &encoded_token,
-                                     &decoded_token));
+  EXPECT_EQ(
+      HttpAuth::AUTHORIZATION_RESULT_REJECT,
+      ParseLaterRoundChallenge(HttpAuth::AUTH_SCHEME_NEGOTIATE, &challenge,
+                               &encoded_token, &decoded_token));
 }
 
 TEST(HttpAuthHandlerNegotiateParseTest,
@@ -71,9 +80,19 @@ TEST(HttpAuthHandlerNegotiateParseTest,
                                        challenge_text.end());
   std::string encoded_token;
   std::string decoded_token;
-  EXPECT_EQ(HttpAuth::AUTHORIZATION_RESULT_INVALID,
-            ParseLaterRoundChallenge("negotiate", &challenge, &encoded_token,
-                                     &decoded_token));
+  EXPECT_EQ(
+      HttpAuth::AUTHORIZATION_RESULT_INVALID,
+      ParseLaterRoundChallenge(HttpAuth::AUTH_SCHEME_NEGOTIATE, &challenge,
+                               &encoded_token, &decoded_token));
+}
+
+// The parser assumes that all authentication scheme names are lowercase.
+TEST(HttpAuthHandlerNegotiateParseTest, AllSchemesAreCanonical) {
+  EXPECT_EQ(base::ToLowerASCII(kBasicAuthScheme), kBasicAuthScheme);
+  EXPECT_EQ(base::ToLowerASCII(kDigestAuthScheme), kDigestAuthScheme);
+  EXPECT_EQ(base::ToLowerASCII(kNtlmAuthScheme), kNtlmAuthScheme);
+  EXPECT_EQ(base::ToLowerASCII(kNegotiateAuthScheme), kNegotiateAuthScheme);
+  EXPECT_EQ(base::ToLowerASCII(kMockAuthScheme), kMockAuthScheme);
 }
 
 }  // namespace net
diff --git a/chromium/net/http/http_auth_preferences.cc b/chromium/net/http/http_auth_preferences.cc
index 15ab440c0df..c0e4539c46e 100644
--- a/chromium/net/http/http_auth_preferences.cc
+++ b/chromium/net/http/http_auth_preferences.cc
@@ -47,7 +47,8 @@ bool HttpAuthPreferences::AllowGssapiLibraryLoad() const {
 
 bool HttpAuthPreferences::CanUseDefaultCredentials(
     const GURL& auth_origin) const {
-  return security_manager_->CanUseDefaultCredentials(auth_origin);
+  return allow_default_credentials_ == ALLOW_DEFAULT_CREDENTIALS &&
+         security_manager_->CanUseDefaultCredentials(auth_origin);
 }
 
 using DelegationType = HttpAuth::DelegationType;
@@ -63,6 +64,10 @@ DelegationType HttpAuthPreferences::GetDelegationType(
   return DelegationType::kUnconstrained;
 }
 
+void HttpAuthPreferences::SetAllowDefaultCredentials(DefaultCredentials creds) {
+  allow_default_credentials_ = creds;
+}
+
 void HttpAuthPreferences::SetServerAllowlist(
     const std::string& server_allowlist) {
   std::unique_ptr<HttpAuthFilter> allowlist;
diff --git a/chromium/net/http/http_auth_preferences.h b/chromium/net/http/http_auth_preferences.h
index 8045bdd6f81..f59c36aa8a2 100644
--- a/chromium/net/http/http_auth_preferences.h
+++ b/chromium/net/http/http_auth_preferences.h
@@ -79,6 +79,8 @@ class NET_EXPORT HttpAuthPreferences {
 
   void SetDelegateAllowlist(const std::string& delegate_allowlist);
 
+  void SetAllowDefaultCredentials(DefaultCredentials creds);
+
 #if defined(OS_ANDROID)
   void set_auth_android_negotiate_account_type(
       const std::string& account_type) {
@@ -91,6 +93,8 @@ class NET_EXPORT HttpAuthPreferences {
   bool negotiate_disable_cname_lookup_ = false;
   bool negotiate_enable_port_ = false;
 
+  DefaultCredentials allow_default_credentials_ = ALLOW_DEFAULT_CREDENTIALS;
+
 #if defined(OS_POSIX) || defined(OS_FUCHSIA)
   bool ntlm_v2_enabled_ = true;
 #endif
diff --git a/chromium/net/http/http_auth_sspi_win.cc b/chromium/net/http/http_auth_sspi_win.cc
index 5ecaa96c99c..32836e0f419 100644
--- a/chromium/net/http/http_auth_sspi_win.cc
+++ b/chromium/net/http/http_auth_sspi_win.cc
@@ -355,11 +355,13 @@ SECURITY_STATUS SSPILibraryDefault::FreeContextBuffer(PVOID pvContextBuffer) {
   return ::FreeContextBuffer(pvContextBuffer);
 }
 
-HttpAuthSSPI::HttpAuthSSPI(SSPILibrary* library, const std::string& scheme)
+HttpAuthSSPI::HttpAuthSSPI(SSPILibrary* library, HttpAuth::Scheme scheme)
     : library_(library),
       scheme_(scheme),
       delegation_type_(DelegationType::kNone) {
   DCHECK(library_);
+  DCHECK(scheme_ == HttpAuth::AUTH_SCHEME_NEGOTIATE ||
+         scheme_ == HttpAuth::AUTH_SCHEME_NTLM);
   SecInvalidateHandle(&cred_);
   SecInvalidateHandle(&ctxt_);
 }
@@ -437,7 +439,11 @@ int HttpAuthSSPI::GenerateAuthToken(const AuthCredentials* credentials,
   base::Base64Encode(encode_input, &encode_output);
   // OK, we are done with |out_buf|
   free(out_buf);
-  *auth_token = scheme_ + " " + encode_output;
+  if (scheme_ == HttpAuth::AUTH_SCHEME_NEGOTIATE) {
+    *auth_token = "Negotiate " + encode_output;
+  } else {
+    *auth_token = "NTLM " + encode_output;
+  }
   return OK;
 }
 
@@ -507,7 +513,7 @@ int HttpAuthSSPI::GetNextSecurityToken(const std::string& spn,
     sec_channel_bindings_buffer.resize(sizeof(SEC_CHANNEL_BINDINGS));
     SEC_CHANNEL_BINDINGS* bindings_desc =
         reinterpret_cast<SEC_CHANNEL_BINDINGS*>(
-            &sec_channel_bindings_buffer.front());
+            sec_channel_bindings_buffer.data());
     bindings_desc->cbApplicationDataLength = channel_bindings.size();
     bindings_desc->dwApplicationDataOffset = sizeof(SEC_CHANNEL_BINDINGS);
     sec_channel_bindings_buffer.insert(sec_channel_bindings_buffer.end(),
@@ -519,7 +525,7 @@ int HttpAuthSSPI::GetNextSecurityToken(const std::string& spn,
     SecBuffer& sec_buffer = in_buffers[in_buffer_desc.cBuffers++];
     sec_buffer.BufferType = SECBUFFER_CHANNEL_BINDINGS;
     sec_buffer.cbBuffer = sec_channel_bindings_buffer.size();
-    sec_buffer.pvBuffer = &sec_channel_bindings_buffer.front();
+    sec_buffer.pvBuffer = sec_channel_bindings_buffer.data();
   }
 
   if (in_buffer_desc.cBuffers > 0)
diff --git a/chromium/net/http/http_auth_sspi_win.h b/chromium/net/http/http_auth_sspi_win.h
index 8fa3fddb380..3955d720f39 100644
--- a/chromium/net/http/http_auth_sspi_win.h
+++ b/chromium/net/http/http_auth_sspi_win.h
@@ -21,7 +21,7 @@
 #include "net/base/net_errors.h"
 #include "net/base/net_export.h"
 #include "net/http/http_auth.h"
-#include "net/http/http_negotiate_auth_system.h"
+#include "net/http/http_auth_mechanism.h"
 
 namespace net {
 
@@ -142,12 +142,12 @@ class SSPILibraryDefault : public SSPILibrary {
   SECURITY_STATUS FreeContextBuffer(PVOID pvContextBuffer) override;
 };
 
-class NET_EXPORT_PRIVATE HttpAuthSSPI : public HttpNegotiateAuthSystem {
+class NET_EXPORT_PRIVATE HttpAuthSSPI : public HttpAuthMechanism {
  public:
-  HttpAuthSSPI(SSPILibrary* sspi_library, const std::string& scheme);
+  HttpAuthSSPI(SSPILibrary* sspi_library, HttpAuth::Scheme scheme);
   ~HttpAuthSSPI() override;
 
-  // HttpNegotiateAuthSystem implementation:
+  // HttpAuthMechanism implementation:
   bool Init(const NetLogWithSource& net_log) override;
   bool NeedsIdentity() const override;
   bool AllowsExplicitCredentials() const override;
@@ -176,7 +176,7 @@ class NET_EXPORT_PRIVATE HttpAuthSSPI : public HttpNegotiateAuthSystem {
   void ResetSecurityContext();
 
   SSPILibrary* library_;
-  std::string scheme_;
+  HttpAuth::Scheme scheme_;
   std::string decoded_server_auth_token_;
   CredHandle cred_;
   CtxtHandle ctxt_;
diff --git a/chromium/net/http/http_auth_sspi_win_unittest.cc b/chromium/net/http/http_auth_sspi_win_unittest.cc
index c3b3ec960b4..09ddf1d6593 100644
--- a/chromium/net/http/http_auth_sspi_win_unittest.cc
+++ b/chromium/net/http/http_auth_sspi_win_unittest.cc
@@ -10,6 +10,7 @@
 #include "base/bind.h"
 #include "base/json/json_reader.h"
 #include "net/base/net_errors.h"
+#include "net/http/http_auth.h"
 #include "net/http/http_auth_challenge_tokenizer.h"
 #include "net/http/mock_sspi_library_win.h"
 #include "net/log/net_log_entry.h"
@@ -81,7 +82,7 @@ TEST(HttpAuthSSPITest, DetermineMaxTokenLength_InvalidPackage) {
 TEST(HttpAuthSSPITest, ParseChallenge_FirstRound) {
   // The first round should just consist of an unadorned "Negotiate" header.
   MockSSPILibrary mock_library{NEGOSSP_NAME};
-  HttpAuthSSPI auth_sspi(&mock_library, "Negotiate");
+  HttpAuthSSPI auth_sspi(&mock_library, HttpAuth::AUTH_SCHEME_NEGOTIATE);
   std::string challenge_text = "Negotiate";
   HttpAuthChallengeTokenizer challenge(challenge_text.begin(),
                                        challenge_text.end());
@@ -93,7 +94,7 @@ TEST(HttpAuthSSPITest, ParseChallenge_TwoRounds) {
   // The first round should just have "Negotiate", and the second round should
   // have a valid base64 token associated with it.
   MockSSPILibrary mock_library{NEGOSSP_NAME};
-  HttpAuthSSPI auth_sspi(&mock_library, "Negotiate");
+  HttpAuthSSPI auth_sspi(&mock_library, HttpAuth::AUTH_SCHEME_NEGOTIATE);
   std::string first_challenge_text = "Negotiate";
   HttpAuthChallengeTokenizer first_challenge(first_challenge_text.begin(),
                                              first_challenge_text.end());
@@ -118,7 +119,7 @@ TEST(HttpAuthSSPITest, ParseChallenge_UnexpectedTokenFirstRound) {
   // If the first round challenge has an additional authentication token, it
   // should be treated as an invalid challenge from the server.
   MockSSPILibrary mock_library{NEGOSSP_NAME};
-  HttpAuthSSPI auth_sspi(&mock_library, "Negotiate");
+  HttpAuthSSPI auth_sspi(&mock_library, HttpAuth::AUTH_SCHEME_NEGOTIATE);
   std::string challenge_text = "Negotiate Zm9vYmFy";
   HttpAuthChallengeTokenizer challenge(challenge_text.begin(),
                                        challenge_text.end());
@@ -130,7 +131,7 @@ TEST(HttpAuthSSPITest, ParseChallenge_MissingTokenSecondRound) {
   // If a later-round challenge is simply "Negotiate", it should be treated as
   // an authentication challenge rejection from the server or proxy.
   MockSSPILibrary mock_library{NEGOSSP_NAME};
-  HttpAuthSSPI auth_sspi(&mock_library, "Negotiate");
+  HttpAuthSSPI auth_sspi(&mock_library, HttpAuth::AUTH_SCHEME_NEGOTIATE);
   std::string first_challenge_text = "Negotiate";
   HttpAuthChallengeTokenizer first_challenge(first_challenge_text.begin(),
                                              first_challenge_text.end());
@@ -153,7 +154,7 @@ TEST(HttpAuthSSPITest, ParseChallenge_NonBase64EncodedToken) {
   // If a later-round challenge has an invalid base64 encoded token, it should
   // be treated as an invalid challenge.
   MockSSPILibrary mock_library{NEGOSSP_NAME};
-  HttpAuthSSPI auth_sspi(&mock_library, "Negotiate");
+  HttpAuthSSPI auth_sspi(&mock_library, HttpAuth::AUTH_SCHEME_NEGOTIATE);
   std::string first_challenge_text = "Negotiate";
   HttpAuthChallengeTokenizer first_challenge(first_challenge_text.begin(),
                                              first_challenge_text.end());
@@ -175,7 +176,7 @@ TEST(HttpAuthSSPITest, ParseChallenge_NonBase64EncodedToken) {
 // Runs through a full handshake against the MockSSPILibrary.
 TEST(HttpAuthSSPITest, GenerateAuthToken_FullHandshake_AmbientCreds) {
   MockSSPILibrary mock_library{NEGOSSP_NAME};
-  HttpAuthSSPI auth_sspi(&mock_library, "Negotiate");
+  HttpAuthSSPI auth_sspi(&mock_library, HttpAuth::AUTH_SCHEME_NEGOTIATE);
   std::string first_challenge_text = "Negotiate";
   HttpAuthChallengeTokenizer first_challenge(first_challenge_text.begin(),
                                              first_challenge_text.end());
@@ -214,9 +215,9 @@ TEST(HttpAuthSSPITest, GenerateAuthToken_FullHandshake_AmbientCreds) {
 
 // Test NetLogs produced while going through a full Negotiate handshake.
 TEST(HttpAuthSSPITest, GenerateAuthToken_FullHandshake_AmbientCreds_Logging) {
-  BoundTestNetLog net_log;
+  RecordingBoundTestNetLog net_log;
   MockSSPILibrary mock_library{NEGOSSP_NAME};
-  HttpAuthSSPI auth_sspi(&mock_library, "Negotiate");
+  HttpAuthSSPI auth_sspi(&mock_library, HttpAuth::AUTH_SCHEME_NEGOTIATE);
   std::string first_challenge_text = "Negotiate";
   HttpAuthChallengeTokenizer first_challenge(first_challenge_text.begin(),
                                              first_challenge_text.end());
diff --git a/chromium/net/http/http_basic_stream.cc b/chromium/net/http/http_basic_stream.cc
index d7cb43ea4f2..b2bb7fd1958 100644
--- a/chromium/net/http/http_basic_stream.cc
+++ b/chromium/net/http/http_basic_stream.cc
@@ -6,6 +6,7 @@
 
 #include <utility>
 
+#include "base/bind.h"
 #include "net/http/http_raw_request_headers.h"
 #include "net/http/http_request_info.h"
 #include "net/http/http_response_body_drainer.h"
@@ -31,7 +32,10 @@ int HttpBasicStream::InitializeStream(const HttpRequestInfo* request_info,
   state_.Initialize(request_info, priority, net_log);
   int ret = OK;
   if (!can_send_early) {
-    ret = parser()->ConfirmHandshake(std::move(callback));
+    // parser() cannot outlive |this|, so we can use base::Unretained().
+    ret = parser()->ConfirmHandshake(
+        base::BindOnce(&HttpBasicStream::OnHandshakeConfirmed,
+                       base::Unretained(this), std::move(callback)));
   }
   return ret;
 }
@@ -125,6 +129,14 @@ bool HttpBasicStream::GetLoadTimingInfo(
     return false;
   }
 
+  // If the request waited for handshake confirmation, shift |ssl_end| to
+  // include that time.
+  if (!load_timing_info->connect_timing.ssl_end.is_null() &&
+      !confirm_handshake_end_.is_null()) {
+    load_timing_info->connect_timing.ssl_end = confirm_handshake_end_;
+    load_timing_info->connect_timing.connect_end = confirm_handshake_end_;
+  }
+
   load_timing_info->receive_headers_start = parser()->response_start_time();
   return true;
 }
@@ -180,4 +192,15 @@ void HttpBasicStream::SetRequestHeadersCallback(
   request_headers_callback_ = std::move(callback);
 }
 
+void HttpBasicStream::OnHandshakeConfirmed(CompletionOnceCallback callback,
+                                           int rv) {
+  if (rv == OK) {
+    // Note this time is only recorded if ConfirmHandshake() completed
+    // asynchronously. If it was synchronous, GetLoadTimingInfo() assumes the
+    // handshake was already confirmed or there was nothing to confirm.
+    confirm_handshake_end_ = base::TimeTicks::Now();
+  }
+  std::move(callback).Run(rv);
+}
+
 }  // namespace net
diff --git a/chromium/net/http/http_basic_stream.h b/chromium/net/http/http_basic_stream.h
index 744b2f7a5b9..f5944f10d4a 100644
--- a/chromium/net/http/http_basic_stream.h
+++ b/chromium/net/http/http_basic_stream.h
@@ -15,6 +15,7 @@
 #include <string>
 
 #include "base/macros.h"
+#include "base/time/time.h"
 #include "net/base/completion_once_callback.h"
 #include "net/base/net_export.h"
 #include "net/http/http_basic_state.h"
@@ -93,7 +94,10 @@ class NET_EXPORT_PRIVATE HttpBasicStream : public HttpStream {
  private:
   HttpStreamParser* parser() const { return state_.parser(); }
 
+  void OnHandshakeConfirmed(CompletionOnceCallback callback, int rv);
+
   HttpBasicState state_;
+  base::TimeTicks confirm_handshake_end_;
   RequestHeadersCallback request_headers_callback_;
 
   DISALLOW_COPY_AND_ASSIGN(HttpBasicStream);
diff --git a/chromium/net/http/http_cache.cc b/chromium/net/http/http_cache.cc
index e5fb2f88a1e..ba99d7c1c26 100644
--- a/chromium/net/http/http_cache.cc
+++ b/chromium/net/http/http_cache.cc
@@ -82,16 +82,20 @@ int HttpCache::DefaultBackend::CreateBackend(
     std::unique_ptr<disk_cache::Backend>* backend,
     CompletionOnceCallback callback) {
   DCHECK_GE(max_bytes_, 0);
+  // TODO(crbug.com/1002220): Implement a forced reset for the http_cache when
+  // the Finch experiment status changes the cache configuration.
 #if defined(OS_ANDROID)
   if (app_status_listener_) {
     return disk_cache::CreateCacheBackend(
-        type_, backend_type_, path_, max_bytes_, true, net_log, backend,
+        type_, backend_type_, path_, max_bytes_,
+        disk_cache::ResetHandling::kResetOnError, net_log, backend,
         std::move(callback), app_status_listener_);
   }
 #endif
-  return disk_cache::CreateCacheBackend(type_, backend_type_, path_, max_bytes_,
-                                        true, net_log, backend,
-                                        std::move(callback));
+  return disk_cache::CreateCacheBackend(
+      type_, backend_type_, path_, max_bytes_,
+      disk_cache::ResetHandling::kResetOnError, net_log, backend,
+      std::move(callback));
 }
 
 #if defined(OS_ANDROID)
@@ -444,6 +448,7 @@ std::string HttpCache::GetResourceURLFromHttpCacheKey(const std::string& key) {
   return key;
 }
 
+// static
 std::string HttpCache::GenerateCacheKeyForTest(const HttpRequestInfo* request) {
   return GenerateCacheKey(request);
 }
@@ -520,6 +525,7 @@ int HttpCache::GetBackendForTransaction(Transaction* transaction) {
   return ERR_IO_PENDING;
 }
 
+// static
 // Generate a key that can be used inside the cache.
 std::string HttpCache::GenerateCacheKey(const HttpRequestInfo* request) {
   std::string isolation_key;
@@ -540,7 +546,6 @@ std::string HttpCache::GenerateCacheKey(const HttpRequestInfo* request) {
   // concatenate with the network isolation key if we are splitting the cache.
   std::string url = isolation_key + HttpUtil::SpecForRequest(request->url);
 
-  DCHECK_NE(DISABLE, mode_);
   // No valid URL can begin with numerals, so we should not have to worry
   // about collisions with normal URLs.
   if (request->upload_data_stream &&
diff --git a/chromium/net/http/http_cache.h b/chromium/net/http/http_cache.h
index c08c41050d3..a0bbaba9eec 100644
--- a/chromium/net/http/http_cache.h
+++ b/chromium/net/http/http_cache.h
@@ -268,7 +268,7 @@ class NET_EXPORT HttpCache : public HttpTransactionFactory {
   static std::string GetResourceURLFromHttpCacheKey(const std::string& key);
 
   // Function to generate cache key for testing.
-  std::string GenerateCacheKeyForTest(const HttpRequestInfo* request);
+  static std::string GenerateCacheKeyForTest(const HttpRequestInfo* request);
 
  private:
   // Types --------------------------------------------------------------------
@@ -315,6 +315,7 @@ class NET_EXPORT HttpCache : public HttpTransactionFactory {
   FRIEND_TEST_ALL_PREFIXES(HttpCacheTest, SplitCacheWithFrameOrigin);
   FRIEND_TEST_ALL_PREFIXES(HttpCacheTest, NonSplitCache);
   FRIEND_TEST_ALL_PREFIXES(HttpCacheTest, SplitCache);
+  FRIEND_TEST_ALL_PREFIXES(HttpCacheTest, SplitCacheWithRegistrableDomain);
 
   using TransactionList = std::list<Transaction*>;
   using TransactionSet = std::unordered_set<Transaction*>;
@@ -417,7 +418,7 @@ class NET_EXPORT HttpCache : public HttpTransactionFactory {
   int GetBackendForTransaction(Transaction* transaction);
 
   // Generates the cache key for this request.
-  std::string GenerateCacheKey(const HttpRequestInfo*);
+  static std::string GenerateCacheKey(const HttpRequestInfo*);
 
   // Dooms the entry selected by |key|, if it is currently in the list of active
   // entries.
diff --git a/chromium/net/http/http_cache_lookup_manager.cc b/chromium/net/http/http_cache_lookup_manager.cc
index d2d43f89470..1e71a417ef9 100644
--- a/chromium/net/http/http_cache_lookup_manager.cc
+++ b/chromium/net/http/http_cache_lookup_manager.cc
@@ -45,6 +45,7 @@ int HttpCacheLookupManager::LookupTransaction::StartLookup(
   });
 
   request_->url = push_helper_->GetURL();
+  request_->network_isolation_key = push_helper_->GetNetworkIsolationKey();
   request_->method = "GET";
   request_->load_flags = LOAD_ONLY_FROM_CACHE | LOAD_SKIP_CACHE_VALIDATION;
   cache->CreateTransaction(DEFAULT_PRIORITY, &transaction_);
diff --git a/chromium/net/http/http_cache_lookup_manager_unittest.cc b/chromium/net/http/http_cache_lookup_manager_unittest.cc
index a7a3bd44dad..549bba5fa7e 100644
--- a/chromium/net/http/http_cache_lookup_manager_unittest.cc
+++ b/chromium/net/http/http_cache_lookup_manager_unittest.cc
@@ -16,6 +16,7 @@
 #include "net/http/mock_http_cache.h"
 #include "net/test/gtest_util.h"
 #include "testing/gmock/include/gmock/gmock.h"
+#include "testing/gtest/include/gtest/gtest-param-test.h"
 #include "testing/gtest/include/gtest/gtest.h"
 
 using net::test::IsOk;
@@ -26,14 +27,27 @@ namespace {
 
 class MockServerPushHelper : public ServerPushDelegate::ServerPushHelper {
  public:
-  explicit MockServerPushHelper(const GURL& url) : request_url_(url) {}
+  explicit MockServerPushHelper(const GURL& url)
+      : request_url_(url),
+        network_isolation_key_(url::Origin::Create(url),
+                               url::Origin::Create(url)) {}
 
   const GURL& GetURL() const override { return request_url_; }
 
+  NetworkIsolationKey GetNetworkIsolationKey() const override {
+    return network_isolation_key_;
+  }
+
+  void set_network_isolation_key(
+      const net::NetworkIsolationKey& network_isolation_key) {
+    network_isolation_key_ = network_isolation_key;
+  }
+
   MOCK_METHOD0(Cancel, void());
 
  private:
   const GURL request_url_;
+  NetworkIsolationKey network_isolation_key_;
 };
 
 std::unique_ptr<MockTransaction> CreateMockTransaction(const GURL& url) {
@@ -136,13 +150,17 @@ TEST(HttpCacheLookupManagerTest, ServerPushDoNotCreateCacheEntry) {
   EXPECT_EQ(0, mock_cache.disk_cache()->create_count());
 }
 
-TEST(HttpCacheLookupManagerTest, ServerPushHitCache) {
-  // Skip test if split cache is enabled, as it breaks push.
-  // crbug.com/1009619
-  if (base::FeatureList::IsEnabled(
-          net::features::kSplitCacheByNetworkIsolationKey)) {
-    return;
-  }
+// Parameterized by whether the network isolation key are the same for the
+// server push and corresponding cache entry.
+class HttpCacheLookupManagerTest_NetworkIsolationKey
+    : public ::testing::Test,
+      public ::testing::WithParamInterface<
+          bool /* use_same_network_isolation_key */> {};
+
+TEST_P(HttpCacheLookupManagerTest_NetworkIsolationKey, ServerPushCacheStatus) {
+  bool use_same_network_isolation_key = GetParam();
+  bool split_cache_enabled = base::FeatureList::IsEnabled(
+      net::features::kSplitCacheByNetworkIsolationKey);
 
   base::test::TaskEnvironment task_environment;
   MockHttpCache mock_cache;
@@ -163,32 +181,41 @@ TEST(HttpCacheLookupManagerTest, ServerPushHitCache) {
 
   std::unique_ptr<MockServerPushHelper> push_helper =
       std::make_unique<MockServerPushHelper>(request_url);
+  if (!use_same_network_isolation_key) {
+    url::Origin origin = url::Origin::Create(GURL("http://www.abc.com"));
+    push_helper->set_network_isolation_key(
+        net::NetworkIsolationKey(origin, origin));
+  }
+
   MockServerPushHelper* push_helper_ptr = push_helper.get();
 
-  // Receive a server push and should cancel the push.
-  EXPECT_CALL(*push_helper_ptr, Cancel()).Times(1);
+  int expected_cancel_times =
+      use_same_network_isolation_key || !split_cache_enabled ? 1 : 0;
+  EXPECT_CALL(*push_helper_ptr, Cancel()).Times(expected_cancel_times);
   push_delegate.OnPush(std::move(push_helper), NetLogWithSource());
   base::RunLoop().RunUntilIdle();
 
   // Make sure no new net layer transaction is created.
   EXPECT_EQ(1, mock_cache.network_layer()->transaction_count());
-  EXPECT_EQ(1, mock_cache.disk_cache()->open_count());
+
+  int expected_open_count =
+      use_same_network_isolation_key || !split_cache_enabled ? 1 : 0;
+  EXPECT_EQ(expected_open_count, mock_cache.disk_cache()->open_count());
+
   EXPECT_EQ(1, mock_cache.disk_cache()->create_count());
 
   RemoveMockTransaction(mock_trans.get());
 }
 
+INSTANTIATE_TEST_SUITE_P(
+    /* no prefix */,
+    HttpCacheLookupManagerTest_NetworkIsolationKey,
+    ::testing::Bool());
+
 // Test when a server push is received while the HttpCacheLookupManager has a
 // pending lookup transaction for the same URL, the new server push will not
 // send a new lookup transaction and should not be canceled.
 TEST(HttpCacheLookupManagerTest, ServerPushPendingLookup) {
-  // Skip test if split cache is enabled, as it breaks push.
-  // crbug.com/1009619
-  if (base::FeatureList::IsEnabled(
-          net::features::kSplitCacheByNetworkIsolationKey)) {
-    return;
-  }
-
   base::test::TaskEnvironment task_environment;
   MockHttpCache mock_cache;
   HttpCacheLookupManager push_delegate(mock_cache.http_cache());
@@ -234,13 +261,6 @@ TEST(HttpCacheLookupManagerTest, ServerPushPendingLookup) {
 
 // Test the server push lookup is based on the full url.
 TEST(HttpCacheLookupManagerTest, ServerPushLookupOnUrl) {
-  // Skip test if split cache is enabled, as it breaks push.
-  // crbug.com/1009619
-  if (base::FeatureList::IsEnabled(
-          net::features::kSplitCacheByNetworkIsolationKey)) {
-    return;
-  }
-
   base::test::TaskEnvironment task_environment;
   MockHttpCache mock_cache;
   HttpCacheLookupManager push_delegate(mock_cache.http_cache());
diff --git a/chromium/net/http/http_cache_transaction.cc b/chromium/net/http/http_cache_transaction.cc
index b7a72ba1c10..2973940d197 100644
--- a/chromium/net/http/http_cache_transaction.cc
+++ b/chromium/net/http/http_cache_transaction.cc
@@ -3041,9 +3041,13 @@ int HttpCache::Transaction::DoSetupEntryForRead() {
   }
 
   if (partial_) {
-    if (truncated_ || is_sparse_ || !invalid_range_) {
+    if (truncated_ || is_sparse_ ||
+        (!invalid_range_ && (response_.headers->response_code() == 200 ||
+                             response_.headers->response_code() == 206))) {
       // We are going to return the saved response headers to the caller, so
-      // we may need to adjust them first.
+      // we may need to adjust them first. In cases we are handling a range
+      // request to a regular entry, we want the response to be a 200 or 206,
+      // since others can't really be turned into a 206.
       TransitionToState(STATE_PARTIAL_HEADERS_RECEIVED);
       return OK;
     } else {
diff --git a/chromium/net/http/http_cache_unittest.cc b/chromium/net/http/http_cache_unittest.cc
index 3838a85a5b2..68480625ed2 100644
--- a/chromium/net/http/http_cache_unittest.cc
+++ b/chromium/net/http/http_cache_unittest.cc
@@ -391,12 +391,14 @@ class RangeTransactionServer {
     not_modified_ = false;
     modified_ = false;
     bad_200_ = false;
+    redirect_ = false;
     length_ = 80;
   }
   ~RangeTransactionServer() {
     not_modified_ = false;
     modified_ = false;
     bad_200_ = false;
+    redirect_ = false;
     length_ = 80;
   }
 
@@ -412,6 +414,9 @@ class RangeTransactionServer {
   // Sets how long the resource is. (Default is 80)
   void set_length(int64_t length) { length_ = length; }
 
+  // Sets whether to return a 301 instead of normal return.
+  void set_redirect(bool redirect) { redirect_ = redirect; }
+
   // Other than regular range related behavior (and the flags mentioned above),
   // the server reacts to requests headers like so:
   //   X-Require-Mock-Auth -> return 401.
@@ -428,12 +433,14 @@ class RangeTransactionServer {
   static bool not_modified_;
   static bool modified_;
   static bool bad_200_;
+  static bool redirect_;
   static int64_t length_;
   DISALLOW_COPY_AND_ASSIGN(RangeTransactionServer);
 };
 bool RangeTransactionServer::not_modified_ = false;
 bool RangeTransactionServer::modified_ = false;
 bool RangeTransactionServer::bad_200_ = false;
+bool RangeTransactionServer::redirect_ = false;
 int64_t RangeTransactionServer::length_ = 80;
 
 // A dummy extra header that must be preserved on a given request.
@@ -472,6 +479,13 @@ void RangeTransactionServer::RangeHandler(const HttpRequestInfo* request,
     return;
   }
 
+  if (redirect_) {
+    response_status->assign("HTTP/1.1 301 Moved Permanently");
+    response_headers->assign("Location: /elsewhere\nContent-Length: 5");
+    response_data->assign("12345");
+    return;
+  }
+
   if (not_modified_) {
     response_status->assign("HTTP/1.1 304 Not Modified");
     response_data->clear();
@@ -546,15 +560,25 @@ void RangeTransactionServer::RangeHandler(const HttpRequestInfo* request,
 }
 
 const MockTransaction kRangeGET_TransactionOK = {
-    "http://www.google.com/range", "GET", base::Time(),
-    "Range: bytes = 40-49\r\n" EXTRA_HEADER, LOAD_NORMAL,
+    "http://www.google.com/range",
+    "GET",
+    base::Time(),
+    "Range: bytes = 40-49\r\n" EXTRA_HEADER,
+    LOAD_NORMAL,
     "HTTP/1.1 206 Partial Content",
     "Last-Modified: Sat, 18 Apr 2007 01:10:43 GMT\n"
     "ETag: \"foo\"\n"
     "Accept-Ranges: bytes\n"
     "Content-Length: 10\n",
-    base::Time(), "rg: 40-49 ", TEST_MODE_NORMAL,
-    &RangeTransactionServer::RangeHandler, nullptr, nullptr, 0, 0, OK};
+    base::Time(),
+    "rg: 40-49 ",
+    TEST_MODE_NORMAL,
+    &RangeTransactionServer::RangeHandler,
+    nullptr,
+    nullptr,
+    0,
+    0,
+    OK};
 
 const char kFullRangeData[] =
     "rg: 00-09 rg: 10-19 rg: 20-29 rg: 30-39 "
@@ -583,8 +607,8 @@ void Verify206Response(const std::string& response, int start, int end) {
 void CreateTruncatedEntry(std::string raw_headers, MockHttpCache* cache) {
   // Create a disk cache entry that stores an incomplete resource.
   disk_cache::Entry* entry;
-  ASSERT_TRUE(
-      cache->CreateBackendEntry(kRangeGET_TransactionOK.url, &entry, nullptr));
+  MockHttpRequest request(kRangeGET_TransactionOK);
+  ASSERT_TRUE(cache->CreateBackendEntry(request.CacheKey(), &entry, nullptr));
 
   HttpResponseInfo response;
   response.response_time = base::Time::Now();
@@ -685,13 +709,13 @@ bool ShouldIgnoreLogEntry(const NetLogEntry& entry) {
 // Gets the entries from |net_log| created by the cache layer and asserted on in
 // these tests.
 std::vector<NetLogEntry> GetFilteredNetLogEntries(
-    const BoundTestNetLog& net_log) {
+    const RecordingBoundTestNetLog& net_log) {
   auto entries = net_log.GetEntries();
   base::EraseIf(entries, ShouldIgnoreLogEntry);
   return entries;
 }
 
-bool LogContainsEventType(const BoundTestNetLog& log,
+bool LogContainsEventType(const RecordingBoundTestNetLog& log,
                           NetLogEventType expected) {
   return !log.GetEntriesWithType(expected).empty();
 }
@@ -782,7 +806,7 @@ TEST_F(HttpCacheTest, GetBackend) {
 
 TEST_F(HttpCacheTest, SimpleGET) {
   MockHttpCache cache;
-  BoundTestNetLog log;
+  RecordingBoundTestNetLog log;
   LoadTimingInfo load_timing_info;
 
   // Write to the cache.
@@ -848,7 +872,7 @@ TEST_F(HttpCacheTest, SimpleGETNoDiskCache) {
 
   cache.disk_cache()->set_fail_requests(true);
 
-  BoundTestNetLog log;
+  RecordingBoundTestNetLog log;
   LoadTimingInfo load_timing_info;
 
   // Read from the network, and don't use the cache.
@@ -958,7 +982,7 @@ TEST_F(HttpCacheTest, SimpleGETWithDiskFailures2) {
 
   // We have to open the entry again to propagate the failure flag.
   disk_cache::Entry* en;
-  ASSERT_TRUE(cache.OpenBackendEntry(kSimpleGET_Transaction.url, &en));
+  ASSERT_TRUE(cache.OpenBackendEntry(request.CacheKey(), &en));
   en->Close();
 
   ReadAndVerifyTransaction(c->trans.get(), kSimpleGET_Transaction);
@@ -1016,7 +1040,7 @@ TEST_F(HttpCacheTest, SimpleGETWithDiskFailures3) {
 TEST_F(HttpCacheTest, SimpleGET_LoadOnlyFromCache_Hit) {
   MockHttpCache cache;
 
-  BoundTestNetLog log;
+  RecordingBoundTestNetLog log;
   LoadTimingInfo load_timing_info;
 
   // Write to the cache.
@@ -1180,7 +1204,7 @@ TEST_F(HttpCacheTest, SimpleGET_LoadPreferringCache_VaryMismatch) {
   // the network again.
   transaction.load_flags |= LOAD_SKIP_CACHE_VALIDATION;
   transaction.request_headers = "Foo: none\r\n";
-  BoundTestNetLog log;
+  RecordingBoundTestNetLog log;
   LoadTimingInfo load_timing_info;
   RunTransactionTestAndGetTiming(cache.http_cache(), transaction, log.bound(),
                                  &load_timing_info);
@@ -1207,7 +1231,7 @@ TEST_F(HttpCacheTest, SimpleGET_LoadSkipCacheValidation_VaryStar) {
   // Attempt to read from the cache... we will still load it from network,
   // since Vary: * doesn't match.
   transaction.load_flags |= LOAD_SKIP_CACHE_VALIDATION;
-  BoundTestNetLog log;
+  RecordingBoundTestNetLog log;
   LoadTimingInfo load_timing_info;
   RunTransactionTestAndGetTiming(cache.http_cache(), transaction, log.bound(),
                                  &load_timing_info);
@@ -1349,7 +1373,7 @@ TEST_F(HttpCacheTest, SimpleGET_LoadBypassCache) {
   MockTransaction transaction(kSimpleGET_Transaction);
   transaction.load_flags |= LOAD_BYPASS_CACHE;
 
-  BoundTestNetLog log;
+  RecordingBoundTestNetLog log;
   LoadTimingInfo load_timing_info;
 
   // Write to the cache.
@@ -1431,7 +1455,7 @@ TEST_F(HttpCacheTest, SimpleGET_LoadValidateCache) {
   transaction.load_flags |= LOAD_VALIDATE_CACHE;
 
   HttpResponseInfo response_info;
-  BoundTestNetLog log;
+  RecordingBoundTestNetLog log;
   LoadTimingInfo load_timing_info;
   RunTransactionTestWithResponseInfoAndGetTiming(
       cache.http_cache(), transaction, &response_info, log.bound(),
@@ -1473,7 +1497,7 @@ TEST_F(HttpCacheTest, SimpleGET_UnusedSincePrefetch) {
   // A normal load does not have |unused_since_prefetch| set.
   RunTransactionTestWithResponseInfoAndGetTiming(
       cache.http_cache(), kSimpleGET_Transaction, &response_info,
-      BoundTestNetLog().bound(), nullptr);
+      RecordingBoundTestNetLog().bound(), nullptr);
   EXPECT_FALSE(response_info.unused_since_prefetch);
   EXPECT_FALSE(response_info.was_cached);
 
@@ -1482,28 +1506,28 @@ TEST_F(HttpCacheTest, SimpleGET_UnusedSincePrefetch) {
   prefetch_transaction.load_flags |= LOAD_PREFETCH;
   RunTransactionTestWithResponseInfoAndGetTiming(
       cache.http_cache(), prefetch_transaction, &response_info,
-      BoundTestNetLog().bound(), nullptr);
+      RecordingBoundTestNetLog().bound(), nullptr);
   EXPECT_FALSE(response_info.unused_since_prefetch);
   EXPECT_TRUE(response_info.was_cached);
 
   // A duplicated prefetch has |unused_since_prefetch| set.
   RunTransactionTestWithResponseInfoAndGetTiming(
       cache.http_cache(), prefetch_transaction, &response_info,
-      BoundTestNetLog().bound(), nullptr);
+      RecordingBoundTestNetLog().bound(), nullptr);
   EXPECT_TRUE(response_info.unused_since_prefetch);
   EXPECT_TRUE(response_info.was_cached);
 
   // |unused_since_prefetch| is still true after two prefetches in a row.
   RunTransactionTestWithResponseInfoAndGetTiming(
       cache.http_cache(), kSimpleGET_Transaction, &response_info,
-      BoundTestNetLog().bound(), nullptr);
+      RecordingBoundTestNetLog().bound(), nullptr);
   EXPECT_TRUE(response_info.unused_since_prefetch);
   EXPECT_TRUE(response_info.was_cached);
 
   // The resource has now been used, back to normal behavior.
   RunTransactionTestWithResponseInfoAndGetTiming(
       cache.http_cache(), kSimpleGET_Transaction, &response_info,
-      BoundTestNetLog().bound(), nullptr);
+      RecordingBoundTestNetLog().bound(), nullptr);
   EXPECT_FALSE(response_info.unused_since_prefetch);
   EXPECT_TRUE(response_info.was_cached);
 }
@@ -1519,7 +1543,7 @@ TEST_F(HttpCacheTest, SimpleGET_RestrictedPrefetchIsRestrictedUntilReuse) {
   // A normal load does not have |restricted_prefetch| set.
   RunTransactionTestWithResponseInfoAndGetTiming(
       cache.http_cache(), kTypicalGET_Transaction, &response_info,
-      BoundTestNetLog().bound(), nullptr);
+      RecordingBoundTestNetLog().bound(), nullptr);
   EXPECT_FALSE(response_info.restricted_prefetch);
   EXPECT_FALSE(response_info.was_cached);
   EXPECT_TRUE(response_info.network_accessed);
@@ -1530,7 +1554,7 @@ TEST_F(HttpCacheTest, SimpleGET_RestrictedPrefetchIsRestrictedUntilReuse) {
   prefetch_transaction.load_flags |= LOAD_RESTRICTED_PREFETCH;
   RunTransactionTestWithResponseInfoAndGetTiming(
       cache.http_cache(), prefetch_transaction, &response_info,
-      BoundTestNetLog().bound(), nullptr);
+      RecordingBoundTestNetLog().bound(), nullptr);
   EXPECT_TRUE(response_info.restricted_prefetch);
   EXPECT_FALSE(response_info.was_cached);
   EXPECT_TRUE(response_info.network_accessed);
@@ -1544,7 +1568,7 @@ TEST_F(HttpCacheTest, SimpleGET_RestrictedPrefetchIsRestrictedUntilReuse) {
       LOAD_CAN_USE_RESTRICTED_PREFETCH;
   RunTransactionTestWithResponseInfoAndGetTiming(
       cache.http_cache(), can_use_restricted_prefetch_transaction,
-      &response_info, BoundTestNetLog().bound(), nullptr);
+      &response_info, RecordingBoundTestNetLog().bound(), nullptr);
   EXPECT_TRUE(response_info.restricted_prefetch);
   EXPECT_TRUE(response_info.was_cached);
   EXPECT_FALSE(response_info.network_accessed);
@@ -1552,7 +1576,7 @@ TEST_F(HttpCacheTest, SimpleGET_RestrictedPrefetchIsRestrictedUntilReuse) {
   // Later reuse is still no longer marked restricted.
   RunTransactionTestWithResponseInfoAndGetTiming(
       cache.http_cache(), kSimpleGET_Transaction, &response_info,
-      BoundTestNetLog().bound(), nullptr);
+      RecordingBoundTestNetLog().bound(), nullptr);
   EXPECT_FALSE(response_info.restricted_prefetch);
   EXPECT_TRUE(response_info.was_cached);
   EXPECT_FALSE(response_info.network_accessed);
@@ -1568,7 +1592,7 @@ TEST_F(HttpCacheTest, SimpleGET_RestrictedPrefetchReuseIsLimited) {
   prefetch_transaction.load_flags |= LOAD_RESTRICTED_PREFETCH;
   RunTransactionTestWithResponseInfoAndGetTiming(
       cache.http_cache(), prefetch_transaction, &response_info,
-      BoundTestNetLog().bound(), nullptr);
+      RecordingBoundTestNetLog().bound(), nullptr);
   EXPECT_TRUE(response_info.restricted_prefetch);
   EXPECT_FALSE(response_info.was_cached);
   EXPECT_TRUE(response_info.network_accessed);
@@ -1578,7 +1602,7 @@ TEST_F(HttpCacheTest, SimpleGET_RestrictedPrefetchReuseIsLimited) {
   // |restricted_prefetch|.
   RunTransactionTestWithResponseInfoAndGetTiming(
       cache.http_cache(), kSimpleGET_Transaction, &response_info,
-      BoundTestNetLog().bound(), nullptr);
+      RecordingBoundTestNetLog().bound(), nullptr);
   EXPECT_FALSE(response_info.restricted_prefetch);
   EXPECT_FALSE(response_info.was_cached);
   EXPECT_TRUE(response_info.network_accessed);
@@ -1588,7 +1612,7 @@ TEST_F(HttpCacheTest, SimpleGET_RestrictedPrefetchReuseIsLimited) {
   // an unrestricted one.
   RunTransactionTestWithResponseInfoAndGetTiming(
       cache.http_cache(), kSimpleGET_Transaction, &response_info,
-      BoundTestNetLog().bound(), nullptr);
+      RecordingBoundTestNetLog().bound(), nullptr);
   EXPECT_FALSE(response_info.restricted_prefetch);
   EXPECT_TRUE(response_info.was_cached);
   EXPECT_FALSE(response_info.network_accessed);
@@ -1603,7 +1627,7 @@ TEST_F(HttpCacheTest, SimpleGET_UnusedSincePrefetchWriteError) {
   prefetch_transaction.load_flags |= LOAD_PREFETCH;
   RunTransactionTestWithResponseInfoAndGetTiming(
       cache.http_cache(), prefetch_transaction, &response_info,
-      BoundTestNetLog().bound(), nullptr);
+      RecordingBoundTestNetLog().bound(), nullptr);
   EXPECT_TRUE(response_info.unused_since_prefetch);
   EXPECT_FALSE(response_info.was_cached);
 
@@ -1611,7 +1635,7 @@ TEST_F(HttpCacheTest, SimpleGET_UnusedSincePrefetchWriteError) {
   cache.disk_cache()->set_soft_failures_mask(MockDiskEntry::FAIL_WRITE);
   RunTransactionTestWithResponseInfoAndGetTiming(
       cache.http_cache(), kSimpleGET_Transaction, &response_info,
-      BoundTestNetLog().bound(), nullptr);
+      RecordingBoundTestNetLog().bound(), nullptr);
 }
 
 static void PreserveRequestHeaders_Handler(const HttpRequestInfo* request,
@@ -1706,8 +1730,8 @@ TEST_F(HttpCacheTest, SimpleGET_ManyReaders) {
   base::RunLoop().RunUntilIdle();
 
   // All requests are added to writers.
-  EXPECT_EQ(kNumTransactions,
-            cache.GetCountWriterTransactions(kSimpleGET_Transaction.url));
+  std::string cache_key = request.CacheKey();
+  EXPECT_EQ(kNumTransactions, cache.GetCountWriterTransactions(cache_key));
 
   EXPECT_EQ(1, cache.network_layer()->transaction_count());
   EXPECT_EQ(0, cache.disk_cache()->open_count());
@@ -1726,9 +1750,8 @@ TEST_F(HttpCacheTest, SimpleGET_ManyReaders) {
     // After the 1st transaction has completed the response, all transactions
     // get added to readers.
     if (i > 0) {
-      EXPECT_FALSE(cache.IsWriterPresent(kSimpleGET_Transaction.url));
-      EXPECT_EQ(kNumTransactions - i,
-                cache.GetCountReaders(kSimpleGET_Transaction.url));
+      EXPECT_FALSE(cache.IsWriterPresent(cache_key));
+      EXPECT_EQ(kNumTransactions - i, cache.GetCountReaders(cache_key));
     }
 
     ReadAndVerifyTransaction(c->trans.get(), kSimpleGET_Transaction);
@@ -1958,7 +1981,7 @@ TEST_F(HttpCacheTest, RangeGET_ParallelValidationNoMatch) {
 
   // First entry created is doomed due to 2nd transaction's validation leading
   // to restarting of the queued transactions.
-  EXPECT_TRUE(cache.IsWriterPresent(kRangeGET_TransactionOK.url));
+  EXPECT_TRUE(cache.IsWriterPresent(request.CacheKey()));
 
   // TODO(shivanisha): The restarted transactions race for creating the entry
   // and thus instead of all 4 succeeding, 2 of them succeed. This is very
@@ -2030,19 +2053,18 @@ TEST_F(HttpCacheTest, RangeGET_ParallelValidationNoMatchDoomEntry) {
     // 3rd transaction will doom the entry.
     base::RunLoop().RunUntilIdle();
 
+    std::string cache_key = request.CacheKey();
     // Check status of the first and second entries after every transaction.
     switch (i) {
       case 0:
-        first_entry =
-            cache.disk_cache()->GetDiskEntryRef(kRangeGET_TransactionOK.url);
+        first_entry = cache.disk_cache()->GetDiskEntryRef(cache_key);
         break;
       case 1:
         EXPECT_FALSE(first_entry->is_doomed());
         break;
       case 2:
         EXPECT_TRUE(first_entry->is_doomed());
-        second_entry =
-            cache.disk_cache()->GetDiskEntryRef(kRangeGET_TransactionOK.url);
+        second_entry = cache.disk_cache()->GetDiskEntryRef(cache_key);
         EXPECT_FALSE(second_entry->is_doomed());
         break;
     }
@@ -2122,8 +2144,7 @@ TEST_F(HttpCacheTest, RangeGET_ParallelValidationNoMatchDoomEntry1) {
     // Check status of the entry after every transaction.
     switch (i) {
       case 0:
-        first_entry =
-            cache.disk_cache()->GetDiskEntryRef(kRangeGET_TransactionOK.url);
+        first_entry = cache.disk_cache()->GetDiskEntryRef(request.CacheKey());
         break;
       case 1:
         EXPECT_FALSE(first_entry->is_doomed());
@@ -2224,8 +2245,9 @@ TEST_F(HttpCacheTest, RangeGET_ParallelValidationDifferentRanges) {
     EXPECT_EQ(LOAD_STATE_IDLE, c->trans->GetLoadState());
   }
 
-  EXPECT_TRUE(cache.IsWriterPresent(kRangeGET_TransactionOK.url));
-  EXPECT_EQ(1, cache.GetCountDoneHeadersQueue(kRangeGET_TransactionOK.url));
+  std::string cache_key = request2.CacheKey();
+  EXPECT_TRUE(cache.IsWriterPresent(cache_key));
+  EXPECT_EQ(1, cache.GetCountDoneHeadersQueue(cache_key));
 
   EXPECT_EQ(2, cache.network_layer()->transaction_count());
   EXPECT_EQ(0, cache.disk_cache()->open_count());
@@ -2294,7 +2316,8 @@ TEST_F(HttpCacheTest, RangeGET_DoNotCreateWritersWhenReaderExists) {
   context.result = context.trans->Start(&request, context.callback.callback(),
                                         NetLogWithSource());
   base::RunLoop().RunUntilIdle();
-  EXPECT_EQ(1, cache.GetCountReaders(transaction.url));
+  std::string cache_key = request.CacheKey();
+  EXPECT_EQ(1, cache.GetCountReaders(cache_key));
   RemoveMockTransaction(&transaction);
 
   // A range request should now "not" create Writers while readers is still
@@ -2310,9 +2333,9 @@ TEST_F(HttpCacheTest, RangeGET_DoNotCreateWritersWhenReaderExists) {
       &range_request, range_context.callback.callback(), NetLogWithSource());
   base::RunLoop().RunUntilIdle();
 
-  EXPECT_EQ(1, cache.GetCountReaders(transaction.url));
-  EXPECT_FALSE(cache.IsWriterPresent(transaction.url));
-  EXPECT_EQ(1, cache.GetCountDoneHeadersQueue(transaction.url));
+  EXPECT_EQ(1, cache.GetCountReaders(cache_key));
+  EXPECT_FALSE(cache.IsWriterPresent(cache_key));
+  EXPECT_EQ(1, cache.GetCountDoneHeadersQueue(cache_key));
 
   RemoveMockTransaction(&range_transaction);
 }
@@ -2379,7 +2402,7 @@ TEST_F(HttpCacheTest, RangeGET_ParallelValidationCacheLockTimeout) {
     EXPECT_EQ(LOAD_STATE_IDLE, c->trans->GetLoadState());
   }
 
-  EXPECT_EQ(0, cache.GetCountDoneHeadersQueue(kRangeGET_TransactionOK.url));
+  EXPECT_EQ(0, cache.GetCountDoneHeadersQueue(request1.CacheKey()));
 
   EXPECT_EQ(3, cache.network_layer()->transaction_count());
   EXPECT_EQ(0, cache.disk_cache()->open_count());
@@ -2634,8 +2657,9 @@ TEST_F(HttpCacheTest, RangeGET_ParallelValidationOverlappingRanges) {
     EXPECT_EQ(LOAD_STATE_IDLE, c->trans->GetLoadState());
   }
 
-  EXPECT_TRUE(cache.IsWriterPresent(kRangeGET_TransactionOK.url));
-  EXPECT_EQ(1, cache.GetCountDoneHeadersQueue(kRangeGET_TransactionOK.url));
+  std::string cache_key = request1.CacheKey();
+  EXPECT_TRUE(cache.IsWriterPresent(cache_key));
+  EXPECT_EQ(1, cache.GetCountDoneHeadersQueue(cache_key));
 
   // Should have created another transaction for the uncached range.
   EXPECT_EQ(2, cache.network_layer()->transaction_count());
@@ -2736,8 +2760,9 @@ TEST_F(HttpCacheTest, RangeGET_ParallelValidationRestartDoneHeaders) {
     EXPECT_EQ(LOAD_STATE_IDLE, c->trans->GetLoadState());
   }
 
-  EXPECT_TRUE(cache.IsWriterPresent(kRangeGET_TransactionOK.url));
-  EXPECT_EQ(1, cache.GetCountDoneHeadersQueue(kRangeGET_TransactionOK.url));
+  std::string cache_key = request1.CacheKey();
+  EXPECT_TRUE(cache.IsWriterPresent(cache_key));
+  EXPECT_EQ(1, cache.GetCountDoneHeadersQueue(cache_key));
 
   EXPECT_EQ(2, cache.network_layer()->transaction_count());
   EXPECT_EQ(0, cache.disk_cache()->open_count());
@@ -2774,6 +2799,104 @@ TEST_F(HttpCacheTest, RangeGET_ParallelValidationRestartDoneHeaders) {
   EXPECT_EQ(1, cache.disk_cache()->create_count());
 }
 
+// A test of doing a range request to a cached 301 response
+TEST_F(HttpCacheTest, RangeGET_CachedRedirect) {
+  RangeTransactionServer handler;
+  handler.set_redirect(true);
+
+  MockHttpCache cache;
+  ScopedMockTransaction transaction(kRangeGET_TransactionOK);
+  transaction.request_headers = "Range: bytes = 0-\r\n" EXTRA_HEADER;
+  transaction.status = "HTTP/1.1 301 Moved Permanently";
+  transaction.response_headers = "Location: /elsewhere\nContent-Length:5";
+  transaction.data = "12345";
+  MockHttpRequest request(transaction);
+
+  TestCompletionCallback callback;
+
+  // Write to the cache.
+  {
+    std::unique_ptr<HttpTransaction> trans;
+    ASSERT_THAT(cache.CreateTransaction(&trans), IsOk());
+
+    int rv = trans->Start(&request, callback.callback(), NetLogWithSource());
+    if (rv == ERR_IO_PENDING)
+      rv = callback.WaitForResult();
+    ASSERT_THAT(rv, IsOk());
+
+    const HttpResponseInfo* info = trans->GetResponseInfo();
+    ASSERT_TRUE(info);
+
+    EXPECT_EQ(info->headers->response_code(), 301);
+
+    std::string location;
+    info->headers->EnumerateHeader(nullptr, "Location", &location);
+    EXPECT_EQ(location, "/elsewhere");
+
+    ReadAndVerifyTransaction(trans.get(), transaction);
+  }
+  EXPECT_EQ(1, cache.network_layer()->transaction_count());
+  EXPECT_EQ(0, cache.disk_cache()->open_count());
+  EXPECT_EQ(1, cache.disk_cache()->create_count());
+
+  // Active entries in the cache are not retired synchronously. Make
+  // sure the next run hits the MockHttpCache and open_count is
+  // correct.
+  base::RunLoop().RunUntilIdle();
+
+  // Read from the cache.
+  {
+    std::unique_ptr<HttpTransaction> trans;
+    ASSERT_THAT(cache.CreateTransaction(&trans), IsOk());
+
+    int rv = trans->Start(&request, callback.callback(), NetLogWithSource());
+    if (rv == ERR_IO_PENDING)
+      rv = callback.WaitForResult();
+    ASSERT_THAT(rv, IsOk());
+
+    const HttpResponseInfo* info = trans->GetResponseInfo();
+    ASSERT_TRUE(info);
+
+    EXPECT_EQ(info->headers->response_code(), 301);
+
+    std::string location;
+    info->headers->EnumerateHeader(nullptr, "Location", &location);
+    EXPECT_EQ(location, "/elsewhere");
+
+    trans->DoneReading();
+  }
+  EXPECT_EQ(1, cache.network_layer()->transaction_count());
+  EXPECT_EQ(1, cache.disk_cache()->open_count());
+  EXPECT_EQ(1, cache.disk_cache()->create_count());
+
+  // Now read the full body. This normally would not be done for a 301 by
+  // higher layers, but e.g. a 500 could hit a further bug here.
+  {
+    std::unique_ptr<HttpTransaction> trans;
+    ASSERT_THAT(cache.CreateTransaction(&trans), IsOk());
+
+    int rv = trans->Start(&request, callback.callback(), NetLogWithSource());
+    if (rv == ERR_IO_PENDING)
+      rv = callback.WaitForResult();
+    ASSERT_THAT(rv, IsOk());
+
+    const HttpResponseInfo* info = trans->GetResponseInfo();
+    ASSERT_TRUE(info);
+
+    EXPECT_EQ(info->headers->response_code(), 301);
+
+    std::string location;
+    info->headers->EnumerateHeader(nullptr, "Location", &location);
+    EXPECT_EQ(location, "/elsewhere");
+
+    ReadAndVerifyTransaction(trans.get(), transaction);
+  }
+  EXPECT_EQ(1, cache.network_layer()->transaction_count());
+  // No extra open since it picks up a previous ActiveEntry.
+  EXPECT_EQ(1, cache.disk_cache()->open_count());
+  EXPECT_EQ(1, cache.disk_cache()->create_count());
+}
+
 // A transaction that fails to validate an entry, while attempting to write
 // the response, should still get data to its consumer even if the attempt to
 // create a new entry fails.
@@ -2794,7 +2917,7 @@ TEST_F(HttpCacheTest, SimpleGET_ValidationFailureWithCreateFailure) {
   EXPECT_EQ(LOAD_STATE_WAITING_FOR_CACHE, c1->trans->GetLoadState());
   base::RunLoop().RunUntilIdle();
 
-  EXPECT_TRUE(cache.IsWriterPresent(kSimpleGET_Transaction.url));
+  EXPECT_TRUE(cache.IsWriterPresent(request.CacheKey()));
   EXPECT_EQ(1, cache.network_layer()->transaction_count());
   EXPECT_EQ(0, cache.disk_cache()->open_count());
   EXPECT_EQ(1, cache.disk_cache()->create_count());
@@ -2865,7 +2988,7 @@ TEST_F(HttpCacheTest, SimpleGET_ParallelValidationNoMatch) {
   // The first request should be a writer at this point, and the subsequent
   // requests should have passed the validation phase and created their own
   // entries since none of them matched the headers of the earlier one.
-  EXPECT_TRUE(cache.IsWriterPresent(kSimpleGET_Transaction.url));
+  EXPECT_TRUE(cache.IsWriterPresent(request.CacheKey()));
 
   EXPECT_EQ(5, cache.network_layer()->transaction_count());
   EXPECT_EQ(0, cache.disk_cache()->open_count());
@@ -2990,7 +3113,7 @@ TEST_F(HttpCacheTest, SimpleGET_ParallelValidationNoMatch1) {
   // The new entry will have all the transactions except the first one which
   // will continue in the doomed entry.
   EXPECT_EQ(kNumTransactions - 1,
-            cache.GetCountWriterTransactions(kSimpleGET_Transaction.url));
+            cache.GetCountWriterTransactions(validate_request.CacheKey()));
 
   EXPECT_EQ(1, cache.disk_cache()->doomed_count());
 
@@ -3056,8 +3179,7 @@ TEST_F(HttpCacheTest, SimpleGET_ParallelValidationDelete) {
   // The first request should be a writer at this point, and the subsequent
   // request should have passed the validation phase and doomed the existing
   // entry.
-  EXPECT_TRUE(
-      cache.disk_cache()->IsDiskEntryDoomed(kSimpleGET_Transaction.url));
+  EXPECT_TRUE(cache.disk_cache()->IsDiskEntryDoomed(request.CacheKey()));
 
   EXPECT_EQ(2, cache.network_layer()->transaction_count());
   EXPECT_EQ(0, cache.disk_cache()->open_count());
@@ -3114,12 +3236,13 @@ TEST_F(HttpCacheTest, SimpleGET_ParallelValidationCancelValidated) {
   EXPECT_EQ(0, cache.disk_cache()->open_count());
   EXPECT_EQ(1, cache.disk_cache()->create_count());
 
-  EXPECT_EQ(1, cache.GetCountWriterTransactions(kSimpleGET_Transaction.url));
-  EXPECT_EQ(1, cache.GetCountDoneHeadersQueue(kSimpleGET_Transaction.url));
+  std::string cache_key = request.CacheKey();
+  EXPECT_EQ(1, cache.GetCountWriterTransactions(cache_key));
+  EXPECT_EQ(1, cache.GetCountDoneHeadersQueue(cache_key));
 
   context_list[1].reset();
 
-  EXPECT_EQ(0, cache.GetCountDoneHeadersQueue(kSimpleGET_Transaction.url));
+  EXPECT_EQ(0, cache.GetCountDoneHeadersQueue(cache_key));
 
   // Complete the rest of the transactions.
   for (auto& context : context_list) {
@@ -3162,13 +3285,12 @@ TEST_F(HttpCacheTest, SimpleGET_ParallelWritingCancelIdleTransaction) {
   EXPECT_EQ(1, cache.disk_cache()->create_count());
 
   // Both transactions would be added to writers.
-  EXPECT_EQ(kNumTransactions,
-            cache.GetCountWriterTransactions(kSimpleGET_Transaction.url));
+  std::string cache_key = request.CacheKey();
+  EXPECT_EQ(kNumTransactions, cache.GetCountWriterTransactions(cache_key));
 
   context_list[1].reset();
 
-  EXPECT_EQ(kNumTransactions - 1,
-            cache.GetCountWriterTransactions(kSimpleGET_Transaction.url));
+  EXPECT_EQ(kNumTransactions - 1, cache.GetCountWriterTransactions(cache_key));
 
   // Complete the rest of the transactions.
   for (auto& context : context_list) {
@@ -3224,8 +3346,9 @@ TEST_F(HttpCacheTest, SimpleGET_ParallelValidationValidatedTimeout) {
   EXPECT_EQ(0, cache.disk_cache()->open_count());
   EXPECT_EQ(1, cache.disk_cache()->create_count());
 
-  EXPECT_TRUE(cache.IsWriterPresent(kSimpleGET_Transaction.url));
-  EXPECT_EQ(0, cache.GetCountDoneHeadersQueue(kSimpleGET_Transaction.url));
+  std::string cache_key = request.CacheKey();
+  EXPECT_TRUE(cache.IsWriterPresent(cache_key));
+  EXPECT_EQ(0, cache.GetCountDoneHeadersQueue(cache_key));
 
   base::RunLoop().RunUntilIdle();
 
@@ -3274,20 +3397,20 @@ TEST_F(HttpCacheTest, SimpleGET_ParallelValidationCancelReader) {
   EXPECT_EQ(0, cache.disk_cache()->open_count());
   EXPECT_EQ(1, cache.disk_cache()->create_count());
 
-  EXPECT_EQ(kNumTransactions - 1,
-            cache.GetCountWriterTransactions(kSimpleGET_Transaction.url));
-  EXPECT_TRUE(cache.IsHeadersTransactionPresent(kSimpleGET_Transaction.url));
+  std::string cache_key = request.CacheKey();
+
+  EXPECT_EQ(kNumTransactions - 1, cache.GetCountWriterTransactions(cache_key));
+  EXPECT_TRUE(cache.IsHeadersTransactionPresent(cache_key));
 
   // Complete the response body.
   auto& c = context_list[0];
   ReadAndVerifyTransaction(c->trans.get(), kSimpleGET_Transaction);
 
   // Rest of the transactions should move to readers.
-  EXPECT_FALSE(cache.IsWriterPresent(kSimpleGET_Transaction.url));
-  EXPECT_EQ(kNumTransactions - 2,
-            cache.GetCountReaders(kSimpleGET_Transaction.url));
-  EXPECT_EQ(0, cache.GetCountDoneHeadersQueue(kSimpleGET_Transaction.url));
-  EXPECT_TRUE(cache.IsHeadersTransactionPresent(kSimpleGET_Transaction.url));
+  EXPECT_FALSE(cache.IsWriterPresent(cache_key));
+  EXPECT_EQ(kNumTransactions - 2, cache.GetCountReaders(cache_key));
+  EXPECT_EQ(0, cache.GetCountDoneHeadersQueue(cache_key));
+  EXPECT_TRUE(cache.IsHeadersTransactionPresent(cache_key));
 
   // Add 2 new transactions.
   kNumTransactions = 6;
@@ -3303,15 +3426,15 @@ TEST_F(HttpCacheTest, SimpleGET_ParallelValidationCancelReader) {
         c->trans->Start(&request, c->callback.callback(), NetLogWithSource());
   }
 
-  EXPECT_EQ(2, cache.GetCountAddToEntryQueue(kSimpleGET_Transaction.url));
+  EXPECT_EQ(2, cache.GetCountAddToEntryQueue(cache_key));
 
   // Delete a reader.
   context_list[1].reset();
 
   // Deleting the reader did not impact any other transaction.
-  EXPECT_EQ(1, cache.GetCountReaders(kSimpleGET_Transaction.url));
-  EXPECT_EQ(2, cache.GetCountAddToEntryQueue(kSimpleGET_Transaction.url));
-  EXPECT_TRUE(cache.IsHeadersTransactionPresent(kSimpleGET_Transaction.url));
+  EXPECT_EQ(1, cache.GetCountReaders(cache_key));
+  EXPECT_EQ(2, cache.GetCountAddToEntryQueue(cache_key));
+  EXPECT_TRUE(cache.IsHeadersTransactionPresent(cache_key));
 
   // Resume network start for headers_transaction. It will doom the entry as it
   // will be a 200 and will go to network for the response body.
@@ -3321,7 +3444,7 @@ TEST_F(HttpCacheTest, SimpleGET_ParallelValidationCancelReader) {
   // The pending transactions will be added to a new entry as writers.
   base::RunLoop().RunUntilIdle();
 
-  EXPECT_EQ(3, cache.GetCountWriterTransactions(kSimpleGET_Transaction.url));
+  EXPECT_EQ(3, cache.GetCountWriterTransactions(cache_key));
 
   // Complete the rest of the transactions.
   for (int i = 2; i < kNumTransactions; ++i) {
@@ -3356,8 +3479,9 @@ TEST_F(HttpCacheTest, SimpleGET_HangingCacheWriteCleanup) {
   EXPECT_EQ(1, buffer_callback.GetResult(result));
 
   // Read the second byte, but leave the cache write hanging.
+  std::string cache_key = request.CacheKey();
   scoped_refptr<MockDiskEntry> entry =
-      mock_cache.disk_cache()->GetDiskEntryRef(kSimpleGET_Transaction.url);
+      mock_cache.disk_cache()->GetDiskEntryRef(cache_key);
   entry->SetDefer(MockDiskEntry::DEFER_WRITE);
 
   buffer = base::MakeRefCounted<IOBuffer>(1);
@@ -3365,13 +3489,13 @@ TEST_F(HttpCacheTest, SimpleGET_HangingCacheWriteCleanup) {
   result = transaction->Read(buffer.get(), 1, buffer_callback2.callback());
   EXPECT_EQ(ERR_IO_PENDING, result);
   base::RunLoop().RunUntilIdle();
-  EXPECT_TRUE(mock_cache.IsWriterPresent(kSimpleGET_Transaction.url));
+  EXPECT_TRUE(mock_cache.IsWriterPresent(cache_key));
 
   // At this point the next byte should have been read from the network but is
   // waiting to be written to the cache. Destroy the transaction and make sure
   // that everything has been cleaned up.
   transaction = nullptr;
-  EXPECT_FALSE(mock_cache.IsWriterPresent(kSimpleGET_Transaction.url));
+  EXPECT_FALSE(mock_cache.IsWriterPresent(cache_key));
   EXPECT_FALSE(mock_cache.network_layer()->last_transaction());
 }
 
@@ -3414,8 +3538,9 @@ TEST_F(HttpCacheTest, SimpleGET_ParallelWritingCancelWriter) {
   EXPECT_EQ(0, cache.disk_cache()->open_count());
   EXPECT_EQ(1, cache.disk_cache()->create_count());
 
-  EXPECT_TRUE(cache.IsHeadersTransactionPresent(kSimpleGET_Transaction.url));
-  EXPECT_EQ(2, cache.GetCountWriterTransactions(kSimpleGET_Transaction.url));
+  std::string cache_key = validate_request.CacheKey();
+  EXPECT_TRUE(cache.IsHeadersTransactionPresent(cache_key));
+  EXPECT_EQ(2, cache.GetCountWriterTransactions(cache_key));
 
   // Initiate Read from both writers and kill 1 of them mid-read.
   std::string first_read;
@@ -3445,7 +3570,7 @@ TEST_F(HttpCacheTest, SimpleGET_ParallelWritingCancelWriter) {
 
   base::RunLoop().RunUntilIdle();
 
-  EXPECT_EQ(1, cache.GetCountWriterTransactions(kSimpleGET_Transaction.url));
+  EXPECT_EQ(1, cache.GetCountWriterTransactions(cache_key));
 
   // Complete the rest of the transactions.
   for (int i = 0; i < kNumTransactions; i++) {
@@ -3506,8 +3631,9 @@ TEST_F(HttpCacheTest, SimpleGET_ParallelWritingNetworkReadFailed) {
   EXPECT_EQ(0, cache.disk_cache()->open_count());
   EXPECT_EQ(1, cache.disk_cache()->create_count());
 
-  EXPECT_EQ(3, cache.GetCountWriterTransactions(kSimpleGET_Transaction.url));
-  EXPECT_EQ(1, cache.GetCountDoneHeadersQueue(kSimpleGET_Transaction.url));
+  std::string cache_key = read_request.CacheKey();
+  EXPECT_EQ(3, cache.GetCountWriterTransactions(cache_key));
+  EXPECT_EQ(1, cache.GetCountDoneHeadersQueue(cache_key));
 
   // Initiate Read from two writers and let the first get a network failure.
   for (int i = 0; i < 2; i++) {
@@ -3533,7 +3659,7 @@ TEST_F(HttpCacheTest, SimpleGET_ParallelWritingNetworkReadFailed) {
   read_only->result = read_only->callback.WaitForResult();
   EXPECT_EQ(ERR_CACHE_MISS, read_only->result);
 
-  EXPECT_FALSE(cache.IsWriterPresent(kSimpleGET_Transaction.url));
+  EXPECT_FALSE(cache.IsWriterPresent(cache_key));
 
   // Invoke Read on the 3rd transaction and it should get the error code back.
   auto& c = context_list[2];
@@ -3579,14 +3705,15 @@ TEST_F(HttpCacheTest, SimpleGET_ParallelWritingCacheWriteFailed) {
   EXPECT_EQ(0, cache.disk_cache()->open_count());
   EXPECT_EQ(1, cache.disk_cache()->create_count());
 
-  EXPECT_EQ(3, cache.GetCountWriterTransactions(kSimpleGET_Transaction.url));
-  EXPECT_EQ(1, cache.GetCountDoneHeadersQueue(kSimpleGET_Transaction.url));
+  std::string cache_key = read_request.CacheKey();
+  EXPECT_EQ(3, cache.GetCountWriterTransactions(cache_key));
+  EXPECT_EQ(1, cache.GetCountDoneHeadersQueue(cache_key));
 
   // Initiate Read from two writers and let the first get a cache write failure.
   cache.disk_cache()->set_soft_failures_mask(MockDiskEntry::FAIL_ALL);
   // We have to open the entry again to propagate the failure flag.
   disk_cache::Entry* en;
-  cache.OpenBackendEntry(kSimpleGET_Transaction.url, &en);
+  cache.OpenBackendEntry(cache_key, &en);
   en->Close();
   const int kBufferSize = 5;
   std::vector<scoped_refptr<IOBuffer>> buffer(
@@ -3618,7 +3745,7 @@ TEST_F(HttpCacheTest, SimpleGET_ParallelWritingCacheWriteFailed) {
   read_only->result = read_only->callback.WaitForResult();
   EXPECT_EQ(ERR_CACHE_MISS, read_only->result);
 
-  EXPECT_FALSE(cache.IsWriterPresent(kSimpleGET_Transaction.url));
+  EXPECT_FALSE(cache.IsWriterPresent(cache_key));
 
   // Invoke Read on the 3rd transaction and it should get the error code back.
   auto& c = context_list[2];
@@ -3679,9 +3806,7 @@ TEST_F(HttpCacheTest, SimplePOST_ParallelWritingDisallowed) {
     base::RunLoop().RunUntilIdle();
   }
 
-  std::string cache_key =
-      base::StringPrintf("1/%s", kSimplePOST_Transaction.url);
-
+  std::string cache_key = request.CacheKey();
   // Only the 1st transaction gets added to writers.
   EXPECT_EQ(1, cache.GetCountDoneHeadersQueue(cache_key));
   EXPECT_EQ(1, cache.GetCountWriterTransactions(cache_key));
@@ -3747,8 +3872,9 @@ TEST_F(HttpCacheTest, SimpleGET_ParallelWritingSuccess) {
   EXPECT_EQ(0, cache.disk_cache()->open_count());
   EXPECT_EQ(1, cache.disk_cache()->create_count());
 
-  EXPECT_EQ(3, cache.GetCountWriterTransactions(kSimpleGET_Transaction.url));
-  EXPECT_EQ(1, cache.GetCountDoneHeadersQueue(kSimpleGET_Transaction.url));
+  std::string cache_key = request.CacheKey();
+  EXPECT_EQ(3, cache.GetCountWriterTransactions(cache_key));
+  EXPECT_EQ(1, cache.GetCountDoneHeadersQueue(cache_key));
 
   // Initiate Read from two writers.
   const int kBufferSize = 5;
@@ -3780,7 +3906,7 @@ TEST_F(HttpCacheTest, SimpleGET_ParallelWritingSuccess) {
                                       kSimpleGET_Transaction);
     if (i == 0) {
       // Remaining transactions should now be readers.
-      EXPECT_EQ(3, cache.GetCountReaders(kSimpleGET_Transaction.url));
+      EXPECT_EQ(3, cache.GetCountReaders(cache_key));
     }
   }
 
@@ -3839,9 +3965,9 @@ TEST_F(HttpCacheTest, SimpleGET_ParallelWritingHuge) {
   EXPECT_EQ(0, cache.disk_cache()->open_count());
   EXPECT_EQ(1, cache.disk_cache()->create_count());
 
-  EXPECT_EQ(1, cache.GetCountWriterTransactions(kSimpleGET_Transaction.url));
-  EXPECT_EQ(kNumTransactions - 1,
-            cache.GetCountDoneHeadersQueue(kSimpleGET_Transaction.url));
+  std::string cache_key = request.CacheKey();
+  EXPECT_EQ(1, cache.GetCountWriterTransactions(cache_key));
+  EXPECT_EQ(kNumTransactions - 1, cache.GetCountDoneHeadersQueue(cache_key));
 
   // Initiate Read from first transaction.
   const int kBufferSize = 5;
@@ -3913,8 +4039,9 @@ TEST_F(HttpCacheTest, SimpleGET_ParallelWritingVerifyNetworkBytes) {
   EXPECT_EQ(0, cache.disk_cache()->open_count());
   EXPECT_EQ(1, cache.disk_cache()->create_count());
 
-  EXPECT_EQ(2, cache.GetCountWriterTransactions(kSimpleGET_Transaction.url));
-  EXPECT_EQ(0, cache.GetCountDoneHeadersQueue(kSimpleGET_Transaction.url));
+  std::string cache_key = request.CacheKey();
+  EXPECT_EQ(2, cache.GetCountWriterTransactions(cache_key));
+  EXPECT_EQ(0, cache.GetCountDoneHeadersQueue(cache_key));
 
   // Get the network bytes read by the first transaction.
   int total_received_bytes = context_list[0]->trans->GetTotalReceivedBytes();
@@ -3925,7 +4052,7 @@ TEST_F(HttpCacheTest, SimpleGET_ParallelWritingVerifyNetworkBytes) {
   ReadAndVerifyTransaction(context_list[1]->trans.get(),
                            kSimpleGET_Transaction);
 
-  EXPECT_EQ(1, cache.GetCountReaders(kSimpleGET_Transaction.url));
+  EXPECT_EQ(1, cache.GetCountReaders(cache_key));
 
   // Verify that the network bytes read are not attributed to the 2nd
   // transaction but to the 1st.
@@ -3956,8 +4083,9 @@ TEST_F(HttpCacheTest, SimpleGET_ExtraRead) {
   EXPECT_EQ(0, cache.disk_cache()->open_count());
   EXPECT_EQ(1, cache.disk_cache()->create_count());
 
-  EXPECT_EQ(1, cache.GetCountWriterTransactions(kSimpleGET_Transaction.url));
-  EXPECT_EQ(0, cache.GetCountDoneHeadersQueue(kSimpleGET_Transaction.url));
+  std::string cache_key = request.CacheKey();
+  EXPECT_EQ(1, cache.GetCountWriterTransactions(cache_key));
+  EXPECT_EQ(0, cache.GetCountDoneHeadersQueue(cache_key));
 
   ReadAndVerifyTransaction(c.trans.get(), kSimpleGET_Transaction);
 
@@ -4001,8 +4129,8 @@ TEST_F(HttpCacheTest, SimpleGET_ParallelValidationCancelWriter) {
   EXPECT_EQ(0, cache.disk_cache()->open_count());
   EXPECT_EQ(1, cache.disk_cache()->create_count());
 
-  EXPECT_EQ(kNumTransactions,
-            cache.GetCountWriterTransactions(kSimpleGET_Transaction.url));
+  std::string cache_key = request.CacheKey();
+  EXPECT_EQ(kNumTransactions, cache.GetCountWriterTransactions(cache_key));
 
   // Let first transaction read some bytes.
   {
@@ -4070,9 +4198,9 @@ TEST_F(HttpCacheTest, SimpleGET_ParallelValidationStopCaching) {
   EXPECT_EQ(0, cache.disk_cache()->open_count());
   EXPECT_EQ(1, cache.disk_cache()->create_count());
 
-  EXPECT_EQ(kNumTransactions - 1,
-            cache.GetCountWriterTransactions(kSimpleGET_Transaction.url));
-  EXPECT_EQ(1, cache.GetCountDoneHeadersQueue(kSimpleGET_Transaction.url));
+  std::string cache_key = request.CacheKey();
+  EXPECT_EQ(kNumTransactions - 1, cache.GetCountWriterTransactions(cache_key));
+  EXPECT_EQ(1, cache.GetCountDoneHeadersQueue(cache_key));
 
   // Invoking StopCaching on the writer will lead to dooming the entry and
   // restarting the validated transactions. Since it is a read-only transaction
@@ -4126,9 +4254,9 @@ TEST_F(HttpCacheTest, SimpleGET_ParallelWritersStopCachingNoOp) {
   EXPECT_EQ(0, cache.disk_cache()->open_count());
   EXPECT_EQ(1, cache.disk_cache()->create_count());
 
-  EXPECT_TRUE(cache.IsHeadersTransactionPresent(kSimpleGET_Transaction.url));
-  EXPECT_EQ(kNumTransactions - 1,
-            cache.GetCountWriterTransactions(kSimpleGET_Transaction.url));
+  std::string cache_key = request.CacheKey();
+  EXPECT_TRUE(cache.IsHeadersTransactionPresent(cache_key));
+  EXPECT_EQ(kNumTransactions - 1, cache.GetCountWriterTransactions(cache_key));
 
   // Invoking StopCaching on the writer will be a no-op since there are multiple
   // transaction in writers.
@@ -4140,7 +4268,7 @@ TEST_F(HttpCacheTest, SimpleGET_ParallelWritersStopCachingNoOp) {
   base::RunLoop().RunUntilIdle();
   // After validation old entry will be doomed and headers_transaction will be
   // added to the new entry.
-  EXPECT_EQ(1, cache.GetCountWriterTransactions(kSimpleGET_Transaction.url));
+  EXPECT_EQ(1, cache.GetCountWriterTransactions(cache_key));
 
   // Complete the rest of the transactions.
   for (auto& context : context_list) {
@@ -4180,8 +4308,9 @@ TEST_F(HttpCacheTest, SimpleGET_ParallelValidationCancelHeaders) {
 
   base::RunLoop().RunUntilIdle();
 
-  EXPECT_TRUE(cache.IsHeadersTransactionPresent(kSimpleGET_Transaction.url));
-  EXPECT_EQ(1, cache.GetCountAddToEntryQueue(kSimpleGET_Transaction.url));
+  std::string cache_key = request.CacheKey();
+  EXPECT_TRUE(cache.IsHeadersTransactionPresent(cache_key));
+  EXPECT_EQ(1, cache.GetCountAddToEntryQueue(cache_key));
 
   EXPECT_EQ(1, cache.network_layer()->transaction_count());
   EXPECT_EQ(0, cache.disk_cache()->open_count());
@@ -4235,8 +4364,8 @@ TEST_F(HttpCacheTest, SimpleGET_ParallelWritersFailWrite) {
   base::RunLoop().RunUntilIdle();
 
   // All transactions become writers.
-  EXPECT_EQ(kNumTransactions,
-            cache.GetCountWriterTransactions(kSimpleGET_Transaction.url));
+  std::string cache_key = request.CacheKey();
+  EXPECT_EQ(kNumTransactions, cache.GetCountWriterTransactions(cache_key));
 
   // All requests depend on the writer, and the writer is between Start and
   // Read, i.e. idle.
@@ -4252,7 +4381,7 @@ TEST_F(HttpCacheTest, SimpleGET_ParallelWritersFailWrite) {
   cache.disk_cache()->set_soft_failures_mask(MockDiskEntry::FAIL_ALL);
   // We have to open the entry again to propagate the failure flag.
   disk_cache::Entry* en;
-  cache.OpenBackendEntry(kSimpleGET_Transaction.url, &en);
+  cache.OpenBackendEntry(cache_key, &en);
   en->Close();
 
   for (int i = 0; i < kNumTransactions; ++i) {
@@ -4261,8 +4390,7 @@ TEST_F(HttpCacheTest, SimpleGET_ParallelWritersFailWrite) {
       c->result = c->callback.WaitForResult();
     if (i == 1) {
       // The earlier entry must be destroyed and its disk entry doomed.
-      EXPECT_TRUE(
-          cache.disk_cache()->IsDiskEntryDoomed(kSimpleGET_Transaction.url));
+      EXPECT_TRUE(cache.disk_cache()->IsDiskEntryDoomed(cache_key));
     }
 
     if (i == 0) {
@@ -4558,8 +4686,8 @@ TEST_F(HttpCacheTest, SimpleGET_ManyWriters_CancelFirst) {
   // Allow all requests to move from the Create queue to the active entry.
   // All would have been added to writers.
   base::RunLoop().RunUntilIdle();
-  EXPECT_EQ(kNumTransactions,
-            cache.GetCountWriterTransactions(kSimpleGET_Transaction.url));
+  std::string cache_key = cache.http_cache()->GenerateCacheKeyForTest(&request);
+  EXPECT_EQ(kNumTransactions, cache.GetCountWriterTransactions(cache_key));
 
   // The second transaction skipped validation, thus only one network
   // transaction is created.
@@ -5005,7 +5133,7 @@ TEST_F(HttpCacheTest, TypicalGET_ConditionalRequest) {
 
   // Get the same URL again, but this time we expect it to result
   // in a conditional request.
-  BoundTestNetLog log;
+  RecordingBoundTestNetLog log;
   LoadTimingInfo load_timing_info;
   RunTransactionTestAndGetTiming(cache.http_cache(), kTypicalGET_Transaction,
                                  log.bound(), &load_timing_info);
@@ -5043,7 +5171,7 @@ TEST_F(HttpCacheTest, ETagGET_ConditionalRequest_304) {
   // in a conditional request.
   transaction.load_flags = LOAD_VALIDATE_CACHE;
   transaction.handler = ETagGet_ConditionalRequest_Handler;
-  BoundTestNetLog log;
+  RecordingBoundTestNetLog log;
   LoadTimingInfo load_timing_info;
   IPEndPoint remote_endpoint;
   RunTransactionTestAndGetTimingAndConnectedSocketAddress(
@@ -5121,7 +5249,7 @@ TEST_F(HttpCacheTest, GET_ValidateCache_VaryMatch) {
   // Read from the cache.
   RevalidationServer server;
   transaction.handler = server.Handler;
-  BoundTestNetLog log;
+  RecordingBoundTestNetLog log;
   LoadTimingInfo load_timing_info;
   RunTransactionTestAndGetTiming(cache.http_cache(), transaction, log.bound(),
                                  &load_timing_info);
@@ -5155,7 +5283,7 @@ TEST_F(HttpCacheTest, GET_ValidateCache_VaryMismatch) {
   RevalidationServer server;
   transaction.handler = server.Handler;
   transaction.request_headers = "Foo: none\r\n";
-  BoundTestNetLog log;
+  RecordingBoundTestNetLog log;
   LoadTimingInfo load_timing_info;
   RunTransactionTestAndGetTiming(cache.http_cache(), transaction, log.bound(),
                                  &load_timing_info);
@@ -5187,7 +5315,7 @@ TEST_F(HttpCacheTest, GET_ValidateCache_VaryMismatchStar) {
   // Read from the cache and revalidate the entry.
   RevalidationServer server;
   transaction.handler = server.Handler;
-  BoundTestNetLog log;
+  RecordingBoundTestNetLog log;
   LoadTimingInfo load_timing_info;
   RunTransactionTestAndGetTiming(cache.http_cache(), transaction, log.bound(),
                                  &load_timing_info);
@@ -5220,7 +5348,7 @@ TEST_F(HttpCacheTest, GET_DontValidateCache_VaryMismatch) {
   RevalidationServer server;
   transaction.handler = server.Handler;
   transaction.request_headers = "Foo: none\r\n";
-  BoundTestNetLog log;
+  RecordingBoundTestNetLog log;
   LoadTimingInfo load_timing_info;
   RunTransactionTestAndGetTiming(cache.http_cache(), transaction, log.bound(),
                                  &load_timing_info);
@@ -6926,7 +7054,7 @@ TEST_F(HttpCacheTest, RangeGET_SkipsCache2) {
 TEST_F(HttpCacheTest, SimpleGET_DoesntLogHeaders) {
   MockHttpCache cache;
 
-  BoundTestNetLog log;
+  RecordingBoundTestNetLog log;
   RunTransactionTestWithLog(cache.http_cache(), kSimpleGET_Transaction,
                             log.bound());
 
@@ -6937,7 +7065,7 @@ TEST_F(HttpCacheTest, SimpleGET_DoesntLogHeaders) {
 TEST_F(HttpCacheTest, RangeGET_LogsHeaders) {
   MockHttpCache cache;
 
-  BoundTestNetLog log;
+  RecordingBoundTestNetLog log;
   RunTransactionTestWithLog(cache.http_cache(), kRangeGET_Transaction,
                             log.bound());
 
@@ -6948,7 +7076,7 @@ TEST_F(HttpCacheTest, RangeGET_LogsHeaders) {
 TEST_F(HttpCacheTest, ExternalValidation_LogsHeaders) {
   MockHttpCache cache;
 
-  BoundTestNetLog log;
+  RecordingBoundTestNetLog log;
   MockTransaction transaction(kSimpleGET_Transaction);
   transaction.request_headers = "If-None-Match: foo\r\n" EXTRA_HEADER;
   RunTransactionTestWithLog(cache.http_cache(), transaction, log.bound());
@@ -6960,7 +7088,7 @@ TEST_F(HttpCacheTest, ExternalValidation_LogsHeaders) {
 TEST_F(HttpCacheTest, SpecialHeaders_LogsHeaders) {
   MockHttpCache cache;
 
-  BoundTestNetLog log;
+  RecordingBoundTestNetLog log;
   MockTransaction transaction(kSimpleGET_Transaction);
   transaction.request_headers = "cache-control: no-cache\r\n" EXTRA_HEADER;
   RunTransactionTestWithLog(cache.http_cache(), transaction, log.bound());
@@ -7077,7 +7205,7 @@ TEST_F(HttpCacheTest, RangeGET_NoValidation_LogsRestart) {
   RunTransactionTest(cache.http_cache(), transaction);
 
   // Now verify that the cached data is not used.
-  BoundTestNetLog log;
+  RecordingBoundTestNetLog log;
   RunTransactionTestWithLog(cache.http_cache(), kRangeGET_TransactionOK,
                             log.bound());
 
@@ -7254,7 +7382,7 @@ TEST_F(HttpCacheTest, RangeGET_OK) {
   // Write and read from the cache (20-59).
   transaction.request_headers = "Range: bytes = 20-59\r\n" EXTRA_HEADER;
   transaction.data = "rg: 20-29 rg: 30-39 rg: 40-49 rg: 50-59 ";
-  BoundTestNetLog log;
+  RecordingBoundTestNetLog log;
   LoadTimingInfo load_timing_info;
   RunTransactionTestWithResponseAndGetTiming(
       cache.http_cache(), transaction, &headers, log.bound(),
@@ -7345,7 +7473,7 @@ TEST_F(HttpCacheTest, RangeGET_SyncOK) {
   // Write and read from the cache (20-59).
   transaction.request_headers = "Range: bytes = 20-59\r\n" EXTRA_HEADER;
   transaction.data = "rg: 20-29 rg: 30-39 rg: 40-49 rg: 50-59 ";
-  BoundTestNetLog log;
+  RecordingBoundTestNetLog log;
   LoadTimingInfo load_timing_info;
   RunTransactionTestWithResponseAndGetTiming(
       cache.http_cache(), transaction, &headers, log.bound(),
@@ -7373,7 +7501,9 @@ TEST_F(HttpCacheTest, Sparse_WaitForEntry) {
 
   // Simulate a previous transaction being cancelled.
   disk_cache::Entry* entry;
-  ASSERT_TRUE(cache.OpenBackendEntry(kRangeGET_TransactionOK.url, &entry));
+  MockHttpRequest request(transaction);
+  std::string cache_key = cache.http_cache()->GenerateCacheKeyForTest(&request);
+  ASSERT_TRUE(cache.OpenBackendEntry(cache_key, &entry));
   entry->CancelSparseIO();
 
   // Test with a range request.
@@ -7410,7 +7540,7 @@ TEST_F(HttpCacheTest, RangeGET_Revalidate1) {
   EXPECT_EQ(1, cache.disk_cache()->create_count());
 
   // Read from the cache (40-49).
-  BoundTestNetLog log;
+  RecordingBoundTestNetLog log;
   LoadTimingInfo load_timing_info;
   RunTransactionTestWithResponseAndGetTiming(
       cache.http_cache(), transaction, &headers, log.bound(),
@@ -7909,7 +8039,7 @@ TEST_F(HttpCacheTest, GET_Previous206) {
   MockHttpCache cache;
   AddMockTransaction(&kRangeGET_TransactionOK);
   std::string headers;
-  BoundTestNetLog log;
+  RecordingBoundTestNetLog log;
   LoadTimingInfo load_timing_info;
 
   // Write to the cache (40-49).
@@ -7948,7 +8078,7 @@ TEST_F(HttpCacheTest, GET_Previous206_NotModified) {
   MockTransaction transaction(kRangeGET_TransactionOK);
   AddMockTransaction(&transaction);
   std::string headers;
-  BoundTestNetLog log;
+  RecordingBoundTestNetLog log;
   LoadTimingInfo load_timing_info;
 
   // Write to the cache (0-9).
@@ -8018,7 +8148,7 @@ TEST_F(HttpCacheTest, GET_Previous206_NewContent) {
   transaction2.data = "Not a range";
   RangeTransactionServer handler;
   handler.set_modified(true);
-  BoundTestNetLog log;
+  RecordingBoundTestNetLog log;
   LoadTimingInfo load_timing_info;
   RunTransactionTestWithResponseAndGetTiming(
       cache.http_cache(), transaction2, &headers, log.bound(),
@@ -8041,10 +8171,10 @@ TEST_F(HttpCacheTest, GET_Previous206_NewContent) {
 TEST_F(HttpCacheTest, GET_Previous206_NotSparse) {
   MockHttpCache cache;
 
+  MockHttpRequest request(kSimpleGET_Transaction);
   // Create a disk cache entry that stores 206 headers while not being sparse.
   disk_cache::Entry* entry;
-  ASSERT_TRUE(
-      cache.CreateBackendEntry(kSimpleGET_Transaction.url, &entry, nullptr));
+  ASSERT_TRUE(cache.CreateBackendEntry(request.CacheKey(), &entry, nullptr));
 
   std::string raw_headers(kRangeGET_TransactionOK.status);
   raw_headers.append("\n");
@@ -8065,7 +8195,7 @@ TEST_F(HttpCacheTest, GET_Previous206_NotSparse) {
 
   // Now see that we don't use the stored entry.
   std::string headers;
-  BoundTestNetLog log;
+  RecordingBoundTestNetLog log;
   LoadTimingInfo load_timing_info;
   RunTransactionTestWithResponseAndGetTiming(
       cache.http_cache(), kSimpleGET_Transaction, &headers, log.bound(),
@@ -8089,9 +8219,9 @@ TEST_F(HttpCacheTest, RangeGET_Previous206_NotSparse_2) {
   AddMockTransaction(&kRangeGET_TransactionOK);
 
   // Create a disk cache entry that stores 206 headers while not being sparse.
+  MockHttpRequest request(kRangeGET_TransactionOK);
   disk_cache::Entry* entry;
-  ASSERT_TRUE(
-      cache.CreateBackendEntry(kRangeGET_TransactionOK.url, &entry, nullptr));
+  ASSERT_TRUE(cache.CreateBackendEntry(request.CacheKey(), &entry, nullptr));
 
   std::string raw_headers(kRangeGET_TransactionOK.status);
   raw_headers.append("\n");
@@ -8128,10 +8258,10 @@ TEST_F(HttpCacheTest, RangeGET_Previous206_NotSparse_2) {
 TEST_F(HttpCacheTest, GET_Previous206_NotValidation) {
   MockHttpCache cache;
 
+  MockHttpRequest request(kSimpleGET_Transaction);
   // Create a disk cache entry that stores 206 headers.
   disk_cache::Entry* entry;
-  ASSERT_TRUE(
-      cache.CreateBackendEntry(kSimpleGET_Transaction.url, &entry, nullptr));
+  ASSERT_TRUE(cache.CreateBackendEntry(request.CacheKey(), &entry, nullptr));
 
   // Make sure that the headers cannot be validated with the server.
   std::string raw_headers(kRangeGET_TransactionOK.status);
@@ -8340,7 +8470,7 @@ TEST_F(HttpCacheTest, RangeGET_Cancel) {
 
   // Verify that the entry has not been deleted.
   disk_cache::Entry* entry;
-  ASSERT_TRUE(cache.OpenBackendEntry(kRangeGET_TransactionOK.url, &entry));
+  ASSERT_TRUE(cache.OpenBackendEntry(request.CacheKey(), &entry));
   entry->Close();
   RemoveMockTransaction(&kRangeGET_TransactionOK);
 }
@@ -8380,7 +8510,7 @@ TEST_F(HttpCacheTest, RangeGET_CancelWhileReading) {
   base::RunLoop().RunUntilIdle();
 
   // Verify that the entry has not been marked as truncated.
-  VerifyTruncatedFlag(&cache, kRangeGET_TransactionOK.url, false, 0);
+  VerifyTruncatedFlag(&cache, request.CacheKey(), false, 0);
   RemoveMockTransaction(&kRangeGET_TransactionOK);
 }
 
@@ -8514,7 +8644,8 @@ TEST_F(HttpCacheTest, RangeGET_InvalidResponse1) {
 
   // Verify that we don't have a cached entry.
   disk_cache::Entry* entry;
-  EXPECT_FALSE(cache.OpenBackendEntry(kRangeGET_TransactionOK.url, &entry));
+  MockHttpRequest request(transaction);
+  EXPECT_FALSE(cache.OpenBackendEntry(request.CacheKey(), &entry));
 
   RemoveMockTransaction(&kRangeGET_TransactionOK);
 }
@@ -8542,7 +8673,8 @@ TEST_F(HttpCacheTest, RangeGET_InvalidResponse2) {
 
   // Verify that we don't have a cached entry.
   disk_cache::Entry* entry;
-  EXPECT_FALSE(cache.OpenBackendEntry(kRangeGET_TransactionOK.url, &entry));
+  MockHttpRequest request(transaction);
+  EXPECT_FALSE(cache.OpenBackendEntry(request.CacheKey(), &entry));
 
   RemoveMockTransaction(&kRangeGET_TransactionOK);
 }
@@ -8613,7 +8745,8 @@ TEST_F(HttpCacheTest, RangeGET_LargeValues) {
 
   // Verify that we have a cached entry.
   disk_cache::Entry* en;
-  ASSERT_TRUE(cache.OpenBackendEntry(kRangeGET_TransactionOK.url, &en));
+  MockHttpRequest request(transaction);
+  ASSERT_TRUE(cache.OpenBackendEntry(request.CacheKey(), &en));
   en->Close();
 
   RemoveMockTransaction(&kRangeGET_TransactionOK);
@@ -8673,7 +8806,7 @@ TEST_F(HttpCacheTest, RangeGET_FastFlakyServer) {
   RangeTransactionServer handler;
   handler.set_bad_200(true);
   transaction.data = "Not a range";
-  BoundTestNetLog log;
+  RecordingBoundTestNetLog log;
   RunTransactionTestWithLog(cache.http_cache(), transaction, log.bound());
 
   EXPECT_EQ(3, cache.network_layer()->transaction_count());
@@ -8973,7 +9106,7 @@ TEST_F(HttpCacheTest, SetTruncatedFlag) {
   EXPECT_FALSE(c->callback.have_result());
 
   base::RunLoop().RunUntilIdle();
-  VerifyTruncatedFlag(&cache, kSimpleGET_Transaction.url, true, 0);
+  VerifyTruncatedFlag(&cache, request.CacheKey(), true, 0);
 }
 
 // Tests that we do not mark an entry as truncated when the request is
@@ -9032,7 +9165,7 @@ TEST_F(HttpCacheTest, DontSetTruncatedFlagForGarbledResponseCode) {
   // complete.
   base::RunLoop().RunUntilIdle();
   disk_cache::Entry* entry;
-  ASSERT_FALSE(cache.OpenBackendEntry(kSimpleGET_Transaction.url, &entry));
+  ASSERT_FALSE(cache.OpenBackendEntry(request.CacheKey(), &entry));
 }
 
 // Tests that we don't mark an entry as truncated when we read everything.
@@ -9063,7 +9196,7 @@ TEST_F(HttpCacheTest, DontSetTruncatedFlag) {
   c->trans.reset();
 
   // Verify that the entry is not marked as truncated.
-  VerifyTruncatedFlag(&cache, kSimpleGET_Transaction.url, false, 0);
+  VerifyTruncatedFlag(&cache, request.CacheKey(), false, 0);
 }
 
 // Tests that sparse entries don't set the truncate flag.
@@ -9089,7 +9222,7 @@ TEST_F(HttpCacheTest, RangeGET_DontTruncate) {
 
   // Should not trigger any DCHECK.
   trans.reset();
-  VerifyTruncatedFlag(&cache, kRangeGET_TransactionOK.url, false, 0);
+  VerifyTruncatedFlag(&cache, request->CacheKey(), false, 0);
 }
 
 // Tests that sparse entries don't set the truncate flag (when the byte range
@@ -9116,7 +9249,7 @@ TEST_F(HttpCacheTest, RangeGET_DontTruncate2) {
 
   // Should not trigger any DCHECK.
   trans.reset();
-  VerifyTruncatedFlag(&cache, kRangeGET_TransactionOK.url, false, 0);
+  VerifyTruncatedFlag(&cache, request->CacheKey(), false, 0);
 }
 
 // Tests that we can continue with a request that was interrupted.
@@ -9151,7 +9284,8 @@ TEST_F(HttpCacheTest, GET_IncompleteResource) {
   EXPECT_EQ(1, cache.disk_cache()->create_count());
 
   // Verify that the disk entry was updated.
-  VerifyTruncatedFlag(&cache, kRangeGET_TransactionOK.url, false, 80);
+  MockHttpRequest request(transaction);
+  VerifyTruncatedFlag(&cache, request.CacheKey(), false, 80);
 }
 
 // Tests the handling of no-store when revalidating a truncated entry.
@@ -9195,7 +9329,8 @@ TEST_F(HttpCacheTest, GET_IncompleteResource_NoStore) {
 
   // Verify that the disk entry was deleted.
   disk_cache::Entry* entry;
-  EXPECT_FALSE(cache.OpenBackendEntry(kRangeGET_TransactionOK.url, &entry));
+  MockHttpRequest request(transaction);
+  EXPECT_FALSE(cache.OpenBackendEntry(request.CacheKey(), &entry));
   RemoveMockTransaction(&transaction);
 }
 
@@ -9292,7 +9427,8 @@ TEST_F(HttpCacheTest, GET_IncompleteResource2) {
 
   // Verify that the disk entry was deleted.
   disk_cache::Entry* entry;
-  ASSERT_FALSE(cache.OpenBackendEntry(kRangeGET_TransactionOK.url, &entry));
+  MockHttpRequest request(transaction);
+  ASSERT_FALSE(cache.OpenBackendEntry(request.CacheKey(), &entry));
   RemoveMockTransaction(&kRangeGET_TransactionOK);
 }
 
@@ -9374,7 +9510,7 @@ TEST_F(HttpCacheTest, GET_IncompleteResourceWithAuth) {
 
   // Verify that the entry was deleted.
   disk_cache::Entry* entry;
-  ASSERT_TRUE(cache.OpenBackendEntry(kRangeGET_TransactionOK.url, &entry));
+  ASSERT_TRUE(cache.OpenBackendEntry(request.CacheKey(), &entry));
   entry->Close();
 
   RemoveMockTransaction(&kRangeGET_TransactionOK);
@@ -9441,7 +9577,8 @@ TEST_F(HttpCacheTest, GET_IncompleteResource4) {
   EXPECT_EQ(1, cache.disk_cache()->create_count());
 
   // Verify that the disk entry was updated.
-  VerifyTruncatedFlag(&cache, kRangeGET_TransactionOK.url, false, 11);
+  MockHttpRequest request(transaction);
+  VerifyTruncatedFlag(&cache, request.CacheKey(), false, 11);
 }
 
 // Tests that when we cancel a request that was interrupted, we mark it again
@@ -9484,7 +9621,7 @@ TEST_F(HttpCacheTest, GET_CancelIncompleteResource) {
   EXPECT_EQ(1, cache.disk_cache()->create_count());
 
   // Verify that the disk entry was updated: now we have 30 bytes.
-  VerifyTruncatedFlag(&cache, kRangeGET_TransactionOK.url, true, 30);
+  VerifyTruncatedFlag(&cache, request.CacheKey(), true, 30);
 }
 
 // Tests that we can handle range requests when we have a truncated entry.
@@ -9673,7 +9810,8 @@ TEST_F(HttpCacheTest, CacheControlNoCacheNormalLoad) {
     }
 
     disk_cache::Entry* entry;
-    EXPECT_TRUE(cache.OpenBackendEntry(transaction.url, &entry));
+    MockHttpRequest request(transaction);
+    EXPECT_TRUE(cache.OpenBackendEntry(request.CacheKey(), &entry));
     entry->Close();
   }
 }
@@ -9702,7 +9840,8 @@ TEST_F(HttpCacheTest, CacheControlNoCacheHistoryLoad) {
   EXPECT_EQ(1, cache.disk_cache()->create_count());
 
   disk_cache::Entry* entry;
-  EXPECT_TRUE(cache.OpenBackendEntry(transaction.url, &entry));
+  MockHttpRequest request(transaction);
+  EXPECT_TRUE(cache.OpenBackendEntry(request.CacheKey(), &entry));
   entry->Close();
 }
 
@@ -9727,7 +9866,8 @@ TEST_F(HttpCacheTest, CacheControlNoStore) {
   EXPECT_EQ(2, cache.disk_cache()->create_count());
 
   disk_cache::Entry* entry;
-  EXPECT_FALSE(cache.OpenBackendEntry(transaction.url, &entry));
+  MockHttpRequest request(transaction);
+  EXPECT_FALSE(cache.OpenBackendEntry(request.CacheKey(), &entry));
 }
 
 TEST_F(HttpCacheTest, CacheControlNoStore2) {
@@ -9755,7 +9895,8 @@ TEST_F(HttpCacheTest, CacheControlNoStore2) {
   EXPECT_EQ(1, cache.disk_cache()->create_count());
 
   disk_cache::Entry* entry;
-  EXPECT_FALSE(cache.OpenBackendEntry(transaction.url, &entry));
+  MockHttpRequest request(transaction);
+  EXPECT_FALSE(cache.OpenBackendEntry(request.CacheKey(), &entry));
 }
 
 TEST_F(HttpCacheTest, CacheControlNoStore3) {
@@ -9784,7 +9925,8 @@ TEST_F(HttpCacheTest, CacheControlNoStore3) {
   EXPECT_EQ(1, cache.disk_cache()->create_count());
 
   disk_cache::Entry* entry;
-  EXPECT_FALSE(cache.OpenBackendEntry(transaction.url, &entry));
+  MockHttpRequest request(transaction);
+  EXPECT_FALSE(cache.OpenBackendEntry(request.CacheKey(), &entry));
 }
 
 // Ensure that we don't cache requests served over bad HTTPS.
@@ -9914,6 +10056,7 @@ TEST_F(HttpCacheTest, UpdatesRequestResponseTimeOn304) {
 
   RemoveMockTransaction(&mock_network_response);
 }
+
 TEST_F(HttpCacheTest, SplitCacheWithFrameOrigin) {
   base::test::ScopedFeatureList feature_list;
   feature_list.InitWithFeatures(
@@ -10116,6 +10259,7 @@ TEST_F(HttpCacheTest, SplitCache) {
 
   // A request without a top frame origin is not cached at all.
   MockHttpRequest trans_info = MockHttpRequest(kSimpleGET_Transaction);
+  trans_info.network_isolation_key = net::NetworkIsolationKey();
   RunTransactionTestWithRequest(cache.http_cache(), kSimpleGET_Transaction,
                                 trans_info, &response);
   EXPECT_FALSE(response.was_cached);
@@ -10131,7 +10275,8 @@ TEST_F(HttpCacheTest, SplitCache) {
 
   // Now request with a.com as the top frame origin. It shouldn't be cached
   // since the cached resource has a different top frame origin.
-  trans_info.network_isolation_key = NetworkIsolationKey(origin_a, origin_a);
+  net::NetworkIsolationKey key_a(origin_a, origin_a);
+  trans_info.network_isolation_key = key_a;
   RunTransactionTestWithRequest(cache.http_cache(), kSimpleGET_Transaction,
                                 trans_info, &response);
   EXPECT_FALSE(response.was_cached);
@@ -10157,7 +10302,7 @@ TEST_F(HttpCacheTest, SplitCache) {
   EXPECT_TRUE(response.was_cached);
 
   // a.com should still be cached.
-  trans_info.network_isolation_key = NetworkIsolationKey(origin_a, origin_b);
+  trans_info.network_isolation_key = key_a;
   RunTransactionTestWithRequest(cache.http_cache(), kSimpleGET_Transaction,
                                 trans_info, &response);
   EXPECT_TRUE(response.was_cached);
@@ -10194,6 +10339,47 @@ TEST_F(HttpCacheTest, SplitCache) {
   EXPECT_FALSE(response.was_cached);
 }
 
+TEST_F(HttpCacheTest, SplitCacheWithRegistrableDomain) {
+  base::test::ScopedFeatureList feature_list;
+  feature_list.InitWithFeatures(
+      {net::features::kSplitCacheByNetworkIsolationKey,
+       net::features::kUseRegistrableDomainInNetworkIsolationKey},
+      {});
+
+  base::HistogramTester histograms;
+  MockHttpCache cache;
+  HttpResponseInfo response;
+  MockHttpRequest trans_info = MockHttpRequest(kSimpleGET_Transaction);
+
+  url::Origin origin_a = url::Origin::Create(GURL("http://a.foo.com"));
+  url::Origin origin_b = url::Origin::Create(GURL("http://b.foo.com"));
+
+  net::NetworkIsolationKey key_a(origin_a, origin_a);
+  trans_info.network_isolation_key = key_a;
+  RunTransactionTestWithRequest(cache.http_cache(), kSimpleGET_Transaction,
+                                trans_info, &response);
+  EXPECT_FALSE(response.was_cached);
+  histograms.ExpectBucketCount(
+      "HttpCache.NetworkIsolationKeyPresent2",
+      HttpCache::Transaction::NetworkIsolationKeyPresent::kPresent, 1);
+
+  // The second request with a different origin but the same registrable domain
+  // should be a cache hit.
+  net::NetworkIsolationKey key_b(origin_b, origin_b);
+  trans_info.network_isolation_key = key_b;
+  RunTransactionTestWithRequest(cache.http_cache(), kSimpleGET_Transaction,
+                                trans_info, &response);
+  EXPECT_TRUE(response.was_cached);
+
+  // Request with a different registrable domain. It should be a cache miss.
+  url::Origin new_origin_a = url::Origin::Create(GURL("http://a.bar.com"));
+  net::NetworkIsolationKey new_key_a(new_origin_a, new_origin_a);
+  trans_info.network_isolation_key = new_key_a;
+  RunTransactionTestWithRequest(cache.http_cache(), kSimpleGET_Transaction,
+                                trans_info, &response);
+  EXPECT_FALSE(response.was_cached);
+}
+
 TEST_F(HttpCacheTest, NonSplitCache) {
   base::test::ScopedFeatureList feature_list;
   feature_list.InitAndDisableFeature(
@@ -10205,6 +10391,7 @@ TEST_F(HttpCacheTest, NonSplitCache) {
 
   // A request without a top frame is cached normally.
   MockHttpRequest trans_info = MockHttpRequest(kSimpleGET_Transaction);
+  trans_info.network_isolation_key = NetworkIsolationKey();
   RunTransactionTestWithRequest(cache.http_cache(), kSimpleGET_Transaction,
                                 trans_info, &response);
   EXPECT_FALSE(response.was_cached);
@@ -10527,7 +10714,7 @@ TEST_F(HttpCacheTest, StopCachingSavesEntry) {
   // Verify that the entry is marked as incomplete.
   // VerifyTruncatedFlag(&cache, kSimpleGET_Transaction.url, true, 0);
   // Verify that the entry is doomed.
-  cache.disk_cache()->IsDiskEntryDoomed(kSimpleGET_Transaction.url);
+  cache.disk_cache()->IsDiskEntryDoomed(request.CacheKey());
 }
 
 // Tests that we handle truncated enries when StopCaching is called.
@@ -10571,7 +10758,7 @@ TEST_F(HttpCacheTest, StopCachingTruncatedEntry) {
   }
 
   // Verify that the disk entry was updated.
-  VerifyTruncatedFlag(&cache, kRangeGET_TransactionOK.url, false, 80);
+  VerifyTruncatedFlag(&cache, request.CacheKey(), false, 80);
   RemoveMockTransaction(&kRangeGET_TransactionOK);
 }
 
@@ -10884,7 +11071,8 @@ TEST_F(HttpCacheTest, TruncatedByContentLength2) {
   RemoveMockTransaction(&transaction);
 
   // Verify that the entry is marked as incomplete.
-  VerifyTruncatedFlag(&cache, kSimpleGET_Transaction.url, true, 0);
+  MockHttpRequest request(transaction);
+  VerifyTruncatedFlag(&cache, request.CacheKey(), true, 0);
 }
 
 // Make sure that calling SetPriority on a cache transaction passes on
diff --git a/chromium/net/http/http_log_util.cc b/chromium/net/http/http_log_util.cc
index 9c9bc1dbe5c..70d15a64f28 100644
--- a/chromium/net/http/http_log_util.cc
+++ b/chromium/net/http/http_log_util.cc
@@ -22,7 +22,7 @@ bool ShouldRedactChallenge(HttpAuthChallengeTokenizer* challenge) {
   if (challenge->challenge_text().find(',') != std::string::npos)
     return false;
 
-  std::string scheme = base::ToLowerASCII(challenge->scheme());
+  std::string scheme = challenge->auth_scheme();
   // Invalid input.
   if (scheme.empty())
     return false;
diff --git a/chromium/net/http/http_network_layer_unittest.cc b/chromium/net/http/http_network_layer_unittest.cc
index b8c7a7b9c02..75c975669f5 100644
--- a/chromium/net/http/http_network_layer_unittest.cc
+++ b/chromium/net/http/http_network_layer_unittest.cc
@@ -17,6 +17,7 @@
 #include "net/http/transport_security_state.h"
 #include "net/log/net_log_with_source.h"
 #include "net/proxy_resolution/proxy_resolution_service.h"
+#include "net/quic/quic_context.h"
 #include "net/socket/socket_test_util.h"
 #include "net/spdy/spdy_session_pool.h"
 #include "net/ssl/ssl_config_service_defaults.h"
@@ -58,6 +59,7 @@ class HttpNetworkLayerTest : public PlatformTest, public WithTaskEnvironment {
     session_context.proxy_resolution_service = proxy_resolution_service_.get();
     session_context.ssl_config_service = ssl_config_service_.get();
     session_context.http_server_properties = &http_server_properties_;
+    session_context.quic_context = &quic_context_;
     network_session_.reset(
         new HttpNetworkSession(HttpNetworkSession::Params(), session_context));
     factory_.reset(new HttpNetworkLayer(network_session_.get()));
@@ -270,6 +272,7 @@ class HttpNetworkLayerTest : public PlatformTest, public WithTaskEnvironment {
   DefaultCTPolicyEnforcer ct_policy_enforcer_;
   std::unique_ptr<ProxyResolutionService> proxy_resolution_service_;
   std::unique_ptr<SSLConfigService> ssl_config_service_;
+  QuicContext quic_context_;
   std::unique_ptr<HttpNetworkSession> network_session_;
   std::unique_ptr<HttpNetworkLayer> factory_;
 
diff --git a/chromium/net/http/http_network_session.cc b/chromium/net/http/http_network_session.cc
index 6fca8117d5a..050d68377c1 100644
--- a/chromium/net/http/http_network_session.cc
+++ b/chromium/net/http/http_network_session.cc
@@ -67,6 +67,11 @@ spdy::SettingsMap AddDefaultHttp2Settings(spdy::SettingsMap http2_settings) {
     http2_settings[spdy::SETTINGS_INITIAL_WINDOW_SIZE] =
         kSpdyStreamMaxRecvWindowSize;
 
+  it = http2_settings.find(spdy::SETTINGS_MAX_HEADER_LIST_SIZE);
+  if (it == http2_settings.end())
+    http2_settings[spdy::SETTINGS_MAX_HEADER_LIST_SIZE] =
+        kSpdyMaxHeaderListSize;
+
   return http2_settings;
 }
 
@@ -88,8 +93,7 @@ HttpNetworkSession::Params::Params()
       enable_quic(false),
       enable_quic_proxies_for_https_urls(false),
       disable_idle_sockets_close_on_memory_pressure(false),
-      allow_default_credentials(HttpAuthPreferences::DefaultCredentials::
-                                    DISALLOW_DEFAULT_CREDENTIALS) {
+      key_auth_cache_server_entries_by_network_isolation_key(false) {
   enable_early_data =
       base::FeatureList::IsEnabled(features::kEnableTLS13EarlyData);
 }
@@ -113,12 +117,11 @@ HttpNetworkSession::Context::Context()
       net_log(nullptr),
       socket_performance_watcher_factory(nullptr),
       network_quality_estimator(nullptr),
+      quic_context(nullptr),
 #if BUILDFLAG(ENABLE_REPORTING)
       reporting_service(nullptr),
       network_error_logging_service(nullptr),
 #endif
-      quic_clock(nullptr),
-      quic_random(nullptr),
       quic_crypto_client_stream_factory(
           QuicCryptoClientStreamFactory::GetDefaultFactory()) {
 }
@@ -141,6 +144,8 @@ HttpNetworkSession::HttpNetworkSession(const Params& params,
 #endif
       proxy_resolution_service_(context.proxy_resolution_service),
       ssl_config_service_(context.ssl_config_service),
+      http_auth_cache_(
+          params.key_auth_cache_server_entries_by_network_isolation_key),
       ssl_client_session_cache_(SSLClientSessionCache::Config()),
       ssl_client_context_(context.ssl_config_service,
                           context.cert_verifier,
@@ -149,30 +154,25 @@ HttpNetworkSession::HttpNetworkSession(const Params& params,
                           context.ct_policy_enforcer,
                           &ssl_client_session_cache_),
       push_delegate_(nullptr),
-      quic_stream_factory_(
-          context.net_log,
-          context.host_resolver,
-          context.ssl_config_service,
-          context.client_socket_factory
-              ? context.client_socket_factory
-              : ClientSocketFactory::GetDefaultFactory(),
-          context.http_server_properties,
-          context.cert_verifier,
-          context.ct_policy_enforcer,
-          context.transport_security_state,
-          context.cert_transparency_verifier,
-          context.socket_performance_watcher_factory,
-          context.quic_crypto_client_stream_factory,
-          context.quic_random ? context.quic_random
-                              : quic::QuicRandom::GetInstance(),
-          context.quic_clock ? context.quic_clock
-                             : quic::QuicChromiumClock::GetInstance(),
-          params.quic_params),
+      quic_stream_factory_(context.net_log,
+                           context.host_resolver,
+                           context.ssl_config_service,
+                           context.client_socket_factory
+                               ? context.client_socket_factory
+                               : ClientSocketFactory::GetDefaultFactory(),
+                           context.http_server_properties,
+                           context.cert_verifier,
+                           context.ct_policy_enforcer,
+                           context.transport_security_state,
+                           context.cert_transparency_verifier,
+                           context.socket_performance_watcher_factory,
+                           context.quic_crypto_client_stream_factory,
+                           context.quic_context),
       spdy_session_pool_(context.host_resolver,
                          &ssl_client_context_,
                          context.http_server_properties,
                          context.transport_security_state,
-                         params.quic_params.supported_versions,
+                         context.quic_context->params()->supported_versions,
                          params.enable_spdy_ping_based_connection_checking,
                          params.enable_http2,
                          params.enable_quic,
@@ -205,7 +205,7 @@ HttpNetworkSession::HttpNetworkSession(const Params& params,
   next_protos_.push_back(kProtoHTTP11);
 
   http_server_properties_->SetMaxServerConfigsStoredInProperties(
-      params.quic_params.max_server_configs_stored_in_properties);
+      context.quic_context->params()->max_server_configs_stored_in_properties);
 
   if (!params_.disable_idle_sockets_close_on_memory_pressure) {
     memory_pressure_listener_.reset(
@@ -257,76 +257,71 @@ std::unique_ptr<base::Value> HttpNetworkSession::QuicInfoToValue() const {
   dict->Set("sessions", quic_stream_factory_.QuicStreamFactoryInfoToValue());
   dict->SetBoolean("quic_enabled", IsQuicEnabled());
 
+  const QuicParams* quic_params = context_.quic_context->params();
+
   auto connection_options(std::make_unique<base::ListValue>());
-  for (const auto& option : params_.quic_params.connection_options)
+  for (const auto& option : quic_params->connection_options)
     connection_options->AppendString(quic::QuicTagToString(option));
   dict->Set("connection_options", std::move(connection_options));
 
   auto supported_versions(std::make_unique<base::ListValue>());
-  for (const auto& version : params_.quic_params.supported_versions)
+  for (const auto& version : quic_params->supported_versions)
     supported_versions->AppendString(ParsedQuicVersionToString(version));
   dict->Set("supported_versions", std::move(supported_versions));
 
   auto origins_to_force_quic_on(std::make_unique<base::ListValue>());
-  for (const auto& origin : params_.quic_params.origins_to_force_quic_on)
+  for (const auto& origin : quic_params->origins_to_force_quic_on)
     origins_to_force_quic_on->AppendString(origin.ToString());
   dict->Set("origins_to_force_quic_on", std::move(origins_to_force_quic_on));
 
-  dict->SetInteger("max_packet_length", params_.quic_params.max_packet_length);
+  dict->SetInteger("max_packet_length", quic_params->max_packet_length);
   dict->SetInteger("max_server_configs_stored_in_properties",
-                   params_.quic_params.max_server_configs_stored_in_properties);
+                   quic_params->max_server_configs_stored_in_properties);
   dict->SetInteger("idle_connection_timeout_seconds",
-                   params_.quic_params.idle_connection_timeout.InSeconds());
+                   quic_params->idle_connection_timeout.InSeconds());
   dict->SetInteger("reduced_ping_timeout_seconds",
-                   params_.quic_params.reduced_ping_timeout.InSeconds());
+                   quic_params->reduced_ping_timeout.InSeconds());
   dict->SetBoolean("retry_without_alt_svc_on_quic_errors",
-                   params_.quic_params.retry_without_alt_svc_on_quic_errors);
+                   quic_params->retry_without_alt_svc_on_quic_errors);
   dict->SetBoolean("race_cert_verification",
-                   params_.quic_params.race_cert_verification);
+                   quic_params->race_cert_verification);
   dict->SetBoolean("disable_bidirectional_streams",
-                   params_.quic_params.disable_bidirectional_streams);
+                   quic_params->disable_bidirectional_streams);
   dict->SetBoolean("close_sessions_on_ip_change",
-                   params_.quic_params.close_sessions_on_ip_change);
+                   quic_params->close_sessions_on_ip_change);
   dict->SetBoolean("goaway_sessions_on_ip_change",
-                   params_.quic_params.goaway_sessions_on_ip_change);
+                   quic_params->goaway_sessions_on_ip_change);
   dict->SetBoolean("migrate_sessions_on_network_change_v2",
-                   params_.quic_params.migrate_sessions_on_network_change_v2);
+                   quic_params->migrate_sessions_on_network_change_v2);
   dict->SetBoolean("migrate_sessions_early_v2",
-                   params_.quic_params.migrate_sessions_early_v2);
+                   quic_params->migrate_sessions_early_v2);
   dict->SetInteger(
       "retransmittable_on_wire_timeout_milliseconds",
-      params_.quic_params.retransmittable_on_wire_timeout.InMilliseconds());
-  dict->SetBoolean(
-      "retry_on_alternate_network_before_handshake",
-      params_.quic_params.retry_on_alternate_network_before_handshake);
-  dict->SetBoolean("migrate_idle_sessions",
-                   params_.quic_params.migrate_idle_sessions);
-  dict->SetInteger(
-      "idle_session_migration_period_seconds",
-      params_.quic_params.idle_session_migration_period.InSeconds());
-  dict->SetInteger(
-      "max_time_on_non_default_network_seconds",
-      params_.quic_params.max_time_on_non_default_network.InSeconds());
+      quic_params->retransmittable_on_wire_timeout.InMilliseconds());
+  dict->SetBoolean("retry_on_alternate_network_before_handshake",
+                   quic_params->retry_on_alternate_network_before_handshake);
+  dict->SetBoolean("migrate_idle_sessions", quic_params->migrate_idle_sessions);
+  dict->SetInteger("idle_session_migration_period_seconds",
+                   quic_params->idle_session_migration_period.InSeconds());
+  dict->SetInteger("max_time_on_non_default_network_seconds",
+                   quic_params->max_time_on_non_default_network.InSeconds());
   dict->SetInteger(
       "max_num_migrations_to_non_default_network_on_write_error",
-      params_.quic_params.max_migrations_to_non_default_network_on_write_error);
+      quic_params->max_migrations_to_non_default_network_on_write_error);
   dict->SetInteger(
       "max_num_migrations_to_non_default_network_on_path_degrading",
-      params_.quic_params
-          .max_migrations_to_non_default_network_on_path_degrading);
+      quic_params->max_migrations_to_non_default_network_on_path_degrading);
   dict->SetBoolean("allow_server_migration",
-                   params_.quic_params.allow_server_migration);
+                   quic_params->allow_server_migration);
   dict->SetBoolean("race_stale_dns_on_connection",
-                   params_.quic_params.race_stale_dns_on_connection);
+                   quic_params->race_stale_dns_on_connection);
   dict->SetBoolean("go_away_on_path_degrading",
-                   params_.quic_params.go_away_on_path_degrading);
-  dict->SetBoolean("estimate_initial_rtt",
-                   params_.quic_params.estimate_initial_rtt);
+                   quic_params->go_away_on_path_degrading);
+  dict->SetBoolean("estimate_initial_rtt", quic_params->estimate_initial_rtt);
   dict->SetBoolean("server_push_cancellation",
                    params_.enable_server_push_cancellation);
-  dict->SetInteger(
-      "initial_rtt_for_handshake_milliseconds",
-      params_.quic_params.initial_rtt_for_handshake.InMilliseconds());
+  dict->SetInteger("initial_rtt_for_handshake_milliseconds",
+                   quic_params->initial_rtt_for_handshake.InMilliseconds());
 
   return std::move(dict);
 }
@@ -420,9 +415,10 @@ CommonConnectJobParams HttpNetworkSession::CreateCommonConnectJobParams(
                                      : ClientSocketFactory::GetDefaultFactory(),
       context_.host_resolver, &http_auth_cache_,
       context_.http_auth_handler_factory, &spdy_session_pool_,
-      &params_.quic_params.supported_versions, &quic_stream_factory_,
-      context_.proxy_delegate, context_.http_user_agent_settings,
-      &ssl_client_context_, context_.socket_performance_watcher_factory,
+      &context_.quic_context->params()->supported_versions,
+      &quic_stream_factory_, context_.proxy_delegate,
+      context_.http_user_agent_settings, &ssl_client_context_,
+      context_.socket_performance_watcher_factory,
       context_.network_quality_estimator, context_.net_log,
       for_websockets ? &websocket_endpoint_lock_manager_ : nullptr);
 }
diff --git a/chromium/net/http/http_network_session.h b/chromium/net/http/http_network_session.h
index f6a0a95b013..89ae5fc2221 100644
--- a/chromium/net/http/http_network_session.h
+++ b/chromium/net/http/http_network_session.h
@@ -27,7 +27,6 @@
 #include "net/base/host_port_pair.h"
 #include "net/base/net_export.h"
 #include "net/http/http_auth_cache.h"
-#include "net/http/http_auth_preferences.h"
 #include "net/http/http_stream_factory.h"
 #include "net/net_buildflags.h"
 #include "net/quic/quic_stream_factory.h"
@@ -45,10 +44,6 @@ class ProcessMemoryDump;
 }
 }
 
-namespace quic {
-class QuicClock;
-}  // namespace quic
-
 namespace net {
 
 class CTPolicyEnforcer;
@@ -82,6 +77,9 @@ class TransportSecurityState;
 // Specifies the maximum HPACK dynamic table size the server is allowed to set.
 const uint32_t kSpdyMaxHeaderTableSize = 64 * 1024;
 
+// The maximum size of header list that the server is allowed to send.
+const uint32_t kSpdyMaxHeaderListSize = 256 * 1024;
+
 // Specifies the maximum concurrent streams server could send (via push).
 const uint32_t kSpdyMaxConcurrentPushedStreams = 1000;
 
@@ -138,18 +136,13 @@ class NET_EXPORT HttpNetworkSession {
     // If true, HTTPS URLs can be sent to QUIC proxies.
     bool enable_quic_proxies_for_https_urls;
 
-    // QUIC runtime configuration options and active experiments.
-    QuicParams quic_params;
-
     // If non-empty, QUIC will only be spoken to hosts in this list.
     base::flat_set<std::string> quic_host_allowlist;
 
     // If true, idle sockets won't be closed when memory pressure happens.
     bool disable_idle_sockets_close_on_memory_pressure;
 
-    // If authentication APIs that support ambient authentication are allowed
-    // to use the default credentials.
-    HttpAuthPreferences::DefaultCredentials allow_default_credentials;
+    bool key_auth_cache_server_entries_by_network_isolation_key;
   };
 
   // Structure with pointers to the dependencies of the HttpNetworkSession.
@@ -174,15 +167,12 @@ class NET_EXPORT HttpNetworkSession {
     NetLog* net_log;
     SocketPerformanceWatcherFactory* socket_performance_watcher_factory;
     NetworkQualityEstimator* network_quality_estimator;
+    QuicContext* quic_context;
 #if BUILDFLAG(ENABLE_REPORTING)
     ReportingService* reporting_service;
     NetworkErrorLoggingService* network_error_logging_service;
 #endif
 
-    // Source of time for QUIC connections.
-    quic::QuicClock* quic_clock;
-    // Source of entropy for QUIC connections.
-    quic::QuicRandom* quic_random;
     // Optional factory to use for creating QuicCryptoClientStreams.
     QuicCryptoClientStreamFactory* quic_crypto_client_stream_factory;
   };
diff --git a/chromium/net/http/http_network_transaction.cc b/chromium/net/http/http_network_transaction.cc
index 66c41641e4c..eeae0da29d6 100644
--- a/chromium/net/http/http_network_transaction.cc
+++ b/chromium/net/http/http_network_transaction.cc
@@ -883,10 +883,10 @@ int HttpNetworkTransaction::DoGenerateProxyAuthToken() {
     return OK;
   HttpAuth::Target target = HttpAuth::AUTH_PROXY;
   if (!auth_controllers_[target].get())
-    auth_controllers_[target] = new HttpAuthController(
-        target, AuthURL(target), session_->http_auth_cache(),
-        session_->http_auth_handler_factory(), session_->host_resolver(),
-        session_->params().allow_default_credentials);
+    auth_controllers_[target] = base::MakeRefCounted<HttpAuthController>(
+        target, AuthURL(target), request_->network_isolation_key,
+        session_->http_auth_cache(), session_->http_auth_handler_factory(),
+        session_->host_resolver());
   return auth_controllers_[target]->MaybeGenerateAuthToken(request_,
                                                            io_callback_,
                                                            net_log_);
@@ -903,10 +903,10 @@ int HttpNetworkTransaction::DoGenerateServerAuthToken() {
   next_state_ = STATE_GENERATE_SERVER_AUTH_TOKEN_COMPLETE;
   HttpAuth::Target target = HttpAuth::AUTH_SERVER;
   if (!auth_controllers_[target].get()) {
-    auth_controllers_[target] = new HttpAuthController(
-        target, AuthURL(target), session_->http_auth_cache(),
-        session_->http_auth_handler_factory(), session_->host_resolver(),
-        session_->params().allow_default_credentials);
+    auth_controllers_[target] = base::MakeRefCounted<HttpAuthController>(
+        target, AuthURL(target), request_->network_isolation_key,
+        session_->http_auth_cache(), session_->http_auth_handler_factory(),
+        session_->host_resolver());
     if (request_->load_flags & LOAD_DO_NOT_USE_EMBEDDED_IDENTITY)
       auth_controllers_[target]->DisableEmbeddedIdentity();
   }
@@ -1094,10 +1094,13 @@ int HttpNetworkTransaction::DoReadHeadersComplete(int result) {
     return ERR_CONTENT_DECODING_FAILED;
 
   // On a 408 response from the server ("Request Timeout") on a stale socket,
-  // retry the request.
+  // retry the request for HTTP/1.1 but not HTTP/2 or QUIC because those
+  // multiplex requests and have no need for 408.
   // Headers can be NULL because of http://crbug.com/384554.
   if (response_.headers.get() &&
       response_.headers->response_code() == HTTP_REQUEST_TIMEOUT &&
+      HttpResponseInfo::ConnectionInfoToCoarse(response_.connection_info) ==
+          HttpResponseInfo::CONNECTION_INFO_COARSE_HTTP1 &&
       stream_->IsConnectionReused()) {
 #if BUILDFLAG(ENABLE_REPORTING)
     GenerateNetworkErrorLoggingReport(OK);
@@ -1390,11 +1393,8 @@ void HttpNetworkTransaction::GenerateNetworkErrorLoggingReport(int rv) {
 
   NetworkErrorLoggingService* service =
       session_->network_error_logging_service();
-  if (!service) {
-    NetworkErrorLoggingService::
-        RecordRequestDiscardedForNoNetworkErrorLoggingService();
+  if (!service)
     return;
-  }
 
   // Don't report on proxy auth challenges.
   if (response_.headers && response_.headers->response_code() ==
@@ -1408,10 +1408,8 @@ void HttpNetworkTransaction::GenerateNetworkErrorLoggingReport(int rv) {
     return;
 
   // Ignore errors from non-HTTPS origins.
-  if (!url_.SchemeIsCryptographic()) {
-    NetworkErrorLoggingService::RecordRequestDiscardedForInsecureOrigin();
+  if (!url_.SchemeIsCryptographic())
     return;
-  }
 
   NetworkErrorLoggingService::RequestDetails details;
 
@@ -1586,8 +1584,9 @@ int HttpNetworkTransaction::HandleIOError(int error) {
         retry_attempts_++;
         ResetConnectionAndRequestForResend();
         error = OK;
-      } else if (session_->params()
-                     .quic_params.retry_without_alt_svc_on_quic_errors) {
+      } else if (session_->context()
+                     .quic_context->params()
+                     ->retry_without_alt_svc_on_quic_errors) {
         // Disable alternative services for this request and retry it. If the
         // retry succeeds, then the alternative service will be marked as
         // broken then.
diff --git a/chromium/net/http/http_network_transaction_unittest.cc b/chromium/net/http/http_network_transaction_unittest.cc
index 5fcb4c03c5d..8ff397d423c 100644
--- a/chromium/net/http/http_network_transaction_unittest.cc
+++ b/chromium/net/http/http_network_transaction_unittest.cc
@@ -284,17 +284,23 @@ void TestLoadTimingNotReusedWithPac(const LoadTimingInfo& load_timing_info,
 // result to return.
 class CapturingProxyResolver : public ProxyResolver {
  public:
+  struct LookupInfo {
+    GURL url;
+    NetworkIsolationKey network_isolation_key;
+  };
+
   CapturingProxyResolver()
       : proxy_server_(ProxyServer::SCHEME_HTTP, HostPortPair("myproxy", 80)) {}
   ~CapturingProxyResolver() override = default;
 
   int GetProxyForURL(const GURL& url,
+                     const NetworkIsolationKey& network_isolation_key,
                      ProxyInfo* results,
                      CompletionOnceCallback callback,
                      std::unique_ptr<Request>* request,
                      const NetLogWithSource& net_log) override {
     results->UseProxyServer(proxy_server_);
-    resolved_.push_back(url);
+    lookup_info_.push_back(LookupInfo{url, network_isolation_key});
     return OK;
   }
 
@@ -304,10 +310,10 @@ class CapturingProxyResolver : public ProxyResolver {
     proxy_server_ = proxy_server;
   }
 
-  const std::vector<GURL>& resolved() const { return resolved_; }
+  const std::vector<LookupInfo>& lookup_info() const { return lookup_info_; }
 
  private:
-  std::vector<GURL> resolved_;
+  std::vector<LookupInfo> lookup_info_;
 
   ProxyServer proxy_server_;
 
@@ -445,7 +451,7 @@ class HttpNetworkTransactionTest : public PlatformTest,
     request.traffic_annotation =
         net::MutableNetworkTrafficAnnotationTag(TRAFFIC_ANNOTATION_FOR_TESTS);
 
-    BoundTestNetLog log;
+    RecordingBoundTestNetLog log;
     session_deps_.net_log = log.bound().net_log();
     std::unique_ptr<HttpNetworkSession> session(CreateSession(&session_deps_));
     HttpNetworkTransaction trans(DEFAULT_PRIORITY, session.get());
@@ -544,6 +550,11 @@ class HttpNetworkTransactionTest : public PlatformTest,
 
   void CheckErrorIsPassedBack(int error, IoMode mode);
 
+  base::RepeatingClosure FastForwardByCallback(base::TimeDelta delta) {
+    return base::BindRepeating(&HttpNetworkTransactionTest::FastForwardBy,
+                               base::Unretained(this), delta);
+  }
+
   const CommonConnectJobParams dummy_connect_job_params_;
 
   // These clocks are defined here, even though they're only used in the
@@ -1623,7 +1634,7 @@ void HttpNetworkTransactionTest::KeepAliveConnectionResendRequestTest(
   request.traffic_annotation =
       net::MutableNetworkTrafficAnnotationTag(TRAFFIC_ANNOTATION_FOR_TESTS);
 
-  TestNetLog net_log;
+  RecordingTestNetLog net_log;
   session_deps_.net_log = &net_log;
   std::unique_ptr<HttpNetworkSession> session(CreateSession(&session_deps_));
 
@@ -1713,7 +1724,7 @@ void HttpNetworkTransactionTest::PreconnectErrorResendRequestTest(
   request.traffic_annotation =
       net::MutableNetworkTrafficAnnotationTag(TRAFFIC_ANNOTATION_FOR_TESTS);
 
-  TestNetLog net_log;
+  RecordingTestNetLog net_log;
   session_deps_.net_log = &net_log;
   std::unique_ptr<HttpNetworkSession> session(CreateSession(&session_deps_));
 
@@ -2139,7 +2150,7 @@ TEST_F(HttpNetworkTransactionTest, KeepAliveAfterUnreadBody) {
   request.traffic_annotation =
       net::MutableNetworkTrafficAnnotationTag(TRAFFIC_ANNOTATION_FOR_TESTS);
 
-  TestNetLog net_log;
+  RecordingTestNetLog net_log;
   session_deps_.net_log = &net_log;
   std::unique_ptr<HttpNetworkSession> session(CreateSession(&session_deps_));
 
@@ -2563,7 +2574,7 @@ TEST_F(HttpNetworkTransactionTest, BasicAuth) {
   request.traffic_annotation =
       net::MutableNetworkTrafficAnnotationTag(TRAFFIC_ANNOTATION_FOR_TESTS);
 
-  TestNetLog log;
+  RecordingTestNetLog log;
   session_deps_.net_log = &log;
   std::unique_ptr<HttpNetworkSession> session(CreateSession(&session_deps_));
   HttpNetworkTransaction trans(DEFAULT_PRIORITY, session.get());
@@ -2669,7 +2680,7 @@ TEST_F(HttpNetworkTransactionTest, BasicAuthWithAddressChange) {
   request.traffic_annotation =
       net::MutableNetworkTrafficAnnotationTag(TRAFFIC_ANNOTATION_FOR_TESTS);
 
-  TestNetLog log;
+  RecordingTestNetLog log;
   MockHostResolver* resolver = new MockHostResolver();
   session_deps_.net_log = &log;
   session_deps_.host_resolver.reset(resolver);
@@ -2783,7 +2794,7 @@ TEST_F(HttpNetworkTransactionTest, BasicAuthForever) {
   request.traffic_annotation =
       net::MutableNetworkTrafficAnnotationTag(TRAFFIC_ANNOTATION_FOR_TESTS);
 
-  TestNetLog log;
+  RecordingTestNetLog log;
   session_deps_.net_log = &log;
   std::unique_ptr<HttpNetworkSession> session(CreateSession(&session_deps_));
   HttpNetworkTransaction trans(DEFAULT_PRIORITY, session.get());
@@ -2903,7 +2914,7 @@ TEST_F(HttpNetworkTransactionTest, BasicAuthKeepAlive) {
     request.traffic_annotation =
         net::MutableNetworkTrafficAnnotationTag(TRAFFIC_ANNOTATION_FOR_TESTS);
 
-    TestNetLog log;
+    RecordingTestNetLog log;
     session_deps_.net_log = &log;
     std::unique_ptr<HttpNetworkSession> session(CreateSession(&session_deps_));
 
@@ -3239,7 +3250,7 @@ TEST_F(HttpNetworkTransactionTest, BasicAuthProxyNoKeepAliveHttp10) {
   session_deps_.proxy_resolution_service =
       ProxyResolutionService::CreateFixedFromPacResult(
           "PROXY myproxy:70", TRAFFIC_ANNOTATION_FOR_TESTS);
-  BoundTestNetLog log;
+  RecordingBoundTestNetLog log;
   session_deps_.net_log = log.bound().net_log();
   std::unique_ptr<HttpNetworkSession> session(CreateSession(&session_deps_));
 
@@ -3338,6 +3349,14 @@ TEST_F(HttpNetworkTransactionTest, BasicAuthProxyNoKeepAliveHttp10) {
   EXPECT_EQ(5, response->headers->GetContentLength());
   EXPECT_TRUE(HttpVersion(1, 1) == response->headers->GetHttpVersion());
 
+  // Check that credentials were successfully cached, with the right target.
+  HttpAuthCache::Entry* entry = session->http_auth_cache()->Lookup(
+      GURL("http://myproxy:70"), HttpAuth::AUTH_PROXY, "MyRealm1",
+      HttpAuth::AUTH_SCHEME_BASIC, NetworkIsolationKey());
+  ASSERT_TRUE(entry);
+  ASSERT_EQ(kFoo, entry->credentials().username());
+  ASSERT_EQ(kBar, entry->credentials().password());
+
   // The password prompt info should not be set.
   EXPECT_FALSE(response->auth_challenge.has_value());
 
@@ -3364,7 +3383,7 @@ TEST_F(HttpNetworkTransactionTest, BasicAuthProxyNoKeepAliveHttp11) {
   session_deps_.proxy_resolution_service =
       ProxyResolutionService::CreateFixedFromPacResult(
           "PROXY myproxy:70", TRAFFIC_ANNOTATION_FOR_TESTS);
-  BoundTestNetLog log;
+  RecordingBoundTestNetLog log;
   session_deps_.net_log = log.bound().net_log();
   std::unique_ptr<HttpNetworkSession> session(CreateSession(&session_deps_));
 
@@ -3493,7 +3512,7 @@ TEST_F(HttpNetworkTransactionTest, BasicAuthProxyKeepAliveHttp10) {
     session_deps_.proxy_resolution_service =
         ProxyResolutionService::CreateFixed("myproxy:70",
                                             TRAFFIC_ANNOTATION_FOR_TESTS);
-    BoundTestNetLog log;
+    RecordingBoundTestNetLog log;
     session_deps_.net_log = log.bound().net_log();
     std::unique_ptr<HttpNetworkSession> session(CreateSession(&session_deps_));
 
@@ -3605,7 +3624,7 @@ TEST_F(HttpNetworkTransactionTest, BasicAuthProxyKeepAliveHttp11) {
     session_deps_.proxy_resolution_service =
         ProxyResolutionService::CreateFixed("myproxy:70",
                                             TRAFFIC_ANNOTATION_FOR_TESTS);
-    BoundTestNetLog log;
+    RecordingBoundTestNetLog log;
     session_deps_.net_log = log.bound().net_log();
     std::unique_ptr<HttpNetworkSession> session(CreateSession(&session_deps_));
 
@@ -3714,7 +3733,7 @@ TEST_F(HttpNetworkTransactionTest, BasicAuthProxyKeepAliveExtraData) {
   session_deps_.proxy_resolution_service =
       ProxyResolutionService::CreateFixedFromPacResult(
           "PROXY myproxy:70", TRAFFIC_ANNOTATION_FOR_TESTS);
-  BoundTestNetLog log;
+  RecordingBoundTestNetLog log;
   session_deps_.net_log = log.bound().net_log();
   std::unique_ptr<HttpNetworkSession> session(CreateSession(&session_deps_));
 
@@ -3974,6 +3993,677 @@ TEST_F(HttpNetworkTransactionTest, BasicAuthProxyCancelTunnel) {
   session->CloseAllConnections();
 }
 
+// Test the no-tunnel HTTP auth case where proxy and server origins and realms
+// are the same, but the user/passwords are different. Serves to verify
+// credentials are correctly separated based on HttpAuth::Target.
+TEST_F(HttpNetworkTransactionTest, BasicAuthProxyMatchesServerAuthNoTunnel) {
+  HttpRequestInfo request;
+  request.method = "GET";
+  request.url = GURL("http://myproxy:70/");
+  request.traffic_annotation =
+      net::MutableNetworkTrafficAnnotationTag(TRAFFIC_ANNOTATION_FOR_TESTS);
+
+  // Proxy matches request URL.
+  session_deps_.proxy_resolution_service =
+      ProxyResolutionService::CreateFixedFromPacResult(
+          "PROXY myproxy:70", TRAFFIC_ANNOTATION_FOR_TESTS);
+  RecordingBoundTestNetLog log;
+  session_deps_.net_log = log.bound().net_log();
+  std::unique_ptr<HttpNetworkSession> session(CreateSession(&session_deps_));
+
+  MockWrite data_writes[] = {
+      // Initial request gets a proxy auth challenge.
+      MockWrite("GET http://myproxy:70/ HTTP/1.1\r\n"
+                "Host: myproxy:70\r\n"
+                "Proxy-Connection: keep-alive\r\n\r\n"),
+      // Retry with proxy auth credentials, which will result in a server auth
+      // challenge.
+      MockWrite("GET http://myproxy:70/ HTTP/1.1\r\n"
+                "Host: myproxy:70\r\n"
+                "Proxy-Connection: keep-alive\r\n"
+                "Proxy-Authorization: Basic Zm9vOmJhcg==\r\n\r\n"),
+      // Retry with proxy and server auth credentials, which gets a response.
+      MockWrite("GET http://myproxy:70/ HTTP/1.1\r\n"
+                "Host: myproxy:70\r\n"
+                "Proxy-Connection: keep-alive\r\n"
+                "Proxy-Authorization: Basic Zm9vOmJhcg==\r\n"
+                "Authorization: Basic Zm9vMjpiYXIy\r\n\r\n"),
+      // A second request should preemptively send the correct proxy and server
+      // auth headers.
+      MockWrite("GET http://myproxy:70/ HTTP/1.1\r\n"
+                "Host: myproxy:70\r\n"
+                "Proxy-Connection: keep-alive\r\n"
+                "Proxy-Authorization: Basic Zm9vOmJhcg==\r\n"
+                "Authorization: Basic Zm9vMjpiYXIy\r\n\r\n"),
+  };
+
+  MockRead data_reads[] = {
+      // Proxy auth challenge.
+      MockRead("HTTP/1.0 407 Proxy Authentication Required\r\n"
+               "Proxy-Connection: keep-alive\r\n"
+               "Proxy-Authenticate: Basic realm=\"MyRealm1\"\r\n"
+               "Content-Length: 0\r\n\r\n"),
+      // Server auth challenge.
+      MockRead("HTTP/1.0 401 Authentication Required\r\n"
+               "Proxy-Connection: keep-alive\r\n"
+               "WWW-Authenticate: Basic realm=\"MyRealm1\"\r\n"
+               "Content-Length: 0\r\n\r\n"),
+      // Response.
+      MockRead("HTTP/1.1 200 OK\r\n"
+               "Proxy-Connection: keep-alive\r\n"
+               "Content-Length: 5\r\n\r\n"
+               "hello"),
+      // Response to second request.
+      MockRead("HTTP/1.1 200 OK\r\n"
+               "Proxy-Connection: keep-alive\r\n"
+               "Content-Length: 2\r\n\r\n"
+               "hi"),
+  };
+
+  StaticSocketDataProvider data(data_reads, data_writes);
+  session_deps_.socket_factory->AddSocketDataProvider(&data);
+
+  TestCompletionCallback callback;
+
+  auto trans =
+      std::make_unique<HttpNetworkTransaction>(DEFAULT_PRIORITY, session.get());
+  int rv = trans->Start(&request, callback.callback(), log.bound());
+  EXPECT_THAT(callback.GetResult(rv), IsOk());
+  const HttpResponseInfo* response = trans->GetResponseInfo();
+  ASSERT_TRUE(response);
+  ASSERT_TRUE(response->headers);
+  EXPECT_EQ(407, response->headers->response_code());
+  EXPECT_TRUE(CheckBasicProxyAuth(response->auth_challenge));
+
+  rv = trans->RestartWithAuth(AuthCredentials(kFoo, kBar), callback.callback());
+  EXPECT_THAT(callback.GetResult(rv), IsOk());
+  response = trans->GetResponseInfo();
+  ASSERT_TRUE(response);
+  EXPECT_EQ(401, response->headers->response_code());
+  EXPECT_FALSE(response->auth_challenge->is_proxy);
+  EXPECT_EQ("http://myproxy:70",
+            response->auth_challenge->challenger.Serialize());
+  EXPECT_EQ("MyRealm1", response->auth_challenge->realm);
+  EXPECT_EQ(kBasicAuthScheme, response->auth_challenge->scheme);
+
+  rv = trans->RestartWithAuth(AuthCredentials(kFoo2, kBar2),
+                              callback.callback());
+  EXPECT_THAT(callback.GetResult(rv), IsOk());
+  response = trans->GetResponseInfo();
+  ASSERT_TRUE(response);
+  EXPECT_EQ(200, response->headers->response_code());
+  // The password prompt info should not be set.
+  EXPECT_FALSE(response->auth_challenge.has_value());
+
+  std::string response_data;
+  EXPECT_THAT(ReadTransaction(trans.get(), &response_data), IsOk());
+  EXPECT_EQ("hello", response_data);
+
+  // Check that the credentials were cached correctly.
+  HttpAuthCache::Entry* entry = session->http_auth_cache()->Lookup(
+      GURL("http://myproxy:70"), HttpAuth::AUTH_PROXY, "MyRealm1",
+      HttpAuth::AUTH_SCHEME_BASIC, NetworkIsolationKey());
+  ASSERT_TRUE(entry);
+  ASSERT_EQ(kFoo, entry->credentials().username());
+  ASSERT_EQ(kBar, entry->credentials().password());
+  entry = session->http_auth_cache()->Lookup(
+      GURL("http://myproxy:70"), HttpAuth::AUTH_SERVER, "MyRealm1",
+      HttpAuth::AUTH_SCHEME_BASIC, NetworkIsolationKey());
+  ASSERT_TRUE(entry);
+  ASSERT_EQ(kFoo2, entry->credentials().username());
+  ASSERT_EQ(kBar2, entry->credentials().password());
+
+  // Make another request, which should automatically send the correct proxy and
+  // server auth credentials and get another response.
+  trans =
+      std::make_unique<HttpNetworkTransaction>(DEFAULT_PRIORITY, session.get());
+  rv = trans->Start(&request, callback.callback(), log.bound());
+  EXPECT_THAT(callback.GetResult(rv), IsOk());
+  response = trans->GetResponseInfo();
+  ASSERT_TRUE(response);
+  EXPECT_EQ(200, response->headers->response_code());
+  // The password prompt info should not be set.
+  EXPECT_FALSE(response->auth_challenge.has_value());
+
+  EXPECT_THAT(ReadTransaction(trans.get(), &response_data), IsOk());
+  EXPECT_EQ("hi", response_data);
+
+  trans.reset();
+  session->CloseAllConnections();
+}
+
+// Test the no-tunnel HTTP auth case where proxy and server origins and realms
+// are the same, but the user/passwords are different, and with different
+// NetworkIsolationKeys. Sends one request with a NIK, response to both proxy
+// and auth challenges, sends another request with another NIK, expecting only
+// the proxy credentials to be cached, and thus sees only a server auth
+// challenge. Then sends a request with the original NIK, expecting cached proxy
+// and auth credentials that match the ones used in the first request.
+//
+// Serves to verify credentials are correctly separated based on
+// HttpAuth::Target and NetworkIsolationKeys, but NetworkIsolationKey only
+// affects server credentials, not proxy credentials.
+TEST_F(HttpNetworkTransactionTest,
+       BasicAuthProxyMatchesServerAuthWithNetworkIsolationKeyNoTunnel) {
+  const url::Origin kOrigin1 = url::Origin::Create(GURL("https://foo.test/"));
+  const net::NetworkIsolationKey kNetworkIsolationKey1(kOrigin1, kOrigin1);
+  const url::Origin kOrigin2 = url::Origin::Create(GURL("https://bar.test/"));
+  const net::NetworkIsolationKey kNetworkIsolationKey2(kOrigin2, kOrigin2);
+
+  // This test would need to use a single socket without this option enabled.
+  // Best to use this option when it would affect a test, as it will eventually
+  // become the default behavior.
+  base::test::ScopedFeatureList feature_list;
+  feature_list.InitAndEnableFeature(
+      features::kPartitionConnectionsByNetworkIsolationKey);
+
+  // Proxy matches request URL.
+  session_deps_.proxy_resolution_service =
+      ProxyResolutionService::CreateFixedFromPacResult(
+          "PROXY myproxy:70", TRAFFIC_ANNOTATION_FOR_TESTS);
+  RecordingBoundTestNetLog log;
+  session_deps_.net_log = log.bound().net_log();
+  session_deps_.key_auth_cache_server_entries_by_network_isolation_key = true;
+  std::unique_ptr<HttpNetworkSession> session(CreateSession(&session_deps_));
+
+  MockWrite data_writes[] = {
+      // Initial request gets a proxy auth challenge.
+      MockWrite("GET http://myproxy:70/ HTTP/1.1\r\n"
+                "Host: myproxy:70\r\n"
+                "Proxy-Connection: keep-alive\r\n\r\n"),
+      // Retry with proxy auth credentials, which will result in a server auth
+      // challenge.
+      MockWrite("GET http://myproxy:70/ HTTP/1.1\r\n"
+                "Host: myproxy:70\r\n"
+                "Proxy-Connection: keep-alive\r\n"
+                "Proxy-Authorization: Basic Zm9vOmJhcg==\r\n\r\n"),
+      // Retry with proxy and server auth credentials, which gets a response.
+      MockWrite("GET http://myproxy:70/ HTTP/1.1\r\n"
+                "Host: myproxy:70\r\n"
+                "Proxy-Connection: keep-alive\r\n"
+                "Proxy-Authorization: Basic Zm9vOmJhcg==\r\n"
+                "Authorization: Basic Zm9vMjpiYXIy\r\n\r\n"),
+      // Another request to the same server and using the same NIK should
+      // preemptively send the correct cached proxy and server
+      // auth headers.
+      MockWrite("GET http://myproxy:70/ HTTP/1.1\r\n"
+                "Host: myproxy:70\r\n"
+                "Proxy-Connection: keep-alive\r\n"
+                "Proxy-Authorization: Basic Zm9vOmJhcg==\r\n"
+                "Authorization: Basic Zm9vMjpiYXIy\r\n\r\n"),
+  };
+
+  MockRead data_reads[] = {
+      // Proxy auth challenge.
+      MockRead("HTTP/1.0 407 Proxy Authentication Required\r\n"
+               "Proxy-Connection: keep-alive\r\n"
+               "Proxy-Authenticate: Basic realm=\"MyRealm1\"\r\n"
+               "Content-Length: 0\r\n\r\n"),
+      // Server auth challenge.
+      MockRead("HTTP/1.0 401 Authentication Required\r\n"
+               "Proxy-Connection: keep-alive\r\n"
+               "WWW-Authenticate: Basic realm=\"MyRealm1\"\r\n"
+               "Content-Length: 0\r\n\r\n"),
+      // Response.
+      MockRead("HTTP/1.1 200 OK\r\n"
+               "Proxy-Connection: keep-alive\r\n"
+               "Content-Length: 5\r\n\r\n"
+               "hello"),
+      // Response to second request.
+      MockRead("HTTP/1.1 200 OK\r\n"
+               "Proxy-Connection: keep-alive\r\n"
+               "Content-Length: 2\r\n\r\n"
+               "hi"),
+  };
+
+  StaticSocketDataProvider data(data_reads, data_writes);
+  session_deps_.socket_factory->AddSocketDataProvider(&data);
+
+  MockWrite data_writes2[] = {
+      // Initial request using a different NetworkIsolationKey includes the
+      // cached proxy credentials, but not server credentials.
+      MockWrite("GET http://myproxy:70/ HTTP/1.1\r\n"
+                "Host: myproxy:70\r\n"
+                "Proxy-Connection: keep-alive\r\n"
+                "Proxy-Authorization: Basic Zm9vOmJhcg==\r\n\r\n"),
+      // Retry with proxy and new server auth credentials, which gets a
+      // response.
+      MockWrite("GET http://myproxy:70/ HTTP/1.1\r\n"
+                "Host: myproxy:70\r\n"
+                "Proxy-Connection: keep-alive\r\n"
+                "Proxy-Authorization: Basic Zm9vOmJhcg==\r\n"
+                "Authorization: Basic Zm9vMzpiYXIz\r\n\r\n"),
+  };
+
+  MockRead data_reads2[] = {
+      // Server auth challenge.
+      MockRead("HTTP/1.0 401 Authentication Required\r\n"
+               "Proxy-Connection: keep-alive\r\n"
+               "WWW-Authenticate: Basic realm=\"MyRealm1\"\r\n"
+               "Content-Length: 0\r\n\r\n"),
+      // Response.
+      MockRead("HTTP/1.1 200 OK\r\n"
+               "Proxy-Connection: keep-alive\r\n"
+               "Content-Length: 9\r\n\r\n"
+               "greetings"),
+  };
+
+  StaticSocketDataProvider data2(data_reads2, data_writes2);
+  session_deps_.socket_factory->AddSocketDataProvider(&data2);
+
+  TestCompletionCallback callback;
+
+  HttpRequestInfo request;
+  request.method = "GET";
+  request.url = GURL("http://myproxy:70/");
+  request.traffic_annotation =
+      net::MutableNetworkTrafficAnnotationTag(TRAFFIC_ANNOTATION_FOR_TESTS);
+  request.network_isolation_key = kNetworkIsolationKey1;
+
+  auto trans =
+      std::make_unique<HttpNetworkTransaction>(DEFAULT_PRIORITY, session.get());
+  int rv = trans->Start(&request, callback.callback(), log.bound());
+  EXPECT_THAT(callback.GetResult(rv), IsOk());
+  const HttpResponseInfo* response = trans->GetResponseInfo();
+  ASSERT_TRUE(response);
+  ASSERT_TRUE(response->headers);
+  EXPECT_EQ(407, response->headers->response_code());
+  EXPECT_TRUE(CheckBasicProxyAuth(response->auth_challenge));
+
+  rv = trans->RestartWithAuth(AuthCredentials(kFoo, kBar), callback.callback());
+  EXPECT_THAT(callback.GetResult(rv), IsOk());
+  response = trans->GetResponseInfo();
+  ASSERT_TRUE(response);
+  EXPECT_EQ(401, response->headers->response_code());
+  EXPECT_FALSE(response->auth_challenge->is_proxy);
+  EXPECT_EQ("http://myproxy:70",
+            response->auth_challenge->challenger.Serialize());
+  EXPECT_EQ("MyRealm1", response->auth_challenge->realm);
+  EXPECT_EQ(kBasicAuthScheme, response->auth_challenge->scheme);
+
+  rv = trans->RestartWithAuth(AuthCredentials(kFoo2, kBar2),
+                              callback.callback());
+  EXPECT_THAT(callback.GetResult(rv), IsOk());
+  response = trans->GetResponseInfo();
+  ASSERT_TRUE(response);
+  EXPECT_EQ(200, response->headers->response_code());
+  // The password prompt info should not be set.
+  EXPECT_FALSE(response->auth_challenge.has_value());
+  std::string response_data;
+  EXPECT_THAT(ReadTransaction(trans.get(), &response_data), IsOk());
+  EXPECT_EQ("hello", response_data);
+
+  // Check that the proxy credentials were cached correctly. The should be
+  // accessible with any NetworkIsolationKey.
+  HttpAuthCache::Entry* entry = session->http_auth_cache()->Lookup(
+      GURL("http://myproxy:70"), HttpAuth::AUTH_PROXY, "MyRealm1",
+      HttpAuth::AUTH_SCHEME_BASIC, kNetworkIsolationKey1);
+  ASSERT_TRUE(entry);
+  ASSERT_EQ(kFoo, entry->credentials().username());
+  ASSERT_EQ(kBar, entry->credentials().password());
+  EXPECT_EQ(entry,
+            session->http_auth_cache()->Lookup(
+                GURL("http://myproxy:70"), HttpAuth::AUTH_PROXY, "MyRealm1",
+                HttpAuth::AUTH_SCHEME_BASIC, kNetworkIsolationKey2));
+
+  // Check that the server credentials were cached correctly. The should be
+  // accessible with only kNetworkIsolationKey1.
+  entry = session->http_auth_cache()->Lookup(
+      GURL("http://myproxy:70"), HttpAuth::AUTH_SERVER, "MyRealm1",
+      HttpAuth::AUTH_SCHEME_BASIC, kNetworkIsolationKey1);
+  ASSERT_TRUE(entry);
+  ASSERT_EQ(kFoo2, entry->credentials().username());
+  ASSERT_EQ(kBar2, entry->credentials().password());
+  // Looking up the server entry with another NetworkIsolationKey should fail.
+  EXPECT_FALSE(session->http_auth_cache()->Lookup(
+      GURL("http://myproxy:70"), HttpAuth::AUTH_SERVER, "MyRealm1",
+      HttpAuth::AUTH_SCHEME_BASIC, kNetworkIsolationKey2));
+
+  // Make another request with a different NetworkIsolationKey. It should use
+  // another socket, reuse the cached proxy credentials, but result in a server
+  // auth challenge.
+  request.network_isolation_key = kNetworkIsolationKey2;
+  trans =
+      std::make_unique<HttpNetworkTransaction>(DEFAULT_PRIORITY, session.get());
+  rv = trans->Start(&request, callback.callback(), log.bound());
+  EXPECT_THAT(callback.GetResult(rv), IsOk());
+  response = trans->GetResponseInfo();
+  ASSERT_TRUE(response);
+  EXPECT_EQ(401, response->headers->response_code());
+  EXPECT_FALSE(response->auth_challenge->is_proxy);
+  EXPECT_EQ("http://myproxy:70",
+            response->auth_challenge->challenger.Serialize());
+  EXPECT_EQ("MyRealm1", response->auth_challenge->realm);
+  EXPECT_EQ(kBasicAuthScheme, response->auth_challenge->scheme);
+
+  rv = trans->RestartWithAuth(AuthCredentials(kFoo3, kBar3),
+                              callback.callback());
+  EXPECT_THAT(callback.GetResult(rv), IsOk());
+  response = trans->GetResponseInfo();
+  ASSERT_TRUE(response);
+  EXPECT_EQ(200, response->headers->response_code());
+  // The password prompt info should not be set.
+  EXPECT_FALSE(response->auth_challenge.has_value());
+  EXPECT_THAT(ReadTransaction(trans.get(), &response_data), IsOk());
+  EXPECT_EQ("greetings", response_data);
+
+  // Check that the proxy credentials are still cached.
+  entry = session->http_auth_cache()->Lookup(
+      GURL("http://myproxy:70"), HttpAuth::AUTH_PROXY, "MyRealm1",
+      HttpAuth::AUTH_SCHEME_BASIC, kNetworkIsolationKey1);
+  ASSERT_TRUE(entry);
+  ASSERT_EQ(kFoo, entry->credentials().username());
+  ASSERT_EQ(kBar, entry->credentials().password());
+  EXPECT_EQ(entry,
+            session->http_auth_cache()->Lookup(
+                GURL("http://myproxy:70"), HttpAuth::AUTH_PROXY, "MyRealm1",
+                HttpAuth::AUTH_SCHEME_BASIC, kNetworkIsolationKey2));
+
+  // Check that the correct server credentials are cached for each
+  // NetworkIsolationKey.
+  entry = session->http_auth_cache()->Lookup(
+      GURL("http://myproxy:70"), HttpAuth::AUTH_SERVER, "MyRealm1",
+      HttpAuth::AUTH_SCHEME_BASIC, kNetworkIsolationKey1);
+  ASSERT_TRUE(entry);
+  ASSERT_EQ(kFoo2, entry->credentials().username());
+  ASSERT_EQ(kBar2, entry->credentials().password());
+  entry = session->http_auth_cache()->Lookup(
+      GURL("http://myproxy:70"), HttpAuth::AUTH_SERVER, "MyRealm1",
+      HttpAuth::AUTH_SCHEME_BASIC, kNetworkIsolationKey2);
+  ASSERT_TRUE(entry);
+  ASSERT_EQ(kFoo3, entry->credentials().username());
+  ASSERT_EQ(kBar3, entry->credentials().password());
+
+  // Make a request with the original NetworkIsolationKey. It should reuse the
+  // first socket, and the proxy credentials sent on the first socket.
+  request.network_isolation_key = kNetworkIsolationKey1;
+  trans =
+      std::make_unique<HttpNetworkTransaction>(DEFAULT_PRIORITY, session.get());
+  rv = trans->Start(&request, callback.callback(), log.bound());
+  EXPECT_THAT(callback.GetResult(rv), IsOk());
+  response = trans->GetResponseInfo();
+  ASSERT_TRUE(response);
+  EXPECT_EQ(200, response->headers->response_code());
+  // The password prompt info should not be set.
+  EXPECT_FALSE(response->auth_challenge.has_value());
+  EXPECT_THAT(ReadTransaction(trans.get(), &response_data), IsOk());
+  EXPECT_EQ("hi", response_data);
+
+  trans.reset();
+  session->CloseAllConnections();
+}
+
+// Much like the test above, but uses tunnelled connections.
+TEST_F(HttpNetworkTransactionTest,
+       BasicAuthProxyMatchesServerAuthWithNetworkIsolationKeyWithTunnel) {
+  const url::Origin kOrigin1 = url::Origin::Create(GURL("https://foo.test/"));
+  const net::NetworkIsolationKey kNetworkIsolationKey1(kOrigin1, kOrigin1);
+  const url::Origin kOrigin2 = url::Origin::Create(GURL("https://bar.test/"));
+  const net::NetworkIsolationKey kNetworkIsolationKey2(kOrigin2, kOrigin2);
+
+  // This test would need to use a single socket without this option enabled.
+  // Best to use this option when it would affect a test, as it will eventually
+  // become the default behavior.
+  base::test::ScopedFeatureList feature_list;
+  feature_list.InitAndEnableFeature(
+      features::kPartitionConnectionsByNetworkIsolationKey);
+
+  // Proxy matches request URL.
+  session_deps_.proxy_resolution_service =
+      ProxyResolutionService::CreateFixedFromPacResult(
+          "HTTPS myproxy:70", TRAFFIC_ANNOTATION_FOR_TESTS);
+  RecordingBoundTestNetLog log;
+  session_deps_.net_log = log.bound().net_log();
+  session_deps_.key_auth_cache_server_entries_by_network_isolation_key = true;
+  std::unique_ptr<HttpNetworkSession> session(CreateSession(&session_deps_));
+
+  MockWrite data_writes[] = {
+      // Initial tunnel request gets a proxy auth challenge.
+      MockWrite("CONNECT myproxy:70 HTTP/1.1\r\n"
+                "Host: myproxy:70\r\n"
+                "Proxy-Connection: keep-alive\r\n\r\n"),
+      // Retry with proxy auth credentials, which will result in establishing a
+      // tunnel.
+      MockWrite("CONNECT myproxy:70 HTTP/1.1\r\n"
+                "Host: myproxy:70\r\n"
+                "Proxy-Connection: keep-alive\r\n"
+                "Proxy-Authorization: Basic Zm9vOmJhcg==\r\n\r\n"),
+      // Request over the tunnel, which gets a server auth challenge.
+      MockWrite("GET / HTTP/1.1\r\n"
+                "Host: myproxy:70\r\n"
+                "Connection: keep-alive\r\n\r\n"),
+      // Retry with server auth credentials, which gets a response.
+      MockWrite("GET / HTTP/1.1\r\n"
+                "Host: myproxy:70\r\n"
+                "Connection: keep-alive\r\n"
+                "Authorization: Basic Zm9vMjpiYXIy\r\n\r\n"),
+      // Another request to the same server and using the same NIK should
+      // preemptively send the correct cached server
+      // auth header. Since a tunnel was already established, the proxy headers
+      // won't be sent again except when establishing another tunnel.
+      MockWrite("GET / HTTP/1.1\r\n"
+                "Host: myproxy:70\r\n"
+                "Connection: keep-alive\r\n"
+                "Authorization: Basic Zm9vMjpiYXIy\r\n\r\n"),
+  };
+
+  MockRead data_reads[] = {
+      // Proxy auth challenge.
+      MockRead("HTTP/1.0 407 Proxy Authentication Required\r\n"
+               "Proxy-Connection: keep-alive\r\n"
+               "Proxy-Authenticate: Basic realm=\"MyRealm1\"\r\n"
+               "Content-Length: 0\r\n\r\n"),
+      // Tunnel success
+      MockRead("HTTP/1.1 200 Connection Established\r\n\r\n"),
+      // Server auth challenge.
+      MockRead("HTTP/1.0 401 Authentication Required\r\n"
+               "Connection: keep-alive\r\n"
+               "WWW-Authenticate: Basic realm=\"MyRealm1\"\r\n"
+               "Content-Length: 0\r\n\r\n"),
+      // Response.
+      MockRead("HTTP/1.1 200 OK\r\n"
+               "Connection: keep-alive\r\n"
+               "Content-Length: 5\r\n\r\n"
+               "hello"),
+      // Response to second request.
+      MockRead("HTTP/1.1 200 OK\r\n"
+               "Connection: keep-alive\r\n"
+               "Content-Length: 2\r\n\r\n"
+               "hi"),
+  };
+
+  StaticSocketDataProvider data(data_reads, data_writes);
+  session_deps_.socket_factory->AddSocketDataProvider(&data);
+  // One for the proxy connection, one of the server connection.
+  SSLSocketDataProvider ssl(ASYNC, OK);
+  session_deps_.socket_factory->AddSSLSocketDataProvider(&ssl);
+  SSLSocketDataProvider ssl2(ASYNC, OK);
+  session_deps_.socket_factory->AddSSLSocketDataProvider(&ssl2);
+
+  MockWrite data_writes2[] = {
+      // Initial request using a different NetworkIsolationKey includes the
+      // cached proxy credentials when establishing a tunnel.
+      MockWrite("CONNECT myproxy:70 HTTP/1.1\r\n"
+                "Host: myproxy:70\r\n"
+                "Proxy-Connection: keep-alive\r\n"
+                "Proxy-Authorization: Basic Zm9vOmJhcg==\r\n\r\n"),
+      // Request over the tunnel, which gets a server auth challenge. Cached
+      // credentials cannot be used, since the NIK is different.
+      MockWrite("GET / HTTP/1.1\r\n"
+                "Host: myproxy:70\r\n"
+                "Connection: keep-alive\r\n\r\n"),
+      // Retry with server auth credentials, which gets a response.
+      MockWrite("GET / HTTP/1.1\r\n"
+                "Host: myproxy:70\r\n"
+                "Connection: keep-alive\r\n"
+                "Authorization: Basic Zm9vMzpiYXIz\r\n\r\n"),
+  };
+
+  MockRead data_reads2[] = {
+      // Tunnel success
+      MockRead("HTTP/1.1 200 Connection Established\r\n\r\n"),
+      // Server auth challenge.
+      MockRead("HTTP/1.0 401 Authentication Required\r\n"
+               "Connection: keep-alive\r\n"
+               "WWW-Authenticate: Basic realm=\"MyRealm1\"\r\n"
+               "Content-Length: 0\r\n\r\n"),
+      // Response.
+      MockRead("HTTP/1.1 200 OK\r\n"
+               "Connection: keep-alive\r\n"
+               "Content-Length: 9\r\n\r\n"
+               "greetings"),
+  };
+
+  StaticSocketDataProvider data2(data_reads2, data_writes2);
+  session_deps_.socket_factory->AddSocketDataProvider(&data2);
+  // One for the proxy connection, one of the server connection.
+  SSLSocketDataProvider ssl3(ASYNC, OK);
+  session_deps_.socket_factory->AddSSLSocketDataProvider(&ssl3);
+  SSLSocketDataProvider ssl4(ASYNC, OK);
+  session_deps_.socket_factory->AddSSLSocketDataProvider(&ssl4);
+
+  TestCompletionCallback callback;
+
+  HttpRequestInfo request;
+  request.method = "GET";
+  request.url = GURL("https://myproxy:70/");
+  request.traffic_annotation =
+      net::MutableNetworkTrafficAnnotationTag(TRAFFIC_ANNOTATION_FOR_TESTS);
+  request.network_isolation_key = kNetworkIsolationKey1;
+
+  auto trans =
+      std::make_unique<HttpNetworkTransaction>(DEFAULT_PRIORITY, session.get());
+  int rv = trans->Start(&request, callback.callback(), log.bound());
+  EXPECT_THAT(callback.GetResult(rv), IsOk());
+  const HttpResponseInfo* response = trans->GetResponseInfo();
+  ASSERT_TRUE(response);
+  ASSERT_TRUE(response->headers);
+  EXPECT_EQ(407, response->headers->response_code());
+  EXPECT_TRUE(CheckBasicSecureProxyAuth(response->auth_challenge));
+
+  rv = trans->RestartWithAuth(AuthCredentials(kFoo, kBar), callback.callback());
+  EXPECT_THAT(callback.GetResult(rv), IsOk());
+  response = trans->GetResponseInfo();
+  ASSERT_TRUE(response);
+  EXPECT_EQ(401, response->headers->response_code());
+  EXPECT_FALSE(response->auth_challenge->is_proxy);
+  EXPECT_EQ("https://myproxy:70",
+            response->auth_challenge->challenger.Serialize());
+  EXPECT_EQ("MyRealm1", response->auth_challenge->realm);
+  EXPECT_EQ(kBasicAuthScheme, response->auth_challenge->scheme);
+
+  rv = trans->RestartWithAuth(AuthCredentials(kFoo2, kBar2),
+                              callback.callback());
+  EXPECT_THAT(callback.GetResult(rv), IsOk());
+  response = trans->GetResponseInfo();
+  ASSERT_TRUE(response);
+  EXPECT_EQ(200, response->headers->response_code());
+  // The password prompt info should not be set.
+  EXPECT_FALSE(response->auth_challenge.has_value());
+  std::string response_data;
+  EXPECT_THAT(ReadTransaction(trans.get(), &response_data), IsOk());
+  EXPECT_EQ("hello", response_data);
+
+  // Check that the proxy credentials were cached correctly. The should be
+  // accessible with any NetworkIsolationKey.
+  HttpAuthCache::Entry* entry = session->http_auth_cache()->Lookup(
+      GURL("https://myproxy:70"), HttpAuth::AUTH_PROXY, "MyRealm1",
+      HttpAuth::AUTH_SCHEME_BASIC, kNetworkIsolationKey1);
+  ASSERT_TRUE(entry);
+  ASSERT_EQ(kFoo, entry->credentials().username());
+  ASSERT_EQ(kBar, entry->credentials().password());
+  EXPECT_EQ(entry,
+            session->http_auth_cache()->Lookup(
+                GURL("https://myproxy:70"), HttpAuth::AUTH_PROXY, "MyRealm1",
+                HttpAuth::AUTH_SCHEME_BASIC, kNetworkIsolationKey2));
+
+  // Check that the server credentials were cached correctly. The should be
+  // accessible with only kNetworkIsolationKey1.
+  entry = session->http_auth_cache()->Lookup(
+      GURL("https://myproxy:70"), HttpAuth::AUTH_SERVER, "MyRealm1",
+      HttpAuth::AUTH_SCHEME_BASIC, kNetworkIsolationKey1);
+  ASSERT_TRUE(entry);
+  ASSERT_EQ(kFoo2, entry->credentials().username());
+  ASSERT_EQ(kBar2, entry->credentials().password());
+  // Looking up the server entry with another NetworkIsolationKey should fail.
+  EXPECT_FALSE(session->http_auth_cache()->Lookup(
+      GURL("https://myproxy:70"), HttpAuth::AUTH_SERVER, "MyRealm1",
+      HttpAuth::AUTH_SCHEME_BASIC, kNetworkIsolationKey2));
+
+  // Make another request with a different NetworkIsolationKey. It should use
+  // another socket, reuse the cached proxy credentials, but result in a server
+  // auth challenge.
+  request.network_isolation_key = kNetworkIsolationKey2;
+  trans =
+      std::make_unique<HttpNetworkTransaction>(DEFAULT_PRIORITY, session.get());
+  rv = trans->Start(&request, callback.callback(), log.bound());
+  EXPECT_THAT(callback.GetResult(rv), IsOk());
+  response = trans->GetResponseInfo();
+  ASSERT_TRUE(response);
+  EXPECT_EQ(401, response->headers->response_code());
+  EXPECT_FALSE(response->auth_challenge->is_proxy);
+  EXPECT_EQ("https://myproxy:70",
+            response->auth_challenge->challenger.Serialize());
+  EXPECT_EQ("MyRealm1", response->auth_challenge->realm);
+  EXPECT_EQ(kBasicAuthScheme, response->auth_challenge->scheme);
+
+  rv = trans->RestartWithAuth(AuthCredentials(kFoo3, kBar3),
+                              callback.callback());
+  EXPECT_THAT(callback.GetResult(rv), IsOk());
+  response = trans->GetResponseInfo();
+  ASSERT_TRUE(response);
+  EXPECT_EQ(200, response->headers->response_code());
+  // The password prompt info should not be set.
+  EXPECT_FALSE(response->auth_challenge.has_value());
+  EXPECT_THAT(ReadTransaction(trans.get(), &response_data), IsOk());
+  EXPECT_EQ("greetings", response_data);
+
+  // Check that the proxy credentials are still cached.
+  entry = session->http_auth_cache()->Lookup(
+      GURL("https://myproxy:70"), HttpAuth::AUTH_PROXY, "MyRealm1",
+      HttpAuth::AUTH_SCHEME_BASIC, kNetworkIsolationKey1);
+  ASSERT_TRUE(entry);
+  ASSERT_EQ(kFoo, entry->credentials().username());
+  ASSERT_EQ(kBar, entry->credentials().password());
+  EXPECT_EQ(entry,
+            session->http_auth_cache()->Lookup(
+                GURL("https://myproxy:70"), HttpAuth::AUTH_PROXY, "MyRealm1",
+                HttpAuth::AUTH_SCHEME_BASIC, kNetworkIsolationKey2));
+
+  // Check that the correct server credentials are cached for each
+  // NetworkIsolationKey.
+  entry = session->http_auth_cache()->Lookup(
+      GURL("https://myproxy:70"), HttpAuth::AUTH_SERVER, "MyRealm1",
+      HttpAuth::AUTH_SCHEME_BASIC, kNetworkIsolationKey1);
+  ASSERT_TRUE(entry);
+  ASSERT_EQ(kFoo2, entry->credentials().username());
+  ASSERT_EQ(kBar2, entry->credentials().password());
+  entry = session->http_auth_cache()->Lookup(
+      GURL("https://myproxy:70"), HttpAuth::AUTH_SERVER, "MyRealm1",
+      HttpAuth::AUTH_SCHEME_BASIC, kNetworkIsolationKey2);
+  ASSERT_TRUE(entry);
+  ASSERT_EQ(kFoo3, entry->credentials().username());
+  ASSERT_EQ(kBar3, entry->credentials().password());
+
+  // Make a request with the original NetworkIsolationKey. It should reuse the
+  // first socket, and the proxy credentials sent on the first socket.
+  request.network_isolation_key = kNetworkIsolationKey1;
+  trans =
+      std::make_unique<HttpNetworkTransaction>(DEFAULT_PRIORITY, session.get());
+  rv = trans->Start(&request, callback.callback(), log.bound());
+  EXPECT_THAT(callback.GetResult(rv), IsOk());
+  response = trans->GetResponseInfo();
+  ASSERT_TRUE(response);
+  EXPECT_EQ(200, response->headers->response_code());
+  // The password prompt info should not be set.
+  EXPECT_FALSE(response->auth_challenge.has_value());
+  EXPECT_THAT(ReadTransaction(trans.get(), &response_data), IsOk());
+  EXPECT_EQ("hi", response_data);
+
+  trans.reset();
+  session->CloseAllConnections();
+}
+
 // Test that we don't pass extraneous headers from the proxy's response to the
 // caller when the proxy responds to CONNECT with 407.
 TEST_F(HttpNetworkTransactionTest, SanitizeProxyAuthHeaders) {
@@ -4092,7 +4782,7 @@ TEST_F(HttpNetworkTransactionTest, HttpsServerRequestsProxyAuthThroughProxy) {
 
   session_deps_.proxy_resolution_service = ProxyResolutionService::CreateFixed(
       "myproxy:70", TRAFFIC_ANNOTATION_FOR_TESTS);
-  BoundTestNetLog log;
+  RecordingBoundTestNetLog log;
   session_deps_.net_log = log.bound().net_log();
   std::unique_ptr<HttpNetworkSession> session(CreateSession(&session_deps_));
 
@@ -4164,8 +4854,7 @@ TEST_F(HttpNetworkTransactionTest,
   session_deps_.http_auth_handler_factory = std::move(auth_handler_factory);
 
   // Add NetLog just so can verify load timing information gets a NetLog ID.
-  NetLog net_log;
-  session_deps_.net_log = &net_log;
+  session_deps_.net_log = NetLog::Get();
   std::unique_ptr<HttpNetworkSession> session = CreateSession(&session_deps_);
 
   // Since we have proxy, should try to establish tunnel.
@@ -4281,8 +4970,7 @@ TEST_F(HttpNetworkTransactionTest,
   session_deps_.http_auth_handler_factory = std::move(auth_handler_factory);
 
   // Add NetLog just so can verify load timing information gets a NetLog ID.
-  NetLog net_log;
-  session_deps_.net_log = &net_log;
+  session_deps_.net_log = NetLog::Get();
   std::unique_ptr<HttpNetworkSession> session = CreateSession(&session_deps_);
 
   // Should try to establish tunnel.
@@ -4403,8 +5091,7 @@ TEST_F(HttpNetworkTransactionTest,
   session_deps_.http_auth_handler_factory = std::move(auth_handler_factory);
 
   // Add NetLog just so can verify load timing information gets a NetLog ID.
-  NetLog net_log;
-  session_deps_.net_log = &net_log;
+  session_deps_.net_log = NetLog::Get();
   std::unique_ptr<HttpNetworkSession> session = CreateSession(&session_deps_);
 
   // Should try to establish tunnel.
@@ -4519,8 +5206,7 @@ TEST_F(HttpNetworkTransactionTest,
                                        HttpAuth::AUTH_PROXY);
   session_deps_.http_auth_handler_factory = std::move(auth_handler_factory);
 
-  NetLog net_log;
-  session_deps_.net_log = &net_log;
+  session_deps_.net_log = NetLog::Get();
   std::unique_ptr<HttpNetworkSession> session = CreateSession(&session_deps_);
 
   // Data for both sockets.
@@ -4629,8 +5315,7 @@ TEST_F(HttpNetworkTransactionTest,
   session_deps_.http_auth_handler_factory = std::move(auth_handler_factory);
 
   // Add NetLog just so can verify load timing information gets a NetLog ID.
-  NetLog net_log;
-  session_deps_.net_log = &net_log;
+  session_deps_.net_log = NetLog::Get();
   std::unique_ptr<HttpNetworkSession> session = CreateSession(&session_deps_);
 
   // Should try to establish tunnel.
@@ -4847,6 +5532,7 @@ class SameProxyWithDifferentSchemesProxyResolver : public ProxyResolver {
 
   // ProxyResolver implementation.
   int GetProxyForURL(const GURL& url,
+                     const NetworkIsolationKey& network_isolation_key,
                      ProxyInfo* results,
                      CompletionOnceCallback callback,
                      std::unique_ptr<Request>* request,
@@ -5126,7 +5812,7 @@ TEST_F(HttpNetworkTransactionTest, HttpProxyLoadTimingNoPacTwoRequests) {
   // Configure against proxy server "myproxy:70".
   session_deps_.proxy_resolution_service = ProxyResolutionService::CreateFixed(
       "myproxy:70", TRAFFIC_ANNOTATION_FOR_TESTS);
-  BoundTestNetLog log;
+  RecordingBoundTestNetLog log;
   session_deps_.net_log = log.bound().net_log();
   std::unique_ptr<HttpNetworkSession> session(CreateSession(&session_deps_));
 
@@ -5230,7 +5916,7 @@ TEST_F(HttpNetworkTransactionTest, HttpProxyLoadTimingWithPacTwoRequests) {
   session_deps_.proxy_resolution_service =
       ProxyResolutionService::CreateFixedFromPacResult(
           "PROXY myproxy:70", TRAFFIC_ANNOTATION_FOR_TESTS);
-  BoundTestNetLog log;
+  RecordingBoundTestNetLog log;
   session_deps_.net_log = log.bound().net_log();
   std::unique_ptr<HttpNetworkSession> session(CreateSession(&session_deps_));
 
@@ -5315,6 +6001,46 @@ TEST_F(HttpNetworkTransactionTest, HttpProxyLoadTimingWithPacTwoRequests) {
   session->CloseAllConnections();
 }
 
+// Make sure that NetworkIsolationKeys are passed down to the proxy layer.
+TEST_F(HttpNetworkTransactionTest, ProxyResolvedWithNetworkIsolationKey) {
+  const url::Origin kOrigin = url::Origin::Create(GURL("https://foo.test/"));
+  const net::NetworkIsolationKey kNetworkIsolationKey(kOrigin, kOrigin);
+
+  ProxyConfig proxy_config;
+  proxy_config.set_auto_detect(true);
+  proxy_config.set_pac_url(GURL("http://fooproxyurl"));
+
+  CapturingProxyResolver capturing_proxy_resolver;
+  capturing_proxy_resolver.set_proxy_server(ProxyServer::Direct());
+  session_deps_.proxy_resolution_service =
+      std::make_unique<ProxyResolutionService>(
+          std::make_unique<ProxyConfigServiceFixed>(ProxyConfigWithAnnotation(
+              proxy_config, TRAFFIC_ANNOTATION_FOR_TESTS)),
+          std::make_unique<CapturingProxyResolverFactory>(
+              &capturing_proxy_resolver),
+          nullptr);
+
+  std::unique_ptr<HttpNetworkSession> session(CreateSession(&session_deps_));
+
+  // No need to continue with the network request - proxy resolution occurs
+  // before establishing a data.
+  StaticSocketDataProvider data{base::span<MockRead>(),
+                                base::span<MockWrite>()};
+  data.set_connect_data(MockConnect(SYNCHRONOUS, ERR_FAILED));
+  session_deps_.socket_factory->AddSocketDataProvider(&data);
+
+  // Run first request until an auth challenge is observed.
+  HttpRequestInfo request;
+  request.method = "GET";
+  request.url = GURL("http://foo.test/");
+  request.traffic_annotation =
+      net::MutableNetworkTrafficAnnotationTag(TRAFFIC_ANNOTATION_FOR_TESTS);
+  HttpNetworkTransaction trans(LOWEST, session.get());
+  TestCompletionCallback callback;
+  int rv = trans.Start(&request, callback.callback(), NetLogWithSource());
+  EXPECT_THAT(callback.GetResult(rv), IsError(ERR_FAILED));
+}
+
 // Test a simple get through an HTTPS Proxy.
 TEST_F(HttpNetworkTransactionTest, HttpsProxyGet) {
   HttpRequestInfo request;
@@ -5326,7 +6052,7 @@ TEST_F(HttpNetworkTransactionTest, HttpsProxyGet) {
   // Configure against https proxy server "proxy:70".
   session_deps_.proxy_resolution_service = ProxyResolutionService::CreateFixed(
       "https://proxy:70", TRAFFIC_ANNOTATION_FOR_TESTS);
-  BoundTestNetLog log;
+  RecordingBoundTestNetLog log;
   session_deps_.net_log = log.bound().net_log();
   std::unique_ptr<HttpNetworkSession> session(CreateSession(&session_deps_));
 
@@ -5389,7 +6115,7 @@ TEST_F(HttpNetworkTransactionTest, HttpsProxySpdyGet) {
   // Configure against https proxy server "proxy:70".
   session_deps_.proxy_resolution_service = ProxyResolutionService::CreateFixed(
       "https://proxy:70", TRAFFIC_ANNOTATION_FOR_TESTS);
-  BoundTestNetLog log;
+  RecordingBoundTestNetLog log;
   session_deps_.net_log = log.bound().net_log();
   std::unique_ptr<HttpNetworkSession> session(CreateSession(&session_deps_));
 
@@ -5451,7 +6177,7 @@ TEST_F(HttpNetworkTransactionTest, HttpsProxySpdyGetWithSessionRace) {
   // Configure SPDY proxy server "proxy:70".
   session_deps_.proxy_resolution_service = ProxyResolutionService::CreateFixed(
       "https://proxy:70", TRAFFIC_ANNOTATION_FOR_TESTS);
-  BoundTestNetLog log;
+  RecordingBoundTestNetLog log;
   session_deps_.net_log = log.bound().net_log();
   std::unique_ptr<HttpNetworkSession> session(CreateSession(&session_deps_));
 
@@ -5522,7 +6248,7 @@ TEST_F(HttpNetworkTransactionTest, HttpsProxySpdyGetWithProxyAuth) {
   // Configure against https proxy server "myproxy:70".
   session_deps_.proxy_resolution_service = ProxyResolutionService::CreateFixed(
       "https://myproxy:70", TRAFFIC_ANNOTATION_FOR_TESTS);
-  BoundTestNetLog log;
+  RecordingBoundTestNetLog log;
   session_deps_.net_log = log.bound().net_log();
   std::unique_ptr<HttpNetworkSession> session(CreateSession(&session_deps_));
 
@@ -5619,7 +6345,7 @@ TEST_F(HttpNetworkTransactionTest, HttpsProxySpdyConnectHttps) {
   // Configure against https proxy server "proxy:70".
   session_deps_.proxy_resolution_service = ProxyResolutionService::CreateFixed(
       "https://proxy:70", TRAFFIC_ANNOTATION_FOR_TESTS);
-  BoundTestNetLog log;
+  RecordingBoundTestNetLog log;
   session_deps_.net_log = log.bound().net_log();
   std::unique_ptr<HttpNetworkSession> session(CreateSession(&session_deps_));
 
@@ -5705,7 +6431,7 @@ TEST_F(HttpNetworkTransactionTest, HttpsProxySpdyConnectSpdy) {
   // Configure against https proxy server "proxy:70".
   session_deps_.proxy_resolution_service = ProxyResolutionService::CreateFixed(
       "https://proxy:70", TRAFFIC_ANNOTATION_FOR_TESTS);
-  BoundTestNetLog log;
+  RecordingBoundTestNetLog log;
   session_deps_.net_log = log.bound().net_log();
   std::unique_ptr<HttpNetworkSession> session(CreateSession(&session_deps_));
 
@@ -5797,7 +6523,7 @@ TEST_F(HttpNetworkTransactionTest, HttpsProxySpdyConnectFailure) {
   // Configure against https proxy server "proxy:70".
   session_deps_.proxy_resolution_service = ProxyResolutionService::CreateFixed(
       "https://proxy:70", TRAFFIC_ANNOTATION_FOR_TESTS);
-  BoundTestNetLog log;
+  RecordingBoundTestNetLog log;
   session_deps_.net_log = log.bound().net_log();
   std::unique_ptr<HttpNetworkSession> session(CreateSession(&session_deps_));
 
@@ -6017,7 +6743,7 @@ TEST_F(HttpNetworkTransactionTest,
   // Configure against https proxy server "proxy:70".
   session_deps_.proxy_resolution_service = ProxyResolutionService::CreateFixed(
       "https://proxy:70", TRAFFIC_ANNOTATION_FOR_TESTS);
-  BoundTestNetLog log;
+  RecordingBoundTestNetLog log;
   session_deps_.net_log = log.bound().net_log();
   std::unique_ptr<HttpNetworkSession> session(
       SpdySessionDependencies::SpdyCreateSession(&session_deps_));
@@ -6155,7 +6881,7 @@ TEST_F(HttpNetworkTransactionTest,
   // Configure against https proxy server "proxy:70".
   session_deps_.proxy_resolution_service = ProxyResolutionService::CreateFixed(
       "https://proxy:70", TRAFFIC_ANNOTATION_FOR_TESTS);
-  BoundTestNetLog log;
+  RecordingBoundTestNetLog log;
   session_deps_.net_log = log.bound().net_log();
   std::unique_ptr<HttpNetworkSession> session(
       SpdySessionDependencies::SpdyCreateSession(&session_deps_));
@@ -6282,7 +7008,7 @@ TEST_F(HttpNetworkTransactionTest, HttpsProxySpdyLoadTimingTwoHttpRequests) {
   // Configure against https proxy server "proxy:70".
   session_deps_.proxy_resolution_service = ProxyResolutionService::CreateFixed(
       "https://proxy:70", TRAFFIC_ANNOTATION_FOR_TESTS);
-  BoundTestNetLog log;
+  RecordingBoundTestNetLog log;
   session_deps_.net_log = log.bound().net_log();
   std::unique_ptr<HttpNetworkSession> session(
       SpdySessionDependencies::SpdyCreateSession(&session_deps_));
@@ -6661,7 +7387,7 @@ TEST_F(HttpNetworkTransactionTest, HttpsProxyAuthRetry) {
   // Configure against https proxy server "myproxy:70".
   session_deps_.proxy_resolution_service = ProxyResolutionService::CreateFixed(
       "https://myproxy:70", TRAFFIC_ANNOTATION_FOR_TESTS);
-  BoundTestNetLog log;
+  RecordingBoundTestNetLog log;
   session_deps_.net_log = log.bound().net_log();
   std::unique_ptr<HttpNetworkSession> session(CreateSession(&session_deps_));
 
@@ -9628,7 +10354,7 @@ TEST_F(HttpNetworkTransactionTest, HTTPSViaHttpsProxy) {
   session_deps_.proxy_resolution_service =
       ProxyResolutionService::CreateFixedFromPacResult(
           "HTTPS proxy:70", TRAFFIC_ANNOTATION_FOR_TESTS);
-  TestNetLog net_log;
+  RecordingTestNetLog net_log;
   session_deps_.net_log = &net_log;
 
   HttpRequestInfo request;
@@ -9693,7 +10419,7 @@ TEST_F(HttpNetworkTransactionTest, RedirectOfHttpsConnectViaHttpsProxy) {
   session_deps_.proxy_resolution_service =
       ProxyResolutionService::CreateFixedFromPacResult(
           "HTTPS proxy:70", TRAFFIC_ANNOTATION_FOR_TESTS);
-  TestNetLog net_log;
+  RecordingTestNetLog net_log;
   session_deps_.net_log = &net_log;
 
   const base::TimeDelta kTimeIncrement = base::TimeDelta::FromSeconds(4);
@@ -9761,7 +10487,7 @@ TEST_F(HttpNetworkTransactionTest,
   session_deps_.proxy_resolution_service =
       ProxyResolutionService::CreateFixedFromPacResult(
           "HTTPS proxy:70", TRAFFIC_ANNOTATION_FOR_TESTS);
-  TestNetLog net_log;
+  RecordingTestNetLog net_log;
   session_deps_.net_log = &net_log;
 
   HttpRequestInfo request;
@@ -9809,7 +10535,7 @@ TEST_F(HttpNetworkTransactionTest,
   session_deps_.proxy_resolution_service =
       ProxyResolutionService::CreateFixedFromAutoDetectedPacResult(
           "HTTPS proxy:70", TRAFFIC_ANNOTATION_FOR_TESTS);
-  TestNetLog net_log;
+  RecordingTestNetLog net_log;
   session_deps_.net_log = &net_log;
 
   HttpRequestInfo request;
@@ -9856,7 +10582,7 @@ TEST_F(HttpNetworkTransactionTest, RedirectOfHttpsConnectViaSpdyProxy) {
   base::HistogramTester histograms;
   session_deps_.proxy_resolution_service = ProxyResolutionService::CreateFixed(
       "https://proxy:70", TRAFFIC_ANNOTATION_FOR_TESTS);
-  TestNetLog net_log;
+  RecordingTestNetLog net_log;
   session_deps_.net_log = &net_log;
 
   const base::TimeDelta kTimeIncrement = base::TimeDelta::FromSeconds(4);
@@ -10036,7 +10762,7 @@ TEST_F(HttpNetworkTransactionTest, BasicAuthSpdyProxy) {
   session_deps_.proxy_resolution_service =
       ProxyResolutionService::CreateFixedFromPacResult(
           "HTTPS myproxy:70", TRAFFIC_ANNOTATION_FOR_TESTS);
-  BoundTestNetLog log;
+  RecordingBoundTestNetLog log;
   session_deps_.net_log = log.bound().net_log();
   std::unique_ptr<HttpNetworkSession> session(CreateSession(&session_deps_));
 
@@ -10185,7 +10911,7 @@ TEST_F(HttpNetworkTransactionTest, CrossOriginSPDYProxyPush) {
   session_deps_.proxy_resolution_service =
       ProxyResolutionService::CreateFixedFromPacResult(
           "HTTPS myproxy:443", TRAFFIC_ANNOTATION_FOR_TESTS);
-  BoundTestNetLog log;
+  RecordingBoundTestNetLog log;
   session_deps_.net_log = log.bound().net_log();
 
   session_deps_.proxy_resolution_service->SetProxyDelegate(
@@ -10301,7 +11027,7 @@ TEST_F(HttpNetworkTransactionTest, CrossOriginProxyPushCorrectness) {
 
   session_deps_.proxy_resolution_service = ProxyResolutionService::CreateFixed(
       "https://myproxy:443", TRAFFIC_ANNOTATION_FOR_TESTS);
-  BoundTestNetLog log;
+  RecordingBoundTestNetLog log;
   session_deps_.net_log = log.bound().net_log();
 
   // Enable cross-origin push.
@@ -10386,7 +11112,7 @@ TEST_F(HttpNetworkTransactionTest, SameOriginProxyPushCorrectness) {
   // Configure against https proxy server "myproxy:70".
   session_deps_.proxy_resolution_service = ProxyResolutionService::CreateFixed(
       "https://myproxy:70", TRAFFIC_ANNOTATION_FOR_TESTS);
-  BoundTestNetLog log;
+  RecordingBoundTestNetLog log;
   session_deps_.net_log = log.bound().net_log();
 
   // Enable cross-origin push.
@@ -10973,7 +11699,7 @@ TEST_F(HttpNetworkTransactionTest, SOCKS4_HTTP_GET) {
   session_deps_.proxy_resolution_service =
       ProxyResolutionService::CreateFixedFromPacResult(
           "SOCKS myproxy:1080", TRAFFIC_ANNOTATION_FOR_TESTS);
-  TestNetLog net_log;
+  RecordingTestNetLog net_log;
   session_deps_.net_log = &net_log;
 
   std::unique_ptr<HttpNetworkSession> session(CreateSession(&session_deps_));
@@ -11030,7 +11756,7 @@ TEST_F(HttpNetworkTransactionTest, SOCKS4_SSL_GET) {
   session_deps_.proxy_resolution_service =
       ProxyResolutionService::CreateFixedFromPacResult(
           "SOCKS myproxy:1080", TRAFFIC_ANNOTATION_FOR_TESTS);
-  TestNetLog net_log;
+  RecordingTestNetLog net_log;
   session_deps_.net_log = &net_log;
 
   std::unique_ptr<HttpNetworkSession> session(CreateSession(&session_deps_));
@@ -11091,7 +11817,7 @@ TEST_F(HttpNetworkTransactionTest, SOCKS4_HTTP_GET_no_PAC) {
 
   session_deps_.proxy_resolution_service = ProxyResolutionService::CreateFixed(
       "socks4://myproxy:1080", TRAFFIC_ANNOTATION_FOR_TESTS);
-  TestNetLog net_log;
+  RecordingTestNetLog net_log;
   session_deps_.net_log = &net_log;
 
   std::unique_ptr<HttpNetworkSession> session(CreateSession(&session_deps_));
@@ -11147,7 +11873,7 @@ TEST_F(HttpNetworkTransactionTest, SOCKS5_HTTP_GET) {
   session_deps_.proxy_resolution_service =
       ProxyResolutionService::CreateFixedFromPacResult(
           "SOCKS5 myproxy:1080", TRAFFIC_ANNOTATION_FOR_TESTS);
-  TestNetLog net_log;
+  RecordingTestNetLog net_log;
   session_deps_.net_log = &net_log;
 
   std::unique_ptr<HttpNetworkSession> session(CreateSession(&session_deps_));
@@ -11218,7 +11944,7 @@ TEST_F(HttpNetworkTransactionTest, SOCKS5_SSL_GET) {
   session_deps_.proxy_resolution_service =
       ProxyResolutionService::CreateFixedFromPacResult(
           "SOCKS5 myproxy:1080", TRAFFIC_ANNOTATION_FOR_TESTS);
-  TestNetLog net_log;
+  RecordingTestNetLog net_log;
   session_deps_.net_log = &net_log;
 
   std::unique_ptr<HttpNetworkSession> session(CreateSession(&session_deps_));
@@ -12470,7 +13196,7 @@ TEST_F(HttpNetworkTransactionTest, ClearAlternativeServices) {
   base::Time expiration = base::Time::Now() + base::TimeDelta::FromDays(1);
   http_server_properties->SetQuicAlternativeService(
       test_server, NetworkIsolationKey(), alternative_service, expiration,
-      session->params().quic_params.supported_versions);
+      session->context().quic_context->params()->supported_versions);
   EXPECT_EQ(1u,
             http_server_properties
                 ->GetAlternativeServiceInfos(test_server, NetworkIsolationKey())
@@ -12629,7 +13355,7 @@ TEST_F(HttpNetworkTransactionTest, IdentifyQuicBroken) {
   base::Time expiration = base::Time::Now() + base::TimeDelta::FromDays(1);
   http_server_properties->SetQuicAlternativeService(
       server, NetworkIsolationKey(), alternative_service, expiration,
-      HttpNetworkSession::Params().quic_params.supported_versions);
+      DefaultSupportedQuicVersions());
   // Mark the QUIC alternative service as broken.
   http_server_properties->MarkAlternativeServiceBroken(alternative_service,
                                                        NetworkIsolationKey());
@@ -12695,12 +13421,12 @@ TEST_F(HttpNetworkTransactionTest, IdentifyQuicNotBroken) {
   alternative_service_info_vector.push_back(
       AlternativeServiceInfo::CreateQuicAlternativeServiceInfo(
           alternative_service1, expiration,
-          session->params().quic_params.supported_versions));
+          session->context().quic_context->params()->supported_versions));
   AlternativeService alternative_service2(kProtoQUIC, alternative2);
   alternative_service_info_vector.push_back(
       AlternativeServiceInfo::CreateQuicAlternativeServiceInfo(
           alternative_service2, expiration,
-          session->params().quic_params.supported_versions));
+          session->context().quic_context->params()->supported_versions));
 
   http_server_properties->SetAlternativeServices(
       server, NetworkIsolationKey(), alternative_service_info_vector);
@@ -13383,7 +14109,7 @@ TEST_F(HttpNetworkTransactionTest, UseOriginNotAlternativeForProxy) {
   auto proxy_resolver_factory = std::make_unique<CapturingProxyResolverFactory>(
       &capturing_proxy_resolver);
 
-  TestNetLog net_log;
+  RecordingTestNetLog net_log;
 
   session_deps_.proxy_resolution_service =
       std::make_unique<ProxyResolutionService>(
@@ -13454,7 +14180,7 @@ TEST_F(HttpNetworkTransactionTest, UseOriginNotAlternativeForProxy) {
   EXPECT_EQ("hello!", response_data);
 
   // Origin host bypasses proxy, no resolution should have happened.
-  ASSERT_TRUE(capturing_proxy_resolver.resolved().empty());
+  ASSERT_TRUE(capturing_proxy_resolver.lookup_info().empty());
 }
 
 TEST_F(HttpNetworkTransactionTest, UseAlternativeServiceForTunneledNpnSpdy) {
@@ -13470,7 +14196,7 @@ TEST_F(HttpNetworkTransactionTest, UseAlternativeServiceForTunneledNpnSpdy) {
           std::make_unique<CapturingProxyResolverFactory>(
               &capturing_proxy_resolver),
           nullptr);
-  TestNetLog net_log;
+  RecordingTestNetLog net_log;
   session_deps_.net_log = &net_log;
 
   HttpRequestInfo request;
@@ -13564,11 +14290,11 @@ TEST_F(HttpNetworkTransactionTest, UseAlternativeServiceForTunneledNpnSpdy) {
 
   ASSERT_THAT(ReadTransaction(trans.get(), &response_data), IsOk());
   EXPECT_EQ("hello!", response_data);
-  ASSERT_EQ(2u, capturing_proxy_resolver.resolved().size());
+  ASSERT_EQ(2u, capturing_proxy_resolver.lookup_info().size());
   EXPECT_EQ("https://www.example.org/",
-            capturing_proxy_resolver.resolved()[0].spec());
+            capturing_proxy_resolver.lookup_info()[0].url.spec());
   EXPECT_EQ("https://www.example.org/",
-            capturing_proxy_resolver.resolved()[1].spec());
+            capturing_proxy_resolver.lookup_info()[1].url.spec());
 
   LoadTimingInfo load_timing_info;
   EXPECT_TRUE(trans->GetLoadTimingInfo(&load_timing_info));
@@ -14945,7 +15671,7 @@ TEST_F(HttpNetworkTransactionTest, SimpleCancel) {
 
   TestCompletionCallback callback;
 
-  BoundTestNetLog log;
+  RecordingBoundTestNetLog log;
   int rv = trans->Start(&request, callback.callback(), log.bound());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
   trans.reset();  // Cancel the transaction here.
@@ -15009,7 +15735,7 @@ TEST_F(HttpNetworkTransactionTest, ProxyGet) {
   session_deps_.proxy_resolution_service =
       ProxyResolutionService::CreateFixedFromPacResult(
           "PROXY myproxy:70", TRAFFIC_ANNOTATION_FOR_TESTS);
-  BoundTestNetLog log;
+  RecordingBoundTestNetLog log;
   session_deps_.net_log = log.bound().net_log();
   std::unique_ptr<HttpNetworkSession> session(CreateSession(&session_deps_));
 
@@ -15076,7 +15802,7 @@ TEST_F(HttpNetworkTransactionTest, ProxyTunnelGet) {
   session_deps_.proxy_resolution_service =
       ProxyResolutionService::CreateFixedFromPacResult(
           "PROXY myproxy:70", TRAFFIC_ANNOTATION_FOR_TESTS);
-  BoundTestNetLog log;
+  RecordingBoundTestNetLog log;
   session_deps_.net_log = log.bound().net_log();
   std::unique_ptr<HttpNetworkSession> session(CreateSession(&session_deps_));
 
@@ -15160,7 +15886,7 @@ TEST_F(HttpNetworkTransactionTest, ProxyTunnelGetIPv6) {
   session_deps_.proxy_resolution_service =
       ProxyResolutionService::CreateFixedFromPacResult(
           "PROXY myproxy:70", TRAFFIC_ANNOTATION_FOR_TESTS);
-  BoundTestNetLog log;
+  RecordingBoundTestNetLog log;
   session_deps_.net_log = log.bound().net_log();
   std::unique_ptr<HttpNetworkSession> session(CreateSession(&session_deps_));
 
@@ -15236,7 +15962,7 @@ TEST_F(HttpNetworkTransactionTest, ProxyTunnelGetIPv6) {
 TEST_F(HttpNetworkTransactionTest, ProxyTunnelGetHangup) {
   session_deps_.proxy_resolution_service = ProxyResolutionService::CreateFixed(
       "myproxy:70", TRAFFIC_ANNOTATION_FOR_TESTS);
-  BoundTestNetLog log;
+  RecordingBoundTestNetLog log;
   session_deps_.net_log = log.bound().net_log();
   std::unique_ptr<HttpNetworkSession> session(CreateSession(&session_deps_));
 
@@ -15605,7 +16331,7 @@ TEST_F(HttpNetworkTransactionTest, ClientAuthCertCache_Direct_FalseStart) {
 TEST_F(HttpNetworkTransactionTest, ClientAuthCertCache_Proxy_Fail) {
   session_deps_.proxy_resolution_service = ProxyResolutionService::CreateFixed(
       "https://proxy:70", TRAFFIC_ANNOTATION_FOR_TESTS);
-  BoundTestNetLog log;
+  RecordingBoundTestNetLog log;
   session_deps_.net_log = log.bound().net_log();
 
   auto cert_request = base::MakeRefCounted<SSLCertRequestInfo>();
@@ -15886,7 +16612,8 @@ TEST_F(HttpNetworkTransactionTest, UseIPConnectionPooling) {
 
   // Preload mail.example.com into HostCache.
   rv = session_deps_.host_resolver->LoadIntoCache(
-      HostPortPair("mail.example.com", 443), base::nullopt);
+      HostPortPair("mail.example.com", 443), NetworkIsolationKey(),
+      base::nullopt);
   EXPECT_THAT(rv, IsOk());
 
   HttpRequestInfo request2;
@@ -16058,7 +16785,8 @@ TEST_F(HttpNetworkTransactionTest, RetryWithoutConnectionPooling) {
 
   // Preload mail.example.org into HostCache.
   int rv = session_deps_.host_resolver->LoadIntoCache(
-      HostPortPair("mail.example.com", 443), base::nullopt);
+      HostPortPair("mail.example.com", 443), NetworkIsolationKey(),
+      base::nullopt);
   EXPECT_THAT(rv, IsOk());
 
   HttpRequestInfo request1;
@@ -16093,7 +16821,7 @@ TEST_F(HttpNetworkTransactionTest, RetryWithoutConnectionPooling) {
       net::MutableNetworkTrafficAnnotationTag(TRAFFIC_ANNOTATION_FOR_TESTS);
   HttpNetworkTransaction trans2(DEFAULT_PRIORITY, session.get());
 
-  BoundTestNetLog log;
+  RecordingBoundTestNetLog log;
   rv = trans2.Start(&request2, callback.callback(), log.bound());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
   rv = callback.WaitForResult();
@@ -16183,7 +16911,8 @@ TEST_F(HttpNetworkTransactionTest, ReturnHTTP421OnRetry) {
 
   // Preload mail.example.org into HostCache.
   int rv = session_deps_.host_resolver->LoadIntoCache(
-      HostPortPair("mail.example.com", 443), base::nullopt);
+      HostPortPair("mail.example.com", 443), NetworkIsolationKey(),
+      base::nullopt);
   EXPECT_THAT(rv, IsOk());
 
   HttpRequestInfo request1;
@@ -16218,7 +16947,7 @@ TEST_F(HttpNetworkTransactionTest, ReturnHTTP421OnRetry) {
       net::MutableNetworkTrafficAnnotationTag(TRAFFIC_ANNOTATION_FOR_TESTS);
   HttpNetworkTransaction trans2(DEFAULT_PRIORITY, session.get());
 
-  BoundTestNetLog log;
+  RecordingBoundTestNetLog log;
   rv = trans2.Start(&request2, callback.callback(), log.bound());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
   rv = callback.WaitForResult();
@@ -16297,7 +17026,8 @@ TEST_F(HttpNetworkTransactionTest,
 
   // Preload cache entries into HostCache.
   rv = session_deps_.host_resolver->LoadIntoCache(
-      HostPortPair("mail.example.com", 443), base::nullopt);
+      HostPortPair("mail.example.com", 443), NetworkIsolationKey(),
+      base::nullopt);
   EXPECT_THAT(rv, IsOk());
 
   HttpRequestInfo request2;
@@ -16736,7 +17466,7 @@ TEST_F(HttpNetworkTransactionTest, DoNotUseSpdySessionForHttpOverTunnel) {
   session_deps_.proxy_resolution_service =
       ProxyResolutionService::CreateFixedFromPacResult(
           "HTTPS proxy:70", TRAFFIC_ANNOTATION_FOR_TESTS);
-  TestNetLog log;
+  RecordingTestNetLog log;
   session_deps_.net_log = &log;
   SSLSocketDataProvider ssl1(ASYNC, OK);  // to the proxy
   ssl1.next_proto = kProtoHTTP2;
@@ -18224,7 +18954,8 @@ TEST_F(HttpNetworkTransactionTest, ProxyHeadersNotSentOverWsTunnel) {
   session_deps_.socket_factory->AddSocketDataProvider(&data);
 
   session->http_auth_cache()->Add(
-      GURL("http://myproxy:70/"), "MyRealm1", HttpAuth::AUTH_SCHEME_BASIC,
+      GURL("http://myproxy:70/"), HttpAuth::AUTH_PROXY, "MyRealm1",
+      HttpAuth::AUTH_SCHEME_BASIC, NetworkIsolationKey(),
       "Basic realm=MyRealm1", AuthCredentials(kFoo, kBar), "/");
 
   TestWebSocketHandshakeStreamCreateHelper websocket_stream_create_helper;
@@ -18829,7 +19560,7 @@ TEST_F(HttpNetworkTransactionNetworkErrorLoggingTest,
   session_deps_.proxy_resolution_service =
       ProxyResolutionService::CreateFixedFromPacResult(
           "PROXY myproxy:70", TRAFFIC_ANNOTATION_FOR_TESTS);
-  BoundTestNetLog log;
+  RecordingBoundTestNetLog log;
   session_deps_.net_log = log.bound().net_log();
   std::unique_ptr<HttpNetworkSession> session(CreateSession(&session_deps_));
 
@@ -19499,7 +20230,8 @@ TEST_F(HttpNetworkTransactionNetworkErrorLoggingTest,
 
   // Preload mail.example.org into HostCache.
   int rv = session_deps_.host_resolver->LoadIntoCache(
-      HostPortPair("mail.example.com", 443), base::nullopt);
+      HostPortPair("mail.example.com", 443), NetworkIsolationKey(),
+      base::nullopt);
   EXPECT_THAT(rv, IsOk());
 
   HttpRequestInfo request1;
@@ -19538,7 +20270,7 @@ TEST_F(HttpNetworkTransactionNetworkErrorLoggingTest,
   auto trans2 =
       std::make_unique<HttpNetworkTransaction>(DEFAULT_PRIORITY, session.get());
 
-  BoundTestNetLog log;
+  RecordingBoundTestNetLog log;
   rv = trans2->Start(&request2, callback.callback(), log.bound());
   EXPECT_THAT(callback.GetResult(rv), IsOk());
 
@@ -19657,7 +20389,6 @@ TEST_F(HttpNetworkTransactionNetworkErrorLoggingTest,
 }
 
 TEST_F(HttpNetworkTransactionNetworkErrorLoggingTest, DontCreateReportHttp) {
-  base::HistogramTester histograms;
   RequestPolicy();
   EXPECT_EQ(1u, network_error_logging_service()->headers().size());
   EXPECT_EQ(1u, network_error_logging_service()->errors().size());
@@ -19695,16 +20426,11 @@ TEST_F(HttpNetworkTransactionNetworkErrorLoggingTest, DontCreateReportHttp) {
   EXPECT_EQ("hello world", response_data);
 
   // Insecure request does not generate a report
-  histograms.ExpectBucketCount(
-      NetworkErrorLoggingService::kRequestOutcomeHistogram,
-      NetworkErrorLoggingService::RequestOutcome::kDiscardedInsecureOrigin, 1);
-
   EXPECT_EQ(1u, network_error_logging_service()->errors().size());
 }
 
 TEST_F(HttpNetworkTransactionNetworkErrorLoggingTest,
        DontCreateReportHttpError) {
-  base::HistogramTester histograms;
   RequestPolicy();
   EXPECT_EQ(1u, network_error_logging_service()->headers().size());
   EXPECT_EQ(1u, network_error_logging_service()->errors().size());
@@ -19731,10 +20457,6 @@ TEST_F(HttpNetworkTransactionNetworkErrorLoggingTest,
 
   // Insecure request does not generate a report, regardless of existence of a
   // policy for the origin.
-  histograms.ExpectBucketCount(
-      NetworkErrorLoggingService::kRequestOutcomeHistogram,
-      NetworkErrorLoggingService::RequestOutcome::kDiscardedInsecureOrigin, 1);
-
   EXPECT_EQ(1u, network_error_logging_service()->errors().size());
 }
 
@@ -19925,6 +20647,7 @@ TEST_F(HttpNetworkTransactionTest, AlwaysFailRequestToCache) {
 }
 
 TEST_F(HttpNetworkTransactionTest, ZeroRTTDoesntConfirm) {
+  static const base::TimeDelta kDelay = base::TimeDelta::FromMilliseconds(10);
   HttpRequestInfo request;
   request.method = "GET";
   request.url = GURL("https://www.example.org/");
@@ -19946,7 +20669,9 @@ TEST_F(HttpNetworkTransactionTest, ZeroRTTDoesntConfirm) {
   StaticSocketDataProvider data(data_reads, data_writes);
   session_deps_.socket_factory->AddSocketDataProvider(&data);
   SSLSocketDataProvider ssl(SYNCHRONOUS, OK);
+  ssl.connect_callback = FastForwardByCallback(kDelay);
   ssl.confirm = MockConfirm(SYNCHRONOUS, OK);
+  ssl.confirm_callback = FastForwardByCallback(kDelay);
   session_deps_.enable_early_data = true;
   session_deps_.socket_factory->AddSSLSocketDataProvider(&ssl);
 
@@ -19956,6 +20681,7 @@ TEST_F(HttpNetworkTransactionTest, ZeroRTTDoesntConfirm) {
   auto trans =
       std::make_unique<HttpNetworkTransaction>(DEFAULT_PRIORITY, session.get());
 
+  base::TimeTicks start_time = base::TimeTicks::Now();
   int rv = trans->Start(&request, callback.callback(), NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
@@ -19972,12 +20698,22 @@ TEST_F(HttpNetworkTransactionTest, ZeroRTTDoesntConfirm) {
   ASSERT_FALSE(ssl.ConfirmDataConsumed());
   ASSERT_TRUE(ssl.WriteBeforeConfirm());
 
+  // The handshake time should include the time it took to run Connect(), but
+  // not ConfirmHandshake().
+  LoadTimingInfo load_timing_info;
+  EXPECT_TRUE(trans->GetLoadTimingInfo(&load_timing_info));
+  EXPECT_EQ(load_timing_info.connect_timing.connect_start, start_time);
+  EXPECT_EQ(load_timing_info.connect_timing.ssl_start, start_time);
+  EXPECT_EQ(load_timing_info.connect_timing.ssl_end, start_time + kDelay);
+  EXPECT_EQ(load_timing_info.connect_timing.connect_end, start_time + kDelay);
+
   trans.reset();
 
   session->CloseAllConnections();
 }
 
 TEST_F(HttpNetworkTransactionTest, ZeroRTTSyncConfirmSyncWrite) {
+  static const base::TimeDelta kDelay = base::TimeDelta::FromMilliseconds(10);
   HttpRequestInfo request;
   request.method = "POST";
   request.url = GURL("https://www.example.org/");
@@ -20001,7 +20737,9 @@ TEST_F(HttpNetworkTransactionTest, ZeroRTTSyncConfirmSyncWrite) {
   StaticSocketDataProvider data(data_reads, data_writes);
   session_deps_.socket_factory->AddSocketDataProvider(&data);
   SSLSocketDataProvider ssl(SYNCHRONOUS, OK);
+  ssl.connect_callback = FastForwardByCallback(kDelay);
   ssl.confirm = MockConfirm(SYNCHRONOUS, OK);
+  ssl.confirm_callback = FastForwardByCallback(kDelay);
   session_deps_.enable_early_data = true;
   session_deps_.socket_factory->AddSSLSocketDataProvider(&ssl);
 
@@ -20011,6 +20749,7 @@ TEST_F(HttpNetworkTransactionTest, ZeroRTTSyncConfirmSyncWrite) {
   auto trans =
       std::make_unique<HttpNetworkTransaction>(DEFAULT_PRIORITY, session.get());
 
+  base::TimeTicks start_time = base::TimeTicks::Now();
   int rv = trans->Start(&request, callback.callback(), NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
@@ -20026,6 +20765,17 @@ TEST_F(HttpNetworkTransactionTest, ZeroRTTSyncConfirmSyncWrite) {
   // Check that the Write didn't get called before ConfirmHandshake completed.
   ASSERT_FALSE(ssl.WriteBeforeConfirm());
 
+  // The handshake time should include the time it took to run Connect(), but
+  // not ConfirmHandshake(). If ConfirmHandshake() returns synchronously, we
+  // assume the connection did not negotiate 0-RTT or the handshake was already
+  // confirmed.
+  LoadTimingInfo load_timing_info;
+  EXPECT_TRUE(trans->GetLoadTimingInfo(&load_timing_info));
+  EXPECT_EQ(load_timing_info.connect_timing.connect_start, start_time);
+  EXPECT_EQ(load_timing_info.connect_timing.ssl_start, start_time);
+  EXPECT_EQ(load_timing_info.connect_timing.ssl_end, start_time + kDelay);
+  EXPECT_EQ(load_timing_info.connect_timing.connect_end, start_time + kDelay);
+
   trans.reset();
 
   session->CloseAllConnections();
@@ -20086,6 +20836,7 @@ TEST_F(HttpNetworkTransactionTest, ZeroRTTSyncConfirmAsyncWrite) {
 }
 
 TEST_F(HttpNetworkTransactionTest, ZeroRTTAsyncConfirmSyncWrite) {
+  static const base::TimeDelta kDelay = base::TimeDelta::FromMilliseconds(10);
   HttpRequestInfo request;
   request.method = "POST";
   request.url = GURL("https://www.example.org/");
@@ -20109,7 +20860,9 @@ TEST_F(HttpNetworkTransactionTest, ZeroRTTAsyncConfirmSyncWrite) {
   StaticSocketDataProvider data(data_reads, data_writes);
   session_deps_.socket_factory->AddSocketDataProvider(&data);
   SSLSocketDataProvider ssl(SYNCHRONOUS, OK);
+  ssl.connect_callback = FastForwardByCallback(kDelay);
   ssl.confirm = MockConfirm(ASYNC, OK);
+  ssl.confirm_callback = FastForwardByCallback(kDelay);
   session_deps_.enable_early_data = true;
   session_deps_.socket_factory->AddSSLSocketDataProvider(&ssl);
 
@@ -20119,6 +20872,7 @@ TEST_F(HttpNetworkTransactionTest, ZeroRTTAsyncConfirmSyncWrite) {
   auto trans =
       std::make_unique<HttpNetworkTransaction>(DEFAULT_PRIORITY, session.get());
 
+  base::TimeTicks start_time = base::TimeTicks::Now();
   int rv = trans->Start(&request, callback.callback(), NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
@@ -20134,6 +20888,16 @@ TEST_F(HttpNetworkTransactionTest, ZeroRTTAsyncConfirmSyncWrite) {
   // Check that the Write didn't get called before ConfirmHandshake completed.
   ASSERT_FALSE(ssl.WriteBeforeConfirm());
 
+  // The handshake time should include the time it took to run Connect() and
+  // ConfirmHandshake().
+  LoadTimingInfo load_timing_info;
+  EXPECT_TRUE(trans->GetLoadTimingInfo(&load_timing_info));
+  EXPECT_EQ(load_timing_info.connect_timing.connect_start, start_time);
+  EXPECT_EQ(load_timing_info.connect_timing.ssl_start, start_time);
+  EXPECT_EQ(load_timing_info.connect_timing.ssl_end, start_time + 2 * kDelay);
+  EXPECT_EQ(load_timing_info.connect_timing.connect_end,
+            start_time + 2 * kDelay);
+
   trans.reset();
 
   session->CloseAllConnections();
diff --git a/chromium/net/http/http_proxy_client_socket_fuzzer.cc b/chromium/net/http/http_proxy_client_socket_fuzzer.cc
index f253b16f46b..a173b382cb6 100644
--- a/chromium/net/http/http_proxy_client_socket_fuzzer.cc
+++ b/chromium/net/http/http_proxy_client_socket_fuzzer.cc
@@ -17,12 +17,12 @@
 #include "net/base/address_list.h"
 #include "net/base/auth.h"
 #include "net/base/host_port_pair.h"
+#include "net/base/network_isolation_key.h"
 #include "net/base/test_completion_callback.h"
 #include "net/http/http_auth_cache.h"
 #include "net/http/http_auth_handler_basic.h"
 #include "net/http/http_auth_handler_digest.h"
 #include "net/http/http_auth_handler_factory.h"
-#include "net/http/http_auth_preferences.h"
 #include "net/http/http_auth_scheme.h"
 #include "net/log/test_net_log.h"
 #include "net/socket/fuzzed_socket.h"
@@ -36,7 +36,7 @@
 // class for details.
 extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
   // Use a test NetLog, to exercise logging code.
-  net::TestNetLog test_net_log;
+  net::RecordingTestNetLog test_net_log;
 
   FuzzedDataProvider data_provider(data, size);
 
@@ -47,7 +47,8 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
 
   // Create auth handler supporting basic and digest schemes.  Other schemes can
   // make system calls, which doesn't seem like a great idea.
-  net::HttpAuthCache auth_cache;
+  net::HttpAuthCache auth_cache(
+      false /* key_server_entries_by_network_isolation_key */);
   net::HttpAuthHandlerRegistryFactory auth_handler_factory;
   auth_handler_factory.RegisterSchemeFactory(
       net::kBasicAuthScheme, new net::HttpAuthHandlerBasic::Factory());
@@ -55,10 +56,10 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
       net::kDigestAuthScheme, new net::HttpAuthHandlerDigest::Factory());
 
   scoped_refptr<net::HttpAuthController> auth_controller(
-      new net::HttpAuthController(
-          net::HttpAuth::AUTH_PROXY, GURL("http://proxy:42/"), &auth_cache,
-          &auth_handler_factory, nullptr,
-          net::HttpAuthPreferences::ALLOW_DEFAULT_CREDENTIALS));
+      base::MakeRefCounted<net::HttpAuthController>(
+          net::HttpAuth::AUTH_PROXY, GURL("http://proxy:42/"),
+          net::NetworkIsolationKey(), &auth_cache, &auth_handler_factory,
+          nullptr));
   // Determine if the HttpProxyClientSocket should be told the underlying socket
   // is HTTPS.
   net::HttpProxyClientSocket socket(
diff --git a/chromium/net/http/http_proxy_connect_job.cc b/chromium/net/http/http_proxy_connect_job.cc
index 2349095ec5d..232484d9386 100644
--- a/chromium/net/http/http_proxy_connect_job.cc
+++ b/chromium/net/http/http_proxy_connect_job.cc
@@ -181,14 +181,14 @@ HttpProxyConnectJob::HttpProxyConnectJob(
       has_established_connection_(false),
       http_auth_controller_(
           params_->tunnel()
-              ? new HttpAuthController(
+              ? base::MakeRefCounted<HttpAuthController>(
                     HttpAuth::AUTH_PROXY,
                     GURL((params_->ssl_params() ? "https://" : "http://") +
                          GetDestination().ToString()),
+                    params_->network_isolation_key(),
                     common_connect_job_params->http_auth_cache,
                     common_connect_job_params->http_auth_handler_factory,
-                    host_resolver(),
-                    HttpAuthPreferences::ALLOW_DEFAULT_CREDENTIALS)
+                    host_resolver())
               : nullptr) {}
 
 HttpProxyConnectJob::~HttpProxyConnectJob() {}
diff --git a/chromium/net/http/http_proxy_connect_job_unittest.cc b/chromium/net/http/http_proxy_connect_job_unittest.cc
index a130dac17a5..8485a4ae818 100644
--- a/chromium/net/http/http_proxy_connect_job_unittest.cc
+++ b/chromium/net/http/http_proxy_connect_job_unittest.cc
@@ -56,8 +56,8 @@ class HttpProxyConnectJobTest : public ::testing::TestWithParam<HttpProxyType>,
                                 public WithTaskEnvironment {
  protected:
   HttpProxyConnectJobTest()
-      : WithTaskEnvironment(base::test::TaskEnvironment::TimeSource::MOCK_TIME),
-        field_trial_list_(nullptr) {
+      : WithTaskEnvironment(
+            base::test::TaskEnvironment::TimeSource::MOCK_TIME) {
     // Used a mock HostResolver that does not have a cache.
     session_deps_.host_resolver = std::make_unique<MockHostResolver>();
 
@@ -109,8 +109,8 @@ class HttpProxyConnectJobTest : public ::testing::TestWithParam<HttpProxyType>,
     if (GetParam() != HTTP)
       return nullptr;
     return base::MakeRefCounted<TransportSocketParams>(
-        HostPortPair(kHttpProxyHost, 80), disable_secure_dns,
-        OnHostResolutionCallback());
+        HostPortPair(kHttpProxyHost, 80), NetworkIsolationKey(),
+        disable_secure_dns, OnHostResolutionCallback());
   }
 
   scoped_refptr<SSLSocketParams> CreateHttpsProxyParams(
@@ -119,8 +119,8 @@ class HttpProxyConnectJobTest : public ::testing::TestWithParam<HttpProxyType>,
       return nullptr;
     return base::MakeRefCounted<SSLSocketParams>(
         base::MakeRefCounted<TransportSocketParams>(
-            HostPortPair(kHttpsProxyHost, 443), disable_secure_dns,
-            OnHostResolutionCallback()),
+            HostPortPair(kHttpsProxyHost, 443), NetworkIsolationKey(),
+            disable_secure_dns, OnHostResolutionCallback()),
         nullptr, nullptr, HostPortPair(kHttpsProxyHost, 443), SSLConfig(),
         PRIVACY_MODE_DISABLED, NetworkIsolationKey());
   }
@@ -256,8 +256,6 @@ class HttpProxyConnectJobTest : public ::testing::TestWithParam<HttpProxyType>,
 
   std::unique_ptr<HttpNetworkSession> session_;
 
-  base::FieldTrialList field_trial_list_;
-
   SpdyTestUtil spdy_util_;
 
   TestCompletionCallback callback_;
@@ -754,8 +752,9 @@ TEST_P(HttpProxyConnectJobTest, HaveAuth) {
                      ? (std::string("http://") + kHttpProxyHost)
                      : (std::string("https://") + kHttpsProxyHost));
   session_->http_auth_cache()->Add(
-      proxy_url, "MyRealm1", HttpAuth::AUTH_SCHEME_BASIC,
-      "Basic realm=MyRealm1", AuthCredentials(kFoo, kBar), "/");
+      proxy_url, HttpAuth::AUTH_PROXY, "MyRealm1", HttpAuth::AUTH_SCHEME_BASIC,
+      NetworkIsolationKey(), "Basic realm=MyRealm1",
+      AuthCredentials(kFoo, kBar), "/");
 
   for (IoMode io_mode : {SYNCHRONOUS, ASYNC}) {
     SCOPED_TRACE(io_mode);
@@ -885,8 +884,8 @@ TEST_P(HttpProxyConnectJobTest, SpdySessionKeyDisableSecureDns) {
   TestConnectJobDelegate test_delegate;
   auto ssl_params = base::MakeRefCounted<SSLSocketParams>(
       base::MakeRefCounted<TransportSocketParams>(
-          HostPortPair(kHttpsProxyHost, 443), true /* disable_secure_dns */,
-          OnHostResolutionCallback()),
+          HostPortPair(kHttpsProxyHost, 443), NetworkIsolationKey(),
+          true /* disable_secure_dns */, OnHostResolutionCallback()),
       nullptr, nullptr, HostPortPair(kHttpsProxyHost, 443), SSLConfig(),
       PRIVACY_MODE_DISABLED, NetworkIsolationKey());
   auto http_proxy_params = base::MakeRefCounted<HttpProxySocketParams>(
diff --git a/chromium/net/http/http_response_body_drainer_unittest.cc b/chromium/net/http/http_response_body_drainer_unittest.cc
index 84c2f4501b0..75fb0115289 100644
--- a/chromium/net/http/http_response_body_drainer_unittest.cc
+++ b/chromium/net/http/http_response_body_drainer_unittest.cc
@@ -29,6 +29,7 @@
 #include "net/http/http_stream.h"
 #include "net/http/transport_security_state.h"
 #include "net/proxy_resolution/proxy_resolution_service.h"
+#include "net/quic/quic_context.h"
 #include "net/ssl/ssl_config_service_defaults.h"
 #include "net/test/test_with_task_environment.h"
 #include "testing/gtest/include/gtest/gtest.h"
@@ -249,6 +250,7 @@ class HttpResponseBodyDrainerTest : public TestWithTaskEnvironment {
     context.transport_security_state = &transport_security_state_;
     context.cert_transparency_verifier = &ct_verifier_;
     context.ct_policy_enforcer = &ct_policy_enforcer_;
+    context.quic_context = &quic_context_;
     return new HttpNetworkSession(HttpNetworkSession::Params(), context);
   }
 
@@ -259,6 +261,7 @@ class HttpResponseBodyDrainerTest : public TestWithTaskEnvironment {
   TransportSecurityState transport_security_state_;
   MultiLogCTVerifier ct_verifier_;
   DefaultCTPolicyEnforcer ct_policy_enforcer_;
+  QuicContext quic_context_;
   const std::unique_ptr<HttpNetworkSession> session_;
   CloseResultWaiter result_waiter_;
   MockHttpStream* const mock_stream_;  // Owned by |drainer_|.
diff --git a/chromium/net/http/http_response_info.cc b/chromium/net/http/http_response_info.cc
index 1d2af6ceaa0..4b6b749ce7e 100644
--- a/chromium/net/http/http_response_info.cc
+++ b/chromium/net/http/http_response_info.cc
@@ -16,6 +16,7 @@
 #include "net/http/http_response_headers.h"
 #include "net/ssl/ssl_cert_request_info.h"
 #include "net/ssl/ssl_connection_status_flags.h"
+#include "net/third_party/quiche/src/quic/core/quic_versions.h"
 #include "third_party/boringssl/src/include/openssl/ssl.h"
 
 using base::Time;
@@ -118,6 +119,61 @@ enum {
   // For now, we don't support storing those.
 };
 
+HttpResponseInfo::ConnectionInfoCoarse HttpResponseInfo::ConnectionInfoToCoarse(
+    ConnectionInfo info) {
+  switch (info) {
+    case CONNECTION_INFO_HTTP0_9:
+    case CONNECTION_INFO_HTTP1_0:
+    case CONNECTION_INFO_HTTP1_1:
+      return CONNECTION_INFO_COARSE_HTTP1;
+
+    case CONNECTION_INFO_HTTP2:
+    case CONNECTION_INFO_DEPRECATED_SPDY2:
+    case CONNECTION_INFO_DEPRECATED_SPDY3:
+    case CONNECTION_INFO_DEPRECATED_HTTP2_14:
+    case CONNECTION_INFO_DEPRECATED_HTTP2_15:
+      return CONNECTION_INFO_COARSE_HTTP2;
+
+    case CONNECTION_INFO_QUIC_UNKNOWN_VERSION:
+    case CONNECTION_INFO_QUIC_32:
+    case CONNECTION_INFO_QUIC_33:
+    case CONNECTION_INFO_QUIC_34:
+    case CONNECTION_INFO_QUIC_35:
+    case CONNECTION_INFO_QUIC_36:
+    case CONNECTION_INFO_QUIC_37:
+    case CONNECTION_INFO_QUIC_38:
+    case CONNECTION_INFO_QUIC_39:
+    case CONNECTION_INFO_QUIC_40:
+    case CONNECTION_INFO_QUIC_41:
+    case CONNECTION_INFO_QUIC_42:
+    case CONNECTION_INFO_QUIC_43:
+    case CONNECTION_INFO_QUIC_44:
+    case CONNECTION_INFO_QUIC_45:
+    case CONNECTION_INFO_QUIC_46:
+    case CONNECTION_INFO_QUIC_47:
+    case CONNECTION_INFO_QUIC_Q048:
+    case CONNECTION_INFO_QUIC_T048:
+    case CONNECTION_INFO_QUIC_Q049:
+    case CONNECTION_INFO_QUIC_T049:
+    case CONNECTION_INFO_QUIC_Q050:
+    case CONNECTION_INFO_QUIC_T050:
+    case CONNECTION_INFO_QUIC_Q099:
+    case CONNECTION_INFO_QUIC_T099:
+    case CONNECTION_INFO_QUIC_999:
+      return CONNECTION_INFO_COARSE_QUIC;
+
+    case CONNECTION_INFO_UNKNOWN:
+      return CONNECTION_INFO_COARSE_OTHER;
+
+    case NUM_OF_CONNECTION_INFOS:
+      NOTREACHED();
+      return CONNECTION_INFO_COARSE_OTHER;
+  }
+
+  NOTREACHED();
+  return CONNECTION_INFO_COARSE_OTHER;
+}
+
 HttpResponseInfo::HttpResponseInfo()
     : was_cached(false),
       cache_entry_status(CacheEntryStatus::ENTRY_UNDEFINED),
@@ -428,10 +484,14 @@ bool HttpResponseInfo::DidUseQuic() const {
     case CONNECTION_INFO_QUIC_45:
     case CONNECTION_INFO_QUIC_46:
     case CONNECTION_INFO_QUIC_47:
-    case CONNECTION_INFO_QUIC_48:
-    case CONNECTION_INFO_QUIC_49:
-    case CONNECTION_INFO_QUIC_50:
-    case CONNECTION_INFO_QUIC_99:
+    case CONNECTION_INFO_QUIC_Q048:
+    case CONNECTION_INFO_QUIC_T048:
+    case CONNECTION_INFO_QUIC_Q049:
+    case CONNECTION_INFO_QUIC_T049:
+    case CONNECTION_INFO_QUIC_Q050:
+    case CONNECTION_INFO_QUIC_T050:
+    case CONNECTION_INFO_QUIC_Q099:
+    case CONNECTION_INFO_QUIC_T099:
     case CONNECTION_INFO_QUIC_999:
       return true;
     case NUM_OF_CONNECTION_INFOS:
@@ -497,14 +557,23 @@ std::string HttpResponseInfo::ConnectionInfoToString(
       return "http/2+quic/46";
     case CONNECTION_INFO_QUIC_47:
       return "http/2+quic/47";
-    case CONNECTION_INFO_QUIC_48:
-      return "http/2+quic/48";
-    case CONNECTION_INFO_QUIC_49:
-      return "http/2+quic/49";
-    case CONNECTION_INFO_QUIC_50:
-      return "http/2+quic/50";
-    case CONNECTION_INFO_QUIC_99:
-      return "http/2+quic/99";
+    case CONNECTION_INFO_QUIC_Q048:
+      return "h3-Q048";
+    case CONNECTION_INFO_QUIC_T048:
+      return "h3-T048";
+    case CONNECTION_INFO_QUIC_Q049:
+      return "h3-Q049";
+    case CONNECTION_INFO_QUIC_T049:
+      return "h3-T049";
+    case CONNECTION_INFO_QUIC_Q050:
+      return "h3-Q050";
+    case CONNECTION_INFO_QUIC_T050:
+      return "h3-T050";
+    case CONNECTION_INFO_QUIC_Q099:
+      return "h3-Q099";
+    case CONNECTION_INFO_QUIC_T099:
+      return quic::AlpnForVersion(quic::ParsedQuicVersion(
+          quic::PROTOCOL_TLS1_3, quic::QUIC_VERSION_99));
     case CONNECTION_INFO_HTTP0_9:
       return "http/0.9";
     case CONNECTION_INFO_HTTP1_0:
diff --git a/chromium/net/http/http_response_info.h b/chromium/net/http/http_response_info.h
index ae75b00e683..576d4edcd74 100644
--- a/chromium/net/http/http_response_info.h
+++ b/chromium/net/http/http_response_info.h
@@ -31,7 +31,7 @@ class NET_EXPORT HttpResponseInfo {
   // Describes the kind of connection used to fetch this response.
   //
   // NOTE: Please keep in sync with ConnectionInfo enum in
-  // tools/metrics/histograms/enum.xml.
+  // tools/metrics/histograms/enums.xml.
   // Because of that, and also because these values are persisted to
   // the cache, please make sure not to delete or reorder values.
   enum ConnectionInfo {
@@ -57,18 +57,29 @@ class NET_EXPORT HttpResponseInfo {
     CONNECTION_INFO_QUIC_41 = 19,
     CONNECTION_INFO_QUIC_42 = 20,
     CONNECTION_INFO_QUIC_43 = 21,
-    CONNECTION_INFO_QUIC_99 = 22,
+    CONNECTION_INFO_QUIC_Q099 = 22,
     CONNECTION_INFO_QUIC_44 = 23,
     CONNECTION_INFO_QUIC_45 = 24,
     CONNECTION_INFO_QUIC_46 = 25,
     CONNECTION_INFO_QUIC_47 = 26,
     CONNECTION_INFO_QUIC_999 = 27,
-    CONNECTION_INFO_QUIC_48 = 28,
-    CONNECTION_INFO_QUIC_49 = 29,
-    CONNECTION_INFO_QUIC_50 = 30,
+    CONNECTION_INFO_QUIC_Q048 = 28,
+    CONNECTION_INFO_QUIC_Q049 = 29,
+    CONNECTION_INFO_QUIC_Q050 = 30,
+    CONNECTION_INFO_QUIC_T048 = 31,
+    CONNECTION_INFO_QUIC_T049 = 32,
+    CONNECTION_INFO_QUIC_T050 = 33,
+    CONNECTION_INFO_QUIC_T099 = 34,
     NUM_OF_CONNECTION_INFOS,
   };
 
+  enum ConnectionInfoCoarse {
+    CONNECTION_INFO_COARSE_HTTP1,  // HTTP/0.9, 1.0 and 1.1
+    CONNECTION_INFO_COARSE_HTTP2,
+    CONNECTION_INFO_COARSE_QUIC,
+    CONNECTION_INFO_COARSE_OTHER,
+  };
+
   // Used for categorizing transactions for reporting in histograms.
   // CacheEntryStatus covers relatively common use cases being measured and
   // considered for optimization. Many use cases that are more complex or
@@ -97,6 +108,10 @@ class NET_EXPORT HttpResponseInfo {
     ENTRY_MAX,
   };
 
+  // Returns a more coarse-grained description of the protocol used to fetch the
+  // response.
+  static ConnectionInfoCoarse ConnectionInfoToCoarse(ConnectionInfo info);
+
   HttpResponseInfo();
   HttpResponseInfo(const HttpResponseInfo& rhs);
   ~HttpResponseInfo();
diff --git a/chromium/net/http/http_server_properties_manager_unittest.cc b/chromium/net/http/http_server_properties_manager_unittest.cc
index d08043adb3f..71303c48815 100644
--- a/chromium/net/http/http_server_properties_manager_unittest.cc
+++ b/chromium/net/http/http_server_properties_manager_unittest.cc
@@ -228,8 +228,7 @@ class HttpServerPropertiesManagerTest : public testing::Test,
 
   void SetUp() override {
     one_day_from_now_ = base::Time::Now() + base::TimeDelta::FromDays(1);
-    advertised_versions_ =
-        HttpNetworkSession::Params().quic_params.supported_versions;
+    advertised_versions_ = DefaultSupportedQuicVersions();
     pref_delegate_ = new MockPrefDelegate;
 
     http_server_props_ = std::make_unique<HttpServerProperties>(
@@ -1484,7 +1483,7 @@ TEST_F(HttpServerPropertiesManagerTest, PersistAdvertisedVersionsToPref) {
       quic::ParsedQuicVersion(quic::PROTOCOL_QUIC_CRYPTO,
                               quic::QUIC_VERSION_46),
       quic::ParsedQuicVersion(quic::PROTOCOL_QUIC_CRYPTO,
-                              quic::QUIC_VERSION_39)};
+                              quic::QUIC_VERSION_43)};
   alternative_service_info_vector.push_back(
       AlternativeServiceInfo::CreateQuicAlternativeServiceInfo(
           quic_alternative_service1, expiration1, advertised_versions));
@@ -1536,7 +1535,7 @@ TEST_F(HttpServerPropertiesManagerTest, PersistAdvertisedVersionsToPref) {
       "\"server_info\":\"quic_server_info1\"}],"
       "\"servers\":["
       "{\"alternative_service\":[{"
-      "\"advertised_versions\":[39,46],\"expiration\":\"13756212000000000\","
+      "\"advertised_versions\":[43,46],\"expiration\":\"13756212000000000\","
       "\"port\":443,\"protocol_str\":\"quic\"},{\"advertised_versions\":[],"
       "\"expiration\":\"13758804000000000\",\"host\":\"www.google.com\","
       "\"port\":1234,\"protocol_str\":\"h2\"}],"
@@ -1567,7 +1566,7 @@ TEST_F(HttpServerPropertiesManagerTest, ReadAdvertisedVersionsFromPref) {
       "{\"port\":443,\"protocol_str\":\"quic\"},"
       "{\"port\":123,\"protocol_str\":\"quic\","
       "\"expiration\":\"9223372036854775807\","
-      "\"advertised_versions\":[46,39]}]}");
+      "\"advertised_versions\":[46,43]}]}");
   ASSERT_TRUE(server_value);
   base::DictionaryValue* server_dict;
   ASSERT_TRUE(server_value->GetAsDictionary(&server_dict));
@@ -1605,7 +1604,7 @@ TEST_F(HttpServerPropertiesManagerTest, ReadAdvertisedVersionsFromPref) {
       alternative_service_info_vector[1].advertised_versions();
   EXPECT_EQ(2u, loaded_advertised_versions.size());
   EXPECT_EQ(quic::ParsedQuicVersion(quic::PROTOCOL_QUIC_CRYPTO,
-                                    quic::QUIC_VERSION_39),
+                                    quic::QUIC_VERSION_43),
             loaded_advertised_versions[0]);
   EXPECT_EQ(quic::ParsedQuicVersion(quic::PROTOCOL_QUIC_CRYPTO,
                                     quic::QUIC_VERSION_46),
@@ -1681,7 +1680,7 @@ TEST_F(HttpServerPropertiesManagerTest,
       quic::ParsedQuicVersion(quic::PROTOCOL_QUIC_CRYPTO,
                               quic::QUIC_VERSION_46),
       quic::ParsedQuicVersion(quic::PROTOCOL_QUIC_CRYPTO,
-                              quic::QUIC_VERSION_39)};
+                              quic::QUIC_VERSION_43)};
   alternative_service_info_vector_2.push_back(
       AlternativeServiceInfo::CreateQuicAlternativeServiceInfo(
           quic_alternative_service1, expiration1, advertised_versions));
@@ -1701,7 +1700,7 @@ TEST_F(HttpServerPropertiesManagerTest,
       "\"server_id\":\"https://mail.google.com:80\","
       "\"server_info\":\"quic_server_info1\"}],"
       "\"servers\":["
-      "{\"alternative_service\":[{\"advertised_versions\":[39,46],"
+      "{\"alternative_service\":[{\"advertised_versions\":[43,46],"
       "\"expiration\":\"13756212000000000\",\"port\":443,"
       "\"protocol_str\":\"quic\"}],"
       "\"isolation\":[],"
@@ -1717,7 +1716,7 @@ TEST_F(HttpServerPropertiesManagerTest,
   // A same set of QUIC versions but listed in a different order.
   quic::ParsedQuicVersionVector advertised_versions_2 = {
       quic::ParsedQuicVersion(quic::PROTOCOL_QUIC_CRYPTO,
-                              quic::QUIC_VERSION_39),
+                              quic::QUIC_VERSION_43),
       quic::ParsedQuicVersion(quic::PROTOCOL_QUIC_CRYPTO,
                               quic::QUIC_VERSION_46)};
   alternative_service_info_vector_3.push_back(
@@ -2278,8 +2277,7 @@ TEST_F(HttpServerPropertiesManagerTest,
   AlternativeServiceInfo alt_service1 =
       AlternativeServiceInfo::CreateQuicAlternativeServiceInfo(
           AlternativeService(kProtoQUIC, "foopy.c.youtube.com", 1234),
-          expiration,
-          HttpNetworkSession::Params().quic_params.supported_versions);
+          expiration, DefaultSupportedQuicVersions());
   AlternativeServiceInfo alt_service2 =
       AlternativeServiceInfo::CreateHttp2AlternativeServiceInfo(
           AlternativeService(kProtoHTTP2, "foopy.c.youtube.com", 443),
diff --git a/chromium/net/http/http_server_properties_unittest.cc b/chromium/net/http/http_server_properties_unittest.cc
index f0fc978637e..87e053ea6f6 100644
--- a/chromium/net/http/http_server_properties_unittest.cc
+++ b/chromium/net/http/http_server_properties_unittest.cc
@@ -111,9 +111,9 @@ class HttpServerPropertiesTest : public TestWithTaskEnvironment {
     const base::Time expiration =
         test_clock_.Now() + base::TimeDelta::FromDays(1);
     if (alternative_service.protocol == kProtoQUIC) {
-      impl_.SetQuicAlternativeService(
-          origin, NetworkIsolationKey(), alternative_service, expiration,
-          HttpNetworkSession::Params().quic_params.supported_versions);
+      impl_.SetQuicAlternativeService(origin, NetworkIsolationKey(),
+                                      alternative_service, expiration,
+                                      DefaultSupportedQuicVersions());
     } else {
       impl_.SetHttp2AlternativeService(origin, NetworkIsolationKey(),
                                        alternative_service, expiration);
@@ -572,7 +572,7 @@ TEST_F(AlternateProtocolServerPropertiesTest, ExcludeOrigin) {
   AlternativeServiceInfo alternative_service_info4 =
       AlternativeServiceInfo::CreateQuicAlternativeServiceInfo(
           AlternativeService(kProtoQUIC, "foo", 443), expiration,
-          HttpNetworkSession::Params().quic_params.supported_versions);
+          DefaultSupportedQuicVersions());
   alternative_service_info_vector.push_back(alternative_service_info4);
 
   url::SchemeHostPort test_server("https", "foo", 443);
@@ -944,8 +944,7 @@ TEST_F(AlternateProtocolServerPropertiesTest, ClearServerWithCanonical) {
   base::Time expiration = test_clock_.Now() + base::TimeDelta::FromDays(1);
   const AlternativeServiceInfo alternative_service_info =
       AlternativeServiceInfo::CreateQuicAlternativeServiceInfo(
-          alternative_service, expiration,
-          HttpNetworkSession::Params().quic_params.supported_versions);
+          alternative_service, expiration, DefaultSupportedQuicVersions());
 
   impl_.SetAlternativeServices(
       canonical_server, NetworkIsolationKey(),
@@ -1828,7 +1827,7 @@ TEST_F(AlternateProtocolServerPropertiesTest, Canonical) {
   alternative_service_info_vector.push_back(
       AlternativeServiceInfo::CreateQuicAlternativeServiceInfo(
           canonical_alternative_service1, expiration,
-          HttpNetworkSession::Params().quic_params.supported_versions));
+          DefaultSupportedQuicVersions()));
   const AlternativeService canonical_alternative_service2(kProtoHTTP2, "", 443);
   alternative_service_info_vector.push_back(
       AlternativeServiceInfo::CreateHttp2AlternativeServiceInfo(
@@ -1898,7 +1897,7 @@ TEST_F(AlternateProtocolServerPropertiesTest,
   alternative_service_info_vector.push_back(
       AlternativeServiceInfo::CreateQuicAlternativeServiceInfo(
           canonical_alternative_service1, expiration,
-          HttpNetworkSession::Params().quic_params.supported_versions));
+          DefaultSupportedQuicVersions()));
   const AlternativeService canonical_alternative_service2(kProtoHTTP2, "", 443);
   alternative_service_info_vector.push_back(
       AlternativeServiceInfo::CreateHttp2AlternativeServiceInfo(
@@ -2273,6 +2272,10 @@ TEST_F(AlternateProtocolServerPropertiesTest, RemoveExpiredBrokenAltSvc3) {
 
 TEST_F(AlternateProtocolServerPropertiesTest,
        GetAlternativeServiceInfoAsValue) {
+  base::test::ScopedFeatureList feature_list;
+  feature_list.InitAndDisableFeature(
+      features::kAppendFrameOriginToNetworkIsolationKey);
+
   base::Time::Exploded now_exploded;
   now_exploded.year = 2018;
   now_exploded.month = 1;
@@ -2295,13 +2298,11 @@ TEST_F(AlternateProtocolServerPropertiesTest,
   alternative_service_info_vector.push_back(
       AlternativeServiceInfo::CreateQuicAlternativeServiceInfo(
           AlternativeService(kProtoQUIC, "bar", 443),
-          now + base::TimeDelta::FromHours(1),
-          HttpNetworkSession::Params().quic_params.supported_versions));
+          now + base::TimeDelta::FromHours(1), DefaultSupportedQuicVersions()));
   alternative_service_info_vector.push_back(
       AlternativeServiceInfo::CreateQuicAlternativeServiceInfo(
           AlternativeService(kProtoQUIC, "baz", 443),
-          now + base::TimeDelta::FromHours(1),
-          HttpNetworkSession::Params().quic_params.supported_versions));
+          now + base::TimeDelta::FromHours(1), DefaultSupportedQuicVersions()));
 
   impl_.SetAlternativeServices(url::SchemeHostPort("https", "youtube.com", 443),
                                NetworkIsolationKey(),
diff --git a/chromium/net/http/http_stream_factory.cc b/chromium/net/http/http_stream_factory.cc
index 13f4b2a546b..eabab2c54fb 100644
--- a/chromium/net/http/http_stream_factory.cc
+++ b/chromium/net/http/http_stream_factory.cc
@@ -74,7 +74,7 @@ void HttpStreamFactory::ProcessAlternativeServices(
       net::ProcessAlternativeServices(
           alternative_service_vector, session->params().enable_http2,
           session->params().enable_quic,
-          session->params().quic_params.supported_versions));
+          session->context().quic_context->params()->supported_versions));
 }
 
 url::SchemeHostPort HttpStreamFactory::RewriteHost(
diff --git a/chromium/net/http/http_stream_factory_job.cc b/chromium/net/http/http_stream_factory_job.cc
index a5acdda8c0c..4df0483146d 100644
--- a/chromium/net/http/http_stream_factory_job.cc
+++ b/chromium/net/http/http_stream_factory_job.cc
@@ -177,7 +177,8 @@ HttpStreamFactory::Job::Job(Delegate* delegate,
   if (quic_version_ == quic::UnsupportedQuicVersion() &&
       ShouldForceQuic(session, destination, origin_url, proxy_info,
                       using_ssl_)) {
-    quic_version_ = session->params().quic_params.supported_versions[0];
+    quic_version_ =
+        session->context().quic_context->params()->supported_versions[0];
   }
 
   if (using_quic_)
@@ -360,10 +361,10 @@ bool HttpStreamFactory::Job::ShouldForceQuic(HttpNetworkSession* session,
   // handled by the socket pools, using an HttpProxyConnectJob.
   if (proxy_info.is_quic())
     return !using_ssl;
-  return (base::Contains(session->params().quic_params.origins_to_force_quic_on,
+  const QuicParams* quic_params = session->context().quic_context->params();
+  return (base::Contains(quic_params->origins_to_force_quic_on,
                          HostPortPair()) ||
-          base::Contains(session->params().quic_params.origins_to_force_quic_on,
-                         destination)) &&
+          base::Contains(quic_params->origins_to_force_quic_on, destination)) &&
          proxy_info.is_direct() && origin_url.SchemeIs(url::kHttpsScheme);
 }
 
@@ -728,53 +729,8 @@ int HttpStreamFactory::Job::DoInitConnectionImpl() {
     server_ssl_config_.renego_allowed_for_protos.push_back(kProtoHTTP11);
   }
 
-  if (using_quic_) {
-    HostPortPair destination;
-    SSLConfig* ssl_config;
-    GURL url(request_info_.url);
-    if (proxy_info_.is_quic()) {
-      // A proxy's certificate is expected to be valid for the proxy hostname.
-      destination = proxy_info_.proxy_server().host_port_pair();
-      ssl_config = &proxy_ssl_config_;
-      GURL::Replacements replacements;
-      replacements.SetSchemeStr(url::kHttpsScheme);
-      replacements.SetHostStr(destination.host());
-      const std::string new_port = base::NumberToString(destination.port());
-      replacements.SetPortStr(new_port);
-      replacements.ClearUsername();
-      replacements.ClearPassword();
-      replacements.ClearPath();
-      replacements.ClearQuery();
-      replacements.ClearRef();
-      url = url.ReplaceComponents(replacements);
-    } else {
-      DCHECK(using_ssl_);
-      // The certificate of a QUIC alternative server is expected to be valid
-      // for the origin of the request (in addition to being valid for the
-      // server itself).
-      destination = destination_;
-      ssl_config = &server_ssl_config_;
-    }
-    int rv = quic_request_.Request(
-        destination, quic_version_, request_info_.privacy_mode, priority_,
-        request_info_.socket_tag, request_info_.network_isolation_key,
-        request_info_.disable_secure_dns, ssl_config->GetCertVerifyFlags(), url,
-        net_log_, &net_error_details_,
-        base::BindOnce(&Job::OnFailedOnDefaultNetwork,
-                       ptr_factory_.GetWeakPtr()),
-        io_callback_);
-    if (rv == OK) {
-      using_existing_quic_session_ = true;
-    } else if (rv == ERR_IO_PENDING) {
-      // There's no available QUIC session. Inform the delegate how long to
-      // delay the main job.
-      delegate_->MaybeSetWaitTimeForMainJob(
-          quic_request_.GetTimeDelayForWaitingJob());
-      expect_on_quic_host_resolution_ = quic_request_.WaitForHostResolution(
-          base::BindOnce(&Job::OnQuicHostResolution, base::Unretained(this)));
-    }
-    return rv;
-  }
+  if (using_quic_)
+    return DoInitConnectionImplQuic();
 
   // Check first if there is a pushed stream matching the request, or an HTTP/2
   // connection this request can pool to.  If so, then go straight to using
@@ -891,6 +847,53 @@ int HttpStreamFactory::Job::DoInitConnectionImpl() {
       connection_.get(), io_callback_, proxy_auth_callback);
 }
 
+int HttpStreamFactory::Job::DoInitConnectionImplQuic() {
+  HostPortPair destination;
+  SSLConfig* ssl_config;
+  GURL url(request_info_.url);
+  if (proxy_info_.is_quic()) {
+    // A proxy's certificate is expected to be valid for the proxy hostname.
+    destination = proxy_info_.proxy_server().host_port_pair();
+    ssl_config = &proxy_ssl_config_;
+    GURL::Replacements replacements;
+    replacements.SetSchemeStr(url::kHttpsScheme);
+    replacements.SetHostStr(destination.host());
+    const std::string new_port = base::NumberToString(destination.port());
+    replacements.SetPortStr(new_port);
+    replacements.ClearUsername();
+    replacements.ClearPassword();
+    replacements.ClearPath();
+    replacements.ClearQuery();
+    replacements.ClearRef();
+    url = url.ReplaceComponents(replacements);
+  } else {
+    DCHECK(using_ssl_);
+    // The certificate of a QUIC alternative server is expected to be valid
+    // for the origin of the request (in addition to being valid for the
+    // server itself).
+    destination = destination_;
+    ssl_config = &server_ssl_config_;
+  }
+  int rv = quic_request_.Request(
+      destination, quic_version_, request_info_.privacy_mode, priority_,
+      request_info_.socket_tag, request_info_.network_isolation_key,
+      request_info_.disable_secure_dns, ssl_config->GetCertVerifyFlags(), url,
+      net_log_, &net_error_details_,
+      base::BindOnce(&Job::OnFailedOnDefaultNetwork, ptr_factory_.GetWeakPtr()),
+      io_callback_);
+  if (rv == OK) {
+    using_existing_quic_session_ = true;
+  } else if (rv == ERR_IO_PENDING) {
+    // There's no available QUIC session. Inform the delegate how long to
+    // delay the main job.
+    delegate_->MaybeSetWaitTimeForMainJob(
+        quic_request_.GetTimeDelayForWaitingJob());
+    expect_on_quic_host_resolution_ = quic_request_.WaitForHostResolution(
+        base::BindOnce(&Job::OnQuicHostResolution, base::Unretained(this)));
+  }
+  return rv;
+}
+
 void HttpStreamFactory::Job::OnQuicHostResolution(int result) {
   DCHECK(expect_on_quic_host_resolution_);
   expect_on_quic_host_resolution_ = false;
@@ -1181,17 +1184,6 @@ int HttpStreamFactory::Job::DoCreateStreamComplete(int result) {
   return OK;
 }
 
-void HttpStreamFactory::Job::ReturnToStateInitConnection(
-    bool close_connection) {
-  if (close_connection && connection_->socket())
-    connection_->socket()->Disconnect();
-  connection_->Reset();
-
-  spdy_session_request_.reset();
-
-  next_state_ = STATE_INIT_CONNECTION;
-}
-
 void HttpStreamFactory::Job::OnSpdySessionAvailable(
     base::WeakPtr<SpdySession> spdy_session) {
   DCHECK(spdy_session);
diff --git a/chromium/net/http/http_stream_factory_job.h b/chromium/net/http/http_stream_factory_job.h
index 04a0b7a8c24..bfc981c5f12 100644
--- a/chromium/net/http/http_stream_factory_job.h
+++ b/chromium/net/http/http_stream_factory_job.h
@@ -282,6 +282,7 @@ class HttpStreamFactory::Job
   int DoLoop(int result);
   int StartInternal();
   int DoInitConnectionImpl();
+  int DoInitConnectionImplQuic();
 
   // If this is a QUIC alt job, then this function is called when host
   // resolution completes. It's called with the next result after host
@@ -312,9 +313,6 @@ class HttpStreamFactory::Job
   int SetSpdyHttpStreamOrBidirectionalStreamImpl(
       base::WeakPtr<SpdySession> session);
 
-  // Returns to STATE_INIT_CONNECTION and resets some state.
-  void ReturnToStateInitConnection(bool close_connection);
-
   // SpdySessionPool::SpdySessionRequest::Delegate implementation:
   void OnSpdySessionAvailable(base::WeakPtr<SpdySession> spdy_session) override;
 
diff --git a/chromium/net/http/http_stream_factory_job_controller.cc b/chromium/net/http/http_stream_factory_job_controller.cc
index f5aef341c70..932e74e4160 100644
--- a/chromium/net/http/http_stream_factory_job_controller.cc
+++ b/chromium/net/http/http_stream_factory_job_controller.cc
@@ -621,8 +621,8 @@ int HttpStreamFactory::JobController::DoResolveProxy() {
   CompletionOnceCallback io_callback =
       base::BindOnce(&JobController::OnIOComplete, base::Unretained(this));
   return session_->proxy_resolution_service()->ResolveProxy(
-      origin_url, request_info_.method, &proxy_info_, std::move(io_callback),
-      &proxy_resolve_request_, net_log_);
+      origin_url, request_info_.method, request_info_.network_isolation_key,
+      &proxy_info_, std::move(io_callback), &proxy_resolve_request_, net_log_);
 }
 
 int HttpStreamFactory::JobController::DoResolveProxyComplete(int rv) {
@@ -998,6 +998,7 @@ HttpStreamFactory::JobController::GetAlternativeServiceInfoInternal(
   // First alternative service that is not marked as broken.
   AlternativeServiceInfo first_alternative_service_info;
 
+  bool is_any_broken = false;
   for (const AlternativeServiceInfo& alternative_service_info :
        alternative_service_info_vector) {
     DCHECK(IsAlternateProtocolValid(alternative_service_info.protocol()));
@@ -1011,7 +1012,11 @@ HttpStreamFactory::JobController::GetAlternativeServiceInfoInternal(
           return NetLogAltSvcParams(&alternative_service_info, is_broken);
         });
     if (is_broken) {
-      HistogramAlternateProtocolUsage(ALTERNATE_PROTOCOL_USAGE_BROKEN, false);
+      if (!is_any_broken) {
+        // Only log the broken alternative service once per request.
+        is_any_broken = true;
+        HistogramAlternateProtocolUsage(ALTERNATE_PROTOCOL_USAGE_BROKEN, false);
+      }
       continue;
     }
 
@@ -1044,7 +1049,9 @@ HttpStreamFactory::JobController::GetAlternativeServiceInfoInternal(
       continue;
 
     if (stream_type == HttpStreamRequest::BIDIRECTIONAL_STREAM &&
-        session_->params().quic_params.disable_bidirectional_streams) {
+        session_->context()
+            .quic_context->params()
+            ->disable_bidirectional_streams) {
       continue;
     }
 
@@ -1066,7 +1073,7 @@ HttpStreamFactory::JobController::GetAlternativeServiceInfoInternal(
 
     HostPortPair destination(alternative_service_info.host_port_pair());
     if (session_key.host() != destination.host() &&
-        !session_->params().quic_params.allow_remote_alt_svc) {
+        !session_->context().quic_context->params()->allow_remote_alt_svc) {
       continue;
     }
     ignore_result(ApplyHostMappingRules(original_url, &destination));
@@ -1093,7 +1100,7 @@ HttpStreamFactory::JobController::GetAlternativeServiceInfoInternal(
 quic::ParsedQuicVersion HttpStreamFactory::JobController::SelectQuicVersion(
     const quic::ParsedQuicVersionVector& advertised_versions) {
   const quic::ParsedQuicVersionVector& supported_versions =
-      session_->params().quic_params.supported_versions;
+      session_->context().quic_context->params()->supported_versions;
   if (advertised_versions.empty())
     return supported_versions[0];
 
diff --git a/chromium/net/http/http_stream_factory_job_controller_unittest.cc b/chromium/net/http/http_stream_factory_job_controller_unittest.cc
index d49c9945401..6052667d476 100644
--- a/chromium/net/http/http_stream_factory_job_controller_unittest.cc
+++ b/chromium/net/http/http_stream_factory_job_controller_unittest.cc
@@ -40,6 +40,7 @@
 #include "net/proxy_resolution/proxy_info.h"
 #include "net/proxy_resolution/proxy_resolution_service.h"
 #include "net/quic/mock_crypto_client_stream_factory.h"
+#include "net/quic/mock_quic_context.h"
 #include "net/quic/mock_quic_data.h"
 #include "net/quic/quic_stream_factory.h"
 #include "net/quic/quic_stream_factory_peer.h"
@@ -49,10 +50,8 @@
 #include "net/spdy/spdy_test_util_common.h"
 #include "net/test/test_with_task_environment.h"
 #include "net/third_party/quiche/src/quic/core/quic_utils.h"
-#include "net/third_party/quiche/src/quic/test_tools/mock_random.h"
 #include "net/traffic_annotation/network_traffic_annotation_test_helper.h"
 #include "testing/gmock/include/gmock/gmock.h"
-#include "testing/gmock_mutant.h"
 #include "testing/gtest/include/gtest/gtest.h"
 #include "url/origin.h"
 
@@ -252,7 +251,7 @@ class HttpStreamFactoryJobControllerTest : public TestWithTaskEnvironment {
 
     session_context.quic_crypto_client_stream_factory =
         &crypto_client_stream_factory_;
-    session_context.quic_random = &random_generator_;
+    session_context.quic_context = &quic_context_;
     session_ = std::make_unique<HttpNetworkSession>(params, session_context);
     factory_ = static_cast<HttpStreamFactory*>(session_->http_stream_factory());
     if (create_job_controller_) {
@@ -287,7 +286,7 @@ class HttpStreamFactoryJobControllerTest : public TestWithTaskEnvironment {
     if (alternative_service.protocol == kProtoQUIC) {
       session_->http_server_properties()->SetQuicAlternativeService(
           server, NetworkIsolationKey(), alternative_service, expiration,
-          session_->params().quic_params.supported_versions);
+          quic_context_.params()->supported_versions);
     } else {
       session_->http_server_properties()->SetHttp2AlternativeService(
           server, NetworkIsolationKey(), alternative_service, expiration);
@@ -322,9 +321,10 @@ class HttpStreamFactoryJobControllerTest : public TestWithTaskEnvironment {
   void TestMainJobFailsAfterAltJobSucceeded(
       bool alt_job_retried_on_non_default_network);
 
-  BoundTestNetLog net_log_;
+  RecordingBoundTestNetLog net_log_;
   TestJobFactory job_factory_;
   MockHttpStreamRequestDelegate request_delegate_;
+  MockQuicContext quic_context_;
   SpdySessionDependencies session_deps_{ProxyResolutionService::CreateDirect()};
   std::unique_ptr<HttpNetworkSession> session_;
   HttpStreamFactory* factory_ = nullptr;
@@ -333,15 +333,13 @@ class HttpStreamFactoryJobControllerTest : public TestWithTaskEnvironment {
   std::unique_ptr<SequencedSocketData> tcp_data_;
   std::unique_ptr<MockQuicData> quic_data_;
   MockCryptoClientStreamFactory crypto_client_stream_factory_;
-  quic::MockClock clock_;
-  quic::test::MockRandom random_generator_{0};
-  QuicTestPacketMaker client_maker_{
-      HttpNetworkSession::Params().quic_params.supported_versions[0],
-      quic::QuicUtils::CreateRandomConnectionId(&random_generator_),
-      &clock_,
-      kServerHostname,
-      quic::Perspective::IS_CLIENT,
-      false};
+  QuicTestPacketMaker client_maker_{kDefaultSupportedQuicVersion,
+                                    quic::QuicUtils::CreateRandomConnectionId(
+                                        quic_context_.random_generator()),
+                                    quic_context_.clock(),
+                                    kServerHostname,
+                                    quic::Perspective::IS_CLIENT,
+                                    false};
 
  protected:
   bool use_alternative_proxy_ = false;
@@ -722,8 +720,7 @@ TEST_F(JobControllerReconsiderProxyAfterErrorTest,
       NetworkIsolationKey(), stats1);
 
   // Prepare the mocked data.
-  MockQuicData quic_data(
-      HttpNetworkSession::Params().quic_params.supported_versions.front());
+  MockQuicData quic_data(kDefaultSupportedQuicVersion);
   quic_data.AddRead(ASYNC, ERR_QUIC_PROTOCOL_ERROR);
   quic_data.AddWrite(ASYNC, OK);
   quic_data.AddSocketDataToFactory(session_deps_.socket_factory.get());
@@ -813,8 +810,7 @@ TEST_F(HttpStreamFactoryJobControllerTest, CancelJobsBeforeBinding) {
   // Use COLD_START to make the alt job pending.
   crypto_client_stream_factory_.set_handshake_mode(
       MockCryptoClientStream::COLD_START);
-  quic_data_ = std::make_unique<MockQuicData>(
-      HttpNetworkSession::Params().quic_params.supported_versions.front());
+  quic_data_ = std::make_unique<MockQuicData>(kDefaultSupportedQuicVersion);
   quic_data_->AddRead(SYNCHRONOUS, OK);
 
   tcp_data_ = std::make_unique<SequencedSocketData>();
@@ -876,8 +872,7 @@ TEST_F(HttpStreamFactoryJobControllerTest,
        DoNotDelayMainJobIfQuicWasRecentlyBroken) {
   crypto_client_stream_factory_.set_handshake_mode(
       MockCryptoClientStream::COLD_START);
-  quic_data_ = std::make_unique<MockQuicData>(
-      HttpNetworkSession::Params().quic_params.supported_versions.front());
+  quic_data_ = std::make_unique<MockQuicData>(kDefaultSupportedQuicVersion);
   quic_data_->AddRead(SYNCHRONOUS, ERR_IO_PENDING);
   tcp_data_ = std::make_unique<SequencedSocketData>();
   tcp_data_->set_connect_data(MockConnect(SYNCHRONOUS, ERR_IO_PENDING));
@@ -892,7 +887,7 @@ TEST_F(HttpStreamFactoryJobControllerTest,
   base::Time expiration = base::Time::Now() + base::TimeDelta::FromDays(1);
   session_->http_server_properties()->SetQuicAlternativeService(
       server, NetworkIsolationKey(), alternative_service, expiration,
-      session_->params().quic_params.supported_versions);
+      quic_context_.params()->supported_versions);
 
   // Enable QUIC but mark the alternative service as recently broken.
   QuicStreamFactory* quic_stream_factory = session_->quic_stream_factory();
@@ -935,8 +930,7 @@ TEST_F(HttpStreamFactoryJobControllerTest,
        DelayMainJobAfterRecentlyBrokenQuicWasConfirmed) {
   crypto_client_stream_factory_.set_handshake_mode(
       MockCryptoClientStream::COLD_START);
-  quic_data_ = std::make_unique<MockQuicData>(
-      HttpNetworkSession::Params().quic_params.supported_versions.front());
+  quic_data_ = std::make_unique<MockQuicData>(kDefaultSupportedQuicVersion);
   quic_data_->AddRead(SYNCHRONOUS, ERR_IO_PENDING);
   tcp_data_ = std::make_unique<SequencedSocketData>();
   tcp_data_->set_connect_data(MockConnect(SYNCHRONOUS, ERR_IO_PENDING));
@@ -951,7 +945,7 @@ TEST_F(HttpStreamFactoryJobControllerTest,
   base::Time expiration = base::Time::Now() + base::TimeDelta::FromDays(1);
   session_->http_server_properties()->SetQuicAlternativeService(
       server, NetworkIsolationKey(), alternative_service, expiration,
-      session_->params().quic_params.supported_versions);
+      quic_context_.params()->supported_versions);
 
   // Enable QUIC but mark the alternative service as recently broken.
   QuicStreamFactory* quic_stream_factory = session_->quic_stream_factory();
@@ -998,8 +992,7 @@ TEST_F(HttpStreamFactoryJobControllerTest,
 
 void HttpStreamFactoryJobControllerTest::TestOnStreamFailedForBothJobs(
     bool alt_job_retried_on_non_default_network) {
-  quic_data_ = std::make_unique<MockQuicData>(
-      HttpNetworkSession::Params().quic_params.supported_versions.front());
+  quic_data_ = std::make_unique<MockQuicData>(kDefaultSupportedQuicVersion);
   quic_data_->AddConnect(ASYNC, ERR_FAILED);
   tcp_data_ = std::make_unique<SequencedSocketData>();
   tcp_data_->set_connect_data(MockConnect(ASYNC, ERR_FAILED));
@@ -1050,8 +1043,7 @@ TEST_F(HttpStreamFactoryJobControllerTest,
 
 void HttpStreamFactoryJobControllerTest::TestAltJobFailsAfterMainJobSucceeded(
     bool alt_job_retried_on_non_default_network) {
-  quic_data_ = std::make_unique<MockQuicData>(
-      HttpNetworkSession::Params().quic_params.supported_versions.front());
+  quic_data_ = std::make_unique<MockQuicData>(kDefaultSupportedQuicVersion);
   quic_data_->AddRead(ASYNC, ERR_FAILED);
   crypto_client_stream_factory_.set_handshake_mode(
       MockCryptoClientStream::COLD_START);
@@ -1120,8 +1112,7 @@ TEST_F(HttpStreamFactoryJobControllerTest,
 
 // Tests that when alt job succeeds, main job is destroyed.
 TEST_F(HttpStreamFactoryJobControllerTest, AltJobSucceedsMainJobDestroyed) {
-  quic_data_ = std::make_unique<MockQuicData>(
-      HttpNetworkSession::Params().quic_params.supported_versions.front());
+  quic_data_ = std::make_unique<MockQuicData>(kDefaultSupportedQuicVersion);
   quic_data_->AddRead(SYNCHRONOUS, ERR_IO_PENDING);
   // Use cold start and complete alt job manually.
   crypto_client_stream_factory_.set_handshake_mode(
@@ -1169,11 +1160,8 @@ TEST_F(HttpStreamFactoryJobControllerTest, AltJobSucceedsMainJobDestroyed) {
 // Regression test for crbug.com/678768.
 TEST_F(HttpStreamFactoryJobControllerTest,
        AltJobSucceedsMainJobBlockedControllerDestroyed) {
-  quic_data_ = std::make_unique<MockQuicData>(
-      HttpNetworkSession::Params().quic_params.supported_versions.front());
-  if (VersionUsesHttp3(HttpNetworkSession::Params()
-                           .quic_params.supported_versions.front()
-                           .transport_version)) {
+  quic_data_ = std::make_unique<MockQuicData>(kDefaultSupportedQuicVersion);
+  if (VersionUsesHttp3(kDefaultSupportedQuicVersion.transport_version)) {
     quic_data_->AddWrite(SYNCHRONOUS,
                          client_maker_.MakeInitialSettingsPacket(1));
   }
@@ -1253,8 +1241,7 @@ TEST_F(HttpStreamFactoryJobControllerTest,
 // JobController will be cleaned up.
 TEST_F(HttpStreamFactoryJobControllerTest,
        OrphanedJobCompletesControllerDestroyed) {
-  quic_data_ = std::make_unique<MockQuicData>(
-      HttpNetworkSession::Params().quic_params.supported_versions.front());
+  quic_data_ = std::make_unique<MockQuicData>(kDefaultSupportedQuicVersion);
   quic_data_->AddRead(SYNCHRONOUS, ERR_IO_PENDING);
   // Use cold start and complete alt job manually.
   crypto_client_stream_factory_.set_handshake_mode(
@@ -1308,8 +1295,7 @@ TEST_F(HttpStreamFactoryJobControllerTest,
 
 void HttpStreamFactoryJobControllerTest::TestAltJobSucceedsAfterMainJobFailed(
     bool alt_job_retried_on_non_default_network) {
-  quic_data_ = std::make_unique<MockQuicData>(
-      HttpNetworkSession::Params().quic_params.supported_versions.front());
+  quic_data_ = std::make_unique<MockQuicData>(kDefaultSupportedQuicVersion);
   quic_data_->AddRead(SYNCHRONOUS, ERR_IO_PENDING);
   // Use cold start and complete alt job manually.
   crypto_client_stream_factory_.set_handshake_mode(
@@ -1377,8 +1363,7 @@ TEST_F(HttpStreamFactoryJobControllerTest,
 void HttpStreamFactoryJobControllerTest::
     TestAltJobSucceedsAfterMainJobSucceeded(
         bool alt_job_retried_on_non_default_network) {
-  quic_data_ = std::make_unique<MockQuicData>(
-      HttpNetworkSession::Params().quic_params.supported_versions.front());
+  quic_data_ = std::make_unique<MockQuicData>(kDefaultSupportedQuicVersion);
   quic_data_->AddRead(SYNCHRONOUS, ERR_IO_PENDING);
   // Use cold start and complete alt job manually.
   crypto_client_stream_factory_.set_handshake_mode(
@@ -1461,8 +1446,7 @@ TEST_F(HttpStreamFactoryJobControllerTest,
 void HttpStreamFactoryJobControllerTest::
     TestMainJobSucceedsAfterAltJobSucceeded(
         bool alt_job_retried_on_non_default_network) {
-  quic_data_ = std::make_unique<MockQuicData>(
-      HttpNetworkSession::Params().quic_params.supported_versions.front());
+  quic_data_ = std::make_unique<MockQuicData>(kDefaultSupportedQuicVersion);
   quic_data_->AddRead(SYNCHRONOUS, ERR_IO_PENDING);
   // Use cold start and complete alt job manually.
   crypto_client_stream_factory_.set_handshake_mode(
@@ -1537,8 +1521,7 @@ TEST_F(HttpStreamFactoryJobControllerTest,
 
 void HttpStreamFactoryJobControllerTest::TestMainJobFailsAfterAltJobSucceeded(
     bool alt_job_retried_on_non_default_network) {
-  quic_data_ = std::make_unique<MockQuicData>(
-      HttpNetworkSession::Params().quic_params.supported_versions.front());
+  quic_data_ = std::make_unique<MockQuicData>(kDefaultSupportedQuicVersion);
   quic_data_->AddRead(SYNCHRONOUS, ERR_IO_PENDING);
   // Use cold start and complete alt job manually.
   crypto_client_stream_factory_.set_handshake_mode(
@@ -1601,8 +1584,7 @@ TEST_F(HttpStreamFactoryJobControllerTest,
 
 void HttpStreamFactoryJobControllerTest::TestMainJobSucceedsAfterAltJobFailed(
     bool alt_job_retried_on_non_default_network) {
-  quic_data_ = std::make_unique<MockQuicData>(
-      HttpNetworkSession::Params().quic_params.supported_versions.front());
+  quic_data_ = std::make_unique<MockQuicData>(kDefaultSupportedQuicVersion);
   quic_data_->AddConnect(SYNCHRONOUS, ERR_FAILED);
 
   tcp_data_ = std::make_unique<SequencedSocketData>();
@@ -1670,8 +1652,7 @@ TEST_F(HttpStreamFactoryJobControllerTest,
 // then the alternative service is not marked as broken.
 TEST_F(HttpStreamFactoryJobControllerTest,
        MainJobSucceedsAfterConnectionChanged) {
-  quic_data_ = std::make_unique<MockQuicData>(
-      HttpNetworkSession::Params().quic_params.supported_versions.front());
+  quic_data_ = std::make_unique<MockQuicData>(kDefaultSupportedQuicVersion);
   quic_data_->AddConnect(SYNCHRONOUS, ERR_NETWORK_CHANGED);
   tcp_data_ = std::make_unique<SequencedSocketData>();
   tcp_data_->set_connect_data(MockConnect(SYNCHRONOUS, OK));
@@ -1713,8 +1694,7 @@ TEST_F(HttpStreamFactoryJobControllerTest,
 // Get load state after main job fails and before alternative job succeeds.
 TEST_F(HttpStreamFactoryJobControllerTest, GetLoadStateAfterMainJobFailed) {
   // Use COLD_START to complete alt job manually.
-  quic_data_ = std::make_unique<MockQuicData>(
-      HttpNetworkSession::Params().quic_params.supported_versions.front());
+  quic_data_ = std::make_unique<MockQuicData>(kDefaultSupportedQuicVersion);
   quic_data_->AddRead(SYNCHRONOUS, ERR_IO_PENDING);
   crypto_client_stream_factory_.set_handshake_mode(
       MockCryptoClientStream::COLD_START);
@@ -1761,8 +1741,7 @@ TEST_F(HttpStreamFactoryJobControllerTest, GetLoadStateAfterMainJobFailed) {
 
 TEST_F(HttpStreamFactoryJobControllerTest, ResumeMainJobWhenAltJobStalls) {
   // Use COLD_START to stall alt job.
-  quic_data_ = std::make_unique<MockQuicData>(
-      HttpNetworkSession::Params().quic_params.supported_versions.front());
+  quic_data_ = std::make_unique<MockQuicData>(kDefaultSupportedQuicVersion);
   quic_data_->AddRead(SYNCHRONOUS, ERR_IO_PENDING);
   crypto_client_stream_factory_.set_handshake_mode(
       MockCryptoClientStream::COLD_START);
@@ -1831,8 +1810,7 @@ TEST_F(HttpStreamFactoryJobControllerTest, HostResolutionHang) {
   Initialize(request_info);
 
   // handshake will fail asynchronously after mock data is unpaused.
-  MockQuicData quic_data(
-      HttpNetworkSession::Params().quic_params.supported_versions.front());
+  MockQuicData quic_data(kDefaultSupportedQuicVersion);
   quic_data.AddRead(ASYNC, ERR_IO_PENDING);  // Pause
   quic_data.AddRead(ASYNC, ERR_FAILED);
   quic_data.AddWrite(ASYNC, ERR_FAILED);
@@ -1905,8 +1883,7 @@ TEST_F(HttpStreamFactoryJobControllerTest, DelayedTCP) {
   Initialize(request_info);
 
   // Handshake will fail asynchronously after mock data is unpaused.
-  MockQuicData quic_data(
-      HttpNetworkSession::Params().quic_params.supported_versions.front());
+  MockQuicData quic_data(kDefaultSupportedQuicVersion);
   quic_data.AddRead(ASYNC, ERR_IO_PENDING);  // Pause
   quic_data.AddRead(ASYNC, ERR_FAILED);
   quic_data.AddWrite(ASYNC, ERR_FAILED);
@@ -2048,8 +2025,7 @@ TEST_F(HttpStreamFactoryJobControllerTest, DelayedTCPWithLargeSrtt) {
   Initialize(request_info);
 
   // handshake will fail asynchronously after mock data is unpaused.
-  MockQuicData quic_data(
-      HttpNetworkSession::Params().quic_params.supported_versions.front());
+  MockQuicData quic_data(kDefaultSupportedQuicVersion);
   quic_data.AddRead(ASYNC, ERR_IO_PENDING);  // Pause
   quic_data.AddRead(ASYNC, ERR_FAILED);
   quic_data.AddWrite(ASYNC, ERR_FAILED);
@@ -2111,8 +2087,7 @@ TEST_F(HttpStreamFactoryJobControllerTest,
   Initialize(request_info);
 
   // handshake will fail asynchronously after mock data is unpaused.
-  MockQuicData quic_data(
-      HttpNetworkSession::Params().quic_params.supported_versions.front());
+  MockQuicData quic_data(kDefaultSupportedQuicVersion);
   quic_data.AddRead(ASYNC, ERR_IO_PENDING);  // Pause
   quic_data.AddRead(ASYNC, ERR_FAILED);
   quic_data.AddWrite(ASYNC, ERR_FAILED);
@@ -2234,8 +2209,7 @@ TEST_F(HttpStreamFactoryJobControllerTest, DelayedTCPAlternativeProxy) {
   EXPECT_TRUE(test_proxy_delegate()->alternative_proxy_server().is_quic());
 
   // Handshake will fail asynchronously after mock data is unpaused.
-  MockQuicData quic_data(
-      HttpNetworkSession::Params().quic_params.supported_versions.front());
+  MockQuicData quic_data(kDefaultSupportedQuicVersion);
   quic_data.AddRead(ASYNC, ERR_IO_PENDING);  // Pause
   quic_data.AddRead(ASYNC, ERR_FAILED);
   quic_data.AddWrite(ASYNC, ERR_FAILED);
@@ -2294,8 +2268,7 @@ TEST_F(HttpStreamFactoryJobControllerTest, FailAlternativeProxy) {
   ProxyClientSocketDataProvider proxy_data(SYNCHRONOUS, OK);
   session_deps_.socket_factory->AddProxyClientSocketDataProvider(&proxy_data);
 
-  quic_data_ = std::make_unique<MockQuicData>(
-      HttpNetworkSession::Params().quic_params.supported_versions.front());
+  quic_data_ = std::make_unique<MockQuicData>(kDefaultSupportedQuicVersion);
   quic_data_->AddConnect(SYNCHRONOUS, ERR_FAILED);
   tcp_data_ = std::make_unique<SequencedSocketData>();
   tcp_data_->set_connect_data(MockConnect(SYNCHRONOUS, OK));
@@ -2349,8 +2322,7 @@ TEST_F(HttpStreamFactoryJobControllerTest,
   ProxyClientSocketDataProvider proxy_data(SYNCHRONOUS, OK);
   session_deps_.socket_factory->AddProxyClientSocketDataProvider(&proxy_data);
 
-  quic_data_ = std::make_unique<MockQuicData>(
-      HttpNetworkSession::Params().quic_params.supported_versions.front());
+  quic_data_ = std::make_unique<MockQuicData>(kDefaultSupportedQuicVersion);
   quic_data_->AddConnect(SYNCHRONOUS, ERR_INTERNET_DISCONNECTED);
   tcp_data_ = std::make_unique<SequencedSocketData>();
   tcp_data_->set_connect_data(MockConnect(SYNCHRONOUS, OK));
@@ -2404,8 +2376,7 @@ TEST_F(HttpStreamFactoryJobControllerTest,
   // Use COLD_START to make the alt job pending.
   crypto_client_stream_factory_.set_handshake_mode(
       MockCryptoClientStream::COLD_START);
-  quic_data_ = std::make_unique<MockQuicData>(
-      HttpNetworkSession::Params().quic_params.supported_versions.front());
+  quic_data_ = std::make_unique<MockQuicData>(kDefaultSupportedQuicVersion);
   quic_data_->AddRead(SYNCHRONOUS, ERR_IO_PENDING);
   tcp_data_ = std::make_unique<SequencedSocketData>();
   tcp_data_->set_connect_data(MockConnect(SYNCHRONOUS, OK));
@@ -2453,8 +2424,7 @@ TEST_F(HttpStreamFactoryJobControllerTest,
 }
 
 TEST_F(HttpStreamFactoryJobControllerTest, PreconnectToHostWithValidAltSvc) {
-  auto version =
-      HttpNetworkSession::Params().quic_params.supported_versions.front();
+  auto version = kDefaultSupportedQuicVersion;
   quic_data_ = std::make_unique<MockQuicData>(version);
   if (VersionUsesHttp3(version.transport_version)) {
     quic_data_->AddWrite(SYNCHRONOUS,
@@ -3076,8 +3046,7 @@ TEST_F(JobControllerLimitMultipleH2Requests, H1NegotiatedForFirstRequest) {
 TEST_F(JobControllerLimitMultipleH2Requests, QuicJobNotThrottled) {
   crypto_client_stream_factory_.set_handshake_mode(
       MockCryptoClientStream::COLD_START);
-  quic_data_ = std::make_unique<MockQuicData>(
-      HttpNetworkSession::Params().quic_params.supported_versions.front());
+  quic_data_ = std::make_unique<MockQuicData>(kDefaultSupportedQuicVersion);
   quic_data_->AddRead(SYNCHRONOUS, ERR_IO_PENDING);
   MockRead reads[] = {MockRead(SYNCHRONOUS, ERR_IO_PENDING)};
   tcp_data_ =
@@ -3142,8 +3111,7 @@ TEST_P(HttpStreamFactoryJobControllerMisdirectedRequestRetry,
   const bool enable_ip_based_pooling = ::testing::get<0>(GetParam());
   const bool enable_alternative_services = ::testing::get<1>(GetParam());
   if (enable_alternative_services) {
-    auto version =
-        HttpNetworkSession::Params().quic_params.supported_versions.front();
+    auto version = kDefaultSupportedQuicVersion;
     quic_data_ = std::make_unique<MockQuicData>(version);
     quic_data_->AddConnect(SYNCHRONOUS, OK);
     if (VersionUsesHttp3(version.transport_version)) {
@@ -3284,7 +3252,7 @@ TEST_F(HttpStreamFactoryJobControllerTest, GetAlternativeServiceInfoFor) {
   // Set alternative service for the same server with the same list of versions
   // that is supported.
   quic::ParsedQuicVersionVector supported_versions =
-      session_->params().quic_params.supported_versions;
+      quic_context_.params()->supported_versions;
   session_->http_server_properties()->SetQuicAlternativeService(
       server, NetworkIsolationKey(), alternative_service, expiration,
       supported_versions);
@@ -3318,10 +3286,9 @@ TEST_F(HttpStreamFactoryJobControllerTest, GetAlternativeServiceInfoFor) {
   // Set alternative service for the same server with two QUIC versions:
   // - one unsupported version: |unsupported_version_1|,
   // - one supported version:
-  // session_->params().quic_params.supported_versions[0].
+  // quic_context_.params()->supported_versions[0].
   quic::ParsedQuicVersionVector mixed_quic_versions = {
-      unsupported_version_1,
-      session_->params().quic_params.supported_versions[0]};
+      unsupported_version_1, quic_context_.params()->supported_versions[0]};
   session_->http_server_properties()->SetQuicAlternativeService(
       server, NetworkIsolationKey(), alternative_service, expiration,
       mixed_quic_versions);
@@ -3365,13 +3332,13 @@ TEST_F(HttpStreamFactoryJobControllerTest, QuicHostAllowlist) {
   // Set HttpNetworkSession's QUIC host allowlist to only have www.example.com
   HttpNetworkSessionPeer session_peer(session_.get());
   session_peer.params()->quic_host_allowlist.insert("www.example.com");
-  session_peer.params()->quic_params.allow_remote_alt_svc = true;
+  quic_context_.params()->allow_remote_alt_svc = true;
 
   // Set alternative service for www.google.com to be www.example.com over QUIC.
   url::SchemeHostPort server(request_info.url);
   base::Time expiration = base::Time::Now() + base::TimeDelta::FromDays(1);
   quic::ParsedQuicVersionVector supported_versions =
-      session_->params().quic_params.supported_versions;
+      quic_context_.params()->supported_versions;
   session_->http_server_properties()->SetQuicAlternativeService(
       server, NetworkIsolationKey(),
       AlternativeService(kProtoQUIC, "www.example.com", 443), expiration,
diff --git a/chromium/net/http/http_stream_factory_unittest.cc b/chromium/net/http/http_stream_factory_unittest.cc
index 870d6954ef9..f0ed85065e5 100644
--- a/chromium/net/http/http_stream_factory_unittest.cc
+++ b/chromium/net/http/http_stream_factory_unittest.cc
@@ -47,6 +47,7 @@
 #include "net/proxy_resolution/proxy_info.h"
 #include "net/proxy_resolution/proxy_resolution_service.h"
 #include "net/quic/mock_crypto_client_stream_factory.h"
+#include "net/quic/mock_quic_context.h"
 #include "net/quic/quic_http_utils.h"
 #include "net/quic/quic_stream_factory_peer.h"
 #include "net/quic/quic_test_packet_maker.h"
@@ -845,10 +846,12 @@ TEST_F(HttpStreamFactoryTest, QuicProxyMarkedAsBad) {
     MultiLogCTVerifier ct_verifier;
     session_context.cert_transparency_verifier = &ct_verifier;
     DefaultCTPolicyEnforcer ct_policy_enforcer;
+    QuicContext quic_context;
     session_context.ct_policy_enforcer = &ct_policy_enforcer;
     session_context.proxy_resolution_service = proxy_resolution_service.get();
     session_context.ssl_config_service = &ssl_config_service;
     session_context.http_server_properties = &http_server_properties;
+    session_context.quic_context = &quic_context;
 
     auto session =
         std::make_unique<HttpNetworkSession>(session_params, session_context);
@@ -974,6 +977,7 @@ void SetupForQuicAlternativeProxyTest(
     SSLConfigServiceDefaults* ssl_config_service,
     MockHostResolver* host_resolver,
     TransportSecurityState* transport_security_state,
+    QuicContext* quic_context,
     bool set_alternative_proxy_server) {
   session_params->enable_quic = true;
 
@@ -986,6 +990,7 @@ void SetupForQuicAlternativeProxyTest(
   session_context->cert_verifier = cert_verifier;
   session_context->ct_policy_enforcer = ct_policy_enforcer;
   session_context->cert_transparency_verifier = ct_verifier;
+  session_context->quic_context = quic_context;
 
   if (set_alternative_proxy_server) {
     test_proxy_delegate->set_alternative_proxy_server(
@@ -1023,12 +1028,14 @@ TEST_F(HttpStreamFactoryTest, WithQUICAlternativeProxyMarkedAsBad) {
       SSLConfigServiceDefaults ssl_config_service;
       MockHostResolver host_resolver;
       TransportSecurityState transport_security_state;
+      QuicContext quic_context;
       SetupForQuicAlternativeProxyTest(
           &session_params, &session_context, &socket_factory,
           proxy_resolution_service.get(), &test_proxy_delegate,
           &http_server_properties, &cert_verifier, &ct_policy_enforcer,
           &ct_verifier, &ssl_config_service, &host_resolver,
-          &transport_security_state, set_alternative_proxy_server);
+          &transport_security_state, &quic_context,
+          set_alternative_proxy_server);
 
       auto session =
           std::make_unique<HttpNetworkSession>(session_params, session_context);
@@ -1138,13 +1145,14 @@ TEST_F(HttpStreamFactoryTest, WithQUICAlternativeProxyNotMarkedAsBad) {
     SSLConfigServiceDefaults ssl_config_service;
     MockHostResolver host_resolver;
     TransportSecurityState transport_security_state;
+    QuicContext quic_context;
 
     SetupForQuicAlternativeProxyTest(
         &session_params, &session_context, &socket_factory,
         proxy_resolution_service.get(), &test_proxy_delegate,
         &http_server_properties, &cert_verifier, &ct_policy_enforcer,
         &ct_verifier, &ssl_config_service, &host_resolver,
-        &transport_security_state, true);
+        &transport_security_state, &quic_context, true);
 
     HostPortPair host_port_pair("badproxy", 99);
     auto session =
@@ -1234,7 +1242,7 @@ TEST_F(HttpStreamFactoryTest, UsePreConnectIfNoZeroRTT) {
                                host_port_pair.port());
     http_server_properties.SetQuicAlternativeService(
         server, NetworkIsolationKey(), alternative_service, expiration,
-        session_params.quic_params.supported_versions);
+        DefaultSupportedQuicVersions());
 
     HttpNetworkSession::Context session_context =
         SpdySessionDependencies::CreateSessionContext(&session_deps);
@@ -2177,24 +2185,23 @@ class HttpStreamFactoryBidirectionalQuicTest
       : default_url_(kDefaultUrl),
         version_(std::get<0>(GetParam())),
         client_headers_include_h2_stream_dependency_(std::get<1>(GetParam())),
-        random_generator_(0),
-        client_packet_maker_(
-            version_,
-            quic::QuicUtils::CreateRandomConnectionId(&random_generator_),
-            &clock_,
-            "www.example.org",
-            quic::Perspective::IS_CLIENT,
-            client_headers_include_h2_stream_dependency_),
-        server_packet_maker_(
-            version_,
-            quic::QuicUtils::CreateRandomConnectionId(&random_generator_),
-            &clock_,
-            "www.example.org",
-            quic::Perspective::IS_SERVER,
-            false),
+        client_packet_maker_(version_,
+                             quic::QuicUtils::CreateRandomConnectionId(
+                                 quic_context_.random_generator()),
+                             quic_context_.clock(),
+                             "www.example.org",
+                             quic::Perspective::IS_CLIENT,
+                             client_headers_include_h2_stream_dependency_),
+        server_packet_maker_(version_,
+                             quic::QuicUtils::CreateRandomConnectionId(
+                                 quic_context_.random_generator()),
+                             quic_context_.clock(),
+                             "www.example.org",
+                             quic::Perspective::IS_SERVER,
+                             false),
         proxy_resolution_service_(ProxyResolutionService::CreateDirect()),
         ssl_config_service_(new SSLConfigServiceDefaults) {
-    clock_.AdvanceTime(quic::QuicTime::Delta::FromMilliseconds(20));
+    quic_context_.AdvanceTime(quic::QuicTime::Delta::FromMilliseconds(20));
     if (version_.handshake_protocol == quic::PROTOCOL_TLS1_3) {
       SetQuicReloadableFlag(quic_supports_tls_handshake, true);
     }
@@ -2205,20 +2212,19 @@ class HttpStreamFactoryBidirectionalQuicTest
   // Disable bidirectional stream over QUIC. This should be invoked before
   // Initialize().
   void DisableQuicBidirectionalStream() {
-    params_.quic_params.disable_bidirectional_streams = true;
+    quic_context_.params()->disable_bidirectional_streams = true;
   }
 
   void Initialize() {
     params_.enable_quic = true;
-    params_.quic_params.supported_versions =
+    quic_context_.params()->supported_versions =
         quic::test::SupportedVersions(version_);
-    params_.quic_params.headers_include_h2_stream_dependency =
+    quic_context_.params()->headers_include_h2_stream_dependency =
         client_headers_include_h2_stream_dependency_;
 
     HttpNetworkSession::Context session_context;
     session_context.http_server_properties = &http_server_properties_;
-    session_context.quic_random = &random_generator_;
-    session_context.quic_clock = &clock_;
+    session_context.quic_context = &quic_context_;
 
     // Load a certificate that is valid for *.example.org
     scoped_refptr<X509Certificate> test_cert(
@@ -2251,7 +2257,7 @@ class HttpStreamFactoryBidirectionalQuicTest
     http_server_properties_.SetQuicAlternativeService(
         url::SchemeHostPort(default_url_), NetworkIsolationKey(),
         alternative_service, expiration,
-        session_->params().quic_params.supported_versions);
+        session_->context().quic_context->params()->supported_versions);
   }
 
   test::QuicTestPacketMaker& client_packet_maker() {
@@ -2278,8 +2284,7 @@ class HttpStreamFactoryBidirectionalQuicTest
   QuicFlagSaver saver_;
   const quic::ParsedQuicVersion version_;
   const bool client_headers_include_h2_stream_dependency_;
-  quic::MockClock clock_;
-  quic::test::MockRandom random_generator_;
+  MockQuicContext quic_context_;
   test::QuicTestPacketMaker client_packet_maker_;
   test::QuicTestPacketMaker server_packet_maker_;
   MockTaggingClientSocketFactory socket_factory_;
@@ -3333,6 +3338,7 @@ class ProcessAlternativeServicesTest : public TestWithTaskEnvironment {
     session_context_.ct_policy_enforcer = &ct_policy_enforcer_;
     session_context_.ssl_config_service = &ssl_config_service_;
     session_context_.http_server_properties = &http_server_properties_;
+    session_context_.quic_context = &quic_context_;
   }
 
  protected:
@@ -3340,6 +3346,7 @@ class ProcessAlternativeServicesTest : public TestWithTaskEnvironment {
   HttpNetworkSession::Context session_context_;
   std::unique_ptr<HttpNetworkSession> session_;
   HttpServerProperties http_server_properties_;
+  QuicContext quic_context_;
 
  private:
   std::unique_ptr<ProxyResolutionService> proxy_resolution_service_ =
@@ -3404,7 +3411,7 @@ TEST_F(ProcessAlternativeServicesTest, ProcessAltSvcClear) {
 }
 
 TEST_F(ProcessAlternativeServicesTest, ProcessAltSvcQuic) {
-  session_params_.quic_params.supported_versions = quic::AllSupportedVersions();
+  quic_context_.params()->supported_versions = quic::AllSupportedVersions();
   session_ =
       std::make_unique<HttpNetworkSession>(session_params_, session_context_);
   url::SchemeHostPort origin(url::kHttpsScheme, "example.com", 443);
@@ -3435,7 +3442,7 @@ TEST_F(ProcessAlternativeServicesTest, ProcessAltSvcQuic) {
 }
 
 TEST_F(ProcessAlternativeServicesTest, ProcessAltSvcQuicIetf) {
-  session_params_.quic_params.supported_versions = quic::AllSupportedVersions();
+  quic_context_.params()->supported_versions = quic::AllSupportedVersions();
   session_ =
       std::make_unique<HttpNetworkSession>(session_params_, session_context_);
   url::SchemeHostPort origin(url::kHttpsScheme, "example.com", 443);
@@ -3461,9 +3468,7 @@ TEST_F(ProcessAlternativeServicesTest, ProcessAltSvcQuicIetf) {
       {quic::PROTOCOL_QUIC_CRYPTO, quic::QUIC_VERSION_50},
       {quic::PROTOCOL_QUIC_CRYPTO, quic::QUIC_VERSION_49},
       {quic::PROTOCOL_QUIC_CRYPTO, quic::QUIC_VERSION_48},
-      {quic::PROTOCOL_QUIC_CRYPTO, quic::QUIC_VERSION_47},
       {quic::PROTOCOL_QUIC_CRYPTO, quic::QUIC_VERSION_43},
-      {quic::PROTOCOL_QUIC_CRYPTO, quic::QUIC_VERSION_39},
   };
   AlternativeServiceInfoVector alternatives =
       http_server_properties_.GetAlternativeServiceInfos(origin,
@@ -3479,7 +3484,7 @@ TEST_F(ProcessAlternativeServicesTest, ProcessAltSvcQuicIetf) {
 }
 
 TEST_F(ProcessAlternativeServicesTest, ProcessAltSvcHttp2) {
-  session_params_.quic_params.supported_versions = quic::AllSupportedVersions();
+  quic_context_.params()->supported_versions = quic::AllSupportedVersions();
   session_ =
       std::make_unique<HttpNetworkSession>(session_params_, session_context_);
   url::SchemeHostPort origin(url::kHttpsScheme, "example.com", 443);
diff --git a/chromium/net/http/http_stream_parser_fuzzer.cc b/chromium/net/http/http_stream_parser_fuzzer.cc
index bb5543a399d..03c2727546f 100644
--- a/chromium/net/http/http_stream_parser_fuzzer.cc
+++ b/chromium/net/http/http_stream_parser_fuzzer.cc
@@ -33,7 +33,7 @@
 // |data| is used to create a FuzzedSocket.
 extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
   net::TestCompletionCallback callback;
-  net::BoundTestNetLog bound_test_net_log;
+  net::RecordingBoundTestNetLog bound_test_net_log;
   FuzzedDataProvider data_provider(data, size);
   net::FuzzedSocket fuzzed_socket(&data_provider,
                                   bound_test_net_log.bound().net_log());
diff --git a/chromium/net/http/http_transaction_test_util.cc b/chromium/net/http/http_transaction_test_util.cc
index 5f75d668b8b..43bb1e6ee3c 100644
--- a/chromium/net/http/http_transaction_test_util.cc
+++ b/chromium/net/http/http_transaction_test_util.cc
@@ -20,6 +20,7 @@
 #include "net/base/load_flags.h"
 #include "net/base/load_timing_info.h"
 #include "net/base/net_errors.h"
+#include "net/base/network_isolation_key.h"
 #include "net/cert/x509_certificate.h"
 #include "net/disk_cache/disk_cache.h"
 #include "net/http/http_cache.h"
@@ -174,6 +175,12 @@ MockHttpRequest::MockHttpRequest(const MockTransaction& t) {
   method = t.method;
   extra_headers.AddHeadersFromString(t.request_headers);
   load_flags = t.load_flags;
+  url::Origin origin = url::Origin::Create(url);
+  network_isolation_key = NetworkIsolationKey(origin, origin);
+}
+
+std::string MockHttpRequest::CacheKey() {
+  return HttpCache::GenerateCacheKeyForTest(this);
 }
 
 //-----------------------------------------------------------------------------
diff --git a/chromium/net/http/http_transaction_test_util.h b/chromium/net/http/http_transaction_test_util.h
index 513d8715039..acb3274fa39 100644
--- a/chromium/net/http/http_transaction_test_util.h
+++ b/chromium/net/http/http_transaction_test_util.h
@@ -122,6 +122,7 @@ struct ScopedMockTransaction : MockTransaction {
 class MockHttpRequest : public HttpRequestInfo {
  public:
   explicit MockHttpRequest(const MockTransaction& t);
+  std::string CacheKey();
 };
 
 //-----------------------------------------------------------------------------
diff --git a/chromium/net/http/transport_security_state.cc b/chromium/net/http/transport_security_state.cc
index 460b958531f..586a48d2e2b 100644
--- a/chromium/net/http/transport_security_state.cc
+++ b/chromium/net/http/transport_security_state.cc
@@ -1230,15 +1230,13 @@ bool TransportSecurityState::GetDynamicSTSState(const std::string& host,
     // If this is the most specific STS match, add it to the result. Note: a STS
     // entry at a more specific domain overrides a less specific domain whether
     // or not |include_subdomains| is set.
-    if (current_time <= j->second.expiry) {
-      if (i == 0 || j->second.include_subdomains) {
-        *result = j->second;
-        result->domain = DNSDomainToString(host_sub_chunk);
-        return true;
-      }
-
-      break;
+    if (i == 0 || j->second.include_subdomains) {
+      *result = j->second;
+      result->domain = DNSDomainToString(host_sub_chunk);
+      return true;
     }
+
+    break;
   }
 
   return false;
@@ -1271,15 +1269,13 @@ bool TransportSecurityState::GetDynamicPKPState(const std::string& host,
     // If this is the most specific PKP match, add it to the result. Note: a PKP
     // entry at a more specific domain overrides a less specific domain whether
     // or not |include_subdomains| is set.
-    if (current_time <= j->second.expiry) {
-      if (i == 0 || j->second.include_subdomains) {
-        *result = j->second;
-        result->domain = DNSDomainToString(host_sub_chunk);
-        return true;
-      }
-
-      break;
+    if (i == 0 || j->second.include_subdomains) {
+      *result = j->second;
+      result->domain = DNSDomainToString(host_sub_chunk);
+      return true;
     }
+
+    break;
   }
 
   return false;
diff --git a/chromium/net/http/transport_security_state_static.json b/chromium/net/http/transport_security_state_static.json
index 32b3f7fa533..9dbfb8b54d8 100644
--- a/chromium/net/http/transport_security_state_static.json
+++ b/chromium/net/http/transport_security_state_static.json
@@ -778,7 +778,6 @@
     { "name": "www.entropia.de", "policy": "custom", "mode": "force-https" },
     { "name": "logentries.com", "policy": "custom", "mode": "force-https" },
     { "name": "www.logentries.com", "policy": "custom", "mode": "force-https" },
-    { "name": "squareup.com", "policy": "custom", "mode": "force-https" },
     { "name": "dropcam.com", "policy": "custom", "mode": "force-https" },
     { "name": "www.dropcam.com", "policy": "custom", "mode": "force-https" },
     { "name": "epoxate.com", "policy": "custom", "mode": "force-https" },
@@ -1689,7 +1688,6 @@
     { "name": "mirindadomo.ru", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "myvirtualserver.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "neftaly.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "nu3.at", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "nu3.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "nu3.co.uk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "nu3.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -2464,7 +2462,6 @@
     { "name": "csacongress.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "czakey.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "czk.mk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "dpsg-roden.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ducohosting.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "eatsleeprepeat.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ethercalc.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -3338,7 +3335,6 @@
     { "name": "campus-finance.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "cao.la", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "cashlink.io", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "ckleemann.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "cloud-project.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "cloudwalk.io", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "coore.jp", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -3486,7 +3482,6 @@
     { "name": "elmermx.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "extreemhost.nl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "fabianasantiago.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "gamers-life.fr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "globalinstitutefortraining.org.au", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "graingert.co.uk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "greenvines.com.tw", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -3682,7 +3677,6 @@
     { "name": "greenpeace-magazin.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "guineapigmustach.es", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "htaccessbook.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "isitup.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "kaloix.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "kiano.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "krypsys.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -3860,7 +3854,6 @@
     { "name": "publicsuffix.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "punchr-kamikazee.rhcloud.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "reddiseals.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "repaxan.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "robtex.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "roomhub.jp", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "rsajeey.info", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -3900,7 +3893,6 @@
     { "name": "witae.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "withinsecurity.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "wordsmart.it", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "workwithgo.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "yoloboatrentals.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "yoloseo.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "andreas-kluge.eu", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -3976,7 +3968,6 @@
     { "name": "getbutterfly.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "glws.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "gmw-ingenieurbuero.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "granular.ag", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "gsm-map.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "gyboche.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "harristony.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -4051,7 +4042,6 @@
     { "name": "sdrobs.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "securedevelop.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "shopbakersnook.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "signing-milter.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "simonkjellberg.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "simphony.cz", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "snapappts.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -4103,7 +4093,6 @@
     { "name": "conversiones.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "converter.ml", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "couragewhispers.ca", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "dale-electric.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "danpiel.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "darioturchetti.me", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "datasharesystem.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -4415,7 +4404,6 @@
     { "name": "linuxbierwanderung.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "lmintlcx.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "locomore.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "logfile.at", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "lusis.fr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "lusis.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "macgeneral.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -4558,7 +4546,6 @@
     { "name": "vissanum.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "vsund.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "walkeryoung.ca", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "wallpapers.pub", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "wangqiliang.cn", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "wangqiliang.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "wartorngalaxy.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -4698,7 +4685,6 @@
     { "name": "minecraftforums.cf", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "minecraftforums.gq", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "minecraftforums.ml", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "misterl.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "mittelunsachlich.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "multigeist.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "narfation.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -4952,7 +4938,6 @@
     { "name": "lewisjuggins.co.uk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "limalama.eu", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "listafirmelor.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "lothai.re", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ltn-tom-morel.fr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "luehne.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "lunakit.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -5444,7 +5429,6 @@
     { "name": "gravitation.pro", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "grsecurity.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "hashiconf.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "hashicorp.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "healthiercompany.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "heyguevara.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "hostgarou.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -5538,7 +5522,6 @@
     { "name": "annuaire-photographe.fr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "anonboards.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "anthenor.co.uk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "antimine.kr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "anyprime.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "aopedeure.nl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "aperturesciencelabs.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -5971,7 +5954,6 @@
     { "name": "jupp0r.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "kalami.nl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "kantankye.nl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "kaputt.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "karguine.in", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "katericke.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "kausch.at", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -6072,7 +6054,6 @@
     { "name": "mereckas.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "merson.me", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "metapeen.nl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "metin2blog.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "michaelfitzpatrickruth.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "michasfahrschule.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "miconware.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -6153,7 +6134,6 @@
     { "name": "onthebriteside.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ookjesprookje.nl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "openpriv.pw", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "opentrash.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "openverse.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "orbitcom.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "oricejoc.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -6362,7 +6342,6 @@
     { "name": "the-earth-yui.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "thehonorguard.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "theinvisibletrailer.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "themerchandiser.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "theodorejones.info", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "thescientists.nl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "thesled.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -6414,7 +6393,6 @@
     { "name": "vetinte.eu", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "vincentkooijman.at", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "vincentkooijman.nl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "vleij.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "vleij.se", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "voidi.ca", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "vop.li", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -6504,7 +6482,6 @@
     { "name": "andisadhdspot.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "andrewmichaud.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "andrewvoce.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "andrewx.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "androoz.se", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "andyuk.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "anglictinatabor.cz", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -6751,7 +6728,6 @@
     { "name": "jettlarue.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "jie.dance", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "joerss.at", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "joostbovee.nl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "joostrijneveld.nl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "joworld.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "jr5devdoug.xyz", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -7056,7 +7032,6 @@
     { "name": "val-sec.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "valethound.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "valshamar.is", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "vanderkley.it", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "vanestack.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "vattulainen.fi", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "vdcomp.cz", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -7619,7 +7594,6 @@
     { "name": "ilrg.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "immigrationdirect.com.au", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "imusic.dk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "indusfastremit.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "iprice.co.id", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "iprice.hk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "iprice.my", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -8028,7 +8002,6 @@
     { "name": "papeda.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "pauspam.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "petplus.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "pj83.duckdns.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "plaettliaktion.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ploup.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "portalzine.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -8459,7 +8432,6 @@
     { "name": "chaos-inc.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "charityclear.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "charmyadesara.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "charnleyhouse.co.uk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "chartpen.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "chateau-belvoir.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "chatme.im", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -8610,7 +8582,6 @@
     { "name": "demotops.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "denimio.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "dentallaborgeraeteservice.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "dentystabirmingham.co.uk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "derchris.me", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "desiccantpackets.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "designgears.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -8783,7 +8754,6 @@
     { "name": "factys.do", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "factys.es", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "fadilus.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "fail4free.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "faircom.co.za", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "fairlyoddtreasures.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "fakturi.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -8976,7 +8946,6 @@
     { "name": "gurkan.in", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "guts.me", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "gypsycatdreams.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "gypthecat.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "gz-benz.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "gz-bmw.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "haarkliniek.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -9010,7 +8979,6 @@
     { "name": "hellersgas.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "hellotandem.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "helloworldhost.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "hellscanyonraft.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "hennadesigns.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "hentschke-bau.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "hentschke-invest.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -9573,7 +9541,6 @@
     { "name": "octanio.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "octocat.ninja", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "oddtime.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "ohiohealthfortune100.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ohsocool.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "oishioffice.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "okutama.in.th", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -10019,7 +9986,6 @@
     { "name": "speculor.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "speedyprep.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "speidel.com.tr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "spherenix.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "spicydog.tk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "spirit-dev.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "spitefultowel.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -10253,7 +10219,6 @@
     { "name": "ukchemicalresearch.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ukdropshipment.co.uk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ukdropshipment.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "ultieme.be", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "umie.cc", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "umisonoda.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "under30stravelinsurance.com.au", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -10277,7 +10242,6 @@
     { "name": "usbirthcertificate.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "usercare.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "usleep.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "utopianhomespa.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "uttnetgroup.fr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "v2.pw", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "vakuutuskanava.fi", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -10935,7 +10899,6 @@
     { "name": "ivi.es", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "jan-cermak.cz", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "jimgao.tk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "joedavison.me", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "joshuarogers.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "jetsetpay.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "jointoweb.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -11117,7 +11080,6 @@
     { "name": "netnodes.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "nerdtime.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "netsoins.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "netronix.be", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "newantiagingcreams.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "networx-online.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "neuhaus-city.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -11350,10 +11312,8 @@
     { "name": "spititout.it", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "sponsortobias.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "spyprofit.ru", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "sqshq.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "stamkassa.nl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "sslsurvey.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "sprutech.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ssmato.me", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "spotifyripper.tk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "stat.ink", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -11755,7 +11715,6 @@
     { "name": "et-buchholz.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "etaxi.tn", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "everybooks.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "evilsay.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "familie-zimmermann.at", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "fashionunited.cl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "fashionunited.com.ar", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -12139,7 +12098,6 @@
     { "name": "sistersurprise.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "sleep10.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "slimspots.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "slow.zone", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "slowb.ro", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "smdcn.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "smoothgesturesplus.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -12200,7 +12158,6 @@
     { "name": "toursandtransfers.it", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "tracetracker.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "trefpuntdemeent.nl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "tronatic-studio.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "tsaro.io", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "tubul.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "turtleduckstudios.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -12697,7 +12654,6 @@
     { "name": "edusantorini.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "edwardsnowden.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "edzilla.info", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "eewna.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "egge.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "eiyoushi-shigoto.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ekodevices.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -12735,7 +12691,6 @@
     { "name": "euren.se", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "european-agency.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "evanhandgraaf.nl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "evelyndayman.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "evlear.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ewex.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ewycena.pl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -12746,7 +12701,6 @@
     { "name": "extratorrents.tech", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "extreme-gaming.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "extreme-gaming.us", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "ezequiel-garzon.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "fabriziorocca.it", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "facilitrak.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "falconfrag.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -13226,14 +13180,12 @@
     { "name": "movie4kto.site", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "moylen.eu", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "mrdani.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "mrdayman.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "mrizzio.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "multiworldsoftware.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "museminder2.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "mustard.co.uk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "mutuals.cool", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "muusikoiden.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "mwba.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "myadself.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "myfrenchtattoo.fr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "mygpsite.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -13357,7 +13309,6 @@
     { "name": "phpprime.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "physicaltherapist.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "picotronic.biz", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "picotronic.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "pillowandpepper.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "pimhaarsma.nl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "pimhaarsmamedia.nl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -13668,7 +13619,6 @@
     { "name": "techcultivation.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "techcultivation.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "techmasters.io", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "technogroup.cz", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "techwords.io", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "telefonnummer.online", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "tendermaster.com.ua", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -13922,7 +13872,6 @@
     { "name": "adventureally.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "abnarnro.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "anfsanchezo.co", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "4096bit.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "achtzehn.eu", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "3sreporting.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "adnot.am", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -14118,7 +14067,6 @@
     { "name": "charlesbwise.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "christophersole.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "byrko.cz", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "biteoftech.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "budger.nl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "buffaloautomation.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "cheazey.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -14164,14 +14112,12 @@
     { "name": "codingrobots.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "chat-porc.eu", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "comdotgame.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "chhy.at", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "cloudapps.digital", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "chatnederland.eu", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "confucio.cl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "citizen-cam.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "collaction.hk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "cryptodash.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "coreinfrastructure.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "casioshop.eu", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "cookicons.co", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "classpoint.cz", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -14415,7 +14361,6 @@
     { "name": "foolwealth.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "elan-organics.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "freethetv.ie", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "florismoo.nl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "eyedarts.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "frasesparaface.com.br", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "exousiakaidunamis.xyz", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -14618,7 +14563,6 @@
     { "name": "insane-bullets.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ierna.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ishangirdhar.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "isteinbaby.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "isistomie.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "izevg.ru", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ixnext.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -14956,7 +14900,6 @@
     { "name": "moulinaparoles.ca", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "nassi.me", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "n-soft.info", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "nikcub.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "nettia.fi", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "nivi.ca", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "nerdpol.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -15096,7 +15039,6 @@
     { "name": "pompefunebrilariviera.it", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "punitsheth.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "pet-hotel-mura.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "quinnlabs.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "privea.fr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "polaire.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "phra.gs", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -15251,7 +15193,6 @@
     { "name": "sicken.eu", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "sharevari.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "serviettenhaus.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "sickfile.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "seitenwaelzer.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "schlossereieder.at", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "safer-networking.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -15271,7 +15212,6 @@
     { "name": "secure.co.hu", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "scottainslie.me.uk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "smalldogbreeds.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "shinyuu.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "severntrentinsuranceportal.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "smalltalkconsulting.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "sgtcodfish.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -15628,7 +15568,6 @@
     { "name": "wsgvet.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "zomiac.pp.ua", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "vietnamese.dating", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "wyzphoto.nl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "zary.me", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "zund-app.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ximens.me", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -15735,7 +15674,6 @@
     { "name": "benhavenarchives.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "baum.ga", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "bausep.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "balicekzdravi.cz", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "bitconcepts.co.uk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "andrewin.ru", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "bestseries.tv", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -15747,7 +15685,6 @@
     { "name": "assindia.nl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "btrb.ml", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "antonchen.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "andrea-wirthensohn.at", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "7x24servis.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "bobobox.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "amsterdamian.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -16116,7 +16053,6 @@
     { "name": "get-on.bid", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "harrysmallbones.co.uk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "hackerspace-ntnu.no", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "gonkar.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "guentherhouse.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "gpcsolutions.fr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "herebedragons.io", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -16494,7 +16430,6 @@
     { "name": "oliverfaircliff.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "oeko-jahr-jubilaeum.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "people-mozilla.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "paulbakaus.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "nou.si", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "odifi.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "nemunai.re", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -17525,7 +17460,6 @@
     { "name": "buildingclouds.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "dynamictostatic.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "dopfer-fenstertechnik.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "egoroof.ru", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "e-rickroll-r.pw", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ebraph.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "dragfiles.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -17559,7 +17493,6 @@
     { "name": "ecc-kaufbeuren.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ecotruck-pooling.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "buildingclouds.es", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "drogueriaelbarco.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "eqim.me", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "electricoperaduo.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "devpsy.info", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -17918,7 +17851,6 @@
     { "name": "inme.ga", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "interhosts.co.za", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "interessiert-uns.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "itsgoingdown.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ikzoekeengoedkopeauto.nl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ikarate.ru", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ipfs.ink", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -18487,7 +18419,6 @@
     { "name": "patikabiztositas.hu", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "pehapkari.cz", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "patriaco.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "peg.nu", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ourai.ws", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "parabhairavayoga.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "paulrotter.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -18733,7 +18664,6 @@
     { "name": "sikevux.se", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "sh-heppelmann.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "sifreuret.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "snowplane.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "seogeek.nl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "sijmenschoon.nl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "sokietech.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -18896,7 +18826,6 @@
     { "name": "tloxygen.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "thriveta.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "tosainu.com.br", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "throughtheglass.photo", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "tokoyo.biz", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ti-planet.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "thomas-gibertie.fr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -19548,7 +19477,6 @@
     { "name": "business-garden.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "buricloud.fr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "cadooz.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "bragasoft.com.br", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "cdmhp.org.nz", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "bsktweetup.info", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "canalsidehouse.be", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -19950,7 +19878,6 @@
     { "name": "egweb.tv", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "faber.io", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "fernandobarata.pt", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "evilnerd.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "f43.me", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "fcsic.gov", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "fairedeseconomies.info", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -20127,7 +20054,6 @@
     { "name": "gypsyreel.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "haehnlein.at", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "grachtenpandverkopen.nl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "haynes-davis.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "gutscheingeiz.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "hayfordoleary.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "havefunbiking.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -20249,7 +20175,6 @@
     { "name": "harbourweb.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "imagine-programming.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "imefuniversitario.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "ideaman924.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "inschrijfformulier.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "incontrixsingle.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "imed.com.pt", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -20537,7 +20462,6 @@
     { "name": "load-ev.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "lyngvaer.no", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "koelbli.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "lotos-ag.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "leadbox.cz", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "magictable.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "lotw.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -20559,7 +20483,6 @@
     { "name": "maquinariaspesadas.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "manitasicily.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "marcelmarnitz.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "maces-net.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "masty.nl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "koriyoukai.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "luxinmo.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -21133,7 +21056,6 @@
     { "name": "saz.sh", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "sengokulife.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "rondreis-planner.nl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "schulderinsky.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "shardsoft.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "schatzibaers.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "secwall.me", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -22193,7 +22115,6 @@
     { "name": "kusdaryanto.web.id", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "l0re.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "lambauer.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "land-links.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "lanna.io", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "lasrecetasdeguada.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "lastrada-minden.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -22471,7 +22392,6 @@
     { "name": "secondbyte.nl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "section-31.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "secwise.nl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "seeworkdone.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "sellajoch.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "semjonov.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "sendai-sisters.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -22582,7 +22502,6 @@
     { "name": "timoxbrow.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "tinkerboard.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "tittarpuls.se", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "tlys.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "tmhlive.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "tmi.news", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "tobiassachs.tk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -22903,7 +22822,6 @@
     { "name": "alexpotter.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "alibangash.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "alicetone.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "aliwebstore.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "aljammaz.holdings", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "aljmz.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "allamericanmuslim.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -22954,7 +22872,6 @@
     { "name": "angry.im", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "angrydragonproductions.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "animacurse.moe", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "animaemundi.be", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "animal-liberation.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "animal-nature-human.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "anime1.me", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -23163,11 +23080,9 @@
     { "name": "bltc.co.uk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "bltc.org.uk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "bluecon.eu", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "bluecon.ninja", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "bluefrag.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "blues-and-pictures.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "bluteklab.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "blutopia.xyz", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "bnty.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "bobep.ru", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "boboates.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -23294,7 +23209,6 @@
     { "name": "cdn6.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ce-pimkie.fr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "cebz.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "cecilwalker.com.au", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ceebee.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "cefak.org.br", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "centerpoint.ovh", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -23306,7 +23220,6 @@
     { "name": "chalker.io", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "champ.dog", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "champions.co", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "championweb.com.au", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "chandr1000.ga", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "changesfor.life", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "chanoyu-gakkai.jp", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -23501,7 +23414,6 @@
     { "name": "cyber-computer.club", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "cyber.cafe", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "cybercecurity.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "cyberlab.team", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "cyberwars.dk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "cyoda.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "cyph.healthcare", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -23603,7 +23515,6 @@
     { "name": "discoverrsv.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "dissidence.ovh", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ditch.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "ditelbat.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "diti.me", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "diveidc.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "divinegames.studio", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -24034,7 +23945,6 @@
     { "name": "gpws.ovh", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "graeber.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "grandcapital.cn", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "grantmorrison.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "grapeintentions.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "greditsoft.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "greenesting.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -24538,7 +24448,6 @@
     { "name": "leebiblestudycentre.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "leebiblestudycentre.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "leebiblestudycentre.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "leetgamers.asia", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "leflibustier.ru", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "legit.nz", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "legymnase.eu", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -24690,7 +24599,6 @@
     { "name": "markusabraham.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "markusueberallconsulting.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "marl.fr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "marlonschultz.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "marqperso.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "marquepersonnelle.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "marrai.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -24870,7 +24778,6 @@
     { "name": "mtb.wtf", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "mtd.ovh", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "mtdn.jp", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "muellapp.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "muga.space", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "mulaccosmetics.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "mulaisehat.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -24911,7 +24818,6 @@
     { "name": "myrsa.in", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "mysocialporn.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "mywebinar.io", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "n2servers.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "n3twork.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "nacyklo.cz", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "naggie.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -24969,7 +24875,6 @@
     { "name": "nissanofbismarckparts.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "nitropanel.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "nitrous-networks.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "niu.moe", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "niva.synology.me", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "nmadda.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "nmnd.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -25231,7 +25136,6 @@
     { "name": "postdarwinian.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "postdarwinism.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "potatiz.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "pouet.it", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "pouets.ovh", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "pourmesloisirs.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "power-flowengineer.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -25661,7 +25565,6 @@
     { "name": "slash64.co.uk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "slash64.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "slash64.uk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "slashbits.no", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "sleepmap.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "sloths.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "slovenskycestovatel.sk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -25858,7 +25761,6 @@
     { "name": "thegreenvpn.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "theinternationalgeekconspiracy.eu", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "themadmechanic.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "themimitoof.fr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "themusicinnoise.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "theofleck.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "theokonst.tk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -25911,7 +25813,6 @@
     { "name": "tobiemilford.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "tobisworld.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "todon.fr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "toeglhofer.at", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "tojeto.eu", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "tokainafb.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "tokainakurasi.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -26069,7 +25970,6 @@
     { "name": "vfn-nrw.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "vhummel.nl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "videorullen.se", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "videoueberwachung-set.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "vider.ga", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "viekelis.lt", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "vierpluseins.wtf", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -26177,7 +26077,6 @@
     { "name": "winds.cf", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "windycitydubfest.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "winnersports.co", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "wiredcut.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "wireframesoftware.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "wiseflat.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "wkennington.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -26404,7 +26303,6 @@
     { "name": "africantourer.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "3778xl.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "8003pay.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "aestheticdr.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "9118.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "adzuna.at", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "1116pay.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -26433,7 +26331,6 @@
     { "name": "adamas-magicus.ru", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "8azino777.ru", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "adentalsolution.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "alaxyjewellers.co.za", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "agreor.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "afavre.io", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "allscammers.exposed", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -26538,7 +26435,6 @@
     { "name": "armyofbane.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "apm.com.tw", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "amelandadventure.nl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "assetvault.co.za", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "aquitroc.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "alphie.me", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "anthonyaires.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -27116,7 +27012,6 @@
     { "name": "domyreview.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "dotneko.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "domyspeech.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "diamsmedia.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "disc.uz", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "domyresearchpaper.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "dominikanskarepubliken.guide", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -27272,7 +27167,6 @@
     { "name": "eltern-verein.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "dynts.pro", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "etaoinwu.win", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "enemiesoflight.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "epic-vistas.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ersa-shop.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "epic-vistas.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -27292,7 +27186,6 @@
     { "name": "etienne.cc", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "epossystems.co.uk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ethiobaba.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "ethicsburg.gov", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "evertonarentwe.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "evrica.me", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "expowerhps.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -27321,7 +27214,6 @@
     { "name": "fashionunited.pl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "evidencebased.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ezwritingservice.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "faithmissionaries.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "efag.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "exceed.global", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "fantasticcleaners.com.au", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -27781,13 +27673,11 @@
     { "name": "j-eck.nl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "internetinhetbuitengebied.nl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "jabergrutschi.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "horizonshypnosis.ca", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "it-labor.info", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "insolent.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "jaberg-rutschi.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "innwan.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "iteha.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "its-future.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "jhaveri.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ixh.me", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "jdsf.tk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -27875,7 +27765,6 @@
     { "name": "kazy111.info", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "jstelecom.com.br", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "kevinmorssink.nl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "kedibizworx.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "kenalsworld.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "kaka.farm", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "kelmarsafety.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -27923,7 +27812,6 @@
     { "name": "kode-it.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "kitashop.com.br", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "kiteadventure.nl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "krugermillions.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "kangkai.me", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "kuruppa.xyz", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "kolizaskrap.bg", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -27932,7 +27820,6 @@
     { "name": "labrasaq8.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "koalapress.fr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ksukelife.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "ktsee.eu.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "kirrie.pe.kr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "laflash.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "koningskwartiertje.nl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -28069,7 +27956,6 @@
     { "name": "littledisney.ro", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "lotuscloud.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "lensdoctor.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "lukaszorn.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "lachainedesentrepreneurs.fr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "luffyhair.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "littleqiu.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -28224,7 +28110,6 @@
     { "name": "luxescreenprotector.nl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "mkfs.be", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "molunerfinn.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "milktea.info", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "mohanmekap.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "miguel.pw", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "mobil-bei-uns.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -28244,23 +28129,19 @@
     { "name": "mireillewendling.com.br", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "moojp.co.jp", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "momstableonline.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "miguelmartinez.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "monteurzimmerfrei.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "moneytoday.se", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "moonrhythm.info", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "mojoco.co.za", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "moppeleinhorn.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "mojefilmy.xyz", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "mrca-sharp.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "mosaique-lachenaie.fr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "migueldominguez.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "modcasts.video", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "multipleservers.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "moritztremmel.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "motionless.nl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "mizipack.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "mindbodytherapymn.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "mrbmafrica.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "mstd.tokyo", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "mindercasso.nl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "mrstat.co.uk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -28272,7 +28153,6 @@
     { "name": "mortis.eu", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "mountain-rock.ru", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "moviedeposit.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "mountfarmer.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "mulej.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "minamo.io", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "mundodapoesia.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -28438,7 +28318,6 @@
     { "name": "op11.co.uk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "oktomus.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "omronwellness.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "onshuistrust.co.za", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "oneiros.cc", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "novelvyretraite.fr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "nrdstd.io", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -28579,12 +28458,10 @@
     { "name": "plot.ly", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "peekops.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "pilotcrowd.nl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "plaasprodukte.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "plant.ml", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "piraten-basel.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "playmaza.live", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "persoform.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "pmbc.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "pirata.ga", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "phuong.faith", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "paxdei.com.br", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -28764,7 +28641,6 @@
     { "name": "returnofwar.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "retro.rocks", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "rmit.me", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "righteousendeavour.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "reco-studio.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "redizoo.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "riverford.co.uk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -28799,7 +28675,6 @@
     { "name": "rester-autonome-chez-soi.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "renlen.nl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "rofrank.space", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "rockhounds.co.za", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "runebet.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "rustbyexample.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ristorantefattoamano.it", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -28936,11 +28811,9 @@
     { "name": "sec-wiki.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "sevenet.pl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "securitybrief.eu", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "shopsouthafrican.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "sfhobbies.com.br", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "securityarena.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "santorinibbs.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "sharezen.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "sha2017.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "shaharyaranjum.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "seo-portal.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -29201,7 +29074,6 @@
     { "name": "telecharger-winrar.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "the-zenti.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "thebrightons.uk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "theebookkeepers.co.za", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "thajskyraj.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "thefbstalker.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "tf2calculator.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -29221,7 +29093,6 @@
     { "name": "thetenscrolls.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "thecrazytravel.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "theory-test-online.co.uk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "thanhthinhbui.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "thesecurityteam.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "thepartner.co.uk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "thecuppacakery.co.uk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -29463,7 +29334,6 @@
     { "name": "wadsworth.gallery", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "vlsm.se", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "webfox.com.br", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "wearesouthafricans.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "viabemestar.com.br", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "waaw.tv", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "websharks.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -29487,16 +29357,13 @@
     { "name": "utilitarian.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "wesayyesprogram.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "whilsttraveling.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "wasielewski.com.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "werhatunsverraten.eu", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "wertheimer-burgrock.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "westmead.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "wilseyrealty.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "wasi-net.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "westcarrollton.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "webnetmail4u.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "wibbe.link", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "werwolf-live.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "web2ldap.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "wellbeing360.com.au", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "wildboaratvparts.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -29507,7 +29374,6 @@
     { "name": "webliberty.ru", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "westendwifi.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "whoturgled.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "worldlist.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "wooplagaming.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "worldessays.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "winfield.me.uk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -29529,7 +29395,6 @@
     { "name": "willkommen-fuerstenberg.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "worldofvnc.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "winsome.world", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "wozalapha.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "writemyessays.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "wromeapp.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "writemyessay.info", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -29795,7 +29660,6 @@
     { "name": "aiphyron.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "aifreeze.ru", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "addiko.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "alienation.biz", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "aesthetics-blog.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ampleinfographics.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "afzco.asia", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -29866,7 +29730,6 @@
     { "name": "apaginastore.com.br", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "anglictina-sojcak.cz", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "arthermitage.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "attendantdesign.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "asthon.cn", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "autostodulky.cz", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "bageez.us", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -29889,10 +29752,8 @@
     { "name": "atorcidabrasileira.com.br", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "angelinahair.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "berduri.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "bevnut.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "belpbleibtbelp.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "beetgroup.id", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "beingmad.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "anwaltsindex.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "belfasttechservices.co.uk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "bernhardluginbuehl.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -29934,7 +29795,6 @@
     { "name": "bijouxbrasil.com.br", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "blockified.io", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "bl4ckb0x.biz", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "bodybuildingworld.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "bit-cloud.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "bernardfischer.fr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "bomb.codes", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -30054,7 +29914,6 @@
     { "name": "coda.world", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "coda.today", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "chuck.ovh", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "cloudlight.biz", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "coffeetocode.me", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "cinerama.com.br", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "cirurgicagervasio.com.br", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -30181,7 +30040,6 @@
     { "name": "do13.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "dojifish.space", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "diveplan.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "diluv.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "dichgans-besserer.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "dns8.online", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "diva.nl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -30258,7 +30116,6 @@
     { "name": "educaid.be", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "engvid.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "eatz.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "eftcorp.biz", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ekd.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "edusanjal.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "einmonolog.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -30388,14 +30245,12 @@
     { "name": "fm-cdn.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ford-shop.by", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "forexee.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "folkfests.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ferreteriaxerez.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "finnclass.cz", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ftng.se", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "fullhub.ru", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "fyodorpi.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "frickelmeister.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "frettboard.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "gaycc.cc", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "frogsonamission.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "gc.gy", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -30419,7 +30274,6 @@
     { "name": "gbc-radio.nl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "geyduschek.be", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "girlsgenerationgoods.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "fortricks.in", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "genfaerd.dk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "fullautomotivo.com.br", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "gochu.se", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -30437,7 +30291,6 @@
     { "name": "gamebrott.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "givesunlight.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "gtopala.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "globeinform.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "giveme.online", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "greensquare.tk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "graumeier.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -30521,7 +30374,6 @@
     { "name": "geri.be", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "homegardenresort.nl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ibpsrecruitment.co.in", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "icasnetwork.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "imoner.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "illuxat.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "hostarea51.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -31250,7 +31102,6 @@
     { "name": "saintjohnlutheran.church", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "reidasbombas.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "sa-mp.ro", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "safe.space", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "saveora.shop", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "saludsexualmasculina.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "scholarly.com.ph", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -31358,7 +31209,6 @@
     { "name": "skysuite.nl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "showdepiscinas.com.br", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "smartshoppers.es", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "slingo-sta.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "socal-babes.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "sneed.company", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "spearfishingmx.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -31592,17 +31442,14 @@
     { "name": "u4mh-dev-accesscontroller.azurewebsites.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "uwfreelanceopticien.nl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "visaya.com.co", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "tioat.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "star-stuff.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "umbricht.li", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "uptownlocators.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "upundit.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "vanohaker.ru", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "trouweninoverijssel.nl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "vinzite.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ur2.pw", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "vidkovaomara.si", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "viddiaz.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "vigour.us", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "visudira.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "valentinesongs.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -31825,7 +31672,6 @@
     { "name": "eminhuseynov.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "hj.rs", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "casadowifi.com.br", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "doenjoylife.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "barprive.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "injust.cf", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "chrisself.xyz", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -31873,7 +31719,6 @@
     { "name": "geeklan.co.uk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "liberapay.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "meetmygoods.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "hup.hu", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "8522cn.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "lifecism.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "learninglaw.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -31897,7 +31742,6 @@
     { "name": "redivis.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "phpartners.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "jailbreakingisnotacrime.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "hostingsolutions.cz", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "novelabs.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "mkhsoft.eu", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "really.ai", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -31935,7 +31779,6 @@
     { "name": "seattleprivacy.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "tokobungadijambi.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "okeeferanch.ca", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "sundaycooks.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "uptodateinteriors.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "vescudero.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "steampress.io", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -32061,7 +31904,6 @@
     { "name": "civilg20.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "clinicaferrusbratos.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "club-reduc.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "coderme.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "comflores.com.br", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "comodesinflamarlashemorroides.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "comorecuperaratumujerpdf.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -32186,7 +32028,6 @@
     { "name": "mundoarabe.com.br", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "mundokinderland.com.br", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "mwainc.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "myamend.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "mygeneral.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "mylatestnews.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "mytruecare.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -32397,7 +32238,6 @@
     { "name": "bkhpilates.co.uk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "bluemeda.web.id", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "bobstronomie.fr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "bodymusclejournal.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "bonamihome.ro", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "bonesserver.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "booox.biz", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -32699,7 +32539,6 @@
     { "name": "padzilla.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "pagedesignhub.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "pagedesignpro.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "pagedesignshop.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "passionatehorsemanship.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "pastorsuico.com.br", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "paul-bronski.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -33034,7 +32873,6 @@
     { "name": "searchbrothers.dk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "searchbrothers.es", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "seo-lagniappe.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "seproco.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "shushu.media", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "spacehighway.ms", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "spiritualregression.com.au", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -33114,7 +32952,6 @@
     { "name": "aijsk.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "air-craftglass.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "airtimefranchise.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "ais.fashion", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ajibot.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "alaboard.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "alexeykopytko.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -33148,7 +32985,6 @@
     { "name": "araxis.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "area3.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "arethsu.se", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "ariba.info", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "arizonaautomobileclub.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "arjunasdaughter.pub", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "armeni-jewellery.gr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -33167,7 +33003,6 @@
     { "name": "atmocdn.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "augrandinquisiteur.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "auroraassociationofrealtors.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "auslandsjahr-usa.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "austincardiac.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "austinheap.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "auszeit-lanzarote.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -33194,8 +33029,6 @@
     { "name": "barriofut.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "bartzutow.xyz", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "basedonline.nl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "basketball-brannenburg.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "bastolino.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "batiburrillo.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "batteryservice.ru", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "baychimo.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -33392,7 +33225,6 @@
     { "name": "data.govt.nz", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "davesinclair.com.au", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "day.vip", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "dbtsai.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "dealbanana.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "deanbank.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "debrusoft.ch", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -33473,7 +33305,6 @@
     { "name": "e2feed.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "e64.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "easycoding.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "edenvalerubbleremovals.co.za", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "edhesive.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "edstep.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ejusu.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -33616,7 +33447,6 @@
     { "name": "garage-door.pro", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "gautham.pro", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "gauthier.dk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "gazette.govt.nz", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "gbit.xyz", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "gdhzcgs.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "geekbaba.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -33684,12 +33514,10 @@
     { "name": "haze.productions", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "head.ru", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "health-plan-news.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "healtheals.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "heap.zone", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "hearmeraw.uk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "heartwoodart.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "hearty.tech", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "heilpraxis-bgl.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "hemnet.se", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "hendersonrealestatepros.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "henkbrink.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -34010,7 +33838,6 @@
     { "name": "molecularbiosystems.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "monpetitforfait.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "monpetitmobile.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "montopolis.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "moorparkelectrical.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "mortgagecalculator.biz", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "mostlyoverhead.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -34118,7 +33945,6 @@
     { "name": "opryshok.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "orcsnet.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "oribia.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "orthodontiste-geneve-docteur-rioux.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "orui.com.br", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "oskrba.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "outdoorimagingportal.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -34253,7 +34079,6 @@
     { "name": "reversesouthafrica.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "review.jp", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "rhese.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "rhiskiapril.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "rhnet.at", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "richardcrosby.co.uk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ricknox.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -34282,7 +34107,6 @@
     { "name": "ruskod.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "rwky.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "ryzhov.me", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "saclier.at", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "sacred-knights.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "saint-astier-triathlon.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "samanthahumphreysstudio.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -34420,7 +34244,6 @@
     { "name": "sw33tp34.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "swiftconf.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "switch.moe", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "switzerland-family-office.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "synecek11.cz", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "synthetik.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "tacotown.tk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -34470,7 +34293,6 @@
     { "name": "tntmobi.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "tobaccore.eu", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "tobaccore.sk", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "tobias-bauer.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "tobias-kluge.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "tobis-rundfluege.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "tobis-webservice.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -34495,7 +34317,6 @@
     { "name": "turigum.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "tutanota.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "twittelzie.nl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "tylerharcourt.ca", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "tylerharcourt.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "typist.tech", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "tyreis.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -34548,7 +34369,6 @@
     { "name": "vikodek.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "viralboombox.xyz", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "vitahook.pw", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "vizards.cc", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "vkennke.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "voids.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "voipkb.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -34583,7 +34403,6 @@
     { "name": "wellcom.co.il", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "wellnesscheck.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "welzijnkoggenland.nl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "werk-34.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "werkemotion.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "wesreportportal.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "weyland.tech", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -34632,8 +34451,6 @@
     { "name": "xoda.pw", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "xonn.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "yaru.one", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "yephy.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "yibaoweilong.top", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "yinga.ga", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "yorcool.nl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "youcanfuckoff.xyz", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -34750,7 +34567,6 @@
     { "name": "ardor.noip.me", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "artemis.re", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "artratio.net", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "assetict.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "australien-tipps.info", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "autobedrijfschalkoort.nl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "averageinspired.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -34800,7 +34616,6 @@
     { "name": "catchfotografie.nl", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "cdnk39.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "certificatetools.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "challengeblog.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "charliemcneive.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "chatbots.systems", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "cheapssl.com.tr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -34999,7 +34814,6 @@
     { "name": "jeffhuxley.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "jetflex.de", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "jimdorf.com", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
-    { "name": "jmcashngold.com.au", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "joaquimgoliveira.pt", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "jopl.org", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
     { "name": "jsmetallerie.fr", "policy": "bulk-18-weeks", "mode": "force-https", "include_subdomains": true },
@@ -35871,7 +35685,6 @@
     { "name": "event4fun.no", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "events-hire.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "evolutioninflatables.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "ewizmo.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "exclusivebouncycastles.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "exebouncycastles.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "extasic.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -35992,7 +35805,6 @@
     { "name": "henker.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "henleybouncycastles.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "here4funpartysolutions.ie", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "heritagebaptistchurch.com.ph", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "herohirehq.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "hertsbouncycastles.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "hiddenhillselectrical.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -36042,7 +35854,6 @@
     { "name": "inhouseents.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "inpas.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "insgesamt.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "integrityoklahoma.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "interimages.fr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "internaluse.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "investarholding.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -36349,9 +36160,7 @@
     { "name": "octothorpe.ninja", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "officefundays.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "ogrodywstudniach.pl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "ohhdeertrade.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "ohsohairy.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "okchousebuyer.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "oldbrookinflatables.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "oldbrookmarqueehire.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "oliode.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -36521,7 +36330,6 @@
     { "name": "sebi.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "secretnation.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "security-24-7.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "self.nu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "sellercritic.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "seo.london", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "sfdev.ovh", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -36754,7 +36562,6 @@
     { "name": "wheelwide.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "whizzzbang.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "wholelotofbounce.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "widenews.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "wikivisually.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "wirralbouncycastles.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "withoutacrystalball.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -36950,7 +36757,6 @@
     { "name": "blogexpert.ca", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "bloodyexcellent.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "bluesecure.com.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "blueyed.eu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "bodixite.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "boisewaldorf.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "bolovegna.it", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -37163,7 +36969,6 @@
     { "name": "indiaflowermall.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "indoorplantsexpert.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "inetserver.eu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "ingenium.si", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "innoteil.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "instaquiz.ru", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "interfloraservices.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -37248,7 +37053,6 @@
     { "name": "maiaimobiliare.ro", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "makeaboldmove.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "makino.games", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "maly.io", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "mamadoma.com.ua", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "mamiecouscous.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "manawill.jp", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -37383,7 +37187,6 @@
     { "name": "sckc.stream", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "seankilgarriff.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "secitem.eu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "securityinet.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "sedeusquiser.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "semaflex.it", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "serpenteq.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -37459,7 +37262,6 @@
     { "name": "thehomeicreate.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "thenrdhrd.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "thewallset.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "theyachtteam.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "thotpublicidad.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "thousandoakselectrical.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "tkanemoto.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -37492,7 +37294,6 @@
     { "name": "visor.ph", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "vitkutny.cz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "vjeff.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "vollans.id.au", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "vosgym.jp", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "vreeman.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "wacky.one", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -37967,7 +37768,6 @@
     { "name": "sauenytt.no", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "schwedenhaus.ag", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "scifi.fyi", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "scimage.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "scruffymen.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "semaphore-studios.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "sergefonville.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -38025,7 +37825,6 @@
     { "name": "transformations-magazin.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "trynta.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "tycjt.vip", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "tylerharcourt.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "tylerharcourt.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "u-master.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "ump45.moe", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -38154,7 +37953,6 @@
     { "name": "baobeiglass.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "baustils.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "bcradio.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "beautybear.dk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "bennygommers.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "bgr34.cz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "bilsho.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -38499,7 +38297,6 @@
     { "name": "rittau.biz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "rittau.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "ritzlux.com.tw", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "rixter.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "robotattack.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "rockthebabybump.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "rubenkruisselbrink.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -38619,7 +38416,6 @@
     { "name": "yurinet.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "z-coder.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "zenics.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "00190019.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "00330033.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "00660066.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "00880088.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -38685,8 +38481,6 @@
     { "name": "alljamin.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "allpropertyservices.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "allseasons-cleaning.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "allsync.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "allsync.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "alpinechaletrental.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "altaplana.be", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "alwaysonssl.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -38757,7 +38551,6 @@
     { "name": "ayon.group", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "b1236.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "b1758.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "b1768.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "b1rd.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "b5289.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "b5989.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -38772,7 +38565,6 @@
     { "name": "b95888.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "b9589.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "b9598.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "b9598.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "b9658.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "b96899.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "b9883.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -38811,7 +38603,6 @@
     { "name": "bcodeur.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "be9418.info", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "be9418.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "be9458.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "be9458.info", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "be9458.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "be9458.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -39155,7 +38946,6 @@
     { "name": "esb66666.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "esb688.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "esb68888.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "esb777.biz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "esb777.cc", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "esb777.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "esb777.me", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -39172,7 +38962,6 @@
     { "name": "esba11.us", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "esball.in", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "esball888.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "esbgood.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "etech-solution.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "etech-solution.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "etech-solutions.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -39232,7 +39021,6 @@
     { "name": "fliino.info", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "fliino.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "fliino.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "flipbell.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "flirtycourts.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "flmortgagebank.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "florenceapp.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -39258,7 +39046,6 @@
     { "name": "freelancecollab.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "freepnglogos.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "frejasdal.dk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "frugal-millennial.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "fs-community.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "futurehack.io", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "fwest98.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -39391,7 +39178,6 @@
     { "name": "ikkev.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "immaternity.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "imponet.com.ar", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "imprenta-es.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "inetsoftware.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "infinite.hosting", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "infruction.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -39448,7 +39234,6 @@
     { "name": "johanneskonrad.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "johego.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "jonespayne.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "jonincharacter.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "jonlu.ca", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "joonatoona.me", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "jose-alexand.re", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -39560,7 +39345,6 @@
     { "name": "linuxincluded.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "liquimoly.market", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "littlegreece.ae", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "liufengyu.cn", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "livelifewithintent.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "localdata.us", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "locomotive.net.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -39628,7 +39412,6 @@
     { "name": "menntagatt.is", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "metro-web.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "meujeitodigital.com.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "meyash.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "mfen.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "mfxer.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "miaonagemi.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -39876,7 +39659,6 @@
     { "name": "qruiser.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "quanwuji.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "quartix.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "quartzclinical.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "quilmo.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "quimsertek.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "qwdqwd.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -40394,7 +40176,6 @@
     { "name": "authenitech.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "auto-motor-i-sport.pl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "avernis.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "azgfd.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "aztraslochi.it", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "b2b-nestle.com.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "babursahvizeofisi.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -40616,7 +40397,6 @@
     { "name": "fifei.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "fireshellsecurity.team", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "flugstadplasticsurgery.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "fnncat.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "fomopop.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "foto-pro.by", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "fourashesgolfcentre.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -40718,13 +40498,11 @@
     { "name": "incoherent.ch", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "infobae.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "innohb.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "inscomers.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "intae.it", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "intpforum.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "ip-tanz.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "ipv6.jetzt", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "isakssons.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "issala.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "itaiferber.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "jak-na-les.cz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "jalogisch.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -40789,7 +40567,6 @@
     { "name": "ludek.biz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "lumitop.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "luxurynsight.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "lychankiet.name.vn", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "magnetpass.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "maioresemelhores.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "make-your-own-song.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -41128,7 +40905,6 @@
     { "name": "tourgest.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "traceheatinguk.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "traficmusik.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "travelphoto.cc", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "tringavillasyala.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "trybooking.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "tryti.me", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -41157,7 +40933,6 @@
     { "name": "vx.hn", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "wala-floor.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "walkingrehabilitation.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "wallinger-online.at", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "water-addict.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "watoo.tech", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "webharvest.gov", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -41342,7 +41117,6 @@
     { "name": "businessfactors.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "buytermpaper.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "byte128.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "bytelog.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "calatoruldigital.ro", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "calculateaspectratio.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "carspneu.cz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -41399,7 +41173,6 @@
     { "name": "dailyxenang.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "danielstiner.me", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "danifabi.eu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "dansk777.dk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "darknight.blog", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "daubecity.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "decompiled.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -41787,7 +41560,6 @@
     { "name": "pxio.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "pycrc.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "quantolytic.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "questionyu.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "quizl.io", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "racheldiensthuette.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "reachhead.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -41924,7 +41696,6 @@
     { "name": "tree0.xyz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "trialandsuccess.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "tsurai.work", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "ttc-birkenfeld.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "turunculevye.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "typcn.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "uberbkk.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -42104,7 +41875,6 @@
     { "name": "baraxolka.ru", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "bart-f.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "baseconvert.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "bauer.network", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "bck-koethen.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "beckon.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "beginatzero.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -42281,7 +42051,6 @@
     { "name": "fliio.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "fnbnokomis.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "followthedog.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "forodieta.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "foundchurch.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "frankinteriordesign.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "freitasul.com.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -42496,7 +42265,6 @@
     { "name": "ohne-name.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "olltechjob.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "online-health-insurance.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "oscillation-services.fr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "osielnava.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "ourworldindata.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "overrustle.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -43222,7 +42990,6 @@
     { "name": "ed4becky.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "eigenpul.se", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "eigenpulse.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "electicofficial.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "electricfencealberton.co.za", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "electricfencebenoni.co.za", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "electrician-umhlanga.co.za", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -43242,7 +43009,6 @@
     { "name": "expiscor.solutions", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "falegname-roma.it", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "falldennismarketing.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "fantastici.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "farrelf.blog", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "fassaden-selleng.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "fastcash.com.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -43259,7 +43025,6 @@
     { "name": "fuantaishenhaimuli.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "funds.ddns.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "gamereader.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "genoveve.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "gesundes-im-napf.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "getdeveloper.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "ghibli.studio", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -43408,7 +43173,6 @@
     { "name": "ruquay.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "salvaalocombia.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "schmelle.me", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "scholz-kallies.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "scpslgame.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "securitysense.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "see.wtf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -43485,7 +43249,6 @@
     { "name": "welovecatsandkittens.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "wentu.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "wesoco.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "wewitro.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "wgplatform.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "whatsupdeco.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "wingmin.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -43642,7 +43405,6 @@
     { "name": "bltdirect.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "bluecrazii.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "bluntandsnakes.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "boem.gov", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "bonibuty.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "bookingworldspeakers.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "breakpoint.at", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -43693,7 +43455,6 @@
     { "name": "cybersantri.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "cygnan.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "daikoz.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "dalepresencia.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "daniel-cholewa.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "dansage.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "dartcode.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -43747,7 +43508,6 @@
     { "name": "familie-poeppinghaus.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "farrel-f.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "farrel-f.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "fbo.gov", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "fdm.ro", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "fedbizopps.gov", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "fedshirevets.gov", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -43997,7 +43757,6 @@
     { "name": "peerigon.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "permeance108.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "pesto.video", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "petrpikora.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "pflanzenshop-emsland.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "ph3r3tz.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "pharmica.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -44164,7 +43923,6 @@
     { "name": "virtit.fr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "vivaldi.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "vivoseg.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "vnfs-team.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "vokalsystem.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "volatimer.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "vulndetect.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -44625,7 +44383,6 @@
     { "name": "mariapietropola.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "markdain.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "marketindex.com.au", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "marketing91.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "masdillah.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "mathsource.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "mathsweek.school.nz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -44688,7 +44445,6 @@
     { "name": "netflixlife.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "netrewrite.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "nevermore.fi", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "nextcasino.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "nf4.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "nibo.blog", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "nicsezcheckfbi.gov", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -44754,7 +44510,6 @@
     { "name": "po.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "politiezoneriho.be", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "ponere.dz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "pop3.jp", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "porpcr.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "posalji.me", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "principalship.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -45022,7 +44777,6 @@
     { "name": "casadasportasejanelas.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "catalystapp.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "certfa.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "cfdcre5.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "chapelaria.tf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "chaussenot.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "cjhzp.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -45044,7 +44798,6 @@
     { "name": "cyrating.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "dartetdemetiers.fr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "datumstudio.jp", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "ddays2008.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "derkuki.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "desveja.com.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "detroitrocs.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -45373,7 +45126,6 @@
     { "name": "jogwitz.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "joseaveleira.es", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "kaikei7.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "kay.la", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "kcmicapital.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "kforesund.se", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "kinderchor-bayreuth.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -45543,7 +45295,6 @@
     { "name": "aei.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "aereco.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "affping.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "agingstats.gov", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "aginion.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "agliamici.it", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "aide-admin.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -45602,7 +45353,6 @@
     { "name": "boote.wien", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "bravebaby.com.au", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "briefassistant.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "brouwerijkoelit.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "buileo.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "buradangonder.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "businessplanexperts.ca", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -45881,7 +45631,6 @@
     { "name": "kanetix.ca", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "kanzlei-oehler.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "karupp-did.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "kastorsky.ru", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "kellyssportsbarandgrill.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "kindlezs.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "kirkify.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -45907,7 +45656,6 @@
     { "name": "lcy.cat", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "lcybox.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "legalisepeacebloom.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "lenaneva.ru", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "letsdebug.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "leumi-how-to.co.il", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "lhakustik.se", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -45960,7 +45708,6 @@
     { "name": "mkkkrc.ru", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "mobila-chisinau.md", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "momento.co.id", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "monkieteel.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "montemanik.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "montessori.edu.vn", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "moot-info.co.za", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -46069,7 +45816,6 @@
     { "name": "quic.stream", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "qx.se", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "rahadiana.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "raptorsrapture.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "rawdutch.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "rcd.cz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "redgoose.ca", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -46215,8 +45961,6 @@
     { "name": "walltime.info", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "walpu.ski", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "walpuski.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "webdesignsandiego.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "webgreat.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "website-engineering.co.za", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "weiming.ddns.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "wer.sh", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -46973,7 +46717,6 @@
     { "name": "walent.in", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "walentin.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "wallabet.fr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "warp-radio.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "watfordjc.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "webfixers.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "webkef.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -46985,7 +46728,6 @@
     { "name": "wengebowuguan.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "werbezentrum-stiebler.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "west-contemporary.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "wewitro.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "whexit.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "whitewebhosting.co.za", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "whqtravel.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -47355,7 +47097,6 @@
     { "name": "gomelchat.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "goujianwen.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "gplans.us", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "gpscamera.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "graft.community", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "grexx.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "greymattertechs.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -47460,7 +47201,6 @@
     { "name": "kedv.es", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "keepingtheplot.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "kejibot.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "kellerlan.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "kersbergen.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "kessawear.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "kinautas.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -47791,7 +47531,6 @@
     { "name": "sucretown.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "sunyataherb.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "supertutorial.com.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "surveyhealthcare.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "suzukikazuki.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "swankism.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "swetrust.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -47994,7 +47733,6 @@
     { "name": "ashd1.goip.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "ashd2.goip.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "ashd3.goip.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "asia-global-risk.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "asianspa.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "askcaisse.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "astrovandalistas.cc", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -48710,7 +48448,6 @@
     { "name": "von-lien-dachrinnen.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "von-lien-lichtplatten.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "von-lien-profilbleche.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "vullriede-multimedia.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "waidfrau.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "waifu-technologies.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "waifu-technologies.moe", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -49029,7 +48766,6 @@
     { "name": "privelust.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "programistka.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "prosurveillancegear.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "prowebcenter.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "pru.com.hk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "pureholisticliving.me", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "putomani.rs", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -49065,7 +48801,6 @@
     { "name": "somersetscr.nhs.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "soundscrate.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "sparkresearch.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "sparkreviewcenter.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "spd-pulheim-mitte.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "speletrodomesticos.com.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "st-shakyo.jp", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -49899,7 +49634,6 @@
     { "name": "valleyautoloan.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "vastkustenrunt.se", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "vawltstorage.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "verymetal.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "veterinarioaltea.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "victory.radio", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "videokaufmann.at", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -49931,7 +49665,6 @@
     { "name": "warsonco.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "watchonline.al", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "waterslide-austria.at", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "webeditors.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "weedlandia.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "weforgood.org.tw", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "welshccf.org.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -50051,7 +49784,6 @@
     { "name": "chaoswars.ddns.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "clad.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "clangwarnings.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "classroomconductor.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "colorfuldots.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "consultimedia.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "cordep.biz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -50173,7 +49905,6 @@
     { "name": "mcgaccountancy.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "meeco.kr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "megasystem.cl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "menhera.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "mentesemprendedoras.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "meo.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "messenger.co.tz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -50230,7 +49961,6 @@
     { "name": "ronniegane.kiwi", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "rossmacphee.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "saastopankki.fi", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "sac-shop.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "sacrome.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "saleduck.co.id", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "saleduck.co.th", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -50530,7 +50260,6 @@
     { "name": "carhunters.cz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "carlot-j.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "carolina.cz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "carroceriascarluis.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "carseatchecks.ca", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "carsoug.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "casteloinformatica.com.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -50547,7 +50276,6 @@
     { "name": "chefwear.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "chenzhipeng.com.cn", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "chibr.eu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "chilimath.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "chipglobe.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "chips-scheduler.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "chmielarz.it", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -50613,7 +50341,6 @@
     { "name": "danielran.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "dansdiscounttools.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "dappworld.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "dashwebconsulting.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "dasteichwerk.at", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "davesharpe.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "davidforward.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -50754,7 +50481,6 @@
     { "name": "fracreazioni.it", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "frankbellamy.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "free.ac.cn", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "freedom.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "freedom35.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "freehao123.cn", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "frontierdiscount.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -50910,7 +50636,6 @@
     { "name": "jantinaboelens.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "jarrodcastaing.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "jarrodcastaing.com.au", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "jason.re", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "jcbgolfandcountryclub.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "jdjohnsonwaterproofing.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "jej.cz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -51139,7 +50864,6 @@
     { "name": "ouin.land", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "our-box.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "ourdocuments.gov", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "outsiders.paris", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "p1cn.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "pact2017.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "pagalworld.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -51198,7 +50922,6 @@
     { "name": "promo-brille.ch", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "promo-brille.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "propertyinside.id", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "protech.ge", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "prowise.me", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "psici.eu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "psicologajanainapresotto.com.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -51384,7 +51107,6 @@
     { "name": "superdaddy.club", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "supermae.pt", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "surgiclinic.gr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "surreyheathyc.org.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "svetdrzaku.cz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "svht.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "svobodnyblog.cz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -51561,7 +51283,6 @@
     { "name": "xn--ehq13kgw4e.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "xn--krpto-lva.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "xoonth.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "yellowfly.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "yhfou.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "yogahealsinc.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "yourtrainingsolutions.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -51941,7 +51662,6 @@
     { "name": "nakene.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "namethissymbol.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "nappynko.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "naturalhealthcures.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "nazukebanashi.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "ncloud.freeddns.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "neowa.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -52018,7 +51738,6 @@
     { "name": "pwnedpass.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "pxl.cl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "pyrios.pro", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "qiaohong.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "qnq.moe", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "qr.cl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "qrbird.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -52342,7 +52061,6 @@
     { "name": "eaglexiang.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "elfring.eu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "eluft.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "entersoftsecurity.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "epiphanyofourlordchurch.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "erichogue.ca", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "esp-desarrolladores.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -52485,7 +52203,6 @@
     { "name": "qgblog.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "queens.lgbt", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "ra-joergensen.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "raconteur.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "ratinq.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "rault.io", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "regularflolloping.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -52810,7 +52527,6 @@
     { "name": "clearbookscdn.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "clearvoice.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "clinicasmedicas.com.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "cloudse.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "com-news.io", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "compactchess.cc", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "comptu.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -52998,7 +52714,6 @@
     { "name": "instead.com.au", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "integrateur-web-paris.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "integrityokc.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "international-books.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "internationalschoolnewyork.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "internetbusiness-howto.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "inumcoeli.com.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -53057,7 +52772,6 @@
     { "name": "lampen24.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "lampenwelt.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "lampy.pl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "languagecourse.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "laravelsaas.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "latedeals.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "latestbuy.com.au", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -53098,7 +52812,6 @@
     { "name": "mahjongrush.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "maler-marschalleck.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "mana.ee", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "managementforstartups.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "mangahigh.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "manmeetgill.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "mariacorzo.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -53286,7 +52999,6 @@
     { "name": "pro-taucher.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "pro-taucher.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "promorder.ru", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "prosperfit.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "prynhawn.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "prynhawn.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "prynhawn.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -53374,7 +53086,6 @@
     { "name": "samitechnic.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "samlivogarv.dk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "sanantoniolocksmithtx.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "sanemind.eu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "sascha.io", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "sascha.is", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "saschaeggenberger.ch", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -53766,7 +53477,6 @@
     { "name": "boogaerdtmakelaars.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "botezdepoveste.ro", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "botsindiscord.me", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "brasileiro.ca", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "bridgedirectoutreach.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "briffoud.fr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "browserleaks.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -53775,7 +53485,6 @@
     { "name": "bubblin.io", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "bursa3bydgoszcz.pl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "burzcast.ro", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "burzstudios.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "businessmadeeasypodcast.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "buy-out.jp", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "byhe.me", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -53797,8 +53506,6 @@
     { "name": "cedarcitydining.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "celeraindustries.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "centroperugia.gr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "championweb.co.nz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "championweb.nz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "cheap-colleges.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "checkras.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "chemistry-schools.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -53929,7 +53636,6 @@
     { "name": "fire-schools.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "fiziktedavi.name.tr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "fizyoterapi.name.tr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "flare.cloud", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "flixhaven.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "flyingyoung.top", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "footloose.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -53971,7 +53677,6 @@
     { "name": "greatskillchecks.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "greenwaylog.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "gtxbbs.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "gustom.io", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "hakkasangroup.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "hakkasannightclub.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "haozhexie.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -54072,7 +53777,6 @@
     { "name": "killerkink.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "kinkcafe.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "kissoft.ro", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "kngkng.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "kochinke.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "kochinke.us", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "kogax.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -54141,7 +53845,6 @@
     { "name": "masautonomo.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "mascorazon.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "massage-colleges.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "matbad.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "materassi.roma.it", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "math-colleges.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "maxb.fm", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -54215,7 +53918,6 @@
     { "name": "npregion.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "nshipster.co.kr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "nshipster.es", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "nuclea.id", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "nutridieta.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "occupational-therapy-colleges.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "odhosc.ca", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -54236,7 +53938,6 @@
     { "name": "otokiralama.name.tr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "out-of-scope.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "ovabag.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "owall.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "owncloud.ch", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "oxzeth3sboard.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "oyashirosama.tokyo", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -54344,7 +54045,6 @@
     { "name": "sakuracdn.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "samanacafe.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "samlaw.co.nz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "sanemind.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "savingsoftheyear.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "schgroup.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "schoeller.click", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -54950,7 +54650,6 @@
     { "name": "stfrancisnaugatuck.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "stgabrielstowepa.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "sthenryrc.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "stm32f4.jp", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "stmichaelunion.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "studio44.fit", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "studiohomebase.amsterdam", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -55104,7 +54803,6 @@
     { "name": "bothellwaygarage.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "bryggebladet.dk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "bulktshirtsjohannesburg.co.za", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "bungee.systems", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "butteramotors.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "buyebook.xyz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "buzzcontent.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -55118,7 +54816,6 @@
     { "name": "chaffeyconstruction.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "chancekorte.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "chascrazycreations.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "chatgrape.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "chenpei.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "choiceautoloan.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "christian-krug.website", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -55155,7 +54852,6 @@
     { "name": "discountlumberspokane.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "disk.do", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "dofux.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "doitauto.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "donaldm.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "donovankraag.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "dostrece.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -55233,7 +54929,6 @@
     { "name": "impendulo.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "impressivebison.eu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "incestporn.tv", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "industriemeister.io", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "infrabeep.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "infradrop.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "infranox.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -55282,7 +54977,6 @@
     { "name": "letzchange.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "leveluplv.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "lg0.site", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "lie.as", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "liljohnsanitary.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "lilylasvegas.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "lintellift.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -55489,7 +55183,6 @@
     { "name": "vsd.sk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "wapoolandspa.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "wblautomotive.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "weingaertner-it.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "wem.hr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "wetrepublic.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "whattominingrigrentals.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -55651,13 +55344,11 @@
     { "name": "bucek.cz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "buckelewrealtygroup.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "buildhoscaletraingi.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "bungeetaco.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "bunnycarenotes.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "burg-hohnstein.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "businessmarketingblog.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "buysellinvestproperties.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "bwserhoscaletrainaz.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "byr.moe", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "bytanchan.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "cabinetfurnituree.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "cachacacha.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -55680,7 +55371,6 @@
     { "name": "casalunchbreak.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "casecoverkeygi.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "caseycapitalpartners.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "casino-online.info", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "catalyconv.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "cellebrite.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "celltesequ.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -55714,7 +55404,6 @@
     { "name": "collegestationhomes.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "coltellisurvival.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "commeunamour.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "commonspace.la", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "compunetwor.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "computercamaccgi.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "consegnafioridomicilio.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -55756,7 +55445,6 @@
     { "name": "darwinsearch.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "datajobs.ai", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "davidfetveit.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "decay24.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "demiranda.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "desktopd.eu.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "detecmon.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -55804,7 +55492,6 @@
     { "name": "drsamuelkoo.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "drywallresponse.gov", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "dtoweb.be", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "duckeight.win", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "duroterm.ro", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "dvipadmin.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "dynamicsretailnotes.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -55854,7 +55541,6 @@
     { "name": "encryptmysite.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "energycodes.gov", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "energyefficientservices.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "engelke-optik.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "enlight.no", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "epi-lichtblick.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "epspolymer.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -56052,7 +55738,6 @@
     { "name": "kingsfoot.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "kingsley.cc", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "kiskeedeesailing.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "kkren.me", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "klaasmeijerbodems.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "kleine-strandburg-heringsdorf.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "kleine-strandburg.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -56197,7 +55882,6 @@
     { "name": "olmcnewark.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "olphseaside.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "olqoa.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "omicron3069.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "onepercentrentals.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "ongiaenegogoa.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "openpresentes.com.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -56450,7 +56134,6 @@
     { "name": "technospeakco.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "techpilipinas.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "ted.do", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "templates-office.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "tenderplan.ru", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "texashomesandland.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "the-big-bang-theory.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -56481,7 +56164,6 @@
     { "name": "think-pink.info", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "this-server-will-be-the-death-of-me.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "thomas-schmittner.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "timchanhxe.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "timewk.cn", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "timi-matik.hu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "tina-zander.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -56544,7 +56226,6 @@
     { "name": "vickshomes.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "vidarity.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "videobola.win", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "vietnamphotoblog.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "viewing.nyc", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "vinnyandchristina.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "vinnyvidivici.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -56575,7 +56256,6 @@
     { "name": "wegonnagetsued.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "welcometoscottsdalehomes.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "wellness-bonbon.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "weltmeister.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "westernpadermatologist.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "westside-pediatrics.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "weswitch4u.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -56778,7 +56458,6 @@
     { "name": "badaparda.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "balcarek.pl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "baldwin.com.au", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "balle.dk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "balticmed.pl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "bangyu.wang", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "bankpolicies.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -56889,9 +56568,6 @@
     { "name": "certifiedfieldassociate.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "ces-ltd.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "ch.bzh", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "championweb.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "championweb.com.sg", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "championweb.sg", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "chat-house-adell.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "cheatengine.pro", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "checkjelinkje.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -57036,7 +56712,6 @@
     { "name": "dronebl.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "drtimothybradley.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "dryjersey.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "dstvinstallfourways.co.za", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "ducius.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "duranthon.eu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "dworekhetmanski.pl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -57054,7 +56729,6 @@
     { "name": "dynastylocker.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "dynastyredline.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "dynastyredzone.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "dzsi.bi", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "e-gemeinde.at", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "e-imzo.uz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "eats.soy", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -57350,7 +57024,6 @@
     { "name": "ithink.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "ithjalpforetag.se", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "itm-c.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "itouriria.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "itsayardlife.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "itsupportnacka.se", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "ivopetkov.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -57610,7 +57283,6 @@
     { "name": "nepezzano13.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "nerdca.st", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "netnea.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "neutein.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "nezvestice.cz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "nfam.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "nflchan.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -57886,7 +57558,6 @@
     { "name": "s2p.moe", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "sadiejewellery.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "saf.earth", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "saidelbakkali.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "sailwiz.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "saintanne.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "sainthedwig-saintmary.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -58044,7 +57715,6 @@
     { "name": "tech-info.jp", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "techmagus.icu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "techmoviles.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "techzero.cn", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "telesto.online", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "teletexto.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "temariopolicianacional.es", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -58209,7 +57879,6 @@
     { "name": "wombatnet.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "wombere.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "woodenson.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "worklizard.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "wpexplainer.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "wpno.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "wptorium.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -58307,7 +57976,6 @@
     { "name": "baka.red", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "bfp-mail.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "bijancompany.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "blacktown.eu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "blakezone.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "bloody.pw", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "bluebahari.gq", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -58511,7 +58179,6 @@
     { "name": "qlcvea.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "qpcna.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "quadra.srl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "rachurch.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "radiobox.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "readyrowan.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "readyrowan.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -58704,7 +58371,6 @@
     { "name": "aminullrouted.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "ampleroads.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "anlovegeek.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "anopan.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "antiaz.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "antilaserpriority.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "antonuotila.fi", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -58901,7 +58567,6 @@
     { "name": "faeservice.eu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "fafarishoptrading.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "falce.in", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "falcema.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "familie-mischak.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "fantasy-judo.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "fapplepie.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -59004,10 +58669,8 @@
     { "name": "indianawaterdamagerepairpros.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "indio.co.jp", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "infobrain.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "inforaga.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "ingolonde.pw", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "instantphotoprinter.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "integrityfortcollins.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "intelligenetics.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "intellitonic.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "interabbit.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -59106,14 +58769,12 @@
     { "name": "mellitus.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "merchcity.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "mesec.cz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "michalpodraza.pl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "microfonejts.com.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "micromind.io", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "mikewrites.online", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "milakirschner.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "milkameglepetes.hu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "minisoft4u.ir", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "mischak.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "mixmister.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "mizuhobank.co.id", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "mneerup.dk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -59259,7 +58920,6 @@
     { "name": "sentiments.io", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "sentirmebien.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "servidoresweb.online", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "seven-shadows.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "sharing-kyoto.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "shimi.blog", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "shimi.guru", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -59699,7 +59359,6 @@
     { "name": "breakwall.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "brightside.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "britanniacateringyeovil.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "bryantzheng.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "btshe.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "bukiskola.hu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "bukivallalkozasok.hu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -60058,7 +59717,6 @@
     { "name": "ideatarmac.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "idyl.fr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "igdn.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "igrarium.com.ua", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "ijsclubdwarsgracht.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "ikmx.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "iliasdeli.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -60306,7 +59964,6 @@
     { "name": "mikusa.xyz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "milkypond.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "minican.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "miraste.com.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "mirazperu.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "mircarfinder.ru", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "mirete.info", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -60346,7 +60003,6 @@
     { "name": "naarakah.fr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "nabbar.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "naganithin.me", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "nagata.info", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "naijaxnet.com.ng", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "nais0ne.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "nakayama.industries", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -60545,7 +60201,6 @@
     { "name": "rvfit.dk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "rxguide.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "ryuanerin.kr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "saga-umzuege.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "samorazvitie.ru", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "sangyoui.health", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "sanovnik.at", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -61027,7 +60682,6 @@
     { "name": "jss.moe", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "jxkangyifu.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "jz585.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "k1yoshi.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "kalugadeti.ru", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "kelantanmudah.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "kinderarzt-berlin-zia.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -61309,7 +60963,6 @@
     { "name": "frenchguy.ch", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "fuszara.pl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "fuvelis.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "fuvelis.fr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "gakki.photos", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "gamcore.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "game-club.me", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -61391,7 +61044,6 @@
     { "name": "mindhunter.info", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "moneseglobal.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "myownconference.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "mysticrs.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "myte.ch", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "mzcsgo.top", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "nac-6.fr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -61611,7 +61263,6 @@
     { "name": "beherit.pl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "bestlooperpedalsguide.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "bezlampowe.pl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "bitcert.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "blackmagicshaman.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "blogit.fi", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "briograce.com.mx", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -62179,7 +61830,6 @@
     { "name": "opinio.fr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "opus-consulting.no", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "overnightglasses.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "pandaltd.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "parnizaziteksasko.cz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "patrol-x.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "payments.gy", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -62280,7 +61930,6 @@
     { "name": "unti.me", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "unusedrooms.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "vairuok.lt", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "verlagdrkovac.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "view-page-source.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "vincent-haupert.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "vitlproducts.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -62358,7 +62007,6 @@
     { "name": "asemanhotel.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "astropaykasa.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "atinylittle.space", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "aviationweather.gov", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "avnavi.jp", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "bagnichimici.roma.it", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "banland.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -62848,7 +62496,6 @@
     { "name": "guidesacademe.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "guohuageng.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "gwynfryncottages.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "hackadena.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "hanjuapp.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "helensmithpr.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "help207.xyz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -63018,7 +62665,6 @@
     { "name": "securetasks.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "seekersmart.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "semao.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "sengoku-okayama.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "seniorhost.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "sensory-brands.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "seo-website.ru", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -63033,7 +62679,6 @@
     { "name": "smits.frl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "somethingsomething.work", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "sophiahatstudio.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "sopra.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "speakersbusiness.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "spotsee.io", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "spt.tf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -63133,7 +62778,6 @@
     { "name": "998sa.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "999salon.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "999salon.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "99spokes.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "ab288.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "ab2888.cn", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "ab28s.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -63265,7 +62909,6 @@
     { "name": "felixklein.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "femmes-women.gc.ca", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "femmes.gc.ca", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "fflone.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "financialfreedomaus.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "finilaviolence.gc.ca", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "fitnessunder50.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -63292,7 +62935,6 @@
     { "name": "hitechgr.eu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "hoberg.ch", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "homelab.farm", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "horoca.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "hotcamvids.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "hothiphopmusic.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "hugh-dancy.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -63309,7 +62951,6 @@
     { "name": "idbs.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "impactingsports.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "infraredradiant.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "iningrui.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "insegne.roma.it", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "instagib.info", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "iondrey.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -63528,7 +63169,6 @@
     { "name": "vbsoft.cz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "verasani.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "vextraz.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "vim.ge", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "vinosalmundo.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "vivemedialab.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "voceempaz.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -63743,7 +63383,6 @@
     { "name": "kaidoblogi.eu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "kaizencraft.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "kakacon.nz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "kassa.expert", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "kep-sbt.hu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "kepsbt.hu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "kodamail.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -63760,7 +63399,6 @@
     { "name": "lepartiecomemoracoes.com.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "librofilia.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "link9.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "loshogares.com.mx", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "lvcshu.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "machon.biz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "magicsms.pl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -63774,7 +63412,6 @@
     { "name": "mikegao.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "mikegao.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "miramar.ca", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "mizar.im", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "mizternational.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "moarcookies.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "moeloli.cc", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -64034,7 +63671,6 @@
     { "name": "eyrid.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "f8s.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "falegname.roma.it", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "familledessaint.fr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "floridaengineering.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "flyinghigh.co.jp", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "frazell.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -64578,7 +64214,6 @@
     { "name": "richecommecresus.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "rk.mk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "robertcrain.com.au", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "rocket-resume.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "ruralsoba.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "rzegocki.pl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "s-gong.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -64731,7 +64366,6 @@
     { "name": "blueplumbinggroup.com.au", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "bluewizardart.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "bogosity.tv", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "bongbabyhouse.vn", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "bourseauxservices.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "breard.tf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "brisignshop.com.au", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -64839,7 +64473,6 @@
     { "name": "halihali.tv", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "hannywbarek.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "harmsboone.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "harpoo.jp", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "health-iq.com.au", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "healthyspirituality.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "healthysuperhuman.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -65029,7 +64662,6 @@
     { "name": "tom.ro", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "transdyne.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "treefelling-durban.co.za", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "treeoilpot.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "treeremovalsboksburg.co.za", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "tryplo.ca", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "tryplo.xyz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -65709,13 +65341,11 @@
     { "name": "lottoland.pt", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "lou.ist", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "loverepair.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "lucian.blog", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "lucie-parizkova.cz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "luisa-birkner.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "luthierunatespalermo.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "lynnellneri.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "m-net.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "macedonian-hotels.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "macedonian-hotels.com.mk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "macedonian-hotels.mk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "madewithopendata.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -65856,7 +65486,6 @@
     { "name": "pitshift.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "pixelcomunicacion.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "planetarian.moe", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "plasdeck.me", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "plasticbags.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "plurr.us", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "pms.myiphost.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -65908,7 +65537,6 @@
     { "name": "propelgrowth.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "proteco.sk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "provent.io", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "psasines.pt", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "ptab2pt.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "pudro.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "pulizia.roma.it", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -66167,7 +65795,6 @@
     { "name": "triefenbach.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "triefenbach.eu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "troubles.ru", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "truyencuoi.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "tudineroasi.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "tulpan22.ru", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "tuning.energy", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -66327,7 +65954,6 @@
     { "name": "znti.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "zodgame.fun", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "zookids.uy", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "zorrobei.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "zravyobrazky.cz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "01-edu.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "123birthdaygreetings.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -66382,9 +66008,7 @@
     { "name": "bjut.photos", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "bobasy.pl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "brocinema.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "buildiffuse.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "bustany.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "buyamerican.gov", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "bwgjms.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "bwgjms.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "cadra.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -66403,7 +66027,6 @@
     { "name": "classiccutstupelo.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "clausewitz-gesellschaft.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "cmserviscz.cz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "computer-menschen.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "consultasdigitales.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "controlambientalbogota.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "counterenlol.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -66433,7 +66056,6 @@
     { "name": "epicserver.ru", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "ericksonvasquez.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "esher.ac.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "every-day-life.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "fashion-hunters.pl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "fau8.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "fazzfinancial.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -66542,7 +66164,6 @@
     { "name": "mongolie.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "mopedpress.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "morgan-insurance.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "motlife.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "mrschristine.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "mubase.dk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "my-webcloud.at", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -66603,7 +66224,6 @@
     { "name": "simulfund.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "sloneczni.pl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "smokeping.pl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "sollevix.ovh", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "solupredperu.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "somoyorkies.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "speights-law.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -66620,14 +66240,12 @@
     { "name": "t3.ie", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "tambo.es", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "tamsweb.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "tamtowild.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "technokicks.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "techy360.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "telibee.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "theviewat55th.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "thmpartners.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "tiger21.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "tinhbotnghegold.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "tissus-paris.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "titser.ph", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "tombu.info", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -66786,7 +66404,6 @@
     { "name": "3809944.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "380zz8989.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "38138938.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "3886aa.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "39661463.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "4999016.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "4monar.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -67050,7 +66667,6 @@
     { "name": "fallenmoons.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "fallin.space", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "familleseux.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "fattailcall.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "fdfz.edu.cn", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "ferienstpeter.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "filebox.one", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -67312,7 +66928,6 @@
     { "name": "tylyjj.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "ujiyasu.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "unnamed.download", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "upforshare.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "uplead.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "uspaacc.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "utavatu.mk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -67356,7 +66971,6 @@
     { "name": "worldmeetings.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "wucanyao.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "wyjmb.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "xanimalcaps.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "xanyl.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "xbjt2.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "xbjt22.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -67679,7 +67293,6 @@
     { "name": "9728yy.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "9728z.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "9728zz.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "a30.tokyo", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "a5197.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "a9297.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "a9397.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -67693,7 +67306,6 @@
     { "name": "accessibletravelclub.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "adnexa.it", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "ainfographie.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "airportal.cn", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "ajhstamps.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "alexandercanton.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "allcleaningservice.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -67816,7 +67428,6 @@
     { "name": "fantasmesexuel.info", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "femmesaupluriel.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "fenhl.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "ferrada.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "ff5197.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "ff9297.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "ff9397.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -67842,7 +67453,6 @@
     { "name": "gg9721.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "gg9728.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "gh-sandanski.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "globalwitness.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "gooddayatwork.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "gordonchevy.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "gratis.market", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -67916,7 +67526,6 @@
     { "name": "jj9397.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "jj9721.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "jj9728.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "jobsarkari.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "johnrosewicz.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "julianbroadway.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "juristique.fr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -68388,7 +67997,6 @@
     { "name": "argecord.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "arterydb.ru", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "arthritisrheumaticdiseases.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "artikelpendidikan.id", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "auburnmedicalservices.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "authcom.ca", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "auto-none.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -68435,7 +68043,6 @@
     { "name": "boccabell.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "bochantinobgyn.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "bookwave.art", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "botealis.ch", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "bou.ke", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "brianwalther.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "brizawen.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -69854,7 +69461,6 @@
     { "name": "redjuice.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "residence-donatello.be", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "resumelab.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "rettig.xyz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "richardlangham.plumbing", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "richelelahaise.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "rioxmarketing.us", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -70411,7 +70017,6 @@
     { "name": "rootze.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "rubenbrito.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "ruhproject.kz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "ryan.cafe", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "s88.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "saeder-krupp.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "saigaocy.me", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -70426,7 +70031,6 @@
     { "name": "server72a.ddns.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "sgcy.vip", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "shadowcp.eu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "shopwebhue.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "sicurezza24.info", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "signaletique-inox.fr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "sissden.eu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -70520,7 +70124,6 @@
     { "name": "36594.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "39w66.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "518k8.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "660887.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "66619991.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "666k8.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "668k8.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -70575,7 +70178,6 @@
     { "name": "backmitra.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "backmitra.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "baiyu.blog", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "baiyu.me", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "banglets.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "bdupnews.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "belgraver.eu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -70942,7 +70544,6 @@
     { "name": "torresshop.es", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "tqm1.sk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "treehole.life", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "trevo-lotofacil.com.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "twlitek.com.tw", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "umail2.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "unicode.gq", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -71041,7 +70642,6 @@
     { "name": "alforto.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "all4nursesksa.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "allcoveredbyac.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "aloralabs.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "alteraro.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "alteraro.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "altonkey.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -71236,7 +70836,6 @@
     { "name": "long988.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "lovingbody.yoga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "ltheinrich.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "mangowave.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "mansarda-life.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "marex.host", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "martian.community", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -71262,7 +70861,6 @@
     { "name": "nednex.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "networkmas.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "newdirectionsolar.com.au", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "nobleandlore.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "nodebb-cn.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "nolte-imp.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "nooben.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -71279,7 +70877,6 @@
     { "name": "ordermygear.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "osterlensyd.se", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "pandiora.pw", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "pay.mg", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "pcr24.ru", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "pixelabs.fr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "planet.live", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -71323,7 +70920,6 @@
     { "name": "syogainenkin119.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "taichichuanyang.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "tanshin.xyz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "tappezziere.milano.it", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "techmunchies.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "technotronikcanada.ca", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "tentacletank.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -71342,7 +70938,6 @@
     { "name": "uze-mobility.at", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "uze-mobility.io", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "uzemobility.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "vademekum.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "valuecashhomes.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "valuecashoffers.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "verified.eu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -71563,7 +71158,6 @@
     { "name": "eikentafels.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "eisblau.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "elldus.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "emrullahsahin.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "enodais.gr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "espaciosdelalma.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "eve-ua.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -71658,7 +71252,6 @@
     { "name": "lnhydy.cn", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "lnrsoft.ddns.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "logiccircle.ir", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "loginmailpage.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "londontaxipr.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "luctam.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "lueersen.homedns.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -71821,7 +71414,6 @@
     { "name": "vigorspa.it", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "viki.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "vkwebsite.ru", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "vontainment.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "voshod.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "wearetuzag.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "webdesigngc.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -71972,7 +71564,6 @@
     { "name": "eternalparking.eu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "eternalparking.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "eternalparking.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "exeye.io", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "f00f.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "f5la.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "fenixportal.eu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -72130,7 +71721,6 @@
     { "name": "networkdiode.eu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "networkdiode.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "networkdiode.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "newhamyoungbloods.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "newlifehempoil.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "newsdiff.eu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "newsdiff.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -72360,7 +71950,6 @@
     { "name": "zerocash.msk.ru", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "zl2020.vip", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "022kb.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "03d88.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "0d111.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "100up.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "100up.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -72535,7 +72124,6 @@
     { "name": "amerion.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "amtsinfo.in", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "andrewjphotography.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "anxietyspecialistsofatlanta.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "anythinggraphic.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "aptekakolska.pl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "arco.biz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -72607,7 +72195,6 @@
     { "name": "d88882.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "d88886.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "d8890.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "d88988.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "d88dc09.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "d88girls.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "d88md03.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -72665,7 +72252,6 @@
     { "name": "gay-personal-ads.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "georgiadance.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "getacrane.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "gku-winterling.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "golnet.hu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "growth-rocket.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "guzlewski.pl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -72822,7 +72408,6 @@
     { "name": "petnow.gr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "petrovich.pro", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "philanima.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "phongthuyanthinh.vn", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "photosaloncontest.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "pignus.tech", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "podsvojostreho.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -72937,7 +72522,6 @@
     { "name": "w66136.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "w661616.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "w66191.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "w662211.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "w663w.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "wallisch.pro", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "wearefrantic.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -72967,7 +72551,6 @@
     { "name": "yuer.sytes.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "z8079.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "zi5.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "zl-49.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "zl-59.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "zl-69.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "zl-79.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -73013,7 +72596,6 @@
     { "name": "1520328.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "156ks.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "158ks.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "173ks.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "1820327.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "1820331.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "1820347.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -73141,7 +72723,6 @@
     { "name": "9k629.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "9k636.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "9k637.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "9k639.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "9k653.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "9k657.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "9k658.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -73212,7 +72793,6 @@
     { "name": "agks188.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "agks96.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "airanyumi.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "allthings.how", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "americorps.gov", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "andesnevadotours.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "angelinaangulo.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -73259,7 +72839,6 @@
     { "name": "cashbot.sk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "cathy.lgbt", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "ccriderlosangeles.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "celebalita.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "centrederessourcement.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "chifumi.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "clubapk.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -73277,7 +72856,6 @@
     { "name": "cuentamecomopaso.es", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "curexengine.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "cybernetivdigital.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "d88.xyz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "david-merkel.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "daysinnaustin.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "deedyinc.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -73460,7 +73038,6 @@
     { "name": "mb-demo.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "mealinsider.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "medbreaker.one", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "mediavamp.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "megaron.at", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "meliowebweer.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "meloniecharm.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -73485,7 +73062,6 @@
     { "name": "netcials.in", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "netexpatcommunity.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "new-jersey-online-casinos.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "nick-slowinski.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "nuoha.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "nuovavetro.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "officina.roma.it", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -73577,7 +73153,6 @@
     { "name": "szs.space", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "tazarelax.es", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "teeautomat-teemaschine.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "tempatwisatakeren.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "the1.site", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "thecontentcloud.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "thecraftingstrider.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -73642,13 +73217,11 @@
     { "name": "yuzu-tee.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "z8017.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "z8023.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "z8078.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "z8106.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "z8109.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "z8132.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "z8182.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "z8851.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "z8922.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "zaffke.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "zakonu.net.ru", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "zd0808.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -73666,7 +73239,6 @@
     { "name": "zd239.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "zd252.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "zd253.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "zd257.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "zd258.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "zd259.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "zd262.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -73726,7 +73298,6 @@
     { "name": "zl5151.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "zl6565.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "zl6767.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "zl7979.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "zl850.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "zl861.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "zl8686.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -74056,9 +73627,7 @@
     { "name": "3837y.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "3837z.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "38irkutsk.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "392365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "3957b.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "3957c.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "3957d.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "3957e.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "3957f.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -74513,12 +74082,10 @@
     { "name": "88740n.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "888789j.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "88884048.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "888b58.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "88n13.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "8b8888.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "8btt.app", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "8me.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "9009019.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "906vv.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "90920.cn", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "90n13.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -75905,7 +75472,6 @@
     { "name": "mypvhc.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "myqbusiness.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "myraboats.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "mystore24.eu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "myxxxsite.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "n30365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "na-kipre.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -76029,7 +75595,6 @@
     { "name": "p58203.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "p58204.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "p58205.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "p888010.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "p9120.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "p9121.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "p9125.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -76284,7 +75849,6 @@
     { "name": "rushmyessay.gq", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "russian-page.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "rust.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "ruthiehallarsis.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "ryabinushka.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "s30365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "sabians.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -76544,9 +76108,6 @@
     { "name": "test-school.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "testthis.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "textpages.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "tgo3333.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "tgo4444.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "tgo5555.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "thaiboystory.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "thaihotmodels.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "thaiportal.gq", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -76580,7 +76141,6 @@
     { "name": "timmi6790.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "tips4india.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "tirteafuera.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "titanforged.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "tixio.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "tobiasfischer.info", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "tolerance-zero.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -76764,7 +76324,6 @@
     { "name": "valencianisme.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "valeravi.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "vardenafilhcl.gq", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "varianto25.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "varjo.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "vasheradio.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "vatav.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -76841,12 +76400,9 @@
     { "name": "w9740.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "w9750.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "w97a.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "w97aa.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "w97app.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "w97app2.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "w97app3.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "w97bb.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "w97cc.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "waermekabine.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "waimanu.io", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "wangshengze.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -76888,7 +76444,6 @@
     { "name": "worldoflegion.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "wulfrun-invicta.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "ww6396.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "x10006.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "x2816.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "x30365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "x3515.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -76909,7 +76464,6 @@
     { "name": "x58p.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "x58t.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "x58v.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "x7008.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "x7713.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "x7715.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "x7716.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -76929,8 +76483,6 @@
     { "name": "x77qq.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "x77tt.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "x77ww.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "x9015.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "x9701.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "x98t.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "xab123.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "xab199.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -77021,56 +76573,9 @@
     { "name": "y7091.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "y7092.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "y7093.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "y890000.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "y891111.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "y892222.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "y893333.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "y894444.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "y895555.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "y896666.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "y897777.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "y898888.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "y89a.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "y89aaa.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "y89b.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "y89bbb.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "y89c.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "y89ccc.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "y89d.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "y89dd.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "y89ddd.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "y89e.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "y89ee.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "y89eee.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "y89f.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "y89fff.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "y89g.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "y89gg.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "y89ggg.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "y89hh.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "y89hhh.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "y89i.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "y89ii.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "y89iii.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "y89j.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "y89jj.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "y89jjj.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "y89k.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "y89kk.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "y89l.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "y89ll.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "y89m.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "y89n.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "y89o.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "y89p.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "y89q.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "y89r.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "y89s.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "y89t.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "y89u.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "y89v.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "y89z.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "y89zz.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "yagoda-malina.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "yangfamily.tw", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "yantox.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -77104,7 +76609,6 @@
     { "name": "yemenlink.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "yenbainet.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "yeniexpo.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "yepmom.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "yerbasbuenas.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "yesteryear-chronicle.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "yiluup.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -77280,7 +76784,6 @@
     { "name": "9k259.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "9k265.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "9k272.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "9k288.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "9k297.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "9k298.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "9k326.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -77323,7 +76826,6 @@
     { "name": "affinity.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "africanhosting.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "agaveandpine.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "agks02.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "agrodronechile.cl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "aimare-web.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "airmash.online", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -77583,7 +77085,6 @@
     { "name": "cs3338.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "cs3339.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "css-tricks.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "ctir.gov.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "culaneenergycorp.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "culturabrasilia.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "culturalparadiso.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -77778,7 +77279,6 @@
     { "name": "guiacursos.online", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "guys-reviews.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "habitable.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "hafer.tech", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "hairpins.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "hakkariradyo.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "hallcouture.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -78192,7 +77692,6 @@
     { "name": "necromantia.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "needfire.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "nethealth.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "netkigestioncomercial.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "netpenge.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "netsearch.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "new-tuning.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -78305,7 +77804,6 @@
     { "name": "p333ll.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "p333lll.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "p333m.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "p333mm.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "p333mmm.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "p333n.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "p333nn.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -78315,7 +77813,6 @@
     { "name": "p333ooo.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "p333ppp.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "p333q.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "p333qq.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "p333qqq.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "p333r.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "p333rr.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -78879,7 +78376,6 @@
     { "name": "w0115.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "w1717w.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "w3330.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "w5858w.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "w61516.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "w61616.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "w6603.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -79047,7 +78543,6 @@
     { "name": "1000wordsevents.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "166jk.cc", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "1698k.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "192ks.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "197jjj.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "198jjj.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "208wns.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -79140,7 +78635,6 @@
     { "name": "52062v.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "52062w.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "52067.vip", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "529kb.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "541651.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "55558744.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "56564a.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -79195,17 +78689,12 @@
     { "name": "57574x.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "57574y.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "57574z.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "581kb.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "5889k.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "589ks.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "595ks.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "606722.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "608885.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "619kb.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "633663.cc", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "633663.vip", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "63gaming.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "652kb.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "6556a.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "6556b.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "6556c.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -79218,7 +78707,6 @@
     { "name": "6556m.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "6556x.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "6556z.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "659ks.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "661326.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "6619k.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "6685m.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -79311,7 +78799,6 @@
     { "name": "alyanak.ca", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "andrewisidoro.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "angelspabeauty.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "antifa.sh", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "apitodemestre.com.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "appbooks.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "arouparia.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -79360,7 +78847,6 @@
     { "name": "civmob.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "cjsounds.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "clientesendemanda.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "coevostudio.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "cokomi.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "comprauncelular.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "connectionstrings.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -79430,7 +78916,6 @@
     { "name": "fourxone.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "freelance-webdesigner.jp", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "freewerkt.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "friend.tours", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "fuuko.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "gadgets-cars.com.es", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "garbott.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -79457,8 +78942,6 @@
     { "name": "hn122.cc", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "houby-studio.eu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "housingneedz.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "hsimrall.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "htcvina.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "hx56.cc", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "hx678.cc", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "i86666.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -79474,7 +78957,6 @@
     { "name": "intranetcrowd.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "introes.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "iplist.cc", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "ippawards.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "ipvbook.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "irxoo.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "itqh0pk67wngbob5suh-c7glbmvtfa0dqhokufs.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -79500,12 +78982,6 @@
     { "name": "kocka.tech", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "kp0808.cc", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "kpaycoin.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "ks6800.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "ks6806.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "ks6813.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "ks6821.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "ks6822.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "ks8127.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "kuadey.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "lakeandriverrestoration.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "lavabit.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -79555,7 +79031,6 @@
     { "name": "ojk.me", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "olivia-smith.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "ontstoppingsdienst123.be", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "open.net.sa", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "oplatki-charistia.pl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "ops.com.pl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "opticaltest.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -79586,7 +79061,6 @@
     { "name": "portafoliodenegocios.com.mx", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "prdelka.eu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "pricesim.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "proactivo.digital", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "proastec.com.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "prodwa.re", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "promods.web.tr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -79635,7 +79109,6 @@
     { "name": "seguimosganando.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "seicochimica.it", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "shoparbonne.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "simplydesk.fr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "smartmones.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "smartpheromones.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "smartsitio.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -79749,19 +79222,12 @@
     { "name": "20191r.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "24hourlocksmithhoustontx.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "24hourlocksmithspring.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "282ks.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "30019.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "3311.com.cn", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "375ks.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "377ks.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "378ks.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "492y.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "4y4a-arts.space", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "516ks.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "52062c.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "52062y.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "535kb.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "536kb.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "551365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "552365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "6365dx.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -79881,13 +79347,9 @@
     { "name": "europa.jobs", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "exnoobstore.com.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "eznetworks.com.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "f1318.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "f1318.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "f8036.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "f81818.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "fbe.to", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "fc8882.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "fc8882.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "ff18.cc", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "fh169.cc", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "finotax.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -79970,22 +79432,6 @@
     { "name": "kodomo.live", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "koflegend.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "krillz.se", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "ks6807.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "ks6812.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "ks6815.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "ks6816.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "ks6817.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "ks6820.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "ks6825.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "ks6826.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "ks6827.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "ks6829.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "ks6830.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "ks6831.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "ks8126.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "ks8892.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "ks8895.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "ks8915.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "kuhnerts.eu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "kupu.maori.nz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "l81818.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -80006,7 +79452,6 @@
     { "name": "mancrates.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "marco-burmeister.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "marquesgroup.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "marvnetforum.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "medundmed.at", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "mehdimassage.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "merakiclub.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -80209,17 +79654,6 @@
     { "name": "x81818.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "xn--strandhaus-hinter-der-dne-1wc.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "xunleiyy.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "y89a.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "y89b.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "y89c.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "y89d.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "y89e.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "y89f.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "y89g.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "y89h.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "y89i.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "y89j.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "y89ww.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "yay.cam", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "yolocast.wtf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "yourpocketbook.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -80250,7 +79684,6 @@
     { "name": "1net.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "25percent.me", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "2jhb.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "40666888.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "500promocodes.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "500promokodov.ru", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "52062d.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -80409,7 +79842,6 @@
     { "name": "hx77.cc", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "hx789.cc", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "icecodenew.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "idn.gov.pt", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "ieltslananhtruong.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "ihacker.ai", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "img.ren", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -80442,7 +79874,6 @@
     { "name": "knowpanamatours.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "kp0809.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "kriskras99.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "ks6805.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "langgasse-baar.ch", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "lauralep.sy", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "lavaggista.it", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -80605,7 +80036,6 @@
     { "name": "wintzenterprise.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "wuyiwa.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "xc9988.cc", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "xerbo.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "xiaojicdn.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "xlunastore.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "xn--80ageukloel.xn--p1ai", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -80628,14 +80058,9 @@
     { "name": "zoohaus.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "111plus.design", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "168fff.cc", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "281ks.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "3dlab.team", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "3pestki.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "620207.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "623kb.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "633kb.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "655ks.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "698kb.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "8888yule8888.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "889w889.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "889w889.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -80673,7 +80098,6 @@
     { "name": "biznesinfo.pl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "bjl688.cc", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "blackmagickwitch.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "bogurl.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "bojiu99.cc", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "bonsi.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "borderless360.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -80807,20 +80231,11 @@
     { "name": "justeducationonline.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "kartoffel-tobi.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "kazmamall.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "kcfmradio.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "kerner.xyz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "kettinggeleider.be", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "kickingpixels.com.au", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "kinaesthetics-forschung.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "kobudo49.fr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "ks6809.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "ks6810.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "ks6819.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "ks6823.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "ks6828.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "ks6832.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "ks6833.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "ks9211.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "kuditel.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "ladiesofvietnam.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "leeannescreations.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -80878,14 +80293,12 @@
     { "name": "openwrt-dist.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "operr.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "operrtel.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "operrwork.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "orangelandgaming.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "ouest-annonces.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "parasca7.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "pari.cz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "pastimeproject.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "paulcloud.fr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "pcxserver.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "pelosanimais.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "percloud.ddns.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "pharmasana.ru", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -80945,7 +80358,6 @@
     { "name": "srfloki.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "srkb.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "stainhaufen.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "studiovictorialimited.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "summusglobal.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "suniru.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "sunnistan.in", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -81230,22 +80642,6 @@
     { "name": "kommunermeddnssec.se", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "kommunermedipv6.se", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "kondomshop.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "ks6835.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "ks6836.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "ks6837.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "ks6838.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "ks6839.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "ks6850.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "ks6851.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "ks6852.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "ks6853.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "ks6857.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "ks6861.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "ks6862.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "ks6863.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "ks6867.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "ks6870.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "ks6871.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "lackierereischmitt.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "lauresta.lt", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "lauresta.lv", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -81261,7 +80657,6 @@
     { "name": "luv2watchmycam.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "manshatech.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "manzalud.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "marbledentalcentre.ca", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "markusjanzen.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "marzio.co.za", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "mbclegal.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -81350,7 +80745,6 @@
     { "name": "snizl.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "songesdeplumes.fr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "sphacks.io", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "sporttomorrow.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "spoters.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "srimakc.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "sunshinecoastplumbingcompany.com.au", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -81410,7 +80804,6 @@
     { "name": "zhina.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "zowedo.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "020ks.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "026kb.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "029kb.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "0510ks.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "0511ks.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -81437,8 +80830,6 @@
     { "name": "184kb.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "185ks.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "186ks.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "188kb.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "199ks.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "1fc0.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "2000.is", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "2255motion.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -81450,18 +80841,12 @@
     { "name": "46d88.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "47d88.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "48d88.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "499ks.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "499ks.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "555kb.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "566ks.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "599ks.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "64d88.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "668ks.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "66agks.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "70d88.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "74d88.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "75d88.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "799ks.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "8186d.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "8187d.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "8189d.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -81482,7 +80867,6 @@
     { "name": "8921d.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "8925d.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "8926d.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "899ks.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "967you.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "99agks.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "9k898.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -81491,8 +80875,6 @@
     { "name": "actionverb.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "ae86.plus", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "aeroalbrook.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "ag89ks.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "ag9ks.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "agendaspectacles.fr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "agentrisk.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "agks0.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -81504,7 +80886,6 @@
     { "name": "agks666.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "agktest1.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "agpsn.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "agrolab.dk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "akashdsouza.now.sh", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "alchemy-media-marketing.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "alice-memorial.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -81516,8 +80897,6 @@
     { "name": "app-scope.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "apyha.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "aquariu.ms", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "arabapps.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "articulatedmedia.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "artrapid.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "asianfilmfestival.barcelona", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "asp.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -81668,30 +81047,18 @@
     { "name": "kb4747.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "kb486.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "kb506.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "kb5454.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "kb6464.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "kb6565.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "kb756.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "kb787.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "kb88.us", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "kb8800.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "kb8815.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "kb8818.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "kb8819.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "kb8820.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "kb8830.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "kb8837.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "kb8841.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "kb8843.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "kb8848.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "kb8849.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "kb8852.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "kb8854.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "kb8856.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "kb8859.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "kb8863.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "kb8867.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "kb8874.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "kb8880.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "kb88dc06.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "kb88dc15.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -81702,7 +81069,6 @@
     { "name": "kb890.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "kb965.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "kb9696.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "kb991.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "kchomemed.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "kerryfoodscareers.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "keyex.com.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -81728,8 +81094,6 @@
     { "name": "ks208.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "ks2099.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "ks281.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "ks2888.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "ks2888.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "ks291.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "ks299.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "ks329.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -81737,14 +81101,10 @@
     { "name": "ks335.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "ks337.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "ks339.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "ks3888.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "ks3939.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "ks502.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "ks503.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "ks541.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "ks549.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "ks5888.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "ks5888.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "ks6008.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "ks610.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "ks635.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -81758,7 +81118,6 @@
     { "name": "ks8819.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "ks8852.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "ks9393.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "ks9888.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "kunda.ovh", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "la-manufacture-du-nettoyage.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "lambda.sx", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -81897,7 +81256,6 @@
     { "name": "tierradeayala.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "tilde.link", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "tinminnow.me", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "tmailz.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "todaslascafeteras.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "tokky.fr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "tokyoadultguide.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -81964,7 +81322,6 @@
     { "name": "112z6.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "113ks.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "113z6.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "116ks.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "116z6.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "117z6.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "118z6.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -82059,7 +81416,6 @@
     { "name": "agencyalacarte.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "agks006.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "agks06.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "agks12.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "agks13.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "agks138.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "agks168.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -82074,7 +81430,6 @@
     { "name": "agks988.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "agks99.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "agks998.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "aini99.club", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "airconrandburg.co.za", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "aljaspod.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "alpharoofga.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -82143,7 +81498,6 @@
     { "name": "darlenejacques.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "dechetor.fr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "dejongonline.eu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "dennhat.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "depot24.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "desertbloomplasticsurgery.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "devmode.fm", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -82249,7 +81603,6 @@
     { "name": "ks0660.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "ks068.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "ks082.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "ks10.vip", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "ks15.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "ks182.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "ks20.vip", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -82331,7 +81684,6 @@
     { "name": "mcukhost.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "mediafamous.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "melania-voyance.fr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "mentorbuk.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "middletonshoppingcentre.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "mjjlab.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "mjs-domy.pl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -82387,7 +81739,6 @@
     { "name": "ratujemyzwierzaki.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "rawdamental.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "rcpdesign.cl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "rebellion.global", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "redkiwi.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "redray.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "remetall.cz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -82398,7 +81749,6 @@
     { "name": "ronbongamis.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "safevault.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "samlam.ddns.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "santaijia.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "santamariaretreats.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "schbebtv.fr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "scholtensupport.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -82595,7 +81945,6 @@
     { "name": "52062i.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "52062m.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "588z6.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "616xin.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "654666365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "668z6.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "765666365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -82607,8 +81956,6 @@
     { "name": "92owl.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "a04gameapp.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "a04webapp.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "a06gameapp.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "a06webapp.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "aberon.pl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "actingcxo.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "adonis.hosting", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -82616,7 +81963,6 @@
     { "name": "advaith.fun", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "affiliates.trade", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "airconditioning-sandton.co.za", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "ajsgall.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "allanta.be", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "allmajestic.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "apkright.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -82843,7 +82189,6 @@
     { "name": "mbsync4supply.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "meiksbar.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "merchant.agency", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "metrosahel.tn", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "mgsdb.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "michelwolf.ch", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "micropigpets.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -82861,7 +82206,6 @@
     { "name": "mountainutilities.eu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "mraag.xyz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "mrvnt.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "muot.tv", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "mustsellacarglobal.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "my-web.xyz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "myphamthemis.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -82875,7 +82219,6 @@
     { "name": "okkhor52.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "olive.my", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "ollies.cloud", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "onchol.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "oneartyminute.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "onlytrong.cc", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "onpointplugins.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -83025,7 +82368,6 @@
     { "name": "z6912.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "z8870.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "zanjirzanane-shanbeghazan.ir", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "zd623.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "zd635.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "zd652.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "zd653.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -83134,7 +82476,6 @@
     { "name": "0998z6.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "0999z6.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "09am8.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "10k.ag", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "1112z6.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "1113z6.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "1115z6.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -83168,7 +82509,6 @@
     { "name": "156z6.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "157z6.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "159z6.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "180ks.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "181z6.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "182z6.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "183z6.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -83183,7 +82523,6 @@
     { "name": "2777z6.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "2888z6.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "2999z6.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "2nics.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "3222z6.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "3322z6.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "3333ylc.cc", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -83265,8 +82604,6 @@
     { "name": "ae86b.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "ae86c.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "ae86dj.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "ag888.ag", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "ag918.ag", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "agendo.com.ar", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "ahsyg.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "aiva.ai", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -83280,7 +82617,6 @@
     { "name": "alphaperfumes.com.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "altairlyh.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "altsdigital.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "am88.ag", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "amethyste.moe", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "amsel305nc.ddnss.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "antennajunkies.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -83467,7 +82803,6 @@
     { "name": "inpdp.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "insights.is", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "intentanalytica.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "internetwork.com.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "inversionesgalindo.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "ioasync.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "isamiok.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -83485,13 +82820,9 @@
     { "name": "justsome.info", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "jyrilaitinen.fi", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "jyvaskylantykkimies.fi", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "k10.ag", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "k10.app", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "k10.best", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "k36594.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "k51365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "k666.ag", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "k666.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "k88256.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "k88257.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "k88258.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -83512,16 +82843,9 @@
     { "name": "k88276.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "k88277.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "k88285.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "k888.ag", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "kaishi.ag", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "kashis.com.au", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "kasual.id", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "kb8.ag", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "kb8.best", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "kb802.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "kb88.ag", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "kb88.best", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "kb888.ag", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "kevin.tw", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "kirchenchor-olzheim.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "kirillpokrovsky.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -83529,13 +82853,6 @@
     { "name": "kromonos.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "kroy.io", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "krugersdorpplumber24-7.co.za", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "ks10.ag", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "ks8.ag", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "ks88.ag", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "ks88.best", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "ks888.ag", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "ksbet.ag", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "ksvip10.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "kursk-otoplenie.ru", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "kuruma-ex.jp", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "kustod.io", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -83742,8 +83059,6 @@
     { "name": "vivoregularizafacil.com.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "vulpr.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "w36594.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "w666.ag", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "w888.ag", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "wakastream.cc", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "walruscode.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "watchlol.live", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -84016,7 +83331,6 @@
     { "name": "678365t.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "67877777.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "7652.cc", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "7654321c.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "77018vip.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "77168365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "777234567.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -84047,7 +83361,6 @@
     { "name": "9968707.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "9968717.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "9968838.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "9968909.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "9968959.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "9968969.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "9968aa.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -84232,7 +83545,6 @@
     { "name": "bet820.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "bfanis.ir", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "bienestarfacial.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "bigbrotherco.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "biol.spb.ru", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "bitcoingah.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "bitvps.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -84242,7 +83554,6 @@
     { "name": "bodrumhotelsresorts.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "bonn.digital", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "bosekarmelitky.cz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "boutiqueinfantil.com.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "brawlstarsitalia.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "breadpirates.chat", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "bretech.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -84397,7 +83708,6 @@
     { "name": "getsmarterinsurance.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "go9968.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "goc4wraps.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "grabtech.vn", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "grand-city38.ru", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "grimm.cz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "grupocata.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -84517,7 +83827,6 @@
     { "name": "parkers.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "part.la", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "pascal90.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "paulalutz.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "pbfashionexhibition.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "penconsultants.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "philipdeussen.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -84584,7 +83893,6 @@
     { "name": "stina-vino.hr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "stmohrael.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "stortiservices.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "straat.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "strathspeycrown.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "studiokilund.se", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "suchtv.pk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -84655,7 +83963,6 @@
     { "name": "viveport.life", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "viveportal.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "viveportchina.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "vizeyurdu.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "vlaggen-landen.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "vrba.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "vscm888.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -84692,12 +83999,8 @@
     { "name": "x00738.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "x00776.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "x00786.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "x10007.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "x10008.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "x668.cc", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "x9016.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "x9017.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "x9718.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "xinnermedia.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "xinpujing198.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "xinpujing200.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -84728,7 +84031,6 @@
     { "name": "y70303.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "yert.pink", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "z00228.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "zach.vip", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "zaledia.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "zijemvedu.sk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "ziledelaultimagafaavioricai.ro", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -84870,7 +84172,6 @@
     { "name": "bet44409.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "bet44410.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "bienhacerlimpiezas.es", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "bionezis.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "blaargh.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "bloggingtipsfornewblogger.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "bongocams.webcam", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -84886,7 +84187,6 @@
     { "name": "carpet---cleaning.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "casaasia.cat", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "casaasia.eu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "cdemi.io", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "cedric-bour.fr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "censys.io", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "centraldoencanador.com.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -85053,12 +84353,10 @@
     { "name": "justimports.com.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "jyoba.co.jp", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "kas.ie", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "kbst.se", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "kelis.fr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "key-form.fr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "keysso.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "kjkmail.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "klikacc.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "kneppe.me", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "knulla.me", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "knulle.me", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -85313,7 +84611,6 @@
     { "name": "wtfbryan.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "wulala.us", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "xahbspl.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "xprometheus.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "ya.mk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "yachtfolio.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "yanik.info", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -85325,17 +84622,7 @@
     { "name": "zalure.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "zdenekpasek.cz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "zenassociates.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "040552.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "041552.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "042552.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "046552.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "049552.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "04d.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "051552.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "054552.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "068552.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "071552.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "084552.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "09000113.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "0x7.io", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "12l.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -85347,13 +84634,10 @@
     { "name": "137k66.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "138k66.ag", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "139k66.ag", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "142552.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "146552.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "151k66.ag", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "151k66.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "152k66.ag", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "152k66.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "154552.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "155k66.ag", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "155k66.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "156k66.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -85375,8 +84659,6 @@
     { "name": "2033011.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "22245j.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "22256j.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "241552.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "242552.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "24hourelectricalservices.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "266k66.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "347552.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -85404,7 +84686,6 @@
     { "name": "36533s.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "36533t.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "36533u.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "36533v.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "365q01.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "365q02.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "365q03.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -85425,14 +84706,11 @@
     { "name": "427552.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "457552.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "487552.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "497552.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "566k66.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "5k66.ag", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "60062b.cc", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "60062h.cc", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "60062i.cc", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "611121.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "611125.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "662k66.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "6666365q.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "66689j.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -85444,13 +84722,6 @@
     { "name": "6k666.ag", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "6k666.cc", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "6k669.ag", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "755204.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "755245.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "755246.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "755249.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "755274.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "755284.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "755294.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "766k66.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "7777365q.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "77zxdy.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -85513,7 +84784,6 @@
     { "name": "bairuo.top", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "bandolino-bewind.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "bandolino.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "barnflix.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "baypromoteam.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "beautyandfashionadvice.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "bernmail.ch", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -85613,7 +84883,6 @@
     { "name": "fietsvierdaagsen.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "flassetlocators.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "forensicsoftware.biz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "freedygist.org.ng", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "friendlycleaners.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "frovi.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "fullmoviez.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -85629,7 +84898,6 @@
     { "name": "globemusic.es", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "gnaucke.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "gogs.ca", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "goover.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "gospicers.ca", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "gratefullane.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "greekplots.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -85662,7 +84930,6 @@
     { "name": "irenkuhn.ch", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "isaob.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "ispfontela.es", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "it-market.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "ivetazivot.cz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "iwashealthy.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "j36533.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -85680,7 +84947,6 @@
     { "name": "k663.ag", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "k663.vip", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "k665.vip", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "k6666.ag", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "k66666.ag", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "k6668.ag", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "k667.ag", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -85767,7 +85033,6 @@
     { "name": "nepozitkova.cz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "netolink.co.il", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "netolink.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "niklasstinkt.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "nixnet.email", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "nrvc.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "nzelaweb.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -85819,7 +85084,6 @@
     { "name": "revworld.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "rezendemultimarcas.com.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "rhubarb.land", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "ricomp.com.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "rmdscreen.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "rtd.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "rugcleaninglondon.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -85839,13 +85103,11 @@
     { "name": "shepherdsfriendly.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "shymeck.xyz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "simplemining.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "sinargasht.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "sinhnhatbaby.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "sittogether.tw", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "skydiverapp.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "slan.fr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "slidesvideo.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "slyvon.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "smoothiecriminals.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "smtenants.cn", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "sofacleanerslondon.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
@@ -85938,20 +85200,5666 @@
     { "name": "xlink.com.pl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "xmag.pl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "xxgalgame.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "xyz.blue", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "y36533.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "yauatcha.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "yogamexico.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "yogshrihealing.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "youber.cz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "yourcareerhost.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
-    { "name": "yzblack.top", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "z36533.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "zaixsp.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "zambranopublicidadvideo.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "zlol.lg.ua", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "zuim.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     { "name": "zurlin.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "018k8.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "025k8.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "031373.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "08lc.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "091k8.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "0cp8778.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "0lc8.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "110k8.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "115lc.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "116lc.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "117lc.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "119lc.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "11lc8.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "11lc8.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "175k8.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "182k8.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "183k8.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1888lc.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "197k8.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1lc8.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1lc8.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "2002712.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "2019k8.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "219k8.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "2222k8.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "222k8.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "22lc8.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "22lc8.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "234lc.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "255k8.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "288k8.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "2lc8.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "2lc8.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3002712.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3333k8.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "33lc8.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "33lc8.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "345lc.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3655612.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3655623.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3655634.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3655645.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3656701.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3656712.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3656723.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3656734.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3656745.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3656778.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "365yuwen.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3dnovedades.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3lc8.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "400k8.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "4233070.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "455328.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "456lc.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "4661049.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "4776070.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "500k8.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "513651.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "5555k8.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "5555k8.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "555k8.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "555k8.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "55lc8.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "58xiangka.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "5ccapitalinvestments.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "5lc8.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "600k8.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "6616.fun", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "6618.fun", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "6658.fun", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "666k8.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "66lc8.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "6lc8.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "700k8.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "70nb.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "7777k8.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "77lc8.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "7lc8.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "88lc8.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "88lc88.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "88lc88.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "88lecheng.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8lc8.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "900k8.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "917.moe", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9180.fun", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9186.fun", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9189.fun", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9796k8.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9796k8.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "98lc98.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9jk7opa.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9lc9.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "a210.online", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "aabenjaminjewelry.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "abdullahavci.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "abdullahavci.com.tr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "abdullahavci.net.tr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "adamoshaver.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "aes-freundeskreis.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "affaire.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ag0.app", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ag8.email", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "agenciabonobo.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "aglc6.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "aglc88.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ainzu.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ajbenet.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "albertforfuture.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "alberts-blatt.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "allgovernmentjobs.in", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "allindiacityguide.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "alpha-premium.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "altabib.me", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ambra.net.au", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "analisi-logica.it", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "anney-life.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "aponkral.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "aponkral.com.tr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "aponkral.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "application-travel.us.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "applied-privacy.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "apply-eta.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "apply-visa.us.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "arkenco.cl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "arlaperu.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "arpatutorial.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ashlarimoveis.com.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "asirigbakaute.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "assinecontrole4g.com.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "athemis.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "atlanticmarina.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "au.ci", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "audiclubbahrain.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "augur.us", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "augustoshoppingnet.com.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "automentesszolnok.hu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "axiomeosteopathie.ca", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "az1b2y3cx.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b4lint.hu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "baac-dewellmed.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bairrosonline.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "basicamente.digital", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "beddentotaal.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bestporngirls.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bet333123.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bet333345.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bet333444.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bet333456.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bet333555.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bet333567.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bet333666.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bet333678.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bet333789.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bet333999.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bet333h.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bet333i.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bet333j.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bet333k.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bet333l.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bet333m.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bet333n.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bet333o.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bet333p.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bet333q.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bet333r.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bet333s.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bet333t.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bet333u.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bet333v.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bet333w.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bet333x.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bet333y.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bet333z.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bet444400.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bet444401.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bet444402.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bet444403.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bet444404.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bet444405.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bet444406.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bet444407.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bet444408.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bet444409.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bet444410.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bet444421.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bet444422.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bet444423.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bet444424.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bet444425.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bet444426.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bet444427.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bet444428.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bet444429.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bet444430.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "biasmath.es", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "biggles.io", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "blog-investimenti.it", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "blogpress.co.il", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "booknowmytrip.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "brazilianbikinishop.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bread.red", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "breakout.careers", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "brillio.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bronzew.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cadenceconstruction.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cadmax.pro", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cairuz.in", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "caldersoldas.com.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "calonmahasiswa.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "carbuyersbrisbane.com.au", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "carmenluz.fr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cashforcarremovalsipswich.com.au", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "castelodosmoveis.com.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cavenderhill.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ccelectricaldrafting.ca", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ccsistema.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ceefaastresources.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "chapelle.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "chardhamhotel.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cheapsslrenewal.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "chelpipe.ru", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "chromaitaly.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "chungsir.com.pa", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cialde.it", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "clientcms.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "clinique-ser.ca", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "codeguard.xyz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cognitiveapplications.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "coiffeurty.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "coinvex.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "competitor.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "compra-deuna.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "construction-digitale.fr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "couponlo.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "couriergrey.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "couriersrs.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "creativeliquid.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cremedigital.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cryptex.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "csci571.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cythereaxxx.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "daceurope.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dailypop.ru", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dalcomseo.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "danalytics.com.pe", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "danstoncu.be", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "deadpulse.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "decorotti.com.tr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dedoles.at", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dedoles.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dedoles.cz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dedoles.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dedoles.hu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dedoles.pl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dedoles.ro", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dedoles.sk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "del-ex.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dementiacaring.com.au", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "designepublicidade.com.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "deti-online.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dgtakano.co.jp", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dhakawebhost.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "djitsolutions.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "djmox.in", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dmcw.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dmitry.sh", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dontstopcoffee.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "doppler.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "drpil.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "duelingaces.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "durmatest.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "earlyimage.com.au", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "earthsolidarity.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "easy-vn.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ecobagsmauritius.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ecodesign-labo.jp", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ekole.shop", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "elmresan.ir", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "emmastree.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "emme3abbigliamento.it", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "emmynet.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "enanto.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "eng-erlangen.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "errortools.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "etna.com.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "evisa.us.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "evlqa1sp1tzb05zo-reoo0vhj9a1t5pousfudnkg.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "evomada.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "exams9.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "excitoninteractive.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "f8cp2.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "f8cp5.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "fa158k.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "fafa018.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "fafa066.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "fastos.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "fastos.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ff-koenigstein-opf.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ff326.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ff396.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ff612.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ff675.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ff861.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ff956.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ff965.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ff976.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ffsbgateway.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "fhinds.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "firstcoastteaco.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "firstrays.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "fittingperfetto.it", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "fonamperu.org.pe", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "forfeiture.gov", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "forthewin.rocks", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "forumstandaardisatie.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "foselectro.ru", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "fozzie.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "frankieistanbul.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "freiboth.ddns.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "freshers9.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "frutasyvejetales.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "fullhost.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "gamblernd.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "genunlimited.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "geraldoazevedo.com.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "getyour.nz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ggismo.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "gim-app.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "gipfelbuch.gr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "gkb2020.ch", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "go-away.xyz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "goodmood.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "goodmood.fr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "goodmoodsocken.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "gospomedley.com.ng", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "gplvilla.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "grantsmasters.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "gruposertaoveredas.com.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "gsmsale.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hardweb.it", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hastaneurunleri.com.tr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "haystackrenovation.com.au", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hearty.eu.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hiyoko-shokutaku.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hmeonot.org.il", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ho188.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ho568.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "homeworkacers.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hostallacasamia.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hosuronline.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hotelevershine.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hotelindraprasth.biz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hotellerssolutions.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hotellilas.in", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "houstonendodontics.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hr-praemien-santander.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hrcrew.com.au", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hrpregnancy.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "htxlaunch.sg", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hypercompetitions.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ibugone.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "idesoft.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ilc510.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ilc518.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ilc519.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ilc520.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ilc525.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ilc528.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ilc552.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ilc553.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ilc568.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ilc583.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ilc588.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ilc66.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ilc999.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "iloft.xyz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ilove588.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ilove618.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ilove918.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "imaginelab.club", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "imkerei-contento.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "imkereicontento.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "impulsocristiano.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "infocus.company", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ingenias.es", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "inmatesupport.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "inocelda.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "insta-drive.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "interphoto.by", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ipanchev.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "iranturkey.info", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "is-in-hyper.space", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ishotagency.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "isolde.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "itsig-faq.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "iwatt.sk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ixix.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "jabberd.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "jacarandafinance.com.au", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "jgonzalezm.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "jiayi.eu.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "joejacobs.me", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "jungleadventuretours.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "jurojin.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "juxin08.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k-jtan.ca", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k8-1.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k8-2.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k8-facai.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k8007.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k801.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k801.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k8029.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k8031.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k805.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k8050.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k8052.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k8053.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k80608.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k8062.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k8067.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k807.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k80725.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k8073.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k8079.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k809.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k8098.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k80998.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k8100.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k8103.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k8105.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k8107.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k811.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k811.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k8111.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k811111.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k814.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k8158.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k81788.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k818.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k819.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k821.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k82222.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k8270.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k829.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k829.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k82999.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k83.app", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k830.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k831.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k831.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k8330.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k83333.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k8336.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k835.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k835.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k8427.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k843.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k843.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k8432.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k846.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k85.app", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k851.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k852.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k8550.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k85555.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k8578.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k86.app", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k860.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k86188.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k865.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k865.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k86666.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k8668.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k86690.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k867.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k867.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k86810.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k86813.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k86814.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k86830.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k86833.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k86834.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k86835.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k86836.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k86837.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k86838.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k86839.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k86848.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k86849.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k86851.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k86852.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k86853.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k86856.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k86870.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k86871.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k86887.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k869.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k86922.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k86924.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k86929.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k86989.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k86991.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k87.app", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k87023.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k87024.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k87025.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k87026.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k87027.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k87028.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k87067.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k87071.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k87072.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k87073.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k87074.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k87075.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k87076.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k87077.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k87078.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k87079.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k87080.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k87081.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k87082.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k87083.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k87084.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k87100.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k87119.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k87120.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k87121.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k87126.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k87127.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k87128.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k87129.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k87130.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k87131.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k87132.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k87133.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k87134.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k87135.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k87136.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k87137.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k87138.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k873.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k873.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k8736.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k875.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k8771.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k87777.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k8804.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k88101.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k88102.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k88103.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k88105.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k88106.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k88107.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k88109.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k88110.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k88112.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k88113.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k88115.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k88116.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k88117.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k88120.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k88121.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k88122.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k88125.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k88126.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k88127.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k88128.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k88129.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k88130.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k88131.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k88132.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k88133.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k88135.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k88137.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k88139.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k88151.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k88152.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k88153.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k88201.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k88205.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k88207.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k88210.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k88213.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k884.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k885.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k886.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k8860.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k8861.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k88635.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k88636.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k88637.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k88638.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k88639.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k88650.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k88651.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k88652.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k88653.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k88655.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k88656.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k88657.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k88658.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k88659.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k88660.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k88661.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k88662.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k88663.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k88665.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k88667.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k88668.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k88670.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k88671.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k88672.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k88673.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k88675.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k88676.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k88677.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k88679.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k88680.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k88681.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k88682.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k88683.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k88684.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k88685.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k88686.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k88881.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k88890.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k889.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k8892.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k8901119.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k8927.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k894.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k895.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k89595.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k8974.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k8994.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k8slot.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kaibo.cz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kanyingba.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "karger.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kassa.fr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "keller-aarau.ch", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kernel-panik.me", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kesef.org.il", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kf-slot.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kf0000g.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kf005.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kf006.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kf009.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kf0101.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kf016.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kf020.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kf026.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kf030.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kf060.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kf0606g.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kf068.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kf0808.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kf098.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kf099.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kf0q.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kf108.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kf130.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kf1313.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kf188.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kf196.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kf200.vip", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kf2000.vip", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kf201988.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kf2020g.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kf260.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kf268.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kf282.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kf2828.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kf296.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kf319.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kf327.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kf3333g.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kf338.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kf355.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kf356.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kf3u.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kf4040.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kf4343g.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kf5201314.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kf5252.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kf5656.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kf5858.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kf5858g.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kf6161.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kf6161g.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kf618.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kf633.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kf6565.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kf6622.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kf6623.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kf6625.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kf6626.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kf6627.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kf6628.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kf6631.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kf6633.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kf6635.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kf6636.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kf6637.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kf6638.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kf6639.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kf6666g.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kf66888.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kf680.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kf6800.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kf6801.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kf6802.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kf6803.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kf6805.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kf6806.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kf6807.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kf6808.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kf6809.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kf6811.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kf6812.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kf6813.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kf6815.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kf6816.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kf6817.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kf6818.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kf6819.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kf6820.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kf6821.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kf6822.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kf6823.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kf6825.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kf6826.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kf6827.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kf6828.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kf6829.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kf6830.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kf6831.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kf6835.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kf707.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kf7171.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kf7272.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kf759.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kf7676.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kf7676g.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kf77.app", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kf772.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kf780.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kf7979.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kf7979g.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kf820.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kf826.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kf8282g.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kf8383.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kf846.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kf848.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kf8484g.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kf8686.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kf8801.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kf8803.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kf8805.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kf8810.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kf8812.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kf8813.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kf8817.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kf8819.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kf8825.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kf8835.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kf8850.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kf8851.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kf8857.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kf8858.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kf8865.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kf88666.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kf8867.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kf8868.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kf8869.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kf8871.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kf8872.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kf8873.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kf8876.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kf8878.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kf8879.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kf8891.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kf8892.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kf8895.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kf8896.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kf8897.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kf908.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kf909.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kf9191.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kf955.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kf968.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kf9696.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kf9797.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kf981.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kf997.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kimkyzcrs.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kingstake.network", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kneli.co.il", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "koladeogunleye.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kritikahotels.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "larsson-ornmark.se", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc0101.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc0188.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc040.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc0404g.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc044.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc0606g.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc0808.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc08080.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc10086.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc1010g.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc1212g.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc1313.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc1616.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc1616g.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc171.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc18.fun", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc18.ph", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc18.vip", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc1800.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc1818.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc1904.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc2121g.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc2222g.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc2323g.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc2424.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc245.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc2500.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc2525.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc2727.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc2828.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc287.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc3131.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc3131g.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc3232g.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc3434g.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc3708.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc3709.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc3710.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc3711.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc3712.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc3713.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc3714.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc3715.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc3716.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc3717.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc3718.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc3719.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc3720.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc3723.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc3724.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc3725.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc3726.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc3727.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc3728.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc3729.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc3731.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc3733.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc3736.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc3738.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc3739.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc3741.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc3742.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc3743.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc3744.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc3745.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc3746.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc3747.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc3748.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc3752.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc3757.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc3759.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc3760.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc3763.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc3772.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc3774.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc3776.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc3778.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc3779.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc3780.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc3781.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc3782.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc3783.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc3793.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc3794.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc3795.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc3798.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc3799.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc3801.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc3802.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc3838g.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc3939.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc432.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc4343g.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc50000.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc5081.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc5188.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc530.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc5353.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc555.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc5555g.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc5668.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc58588.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc6.fun", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc60000.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc6060.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc6161.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc6161g.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc6262.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc6363.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc6363g.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc6464.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc6565g.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc6601.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc6602.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc6603.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc6605.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc6607.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc6609.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc6621.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc6623.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc6625.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc6626.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc6627.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc6629.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc6631.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc6632.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc6635.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc6636.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc6637.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc6638.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc6639.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc6651.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc6652.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc6653.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc6656.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc6657.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc6659.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc6662.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc6663.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc6665.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc6666g.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc6667.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc6668.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc6669.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc6681.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc6683.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc6686.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc6698.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc68.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc6800.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc6801.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc6802.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc6803.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc6805.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc6806.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc6807.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc6808.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc6809.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc6810.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc6811.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc6812.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc6813.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc6815.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc6816.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc6817.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc68686.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc68688.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc6868g.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc68690.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc68692.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc68693.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc68695.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc68696.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc68697.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc68698.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc6880.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc68882.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc68884.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc68888.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc690.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc7.fun", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc7171g.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc7373.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc7575.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc7676.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc7676g.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc7979.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc7979g.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc8.life", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc8.vc", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc80000.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc8003.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc8005.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc8020.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc8023.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc8032.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc8033.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc8036.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc8038.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc8050.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc8052.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc818.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc8181.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc8282.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc8383g.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc8585g.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc859.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc869.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc873.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc876.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc879.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc88.fun", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc8812.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc8813.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc8815.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc8816.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc8817.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc8819.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc8820.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc8823.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc8825.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc8826.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc8835.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc8836.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc8838.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc8839.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc88508.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc8856.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc8859.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc8861.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc8862.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc8863.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc8865.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc8866.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc8868.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc8869.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc8870.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc8874.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc8878.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc8881.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc8882.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc8885.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc8887.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc8888g.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc8890.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc8891.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc8892.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc8896.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc8898.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc8900.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc8905.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc8906.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc891.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc8910.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc8911.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc8912.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc8913.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc8914.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc8915.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc8916.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc8917.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc8918.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc892.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc8920.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc8921.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc8922.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc8923.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc8924.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc8925.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc8926.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc8927.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc8928.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc8929.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc893.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc8930.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc8931.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc8932.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc8934.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc8935.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc8936.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc895.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc897.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc8c.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc8dc04.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc8dc08.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc8dc10.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc8dc11.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc8dc13.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc8dc15.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc8dc16.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc8dc20.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc8dc21.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc8dc24.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc8dc26.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc8dc27.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc8dc28.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc8dc29.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc8md00.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc8md02.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc8md11.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc8md26.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc8md28.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc8md35.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc8md55.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc8md66.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc8md77.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc9.app", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc90000.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc9090.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc9108.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc9158.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc9191.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc9251.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc9253.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc9256.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc9292.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc9393g.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc9494g.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc973.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc9862.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc9899.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc9900.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc9920.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc9930.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc9938.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc9939.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc9950.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc9960.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc9968.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc9986.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc9999g.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lcvip0.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lcvip3.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lcvip4.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lcvip5.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lcvip6.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lcvip7.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lcvip8.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lcvip9.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "le052.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "le056.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "le518.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "le802.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lecheng2.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lecheng3.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lecheng31.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lecheng518.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lecheng5888.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lecheng66.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lecheng7.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lecheng88.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lecheng888.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lecheng98.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lecheng98.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lecheng988.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lemonrotools.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "levante.com.au", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lexoo.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "libo766.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "libo766.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lidl-foto.it", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lidl-fotos.at", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lidl-fotos.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lindquistnet.us", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "livv168.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ljskatt.no", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "loan-lenders.co.za", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "localnet.site", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lolivpn.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lssolutions.ie", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lunarshark.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "maekha.in.th", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "magellan-met.ru", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "magnesium-biomed.ch", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "marketing1-0-1.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mathias-frank.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "matthias-wimmer.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mckay-bednar.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mclawyers.com.au", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "md10lc8.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "md11lc8.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "md12lc8.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "md13lc8.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "md15lc8.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "md16lc8.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "md17lc8.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "md1lc8.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "md34lc8.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "md35lc8.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "md38lc8.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "md43lc8.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "md44lc8.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "md45lc8.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "md46lc8.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "md52lc8.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "md56lc8.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mealcast.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "melissagalt.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mellika.ch", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "michael-contento.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "michaelcontento.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "miftahulteknik.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mikdoss.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mikeowens.us", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "millennialbeekeeper.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mochilerostailandia.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mojizuri.jp", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "moninformaticien.ovh", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "moninformaticien.shop", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "moonrhythm.io", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "movahoteis.com.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "myebony.cam", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "myintimtoys.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "myrvogna.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nasaacronyms-beta.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nasaacronyms.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "netolink.ru", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "niftypersonalloans.com.au", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nklwhx.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nkx4sjyrk4tcv0sluhwajyc-n6icja9gchqxmhp.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nn01.cc", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nn01.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "no-ice.be", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "no-ice.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nolalove.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nonzero.io", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "northrose.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nosedoctor.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "novalite.rs", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nuquery.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "o98.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ociaw.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ofileo.fr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "okewp.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "oktayincesuturizm.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "oneclickjailbreak.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "oneclickroot.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "oyungg.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "parareflex.fr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "patryk.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "paul-online.tech", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pcdn.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pelachim.com.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "personalfunctionaldata.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "piatika.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pirscapital.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pixael.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "playinfinity.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pomtom.co.nz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pop.dk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "popoway9.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "poppincurls.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "portalexpressservices.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "powch.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pratemarkets.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "primegiftindia.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "produra.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "projekt-allianz.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "promodafinil.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "promtechosnastka.ru", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "protectedpayments.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "puer.eu.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "puntoestadodemexico.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pymescentro.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pythonatrix.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "qicsystems.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "qnsgmd.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "quarim.cz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "questdairy.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "raffaelevinci.eu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ramitan.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ramtechmodular.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ranthambhorenationalpark.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "rdr2-rp-forum.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "recht.us", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "recolic.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "red031000.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "regalopublicidad.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "reparacionmovilesmurcia.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "revolucionfemenina.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "rfid-basis.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ritel.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "rodelstein.eu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "rolandoredi.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "royalpratapniwas.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "rs2ap33.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "rssfeedblast.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "rubenjromo.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "saintanthonylakin.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sanogym.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "saorview.ie", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "satania.moe", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "scratchzeeland.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "seisansei.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "selaluberkah.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "semenov.su", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sethlmatarassomd.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "shdw.cc", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "shopikal.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "simpleprojects.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sitelmexico.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "skynetstores.ae", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sl66.cc", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "smartmail24.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sofigeleiascaseiras.com.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "songsterr.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "spectre.com.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sportboot.mobi", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "spot9.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "spyfone.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "srcprivatesecurity.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sslsecurity.ooo", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sssldurban.co.za", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "steuerberater-bayreuth.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "stevenuniverse.xyz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "supergmtransport.com.au", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "swtun.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sylvainboudou.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tahhan-tech.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "takkguitar.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tecnicosenlineablanca.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tegel-schoonmaken.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "telcotronics.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "telegram.hk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "thefoodellers.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "thepurplemaids.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "thilobuchholz.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "thoschi.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tiagoealine.com.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tiendadolca.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "timeforcoffe.eu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tishopsv.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "toldositajuba.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "travelassist.us.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "trechosemilhas.com.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "trezor.io", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "trueopenlove.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "uccisme.net.ua", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ulovelc88.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "unlockauthority.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "uuzsama.me", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vermellcollection.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vidasanayfitness.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "viplc0.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "viplc1.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "viplc2.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "viplc3.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "viplc4.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "viplc5.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "viplc6.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "viplc7.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vmautorajkot.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "wakf456.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "wasticker.ru", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "weather.gov.mo", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "weiran.org.cn", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "wilddirections.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "wildfirechain.xyz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "wolfy.design", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "womenswellnessobgyn.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "workshop.men", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "wpwebshop.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "wrglzd.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "x-charge.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "x001.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "xmgspace.me", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "xn--depias-zwa.es", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "yannickb.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ykkme.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ytcount.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "za12bxc3.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zaraweb.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zeus.gent", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zkd.me", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zodian-research.ro", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zsolti.hu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "180k8.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "188cn-sb.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1v1.xyz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "24848918.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "24848rr.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "28365cn-365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "288cn-563.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "2th.me", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "365cn-288.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "365sb-cn.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "48365365cn.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "48365cn-365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "588k8.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "5981168.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "5981655.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "5981668.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "5981669.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "5981677.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "5981688.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "5981699.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "5981800.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "5981811.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "5981822.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "5981833.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "5981855.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "5981866.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "5981877.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "5981899.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "5981918.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "5981s.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "5981t.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "5981v.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "5981w.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "7pets.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "878365cn.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "915kb.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9499137.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9499212.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9499232.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9499278.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9499343.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9499518.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9499676.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9499737.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9499757.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9499835.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9499dc.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9499good.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9499jjj.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9499l.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9499love.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9499ttt.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9499xxx.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9499yl.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9n1shop.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "abcdreamusa.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "abhaldus.ee", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "action-verite.fr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "adv-f1.ru", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "agriquads.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "alliedpavers.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "allspinecare.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ampgroep.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "amt-taxfrance.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "andreina-atencio.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "angelok.ru", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "apertureimaging.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "arcanist.games", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "arcticbit.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "armageddonstuff.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "armpads.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "arnesegers.be", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "arsindecor.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "asdwfwqd.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ashmyra.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "aupaysdesanes.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "babounet.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "beatrice-nightscout.herokuapp.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "beautycreamultimate.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "beplephan.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bequ1ck.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bespokemortgages.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bet365cn-poker.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bet5678.cc", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bet5678.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bet5678a.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bet5678b.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bet5678c.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bet5678e.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bet5678f.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bet5678g.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "betcn-mart.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bevelbeer.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bibliobus.ch", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bifm.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bikebristol.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bio-place.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bishopp.com.au", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bitsalt.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "blamefran.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "blanboom.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bluesync.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "blw.moe", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bootyourboss.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bouwbedrijfvandortbv.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "brabank.no", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "brabank.se", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "braystudio.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "brguk.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "brinksurl.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "browse-tutorials.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "brunoreno.be", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "by-robyn.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "camera-news.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "canva.cn", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "captainfit.in", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "carmineforsheriff.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ccparishwilmington.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cdgfrm.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "changeanalytics.io", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "changeanalytics.us", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cheater.best", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "chilliwackchurchofgod.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "chk-ccs.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ciliwang.live", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ciliwang.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cinemixer.club", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "clearvoice1.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cliffyb.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cloudpole.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "clutch.ua", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "codelei.fr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "comcov.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "connectingrentals.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "connectingrentalsofbethel.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "console-tribe.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "contenthosting.com.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cordemar.info", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cozmoyachts.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cr8haven.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "createbeing.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cx100.io", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dalianbbq.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "daniilgeorge.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dayuse-hotels.it", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dayuse.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dayuse.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dayuse.cz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dayuse.es", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dayuse.fr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dayuse.pt", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dayuse.se", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "deffo.com.au", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "degoeiewebsite.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dekruifschalkwijk.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "deloretta.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "deltatutoriais.com.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "depelos.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dermsf.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "destakbrasilbrindes.com.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "deu.sh", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dev-pmcc.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dev.moe", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "devconf.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "devpp.com.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dgangsta.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dhtr.pw", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "digitalagencynetwork.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "digixcellence.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dimomaint.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dioesfoto.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "directveilig.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "distributori.roma.it", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "drcourtney.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "droppia.io", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "drrr.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dtivandortbv.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dwz-solutions.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "e-businessexpert.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "eastmaintech.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "eastping.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "eastyorkshirebuses.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ehb-sec-ward.be", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ehbsecuritydavy.be", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ekalisch.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "electronicbub.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "elskling.no", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "empicargo.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "encuentratumueble.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "endurogp.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "eprezto.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "escortbee.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "eurogarden-parts.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "eurogarden.be", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "eurogarden.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "euroonline.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "evowrap.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "existest.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "expertisematrix.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "f1distribution.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "fairgaming.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "feuerhaken.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "fidias.com.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "firecareandsecurity.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "firstdorsal.eu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "footstepstofreedom.com.au", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "freecashfunnel.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "freelance-magazine.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "freepastlife.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "freestylesolutions.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "friedberg2020.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "frozensector.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ftgeufyihreufheriofeuozirgrgd.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "furryrex.top", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "fuseyahoken.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "g-lab.xyz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "gasinstallationsjohannesburg.co.za", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "gatos.plus", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "gchq.lol", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "genealogieonline.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "gesevi.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "gestlifes.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "get-maurice.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "geus-okna.eu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "girlinthetiara.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "glosons.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "gramiaperu.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "guangjiangk.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "gutieli.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "gvwparts.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "gymnchod.cz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "h404bi.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hallme.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hassra.org.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hazmijardin.es", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hd-iptv.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "healthworksmarden.com.au", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "heijmans.pm", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hithardnews.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hkmap.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hkmap.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hkmap.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hopeworld.pro", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hotelnatrajp.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hplace.com.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hrna.moe", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "http3.pro", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "httpstaak.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hullseals.space", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "huntertechsolution.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "iinfin.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "imkindofabigdeal.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "infoyaracuy.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "inmedic.pl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "inovacallis.com.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "institut-uthyl.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "integratemyschool.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "into-the-mountain.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "islandmapstore.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "it-zt.at", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "itsallsotireso.me", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ivanderevianko.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "j70101.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "j70102.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "j70103.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "j70104.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "j70105.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "j7051.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "j7052.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "j7053.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "jayden.tech", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "jdefreitas.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "jdproofing.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "jenniwiltz.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "jensdesmeyter.be", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "jimmycai.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "jittruckparts.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "joaobautista.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "johnrosen.xyz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "jonaskarlssonfoto.se", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "jonathanha.as", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "jwchords.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k8083.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k87183.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kaleidokollection.com.au", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kalex.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kalisch.eu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kantoportraits.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kf172.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kf6262.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kf8181.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kf8820.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kf8821.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kimsnagelstudio.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kkutu.xyz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "klempin.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "koolerbythelake.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "koplax-online.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kuaikan1.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kuketz-suche.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lakeee.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lanselot.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lapseofsanity.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lecheng5288.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "leesyal.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "legend-v.life", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lexautoservice.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "limasartes.com.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "listisima.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "livechat-ag777.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lojas25online.com.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lonelyhaoss.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lovelive.tools", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "macji-raj.si", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "madreluna.it", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mamsds.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "maytalkhao.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mbed.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mbedcloud.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mc007.xyz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mccannbristol.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "medicareful.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mehode.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mehvix.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "melodyjane.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mentita.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mepambalaj.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mercedobem.com.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "miapuntes.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mindcms.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "miyasyou.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mkalisch.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mocknen.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "morecreativelife.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "morganwilder.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "morningtime.cloud", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mthopebank.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "multicorpbra.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mumablue.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "myfavorite.com.tw", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "myhomeworkpapers.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "neatlife.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "neilpatel.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nevychova.cz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "newquilters.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nguru.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nhanlucnhatban.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nicolaspecher.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nobreaks.ca", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nooverviewavailable.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "norapiero.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "noujoumtounes.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "npaccel.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "npdigital.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nub-aptech.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nutbot.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "obasigeorge.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "odolbeau.fr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "okonto.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "olympicfitness.com.mx", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "oneshotmediakc.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "onlineradio.pp.ua", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "openarch.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "openbayes.blog", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "osano.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "paardenpro.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pacificintegration.ca", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "packetoverflow.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "panthi.lk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "parfum-selbermachen.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pars.work", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "paulbrown.ddns.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "paulcoldren.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pelion.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "perf1.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "peter-hurtenbach.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pheasantrunpress.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "phpcrudgenerator.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "piata.com.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "piataborrachas.com.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "piatatem.com.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "picklinik.id", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pickthestory.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pirateproxy.vc", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "piratesbrewcoffee.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "planetloisirs.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "planrow.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pmcc.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "podxappa.com.ua", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "polybius.io", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "polychainlabs.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "portalaltadefinicao.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "post.icu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "probazen.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "programme-phenix.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "projectxparis.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "proyectosinelec.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pservicer.com.mx", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "publikate.online", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pylon.bot", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "qldcarwreckers.com.au", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "qp666d.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "quiqd.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "quiqurls.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "radiodeutsch.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "radiohub.ru", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ramuel.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ranyeh.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "real-neo.me", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "red-dead-rp.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "red-dead.life", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "repliksword.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "reprowesty.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "retetop95.it", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "rezio.io", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "rhaniegghe.be", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "rhaniegghesoftwaresecurity.be", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "richie.pm", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ritsu-life.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "rofai.biz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "rogerkunz.ch", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ronvil.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "rooselaers.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "royaleagletourism.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "rtfch.ru", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "runicspells.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "russianescortsmumbai.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "rvdbict.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sabkappers.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "saferequest.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sailormoongallery.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sanpei-design.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sayver22.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sbstattoo.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "schrader-institute.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "scpi-is.fr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "scrap.photos", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sdeu.fr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sebastianungureanu.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "securview.ch", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "seewines.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "segtronix.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sekurak.pl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "semmuhely.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "senneeeraerts.be", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "seoharish.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "serkanyarbas.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "serkanyarbas.com.tr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sgrossi.it", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "shapin.tv", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "shellcon.io", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "shopandworld.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "silviacataldi.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "simcoecurlingclub.ca", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "simonevans.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sitesecurityscan.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sixcolors.lu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sjrcommercialfinance.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "skywalkers.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sobczakdesign.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "socialclimb.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "softwaresecurityandradefernando.be", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "softwsabri.be", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "solarpvoffer.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sonkonews.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "spaceapi.io", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "spanier.es", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "squadronprotectiveservices.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "stellatusstudios.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "stickypassword.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "stjohnnepomucene.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sukiu.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "svc1.xyz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "swagger.london", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "swit.io", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "system-admin-girl.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "taiwanhotspring.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tamakyi.club", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "targetx.pl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "taylorfry.com.au", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tenelco.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "teslarius.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "testmy.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "thatshayini-sivananthan.fr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "thehullbeekeeper.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "thesslonline.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "thmail.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "thoe.xyz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ticketpro.com.my", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "titantax.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "todoporjesus.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tradinghelper.be", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tudosobrehost.com.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tunochebuena.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tuxsrv.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ufoch.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "unibusreputation.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "universocaballo.top", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "urabain.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "v2c.tech", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vacacionesenlinea.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vandortbv.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vandortgroep.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vectormagnetics.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "videosjust.work", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vip.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vizuul.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "voicebrew.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "volatilesystems.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vox.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vqebizconsulting.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vv1234.cn", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vyvod-iz-zapoya.online", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "waalderhofje.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "walnus.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "warrantynowvoid.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "wellcomemdhealth.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "wetter.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "windowreplacement.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "winsposure.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "wizbot.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "wpbeter.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "xaxax.ru", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "xiaololi.best", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "xn--eo5aaa.eu.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "xuonggiaynu.vn", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "yarapilates.com.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "yardley.digital", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "yeahwu.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "yeulathich.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "yogaschule-herzraum.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "youthink.jp", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "yuhangq.me", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zby.xyz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zezeatolye.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zhis.ltd", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ziendo.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "008yingshi.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "01tools.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1-345.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "102ch.us", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "19990bb.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "19990cc.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "19990d.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "19990dd.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "19990ee.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "19990ff.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "19990gg.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "19990ii.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "19990jj.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "19990k.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "19990q.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "19990r.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "19990tt.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "19990uu.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "19990xx.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "19990zz.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1datatec.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "2y3x.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3-800.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "369-7.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "456-3.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "5-600.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "5-890.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "593-7.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "5i.gs", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "6-600.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "608vets.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "77dd.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "88021.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8855950.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8866012.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "88740a.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "88740b.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "88740g.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "a2ch.ru", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "a3mobile.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "aarquiteta.com.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "aasvets.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "abacusfi.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "abbeyvetspets.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "accademia24.it", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "accionistaprincipiante.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "acessibilidadebr.com.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "adarixconsultores.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "adasbench.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "addones.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "adelaidecc.com.au", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "adf.rocks", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "adollarseo.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "advengers.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ajl.io", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ajnah.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "akkade.be", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "allcinema.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "allcountyins.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "allnoticebd.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "allsurpl.us", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "alodocuratelemensagem.com.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ambassify.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ambassify.eu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "anasahr.be", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "andriraharjo.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "annuaire-auto-ecole.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "antispamcloud.dk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "aorosora.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "apex.to", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "apirest.top", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "appliancepronwi.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "arox.eu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "arturli.be", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "arx.vg", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "astifan.online", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "astucewebmaster.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "atelieracbaby.com.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "aufro.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "auksnest.ca", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "austerevisuals.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "avonvets.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "badmintonadvisor.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bangkokcookingclass.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bavomaes.be", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "beargoggleson.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "beauty-expert.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "betimely.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bgfix.se", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bibliotekasnow.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bilder-designs.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bildungshaus-arnach.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "billigesommerhuse.nu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bioemprendiendo.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "biscuit.town", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "blackhawkup.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "blogredmachine.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bluemanhoop.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "blythwood.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bobnbounce.ie", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bomhard.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bomhard.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "botcore.ai", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "boundaryvets.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bracknellvets.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "brainboxai.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "breakingtech.fr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "brindice.com.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "broadwayvets.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bszoft.hu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "buchhaltung-muehelos.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "byaustere.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "c3softworks.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "caldervets.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "calichines.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "candidatlibre.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cartegrise.xyz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "casavacanze.estate", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "casinoguide.dk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cathcartandwinn.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ccr.ovh", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cedehb.be", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "centralpaellera.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "centreagree.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "centurykiaparts.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ceskaexpedice.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "chapelhousevet.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "chattergallery.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cheapsslsecurity.com.au", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "chiboost.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "chocamekong.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "chodaczek.pl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "chrxw.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "clan-zone.dk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cloudsavvyit.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cmskakuyasu.info", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "codinglogs.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "coignieresentransition.fr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "connectfri.club", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "connexion.health", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "connexionht.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cosirex.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cppaste.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "craxbay.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "creative-thinking.ro", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "creatleencoaching.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cromwellvets.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "culturess.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "customsportsocks.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dan-bureau.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dan-bureau.dk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "danajamin.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dealerbrindes.com.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "delegao.moe", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "democracydirect.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "deniz.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "depoker.top", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "deteken.be", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "deutschland-dsl.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dieti-natura.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dimomaint.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dimomaint.es", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dimomaint.it", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dimomaint.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dimomaint.pt", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "disabilitydischarge.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "disproweb.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "distrishow.fr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "do-pro.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "docskiff.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "doitexperience.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dokkanashop.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "domyhomework123.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "doolz.co.nz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dovermotion.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "drendermobilyaservisi.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "drilon.be", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ducadu.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dumboverflow.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dxzsj.cn", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dyrvigs.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "e-coexist.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "e-oscar-web.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ebola-hosting.cz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ecotransfer.bio", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ellbusiness.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "elwebkala.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "enofmusic.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "esfiledecrypter.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "eskapi.fr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "espace-habitat-francais.fr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "esroradio.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "etaoinwu.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "eugeniocorso.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "eutiximo.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "evemagazineonline.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "eventprazdnik.ru", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "evlorin.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "evony.eu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ewaf.club", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ewritingservice.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "example.eu.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "excelkursdirekt.eu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "expatfire.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "eyal-dvorkin.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "f8921.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "fady.vn", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "falsterhus.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "falsterhus.dk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "fanohus.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "fanohus.dk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "farmaciacomunalelacchiarella.it", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "fatihingemisi.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "feriehus-danmark.no", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ferienhaus-danemark-hund.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ferienhaus-danemark-privat.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ferienhaus-laesoe.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ferienhaus-urlaub-danemark.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ferieservice.dk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "filmpronet.in", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "fisiotohome.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "flass.lu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "flightright.it", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "flixcheck.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "floristik-online.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "fluffy.moe", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "flyersmarket.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "forum-4.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "fotoblog.nrw", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "fourfourcrew.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "fromtheboxoffice.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "frozenfutures.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "fruxprivatebank.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "fullcirclestudio.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "g22-livechat.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "gabe.house", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "gamingroomaccessories.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "gardensandgifts.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "gatomanias.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "gaypirateassassins.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "gesamenvat.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "getboubou.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "gezondetips.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "glamira.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "global-monitoring.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "glutenfreehomemaker.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "gmenhq.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "goldandgopher.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "gowervets.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "gpsblackbox.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "greensidevetpractice.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "greenstreethammers.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "gtacty.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "gute-schulen-porta.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "gw66.cc", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hancocklawfl.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hatachan.site", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hawickvets.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hayonik.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hexaware.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hikikomori-sos.site", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hikustore.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hispadent.com.do", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "homebank.kg", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "homeshowoff.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "horo.moe", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hotelcorporate.codes", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "httpsarnemergan.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hypolineweb.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ifacservice.be", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ighl.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ilovelwy.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "immortal-pc.info", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "imoveisavenda.rio.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "impact-fluids.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "investuji.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "iocp.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "iotekha.tv", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "iqsecurity.eu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "istormsolutions.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "itbloginfo.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "itdata.ro", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ithedgehog.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ithink.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "itnow.ng", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "izntz.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "javanguiano.mx", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "jetses.be", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "jetswhiteout.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "jeuxerotiques.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "johnrosen.top", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "josealonsodds.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "josephquinaucho.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "jourdain.pro", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k88398.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k88399.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k88601.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k88602.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k88603.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k88605.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k88606.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k88607.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k88608.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k88609.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kbsinflatablekingdom.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kentdalevets.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "khedmatazma.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "khokey.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kin-to-kin.ca", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kindertherapie-wesel.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kingjamesgospel.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kingsofkauffman.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "klitmoeller.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "klitmoeller.dk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kliu.io", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ktsee.eu.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kysseo.fr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ladyofsongstv.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "laurenball.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lawlessrepublic.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lawservice.com.ua", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ledburyvets.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "libraryofcode.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lida-vets.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lidl-blumen.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lifesavvy.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "linksphotograph.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "linnaeusgroup.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "litarvan.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "liuliuya.com.tw", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lizzian.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "localpov.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "longboard-vergleich.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "loopback.kr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lopes.com.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lucymontebello-arte.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "luisfariasgrupo.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "luuinhaler.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "m2h-fiscaliste.fr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "maichun.info", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "main-freedom.ru", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "maischances.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "malediven.biz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "malinaclub.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mame.cl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "maplebgm.cc", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "marivalemotions.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "masshvac.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "matrixglobalsms.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mattberryman.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "maxdg.be", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mdbug.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mdkhorshedalam.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "medisense.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "medrep.pp.ua", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mehdibouchema.be", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "metrocarremovals.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "miamiobgyndreams.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "michaeldg.be", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mikethiessen.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mindbounce.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "minervacars.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mminsco.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mmoneko.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mod.af", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "moderniknihovna.cz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "monlissagebresilien.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "moort.be", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "moritzkornher.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "moso.io", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mouniresidences.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mrmemory.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "multimedia-pool.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mycrypto.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "myesk.rs", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "myqservices.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nachovni.pp.ua", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "naiaokami.me", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nategreen.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ndx.ee", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "netferie.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "netferie.dk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "netferie.no", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "newcomm.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "newendsoft.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nhakhoabella.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nic.ads", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nic.android", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nic.app", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nic.boo", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nic.cal", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nic.channel", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nic.chrome", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nic.dad", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nic.day", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nic.dclk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nic.dev", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nic.docs", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nic.drive", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nic.eat", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nic.esq", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nic.fly", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nic.foo", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nic.gbiz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nic.gle", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nic.gmail", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nic.google", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nic.guge", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nic.hangout", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nic.here", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nic.ing", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nic.meet", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nic.meme", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nic.mov", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nic.new", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nic.nexus", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nic.page", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nic.play", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nic.prod", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nic.prof", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nic.rsvp", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nic.youtube", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nic.zip", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nihaarpstars.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ningrui.me", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nocommentsallowed.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nordvestkysten.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nordvestkysten.dk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "northampton-vets.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nothinfancy.ca", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ntzlaw.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "oakbarnvets.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "olopp.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "omniteck.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "omtleden.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "once.eu.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "onenetcdn.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "onestpasdesanges.fr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "opel-focken.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "openbayesstatus.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "openmail.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "opp.moe", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ordevanoranjenassau.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ortopedistamarcelocosta.com.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "osteolaclusaz.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "otocenterfelix.com.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "oxidemusic.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "p-damda.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pagalsongs.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pagalsongs.world", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "palner.eu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "paperwritten.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pappasappar.se", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "parcbotanique.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "parkvetgroup.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "passhojao.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "peakvets.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pepinierebotanique.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "permis-apoints.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pgpaintanddesign.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "phinphanatic.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "phonefilter.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "phonetikos.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "piercing.hu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pinpointline.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "plekker.be", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pmarbeid.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "podobovo.if.ua", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pornopark.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "portierato.it", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "precisedigitalmarketing.com.au", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "precisionhealthpilot.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "presseagrume.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "prestonetwork.eu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "preventfalls.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "projectinnovation.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "provlas.se", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "purepest.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "qryo.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "quintenehb.be", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "rbtvshitstorm.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "recursionrecursion.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "reddevilarmada.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "registry.google", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "remachadoras.club", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "repairguy.dk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "resorts.ru", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "retraitebysaulsplace.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "reviewgeek.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "riggosrag.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "rit.space", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ritewayconcrete.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "riversmeet.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "romo-holidays.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "romo-holidays.dk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ronan-hello.fr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "roomlab.cl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "rossome.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "rtveen.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "rugeley-vets.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "samcentertech.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "saulsplace.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "saulsplacehealth.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "saulsplacewebdesign.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "saulvanderbijl.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "seattledevicerepair.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "section215.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "securepress.io", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "seedboite.ovh", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "selltous.com.au", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "senshot.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "seriesdatv.pt", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "servermaster.sk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "setuplog.io", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sevilinux.es", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "shiresvets.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "shrelief.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "silverspottrading.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "simosol.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "simosol.dk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "siogyumolcs.hu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sirg.fr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sisu.ai", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sitemai.eu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "skagen-feriebolig.dk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "skolappar.nu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "skywt.cn", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "slim-planet.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sociallyunited.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "socialsurvivalist.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sologstrand.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sologstrand.dk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sologstrand.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sologstrand.no", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sologstrand.se", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sommerhusudlejning.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sonneundstrand.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "soundviz.fr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "southsideshowdown.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sparanoidstatus.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "spellic.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sportchirp.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "spotworld.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ssfbank.no", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ssmut.be", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "stage-recuperation-points-bordeaux.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "stage-recuperation-points-lille.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "stage-recuperation-points-lyon.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "stage-recuperation-points-marseille.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "stage-recuperation-points-montpellier.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "stage-recuperation-points-nantes.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "stage-recuperation-points-nice.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "stage-recuperation-points-paris.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "stage-recuperation-points-reims.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "stage-recuperation-points-rennes.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "stage-recuperation-points-strasbourg.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "stage-recuperation-points-toulouse.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "stephenlam.ca", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "stleonardmn.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "stluciastar.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "strd.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "stripehype.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "studio-satellite.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "stugor-danmark.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "styel.io", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "svedalataxi.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "swiftpak.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tabegamisama.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tajr.shop", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tampabayhometours.info", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tandoanh.vn", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tangle-teezer.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tantravoorlichting.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tdvg.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "teamkoncert.pl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "teamx-gaming.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "technewera.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tekingb.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tele-points.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "texasbluesalley.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "thai369.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "the5th.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "thelevelman.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "theninehertz.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "therealchamps.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "thincats.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "thomasebenrett.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tiener-herentals.be", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tiffanywatson.xyz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "timelyapp.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tipsmake.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tisgroup.com.my", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tmcjobs.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tommymoya.tv", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tomvanlaer.be", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "top-autoshop.com.ua", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "totvs.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "toujour.top", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "transforumation.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "triangle-energie.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tsahf.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tsunami-alarm-system.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ttcak.ddns.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tuning-parts24.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tunnelstore.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "turnoffthelights.video", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tvaerialsmanchester.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "udid.fyi", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ultrabeautycream.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "unideck.com.ua", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "urrestarazuserranoabogados.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "us.marketing", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "utaiw.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vakantiehuisschellinkhout.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vakantiehuizen-denemarken.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vector.solutions", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vejersferie.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vejersferie.dk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "veliovgroup.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vellingetaxi.se", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vemtorcer.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vestibtech.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vet4life.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vidiobokep.xyz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vincentwathelet.be", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vindafrid.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vindafrid.nu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vindafrid.se", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "visartdecor.com.ua", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vista-calculator.ru", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "voodooshaman.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vpinball.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vrachi.online", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vzemisite.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "wannapopularnews.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "wawapuquy.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "web-desing.com.ua", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "webers-webdesign.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "webhotels.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "websiteforstudents.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "wheatbagslove.com.au", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "whoami.eu.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "whodatdish.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "why918.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "wificonnect.cc", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "wijaya2u.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "wildcatproductions.biz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "wismile.lu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "wolftain.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "wolvesvtc.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "wordadmin.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "worldtravelandadventure.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "wormate.io", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "xcraftsumulator.ru", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "xier.ch", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "xifrem.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "xn--90acjfgylpnm.xn--90ais", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "xn--ggle-qoaa.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "xn--uisz44m.online", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "xn--ukasik-2db.pl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "xn--wby9t.xyz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "xotv.top", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "xpods.sg", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "yavorivanov.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "yeptechnology.store", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "yinulo.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "yoonas.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "yourazbraces.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zeocax.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zfj.hk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zifoapptest.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zoomplumbing.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zoyride.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1337.vg", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "2022class1.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "2habc.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "5icsb.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9118.hk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9968.ag", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9968.love", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9jabase.com.ng", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "a-tes-cotes.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "abdelaliezzyn.be", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "abdelaliezzyn.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "acronis.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "adamdorman.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "adhocracy.plus", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "adimplere.com.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "adultwebcams1.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "aeroacademia.com.mx", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "aficards.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "agence-wazacom.fr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "agilesurvey.ch", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "agroconsultoraplus.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ahollamby.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ahu.la", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "alfratehotelcampiglio.it", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "alitec.it", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "altertek.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "amforst-ha.ddns.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "amforst.ddns.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "anblik.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "andrija-i-andjelka.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "annabelcinemas.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "appers.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "appsaraby.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "apptesters.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "archframe.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "arcinapoli.it", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "arkantos.agency", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "asociaciontrastea.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "assistenciamultitec.com.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "atelier-origami.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "atis-ars.ru", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "autowise.dk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "avalonbelltown.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ayecode.ca", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "badcreditcarsfinance.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bailleux.be", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bamanshop.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bank-yahav.co.il", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "barnvets.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "batitrakya.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bayoleth.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "beanbox.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "beautyinweb.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "besensi.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bet333111.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bet333222.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bet33app.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bewegtes-lagern.at", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bewegtes-lagern.ch", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bewegtes-lagern.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bewegtes-lagern.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bewegteslagern.ch", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bewegteslagern.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bewegteslagern.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bhi.consulting", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bimacitizen.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "biolmarket.ru", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "birdie.pt", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "blackstump.xyz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "blackzebra.audio", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "blaulicht-giessen.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "blinds.media", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "blogofapps.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "blrjmt.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "boats.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "botcamp.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "botmedia.cf", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "brainstobrand.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "brandwidth.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bravobet.et", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "brendansbits.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "brookes.xyz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "brutecloud.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "burotec-sarl.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "buster.me.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "buycurious.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bxegypt.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bysgo.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bytheswordinc.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "byxong.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "c2m-staging.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cabalacoach.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cajalosandes.cl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "calitateavietii-ardeal.ro", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "calucon.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "caoliu.tech", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cardanoinvestment.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "carolineball.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cbt.tj", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "centurion-consulting.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "centurion-consulting.tech", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "checkra.in", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "chika.kr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "chimpmatic.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "chr1sbin.works", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cissofitness.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "citizenkevin.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cixiaoya.space", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cixiaoya1.xyz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cixiaoya2.xyz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cleaningsolutionn.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "clinicadentalvinateros.es", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "clinicainfinitydental.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "clouddesk.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "coinclickz.fun", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "coldren.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "colinespinas.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "comparecompensationclaims.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "consultingconnection.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "courvix.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cpars.gov", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cpls.me", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cry-sys.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cswebi.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cumagini.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cyberdyne.ie", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "d3a.xyz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dabai.club", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dabai.photo", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "daie-inc.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dailychristianpodcast.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dailyrenewblog.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "danndorf.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "davidgroup.co.id", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "davidops.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dcave.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dcmarvelunited.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "deerwoodrvpark.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "defendbearbutte.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "designrhome.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "devtea.cz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "digicasso.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "distrivalle.ec", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dktq2hj81vknv.cloudfront.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dokhuyenmaigiatot.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "domicile-clean.fr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dominicanosenpr.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "drherndonent.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dtune.me", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dug.net.pl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "e-klempir.cz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "e-privat.info", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ebashim.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "echo.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "edelweiss-pinzolo.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "educa2.es", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "egglestonyouthcenter.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ekocleaningllc.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "electronicayseguridadmonserrate.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "eletminosegert.ro", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "elsuccionador.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "emkode.pl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "emptyadjacentpossible.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "en-este.link", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "en0.io", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "enjoymondayofficial.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "envman.io", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ernearmetx.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "eruga.es", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "eusolar.cloud", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "evnt.team", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "execbar.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "exl-english.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "exoticaz.to", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ezftrs.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "f8cp0.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "fabulosa.com.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "faca.gov", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "fachversand-hennes.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "fanbot.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "fapiis.gov", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "farallonesrentacar.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "fenom.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "finethin.com.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "fluglektuere.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "foonly.fi", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "frag.works", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "freebsd.la", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "freebsd.one", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "freebsd.wiki", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "freelancerhub.online", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "galj.info", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "galleonwaymedical.com.au", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "gavr.me", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "gender-summit.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ggiveilig.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "gitube.cn", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "glassofgrape.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "globalipaction.ch", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "goaudits.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "gotravel.us", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "gozaars.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "gpl-elite.store", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "grafia.ink", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "graspingtech.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "gregmc.ru", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "grouindev.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "guidesorbetiere.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "gxpconsultora.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hads0m.tech", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "halilyagcioglu.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hargamobilmu.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "harrisandharris.com.au", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hartleighclyde.com.au", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hawkargentina.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hazelglow.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hceu-performance.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hennesshop.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hethakhout.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "himpler.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hiteshjoshi.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hitfront.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hiwannz.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hly0928.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hofstaetter.io", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "holdengreene.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hotelcorporatecodes.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hotelpresident.co.in", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hotelpromo.codes", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hrumka.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "huawenyy.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hubspot.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hubspot.es", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hubspot.fr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hubspot.jp", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hw923.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "idee-lq.at", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "idee-lq.ch", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "idee-lq.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "idee-lq.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "idee-lq.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "iedison.vip", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "imwjc.xyz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "indoor-kletterwald.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "infinity-uitvaartzorg.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "informatiger.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ingadesign.it", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "inpector.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "insurediy.com.sg", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "integralsalud.xyz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "involic.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "iotsys.in", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "iranwiki.ovh", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "italiensk-tolk.dk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ivais.mx", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ivoryandgrace.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "izumi-ryokan.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "j-k-fischer-verlag.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "jasnowidzkajowi.pl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "jaspersreef.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "jessem.fr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "joaojunior.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "jobty.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "joernwendland.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "jolee.ro", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "joomla-leipzig.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "jorgeto.ddns.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "jouons-aux-echecs.be", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "jzwebdesign.ie", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "karopapier.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "karrselfstorage.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kashflowcoupon.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kashflowpromocode.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kawiarnia.xyz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "keepdecor.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kenkou-kitakyusyu.jp", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kf086.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kf117.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kf3131g.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kik.ee", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kiwiflowershop.com.ua", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "koji-tsujitani.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kollross.io", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "konyaescortsiteler.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kopidingin.xyz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kreativklinik.at", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "krypto-geld.eu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kurhotel-am-reischberg.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kweb.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "laab.gv.at", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "laby.life", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lajkatheme.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lancers.jp", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "larete.ch", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "launchgroup.com.au", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lawrenceklepinger.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "leddingplasticsurgery.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "leemac.com.au", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "leisurepools.com.au", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lemagauto.fr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lifeguatemala.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lintasi.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "linux.farm", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "livresetmanuscrits.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "locksmithdriftwood.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "logico.ar", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lomerhouse.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "long139.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "loshogares.mx", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lsl.eu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lushan.me", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "m8593.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "maisan.best", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "manageprefs.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mariagealamontagne.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "maringalazer.com.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "marketplacestrategy.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "masdemexico.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "masterwayhealth.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "matthiasmueller.me", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mattrude.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "maywoodpark.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mbc.asn.au", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mclouds.ru", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mdclass.id", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "me7878.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "medasset.gr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "meganruggiero.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "metanumbers.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "metzgermark.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mi1k.cn", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "miamiaquatours.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "microwavezone.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mieldemexico.us", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "milleron.xyz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mindvalley.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "minimonies.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "modbom.com.tw", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "molleron.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "monotai.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "monthlyfukuoka.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "moonlightdesign.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mosternaut.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "muscularbabes.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "muskokavoltz.ca", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "my-profile.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mybillie.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mycarinsurance123.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mydenverhomesource.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mygear.live", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "myjarofhope.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "myloanmanager.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nbook.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nectardigit.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "netliste.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "netzwerk-lq.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "newyorkhiltonmidtown.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nextechoax.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nguyendiep.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "noranowak.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "notedinstyle.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nougat-anduze.fr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nrv-linux.io", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nubehogar.nsupdate.info", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "oacloud.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "oh-leg.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "olibomb.cc", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "oliver-wiedemann.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "omahmebel.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "on-targettrainingcourses.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "on-this.link", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "onlineltctraining.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "op3y.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "openstakes.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "opstory.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ornsyn.no", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "osuarez3.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "overijsselsemerentocht.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "oz-style.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "p333kk.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pacificbeachpub.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pathsha.re", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "patlis.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "patrickcurl.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pcrab.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pedigreetechnologies.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pendrivelinux.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "performancepiers.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "permista.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "persiennkompaniet.se", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "photomaniastore.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "phuductms.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "piffer.ind.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pighouse.info", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pinpromosisemarang.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pjgj16.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "playtzolk.in", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pluginsetemaswp.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "polestar.com.tw", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "porn7.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "portalz.xyz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "portiaweb.org.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "postoffices.co.in", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "prawnikdlaanglii.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "precisionhockey.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "precisionicerinks.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "primecursos.com.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "primetrial.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "primetrialfree.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pro-lq.at", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pro-lq.ch", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pro-lq.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pro-lq.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pro-lq.hu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pro-lq.it", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pro-lq.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pro-lq.ro", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "prodentalsantacruz.es", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "proextra.com.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "prograce.info", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pupset.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pusehusetkattehotell.no", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pusehusetmalvik.no", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "putrawijayatours.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pvc-stolarija.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "queenbeer.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "quizhub.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "radiosdeguate.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "rajasatour.id", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ratirl.be", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "raynersorchard.com.au", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "rdr2natives.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "recruit.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "rekurasi.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "repalcateia.com.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "resch.io", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "retirest.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "revistadiscover.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ricardotaakehb.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ridadihouse.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "riklewis.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "rjrplay.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "rockefellergroup.info", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "rohde.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "rsa-erp.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "rugsandmore.co.nz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sahilm.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sanabproperties.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sbaten.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "scoach475k.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "scottshorter.com.au", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "searx.rocks", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "seoexpert.com.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sergiogas.com.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "serveur.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sexytagram.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "shawnz.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "shellopolis.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sheremetka.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "shin-yo.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "shiningbright.co.id", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "shitcountries.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "shopjek.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "siecledigital.fr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "signup.ly", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "siteweb-seo.fr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "siwek.xyz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "skilloutlook.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "skynetstores.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "slymak.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "snowrippers.ro", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "soket.ee", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "southmill.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "spd-porta-westfalica.eu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "spm.tv", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "springboardsandmore.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "squareforums.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "stefanknobel.ch", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "stenhojmedia.dk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "stiff.wang", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "stiftung-lq.ch", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "stiftung-lq.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "stiftung-lq.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "stiftunglq.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "storyoneforty.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "streemprn.xyz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "studioxii.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "superglidewardrobes.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "svo-intranet.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "swissinternationalva.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "symbo.tech", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "taskhorizon.audio", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tebebo.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tech4arab.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tekingb.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tektouch.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "theangelfishfoundation.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "theclonker.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "themattresswarehouse.co.za", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "thisislaikipia.co.ke", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tiamarcia.com.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tipranks.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tomandsonya.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tomandsonya.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tomandsonya.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tool.lu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "totallclean.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tours.co.th", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tradesafe.co.za", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tradingoptioncloud.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "traumaheilung.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "travelinc.pk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "treasuredandloved.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "treasuredandloved.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "trendfrisuren-bongard.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "trendycrowds.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tryprime.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tsutawal.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tubedesire.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tusharwalaskar.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tvnow.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tvoe-delo24.ru", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tx299.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "udtunnel.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ukpropertyrescue.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "uksb.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "underwoodpatents.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "unidostransportes.com.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "upawg.ca", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "usamultimeters.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "uvtcinemas.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vagueetvent.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "valverdedelcamino.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vechainstats.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "verlag-lq.at", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "verlag-lq.ch", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "verlag-lq.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "verlag-lq.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "verlag-lq.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "verlaglq.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "verloskundigepraktijktolmiea.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "video-adult-clips-mobile.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "videogamecoupons.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "videopornoitaliana.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "videoskaseros.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vinco.ch", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vir.vn", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "virtueinfo.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "visarewardprogramplatform.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "visatitans.ae", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "visatitans.ca", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "visatitans.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "wear-referrals.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "webbricks.ru", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "webce.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "webcloud.io", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "webrox.be", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "weymouthslowik.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "whi.tw", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "wohlraj.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "worcestervets.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "wxhbts.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "wzp.ovh", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "xn--80aafaxhj3c.xn--p1ai", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "xn--9xa.fun", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "xn--rb-fka.it", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "yann.tw", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ymatyt.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "yodababy.com.tw", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "yourname.xyz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "yuan.nctu.me", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "yuxiangyuan.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zfj.la", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zhongxigo.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zihun.club", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zngay.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zqzx.xyz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zvive.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zz342.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "00100010.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "00120012.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "00130013.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "00140014.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "00150015.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "00160016.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "00180018.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "00190019.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "00440044.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "00550055.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "00770077.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "06am8.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "07am8.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "0q0.eu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "10160365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "110110110.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "112112112.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "113113113.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "118118118.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1481481.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1481481.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1481482.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1481482.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1481483.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1481483.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1481485.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1481485.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1481486.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "16036510.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "16036520.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "16036530.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "16036540.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "16036550.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "16036560.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "16036570.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "16036580.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "16036590.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "168bo9.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "168bo9.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1st2bounce.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "20160365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "30160365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "40160365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "4dpredict.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "50160365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "5214889.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "5214889.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "5310899.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "5310899.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "598598598.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "60160365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "70160365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "80160365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8888esb.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "888am8.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "888am8.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8901178.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8901178.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8910899.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8910899.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8917168.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8917168.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8917818.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8917818.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8951889.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8992088.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8992088.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8e8z.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9696178.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9696178.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "988am8.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "988wh.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9bingo.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "aarwer.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "aarwer.jp", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "abacross.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "abelrubio.me", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "abona24.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "aboutasia-trade.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "aboutasia.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "aceshop702.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "activegearandapparel.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "activityhub.cloud", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "activityhub.xyz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "acubens.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "adaptiv.ltd", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "adhgroup.ug", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "adsib.gob.bo", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "aevar.io", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "afcmrs.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "afcmrstest.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "afgaim.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "afterschoolprogramsoflancaster.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "agingstats.gov", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "agrobaza.com.ua", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "airbrake.io", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "akvitens.com.ua", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "albagora.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "alfadlmedical.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "altospam.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "alvimedika.com.ua", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "am8.im", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "am8009.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "am8028.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "am8811.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "am8866m.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "am8895.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "amalficoastransfers.it", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "amazighlove.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "amb8.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "amjinc.ca", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "amoryurgentcare.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "animemotivation.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ankya9.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "anoncom.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "antipolygraph.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "aoyamacc.co.jp", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "apotheek-ict.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "applaudit.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "appletree.is", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "argyrakis.gr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "arhitekti.hr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "artikel9.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "artisan-emmanuel.fr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "artsacademics.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "aseth.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "askexpert.in", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "asmrbuluo.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "aussiestories.dk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "awlgolf.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ayselonia.onl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b0618.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b0618.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b0868.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b0868.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b1758.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b1768.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b1768.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b1788.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b1788.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b2486.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b2486.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b5189.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b5189.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b5289.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b5989.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b67901.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b67902.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b67903.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b67904.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b67905.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b8591.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b8591.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b8979.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b8979.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b9018.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b9018.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b9108.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b9108.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b9110.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b9110.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b9112.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b9112.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b911gt.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b911gt.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b9168.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b91688.info", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b91688.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b91688.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b9175.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b9175.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b9258.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b9258.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b9318.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b9318.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b9418.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b9418.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b9428.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b9428.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b9453.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b9468.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b9468.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b9488.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b9488.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b9498.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b9518.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b9518.info", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b9518.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b9518.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b9528.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b9538.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b9538.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b9598.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b9658.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b9758.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b9758.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b9818.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b9818.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b9858.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b9858.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b9880.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b9920.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b9948.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b9948.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b9960.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b9best.cc", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b9best.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b9king.cc", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b9king.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b9king.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b9winner.cc", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b9winner.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "baches-piscines.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "backlinkbase.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bamboehof.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bao-in.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bao-in.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bapha.be", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "basel-gynaecology.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "basel-gynaekologie.ch", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "basilsys.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bat909.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bat909.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bat9vip.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bat9vip.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "batvip9.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bbswin9.cc", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bbxin9.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bbxin9.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "be9418.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "be9418.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "be9458.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "be958.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "be958.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bedacdn.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bedtimeflirt.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "belllegal.com.au", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "benmack.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bestcrossbowguide.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bestesb.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bet-99.cc", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bet-99.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bet-99.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bet168wy.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bet168wy.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bet9bet9.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "betgo9.cc", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "betwin9.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "betwin9.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bigudi.ee", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "binbin9.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "binbin9.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bioamtw.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "biolika.ua", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "biotanquesbts.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bitgild.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bitsler.ie", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bjl5689.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bjl5689.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "black-magic-love-spells.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "blacksheepsw.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "blackyin.xyz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bling9.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bling999.cc", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bling999.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bling999.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bloondl.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bluemoonrescue.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bo1689.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bo9club.cc", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bo9club.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bo9club.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bo9fun.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bo9fun.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bo9game.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bo9game.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bo9king.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bobigames.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bonifatius-friedrich.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bonifatiusfriedrich.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "boosteusedetalents.fr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bottle.li", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "brain-club.info", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bricksmateriales.com.ar", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "broe.ie", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "brokernotes.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "brownsgroup.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "buddhismedia.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "buitenposter.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "burningmarket.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "buscoterapia.com.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bywin9.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "campbellkennedy.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "caregiverva.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "carolinaallergyandasthma.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "casabella.com.tw", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "casamarrom.com.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "catchcrabs.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ceditedv.com.pe", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cefinco.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "celestialisms.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "centraljerseyrcca.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ceverett.io", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "chabad360.me", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "chancekorte.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "chancekorte.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "charlie.im", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "choservices.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cirvapp.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "citylift.com.ua", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cityradiusmaps.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ckp.ie", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "claudia-makeup.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "clearbooks.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "clearlinux.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "clearsense.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cleveroad.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "clownday.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "coastalurgentcarebatonrouge.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "coastalurgentcarebossier.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "coastalurgentcaregonzales.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "coastalurgentcarehouma.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "coastalurgentcareruston.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "coastalurgentcarethibodaux.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "combineconquer.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "compdermcenter.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "computerbas.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "comunal.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "confusion-band.ch", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cornsoyexpo.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "corsorspp.roma.it", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cpilot.cz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "craftcms.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "crazycube.fr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "creditmonkey.pro", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cryptotrendclub.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ctor.ch", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cuitandokter.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cupcake.pt", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "curontwerptoolgroenbeton.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cw.do", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cybersecurite-info.fr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "d88988.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dailysuperheroes.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dalliard.ch", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "danca.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dark-archive.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "daviddejori.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "daxterfellowesservers.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dbcartography.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dd.center", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dds.pe", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dealerwriter.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "debzsh.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "denninger.jp", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "denta-ua.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "derenderkeks.me", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "design-your-life.info", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "devbean.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "diariosurnoticias.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "didaktik4you.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "docu.io", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dogrockresorts.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dolmenejecutores.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "doorgate.pt", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dos.cafe", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "driestwegkerk.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dungeoncity.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "duriemas.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "e-cogni.com.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "e1488.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "e52888.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "e52888.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "e53888.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "e53888.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "e59888.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "e59888.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "eccma.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "electrocomplect.com.ua", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "elicite.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "eline168.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "emalm.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "emeraldcoasturgentcare.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "emote.bot", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "emotebot.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "enekogarrido.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "envoker.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "envoypresents.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "eradigital.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "es888.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "es9999.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "esb-in.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "esb-top.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "esb-top.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "esb168168.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "esb168168.info", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "esb168168.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "esb168168.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "esb1688.biz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "esb1688.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "esb1688.info", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "esb1688.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "esb1688.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "esb1711.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "esb1711.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "esb1788.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "esb1788.info", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "esb1788.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "esb1788.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "esb2013.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "esb2013.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "esb2099.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "esb2099.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "esb258.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "esb325.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "esb325.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "esb333.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "esb336.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "esb433.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "esb518.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "esb553.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "esb555.biz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "esb555.cc", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "esb5889.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "esb6.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "esb677.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "esb777.biz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "esb777.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "esb886.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "esb888.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "esb9527.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "esb9588.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "esb9588.info", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "esb9588.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "esb9588.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "esb999.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "esba11.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "esball-in.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "esball-in.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "esball.bz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "esball.cc", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "esball.mx", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "esball.online", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "esball.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "esball.win", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "esball.ws", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "esball518.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "esball518.info", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "esball518.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "esball518.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "esballs.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "esbbon.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "esbbon.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "esbfun.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "esbfun.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "esbgood.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "esbin.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "esbjon.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "esbjon.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "esbm4.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "esbm5.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "esmoney.cc", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "esmoney.me", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "espiragen.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "eurocons.ro", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "evaria-network.fr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "evhoeft.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "evrodim.company", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "exnce.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "expansion-lidl.es", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "experens.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "exploradora.hu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "extreme-stock.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "f8906.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "f8cp8.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "fableheartmedia.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "fancypantsfit.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "fapcoholic.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "fbvstore.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "feelingmassage.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "feistore.com.tw", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "feng-in.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "feng-in.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "finanskredirehberi.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "finsecurity.eu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "firstcolonyengraving.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "firstversionist.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "fix.mk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "flairfindr.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "folkofolk.se", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "force4racing.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "force4racing.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "fournisseur-des-collectivites.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "france-hotellerie-restauration.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "frenchmac.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "fresh-components.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "freshgujarat.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "fricassea.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "fu-li88.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "fu-li88.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "fudie.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "fugioninc.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "funprode.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "fysio-ict.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "fysiotherapie-ict.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "g2x.ru", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "gainins.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "gantt-chart.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "garagedoorrepaircedarhilltx.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "gentapps.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "gentlemens-life.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "gentlentapis.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "germfr.ee", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "get-baaam.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "getcreditscore.com.au", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "gethome.ru", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "getmonero.cz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "gezondheidszorg-ict.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "gezondheidszorg-it.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ghostpin.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "giardinoperfetto.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "global-qanoon.gq", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "gmeet.at", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "gmeet.io", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "goblackcat.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "god-esb.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "godbo9.cc", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "godbo9.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "godesb.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "goetzinger-web.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "gottcar.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "gowin9.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "gowin9.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "grafe.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "greenangels.com.ua", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "gruslic.org.mx", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "gtd.cloud", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "gutscheineplus.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hackmeifyoucan.site", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "haiyan.cat", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hamamatsu-kotsu.co.jp", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hanami-web.tokyo.jp", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "happyretail.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "harptechnologies.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hasseplatslageri.se", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hegdahl.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "helpfulhealthinsurance.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "helseogmassasje.no", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hetwalhalla.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hexhu.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hide.me", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hifala.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "highriskpay.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hkno.it", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hodler.shop", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hot-and-new.gr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hotelevergrandpalace.in", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hotesb.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "housingloan.jp", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hua-in.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hua-in.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hua-li88.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hua-li88.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hui-in.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hui-in.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "huisartsen-ict.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hunt.gs", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hydra-clothing.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ias.ua", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "iba.gov.au", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ibcmed.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ibcmed.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ichglaubesbackt.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "identityexperts.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "illuminatiofficial.vip", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "imcreative.ro", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "imolog.cl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "implantica.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "improvenerg.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "indrebuild.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "infovb.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ing89.cc", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ing89.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ingeni.ink", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "inkerotic.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "innovation-photography.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "internex.at", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ipggroup.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "iptops.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ironmountainsolutions.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "iskultur.com.tr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "islandsbanki.is", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "itseovn.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "jessica-weller.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "jing-in.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "jing-in.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "jmsystems.sk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "jovisa.com.tw", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "jpn.parts", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "jumeirashoes.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "jwatt.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k1chn.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kaisev.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kaliajoyas.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kamilmajewski.pl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kasse.at", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kasse.pro", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kerameion.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ki-management.ch", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kiinteistot-lidl.fi", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kissesb.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kittymagician.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kodenia.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kokomo.xyz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "konarentals.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "konkursita.ru", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kontenido.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kqqzyl.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kunvarji.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kurungkurawal.id", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kyivstar-internet.com.ua", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "l2l.vn", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "labs.ro", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ladeboks.dk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lambda.dance", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lamchannang.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lamnhom.com.vn", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "laprensadelasagradafamilia.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lazo.futbol", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "leafletdistributionmanchester.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ledspalluto.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "leonardocremonesi.it", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "levels3d.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lhp-creation.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lhp-creation.fr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lian-in.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "liang-li88.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "liang-li88.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lidl-immobilien.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "liputan4.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lis.koeln", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "liscieperfetti.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "logfile.at", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "logtenberg.eu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lovebo9.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lovebo9.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "luck9988.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lyteclinic.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mafworld.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "magnetoterapiapertutti.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "malwaretips.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mandediary.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mandor.id", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "maransurology.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "marktgorman.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "matgodt.no", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "maxverboom.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mbusi.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "megaelettrostimolatore.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "membersense.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mephim24h.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "methodfactory.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "miegames.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mikmik.co.il", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "milleron.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "miwebmadrid.es", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mnc.moda", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mon-butin.fr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "monarchpartnersgroup.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mooveo.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "morritosfelices.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "motivational-babes.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "motor-agro.com.ua", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mox.link", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "muganworld.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mulail.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mundosteampunk.club", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mural.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "musedash.moe", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "museloveurania.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "myoddlittleworld.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "n-blox.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nageler.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nailsforyoustouffville.ca", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "namu.com.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nationslending.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "naturalbeautyhacks.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nba669.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nba686.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ncu.world", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "neemdetijd.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nekretnine-lidl.hr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nepremicnine-lidl.si", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nertus.ua", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "neumarkcb.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "neverwasinparis.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nick-slowinski.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nlagstage.in", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "odacyeux.fr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "offertenet.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ofrion.lu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ohiooutside.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "omaedu.ro", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "omaosurveys.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "onlineinsurancespot.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "onlyesb.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "onthehook.ru", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "open-novel.work", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "orbitabaja.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ovpn.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "oxfordurgentclinic.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pablo.io", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pagliucadb.ddns.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pandorasprom.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pathcode.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "paxer.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pdxdeli.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "peabodytile.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "peninsuladoctor.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "perfmed.ro", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "perka.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "piken.eu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pirateproxy.onl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pisquettes.fr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pixelcatproductions.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "plgr.cc", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pravnisistem.rs", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "precisionvaccinations.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "premiumiptvplus.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "prethost.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "princelishan.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "princelishan.com.tw", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "prisync.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pro-esb.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "proesb.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "programtracker.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "provide-your-image.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "proxybay.red", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pruna.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "puntoseguro.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "puredayshop.com.tw", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pyrohandel.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "r18.moe", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "radio-utopie.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "radiomercure.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "raffleoftheday.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "raspberid.com.es", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "raywin168.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "raywin168.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "raywin88.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "rbiacademylms.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "rblx.red", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "realestate-lidl.at", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "realestate-lidl.be", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "realestate-lidl.bg", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "realestate-lidl.ch", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "realestate-lidl.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "realestate-lidl.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "realestate-lidl.cz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "realestate-lidl.dk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "realestate-lidl.fr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "realestate-lidl.gr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "realestate-lidl.it", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "realestate-lidl.lt", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "realestate-lidl.lu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "realestate-lidl.lv", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "realestate-lidl.pl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "realestate-lidl.pt", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "realestate-lidl.ro", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "realestate-lidl.rs", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "realestate-lidl.se", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "realestate-lidl.sk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "recoveryunplugged.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "redhawkwa.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "reinventfit.ro", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "researchchempro.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "resilienzatropical.it", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "resolve-portal.it", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "revealglobally.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "revitalisierungs-akademie.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "rgiohio.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "rhodos.fr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ridgarou.no-ip.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "rikunori.com.tw", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "rndconceptsourcing.solutions", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "rokcupusa.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "rumbasguayaquil.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "rustfu.rs", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "rxyz.rocks", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "s3dservices.io", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "saisaweb.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sajtr.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "samesound.ru", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "samiamelikian.com.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sandgatebaysidedental.com.au", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sbconstrucciones.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "scatters.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "scheervergelijker.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "scheidsrechtersinfo.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "schnitzel-und-co.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sebastian-walla.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "selectra.pt", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "seobase.pro", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sexonosalao.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sgsy.bid", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sh0uld.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "shansen-online.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "shop-h2o.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "shopteq.hu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "singleproduction.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sinupret-extract.com.ua", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sitak.fi", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sjenkins.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "skipbounce.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "skysoftbg.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "smcquistin.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "smithsanchez.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "soslsd.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "spotlabs.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ssc8689.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ssc8689.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "starkvilleurgentcareclinic.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "stc-istok.com.ua", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "stocknxt.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "stormingbrain.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "stratforge.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "strongmail.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "subtasks.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sugarpiano.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sweetspot.co.kr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "systemscoinsminers.tech", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "systime.dk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "t-nice.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "t4w.me", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tai-in.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tai-in.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "taktak.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tandarts-ict.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tandartsen-ict.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tapasnandi.in", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tarba-schluesseldienst-duesseldorf.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tateishi-ip.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tathanhson.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tauerperfumes.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tche.digital", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "techfishnews.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "techie-show.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tennisportal.com.ua", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tezwifi.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "thaiteaw.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "theblackboard.gr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "theencounter.nu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "thegrowhouse.ca", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "theojellis.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "thesmokypoet.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "thethreadsmiths.com.tw", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "thetravelhack.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "theveils.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "thewehmeiers.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "throwmails.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "thrw.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tikloot.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tomsoft.hr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "top-esb.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "top-rensner.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "topesb.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "topyachts-shop.com.ua", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "touchezlebouddha.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "traff1k.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "trauerbegleitung-kudla.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "trophies.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "truccoshop.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tuestilo.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "turi.space", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tuxsoul.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tx577.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tysonspersonalinjurylawyer.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "uf-ace.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ugolsibiri.ru", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "unblocked.earth", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "unicorn.io", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "urbest.io", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "urgentcaresouthaven.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "uurl.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ux-solution.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "uxsto.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "v-bank.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vaaes.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vastgoed-lidl.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vbezhenar.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vconstruct.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "veganopia.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vegetus.ua", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "versuschat.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vestasib.ru", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "veteransnewsroom.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vetergysurveys.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vhasurvey.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vinc.me", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "viocleannettoyage.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vipesball.cc", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vipesball.info", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vipesball.me", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vofy.tech", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vote4.hk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "votemoore.us", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vrnhn.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "wai-in.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "waka168.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "waka168.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "waka88.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "waka88.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "waldur.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "wanghongfuli.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "webconverge.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "webpcstudio.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "wehmeier.family", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "wen-in.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "wen-in.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "wendepunkt-betreuung.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "wh966.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "wijnlandkroatie.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "win8.am", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "wpcc.io", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "wwmm.ru", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "xebeche.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "xin-in.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "xin-in.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "xing-in.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "xiphwork.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "xn----7sbabrwauchevq0ba.xn--p1ai", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "xn--spiraphnix-olb.xyz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "xpornoizle.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "xuan-li88.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "xuan-li88.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "yachta.kiev.ua", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "yachtmarket.com.ua", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "yamei6688.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "yamei6699.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "yamei98.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "yao-in.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "yao-in.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "yashinstore.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "yibei-original.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ying518.vip", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ym087.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ym1199.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ym198.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ym353.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ym516.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ym966.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "youtubekids.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zeromedia.co.id", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ztsns.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zz284.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "squareup.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "10x.to", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1117035.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1234365.vip", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1234365a.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1234365b.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1234365c.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1234365d.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1234365e.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1234365f.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1234365g.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1234365h.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1234365i.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1234365j.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1234365k.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1234365l.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1234365m.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1234365n.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1234365o.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1234365p.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1234365q.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1234365s.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1234365u.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1234365v.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1234365vip.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1234365w.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1234365x.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1234365y.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1234365z.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "12zw.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1cedibet.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "2227035.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "233try.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "234567365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3337035.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3456789365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3733366.xyz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "37zw.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3pm.tw", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "4447035.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "5557035.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "647630.xyz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "6667035.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "678365app.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "7.plus", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "7035.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "7748229.xyz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "861365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "861365a.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "861365b.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "861365c.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "861365d.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "861365e.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "861365f.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "861365g.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "861365h.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "861365i.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "861365j.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "861365k.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "861365l.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "861365m.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "861365n.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "861365o.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "861365q.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "861365r.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "861365s.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "861365t.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "861365u.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "861365v.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "861365vip.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "861365w.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "861365x.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "861365y.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "861365z.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "9997035.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "a3m.gmbh", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "a7035.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "abcbusinesspark.com.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "abcempreendimentos.com.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "abloomnova.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "acdcbrasil.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "af.link", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "afcmrsfeedback.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ag2017.cc", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "agenteit.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "agropotter.com.ua", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "aja.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ak.com.iq", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "alana.com.ua", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "alaunus.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "alea.xyz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "alex-n.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "alfastone.com.ua", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "allhomemueble.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "allhsa.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "allianceexpressmail.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "alyssahart.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ameninalaceira.com.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ameriondental.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "amion.com.ua", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "amper.kharkov.ua", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ananswer.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "anayarealm.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "androtix.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "anoretics.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "anquankongjian.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "anthonychampagne.fr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "anthonychampagne.me", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "appfarm.io", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "apswater.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "arcadeencasa.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "art-dolls.com.ua", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "artycoz.fr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "asker-massasje.no", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "aspirantum.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "astrologjia.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "asua.ca", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "aszw.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "atab.se", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "atelierverbeelding.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "atkstore.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "atlantacompa-international.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "atomick.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "attentionpleats.com.tw", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "attractant.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "attwoodmarshall.com.au", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "audiencealchemy.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "augredutemps.ca", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "autenticoperfumes.com.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "autohut.ca", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "await.one", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ayrop.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "azertyjobs.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b7035.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "baby-care.ir", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "backpackingtours.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "baidu-s.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ballisticdetailing.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "balsallcommonbouncycastles.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "banlinhdanong.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "barkassen15.se", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "beam-to.me", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bedrijvencentrum-maartenslaan.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "belfastvibes.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bellaaroma.com.tw", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "beris.us", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "berluga.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bern.bz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bet916.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bethanyhome.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "betolerant.fr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "betterbladders.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "beveiligingsupdate.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "biblia.name", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "biglu.eu.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bikyaku.fun", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "billiardmaster.com.ua", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "biocal.eu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "biocal.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "biokal-labsystems.eu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "biokal-labsystems.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "biokal.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "biokal.eu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "biokal.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bitech-ec.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bitmart.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "blockchain.poker", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bluemeteor.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bobbyblueplumbing.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "boerdam.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bogena.com.ua", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bonchaboncha.com.tw", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "brianlehfeld.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "brunohenc.from.hr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bscquimicos.com.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "budowle.pl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "buffus.cz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bvprecords.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bycrates.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "byjus.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "byuu.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "byuu.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "c35.design", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "c4wlabz.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cambridgeanalytica.cz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cameo.ee", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "capalsa.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "carcani.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "casasparaperross.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cash.me", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cash.nyc", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "casio.bg", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "castelnuovo.xyz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "catprincess.com.tw", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "celsoazevedo.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "chatromania.ro", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "chcheaptech.nz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "chengbet.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "chipollinko.com.ua", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "chita.com.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "chopchat.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cibdol.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ciclimattio.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cinematherapy.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "clickempresarialgroup.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "club10x.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cmsua.ca", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cocoa-job.jp", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cokeflix.tv", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "columbushydroxide.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "columbushydroxide.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "columbushydroxide.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "condostjacques.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "connectnet247.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "copyengine.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "core-collective.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cpdhealthcare.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "creatujoya.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "creditdigital.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "criss.com.ua", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cslbuild.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cursocatolico.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cursosemmaus.es", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cvmatch.me", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cybercrew.rocks", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cyberlab.team", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "d7035.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dashadmit123.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "datasubject.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "datasubjects.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "davidfindlay.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "deelodge.art", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "deemlove.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "defesaaereanaval.com.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "demongey.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "departureboard.io", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "derival.co.za", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "descargarwhatsappplusgratis.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "diablocarpet.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "diaconat.ch", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "diariorp.com.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dicoeste.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "digitalgyan.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "djurklinikenangelholm.se", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "donotcallgov.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dreamswelcome.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "drevoline.com.ua", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "droobedu.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "droplen.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "duboisinternational.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dwarf.com.tw", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "e7035.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "easycredit.se", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "easymotionskin-japan.jp", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "elefantebrasil.com.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "elenapulizieroma.it", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "elimer.com.ve", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "elisabethbegle.at", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "elobservadordiario.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "empresasguia.es", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ender.moe", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "energy-robotics.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "epiccdn.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "epoker6.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "equip-test.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "eroticlist.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "escaperoompsl.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "estudiaenrusia.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ethicallogistics.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "everichspice.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "f7035.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "fall.es", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "fanysehy-prof.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "fastpeoplesearch.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "fatpeople.lol", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "faunahotel.cl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "fdlpl.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "feline.ro", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "fh-x.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "fh70.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "fidoniagara.ca", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "filejet.io", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "findheim.at", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "fishycam.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "fleetcomplete.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "flip.lease", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "flusszs.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "fneon.eu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "forcerakodo.hu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "foreverydream.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "foxeffect.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "francisplaza.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "friendsofparks.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "fromtinythings.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "g7035.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "games2kids.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "gamingmonitortest.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "garonna.com.ua", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "gebaeudebilanzierung.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "georgebeverlysheamemorial.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "getintra.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "getjms.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "getmovil.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "giftofsquare.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "giftofsquare.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "giftsofsquare.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "giftsofsquare.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "giftsofsquare.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "giordano.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "giveamericahope.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "giveasquare.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "giveasquare.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "giveasquare.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "gkstyle.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "globalfuture.eu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "glyfadacoaststudio.gr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "go-mail.me", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "goettinger-katzenschutz.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "gomiblog.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "gosq.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "gosq.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "greendvorik.com.ua", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "groovefetish.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "groupramirez.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "growik.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "grwebdesigns.gr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "gsbolivia.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "guberniya.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "guercioarchitecture.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "gun321.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "h2ssafety.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "h678.top", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "haineshilton.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "harleyclassifieds.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "helppc.com.ua", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hhl.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hiltonhylandluxurycondos.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hiperusera.es", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hollywoodsurvey.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hotelesenpuertoescondido.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "http-2.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hypnose-hennigsdorf.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hysemmarket.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ibiki-boushi-makura.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "icc.kharkov.ua", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "iic.kharkov.ua", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "image-cdn.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "imageshare.web.id", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "imbdagency.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "infoprofuse.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "international-friends.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "itdoneproperly.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "itmax.ua", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "itmedicinai.lt", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "janome.com.ua", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "jarods.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "jayceeprints.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "jbholdings.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "jch.xyz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "jeep4ik.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "jellebo.dk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "jellyfish.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "jesec.cn", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "jesscharlie.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "jesse-charlie.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "jesse-charlie.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "jesse-charlie.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "jessecharlie.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "jessecharlie.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "jessecharlie.info", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "jessecharlie.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "jessecharlie.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "jessecharlienaser.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "jessenaser.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "jessenaser.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "jessenaser.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "jessiecharlie.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "jiaty.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "job-chocolat.jp", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "johnnybetstaging.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "jonesfor.men", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "jonincharacter.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "jorganicsolutions.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "journaldesvoisins.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "julian-miller.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "jw.fail", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kabartani.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kamp-kisten.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kayant-server.space", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kdistech.nz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ketoliv.dk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kingsvilletexas.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "klapib.ee", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "komfort.kh.ua", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "konveer.com.ua", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kronnos-gen.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kronopolo.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "krti.com.ua", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "krup.com.ua", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "krusic22.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kusasa.biz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kuwaitsatellite.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "labtechsupplyco.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lada-event.com.ua", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ladymakeup.com.ua", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ladymakeup.eu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ladymakeup.ru", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "landsbref.is", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lanparty.si", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lars-minecraft.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lasept.com.ua", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lcso.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lecannabiste.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "leemachinetools.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lelo.com.pl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lessentieldanthony.fr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lexitravels.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lgbusiness.es", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "light-vision.com.ua", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "listiu.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "litepanels-parts.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "little.recipes", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "littlebites.co.nz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lmh-style.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "loisirsdouville.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lojadoanime.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lor.kharkov.ua", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "love-sent.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lovejms.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lovesove.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lucascantor.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lukaswiden.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lummi-nsn.gov", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "m-epigrafes.gr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "m-hydravlika.com.ua", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "m-office.pl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "maderasyacabados.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mae.sh", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "magic-chair.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "magicbullets.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "magicomotor.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mahalaraibanda.ro", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mailmerc.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "maisallianz.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "makura.fun", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "maleevcues.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "maltegegner.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mapado.ru", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "marco-reitmeier.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "marcoreitmeier.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mariagiovannaluini.it", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mariasavchenko.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "marketingprofesszorok.hu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "marylandtraditions.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "matchmuchach.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "matebalazs.hu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "maunium.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mauwis.ro", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mawai.com.tw", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "maxiglobal.pt", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mbski.se", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mdinvest.nz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "megayachts.world", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "meikampf.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "meiobit.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "membercents.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mentup.com.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mesh.org.ua", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "metod.photo", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "metrolaut.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "miacordeonstereo.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mightybit.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mijam.xyz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mijnkantoor.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mikedhoore.be", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "milkkids.ua", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "minibaggerverleih-aulendorf.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "missmaid.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "missmaid.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mjforan.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mkt.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mmhome.fr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mmphub.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mobilidadeurbana.ind.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mongooselock.com.ua", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "monpetitherboriste.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "monroe27.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "moonsault.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "moosbild.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "motor-agro.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "motor-agro.kz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "motor-agro.ru", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "motorialab.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mpodraza.eu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "msc-corps.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "munzlocal10.org.nz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "musingsatmidnight.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "myammo.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mybuildingcertifier.com.au", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mygedit.info", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mygedit.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mygedit.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "myhotdesign.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mylms.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "naia.me", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nao.sh", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "naql.om", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nardininaturopathic.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nastrojka-pianino.spb.ru", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nathaliesadventure.eu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "naturadent.hu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nealvorusphd.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nibletllc.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ningwei.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nixnetmail.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nl-xs.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "noithat247.com.vn", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nomadichome.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nomadichome.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nomadichomes.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nomadichomes.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "notecoffee.tw", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "notengosuelto.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "novysvit.com.ua", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "npchosting.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nuntiicaelo.in.ua", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "obuchowicz.pl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ocodo.ru", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "od-cure.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "oi-wiki.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "okna-vek.com.ua", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "olafvantol.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "oldpc.com.ua", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "onde.xyz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "onezero24.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "opale-concept.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "orienttime.com.tw", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "originalabsinthe.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "otiumtech.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "otpusk.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "outdoormixfestival.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "owbt.pl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "p-store.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "paisleyandsparrow.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "paletdecor.com.ua", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "paolodemichele.it", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "parcoursup-nouvelle-caledonie.fr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "part-of-that-world.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pheramoan.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pheramoans.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pherologie.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pherology.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pheromeon.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pheromeons.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pheromoans.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pheromoen.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pheromoens.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pheromonez.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pheronome.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pheronomes.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pheros.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pheroz.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "phillippe-lemarc.ch", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pikboxstore.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pippenainteasy.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "piraeuspress.gr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pjgj18.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pk.cash", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pk.city", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pk.cool", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pk.vin", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pk.wiki", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "placepugs.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "planeta-deti.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "planetadeti.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "plastdesign.com.ua", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "plavdoma.com.ua", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "playfinder.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pmcfarland.space", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "poisk.kharkov.ua", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pojarnayabezopasnost-gov.ru", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pokedex.mobi", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pokemongochamp.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pokerking.club", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pornolab.su", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pornolarizlehd.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "profvideo.kharkov.ua", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "prommontag.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "prosperbot.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "protectionformula.com.ua", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "protic.pt", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "prowindow.sk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "psasines.pt", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "psinergy.info", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "psinergyhealth.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "psinergytech.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "publicard.es", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pymenetica.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pyro.works", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "qei.org.au", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "qipei8.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "qrz.one", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "queirozmiotto.com.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "qunix.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "radiantweb.co.za", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "radioduepuntozero.it", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "radyodinle.us", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "randomcategory.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "rapportdecoracoes.com.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "realmofaesir.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "realneo.me", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "recyclingisland.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "reitmeier.me", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "renehsz.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "repauto.com.ua", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "repin.in.ua", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "resize2fs.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "retirementsolutionva.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "revolware.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ricardojsanchez.com.ar", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "rice.id.au", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "richviajero.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "rigintegrity.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "rinzler.io", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "riselab.com.ua", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "riviere.pro", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "rk12.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "rs200.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "runetracker.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "rust-lang.codes", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ruthbellgrahammemorial.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sadkodesign.com.ua", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "safethishome.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "safetymp3.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sailing-yacht.club", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sainzderozas.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "saltsugarlove.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sanderpoppe.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "saorsa.fr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sapiperelining.com.au", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sat-kw.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sciguyryan.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "secinto.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "secrethub.io", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "security.pl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sellwithsquare.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "semerkhet.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "semriscos.pt", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "senergyconsultants.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "seolab.amsterdam", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "serije.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sermasvital.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sewing-machines.com.ua", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "shadsupershop.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "shivamohanam.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "shoppingicarai.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "siberiactiva.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "siddigsami.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sijbesmaverhuizingen.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "silv.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sipal.fr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sivers.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sjttt.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sk.tl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "skyartsfake.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "skynet-research.us", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "smileywoodflooring.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "snipl.io", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "snow-service.it", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "snwaterpolo.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "soap-teco.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "socializam.ro", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "soloinfo.it", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "spaceunique.eu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sparklingloungecampiglio.it", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sparkstack.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "spboot.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "spe.org.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "spokeo.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "spreenauto.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sqap.pt", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sqclick.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "square.com.mx", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "square.engineering", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "square.it", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "square.ly", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "square.mx", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "square.site", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "squaregift.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "squaregift.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "squaregift.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "squareinstallments.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "squareinvite.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "squareinvoices.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "squaremktg.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "squaremktgstaging.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "squareoffer.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "squareregister.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "squaresolutions.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "squarestagingexternal.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "squareupsandbox.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ssc.vg", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ssccp.am", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "steeple-claydon.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sterohouse.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "stijndv.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "stiliankasimov.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "stilingavonia.lt", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sto500.com.ua", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "stoildaaliyski.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "storey-lines.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "stpatsschool.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "streaming-download.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "strongtieinsurance.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "strousberg.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "stuartcrawford.co.nz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "studioavvocato.roma.it", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "styleetvieperfumes.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "super-puper.su", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "surthriveak.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "swaenenburg.be", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "t060.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "t070.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "t449.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "t49.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "t7035.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "taoaworld.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tatildekirala.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tchealers.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "techzero.cn", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tecnoblog.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "telepok.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "telnet.dk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "teplohod.kharkov.ua", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "terres-et-territoires.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "thalita-reload.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "the-kuusatu.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "thebotanicalstore.com.au", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "thebrainfactory.eu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "thecluster.xyz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "theelectricguide.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "theonegroup.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "thijs.fr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "thijsslop.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "thijsslop.eu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "thinair.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "thinairsolutions.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tiance.me", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tiendaengeneral.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "timseverien.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tipsypresent.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tksainc.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tn-bb.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tnwgrc.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tobiefornerod.ch", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "top1betting.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "topferta.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "topsteroidsonline.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "torresdocaribe.com.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "torresdocariberesidence.com.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "totalofficeclean.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "toursencancun.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "traefik.io", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "transes.com.tr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "transservice.net.ua", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "trendparty.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "trictric.eco.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "trictriceletrico.com.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "triphop.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "truckshina-plus.com.ua", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "truewateraustralia.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "truthserum.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "trycaviar.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tsmn.com.au", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tuoicay.vn", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tvtion.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tvzahist.com.ua", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tzonevrakis.gr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ucdap.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ucibt.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ukrapak.com.ua", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ukrobmen.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ulys.ch", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "unferno.tech", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "upscope.io", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "usmammy.com.tw", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "v-horus.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "valentinoduval.fr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "varda.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "velforo.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "velikijhutir.cherkassy.ua", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "viaggivistos.com.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "viethungwork.vn", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vigliano.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "villa-toscana.berlin", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "villawirz.it", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vipmdh.com.ua", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vipom.com.ua", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "virtubox.xyz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vismaconnect.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vivalajack.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vlajo.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "voruswebsites.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vvsochenergiteknik.se", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "w3d.io", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "washabich.ch", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "webpc.com.ua", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "widecontrol.it", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "wolfhowl.me", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "wonderland.com.ua", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "wondium.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "wordpressp.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "worldvisionsummerfest.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "wrap.in.ua", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "www-pheromone.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "www-pheromones.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "wwwpheromone.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "xeerpa.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "xn-----7kcbhdpr0asllefq0bjk.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "xn----7sbarcdvrtr1be.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "xn----7sbbgbr0arxb4a4exa.com.ua", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "xn--80a8aqs.biz.ua", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "xn--90aij9af3f.com.ua", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "xn--c1adqibibm8i.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "xn--ex-1b4auld4fn3u3ck2069g.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "xn--flordepia-s6a.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "xn--ritmller-95a.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "xn--zsr042b.fun", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "xnativi.pl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "xslim.com.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "yakamediaperu.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zklokotskehory.cz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zof.kh.ua", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zz074.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1234365t.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "131365aa.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "131365b.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "1voz.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "20071019780415.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "21566365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "2340365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "2dua.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3651267.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3652367.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3652389.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "36536533.vip", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "36536555.vip", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "36536566.vip", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "36536588.vip", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "36536599.vip", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "37889658.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3798.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3798.vip", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "392365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "3aexpert.com.ua", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "4kpi.eu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "4played.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "4played.vip", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "5201365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "5205365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "5206365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "5209365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "81365b.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "81365c.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "81365d.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "81365e.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "81365f.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "81365g.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "81365h.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "81365i.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "81365j.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "81365k.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "81365l.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "81365m.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "81365n.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "81365o.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "81365p.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "81365q.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "81365r.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "81365s.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "81365t.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "81365u.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "81365v.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "81365w.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "81365x.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "81365y.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "81365z.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "82365a.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "82365b.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "82365c.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "82365d.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "82365e.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "82365f.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "82365g.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "82365h.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "82365i.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "82365j.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "82365k.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "82365l.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "82365m.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "82365n.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "82365o.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "82365p.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "82365q.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "82365r.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "82365s.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "82365t.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "82365u.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "82365v.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "82365w.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "82365x.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "82365y.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "82365z.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "8602010.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "99naturalfoods.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "a81365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "a82365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "acihotel.vn", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ae86dy.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "aeb.io", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "afslankspecialist.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "aguiascarecas.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "airfocused.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ais.fashion", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ajt.io", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ajtatum.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "albanycountydems.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "allenarchive.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "alphamedphysicians.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "am8898.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "am8info.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ammobrand.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "amzmall.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "anachristinarodriguez.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "andreariccitraduzioni.it", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "andrehazeswinactie.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "animecracks.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "aphelion-design.jp", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "apkclash.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "appcuarium.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "archauthority.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "argrafiche.it", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ariba.info", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "arionta.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "arkenstone.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "asitanc.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "asokan.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ayudaprogramacion.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "azadliq.online", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b538.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b5dev.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b6530.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b6531.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b81365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "b82365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "baitaplamvan.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "balkanpharmstore.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "barkingaboutbusiness.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "basementwaterproofingwi.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bebecar.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bedding.ro", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "beitmidrashrambam.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "belafonte.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "benoniplumber24-7.co.za", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bergman-gmbh.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bet3app.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bfdz.ink", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bghope.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "blockchainbulteni.com.tr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "blogcast.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "blogthetindung.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bluemail24.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bmbfiltration.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "boksburgplumber24-7.co.za", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "books.co.ua", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bookwormex.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "boston-sailing.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "brucebenes.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "buddhaspa.ro", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "bungaspa.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "byluthier.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "c678.top", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "c81365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "c82365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cardingforum.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "champagneandcoconuts.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cherhenri.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "chilbert.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "chinookdigital.ca", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "claimspharmacy.services", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "claretvillans.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "clio-dev.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "clio.health", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "clubportside.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cmavs.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "codebitel.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "communiquons.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "comoviajarcontumascota.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "coolmoda.com.ua", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cpsecureapp.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cqvradio.ddns.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "crackload.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "culturoquiz.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "cursomente.online", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "d81365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "d82365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dakshm.in", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dampt.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "darkleia.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "datakl.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "davelage.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "davidlindekilde.dk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ddjlawtampa.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "decaturwomensports.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "defiant.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "deluxe-dubai.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dev-aries.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dinamobet2.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "directvacations.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "diriya.lk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "disinfestazioni.cagliari.it", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "djdavid98.art", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dnns.no", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dobreoknaszczecin.pl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dokee.cn", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dosug.so", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "doubleglazingmelbourne.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dovizborsa.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "dsds-ltd.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "duboisinvestissements.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "e81365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "e82365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "eagar.com.au", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ecocuisinedesign.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ekimaeseitai.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "electricgatemotorsalberton.co.za", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "elherraderoloscabos.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "eliav.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "eonwavesstudio.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "epost.pub", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "eroticdinners.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "error418.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "estalinas.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "eumananc.ro", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ev-menden.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "evolutionbiote.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "express-hosting.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "expressioncoffins.com.au", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "f81365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "f82365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "fafro.eu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "fantastici.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "fantasybet.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "fascat.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "faydali.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "fed-shashek.spb.ru", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ferestre-bucuresti.ro", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ferfer.ga", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "festizen.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ff2k.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "finn-thorben.me", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "fishingplaces.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "fiyatgrafik.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "flugrecht.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "fourwaysplumber24-7.co.za", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "freeinfos.fr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "fundamentalsofaccounting.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "funidelia-tr.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "funidelia.at", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "funidelia.be", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "funidelia.bg", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "funidelia.ca", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "funidelia.ch", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "funidelia.cl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "funidelia.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "funidelia.co.il", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "funidelia.co.nz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "funidelia.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "funidelia.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "funidelia.com.ar", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "funidelia.com.au", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "funidelia.com.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "funidelia.com.ua", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "funidelia.cz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "funidelia.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "funidelia.dk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "funidelia.ee", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "funidelia.es", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "funidelia.fi", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "funidelia.fr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "funidelia.gr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "funidelia.hk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "funidelia.hr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "funidelia.hu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "funidelia.id", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "funidelia.ie", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "funidelia.in", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "funidelia.is", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "funidelia.it", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "funidelia.kr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "funidelia.lt", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "funidelia.lu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "funidelia.lv", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "funidelia.mx", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "funidelia.my", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "funidelia.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "funidelia.no", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "funidelia.ph", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "funidelia.pt", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "funidelia.ro", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "funidelia.rs", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "funidelia.ru", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "funidelia.sg", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "funidelia.si", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "funidelia.sk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "g81365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "g82365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "gad.co.id", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "gadgetflip.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "gamberorotto.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "genoveve.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "gentlent.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "gentlent.info", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "gentlent.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "gentlent.us", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "germistonplumber24-7.co.za", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "gfw.ro", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "gooch.io", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "goodgame.lt", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "grahamleeonline.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "grahamsgifts.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "grand-sity.ru", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "grillfocused.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "groundsdirect.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "gununsesi.info", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "gununsesi.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "h81365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "h82365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "habitatetbatiment.fr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hankoreas.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hazelhof.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hebamme-ebersberg.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hegartymaths.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hitflow.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hjelpemiddeldatabasen.no", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "homemdeferro.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hoopshabit.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "hpic.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "i36588.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "i81365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "i82365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ihredls.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ilovemychi.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "imine.ru", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "imphotep.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "incisivea.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "inclusiv.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "indexer.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "infopico.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "innoteknology.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "inu.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "irina-beauty.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "itemmc.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ivolunteer.com.ph", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "j81365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "j82365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "jamesxu.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "janv.it", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "jesecharlie.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "jessecharley.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "jessecharli.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "jessicharlie.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "jessycharlie.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "jesuscnasistente.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "jonaskoeritz.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "joostbovee.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "jordywijman.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "josien.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "jsfloydlaw.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "json2bot.chat", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "jupiterchiropractic.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k123123.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k234234.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k81365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "k82365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "karmaful.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "katio.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kbst.se", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kelapagading.co.id", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kevinfumbles.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kevinrousseeuw.be", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kgcarpetandupholsterycleaning.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kirche-sankt-augustin.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kiwitastic.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kkk101.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kkk102.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kkk104.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kkk106.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kkk109.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kkk201.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kkk202.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kkk203.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kkk204.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kkk208.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kkk209.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kleinveefokkerij.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "klil.co.il", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kreativoweb.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kst-dlvr.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "kwadraadtevredenheid.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "l51365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "l81365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "l82365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lagaia.com.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "langjp.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "laobayy.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lasercareestetica.com.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "latvijashipoteka.lv", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "laylo.io", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lc-suites.gr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "leakplay.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "leatherwill.com.ua", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lebeachvillage.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "leftbankdesign.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lemat.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "levis.fun", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lifeeducationqld.org.au", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lifestylediet.space", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lifetimeexteriors-us.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lipobattery.pl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "locationfontaine.fr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lojastec.com.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lornabenes.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "louiscap.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "loveni.me", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lovessentials.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lovink.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lowend.cn", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lps.in.ua", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lums.se", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lunatic.red", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lunivertdelyne.fr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "luxeturf.com.au", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "lytemedical.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "m81365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "m82365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "maaret.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "macx.cc", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mafia-penguin.club", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "magen.in", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "magicafacil.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "maigesellschaft-lammersdorf.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "makelinks.online", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "makepro.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mariasandoli.com.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "marshallpeak.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mattcronin.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mau.chat", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mau.life", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "maxiglobal.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mczone.su", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "meekhak.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "meinephbern.ch", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "meldpuntemma.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "melento.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "metadedi.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "microcyber.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mijnkwadraad.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mirjamderijk.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "misstika-bijoux.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mjbulgaria.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mjdmetal.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mnlfnet.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "moca-2081.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "moca-2082.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "montenegro-yacht.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "moviestrendingnow.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mpath.health", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "multixvideo.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "musicvideo.club", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mycodes.com.au", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mytrinity.com.ua", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "mzb.company", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "n81365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "n82365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "najfilmy.eu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nashikmatka.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nellydallois.fr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "newspaper-myapp.herokuapp.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "niederalt.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nlc.org.au", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nopaincenter.ro", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "npu.best", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "nunu.io", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "o81365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "o82365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "oakshield.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ofertaviva.com.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ohari5336.in", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ohya8.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "onebestdeal.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "oosm.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "open.film", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "openreel.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "oqrqtn7ynmgc7qrgwd-ubhdvfiymfbjrh5ethdti8.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "oyk13tyuj8ljpete31edj2tes-9if7bi.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "p81365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "p82365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "panamarealestatebrokers.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pansino.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "parkercs.tech", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "parketdoska.ua", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "patentchallenges.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "paulineetaugustin.fr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pcrabme.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "peer.travel", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pepkey.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "peter-r.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pheroforce.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "photoshop-tipps-und-tricks.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "piferdal.pt", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pilatespt.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pistonpowered.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pixiin.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "plezantforum.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "plus-immo-neuf.fr", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pmccrystal.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pmcorganometallix.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pmcouvrie.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pmcvinyladditives.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pnfc.re", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pokemongostatus.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "povarchik.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "powerplantmall.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "printmet.ru", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "projectmaka.io", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "protic.online", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "provakil.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pspbar.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pumpn.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "punchadragon.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "punematka.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pursuingoutdoors.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "pwg-see.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "q81365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "q82365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "qpaypro.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "qualiacomputers.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "r81365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "r82365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "rainbowswingers.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "recoveryunpluggedtreatment.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "redinational.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "regazofotografia.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "remny.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "rentandamiosycasetas.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "requezmc.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "rijsinkunst.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "risoscotti.es", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "riverotravel.cl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "rocmartialartsacademy.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "roleplaybdsm.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "rosihui.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "rouair.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "rswebsols.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "rt.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "rthe.cn", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "s81365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "s82365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sait.at", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "saito-koken.co.jp", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "saltyfish.tech", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sandton-plumbing.co.za", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "savejobsshoplocal.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "scheidingspuntlansingerland.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "scholz-kallies.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "scriptic.xyz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "securityhandbook.cz", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sensivo.eu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sheltieplanet.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "shoejitsu.co", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "shorifart.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sindominio.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "skydiverecuador.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "skypefr.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "slalix.cc", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "smmpanelweb.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "smoqerhome.ddns.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "soaringdownsouth.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sodo.top", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "solidnetwork.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "solidrop.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "specdver.ru", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "speeder.best", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "speederss.best", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sportswear.by", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "springfield-ohio-post.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "spteam.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ssccp.in", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sschd.cc", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "stevenapate.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "studiekort.se", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "studiekortet.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "studiekortet.eu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "studiekortet.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "studiekortet.nu", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "studiekortet.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "studiekortet.se", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "suricate.ru", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "swcloud.io", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "swipedon.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "sydneybamboo.com.au", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "szuecs.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "t81365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "t82365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tableturnrms.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "talkmojang.club", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tas.best", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "teamfilm.tk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tecfleet.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "techsmartstore.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "teddykatz.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "templars.army", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "thaiwaterbirds.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "the1way.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "theawesomemuse.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "thenextasset.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "therapyconnects.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "time-craft.su", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "timothysykes.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tipplist.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tnd.com.ar", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "toabetteryou.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tokyotimeline.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "topanimecharacters.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "torlinnhe.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tornadotwistar.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "traditionalturk.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "trainoclock.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "transvolando.es", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "treezone.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "trelloparea.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "trenorario.it", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "tuchile.cl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "u81365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "u82365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "udiregelverk.no", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ugrod.ru", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "unibag.cl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "unifashion.ro", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "uninutri.com.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "universeit.mx", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "v55565.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "v55569.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "v55580.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "v55593.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "v66233.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "v66255.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "v66557.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "v66615.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "v81365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "v82365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "v88511.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "v88522.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "v9285.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "v9289.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "v9812.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "valutienda.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vectordtg.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vegner.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "verymetal.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vibgyorhigh.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "viceversa2013.org", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "videograb.ml", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "villa-luna.it", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "villaville.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "visitrainscounty.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "visto.cl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vixonline.com.br", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "vsec.co.il", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "w3scan.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "w66001.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "w81365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "w82365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "weddingwire.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "wewitro.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "wewitro.net", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "whafs.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "whatisthebestflag.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "wispyon.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "wittgen-kfz-technik.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "wjsh.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "worcesterpethydrotherapy.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "worcestervetsreferrals.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "wordfence.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "workinghardinit.work", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "workinnorway.no", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "worldwaterprojects.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "wouterbruijning.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "wprecommend.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "wpresscoder.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "wvpventures.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "x81365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "x82365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "xfzhao.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "xn--80abwhtbgbedcy6h.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "y81365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "y82365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "yangshangzhen.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "yify.online", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ym14.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "ytsdownload.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "yumepolo.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "z81365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "z82365.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zahnarztpraxis-rusch.de", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zakrentus-ostrus.space", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zecuur.nl", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zenavita.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zoedale.co.uk", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zubar.bg", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
+    { "name": "zyellowbox.com", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
     // END OF 1-YEAR BULK HSTS ENTRIES
 
     // Only eTLD+1 domains can be submitted automatically to hstspreload.org,
@@ -86038,6 +90946,7 @@
     { "name": "weeblrpress.com", "policy": "custom", "mode": "force-https", "include_subdomains": true },
     { "name": "photistic.org", "policy": "custom", "mode": "force-https", "include_subdomains": true },
     { "name": "cortis-consulting.ch", "policy": "custom", "mode": "force-https", "include_subdomains": true },
+    { "name": "tumblr.com", "policy": "custom", "mode": "force-https", "include_subdomains": true },
     // Burton domains (contact: burton at typewritten.net)
     { "name": "typewritten.net", "policy": "custom", "mode": "force-https", "include_subdomains": true },
     { "name": "codebreaking.org", "policy": "custom", "mode": "force-https", "include_subdomains": true },
@@ -86052,7 +90961,6 @@
     { "name": "www.ft.com", "policy": "custom", "mode": "force-https", "include_subdomains": true },
     { "name": "va.gov", "policy": "custom", "mode": "force-https", "include_subdomains": false },
     { "name": "gov.uk", "policy": "custom", "mode": "force-https", "include_subdomains": false },
-    { "name": "www.tumblr.com", "policy": "custom", "mode": "force-https", "include_subdomains": false },
     // HPKP
     { "name": "swehack.org", "policy": "custom", "mode": "force-https", "include_subdomains": true, "pins": "swehackCom" },
     // TODO(elawrence): hstspreload.org can't scan IPv6-only sites due to Google
@@ -86064,6 +90972,7 @@
     { "name": "mysa.is", "policy": "custom", "mode": "force-https", "include_subdomains": true },
     { "name": "vensl.org", "policy": "custom", "mode": "force-https", "include_subdomains": true },
     { "name": "aaron-schaal.de", "policy": "custom", "mode": "force-https", "include_subdomains": true },
+    { "name": "as204982.net", "policy": "custom", "mode": "force-https", "include_subdomains": true },
     // Expect-CT
     {
       "name": "crt.sh", "policy": "custom",
@@ -86385,6 +91294,52 @@
     { "name": "waverlytn.gov", "policy": "public-suffix-requested", "mode": "force-https", "include_subdomains": true },
     { "name": "wilderky.gov", "policy": "public-suffix-requested", "mode": "force-https", "include_subdomains": true },
     { "name": "williamscountyoh.gov", "policy": "public-suffix-requested", "mode": "force-https", "include_subdomains": true },
+    { "name": "ceredowv.gov", "policy": "public-suffix-requested", "mode": "force-https", "include_subdomains": true },
+    { "name": "logancountyky.gov", "policy": "public-suffix-requested", "mode": "force-https", "include_subdomains": true },
+    { "name": "frederickmd.gov", "policy": "public-suffix-requested", "mode": "force-https", "include_subdomains": true },
+    { "name": "humboldtcountynv.gov", "policy": "public-suffix-requested", "mode": "force-https", "include_subdomains": true },
+    { "name": "louisvillene.gov", "policy": "public-suffix-requested", "mode": "force-https", "include_subdomains": true },
+    { "name": "sharpsburg-ga.gov", "policy": "public-suffix-requested", "mode": "force-https", "include_subdomains": true },
+    { "name": "clarksburgma.gov", "policy": "public-suffix-requested", "mode": "force-https", "include_subdomains": true },
+    { "name": "votelevy.gov", "policy": "public-suffix-requested", "mode": "force-https", "include_subdomains": true },
+    { "name": "waynecountyoh.gov", "policy": "public-suffix-requested", "mode": "force-https", "include_subdomains": true },
+    { "name": "northbayvillage-fl.gov", "policy": "public-suffix-requested", "mode": "force-https", "include_subdomains": true },
+    { "name": "republicanleader.gov", "policy": "public-suffix-requested", "mode": "force-https", "include_subdomains": true },
+    { "name": "republicanwhip.gov", "policy": "public-suffix-requested", "mode": "force-https", "include_subdomains": true },
+    { "name": "woodridgeil.gov", "policy": "public-suffix-requested", "mode": "force-https", "include_subdomains": true },
+    { "name": "centretownshipin.gov", "policy": "public-suffix-requested", "mode": "force-https", "include_subdomains": true },
+    { "name": "rehobothma.gov", "policy": "public-suffix-requested", "mode": "force-https", "include_subdomains": true },
+    { "name": "cowcreek-nsn.gov", "policy": "public-suffix-requested", "mode": "force-https", "include_subdomains": true },
+    { "name": "riversideiowa.gov", "policy": "public-suffix-requested", "mode": "force-https", "include_subdomains": true },
+    { "name": "pickawaycountyohio.gov", "policy": "public-suffix-requested", "mode": "force-https", "include_subdomains": true },
+    { "name": "ohiot21.gov", "policy": "public-suffix-requested", "mode": "force-https", "include_subdomains": true },
+    { "name": "ohiotobacco21.gov", "policy": "public-suffix-requested", "mode": "force-https", "include_subdomains": true },
+    { "name": "bridgercanyonfiremt.gov", "policy": "public-suffix-requested", "mode": "force-https", "include_subdomains": true },
+    { "name": "militaryaviationsafety.gov", "policy": "public-suffix-requested", "mode": "force-https", "include_subdomains": true },
+    { "name": "landoverhillsmd.gov", "policy": "public-suffix-requested", "mode": "force-https", "include_subdomains": true },
+    { "name": "myoregon.gov", "policy": "public-suffix-requested", "mode": "force-https", "include_subdomains": true },
+    { "name": "texasready.gov", "policy": "public-suffix-requested", "mode": "force-https", "include_subdomains": true },
+    { "name": "clayelections.gov", "policy": "public-suffix-requested", "mode": "force-https", "include_subdomains": true },
+    { "name": "findtreatment.gov", "policy": "public-suffix-requested", "mode": "force-https", "include_subdomains": true },
+    { "name": "tiogacountyny.gov", "policy": "public-suffix-requested", "mode": "force-https", "include_subdomains": true },
+    { "name": "waverlypa.gov", "policy": "public-suffix-requested", "mode": "force-https", "include_subdomains": true },
+    { "name": "whitepinetn.gov", "policy": "public-suffix-requested", "mode": "force-https", "include_subdomains": true },
+    { "name": "esatn.gov", "policy": "public-suffix-requested", "mode": "force-https", "include_subdomains": true },
+    { "name": "lickingcounty.gov", "policy": "public-suffix-requested", "mode": "force-https", "include_subdomains": true },
+    { "name": "brookscountyga.gov", "policy": "public-suffix-requested", "mode": "force-https", "include_subdomains": true },
+    { "name": "huntsvillealtransit.gov", "policy": "public-suffix-requested", "mode": "force-https", "include_subdomains": true },
+    { "name": "jenkinscountyga.gov", "policy": "public-suffix-requested", "mode": "force-https", "include_subdomains": true },
+    { "name": "ohiostateparks.gov", "policy": "public-suffix-requested", "mode": "force-https", "include_subdomains": true },
+    { "name": "summitcountyboe.gov", "policy": "public-suffix-requested", "mode": "force-https", "include_subdomains": true },
+    { "name": "townofpolk-wi.gov", "policy": "public-suffix-requested", "mode": "force-https", "include_subdomains": true },
+    { "name": "aselectionoffice.gov", "policy": "public-suffix-requested", "mode": "force-https", "include_subdomains": true },
+    { "name": "harpersvilleal.gov", "policy": "public-suffix-requested", "mode": "force-https", "include_subdomains": true },
+    { "name": "whdpc.gov", "policy": "public-suffix-requested", "mode": "force-https", "include_subdomains": true },
+    { "name": "boonecountyfpdmo.gov", "policy": "public-suffix-requested", "mode": "force-https", "include_subdomains": true },
+    { "name": "votemarion.gov", "policy": "public-suffix-requested", "mode": "force-https", "include_subdomains": true },
+    { "name": "everykidoutdoors.gov", "policy": "public-suffix-requested", "mode": "force-https", "include_subdomains": true },
+    { "name": "medinacountyohio.gov", "policy": "public-suffix-requested", "mode": "force-https", "include_subdomains": true },
+    { "name": "buyamerican.gov", "policy": "public-suffix-requested", "mode": "force-https", "include_subdomains": true },
     { "name": "bmoattachments.org", "policy": "public-suffix-requested", "mode": "force-https", "include_subdomains": true },
     // END OF ETLD-OWNER REQUESTED ENTRIES
 
diff --git a/chromium/net/http/transport_security_state_unittest.cc b/chromium/net/http/transport_security_state_unittest.cc
index e40e7495c58..6d08d43c06d 100644
--- a/chromium/net/http/transport_security_state_unittest.cc
+++ b/chromium/net/http/transport_security_state_unittest.cc
@@ -2736,9 +2736,6 @@ TEST_F(TransportSecurityStateStaticTest, Preloaded) {
   EXPECT_TRUE(StaticShouldRedirect("uprotect.it"));
   EXPECT_TRUE(StaticShouldRedirect("foo.uprotect.it"));
 
-  EXPECT_TRUE(StaticShouldRedirect("squareup.com"));
-  EXPECT_FALSE(HasStaticState("foo.squareup.com"));
-
   EXPECT_TRUE(StaticShouldRedirect("cert.se"));
   EXPECT_TRUE(StaticShouldRedirect("foo.cert.se"));
 
diff --git a/chromium/net/http2/platform/impl/http2_ptr_util_impl.h b/chromium/net/http2/platform/impl/http2_ptr_util_impl.h
deleted file mode 100644
index af84848b11f..00000000000
--- a/chromium/net/http2/platform/impl/http2_ptr_util_impl.h
+++ /dev/null
@@ -1,20 +0,0 @@
-// Copyright 2018 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef NET_HTTP2_PLATFORM_IMPL_HTTP2_PTR_UTIL_IMPL_H_
-#define NET_HTTP2_PLATFORM_IMPL_HTTP2_PTR_UTIL_IMPL_H_
-
-#include <memory>
-#include <utility>
-
-namespace http2 {
-
-template <typename T, typename... Args>
-std::unique_ptr<T> Http2MakeUniqueImpl(Args&&... args) {
-  return std::make_unique<T>(std::forward<Args>(args)...);
-}
-
-}  // namespace http2
-
-#endif  // NET_HTTP2_PLATFORM_IMPL_HTTP2_PTR_UTIL_IMPL_H_
diff --git a/chromium/net/http2/platform/impl/http2_string_utils_impl.h b/chromium/net/http2/platform/impl/http2_string_utils_impl.h
index 3bd8be70d1b..4dd894b83a4 100644
--- a/chromium/net/http2/platform/impl/http2_string_utils_impl.h
+++ b/chromium/net/http2/platform/impl/http2_string_utils_impl.h
@@ -41,7 +41,10 @@ inline std::string Http2HexEncodeImpl(const void* bytes, size_t size) {
 }
 
 inline std::string Http2HexDecodeImpl(Http2StringPiece data) {
-  return net::HexDecode(data);
+  std::string result;
+  if (!base::HexStringToString(data, &result))
+    result.clear();
+  return result;
 }
 
 inline std::string Http2HexDumpImpl(Http2StringPiece data) {
diff --git a/chromium/net/log/file_net_log_observer_unittest.cc b/chromium/net/log/file_net_log_observer_unittest.cc
index 86c99c052aa..cd97ab898ef 100644
--- a/chromium/net/log/file_net_log_observer_unittest.cc
+++ b/chromium/net/log/file_net_log_observer_unittest.cc
@@ -15,6 +15,7 @@
 #include "base/files/scoped_temp_dir.h"
 #include "base/json/json_reader.h"
 #include "base/json/json_writer.h"
+#include "base/strings/string_number_conversions.h"
 #include "base/strings/string_util.h"
 #include "base/strings/stringprintf.h"
 #include "base/task/thread_pool/thread_pool_instance.h"
@@ -28,6 +29,7 @@
 #include "net/log/net_log_source_type.h"
 #include "net/log/net_log_util.h"
 #include "net/log/net_log_values.h"
+#include "net/log/test_net_log.h"
 #include "net/test/test_with_task_environment.h"
 #include "net/url_request/url_request.h"
 #include "net/url_request/url_request_context.h"
@@ -79,7 +81,7 @@ void AddEntries(FileNetLogObserver* logger,
 
   for (int i = 0; i < num_entries; i++) {
     source = NetLogSource(NetLogSourceType::HTTP2_SESSION, i);
-    std::string id = std::to_string(i);
+    std::string id = base::NumberToString(i);
 
     // String size accounts for the number of digits in id so that all events
     // are the same size.
@@ -281,7 +283,7 @@ class FileNetLogObserverTest : public ::testing::TestWithParam<bool>,
   }
 
  protected:
-  NetLog net_log_;
+  TestNetLog net_log_;
   std::unique_ptr<FileNetLogObserver> logger_;
   base::ScopedTempDir temp_dir_;
   base::ScopedTempDir scratch_dir_;  // used for bounded + preexisting
@@ -319,7 +321,7 @@ class FileNetLogObserverBoundedTest : public ::testing::Test,
 
   base::FilePath GetEventFilePath(int index) const {
     return GetInprogressDirectory().AppendASCII(
-        "event_file_" + std::to_string(index) + ".json");
+        "event_file_" + base::NumberToString(index) + ".json");
   }
 
   base::FilePath GetEndNetlogPath() const {
@@ -332,7 +334,7 @@ class FileNetLogObserverBoundedTest : public ::testing::Test,
 
 
  protected:
-  NetLog net_log_;
+  TestNetLog net_log_;
   std::unique_ptr<FileNetLogObserver> logger_;
   base::FilePath log_path_;
 
@@ -341,7 +343,7 @@ class FileNetLogObserverBoundedTest : public ::testing::Test,
 };
 
 // Instantiates each FileNetLogObserverTest to use bounded and unbounded modes.
-INSTANTIATE_TEST_SUITE_P(,
+INSTANTIATE_TEST_SUITE_P(All,
                          FileNetLogObserverTest,
                          ::testing::Values(true, false));
 
diff --git a/chromium/net/log/net_log.cc b/chromium/net/log/net_log.cc
index 7afade5334b..b9c16211528 100644
--- a/chromium/net/log/net_log.cc
+++ b/chromium/net/log/net_log.cc
@@ -4,6 +4,7 @@
 
 #include "net/log/net_log.h"
 
+#include "base/no_destructor.h"
 #include "base/strings/string_number_conversions.h"
 #include "base/values.h"
 #include "net/log/net_log_values.h"
@@ -29,12 +30,18 @@ NetLog* NetLog::ThreadSafeObserver::net_log() const {
   return net_log_;
 }
 
-NetLog::NetLog() : last_id_(0), observer_capture_modes_(0) {}
-
-NetLog::~NetLog() {
-  MarkDead();
+// static
+NetLog* NetLog::Get() {
+  static base::NoDestructor<NetLog> instance{util::PassKey<NetLog>()};
+  return instance.get();
 }
 
+NetLog::NetLog(util::PassKey<NetLog>) {}
+NetLog::NetLog(util::PassKey<NetLogWithSource>) {}
+NetLog::NetLog(util::PassKey<TestNetLog>) {}
+
+NetLog::~NetLog() = default;
+
 void NetLog::AddEntry(NetLogEventType type,
                       const NetLogSource& source,
                       NetLogEventPhase phase) {
diff --git a/chromium/net/log/net_log.h b/chromium/net/log/net_log.h
index fe2b4cfb7be..cd17430c5e8 100644
--- a/chromium/net/log/net_log.h
+++ b/chromium/net/log/net_log.h
@@ -15,6 +15,7 @@
 #include "base/macros.h"
 #include "base/synchronization/lock.h"
 #include "base/time/time.h"
+#include "base/util/type_safety/pass_key.h"
 #include "build/build_config.h"
 #include "net/base/net_export.h"
 #include "net/log/net_log_capture_mode.h"
@@ -29,6 +30,9 @@ class Value;
 
 namespace net {
 
+class NetLogWithSource;
+class TestNetLog;
+
 // NetLog is the destination for log messages generated by the network stack.
 // Each log message has a "source" field which identifies the specific entity
 // that generated the message (for example, which URLRequest or which
@@ -136,7 +140,25 @@ class NET_EXPORT NetLog {
     DISALLOW_COPY_AND_ASSIGN(ThreadSafeObserver);
   };
 
-  NetLog();
+  // Returns the singleton NetLog object, which is never destructed and which
+  // may be used on any thread.
+  static NetLog* Get();
+
+  // NetLog should only be used through the singleton returned by Get(), the
+  // constructor takes a PassKey to ensure that additional NetLog objects
+  // cannot be created.
+  explicit NetLog(util::PassKey<NetLog>);
+
+  // NetLogWithSource creates a dummy NetLog as an internal optimization.
+  explicit NetLog(util::PassKey<NetLogWithSource>);
+
+  // Allow TestNetLog so test cases can create scoped lifetime NetLog objects.
+  // TODO(crbug.com/177538): Remove TestNetLog class, make tests use the global
+  // NetLog.
+  explicit NetLog(util::PassKey<TestNetLog>);
+
+  // TODO(crbug.com/177538): make the destructor = delete once there are no
+  // tests instantiating TestNetLogs.
   virtual ~NetLog();
 
   void AddEntry(NetLogEventType type,
@@ -229,7 +251,6 @@ class NET_EXPORT NetLog {
   // TODO(eroman): Survey current callsites; most are probably not necessary,
   // and may even be harmful.
   bool IsCapturing() const {
-    CheckAlive();
     return GetObserverCaptureModes() != 0;
   }
 
@@ -321,33 +342,17 @@ class NET_EXPORT NetLog {
   // be called while |lock_| is already held.
   bool HasObserver(ThreadSafeObserver* observer);
 
-  // In debug and ASAN builds, verify that the NetLog is not used while free.
-  // This is a regression test for https://crbug.com/983298.
-#if defined(ADDRESS_SANITIZER) || !defined(NDEBUG)
-  static constexpr int kAliveToken = 0xDEADBEEF;
-
-  inline void CheckAlive() const { CHECK_EQ(alive_, kAliveToken); }
-  inline void MarkDead() {
-    CheckAlive();
-    alive_ = 0;
-  }
-  int alive_ = kAliveToken;
-#else
-  inline void CheckAlive() const {}
-  inline void MarkDead() {}
-#endif
-
   // |lock_| protects access to |observers_|.
   base::Lock lock_;
 
   // Last assigned source ID.  Incremented to get the next one.
-  base::subtle::Atomic32 last_id_;
+  base::subtle::Atomic32 last_id_ = 0;
 
   // Holds the set of all capture modes that observers are watching the log at.
   //
   // Is 0 when there are no observers. Stored as an Atomic32 so it can be
   // accessed and updated more efficiently.
-  base::subtle::Atomic32 observer_capture_modes_;
+  base::subtle::Atomic32 observer_capture_modes_ = 0;
 
   // |observers_| is a list of observers, ordered by when they were added.
   // Pointers contained in |observers_| are non-owned, and must
diff --git a/chromium/net/log/net_log_event_type_list.h b/chromium/net/log/net_log_event_type_list.h
index ccd0b77307e..6ae3a67b9c9 100644
--- a/chromium/net/log/net_log_event_type_list.h
+++ b/chromium/net/log/net_log_event_type_list.h
@@ -48,11 +48,13 @@ EVENT_TYPE(REQUEST_ALIVE)
 //
 //   {
 //     "host": <Hostname associated with the request>,
-//     "address_family": <The address family to restrict results to>,
+//     "dns_query_type": <The type of the DNS query>,
 //     "allow_cached_response": <Whether it is ok to return a result from
 //                               the host cache>,
 //     "is_speculative": <Whether this request was started by the DNS
 //                        prefetcher>
+//     "network_isolation_key": <NetworkIsolationKey associated with the
+//                               request>
 //   }
 //
 // If an error occurred, the END phase will contain these parameters:
@@ -822,6 +824,7 @@ EVENT_TYPE(SOCKET_POOL_CONNECTING_N_SOCKETS)
 //      "method": <The method ("POST" or "GET" or "HEAD" etc..)>,
 //      "load_flags": <Numeric value of the combined load flags>,
 //      "privacy_mode": <True if privacy mode is enabled for the request>
+//      "network_isolation_key": <NIK associated with the request>
 //      "priority": <Numeric priority of the request>,
 //      "traffic_annotation": <int32 for the request's TrafficAnnotationTag>,
 //      "upload_id" <String of upload body identifier, if present>,
@@ -2095,6 +2098,74 @@ EVENT_TYPE(QUIC_SESSION_MAX_STREAMS_FRAME_SENT)
 //  }
 EVENT_TYPE(QUIC_SESSION_MAX_STREAMS_FRAME_RECEIVED)
 
+// Session sent a PADDING frame.
+//  {
+//    "num_padding_bytes": <The number of padding bytes>
+//  }
+EVENT_TYPE(QUIC_SESSION_PADDING_FRAME_SENT)
+
+// Session received a PADDING frame.
+//  {
+//    "num_padding_bytes": <The number of padding bytes>
+//  }
+EVENT_TYPE(QUIC_SESSION_PADDING_FRAME_RECEIVED)
+
+// Session sent a NEW_CONNECITON_ID frame.
+//  {
+//    "connection_id": <The new connection id>
+//    "sequencer_number": <Connection id sequence number that specifies the
+//    order that connection ids must be used in.>
+//    "retire_prior_to": <retire prior to>
+//  }
+EVENT_TYPE(QUIC_SESSION_NEW_CONNECTION_ID_FRAME_SENT)
+
+// Session received a NEW_CONNECITON_ID frame.
+//  {
+//    "connection_id": <The new connection id>
+//    "sequence_number": <Connection id sequence number that specifies the
+//    order that connection ids must be used in.>
+//    "retire_prior_to": <retire prior to>
+//  }
+EVENT_TYPE(QUIC_SESSION_NEW_CONNECTION_ID_FRAME_RECEIVED)
+
+// Session sent a NEW_TOKEN frame.
+//  {
+//    "token": <String representation of the token>
+//  }
+EVENT_TYPE(QUIC_SESSION_NEW_TOKEN_FRAME_SENT)
+
+// Session received a NEW_TOKEN frame.
+//  {
+//    "token": <String representation of the token>
+//  }
+EVENT_TYPE(QUIC_SESSION_NEW_TOKEN_FRAME_RECEIVED)
+
+// Session sent a RETIRE_CONNECTION_ID frame.
+//  {
+//    "sequence_number": <Connection id sequence number that specifies the
+//    order that connection ids must be used in.>
+//  }
+EVENT_TYPE(QUIC_SESSION_RETIRE_CONNECTION_ID_FRAME_SENT)
+
+// Session received a RETIRE_CONNECTION_ID frame.
+//  {
+//    "sequence_number": <Connection id sequence number that specifies the
+//    order that connection ids must be used in.>
+//  }
+EVENT_TYPE(QUIC_SESSION_RETIRE_CONNECTION_ID_FRAME_RECEIVED)
+
+// Session sent a MESSAGE frame.
+//  {
+//    "message_length": <the length of the message>
+//  }
+EVENT_TYPE(QUIC_SESSION_MESSAGE_FRAME_SENT)
+
+// Session received a MESSAGE frame.
+//  {
+//    "message_length": <the length of the message>
+//  }
+EVENT_TYPE(QUIC_SESSION_MESSAGE_FRAME_RECEIVED)
+
 // ------------------------------------------------------------------------
 // QuicHttpStream
 // ------------------------------------------------------------------------
@@ -2739,7 +2810,11 @@ EVENT_TYPE(CERT_VERIFIER_REQUEST)
 //   "certificates": <A list of PEM encoded certificates, the first one
 //                    being the certificate to verify and the remaining
 //                    being intermediate certificates to assist path
-//                    building. Only present when byte logging is enabled.>
+//                    building.>
+//   "ocsp_response": <Optionally, a PEM encoded stapled OCSP response.>
+//   "sct_list": <Optionally, a PEM encoded SignedCertificateTimestampList.>
+//   "host": <The hostname verification is being performed for.>
+//   "verifier_flags": <The CertVerifier::VerifyFlags.>
 // }
 //
 // The END phase event parameters are:
diff --git a/chromium/net/log/net_log_unittest.cc b/chromium/net/log/net_log_unittest.cc
index bd7b0f7f1ea..fec3bda76be 100644
--- a/chromium/net/log/net_log_unittest.cc
+++ b/chromium/net/log/net_log_unittest.cc
@@ -36,7 +36,7 @@ base::Value NetCaptureModeParams(NetLogCaptureMode capture_mode) {
 }
 
 TEST(NetLogTest, Basic) {
-  TestNetLog net_log;
+  RecordingTestNetLog net_log;
   auto entries = net_log.GetEntries();
   EXPECT_EQ(0u, entries.size());
 
@@ -60,7 +60,7 @@ TEST(NetLogTest, CaptureModes) {
       NetLogCaptureMode::kEverything,
   };
 
-  TestNetLog net_log;
+  RecordingTestNetLog net_log;
 
   for (NetLogCaptureMode mode : kModes) {
     net_log.SetObserverCaptureMode(mode);
@@ -235,7 +235,7 @@ void RunTestThreads(NetLog* net_log) {
 
 // Makes sure that events on multiple threads are dispatched to all observers.
 TEST(NetLogTest, NetLogEventThreads) {
-  NetLog net_log;
+  TestNetLog net_log;
 
   // Attach some observers.  Since they're created after |net_log|, they'll
   // safely detach themselves on destruction.
@@ -256,7 +256,7 @@ TEST(NetLogTest, NetLogEventThreads) {
 
 // Test adding and removing a single observer.
 TEST(NetLogTest, NetLogAddRemoveObserver) {
-  NetLog net_log;
+  TestNetLog net_log;
   CountingObserver observer;
 
   AddEvent(&net_log);
@@ -298,7 +298,7 @@ TEST(NetLogTest, NetLogAddRemoveObserver) {
 
 // Test adding and removing two observers at different log levels.
 TEST(NetLogTest, NetLogTwoObservers) {
-  NetLog net_log;
+  TestNetLog net_log;
   LoggingObserver observer[2];
 
   // Add first observer.
@@ -354,7 +354,7 @@ TEST(NetLogTest, NetLogTwoObservers) {
 // Makes sure that adding and removing observers simultaneously on different
 // threads works.
 TEST(NetLogTest, NetLogAddRemoveObserverThreads) {
-  NetLog net_log;
+  TestNetLog net_log;
 
   // Run a bunch of threads to completion, each of which will repeatedly add
   // and remove an observer, and set its logging level.
diff --git a/chromium/net/log/net_log_util.cc b/chromium/net/log/net_log_util.cc
index 1254b6b7713..86077232bd5 100644
--- a/chromium/net/log/net_log_util.cc
+++ b/chromium/net/log/net_log_util.cc
@@ -19,6 +19,7 @@
 #include "net/base/address_family.h"
 #include "net/base/load_states.h"
 #include "net/base/net_errors.h"
+#include "net/cert/cert_verifier.h"
 #include "net/disk_cache/disk_cache.h"
 #include "net/dns/host_cache.h"
 #include "net/dns/host_resolver.h"
@@ -155,6 +156,20 @@ std::unique_ptr<base::DictionaryValue> GetNetConstants() {
     constants_dict->Set("certStatusFlag", std::move(dict));
   }
 
+  // Add a dictionary with information about the relationship between
+  // CertVerifier::VerifyFlags and their symbolic names.
+  {
+    std::unique_ptr<base::DictionaryValue> dict(new base::DictionaryValue());
+
+    dict->SetInteger("VERIFY_DISABLE_NETWORK_FETCHES",
+                     CertVerifier::VERIFY_DISABLE_NETWORK_FETCHES);
+
+    static_assert(CertVerifier::VERIFY_FLAGS_LAST == (1 << 0),
+                  "Update with new flags");
+
+    constants_dict->Set("certVerifierFlags", std::move(dict));
+  }
+
   // Add a dictionary with information about the relationship between load flag
   // enums and their symbolic names.
   {
diff --git a/chromium/net/log/net_log_util_unittest.cc b/chromium/net/log/net_log_util_unittest.cc
index a40d6c7d444..73ba2670b94 100644
--- a/chromium/net/log/net_log_util_unittest.cc
+++ b/chromium/net/log/net_log_util_unittest.cc
@@ -65,7 +65,7 @@ TEST(NetLogUtil, CreateNetLogEntriesForActiveObjectsOneContext) {
   // Using same context for each iteration makes sure deleted requests don't
   // appear in the list, or result in crashes.
   TestURLRequestContext context(true);
-  NetLog net_log;
+  TestNetLog net_log;
   context.set_net_log(&net_log);
   context.Init();
   TestDelegate delegate;
@@ -78,7 +78,7 @@ TEST(NetLogUtil, CreateNetLogEntriesForActiveObjectsOneContext) {
     }
     std::set<URLRequestContext*> contexts;
     contexts.insert(&context);
-    TestNetLog test_net_log;
+    RecordingTestNetLog test_net_log;
     CreateNetLogEntriesForActiveObjects(contexts, test_net_log.GetObserver());
     auto entry_list = test_net_log.GetEntries();
     ASSERT_EQ(num_requests, entry_list.size());
@@ -96,7 +96,7 @@ TEST(NetLogUtil, CreateNetLogEntriesForActiveObjectsMultipleContexts) {
 
   TestDelegate delegate;
   for (size_t num_requests = 0; num_requests < 5; ++num_requests) {
-    NetLog net_log;
+    TestNetLog net_log;
     std::vector<std::unique_ptr<TestURLRequestContext>> contexts;
     std::vector<std::unique_ptr<URLRequest>> requests;
     std::set<URLRequestContext*> context_set;
@@ -109,7 +109,7 @@ TEST(NetLogUtil, CreateNetLogEntriesForActiveObjectsMultipleContexts) {
           contexts[i]->CreateRequest(GURL("about:hats"), DEFAULT_PRIORITY,
                                      &delegate, TRAFFIC_ANNOTATION_FOR_TESTS));
     }
-    TestNetLog test_net_log;
+    RecordingTestNetLog test_net_log;
     CreateNetLogEntriesForActiveObjects(context_set,
                                         test_net_log.GetObserver());
     auto entry_list = test_net_log.GetEntries();
diff --git a/chromium/net/log/net_log_with_source.cc b/chromium/net/log/net_log_with_source.cc
index 3b36b5f339b..9e9575c856b 100644
--- a/chromium/net/log/net_log_with_source.cc
+++ b/chromium/net/log/net_log_with_source.cc
@@ -8,6 +8,7 @@
 #include <utility>
 
 #include "base/logging.h"
+#include "base/no_destructor.h"
 #include "base/values.h"
 #include "net/base/net_errors.h"
 #include "net/log/net_log.h"
@@ -42,9 +43,9 @@ NetLogWithSource::NetLogWithSource() {
   // The "dummy" net log used here will always return false for IsCapturing(),
   // and have no sideffects should its method be called. In practice the only
   // method that will get called on it is IsCapturing().
-  static NetLog* dummy = new NetLog();
+  static base::NoDestructor<NetLog> dummy{util::PassKey<NetLogWithSource>()};
   DCHECK(!dummy->IsCapturing());
-  non_null_net_log_ = dummy;
+  non_null_net_log_ = dummy.get();
 }
 
 NetLogWithSource::~NetLogWithSource() {}
diff --git a/chromium/net/log/test_net_log.cc b/chromium/net/log/test_net_log.cc
index 0bb9ab11a39..2021c538201 100644
--- a/chromium/net/log/test_net_log.cc
+++ b/chromium/net/log/test_net_log.cc
@@ -14,15 +14,18 @@
 
 namespace net {
 
-TestNetLog::TestNetLog() {
+TestNetLog::TestNetLog() : NetLog(util::PassKey<TestNetLog>()) {}
+TestNetLog::~TestNetLog() = default;
+
+RecordingTestNetLog::RecordingTestNetLog() {
   AddObserver(this, NetLogCaptureMode::kIncludeSensitive);
 }
 
-TestNetLog::~TestNetLog() {
+RecordingTestNetLog::~RecordingTestNetLog() {
   RemoveObserver(this);
 }
 
-std::vector<NetLogEntry> TestNetLog::GetEntries() const {
+std::vector<NetLogEntry> RecordingTestNetLog::GetEntries() const {
   base::AutoLock lock(lock_);
   std::vector<NetLogEntry> result;
   for (const auto& entry : entry_list_)
@@ -30,7 +33,7 @@ std::vector<NetLogEntry> TestNetLog::GetEntries() const {
   return result;
 }
 
-std::vector<NetLogEntry> TestNetLog::GetEntriesForSource(
+std::vector<NetLogEntry> RecordingTestNetLog::GetEntriesForSource(
     NetLogSource source) const {
   base::AutoLock lock(lock_);
   std::vector<NetLogEntry> result;
@@ -41,7 +44,7 @@ std::vector<NetLogEntry> TestNetLog::GetEntriesForSource(
   return result;
 }
 
-std::vector<NetLogEntry> TestNetLog::GetEntriesWithType(
+std::vector<NetLogEntry> RecordingTestNetLog::GetEntriesWithType(
     NetLogEventType type) const {
   base::AutoLock lock(lock_);
   std::vector<NetLogEntry> result;
@@ -52,17 +55,17 @@ std::vector<NetLogEntry> TestNetLog::GetEntriesWithType(
   return result;
 }
 
-size_t TestNetLog::GetSize() const {
+size_t RecordingTestNetLog::GetSize() const {
   base::AutoLock lock(lock_);
   return entry_list_.size();
 }
 
-void TestNetLog::Clear() {
+void RecordingTestNetLog::Clear() {
   base::AutoLock lock(lock_);
   entry_list_.clear();
 }
 
-void TestNetLog::OnAddEntry(const NetLogEntry& entry) {
+void RecordingTestNetLog::OnAddEntry(const NetLogEntry& entry) {
   base::Value params = entry.params.Clone();
   auto time = base::TimeTicks::Now();
 
@@ -72,44 +75,46 @@ void TestNetLog::OnAddEntry(const NetLogEntry& entry) {
                            std::move(params));
 }
 
-NetLog::ThreadSafeObserver* TestNetLog::GetObserver() {
+NetLog::ThreadSafeObserver* RecordingTestNetLog::GetObserver() {
   return this;
 }
 
-void TestNetLog::SetObserverCaptureMode(NetLogCaptureMode capture_mode) {
+void RecordingTestNetLog::SetObserverCaptureMode(
+    NetLogCaptureMode capture_mode) {
   RemoveObserver(this);
   AddObserver(this, capture_mode);
 }
 
-BoundTestNetLog::BoundTestNetLog()
+RecordingBoundTestNetLog::RecordingBoundTestNetLog()
     : net_log_(NetLogWithSource::Make(&test_net_log_, NetLogSourceType::NONE)) {
 }
 
-BoundTestNetLog::~BoundTestNetLog() = default;
+RecordingBoundTestNetLog::~RecordingBoundTestNetLog() = default;
 
-std::vector<NetLogEntry> BoundTestNetLog::GetEntries() const {
+std::vector<NetLogEntry> RecordingBoundTestNetLog::GetEntries() const {
   return test_net_log_.GetEntries();
 }
 
-std::vector<NetLogEntry> BoundTestNetLog::GetEntriesForSource(
+std::vector<NetLogEntry> RecordingBoundTestNetLog::GetEntriesForSource(
     NetLogSource source) const {
   return test_net_log_.GetEntriesForSource(source);
 }
 
-std::vector<NetLogEntry> BoundTestNetLog::GetEntriesWithType(
+std::vector<NetLogEntry> RecordingBoundTestNetLog::GetEntriesWithType(
     NetLogEventType type) const {
   return test_net_log_.GetEntriesWithType(type);
 }
 
-size_t BoundTestNetLog::GetSize() const {
+size_t RecordingBoundTestNetLog::GetSize() const {
   return test_net_log_.GetSize();
 }
 
-void BoundTestNetLog::Clear() {
+void RecordingBoundTestNetLog::Clear() {
   test_net_log_.Clear();
 }
 
-void BoundTestNetLog::SetObserverCaptureMode(NetLogCaptureMode capture_mode) {
+void RecordingBoundTestNetLog::SetObserverCaptureMode(
+    NetLogCaptureMode capture_mode) {
   test_net_log_.SetObserverCaptureMode(capture_mode);
 }
 
diff --git a/chromium/net/log/test_net_log.h b/chromium/net/log/test_net_log.h
index 96ba8eaa9be..89325f92f65 100644
--- a/chromium/net/log/test_net_log.h
+++ b/chromium/net/log/test_net_log.h
@@ -19,16 +19,31 @@ namespace net {
 
 struct NetLogSource;
 
+// NetLog subclass that follows normal lifetime rules (has a public
+// destructor.)
+//
+// This class is for testing only. Production code should use the singleton
+// NetLog::Get().
+class TestNetLog : public NetLog {
+ public:
+  TestNetLog();
+  ~TestNetLog() override;
+
+ private:
+  DISALLOW_COPY_AND_ASSIGN(TestNetLog);
+};
+
 // NetLog subclass that attaches a single observer (this) to record NetLog
 // events and their parameters into an in-memory buffer. The NetLog is observed
 // at kSensitive level by default, however can be changed with
 // SetObserverCaptureMode().
 //
 // This class is for testing only.
-class TestNetLog : public NetLog, public NetLog::ThreadSafeObserver {
+class RecordingTestNetLog : public TestNetLog,
+                            public NetLog::ThreadSafeObserver {
  public:
-  TestNetLog();
-  ~TestNetLog() override;
+  RecordingTestNetLog();
+  ~RecordingTestNetLog() override;
 
   void SetObserverCaptureMode(NetLogCaptureMode capture_mode);
 
@@ -59,18 +74,18 @@ class TestNetLog : public NetLog, public NetLog::ThreadSafeObserver {
   mutable base::Lock lock_;
   std::vector<NetLogEntry> entry_list_;
 
-  DISALLOW_COPY_AND_ASSIGN(TestNetLog);
+  DISALLOW_COPY_AND_ASSIGN(RecordingTestNetLog);
 };
 
 // Helper class that exposes a similar API as NetLogWithSource, but uses a
-// TestNetLog rather than the more generic NetLog.
+// RecordingTestNetLog rather than the more generic NetLog.
 //
-// A BoundTestNetLog can easily be converted to a NetLogWithSource using the
-// bound() method.
-class BoundTestNetLog {
+// A RecordingBoundTestNetLog can easily be converted to a NetLogWithSource
+// using the bound() method.
+class RecordingBoundTestNetLog {
  public:
-  BoundTestNetLog();
-  ~BoundTestNetLog();
+  RecordingBoundTestNetLog();
+  ~RecordingBoundTestNetLog();
 
   // The returned NetLogWithSource is only valid while |this| is alive.
   NetLogWithSource bound() const { return net_log_; }
@@ -89,14 +104,14 @@ class BoundTestNetLog {
 
   void Clear();
 
-  // Sets the observer capture mode of the underlying TestNetLog.
+  // Sets the observer capture mode of the underlying RecordingTestNetLog.
   void SetObserverCaptureMode(NetLogCaptureMode capture_mode);
 
  private:
-  TestNetLog test_net_log_;
+  RecordingTestNetLog test_net_log_;
   const NetLogWithSource net_log_;
 
-  DISALLOW_COPY_AND_ASSIGN(BoundTestNetLog);
+  DISALLOW_COPY_AND_ASSIGN(RecordingBoundTestNetLog);
 };
 
 }  // namespace net
diff --git a/chromium/net/log/trace_net_log_observer_unittest.cc b/chromium/net/log/trace_net_log_observer_unittest.cc
index aed776211e0..71d81daf345 100644
--- a/chromium/net/log/trace_net_log_observer_unittest.cc
+++ b/chromium/net/log/trace_net_log_observer_unittest.cc
@@ -157,7 +157,7 @@ class TraceNetLogObserverTest : public TestWithTaskEnvironment {
 
   base::ListValue* trace_events() const { return trace_events_.get(); }
 
-  TestNetLog* net_log() { return &net_log_; }
+  RecordingTestNetLog* net_log() { return &net_log_; }
 
   TraceNetLogObserver* trace_net_log_observer() const {
     return trace_net_log_observer_.get();
@@ -167,7 +167,7 @@ class TraceNetLogObserverTest : public TestWithTaskEnvironment {
   std::unique_ptr<base::ListValue> trace_events_;
   base::trace_event::TraceResultBuffer trace_buffer_;
   base::trace_event::TraceResultBuffer::SimpleOutput json_output_;
-  TestNetLog net_log_;
+  RecordingTestNetLog net_log_;
   std::unique_ptr<TraceNetLogObserver> trace_net_log_observer_;
 };
 
@@ -429,7 +429,7 @@ TEST_F(TraceNetLogObserverTest, EventsWithAndWithoutParameters) {
 TEST(TraceNetLogObserverCategoryTest, DisabledCategory) {
   base::test::TaskEnvironment task_environment;
   TraceNetLogObserver observer;
-  NetLog net_log;
+  TestNetLog net_log;
   observer.WatchForTraceStart(&net_log);
 
   EXPECT_FALSE(net_log.IsCapturing());
@@ -446,7 +446,7 @@ TEST(TraceNetLogObserverCategoryTest, DisabledCategory) {
 TEST(TraceNetLogObserverCategoryTest, EnabledCategory) {
   base::test::TaskEnvironment task_environment;
   TraceNetLogObserver observer;
-  NetLog net_log;
+  TestNetLog net_log;
   observer.WatchForTraceStart(&net_log);
 
   EXPECT_FALSE(net_log.IsCapturing());
diff --git a/chromium/net/network_error_logging/OWNERS b/chromium/net/network_error_logging/OWNERS
index a71bd7f3482..46f7dc92b25 100644
--- a/chromium/net/network_error_logging/OWNERS
+++ b/chromium/net/network_error_logging/OWNERS
@@ -1,3 +1,3 @@
 chlily@chromium.org
 
-# COMPONENT: Internals>Network>Logging
+# COMPONENT: Internals>Network>ReportingAndNEL
diff --git a/chromium/net/network_error_logging/network_error_logging_service.cc b/chromium/net/network_error_logging/network_error_logging_service.cc
index d1d78250426..50a87585133 100644
--- a/chromium/net/network_error_logging/network_error_logging_service.cc
+++ b/chromium/net/network_error_logging/network_error_logging_service.cc
@@ -168,11 +168,6 @@ void RecordHeaderOutcome(NetworkErrorLoggingService::HeaderOutcome outcome) {
                             NetworkErrorLoggingService::HeaderOutcome::MAX);
 }
 
-void RecordRequestOutcome(NetworkErrorLoggingService::RequestOutcome outcome) {
-  UMA_HISTOGRAM_ENUMERATION(
-      NetworkErrorLoggingService::kRequestOutcomeHistogram, outcome);
-}
-
 void RecordSignedExchangeRequestOutcome(
     NetworkErrorLoggingService::RequestOutcome outcome) {
   UMA_HISTOGRAM_ENUMERATION(
@@ -217,10 +212,8 @@ class NetworkErrorLoggingServiceImpl : public NetworkErrorLoggingService {
     // This method is only called on secure requests.
     DCHECK(details.uri.SchemeIsCryptographic());
 
-    if (!reporting_service_) {
-      RecordRequestOutcome(RequestOutcome::kDiscardedNoReportingService);
+    if (!reporting_service_)
       return;
-    }
 
     base::Time request_received_time = clock_->Now();
     // base::Unretained is safe because the callback gets stored in
@@ -435,10 +428,8 @@ class NetworkErrorLoggingServiceImpl : public NetworkErrorLoggingService {
 
     auto report_origin = url::Origin::Create(details.uri);
     const NelPolicy* policy = FindPolicyForOrigin(report_origin);
-    if (!policy) {
-      RecordRequestOutcome(RequestOutcome::kDiscardedNoOriginPolicy);
+    if (!policy)
       return;
-    }
 
     MarkPolicyUsed(policy, request_received_time);
 
@@ -465,10 +456,8 @@ class NetworkErrorLoggingServiceImpl : public NetworkErrorLoggingService {
     // This check would go earlier, but the histogram bucket will be more
     // meaningful if it only includes reports that otherwise could have been
     // uploaded.
-    if (details.reporting_upload_depth > kMaxNestedReportDepth) {
-      RecordRequestOutcome(RequestOutcome::kDiscardedReportingUpload);
+    if (details.reporting_upload_depth > kMaxNestedReportDepth)
       return;
-    }
 
     // If the server that handled the request is different than the server that
     // delivered the NEL policy (as determined by their IP address), then we
@@ -486,19 +475,14 @@ class NetworkErrorLoggingServiceImpl : public NetworkErrorLoggingService {
     // errors.
     if (phase_string != kDnsPhase &&
         IsMismatchingSubdomainReport(*policy, report_origin)) {
-      RecordRequestOutcome(RequestOutcome::kDiscardedNonDNSSubdomainReport);
       return;
     }
 
     bool success = (type == OK) && !IsHttpError(details);
     const base::Optional<double> sampling_fraction =
         SampleAndReturnFraction(*policy, success);
-    if (!sampling_fraction.has_value()) {
-      RecordRequestOutcome(success
-                               ? RequestOutcome::kDiscardedUnsampledSuccess
-                               : RequestOutcome::kDiscardedUnsampledFailure);
+    if (!sampling_fraction.has_value())
       return;
-    }
 
     DVLOG(1) << "Created NEL report (" << type_string
              << ", status=" << details.status_code
@@ -509,7 +493,6 @@ class NetworkErrorLoggingServiceImpl : public NetworkErrorLoggingService {
         CreateReportBody(phase_string, type_string, sampling_fraction.value(),
                          details),
         details.reporting_upload_depth);
-    RecordRequestOutcome(RequestOutcome::kQueued);
   }
 
   void DoQueueSignedExchangeReport(SignedExchangeReportDetails details,
@@ -924,9 +907,6 @@ const char NetworkErrorLoggingService::kReportType[] = "network-error";
 const char NetworkErrorLoggingService::kHeaderOutcomeHistogram[] =
     "Net.NetworkErrorLogging.HeaderOutcome";
 
-const char NetworkErrorLoggingService::kRequestOutcomeHistogram[] =
-    "Net.NetworkErrorLogging.RequestOutcome";
-
 const char
     NetworkErrorLoggingService::kSignedExchangeRequestOutcomeHistogram[] =
         "Net.NetworkErrorLogging.SignedExchangeRequestOutcome";
@@ -983,17 +963,6 @@ void NetworkErrorLoggingService::
 }
 
 // static
-void NetworkErrorLoggingService::
-    RecordRequestDiscardedForNoNetworkErrorLoggingService() {
-  RecordRequestOutcome(RequestOutcome::kDiscardedNoNetworkErrorLoggingService);
-}
-
-// static
-void NetworkErrorLoggingService::RecordRequestDiscardedForInsecureOrigin() {
-  RecordRequestOutcome(RequestOutcome::kDiscardedInsecureOrigin);
-}
-
-// static
 std::unique_ptr<NetworkErrorLoggingService> NetworkErrorLoggingService::Create(
     PersistentNelStore* store) {
   return std::make_unique<NetworkErrorLoggingServiceImpl>(store);
diff --git a/chromium/net/network_error_logging/network_error_logging_service.h b/chromium/net/network_error_logging/network_error_logging_service.h
index 3d0addaa52f..8f233bbe55a 100644
--- a/chromium/net/network_error_logging/network_error_logging_service.h
+++ b/chromium/net/network_error_logging/network_error_logging_service.h
@@ -146,7 +146,6 @@ class NET_EXPORT NetworkErrorLoggingService {
   // events occurred.
 
   static const char kHeaderOutcomeHistogram[];
-  static const char kRequestOutcomeHistogram[];
   static const char kSignedExchangeRequestOutcomeHistogram[];
 
   enum class HeaderOutcome {
@@ -174,6 +173,9 @@ class NET_EXPORT NetworkErrorLoggingService {
     MAX
   };
 
+  // Used for histogramming Signed Exchange request outcomes only. Previously,
+  // the outcome of all requests would be histogrammed, but this was removed in
+  // crbug.com/1007122 because the histogram was very large and not very useful.
   enum class RequestOutcome {
     kDiscardedNoNetworkErrorLoggingService = 0,
 
@@ -196,9 +198,6 @@ class NET_EXPORT NetworkErrorLoggingService {
   static void RecordHeaderDiscardedForCertStatusError();
   static void RecordHeaderDiscardedForMissingRemoteEndpoint();
 
-  static void RecordRequestDiscardedForNoNetworkErrorLoggingService();
-  static void RecordRequestDiscardedForInsecureOrigin();
-
   // NEL policies are persisted to disk if |store| is not null.
   // The store, if given, should outlive |*this|.
   static std::unique_ptr<NetworkErrorLoggingService> Create(
diff --git a/chromium/net/nqe/event_creator_unittest.cc b/chromium/net/nqe/event_creator_unittest.cc
index 6bb8a49044d..cc0af6bfab3 100644
--- a/chromium/net/nqe/event_creator_unittest.cc
+++ b/chromium/net/nqe/event_creator_unittest.cc
@@ -21,16 +21,14 @@ namespace {
 
 // Returns the number of entries in |net_log| that have type set to
 // |NetLogEventType::NETWORK_QUALITY_CHANGED|.
-int GetNetworkQualityChangedEntriesCount(BoundTestNetLog* net_log) {
+int GetNetworkQualityChangedEntriesCount(RecordingBoundTestNetLog* net_log) {
   return net_log->GetEntriesWithType(NetLogEventType::NETWORK_QUALITY_CHANGED)
       .size();
 }
 
 // Verify that the net log events are recorded correctly.
 TEST(NetworkQualityEstimatorEventCreatorTest, Notified) {
-  // std::unique_ptr<BoundTestNetLog>
-  // net_log(std::make_unique<BoundTestNetLog>());
-  BoundTestNetLog net_log;
+  RecordingBoundTestNetLog net_log;
 
   EventCreator event_creator(net_log.bound());
 
diff --git a/chromium/net/nqe/network_quality_estimator.cc b/chromium/net/nqe/network_quality_estimator.cc
index 7e6788ea124..f0cb36ba0e8 100644
--- a/chromium/net/nqe/network_quality_estimator.cc
+++ b/chromium/net/nqe/network_quality_estimator.cc
@@ -492,8 +492,8 @@ bool NetworkQualityEstimator::RequestProvidesRTTObservation(
     const URLRequest& request) const {
   DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
 
-  bool private_network_request = nqe::internal::IsPrivateHost(
-      request.context()->host_resolver(), HostPortPair::FromURL(request.url()));
+  bool private_network_request =
+      nqe::internal::IsRequestForPrivateHost(request);
 
   return (use_localhost_requests_ || !private_network_request) &&
          // Verify that response headers are received, so it can be ensured that
diff --git a/chromium/net/nqe/network_quality_estimator_test_util.cc b/chromium/net/nqe/network_quality_estimator_test_util.cc
index 25172ad41c6..df53d17eb2b 100644
--- a/chromium/net/nqe/network_quality_estimator_test_util.cc
+++ b/chromium/net/nqe/network_quality_estimator_test_util.cc
@@ -29,16 +29,17 @@ TestNetworkQualityEstimator::TestNetworkQualityEstimator()
 
 TestNetworkQualityEstimator::TestNetworkQualityEstimator(
     const std::map<std::string, std::string>& variation_params)
-    : TestNetworkQualityEstimator(variation_params,
-                                  true,
-                                  true,
-                                  std::make_unique<BoundTestNetLog>()) {}
+    : TestNetworkQualityEstimator(
+          variation_params,
+          true,
+          true,
+          std::make_unique<RecordingBoundTestNetLog>()) {}
 
 TestNetworkQualityEstimator::TestNetworkQualityEstimator(
     const std::map<std::string, std::string>& variation_params,
     bool allow_local_host_requests_for_tests,
     bool allow_smaller_responses_for_tests,
-    std::unique_ptr<BoundTestNetLog> net_log)
+    std::unique_ptr<RecordingBoundTestNetLog> net_log)
     : TestNetworkQualityEstimator(variation_params,
                                   allow_local_host_requests_for_tests,
                                   allow_smaller_responses_for_tests,
@@ -50,7 +51,7 @@ TestNetworkQualityEstimator::TestNetworkQualityEstimator(
     bool allow_local_host_requests_for_tests,
     bool allow_smaller_responses_for_tests,
     bool suppress_notifications_for_testing,
-    std::unique_ptr<BoundTestNetLog> net_log)
+    std::unique_ptr<RecordingBoundTestNetLog> net_log)
     : NetworkQualityEstimator(
           std::make_unique<NetworkQualityEstimatorParams>(variation_params),
           net_log->bound().net_log()),
@@ -64,18 +65,18 @@ TestNetworkQualityEstimator::TestNetworkQualityEstimator(
 
 TestNetworkQualityEstimator::TestNetworkQualityEstimator(
     std::unique_ptr<NetworkQualityEstimatorParams> params)
-    : TestNetworkQualityEstimator(std::move(params),
-                                  std::make_unique<BoundTestNetLog>()) {}
+    : TestNetworkQualityEstimator(
+          std::move(params),
+          std::make_unique<RecordingBoundTestNetLog>()) {}
 
 TestNetworkQualityEstimator::TestNetworkQualityEstimator(
     std::unique_ptr<NetworkQualityEstimatorParams> params,
-    std::unique_ptr<BoundTestNetLog> net_log)
+    std::unique_ptr<RecordingBoundTestNetLog> net_log)
     : NetworkQualityEstimator(std::move(params), net_log->bound().net_log()),
       net_log_(std::move(net_log)),
       current_network_type_(NetworkChangeNotifier::CONNECTION_UNKNOWN),
       embedded_test_server_(base::FilePath(kTestFilePath)),
-      suppress_notifications_for_testing_(false) {
-}
+      suppress_notifications_for_testing_(false) {}
 
 TestNetworkQualityEstimator::~TestNetworkQualityEstimator() = default;
 
diff --git a/chromium/net/nqe/network_quality_estimator_test_util.h b/chromium/net/nqe/network_quality_estimator_test_util.h
index b4ea72f31e6..c0b71507971 100644
--- a/chromium/net/nqe/network_quality_estimator_test_util.h
+++ b/chromium/net/nqe/network_quality_estimator_test_util.h
@@ -40,14 +40,14 @@ class TestNetworkQualityEstimator : public NetworkQualityEstimator {
       const std::map<std::string, std::string>& variation_params,
       bool allow_local_host_requests_for_tests,
       bool allow_smaller_responses_for_tests,
-      std::unique_ptr<BoundTestNetLog> net_log);
+      std::unique_ptr<RecordingBoundTestNetLog> net_log);
 
   TestNetworkQualityEstimator(
       const std::map<std::string, std::string>& variation_params,
       bool allow_local_host_requests_for_tests,
       bool allow_smaller_responses_for_tests,
       bool suppress_notifications_for_testing,
-      std::unique_ptr<BoundTestNetLog> net_log);
+      std::unique_ptr<RecordingBoundTestNetLog> net_log);
 
   explicit TestNetworkQualityEstimator(
       std::unique_ptr<NetworkQualityEstimatorParams> params);
@@ -233,7 +233,7 @@ class TestNetworkQualityEstimator : public NetworkQualityEstimator {
 
   TestNetworkQualityEstimator(
       std::unique_ptr<NetworkQualityEstimatorParams> params,
-      std::unique_ptr<BoundTestNetLog> net_log);
+      std::unique_ptr<RecordingBoundTestNetLog> net_log);
 
   void RecordSpdyPingLatency(const HostPortPair& host_port_pair,
                              base::TimeDelta rtt) override;
@@ -246,7 +246,7 @@ class TestNetworkQualityEstimator : public NetworkQualityEstimator {
   base::Optional<net::EffectiveConnectionType> GetOverrideECT() const override;
 
   // Net log provided to network quality estimator.
-  std::unique_ptr<net::BoundTestNetLog> net_log_;
+  std::unique_ptr<net::RecordingBoundTestNetLog> net_log_;
 
   // If set, GetEffectiveConnectionType() and GetRecentEffectiveConnectionType()
   // would return the set values, respectively.
diff --git a/chromium/net/nqe/network_quality_estimator_unittest.cc b/chromium/net/nqe/network_quality_estimator_unittest.cc
index 6b95d86dcf0..7dd538e7890 100644
--- a/chromium/net/nqe/network_quality_estimator_unittest.cc
+++ b/chromium/net/nqe/network_quality_estimator_unittest.cc
@@ -779,8 +779,9 @@ TEST_F(NetworkQualityEstimatorTest, DefaultObservations) {
   TestRTTObserver rtt_observer;
   TestThroughputObserver throughput_observer;
   std::map<std::string, std::string> variation_params;
-  TestNetworkQualityEstimator estimator(variation_params, false, false,
-                                        std::make_unique<BoundTestNetLog>());
+  TestNetworkQualityEstimator estimator(
+      variation_params, false, false,
+      std::make_unique<RecordingBoundTestNetLog>());
 
   // Default observations should be added when constructing the |estimator|.
   histogram_tester.ExpectBucketCount(
@@ -920,8 +921,9 @@ TEST_F(NetworkQualityEstimatorTest, DefaultObservationsOverridden) {
   // Negative variation value should not be used.
   variation_params["2G.DefaultMedianTransportRTTMsec"] = "-5";
 
-  TestNetworkQualityEstimator estimator(variation_params, false, false,
-                                        std::make_unique<BoundTestNetLog>());
+  TestNetworkQualityEstimator estimator(
+      variation_params, false, false,
+      std::make_unique<RecordingBoundTestNetLog>());
   estimator.SimulateNetworkChange(
       NetworkChangeNotifier::ConnectionType::CONNECTION_UNKNOWN, "unknown-1");
 
@@ -1443,10 +1445,10 @@ TEST_F(NetworkQualityEstimatorTest, TestThroughputNoRequestOverlap) {
   };
 
   for (const auto& test : tests) {
-    TestNetworkQualityEstimator estimator(variation_params,
-                                          test.allow_small_localhost_requests,
-                                          test.allow_small_localhost_requests,
-                                          std::make_unique<BoundTestNetLog>());
+    TestNetworkQualityEstimator estimator(
+        variation_params, test.allow_small_localhost_requests,
+        test.allow_small_localhost_requests,
+        std::make_unique<RecordingBoundTestNetLog>());
 
     base::TimeDelta rtt;
     EXPECT_FALSE(
@@ -2162,8 +2164,9 @@ TEST_F(NetworkQualityEstimatorTest, MAYBE_TestTCPSocketRTT) {
   std::map<std::string, std::string> variation_params;
   variation_params["persistent_cache_reading_enabled"] = "true";
   variation_params["throughput_min_requests_in_flight"] = "1";
-  TestNetworkQualityEstimator estimator(variation_params, true, true,
-                                        std::make_unique<BoundTestNetLog>());
+  TestNetworkQualityEstimator estimator(
+      variation_params, true, true,
+      std::make_unique<RecordingBoundTestNetLog>());
   estimator.SetTickClockForTesting(&tick_clock);
   estimator.SimulateNetworkChange(
       NetworkChangeNotifier::ConnectionType::CONNECTION_2G, "test");
@@ -2547,8 +2550,9 @@ TEST_F(NetworkQualityEstimatorTest, OnPrefsRead) {
   variation_params["add_default_platform_observations"] = "false";
   // Disable default platform values so that the effect of cached estimates
   // at the time of startup can be studied in isolation.
-  TestNetworkQualityEstimator estimator(variation_params, true, true,
-                                        std::make_unique<BoundTestNetLog>());
+  TestNetworkQualityEstimator estimator(
+      variation_params, true, true,
+      std::make_unique<RecordingBoundTestNetLog>());
 
   // Add observers.
   TestRTTObserver rtt_observer;
@@ -2658,8 +2662,9 @@ TEST_F(NetworkQualityEstimatorTest, OnPrefsReadWithReadingDisabled) {
 
   // Disable default platform values so that the effect of cached estimates
   // at the time of startup can be studied in isolation.
-  TestNetworkQualityEstimator estimator(variation_params, true, true,
-                                        std::make_unique<BoundTestNetLog>());
+  TestNetworkQualityEstimator estimator(
+      variation_params, true, true,
+      std::make_unique<RecordingBoundTestNetLog>());
 
   // Add observers.
   TestRTTObserver rtt_observer;
@@ -2748,8 +2753,9 @@ TEST_F(NetworkQualityEstimatorTest,
   variation_params["add_default_platform_observations"] = "false";
   // Disable default platform values so that the effect of cached estimates
   // at the time of startup can be studied in isolation.
-  TestNetworkQualityEstimator estimator(variation_params, true, true,
-                                        std::make_unique<BoundTestNetLog>());
+  TestNetworkQualityEstimator estimator(
+      variation_params, true, true,
+      std::make_unique<RecordingBoundTestNetLog>());
 
   // Add observers.
   TestRTTObserver rtt_observer;
diff --git a/chromium/net/nqe/network_quality_estimator_util.cc b/chromium/net/nqe/network_quality_estimator_util.cc
index d12934f5671..7df30e836d7 100644
--- a/chromium/net/nqe/network_quality_estimator_util.cc
+++ b/chromium/net/nqe/network_quality_estimator_util.cc
@@ -15,21 +15,24 @@
 #include "net/dns/host_resolver.h"
 #include "net/dns/host_resolver_source.h"
 #include "net/log/net_log_with_source.h"
+#include "net/url_request/url_request.h"
+#include "net/url_request/url_request_context.h"
 
 namespace net {
 
 namespace nqe {
 
-namespace internal {
+namespace {
 
 bool IsPrivateHost(HostResolver* host_resolver,
-                   const HostPortPair& host_port_pair) {
+                   const HostPortPair& host_port_pair,
+                   const NetworkIsolationKey& network_isolation_key) {
   // Try resolving |host_port_pair.host()| synchronously.
   HostResolver::ResolveHostParameters parameters;
   parameters.source = HostResolverSource::LOCAL_ONLY;
   std::unique_ptr<HostResolver::ResolveHostRequest> request =
-      host_resolver->CreateRequest(host_port_pair, NetLogWithSource(),
-                                   parameters);
+      host_resolver->CreateRequest(host_port_pair, network_isolation_key,
+                                   NetLogWithSource(), parameters);
 
   int rv = request->Start(base::BindOnce([](int error) { NOTREACHED(); }));
   DCHECK_NE(rv, ERR_IO_PENDING);
@@ -46,6 +49,24 @@ bool IsPrivateHost(HostResolver* host_resolver,
   return false;
 }
 
+}  // namespace
+
+namespace internal {
+
+bool IsRequestForPrivateHost(const URLRequest& request) {
+  // Using the request's NetworkIsolationKey isn't necessary for privacy
+  // reasons, but is needed to maximize the chances of a cache hit.
+  return IsPrivateHost(request.context()->host_resolver(),
+                       HostPortPair::FromURL(request.url()),
+                       request.network_isolation_key());
+}
+
+bool IsPrivateHostForTesting(HostResolver* host_resolver,
+                             const HostPortPair& host_port_pair,
+                             const NetworkIsolationKey& network_isolation_key) {
+  return IsPrivateHost(host_resolver, host_port_pair, network_isolation_key);
+}
+
 }  // namespace internal
 
 }  // namespace nqe
diff --git a/chromium/net/nqe/network_quality_estimator_util.h b/chromium/net/nqe/network_quality_estimator_util.h
index c9200b8e5c4..41e15d08380 100644
--- a/chromium/net/nqe/network_quality_estimator_util.h
+++ b/chromium/net/nqe/network_quality_estimator_util.h
@@ -13,6 +13,8 @@ namespace net {
 
 class HostPortPair;
 class HostResolver;
+class NetworkIsolationKey;
+class URLRequest;
 
 namespace nqe {
 
@@ -21,18 +23,23 @@ namespace internal {
 // A unified compact representation of an IPv6 or an IPv4 address.
 typedef uint64_t IPHash;
 
-// Returns true if the host contained in |host_port_pair| is a host in a
-// private Internet as defined by RFC 1918 or if the requests to
-// |host_port_pair| are not expected to generate useful network quality
-// information. This includes localhost, hosts on private subnets, and
-// hosts on subnets that are reserved for specific usage, and are unlikely
-// to be used by public web servers.
-// To make this determination, IsPrivateHost() makes the best
-// effort estimate including trying to resolve the host in the
-// |host_port_pair|. The method is synchronous.
-// |host_resolver| must not be null.
-NET_EXPORT_PRIVATE bool IsPrivateHost(HostResolver* host_resolver,
-                                      const HostPortPair& host_port_pair);
+// Returns true if the host contained of |request.url()| is a host in a
+// private Internet as defined by RFC 1918 or if the requests to it are not
+// expected to generate useful network quality information. This includes
+// localhost, hosts on private subnets, and hosts on subnets that are reserved
+// for specific usage, and are unlikely to be used by public web servers.
+//
+// To make this determination, this method makes the best effort estimate
+// including trying to resolve the host from the HostResolver's cache. This
+// method is synchronous.
+NET_EXPORT_PRIVATE bool IsRequestForPrivateHost(const URLRequest& request);
+
+// Provides access to the method used internally by IsRequestForPrivateHost(),
+// for testing.
+NET_EXPORT_PRIVATE bool IsPrivateHostForTesting(
+    HostResolver* host_resolver,
+    const HostPortPair& host_port_pair,
+    const NetworkIsolationKey& network_isolation_key);
 
 }  // namespace internal
 
diff --git a/chromium/net/nqe/network_quality_estimator_util_unittest.cc b/chromium/net/nqe/network_quality_estimator_util_unittest.cc
index 014f4a63ae6..dac7d5dd2b5 100644
--- a/chromium/net/nqe/network_quality_estimator_util_unittest.cc
+++ b/chromium/net/nqe/network_quality_estimator_util_unittest.cc
@@ -7,9 +7,12 @@
 #include <memory>
 
 #include "base/optional.h"
+#include "base/test/scoped_feature_list.h"
 #include "base/test/task_environment.h"
+#include "net/base/features.h"
 #include "net/base/host_port_pair.h"
 #include "net/base/net_errors.h"
+#include "net/base/network_isolation_key.h"
 #include "net/base/test_completion_callback.h"
 #include "net/dns/context_host_resolver.h"
 #include "net/dns/host_resolver.h"
@@ -17,6 +20,7 @@
 #include "net/log/test_net_log.h"
 #include "testing/gtest/include/gtest/gtest.h"
 #include "url/gurl.h"
+#include "url/origin.h"
 
 namespace net {
 
@@ -31,8 +35,6 @@ namespace {
 TEST(NetworkQualityEstimatorUtilTest, ReservedHost) {
   base::test::TaskEnvironment task_environment;
 
-  std::unique_ptr<BoundTestNetLog> net_log =
-      std::make_unique<BoundTestNetLog>();
   MockCachingHostResolver mock_host_resolver;
 
   scoped_refptr<net::RuleBasedHostResolverProc> rules(
@@ -49,42 +51,45 @@ TEST(NetworkQualityEstimatorUtilTest, ReservedHost) {
   EXPECT_EQ(0u, mock_host_resolver.num_resolve());
 
   // Load hostnames into HostResolver cache.
-  int rv = mock_host_resolver.LoadIntoCache(HostPortPair("example1.com", 443),
-                                            base::nullopt);
+  int rv = mock_host_resolver.LoadIntoCache(
+      HostPortPair("example1.com", 443), NetworkIsolationKey(), base::nullopt);
   EXPECT_EQ(OK, rv);
   rv = mock_host_resolver.LoadIntoCache(HostPortPair("example2.com", 443),
-                                        base::nullopt);
+                                        NetworkIsolationKey(), base::nullopt);
   EXPECT_EQ(OK, rv);
 
   EXPECT_EQ(2u, mock_host_resolver.num_non_local_resolves());
 
-  EXPECT_FALSE(IsPrivateHost(&mock_host_resolver,
-                             HostPortPair("2607:f8b0:4006:819::200e", 80)));
+  EXPECT_FALSE(IsPrivateHostForTesting(
+      &mock_host_resolver, HostPortPair("2607:f8b0:4006:819::200e", 80),
+      NetworkIsolationKey()));
 
-  EXPECT_TRUE(
-      IsPrivateHost(&mock_host_resolver, HostPortPair("192.168.0.1", 443)));
+  EXPECT_TRUE(IsPrivateHostForTesting(&mock_host_resolver,
+                                      HostPortPair("192.168.0.1", 443),
+                                      NetworkIsolationKey()));
 
-  EXPECT_FALSE(
-      IsPrivateHost(&mock_host_resolver, HostPortPair("92.168.0.1", 443)));
+  EXPECT_FALSE(IsPrivateHostForTesting(&mock_host_resolver,
+                                       HostPortPair("92.168.0.1", 443),
+                                       NetworkIsolationKey()));
 
-  EXPECT_TRUE(
-      IsPrivateHost(&mock_host_resolver, HostPortPair("example1.com", 443)));
+  EXPECT_TRUE(IsPrivateHostForTesting(&mock_host_resolver,
+                                      HostPortPair("example1.com", 443),
+                                      NetworkIsolationKey()));
 
-  EXPECT_FALSE(
-      IsPrivateHost(&mock_host_resolver, HostPortPair("example2.com", 443)));
+  EXPECT_FALSE(IsPrivateHostForTesting(&mock_host_resolver,
+                                       HostPortPair("example2.com", 443),
+                                       NetworkIsolationKey()));
 
-  // IsPrivateHost() should have queried only the resolver's cache.
+  // IsPrivateHostForTesting() should have queried only the resolver's cache.
   EXPECT_EQ(2u, mock_host_resolver.num_non_local_resolves());
 }
 
-// Verify that IsPrivateHost() returns false for a hostname whose DNS
+// Verify that IsPrivateHostForTesting() returns false for a hostname whose DNS
 // resolution is not cached. Further, once the resolution is cached, verify that
 // the cached entry is used.
 TEST(NetworkQualityEstimatorUtilTest, ReservedHostUncached) {
   base::test::TaskEnvironment task_environment;
 
-  std::unique_ptr<BoundTestNetLog> net_log =
-      std::make_unique<BoundTestNetLog>();
   MockCachingHostResolver mock_host_resolver;
 
   scoped_refptr<net::RuleBasedHostResolverProc> rules(
@@ -95,29 +100,79 @@ TEST(NetworkQualityEstimatorUtilTest, ReservedHostUncached) {
   mock_host_resolver.set_rules(rules.get());
 
   // Not in DNS host cache, so should not be marked as private.
-  EXPECT_FALSE(
-      IsPrivateHost(&mock_host_resolver, HostPortPair("example3.com", 443)));
+  EXPECT_FALSE(IsPrivateHostForTesting(&mock_host_resolver,
+                                       HostPortPair("example3.com", 443),
+                                       NetworkIsolationKey()));
   EXPECT_EQ(0u, mock_host_resolver.num_non_local_resolves());
 
-  int rv = mock_host_resolver.LoadIntoCache(HostPortPair("example3.com", 443),
-                                            base::nullopt);
+  int rv = mock_host_resolver.LoadIntoCache(
+      HostPortPair("example3.com", 443), NetworkIsolationKey(), base::nullopt);
   EXPECT_EQ(OK, rv);
   EXPECT_EQ(1u, mock_host_resolver.num_non_local_resolves());
 
-  EXPECT_TRUE(
-      IsPrivateHost(&mock_host_resolver, HostPortPair("example3.com", 443)));
+  EXPECT_TRUE(IsPrivateHostForTesting(&mock_host_resolver,
+                                      HostPortPair("example3.com", 443),
+                                      NetworkIsolationKey()));
 
-  // IsPrivateHost() should have queried only the resolver's cache.
+  // IsPrivateHostForTesting() should have queried only the resolver's cache.
   EXPECT_EQ(1u, mock_host_resolver.num_non_local_resolves());
 }
 
-// Verify that IsPrivateHost() returns correct results for local hosts.
+// Make sure that IsPrivateHostForTesting() uses the NetworkIsolationKey
+// provided to it.
+TEST(NetworkQualityEstimatorUtilTest,
+     ReservedHostUncachedWithNetworkIsolationKey) {
+  const url::Origin kOrigin = url::Origin::Create(GURL("https://foo.test/"));
+  const net::NetworkIsolationKey kNetworkIsolationKey(kOrigin, kOrigin);
+
+  base::test::ScopedFeatureList feature_list;
+  feature_list.InitAndEnableFeature(
+      features::kSplitHostCacheByNetworkIsolationKey);
+
+  base::test::TaskEnvironment task_environment;
+
+  MockCachingHostResolver mock_host_resolver;
+
+  scoped_refptr<net::RuleBasedHostResolverProc> rules(
+      new net::RuleBasedHostResolverProc(nullptr));
+
+  // Add example3.com resolution to the DNS cache.
+  rules->AddRule("example3.com", "127.0.0.3");
+  mock_host_resolver.set_rules(rules.get());
+
+  // Not in DNS host cache, so should not be marked as private.
+  EXPECT_FALSE(IsPrivateHostForTesting(&mock_host_resolver,
+                                       HostPortPair("example3.com", 443),
+                                       kNetworkIsolationKey));
+  EXPECT_EQ(0u, mock_host_resolver.num_non_local_resolves());
+
+  int rv = mock_host_resolver.LoadIntoCache(
+      HostPortPair("example3.com", 443), kNetworkIsolationKey, base::nullopt);
+  EXPECT_EQ(OK, rv);
+  EXPECT_EQ(1u, mock_host_resolver.num_non_local_resolves());
+
+  EXPECT_TRUE(IsPrivateHostForTesting(&mock_host_resolver,
+                                      HostPortPair("example3.com", 443),
+                                      kNetworkIsolationKey));
+
+  // IsPrivateHostForTesting() should have queried only the resolver's cache.
+  EXPECT_EQ(1u, mock_host_resolver.num_non_local_resolves());
+
+  // IsPrivateHostForTesting should return false when using a different
+  // NetworkIsolationKey (in this case, any empty one).
+  EXPECT_FALSE(IsPrivateHostForTesting(&mock_host_resolver,
+                                       HostPortPair("example3.com", 443),
+                                       NetworkIsolationKey()));
+}
+
+// Verify that IsPrivateHostForTesting() returns correct results for local
+// hosts.
 TEST(NetworkQualityEstimatorUtilTest, Localhost) {
   base::test::TaskEnvironment task_environment;
 
-  std::unique_ptr<BoundTestNetLog> net_log =
-      std::make_unique<BoundTestNetLog>();
-  BoundTestNetLog* net_log_ptr = net_log.get();
+  std::unique_ptr<RecordingBoundTestNetLog> net_log =
+      std::make_unique<RecordingBoundTestNetLog>();
+  RecordingBoundTestNetLog* net_log_ptr = net_log.get();
 
   // Use actual HostResolver since MockCachingHostResolver does not determine
   // the correct answer for localhosts.
@@ -128,12 +183,18 @@ TEST(NetworkQualityEstimatorUtilTest, Localhost) {
   scoped_refptr<net::RuleBasedHostResolverProc> rules(
       new net::RuleBasedHostResolverProc(nullptr));
 
-  EXPECT_TRUE(IsPrivateHost(resolver.get(), HostPortPair("localhost", 443)));
-  EXPECT_TRUE(IsPrivateHost(resolver.get(), HostPortPair("localhost6", 443)));
-  EXPECT_TRUE(IsPrivateHost(resolver.get(), HostPortPair("127.0.0.1", 80)));
-  EXPECT_TRUE(IsPrivateHost(resolver.get(), HostPortPair("0.0.0.0", 80)));
-  EXPECT_TRUE(IsPrivateHost(resolver.get(), HostPortPair("::1", 80)));
-  EXPECT_FALSE(IsPrivateHost(resolver.get(), HostPortPair("google.com", 80)));
+  EXPECT_TRUE(IsPrivateHostForTesting(
+      resolver.get(), HostPortPair("localhost", 443), NetworkIsolationKey()));
+  EXPECT_TRUE(IsPrivateHostForTesting(
+      resolver.get(), HostPortPair("localhost6", 443), NetworkIsolationKey()));
+  EXPECT_TRUE(IsPrivateHostForTesting(
+      resolver.get(), HostPortPair("127.0.0.1", 80), NetworkIsolationKey()));
+  EXPECT_TRUE(IsPrivateHostForTesting(
+      resolver.get(), HostPortPair("0.0.0.0", 80), NetworkIsolationKey()));
+  EXPECT_TRUE(IsPrivateHostForTesting(resolver.get(), HostPortPair("::1", 80),
+                                      NetworkIsolationKey()));
+  EXPECT_FALSE(IsPrivateHostForTesting(
+      resolver.get(), HostPortPair("google.com", 80), NetworkIsolationKey()));
 }
 
 }  // namespace
diff --git a/chromium/net/nqe/throughput_analyzer.cc b/chromium/net/nqe/throughput_analyzer.cc
index 250ba9f5c7e..6abf1388168 100644
--- a/chromium/net/nqe/throughput_analyzer.cc
+++ b/chromium/net/nqe/throughput_analyzer.cc
@@ -404,8 +404,8 @@ int64_t ThroughputAnalyzer::CountTotalContentSizeBytes() const {
 bool ThroughputAnalyzer::DegradesAccuracy(const URLRequest& request) const {
   DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
 
-  bool private_network_request = nqe::internal::IsPrivateHost(
-      request.context()->host_resolver(), HostPortPair::FromURL(request.url()));
+  bool private_network_request =
+      nqe::internal::IsRequestForPrivateHost(request);
 
   return !(use_localhost_requests_for_tests_ || !private_network_request) ||
          request.creation_time() < last_connection_change_;
diff --git a/chromium/net/nqe/throughput_analyzer_unittest.cc b/chromium/net/nqe/throughput_analyzer_unittest.cc
index 0e8d54dee64..259b80c16ce 100644
--- a/chromium/net/nqe/throughput_analyzer_unittest.cc
+++ b/chromium/net/nqe/throughput_analyzer_unittest.cc
@@ -22,11 +22,14 @@
 #include "base/strings/string_number_conversions.h"
 #include "base/test/bind_test_util.h"
 #include "base/test/metrics/histogram_tester.h"
+#include "base/test/scoped_feature_list.h"
 #include "base/test/simple_test_tick_clock.h"
 #include "base/test/test_timeouts.h"
 #include "base/threading/platform_thread.h"
 #include "base/threading/thread_task_runner_handle.h"
 #include "base/time/default_tick_clock.h"
+#include "net/base/features.h"
+#include "net/base/network_isolation_key.h"
 #include "net/dns/mock_host_resolver.h"
 #include "net/log/test_net_log.h"
 #include "net/nqe/network_quality_estimator.h"
@@ -38,6 +41,8 @@
 #include "net/url_request/url_request.h"
 #include "net/url_request/url_request_test_util.h"
 #include "testing/gtest/include/gtest/gtest.h"
+#include "url/gurl.h"
+#include "url/origin.h"
 
 namespace net {
 
@@ -58,7 +63,7 @@ class TestThroughputAnalyzer : public internal::ThroughputAnalyzer {
                 &TestThroughputAnalyzer::OnNewThroughputObservationAvailable,
                 base::Unretained(this)),
             tick_clock,
-            std::make_unique<BoundTestNetLog>()->bound()),
+            std::make_unique<RecordingBoundTestNetLog>()->bound()),
         throughput_observations_received_(0),
         bits_received_(0) {}
 
@@ -81,11 +86,17 @@ class TestThroughputAnalyzer : public internal::ThroughputAnalyzer {
   // Uses a mock resolver to force example.com to resolve to a public IP
   // address.
   void AddIPAddressResolution(TestURLRequestContext* context) {
-    scoped_refptr<net::RuleBasedHostResolverProc> rules(
-        new net::RuleBasedHostResolverProc(nullptr));
-    // example1.com resolves to a public IP address.
+    scoped_refptr<net::RuleBasedHostResolverProc> rules =
+        base::MakeRefCounted<RuleBasedHostResolverProc>(nullptr);
+    // example.com resolves to a public IP address.
     rules->AddRule("example.com", "27.0.0.3");
+    // local.com resolves to a private IP address.
+    rules->AddRule("local.com", "127.0.0.1");
     mock_host_resolver_.set_rules(rules.get());
+    mock_host_resolver_.LoadIntoCache(HostPortPair("example.com", 80),
+                                      NetworkIsolationKey(), base::nullopt);
+    mock_host_resolver_.LoadIntoCache(HostPortPair("local.com", 80),
+                                      NetworkIsolationKey(), base::nullopt);
     context->set_host_resolver(&mock_host_resolver_);
   }
 
@@ -108,16 +119,16 @@ class TestThroughputAnalyzer : public internal::ThroughputAnalyzer {
 using ThroughputAnalyzerTest = TestWithTaskEnvironment;
 
 TEST_F(ThroughputAnalyzerTest, MaximumRequests) {
-  const struct {
-    bool use_local_requests;
-  } tests[] = {{
-                   false,
-               },
-               {
-                   true,
-               }};
+  const struct TestCase {
+    GURL url;
+    bool is_local;
+  } kTestCases[] = {
+      {GURL("http://127.0.0.1/test.html"), true /* is_local */},
+      {GURL("http://example.com/test.html"), false /* is_local */},
+      {GURL("http://local.com/test.html"), true /* is_local */},
+  };
 
-  for (const auto& test : tests) {
+  for (const auto& test_case : kTestCases) {
     const base::TickClock* tick_clock = base::DefaultTickClock::GetInstance();
     TestNetworkQualityEstimator network_quality_estimator;
     std::map<std::string, std::string> variation_params;
@@ -135,25 +146,88 @@ TEST_F(ThroughputAnalyzerTest, MaximumRequests) {
 
     // Start more requests than the maximum number of requests that can be held
     // in the memory.
-    const std::string url = test.use_local_requests
-                                ? "http://127.0.0.1/test.html"
-                                : "http://example.com/test.html";
-
-    EXPECT_EQ(
-        test.use_local_requests,
-        nqe::internal::IsPrivateHost(
-            context.host_resolver(),
-            HostPortPair(GURL(url).host(), GURL(url).EffectiveIntPort())));
+    EXPECT_EQ(test_case.is_local,
+              nqe::internal::IsPrivateHostForTesting(
+                  context.host_resolver(), HostPortPair::FromURL(test_case.url),
+                  NetworkIsolationKey()));
+    for (size_t i = 0; i < 1000; ++i) {
+      std::unique_ptr<URLRequest> request(
+          context.CreateRequest(test_case.url, DEFAULT_PRIORITY, &test_delegate,
+                                TRAFFIC_ANNOTATION_FOR_TESTS));
+      throughput_analyzer.NotifyStartTransaction(*(request.get()));
+      requests.push_back(std::move(request));
+    }
+    // Too many local requests should cause the |throughput_analyzer| to disable
+    // throughput measurements.
+    EXPECT_NE(test_case.is_local,
+              throughput_analyzer.IsCurrentlyTrackingThroughput());
+  }
+}
+
+// Make sure that the NetworkIsolationKey is respected when resolving a host
+// from the cache.
+TEST_F(ThroughputAnalyzerTest, MaximumRequestsWithNetworkIsolationKey) {
+  const url::Origin kOrigin = url::Origin::Create(GURL("https://foo.test/"));
+  const net::NetworkIsolationKey kNetworkIsolationKey(kOrigin, kOrigin);
+  const GURL kUrl = GURL("http://foo.test/test.html");
+
+  base::test::ScopedFeatureList feature_list;
+  feature_list.InitAndEnableFeature(
+      features::kSplitHostCacheByNetworkIsolationKey);
+
+  for (bool use_network_isolation_key : {false, true}) {
+    const base::TickClock* tick_clock = base::DefaultTickClock::GetInstance();
+    TestNetworkQualityEstimator network_quality_estimator;
+    std::map<std::string, std::string> variation_params;
+    NetworkQualityEstimatorParams params(variation_params);
+    TestThroughputAnalyzer throughput_analyzer(&network_quality_estimator,
+                                               &params, tick_clock);
+
+    TestDelegate test_delegate;
+    TestURLRequestContext context;
+    MockCachingHostResolver mock_host_resolver;
+    context.set_host_resolver(&mock_host_resolver);
+
+    // Add an entry to the host cache mapping kUrl to non-local IP when using an
+    // empty NetworkIsolationKey.
+    scoped_refptr<net::RuleBasedHostResolverProc> rules =
+        base::MakeRefCounted<RuleBasedHostResolverProc>(nullptr);
+    rules->AddRule(kUrl.host(), "1.2.3.4");
+    mock_host_resolver.set_rules(rules.get());
+    mock_host_resolver.LoadIntoCache(HostPortPair::FromURL(kUrl),
+                                     NetworkIsolationKey(), base::nullopt);
+
+    // Add an entry to the host cache mapping kUrl to local IP when using
+    // kNetworkIsolationKey.
+    rules = base::MakeRefCounted<RuleBasedHostResolverProc>(nullptr);
+    rules->AddRule(kUrl.host(), "127.0.0.1");
+    mock_host_resolver.set_rules(rules.get());
+    mock_host_resolver.LoadIntoCache(HostPortPair::FromURL(kUrl),
+                                     kNetworkIsolationKey, base::nullopt);
+
+    ASSERT_FALSE(
+        throughput_analyzer.disable_throughput_measurements_for_testing());
+    base::circular_deque<std::unique_ptr<URLRequest>> requests;
+
+    // Start more requests than the maximum number of requests that can be held
+    // in the memory.
+    EXPECT_EQ(use_network_isolation_key,
+              nqe::internal::IsPrivateHostForTesting(
+                  context.host_resolver(), HostPortPair::FromURL(kUrl),
+                  use_network_isolation_key ? kNetworkIsolationKey
+                                            : NetworkIsolationKey()));
     for (size_t i = 0; i < 1000; ++i) {
       std::unique_ptr<URLRequest> request(
-          context.CreateRequest(GURL(url), DEFAULT_PRIORITY, &test_delegate,
+          context.CreateRequest(kUrl, DEFAULT_PRIORITY, &test_delegate,
                                 TRAFFIC_ANNOTATION_FOR_TESTS));
+      if (use_network_isolation_key)
+        request->set_network_isolation_key(kNetworkIsolationKey);
       throughput_analyzer.NotifyStartTransaction(*(request.get()));
       requests.push_back(std::move(request));
     }
     // Too many local requests should cause the |throughput_analyzer| to disable
     // throughput measurements.
-    EXPECT_NE(test.use_local_requests,
+    EXPECT_NE(use_network_isolation_key,
               throughput_analyzer.IsCurrentlyTrackingThroughput());
   }
 }
diff --git a/chromium/net/proxy_resolution/mock_proxy_host_resolver.cc b/chromium/net/proxy_resolution/mock_proxy_host_resolver.cc
deleted file mode 100644
index 5b372d587f1..00000000000
--- a/chromium/net/proxy_resolution/mock_proxy_host_resolver.cc
+++ /dev/null
@@ -1,131 +0,0 @@
-// Copyright 2019 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "net/proxy_resolution/mock_proxy_host_resolver.h"
-
-#include "base/callback.h"
-#include "base/location.h"
-#include "base/logging.h"
-#include "base/memory/weak_ptr.h"
-#include "base/threading/thread_task_runner_handle.h"
-#include "net/base/completion_once_callback.h"
-#include "net/base/net_errors.h"
-
-namespace net {
-
-class MockProxyHostResolver::RequestImpl
-    : public Request,
-      public base::SupportsWeakPtr<RequestImpl> {
- public:
-  RequestImpl(std::vector<IPAddress> results, bool synchronous_mode)
-      : results_(std::move(results)), synchronous_mode_(synchronous_mode) {}
-  ~RequestImpl() override = default;
-
-  int Start(CompletionOnceCallback callback) override {
-    if (!synchronous_mode_) {
-      callback_ = std::move(callback);
-      base::ThreadTaskRunnerHandle::Get()->PostTask(
-          FROM_HERE, base::BindOnce(&RequestImpl::SendResults, AsWeakPtr()));
-      return ERR_IO_PENDING;
-    }
-
-    if (results_.empty())
-      return ERR_NAME_NOT_RESOLVED;
-
-    return OK;
-  }
-
-  const std::vector<IPAddress>& GetResults() const override {
-    DCHECK(!callback_);
-    return results_;
-  }
-
- private:
-  void SendResults() {
-    if (results_.empty())
-      std::move(callback_).Run(ERR_NAME_NOT_RESOLVED);
-    else
-      std::move(callback_).Run(OK);
-  }
-
-  const std::vector<IPAddress> results_;
-  const bool synchronous_mode_;
-
-  CompletionOnceCallback callback_;
-};
-
-MockProxyHostResolver::MockProxyHostResolver(bool synchronous_mode)
-    : num_resolve_(0), fail_all_(false), synchronous_mode_(synchronous_mode) {}
-
-MockProxyHostResolver::~MockProxyHostResolver() = default;
-
-std::unique_ptr<ProxyHostResolver::Request>
-MockProxyHostResolver::CreateRequest(const std::string& hostname,
-                                     ProxyResolveDnsOperation operation) {
-  ++num_resolve_;
-
-  if (fail_all_)
-    return std::make_unique<RequestImpl>(std::vector<IPAddress>(),
-                                         synchronous_mode_);
-
-  auto match = results_.find({hostname, operation});
-  if (match == results_.end())
-    return std::make_unique<RequestImpl>(
-        std::vector<IPAddress>({IPAddress(127, 0, 0, 1)}), synchronous_mode_);
-
-  return std::make_unique<RequestImpl>(match->second, synchronous_mode_);
-}
-
-void MockProxyHostResolver::SetError(const std::string& hostname,
-                                     ProxyResolveDnsOperation operation) {
-  fail_all_ = false;
-  results_[{hostname, operation}].clear();
-}
-
-void MockProxyHostResolver::SetResult(const std::string& hostname,
-                                      ProxyResolveDnsOperation operation,
-                                      std::vector<IPAddress> result) {
-  DCHECK(!result.empty());
-  fail_all_ = false;
-  results_[{hostname, operation}] = std::move(result);
-}
-
-void MockProxyHostResolver::FailAll() {
-  results_.clear();
-  fail_all_ = true;
-}
-
-class HangingProxyHostResolver::RequestImpl : public Request {
- public:
-  explicit RequestImpl(HangingProxyHostResolver* resolver)
-      : resolver_(resolver) {}
-  ~RequestImpl() override { ++resolver_->num_cancelled_requests_; }
-
-  int Start(CompletionOnceCallback callback) override {
-    if (resolver_->hang_callback_)
-      resolver_->hang_callback_.Run();
-    return ERR_IO_PENDING;
-  }
-
-  const std::vector<IPAddress>& GetResults() const override {
-    IMMEDIATE_CRASH();
-  }
-
- private:
-  HangingProxyHostResolver* resolver_;
-};
-
-HangingProxyHostResolver::HangingProxyHostResolver(
-    base::RepeatingClosure hang_callback)
-    : num_cancelled_requests_(0), hang_callback_(std::move(hang_callback)) {}
-
-HangingProxyHostResolver::~HangingProxyHostResolver() = default;
-
-std::unique_ptr<ProxyHostResolver::Request>
-HangingProxyHostResolver::CreateRequest(const std::string& hostname,
-                                        ProxyResolveDnsOperation operation) {
-  return std::make_unique<RequestImpl>(this);
-}
-
-}  // namespace net
diff --git a/chromium/net/proxy_resolution/mock_proxy_host_resolver.h b/chromium/net/proxy_resolution/mock_proxy_host_resolver.h
deleted file mode 100644
index cb3e87f09e1..00000000000
--- a/chromium/net/proxy_resolution/mock_proxy_host_resolver.h
+++ /dev/null
@@ -1,85 +0,0 @@
-// Copyright 2019 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef NET_PROXY_RESOLUTION_MOCK_PROXY_HOST_RESOLVER_H_
-#define NET_PROXY_RESOLUTION_MOCK_PROXY_HOST_RESOLVER_H_
-
-#include <map>
-#include <memory>
-#include <string>
-#include <utility>
-#include <vector>
-
-#include "base/callback_forward.h"
-#include "net/base/ip_address.h"
-#include "net/proxy_resolution/proxy_host_resolver.h"
-#include "net/proxy_resolution/proxy_resolve_dns_operation.h"
-
-namespace net {
-
-// Mock of ProxyHostResolver that resolves by default to 127.0.0.1, except for
-// hostnames with more specific results set using SetError() or SetResult().
-// Also allows returning failure for all results with FailAll().
-class MockProxyHostResolver : public ProxyHostResolver {
- public:
-  // If |synchronous_mode| set to |true|, all results will be returned
-  // synchronously.  Otherwise, all results will be asynchronous.
-  explicit MockProxyHostResolver(bool synchronous_mode = false);
-  ~MockProxyHostResolver() override;
-
-  std::unique_ptr<Request> CreateRequest(
-      const std::string& hostname,
-      ProxyResolveDnsOperation operation) override;
-
-  void SetError(const std::string& hostname,
-                ProxyResolveDnsOperation operation);
-
-  void SetResult(const std::string& hostname,
-                 ProxyResolveDnsOperation operation,
-                 std::vector<IPAddress> result);
-
-  void FailAll();
-
-  unsigned num_resolve() const { return num_resolve_; }
-
- private:
-  using ResultKey = std::pair<std::string, ProxyResolveDnsOperation>;
-
-  class RequestImpl;
-
-  // Any entry with an empty value signifies an ERR_NAME_NOT_RESOLVED result.
-  std::map<ResultKey, std::vector<IPAddress>> results_;
-  unsigned num_resolve_;
-  bool fail_all_;
-  bool synchronous_mode_;
-};
-
-// Mock of ProxyHostResolver that always hangs until cancelled.
-class HangingProxyHostResolver : public ProxyHostResolver {
- public:
-  // If not null, |hang_callback| will be invoked whenever a request is started.
-  HangingProxyHostResolver(
-      base::RepeatingClosure hang_callback = base::RepeatingClosure());
-  ~HangingProxyHostResolver() override;
-
-  std::unique_ptr<Request> CreateRequest(
-      const std::string& hostname,
-      ProxyResolveDnsOperation operation) override;
-
-  int num_cancelled_requests() const { return num_cancelled_requests_; }
-
-  void set_hang_callback(base::RepeatingClosure hang_callback) {
-    hang_callback_ = hang_callback;
-  }
-
- private:
-  class RequestImpl;
-
-  int num_cancelled_requests_;
-  base::RepeatingClosure hang_callback_;
-};
-
-}  // namespace net
-
-#endif  // NET_PROXY_RESOLUTION_MOCK_PROXY_HOST_RESOLVER_H_
diff --git a/chromium/net/proxy_resolution/mock_proxy_resolver.cc b/chromium/net/proxy_resolution/mock_proxy_resolver.cc
index 31d87851a24..fa9a1eef5d5 100644
--- a/chromium/net/proxy_resolution/mock_proxy_resolver.cc
+++ b/chromium/net/proxy_resolution/mock_proxy_resolver.cc
@@ -48,6 +48,7 @@ MockAsyncProxyResolver::~MockAsyncProxyResolver() = default;
 
 int MockAsyncProxyResolver::GetProxyForURL(
     const GURL& url,
+    const NetworkIsolationKey& network_isolation_key,
     ProxyInfo* results,
     CompletionOnceCallback callback,
     std::unique_ptr<Request>* request,
@@ -169,13 +170,15 @@ ForwardingProxyResolver::ForwardingProxyResolver(ProxyResolver* impl)
     : impl_(impl) {
 }
 
-int ForwardingProxyResolver::GetProxyForURL(const GURL& query_url,
-                                            ProxyInfo* results,
-                                            CompletionOnceCallback callback,
-                                            std::unique_ptr<Request>* request,
-                                            const NetLogWithSource& net_log) {
-  return impl_->GetProxyForURL(query_url, results, std::move(callback), request,
-                               net_log);
+int ForwardingProxyResolver::GetProxyForURL(
+    const GURL& query_url,
+    const NetworkIsolationKey& network_isolation_key,
+    ProxyInfo* results,
+    CompletionOnceCallback callback,
+    std::unique_ptr<Request>* request,
+    const NetLogWithSource& net_log) {
+  return impl_->GetProxyForURL(query_url, network_isolation_key, results,
+                               std::move(callback), request, net_log);
 }
 
 }  // namespace net
diff --git a/chromium/net/proxy_resolution/mock_proxy_resolver.h b/chromium/net/proxy_resolution/mock_proxy_resolver.h
index 2e1bb8eddba..d94555a8184 100644
--- a/chromium/net/proxy_resolution/mock_proxy_resolver.h
+++ b/chromium/net/proxy_resolution/mock_proxy_resolver.h
@@ -11,6 +11,7 @@
 #include "base/macros.h"
 #include "net/base/completion_once_callback.h"
 #include "net/base/net_errors.h"
+#include "net/base/network_isolation_key.h"
 #include "net/proxy_resolution/proxy_resolver.h"
 #include "net/proxy_resolution/proxy_resolver_factory.h"
 #include "url/gurl.h"
@@ -60,6 +61,7 @@ class MockAsyncProxyResolver : public ProxyResolver {
 
   // ProxyResolver implementation.
   int GetProxyForURL(const GURL& url,
+                     const NetworkIsolationKey& network_isolation_key,
                      ProxyInfo* results,
                      CompletionOnceCallback callback,
                      std::unique_ptr<Request>* request,
@@ -148,6 +150,7 @@ class ForwardingProxyResolver : public ProxyResolver {
 
   // ProxyResolver overrides.
   int GetProxyForURL(const GURL& query_url,
+                     const NetworkIsolationKey& network_isolation_key,
                      ProxyInfo* results,
                      CompletionOnceCallback callback,
                      std::unique_ptr<Request>* request,
diff --git a/chromium/net/proxy_resolution/multi_threaded_proxy_resolver.cc b/chromium/net/proxy_resolution/multi_threaded_proxy_resolver.cc
index e8623497dd2..d213b042dbd 100644
--- a/chromium/net/proxy_resolution/multi_threaded_proxy_resolver.cc
+++ b/chromium/net/proxy_resolution/multi_threaded_proxy_resolver.cc
@@ -21,6 +21,7 @@
 #include "base/threading/thread_restrictions.h"
 #include "base/threading/thread_task_runner_handle.h"
 #include "net/base/net_errors.h"
+#include "net/base/network_isolation_key.h"
 #include "net/log/net_log.h"
 #include "net/log/net_log_event_type.h"
 #include "net/log/net_log_with_source.h"
@@ -29,6 +30,8 @@
 
 namespace net {
 
+class NetworkIsolationKey;
+
 // http://crbug.com/69710
 class MultiThreadedProxyResolverScopedAllowJoinOnIO
     : public base::ScopedAllowBaseSyncPrimitivesOutsideBlockingScope {};
@@ -122,6 +125,7 @@ class MultiThreadedProxyResolver : public ProxyResolver,
 
   // ProxyResolver implementation:
   int GetProxyForURL(const GURL& url,
+                     const NetworkIsolationKey& network_isolation_key,
                      ProxyInfo* results,
                      CompletionOnceCallback callback,
                      std::unique_ptr<Request>* request,
@@ -269,6 +273,7 @@ class MultiThreadedProxyResolver::GetProxyForURLJob : public Job {
   // |url|         -- the URL of the query.
   // |results|     -- the structure to fill with proxy resolve results.
   GetProxyForURLJob(const GURL& url,
+                    const NetworkIsolationKey& network_isolation_key,
                     ProxyInfo* results,
                     CompletionOnceCallback callback,
                     const NetLogWithSource& net_log)
@@ -276,6 +281,7 @@ class MultiThreadedProxyResolver::GetProxyForURLJob : public Job {
         results_(results),
         net_log_(net_log),
         url_(url),
+        network_isolation_key_(network_isolation_key),
         was_waiting_for_thread_(false) {
     DCHECK(callback_);
   }
@@ -303,8 +309,9 @@ class MultiThreadedProxyResolver::GetProxyForURLJob : public Job {
   void Run(scoped_refptr<base::SingleThreadTaskRunner> origin_runner) override {
     ProxyResolver* resolver = executor()->resolver();
     DCHECK(resolver);
-    int rv = resolver->GetProxyForURL(
-        url_, &results_buf_, CompletionOnceCallback(), nullptr, net_log_);
+    int rv =
+        resolver->GetProxyForURL(url_, network_isolation_key_, &results_buf_,
+                                 CompletionOnceCallback(), nullptr, net_log_);
     DCHECK_NE(rv, ERR_IO_PENDING);
 
     origin_runner->PostTask(
@@ -334,7 +341,9 @@ class MultiThreadedProxyResolver::GetProxyForURLJob : public Job {
 
   // Can be used on either "origin" or worker thread.
   NetLogWithSource net_log_;
+
   const GURL url_;
+  const NetworkIsolationKey network_isolation_key_;
 
   // Usable from within DoQuery on the worker thread.
   ProxyInfo results_buf_;
@@ -436,6 +445,7 @@ MultiThreadedProxyResolver::~MultiThreadedProxyResolver() {
 
 int MultiThreadedProxyResolver::GetProxyForURL(
     const GURL& url,
+    const NetworkIsolationKey& network_isolation_key,
     ProxyInfo* results,
     CompletionOnceCallback callback,
     std::unique_ptr<Request>* request,
@@ -443,8 +453,8 @@ int MultiThreadedProxyResolver::GetProxyForURL(
   DCHECK_CALLED_ON_VALID_THREAD(thread_checker_);
   DCHECK(!callback.is_null());
 
-  scoped_refptr<GetProxyForURLJob> job(
-      new GetProxyForURLJob(url, results, std::move(callback), net_log));
+  scoped_refptr<GetProxyForURLJob> job(new GetProxyForURLJob(
+      url, network_isolation_key, results, std::move(callback), net_log));
 
   // Completion will be notified through |callback|, unless the caller cancels
   // the request using |request|.
diff --git a/chromium/net/proxy_resolution/multi_threaded_proxy_resolver_unittest.cc b/chromium/net/proxy_resolution/multi_threaded_proxy_resolver_unittest.cc
index d7b5a6bf090..2a7150a0131 100644
--- a/chromium/net/proxy_resolution/multi_threaded_proxy_resolver_unittest.cc
+++ b/chromium/net/proxy_resolution/multi_threaded_proxy_resolver_unittest.cc
@@ -18,6 +18,7 @@
 #include "base/threading/platform_thread.h"
 #include "base/threading/thread_checker_impl.h"
 #include "net/base/net_errors.h"
+#include "net/base/network_isolation_key.h"
 #include "net/base/test_completion_callback.h"
 #include "net/log/net_log_event_type.h"
 #include "net/log/net_log_with_source.h"
@@ -31,6 +32,7 @@
 #include "testing/gmock/include/gmock/gmock.h"
 #include "testing/gtest/include/gtest/gtest.h"
 #include "url/gurl.h"
+#include "url/origin.h"
 
 using net::test::IsError;
 using net::test::IsOk;
@@ -50,10 +52,14 @@ class MockProxyResolver : public ProxyResolver {
 
   // ProxyResolver implementation.
   int GetProxyForURL(const GURL& query_url,
+                     const NetworkIsolationKey& network_isolation_key,
                      ProxyInfo* results,
                      CompletionOnceCallback callback,
                      std::unique_ptr<Request>* request,
                      const NetLogWithSource& net_log) override {
+    last_query_url_ = query_url;
+    last_network_isolation_key_ = network_isolation_key;
+
     if (!resolve_latency_.is_zero())
       base::PlatformThread::Sleep(resolve_latency_);
 
@@ -77,10 +83,19 @@ class MockProxyResolver : public ProxyResolver {
     resolve_latency_ = latency;
   }
 
+  // Return the most recent values passed to GetProxyForURL(), if any.
+  const GURL& last_query_url() const { return last_query_url_; }
+  const NetworkIsolationKey& last_network_isolation_key() const {
+    return last_network_isolation_key_;
+  }
+
  private:
   base::ThreadCheckerImpl worker_thread_checker_;
   int request_count_ = 0;
   base::TimeDelta resolve_latency_;
+
+  GURL last_query_url_;
+  NetworkIsolationKey last_network_isolation_key_;
 };
 
 
@@ -127,6 +142,7 @@ class BlockableProxyResolver : public MockProxyResolver {
   }
 
   int GetProxyForURL(const GURL& query_url,
+                     const NetworkIsolationKey& network_isolation_key,
                      ProxyInfo* results,
                      CompletionOnceCallback callback,
                      std::unique_ptr<Request>* request,
@@ -145,8 +161,9 @@ class BlockableProxyResolver : public MockProxyResolver {
       }
     }
 
-    return MockProxyResolver::GetProxyForURL(
-        query_url, results, std::move(callback), request, net_log);
+    return MockProxyResolver::GetProxyForURL(query_url, network_isolation_key,
+                                             results, std::move(callback),
+                                             request, net_log);
   }
 
  private:
@@ -257,10 +274,11 @@ TEST_F(MultiThreadedProxyResolverTest, SingleThread_Basic) {
   // Start request 0.
   int rv;
   TestCompletionCallback callback0;
-  BoundTestNetLog log0;
+  RecordingBoundTestNetLog log0;
   ProxyInfo results0;
-  rv = resolver().GetProxyForURL(GURL("http://request0"), &results0,
-                                 callback0.callback(), nullptr, log0.bound());
+  rv = resolver().GetProxyForURL(GURL("http://request0"), NetworkIsolationKey(),
+                                 &results0, callback0.callback(), nullptr,
+                                 log0.bound());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
   // Wait for request 0 to finish.
@@ -281,22 +299,22 @@ TEST_F(MultiThreadedProxyResolverTest, SingleThread_Basic) {
 
   TestCompletionCallback callback1;
   ProxyInfo results1;
-  rv = resolver().GetProxyForURL(GURL("http://request1"), &results1,
-                                 callback1.callback(), nullptr,
+  rv = resolver().GetProxyForURL(GURL("http://request1"), NetworkIsolationKey(),
+                                 &results1, callback1.callback(), nullptr,
                                  NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
   TestCompletionCallback callback2;
   ProxyInfo results2;
-  rv = resolver().GetProxyForURL(GURL("http://request2"), &results2,
-                                 callback2.callback(), nullptr,
+  rv = resolver().GetProxyForURL(GURL("http://request2"), NetworkIsolationKey(),
+                                 &results2, callback2.callback(), nullptr,
                                  NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
   TestCompletionCallback callback3;
   ProxyInfo results3;
-  rv = resolver().GetProxyForURL(GURL("http://request3"), &results3,
-                                 callback3.callback(), nullptr,
+  rv = resolver().GetProxyForURL(GURL("http://request3"), NetworkIsolationKey(),
+                                 &results3, callback3.callback(), nullptr,
                                  NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
@@ -332,26 +350,29 @@ TEST_F(MultiThreadedProxyResolverTest,
   std::unique_ptr<ProxyResolver::Request> request0;
   TestCompletionCallback callback0;
   ProxyInfo results0;
-  BoundTestNetLog log0;
-  rv = resolver().GetProxyForURL(GURL("http://request0"), &results0,
-                                 callback0.callback(), &request0, log0.bound());
+  RecordingBoundTestNetLog log0;
+  rv = resolver().GetProxyForURL(GURL("http://request0"), NetworkIsolationKey(),
+                                 &results0, callback0.callback(), &request0,
+                                 log0.bound());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
   // Start 2 more requests (request1 and request2).
 
   TestCompletionCallback callback1;
   ProxyInfo results1;
-  BoundTestNetLog log1;
-  rv = resolver().GetProxyForURL(GURL("http://request1"), &results1,
-                                 callback1.callback(), nullptr, log1.bound());
+  RecordingBoundTestNetLog log1;
+  rv = resolver().GetProxyForURL(GURL("http://request1"), NetworkIsolationKey(),
+                                 &results1, callback1.callback(), nullptr,
+                                 log1.bound());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
   std::unique_ptr<ProxyResolver::Request> request2;
   TestCompletionCallback callback2;
   ProxyInfo results2;
-  BoundTestNetLog log2;
-  rv = resolver().GetProxyForURL(GURL("http://request2"), &results2,
-                                 callback2.callback(), &request2, log2.bound());
+  RecordingBoundTestNetLog log2;
+  rv = resolver().GetProxyForURL(GURL("http://request2"), NetworkIsolationKey(),
+                                 &results2, callback2.callback(), &request2,
+                                 log2.bound());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
   // Unblock the worker thread so the requests can continue running.
@@ -409,8 +430,8 @@ TEST_F(MultiThreadedProxyResolverTest, SingleThread_CancelRequest) {
   std::unique_ptr<ProxyResolver::Request> request0;
   TestCompletionCallback callback0;
   ProxyInfo results0;
-  rv = resolver().GetProxyForURL(GURL("http://request0"), &results0,
-                                 callback0.callback(), &request0,
+  rv = resolver().GetProxyForURL(GURL("http://request0"), NetworkIsolationKey(),
+                                 &results0, callback0.callback(), &request0,
                                  NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
@@ -421,23 +442,23 @@ TEST_F(MultiThreadedProxyResolverTest, SingleThread_CancelRequest) {
 
   TestCompletionCallback callback1;
   ProxyInfo results1;
-  rv = resolver().GetProxyForURL(GURL("http://request1"), &results1,
-                                 callback1.callback(), nullptr,
+  rv = resolver().GetProxyForURL(GURL("http://request1"), NetworkIsolationKey(),
+                                 &results1, callback1.callback(), nullptr,
                                  NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
   std::unique_ptr<ProxyResolver::Request> request2;
   TestCompletionCallback callback2;
   ProxyInfo results2;
-  rv = resolver().GetProxyForURL(GURL("http://request2"), &results2,
-                                 callback2.callback(), &request2,
+  rv = resolver().GetProxyForURL(GURL("http://request2"), NetworkIsolationKey(),
+                                 &results2, callback2.callback(), &request2,
                                  NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
   TestCompletionCallback callback3;
   ProxyInfo results3;
-  rv = resolver().GetProxyForURL(GURL("http://request3"), &results3,
-                                 callback3.callback(), nullptr,
+  rv = resolver().GetProxyForURL(GURL("http://request3"), NetworkIsolationKey(),
+                                 &results3, callback3.callback(), nullptr,
                                  NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
@@ -466,6 +487,40 @@ TEST_F(MultiThreadedProxyResolverTest, SingleThread_CancelRequest) {
   EXPECT_FALSE(callback2.have_result());
 }
 
+// Make sure the NetworkIsolationKey makes it to the resolver.
+TEST_F(MultiThreadedProxyResolverTest, SingleThread_WithNetworkIsolationKey) {
+  const url::Origin kOrigin(url::Origin::Create(GURL("https://origin.test/")));
+  const net::NetworkIsolationKey kNetworkIsolationKey(kOrigin, kOrigin);
+  const GURL kUrl("https://url.test/");
+
+  const size_t kNumThreads = 1u;
+  ASSERT_NO_FATAL_FAILURE(Init(kNumThreads));
+
+  int rv;
+
+  // Block the proxy resolver, so no request can complete.
+  factory().resolvers()[0]->Block();
+
+  // Start request.
+  std::unique_ptr<ProxyResolver::Request> request;
+  TestCompletionCallback callback;
+  ProxyInfo results;
+  rv = resolver().GetProxyForURL(kUrl, kNetworkIsolationKey, &results,
+                                 callback.callback(), &request,
+                                 NetLogWithSource());
+  EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
+
+  // Wait until request reaches the worker thread.
+  factory().resolvers()[0]->WaitUntilBlocked();
+
+  factory().resolvers()[0]->Unblock();
+  EXPECT_EQ(0, callback.WaitForResult());
+
+  EXPECT_EQ(kUrl, factory().resolvers()[0]->last_query_url());
+  EXPECT_EQ(kNetworkIsolationKey,
+            factory().resolvers()[0]->last_network_isolation_key());
+}
+
 // Test that deleting MultiThreadedProxyResolver while requests are
 // outstanding cancels them (and doesn't leak anything).
 TEST_F(MultiThreadedProxyResolverTest, SingleThread_CancelRequestByDeleting) {
@@ -482,22 +537,22 @@ TEST_F(MultiThreadedProxyResolverTest, SingleThread_CancelRequestByDeleting) {
 
   TestCompletionCallback callback0;
   ProxyInfo results0;
-  rv = resolver().GetProxyForURL(GURL("http://request0"), &results0,
-                                 callback0.callback(), nullptr,
+  rv = resolver().GetProxyForURL(GURL("http://request0"), NetworkIsolationKey(),
+                                 &results0, callback0.callback(), nullptr,
                                  NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
   TestCompletionCallback callback1;
   ProxyInfo results1;
-  rv = resolver().GetProxyForURL(GURL("http://request1"), &results1,
-                                 callback1.callback(), nullptr,
+  rv = resolver().GetProxyForURL(GURL("http://request1"), NetworkIsolationKey(),
+                                 &results1, callback1.callback(), nullptr,
                                  NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
   TestCompletionCallback callback2;
   ProxyInfo results2;
-  rv = resolver().GetProxyForURL(GURL("http://request2"), &results2,
-                                 callback2.callback(), nullptr,
+  rv = resolver().GetProxyForURL(GURL("http://request2"), NetworkIsolationKey(),
+                                 &results2, callback2.callback(), nullptr,
                                  NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
@@ -544,9 +599,9 @@ TEST_F(MultiThreadedProxyResolverTest, ThreeThreads_Basic) {
 
   // Start request 0 -- this should run on thread 0 as there is nothing else
   // going on right now.
-  rv = resolver().GetProxyForURL(GURL("http://request0"), &results[0],
-                                 callback[0].callback(), &request[0],
-                                 NetLogWithSource());
+  rv = resolver().GetProxyForURL(GURL("http://request0"), NetworkIsolationKey(),
+                                 &results[0], callback[0].callback(),
+                                 &request[0], NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
   // Wait for request 0 to finish.
@@ -561,14 +616,14 @@ TEST_F(MultiThreadedProxyResolverTest, ThreeThreads_Basic) {
   // We now block the first resolver to ensure a request is sent to the second
   // thread.
   factory().resolvers()[0]->Block();
-  rv = resolver().GetProxyForURL(GURL("http://request1"), &results[1],
-                                 callback[1].callback(), &request[1],
-                                 NetLogWithSource());
+  rv = resolver().GetProxyForURL(GURL("http://request1"), NetworkIsolationKey(),
+                                 &results[1], callback[1].callback(),
+                                 &request[1], NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
   factory().resolvers()[0]->WaitUntilBlocked();
-  rv = resolver().GetProxyForURL(GURL("http://request2"), &results[2],
-                                 callback[2].callback(), &request[2],
-                                 NetLogWithSource());
+  rv = resolver().GetProxyForURL(GURL("http://request2"), NetworkIsolationKey(),
+                                 &results[2], callback[2].callback(),
+                                 &request[2], NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
   EXPECT_EQ(0, callback[2].WaitForResult());
   ASSERT_EQ(2u, factory().resolvers().size());
@@ -576,14 +631,14 @@ TEST_F(MultiThreadedProxyResolverTest, ThreeThreads_Basic) {
   // We now block the second resolver as well to ensure a request is sent to the
   // third thread.
   factory().resolvers()[1]->Block();
-  rv = resolver().GetProxyForURL(GURL("http://request3"), &results[3],
-                                 callback[3].callback(), &request[3],
-                                 NetLogWithSource());
+  rv = resolver().GetProxyForURL(GURL("http://request3"), NetworkIsolationKey(),
+                                 &results[3], callback[3].callback(),
+                                 &request[3], NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
   factory().resolvers()[1]->WaitUntilBlocked();
-  rv = resolver().GetProxyForURL(GURL("http://request4"), &results[4],
-                                 callback[4].callback(), &request[4],
-                                 NetLogWithSource());
+  rv = resolver().GetProxyForURL(GURL("http://request4"), NetworkIsolationKey(),
+                                 &results[4], callback[4].callback(),
+                                 &request[4], NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
   EXPECT_EQ(0, callback[4].WaitForResult());
 
@@ -603,17 +658,17 @@ TEST_F(MultiThreadedProxyResolverTest, ThreeThreads_Basic) {
   // will reach the resolver, but the second will still be queued when canceled.
   // Start a third request so we can be sure the resolver has completed running
   // the first request.
-  rv = resolver().GetProxyForURL(GURL("http://request5"), &results[5],
-                                 callback[5].callback(), &request[5],
-                                 NetLogWithSource());
+  rv = resolver().GetProxyForURL(GURL("http://request5"), NetworkIsolationKey(),
+                                 &results[5], callback[5].callback(),
+                                 &request[5], NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
-  rv = resolver().GetProxyForURL(GURL("http://request6"), &results[6],
-                                 callback[6].callback(), &request[6],
-                                 NetLogWithSource());
+  rv = resolver().GetProxyForURL(GURL("http://request6"), NetworkIsolationKey(),
+                                 &results[6], callback[6].callback(),
+                                 &request[6], NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
-  rv = resolver().GetProxyForURL(GURL("http://request7"), &results[7],
-                                 callback[7].callback(), &request[7],
-                                 NetLogWithSource());
+  rv = resolver().GetProxyForURL(GURL("http://request7"), NetworkIsolationKey(),
+                                 &results[7], callback[7].callback(),
+                                 &request[7], NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
   request[5].reset();
   request[6].reset();
@@ -658,9 +713,9 @@ TEST_F(MultiThreadedProxyResolverTest, OneThreadBlocked) {
 
   factory().resolvers()[0]->Block();
 
-  rv = resolver().GetProxyForURL(GURL("http://request0"), &results[0],
-                                 callback[0].callback(), &request[0],
-                                 NetLogWithSource());
+  rv = resolver().GetProxyForURL(GURL("http://request0"), NetworkIsolationKey(),
+                                 &results[0], callback[0].callback(),
+                                 &request[0], NetLogWithSource());
 
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
   factory().resolvers()[0]->WaitUntilBlocked();
@@ -670,8 +725,8 @@ TEST_F(MultiThreadedProxyResolverTest, OneThreadBlocked) {
 
   for (int i = 1; i < kNumRequests; ++i) {
     rv = resolver().GetProxyForURL(
-        GURL(base::StringPrintf("http://request%d", i)), &results[i],
-        callback[i].callback(), &request[i], NetLogWithSource());
+        GURL(base::StringPrintf("http://request%d", i)), NetworkIsolationKey(),
+        &results[i], callback[i].callback(), &request[i], NetLogWithSource());
     EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
   }
 
diff --git a/chromium/net/proxy_resolution/network_delegate_error_observer_unittest.cc b/chromium/net/proxy_resolution/network_delegate_error_observer_unittest.cc
index 50fb964a20d..dff170e9e55 100644
--- a/chromium/net/proxy_resolution/network_delegate_error_observer_unittest.cc
+++ b/chromium/net/proxy_resolution/network_delegate_error_observer_unittest.cc
@@ -7,6 +7,7 @@
 #include "base/bind.h"
 #include "base/bind_helpers.h"
 #include "base/location.h"
+#include "base/optional.h"
 #include "base/run_loop.h"
 #include "base/single_thread_task_runner.h"
 #include "base/test/task_environment.h"
@@ -45,7 +46,7 @@ class TestNetworkDelegate : public NetworkDelegateImpl {
       const HttpResponseHeaders* original_response_headers,
       scoped_refptr<HttpResponseHeaders>* override_response_headers,
       const net::IPEndPoint& endpoint,
-      GURL* allowed_unsafe_redirect_url) override {
+      base::Optional<GURL>* preserve_fragment_on_redirect_url) override {
     return OK;
   }
   void OnBeforeRedirect(URLRequest* request,
diff --git a/chromium/net/proxy_resolution/pac_file_decider.cc b/chromium/net/proxy_resolution/pac_file_decider.cc
index fcbe342e4ad..1b32b42170b 100644
--- a/chromium/net/proxy_resolution/pac_file_decider.cc
+++ b/chromium/net/proxy_resolution/pac_file_decider.cc
@@ -18,6 +18,7 @@
 #include "net/base/completion_repeating_callback.h"
 #include "net/base/host_port_pair.h"
 #include "net/base/net_errors.h"
+#include "net/base/network_isolation_key.h"
 #include "net/base/request_priority.h"
 #include "net/log/net_log_capture_mode.h"
 #include "net/log/net_log_event_type.h"
@@ -276,8 +277,12 @@ int PacFileDecider::DoQuickCheck() {
 
   HostResolver* host_resolver =
       pac_file_fetcher_->GetRequestContext()->host_resolver();
-  resolve_request_ = host_resolver->CreateRequest(HostPortPair(host, 80),
-                                                  net_log_, parameters);
+  // It's safe to use an empty NetworkIsolationKey() here, since this is only
+  // for fetching the PAC script, so can't usefully leak data to web-initiated
+  // requests (Which can't use an empty NIK for resolving IPs other than that of
+  // the proxy).
+  resolve_request_ = host_resolver->CreateRequest(
+      HostPortPair(host, 80), NetworkIsolationKey(), net_log_, parameters);
 
   CompletionRepeatingCallback callback = base::BindRepeating(
       &PacFileDecider::OnIOCompletion, base::Unretained(this));
diff --git a/chromium/net/proxy_resolution/pac_file_decider_unittest.cc b/chromium/net/proxy_resolution/pac_file_decider_unittest.cc
index 87b3cb346a5..800f8ee5bfb 100644
--- a/chromium/net/proxy_resolution/pac_file_decider_unittest.cc
+++ b/chromium/net/proxy_resolution/pac_file_decider_unittest.cc
@@ -208,7 +208,7 @@ TEST(PacFileDeciderTest, CustomPacSucceeds) {
   Rules::Rule rule = rules.AddSuccessRule("http://custom/proxy.pac");
 
   TestCompletionCallback callback;
-  TestNetLog log;
+  RecordingTestNetLog log;
   PacFileDecider decider(&fetcher, &dhcp_fetcher, &log);
   EXPECT_THAT(decider.Start(ProxyConfigWithAnnotation(
                                 config, TRAFFIC_ANNOTATION_FOR_TESTS),
@@ -246,7 +246,7 @@ TEST(PacFileDeciderTest, CustomPacFails1) {
   rules.AddFailDownloadRule("http://custom/proxy.pac");
 
   TestCompletionCallback callback;
-  TestNetLog log;
+  RecordingTestNetLog log;
   PacFileDecider decider(&fetcher, &dhcp_fetcher, &log);
   EXPECT_THAT(decider.Start(ProxyConfigWithAnnotation(
                                 config, TRAFFIC_ANNOTATION_FOR_TESTS),
@@ -525,7 +525,7 @@ TEST(PacFileDeciderTest, AutodetectFailCustomSuccess2) {
   Rules::Rule rule = rules.AddSuccessRule("http://custom/proxy.pac");
 
   TestCompletionCallback callback;
-  TestNetLog log;
+  RecordingTestNetLog log;
 
   PacFileDecider decider(&fetcher, &dhcp_fetcher, &log);
   EXPECT_THAT(decider.Start(ProxyConfigWithAnnotation(
@@ -636,7 +636,7 @@ TEST(PacFileDeciderTest, CustomPacFails1_WithPositiveDelay) {
   rules.AddFailDownloadRule("http://custom/proxy.pac");
 
   TestCompletionCallback callback;
-  TestNetLog log;
+  RecordingTestNetLog log;
   PacFileDecider decider(&fetcher, &dhcp_fetcher, &log);
   EXPECT_THAT(
       decider.Start(
@@ -679,7 +679,7 @@ TEST(PacFileDeciderTest, CustomPacFails1_WithNegativeDelay) {
   rules.AddFailDownloadRule("http://custom/proxy.pac");
 
   TestCompletionCallback callback;
-  TestNetLog log;
+  RecordingTestNetLog log;
   PacFileDecider decider(&fetcher, &dhcp_fetcher, &log);
   EXPECT_THAT(
       decider.Start(
diff --git a/chromium/net/proxy_resolution/pac_file_fetcher_impl_unittest.cc b/chromium/net/proxy_resolution/pac_file_fetcher_impl_unittest.cc
index 6882f78f531..f6f4a73b3ee 100644
--- a/chromium/net/proxy_resolution/pac_file_fetcher_impl_unittest.cc
+++ b/chromium/net/proxy_resolution/pac_file_fetcher_impl_unittest.cc
@@ -11,6 +11,7 @@
 #include "base/compiler_specific.h"
 #include "base/files/file_path.h"
 #include "base/memory/ref_counted.h"
+#include "base/optional.h"
 #include "base/path_service.h"
 #include "base/run_loop.h"
 #include "base/sequenced_task_runner.h"
@@ -34,6 +35,7 @@
 #include "net/http/http_transaction_factory.h"
 #include "net/http/transport_security_state.h"
 #include "net/net_buildflags.h"
+#include "net/quic/quic_context.h"
 #include "net/socket/client_socket_pool_manager.h"
 #include "net/socket/transport_client_socket_pool.h"
 #include "net/ssl/ssl_config_service_defaults.h"
@@ -90,6 +92,7 @@ class RequestContext : public URLRequestContext {
         std::make_unique<SSLConfigServiceDefaults>());
     storage_.set_http_server_properties(
         std::make_unique<HttpServerProperties>());
+    storage_.set_quic_context(std::make_unique<QuicContext>());
 
     HttpNetworkSession::Context session_context;
     session_context.host_resolver = host_resolver();
@@ -100,6 +103,7 @@ class RequestContext : public URLRequestContext {
     session_context.proxy_resolution_service = proxy_resolution_service();
     session_context.ssl_config_service = ssl_config_service();
     session_context.http_server_properties = http_server_properties();
+    session_context.quic_context = quic_context();
     storage_.set_http_network_session(std::make_unique<HttpNetworkSession>(
         HttpNetworkSession::Params(), session_context));
     storage_.set_http_transaction_factory(std::make_unique<HttpCache>(
@@ -156,7 +160,7 @@ class BasicNetworkDelegate : public NetworkDelegateImpl {
       const HttpResponseHeaders* original_response_headers,
       scoped_refptr<HttpResponseHeaders>* override_response_headers,
       const net::IPEndPoint& endpoint,
-      GURL* allowed_unsafe_redirect_url) override {
+      base::Optional<GURL>* preserve_fragment_on_redirect_url) override {
     return OK;
   }
 
diff --git a/chromium/net/proxy_resolution/pac_js_library.h b/chromium/net/proxy_resolution/pac_js_library.h
deleted file mode 100644
index 24f68b2f5af..00000000000
--- a/chromium/net/proxy_resolution/pac_js_library.h
+++ /dev/null
@@ -1,296 +0,0 @@
-// Copyright (c) 2014 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef NET_PROXY_RESOLUTION_PAC_JS_LIBRARY_H_
-#define NET_PROXY_RESOLUTION_PAC_JS_LIBRARY_H_
-
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is mozilla.org code.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1998
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *   Akhil Arora <akhil.arora@sun.com>
- *   Tomi Leppikangas <Tomi.Leppikangas@oulu.fi>
- *   Darin Fisher <darin@meer.net>
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-// The following code was last extracted from netwerk/base/ProxyAutoConfig.cpp
-// on 2018-03-29 using this command:
-//
-// REV="6aa3b57955fed5e137d0306478e1a4b424a6d392"
-// FILE_PATH="netwerk/base/ProxyAutoConfig.cpp"
-// URL="https://hg.mozilla.org/mozilla-central/raw-file/$REV/$FILE_PATH"
-//
-// curl "$URL" | awk '/sPacUtils =/,/ "";/' | sed -e 's/"$/" \\/g'
-//
-// Additionally, the definition for isPlainHostName() was removed, as it is
-// implemented by the C++ side already.
-#define PAC_JS_LIBRARY                                                         \
-  "function dnsDomainIs(host, domain) {\n"                                     \
-  "    return (host.length >= domain.length &&\n"                              \
-  "            host.substring(host.length - domain.length) == domain);\n"      \
-  "}\n"                                                                        \
-  ""                                                                           \
-  "function dnsDomainLevels(host) {\n"                                         \
-  "    return host.split('.').length - 1;\n"                                   \
-  "}\n"                                                                        \
-  ""                                                                           \
-  "function isValidIpAddress(ipchars) {\n"                                     \
-  "    var matches = "                                                         \
-  "/^(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})$/.exec(ipchars);\n"     \
-  "    if (matches == null) {\n"                                               \
-  "        return false;\n"                                                    \
-  "    } else if (matches[1] > 255 || matches[2] > 255 || \n"                  \
-  "               matches[3] > 255 || matches[4] > 255) {\n"                   \
-  "        return false;\n"                                                    \
-  "    }\n"                                                                    \
-  "    return true;\n"                                                         \
-  "}\n"                                                                        \
-  ""                                                                           \
-  "function convert_addr(ipchars) {\n"                                         \
-  "    var bytes = ipchars.split('.');\n"                                      \
-  "    var result = ((bytes[0] & 0xff) << 24) |\n"                             \
-  "                 ((bytes[1] & 0xff) << 16) |\n"                             \
-  "                 ((bytes[2] & 0xff) <<  8) |\n"                             \
-  "                  (bytes[3] & 0xff);\n"                                     \
-  "    return result;\n"                                                       \
-  "}\n"                                                                        \
-  ""                                                                           \
-  "function isInNet(ipaddr, pattern, maskstr) {\n"                             \
-  "    if (!isValidIpAddress(pattern) || !isValidIpAddress(maskstr)) {\n"      \
-  "        return false;\n"                                                    \
-  "    }\n"                                                                    \
-  "    if (!isValidIpAddress(ipaddr)) {\n"                                     \
-  "        ipaddr = dnsResolve(ipaddr);\n"                                     \
-  "        if (ipaddr == null) {\n"                                            \
-  "            return false;\n"                                                \
-  "        }\n"                                                                \
-  "    }\n"                                                                    \
-  "    var host = convert_addr(ipaddr);\n"                                     \
-  "    var pat  = convert_addr(pattern);\n"                                    \
-  "    var mask = convert_addr(maskstr);\n"                                    \
-  "    return ((host & mask) == (pat & mask));\n"                              \
-  "    \n"                                                                     \
-  "}\n"                                                                        \
-  ""                                                                           \
-  "function isResolvable(host) {\n"                                            \
-  "    var ip = dnsResolve(host);\n"                                           \
-  "    return (ip != null);\n"                                                 \
-  "}\n"                                                                        \
-  ""                                                                           \
-  "function localHostOrDomainIs(host, hostdom) {\n"                            \
-  "    return (host == hostdom) ||\n"                                          \
-  "           (hostdom.lastIndexOf(host + '.', 0) == 0);\n"                    \
-  "}\n"                                                                        \
-  ""                                                                           \
-  "function shExpMatch(url, pattern) {\n"                                      \
-  "   pattern = pattern.replace(/\\./g, '\\\\.');\n"                           \
-  "   pattern = pattern.replace(/\\*/g, '.*');\n"                              \
-  "   pattern = pattern.replace(/\\?/g, '.');\n"                               \
-  "   var newRe = new RegExp('^'+pattern+'$');\n"                              \
-  "   return newRe.test(url);\n"                                               \
-  "}\n"                                                                        \
-  ""                                                                           \
-  "var wdays = {SUN: 0, MON: 1, TUE: 2, WED: 3, THU: 4, FRI: 5, SAT: 6};\n"    \
-  "var months = {JAN: 0, FEB: 1, MAR: 2, APR: 3, MAY: 4, JUN: 5, JUL: 6, "     \
-  "AUG: 7, SEP: 8, OCT: 9, NOV: 10, DEC: 11};\n"                               \
-  ""                                                                           \
-  "function weekdayRange() {\n"                                                \
-  "    function getDay(weekday) {\n"                                           \
-  "        if (weekday in wdays) {\n"                                          \
-  "            return wdays[weekday];\n"                                       \
-  "        }\n"                                                                \
-  "        return -1;\n"                                                       \
-  "    }\n"                                                                    \
-  "    var date = new Date();\n"                                               \
-  "    var argc = arguments.length;\n"                                         \
-  "    var wday;\n"                                                            \
-  "    if (argc < 1)\n"                                                        \
-  "        return false;\n"                                                    \
-  "    if (arguments[argc - 1] == 'GMT') {\n"                                  \
-  "        argc--;\n"                                                          \
-  "        wday = date.getUTCDay();\n"                                         \
-  "    } else {\n"                                                             \
-  "        wday = date.getDay();\n"                                            \
-  "    }\n"                                                                    \
-  "    var wd1 = getDay(arguments[0]);\n"                                      \
-  "    var wd2 = (argc == 2) ? getDay(arguments[1]) : wd1;\n"                  \
-  "    return (wd1 == -1 || wd2 == -1) ? false\n"                              \
-  "                                    : (wd1 <= wd2) ? (wd1 <= wday && wday " \
-  "<= wd2)\n"                                                                  \
-  "                                                   : (wd2 >= wday || wday " \
-  ">= wd1);\n"                                                                 \
-  "}\n"                                                                        \
-  ""                                                                           \
-  "function dateRange() {\n"                                                   \
-  "    function getMonth(name) {\n"                                            \
-  "        if (name in months) {\n"                                            \
-  "            return months[name];\n"                                         \
-  "        }\n"                                                                \
-  "        return -1;\n"                                                       \
-  "    }\n"                                                                    \
-  "    var date = new Date();\n"                                               \
-  "    var argc = arguments.length;\n"                                         \
-  "    if (argc < 1) {\n"                                                      \
-  "        return false;\n"                                                    \
-  "    }\n"                                                                    \
-  "    var isGMT = (arguments[argc - 1] == 'GMT');\n"                          \
-  "\n"                                                                         \
-  "    if (isGMT) {\n"                                                         \
-  "        argc--;\n"                                                          \
-  "    }\n"                                                                    \
-  "    // function will work even without explict handling of this case\n"     \
-  "    if (argc == 1) {\n"                                                     \
-  "        var tmp = parseInt(arguments[0]);\n"                                \
-  "        if (isNaN(tmp)) {\n"                                                \
-  "            return ((isGMT ? date.getUTCMonth() : date.getMonth()) ==\n"    \
-  "                     getMonth(arguments[0]));\n"                            \
-  "        } else if (tmp < 32) {\n"                                           \
-  "            return ((isGMT ? date.getUTCDate() : date.getDate()) == "       \
-  "tmp);\n"                                                                    \
-  "        } else { \n"                                                        \
-  "            return ((isGMT ? date.getUTCFullYear() : date.getFullYear()) "  \
-  "==\n"                                                                       \
-  "                     tmp);\n"                                               \
-  "        }\n"                                                                \
-  "    }\n"                                                                    \
-  "    var year = date.getFullYear();\n"                                       \
-  "    var date1, date2;\n"                                                    \
-  "    date1 = new Date(year,  0,  1,  0,  0,  0);\n"                          \
-  "    date2 = new Date(year, 11, 31, 23, 59, 59);\n"                          \
-  "    var adjustMonth = false;\n"                                             \
-  "    for (var i = 0; i < (argc >> 1); i++) {\n"                              \
-  "        var tmp = parseInt(arguments[i]);\n"                                \
-  "        if (isNaN(tmp)) {\n"                                                \
-  "            var mon = getMonth(arguments[i]);\n"                            \
-  "            date1.setMonth(mon);\n"                                         \
-  "        } else if (tmp < 32) {\n"                                           \
-  "            adjustMonth = (argc <= 2);\n"                                   \
-  "            date1.setDate(tmp);\n"                                          \
-  "        } else {\n"                                                         \
-  "            date1.setFullYear(tmp);\n"                                      \
-  "        }\n"                                                                \
-  "    }\n"                                                                    \
-  "    for (var i = (argc >> 1); i < argc; i++) {\n"                           \
-  "        var tmp = parseInt(arguments[i]);\n"                                \
-  "        if (isNaN(tmp)) {\n"                                                \
-  "            var mon = getMonth(arguments[i]);\n"                            \
-  "            date2.setMonth(mon);\n"                                         \
-  "        } else if (tmp < 32) {\n"                                           \
-  "            date2.setDate(tmp);\n"                                          \
-  "        } else {\n"                                                         \
-  "            date2.setFullYear(tmp);\n"                                      \
-  "        }\n"                                                                \
-  "    }\n"                                                                    \
-  "    if (adjustMonth) {\n"                                                   \
-  "        date1.setMonth(date.getMonth());\n"                                 \
-  "        date2.setMonth(date.getMonth());\n"                                 \
-  "    }\n"                                                                    \
-  "    if (isGMT) {\n"                                                         \
-  "    var tmp = date;\n"                                                      \
-  "        tmp.setFullYear(date.getUTCFullYear());\n"                          \
-  "        tmp.setMonth(date.getUTCMonth());\n"                                \
-  "        tmp.setDate(date.getUTCDate());\n"                                  \
-  "        tmp.setHours(date.getUTCHours());\n"                                \
-  "        tmp.setMinutes(date.getUTCMinutes());\n"                            \
-  "        tmp.setSeconds(date.getUTCSeconds());\n"                            \
-  "        date = tmp;\n"                                                      \
-  "    }\n"                                                                    \
-  "    return (date1 <= date2) ? (date1 <= date) && (date <= date2)\n"         \
-  "                            : (date2 >= date) || (date >= date1);\n"        \
-  "}\n"                                                                        \
-  ""                                                                           \
-  "function timeRange() {\n"                                                   \
-  "    var argc = arguments.length;\n"                                         \
-  "    var date = new Date();\n"                                               \
-  "    var isGMT= false;\n"                                                    \
-  ""                                                                           \
-  "    if (argc < 1) {\n"                                                      \
-  "        return false;\n"                                                    \
-  "    }\n"                                                                    \
-  "    if (arguments[argc - 1] == 'GMT') {\n"                                  \
-  "        isGMT = true;\n"                                                    \
-  "        argc--;\n"                                                          \
-  "    }\n"                                                                    \
-  "\n"                                                                         \
-  "    var hour = isGMT ? date.getUTCHours() : date.getHours();\n"             \
-  "    var date1, date2;\n"                                                    \
-  "    date1 = new Date();\n"                                                  \
-  "    date2 = new Date();\n"                                                  \
-  "\n"                                                                         \
-  "    if (argc == 1) {\n"                                                     \
-  "        return (hour == arguments[0]);\n"                                   \
-  "    } else if (argc == 2) {\n"                                              \
-  "        return ((arguments[0] <= hour) && (hour <= arguments[1]));\n"       \
-  "    } else {\n"                                                             \
-  "        switch (argc) {\n"                                                  \
-  "        case 6:\n"                                                          \
-  "            date1.setSeconds(arguments[2]);\n"                              \
-  "            date2.setSeconds(arguments[5]);\n"                              \
-  "        case 4:\n"                                                          \
-  "            var middle = argc >> 1;\n"                                      \
-  "            date1.setHours(arguments[0]);\n"                                \
-  "            date1.setMinutes(arguments[1]);\n"                              \
-  "            date2.setHours(arguments[middle]);\n"                           \
-  "            date2.setMinutes(arguments[middle + 1]);\n"                     \
-  "            if (middle == 2) {\n"                                           \
-  "                date2.setSeconds(59);\n"                                    \
-  "            }\n"                                                            \
-  "            break;\n"                                                       \
-  "        default:\n"                                                         \
-  "          throw 'timeRange: bad number of arguments'\n"                     \
-  "        }\n"                                                                \
-  "    }\n"                                                                    \
-  "\n"                                                                         \
-  "    if (isGMT) {\n"                                                         \
-  "        date.setFullYear(date.getUTCFullYear());\n"                         \
-  "        date.setMonth(date.getUTCMonth());\n"                               \
-  "        date.setDate(date.getUTCDate());\n"                                 \
-  "        date.setHours(date.getUTCHours());\n"                               \
-  "        date.setMinutes(date.getUTCMinutes());\n"                           \
-  "        date.setSeconds(date.getUTCSeconds());\n"                           \
-  "    }\n"                                                                    \
-  "    return (date1 <= date2) ? (date1 <= date) && (date <= date2)\n"         \
-  "                            : (date2 >= date) || (date >= date1);\n"        \
-  "\n"                                                                         \
-  "}\n"
-
-// This is a Microsoft extension to PAC for IPv6, see:
-// http://blogs.msdn.com/b/wndp/archive/2006/07/13/ipv6-pac-extensions-v0-9.aspx
-#define PAC_JS_LIBRARY_EX                  \
-  "function isResolvableEx(host) {\n"      \
-  "    var ipList = dnsResolveEx(host);\n" \
-  "    return (ipList != '');\n"           \
-  "}\n"
-
-#endif  // NET_PROXY_RESOLUTION_PAC_JS_LIBRARY_H_
diff --git a/chromium/net/proxy_resolution/pac_library.cc b/chromium/net/proxy_resolution/pac_library.cc
deleted file mode 100644
index 69cb35fd06b..00000000000
--- a/chromium/net/proxy_resolution/pac_library.cc
+++ /dev/null
@@ -1,290 +0,0 @@
-// Copyright 2018 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "net/proxy_resolution/pac_library.h"
-#include "net/base/address_list.h"
-#include "net/base/ip_address.h"
-#include "net/base/network_interfaces.h"
-#include "net/dns/host_resolver_proc.h"
-#include "net/socket/client_socket_factory.h"
-#include "net/socket/udp_client_socket.h"
-
-namespace net {
-
-namespace {
-
-enum class Mode {
-  kMyIpAddress,
-  kMyIpAddressEx,
-};
-
-// Helper used to accumulate and select the best candidate IP addresses.
-//
-// myIpAddress() is a broken API available to PAC scripts.
-// It has the problematic definition of:
-// "Returns the IP address of the host machine."
-//
-// This has ambiguity on what should happen for multi-homed hosts which may have
-// multiple IP addresses to choose from. To be unambiguous we would need to
-// know which hosts is going to be connected to, in order to use the outgoing
-// IP for that request.
-//
-// However at this point that is not known, as the proxy still hasn't been
-// decided.
-//
-// The strategy used here is to prioritize the IP address that would be used
-// for connecting to the public internet by testing which interface is used for
-// connecting to 8.8.8.8 and 2001:4860:4860::8888 (public IPs).
-//
-// If that fails, we will try resolving the machine's hostname, and also probing
-// for routes in the private IP space.
-//
-// Link-local IP addresses are not generally returned, however may be if no
-// other IP was found by the probes.
-class MyIpAddressImpl {
- public:
-  MyIpAddressImpl() = default;
-
-  // Used for mocking the socket dependency.
-  void SetSocketFactoryForTest(ClientSocketFactory* socket_factory) {
-    override_socket_factory_ = socket_factory;
-  }
-
-  // Used for mocking the DNS dependency.
-  void SetDNSResultForTest(const AddressList& addrs) {
-    override_dns_result_ = std::make_unique<AddressList>(addrs);
-  }
-
-  IPAddressList Run(Mode mode) {
-    DCHECK(candidate_ips_.empty());
-    DCHECK(link_local_ips_.empty());
-    DCHECK(!done_);
-
-    mode_ = mode;
-
-    // Try several different methods to obtain IP addresses.
-    TestPublicInternetRoutes();
-    TestResolvingHostname();
-    TestPrivateIPRoutes();
-
-    return mode_ == Mode::kMyIpAddress ? GetResultForMyIpAddress()
-                                       : GetResultForMyIpAddressEx();
-  }
-
- private:
-  // Adds |address| to the result.
-  void Add(const IPAddress& address) {
-    if (done_)
-      return;
-
-    // Don't consider loopback addresses (ex: 127.0.0.1). These can notably be
-    // returned when probing addresses associated with the hostname.
-    if (address.IsLoopback())
-      return;
-
-    if (!seen_ips_.insert(address).second)
-      return;  // Duplicate IP address.
-
-    // Link-local addresses are only used as a last-resort if there are no
-    // better addresses.
-    if (address.IsLinkLocal()) {
-      link_local_ips_.push_back(address);
-      return;
-    }
-
-    // For legacy reasons IPv4 addresses are favored over IPv6 for myIpAddress()
-    // - https://crbug.com/905126 - so this only stops the search when a IPv4
-    // address is found.
-    if ((mode_ == Mode::kMyIpAddress) && address.IsIPv4())
-      done_ = true;
-
-    candidate_ips_.push_back(address);
-  }
-
-  IPAddressList GetResultForMyIpAddress() const {
-    DCHECK_EQ(Mode::kMyIpAddress, mode_);
-
-    if (!candidate_ips_.empty())
-      return GetSingleResultFavoringIPv4(candidate_ips_);
-
-    if (!link_local_ips_.empty())
-      return GetSingleResultFavoringIPv4(link_local_ips_);
-
-    return {};
-  }
-
-  IPAddressList GetResultForMyIpAddressEx() const {
-    DCHECK_EQ(Mode::kMyIpAddressEx, mode_);
-
-    if (!candidate_ips_.empty())
-      return candidate_ips_;
-
-    if (!link_local_ips_.empty()) {
-      // Note that only a single link-local address is returned here, even
-      // though multiple could be returned for this API. See
-      // http://crbug.com/905366 before expanding this.
-      return GetSingleResultFavoringIPv4(link_local_ips_);
-    }
-
-    return {};
-  }
-
-  // Tests what source IP address would be used for sending a UDP packet to the
-  // given destination IP. This does not hit the network and should be fast.
-  void TestRoute(const IPAddress& destination_ip) {
-    if (done_)
-      return;
-
-    ClientSocketFactory* socket_factory =
-        override_socket_factory_
-            ? override_socket_factory_
-            : net::ClientSocketFactory::GetDefaultFactory();
-
-    auto socket = socket_factory->CreateDatagramClientSocket(
-        net::DatagramSocket::DEFAULT_BIND, nullptr, net::NetLogSource());
-
-    IPEndPoint destination(destination_ip, /*port=*/80);
-
-    if (socket->Connect(destination) != OK)
-      return;
-
-    IPEndPoint source;
-    if (socket->GetLocalAddress(&source) != OK)
-      return;
-
-    Add(source.address());
-  }
-
-  void TestPublicInternetRoutes() {
-    if (done_)
-      return;
-
-    // 8.8.8.8 and 2001:4860:4860::8888 are Google DNS.
-    TestRoute(IPAddress(8, 8, 8, 8));
-    TestRoute(IPAddress(0x20, 0x01, 0x48, 0x60, 0x48, 0x60, 0, 0, 0, 0, 0, 0, 0,
-                        0, 0x88, 0x88));
-
-    MarkAsDoneIfHaveCandidates();
-  }
-
-  // Marks the current search as done if candidate IPs have been found.
-  //
-  // This is used to stop exploring for IPs if any of the high-level tests find
-  // a match (i.e. either the public internet route test, or hostname test, or
-  // private route test found something).
-  //
-  // In the case of myIpAddressEx() this means it will be conservative in which
-  // IPs it returns and not enumerate the full set. See http://crbug.com/905366
-  // before expanding that policy.
-  void MarkAsDoneIfHaveCandidates() {
-    if (!candidate_ips_.empty())
-      done_ = true;
-  }
-
-  void TestPrivateIPRoutes() {
-    if (done_)
-      return;
-
-    // Representative IP from each range in RFC 1918.
-    TestRoute(IPAddress(10, 0, 0, 0));
-    TestRoute(IPAddress(172, 16, 0, 0));
-    TestRoute(IPAddress(192, 168, 0, 0));
-
-    // Representative IP for Unique Local Address (FC00::/7).
-    TestRoute(IPAddress(0xfc, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0));
-
-    MarkAsDoneIfHaveCandidates();
-  }
-
-  void TestResolvingHostname() {
-    if (done_)
-      return;
-
-    AddressList addrlist;
-
-    int resolver_error;
-
-    if (override_dns_result_) {
-      addrlist = *override_dns_result_;
-      resolver_error = addrlist.empty() ? ERR_NAME_NOT_RESOLVED : OK;
-    } else {
-      resolver_error = SystemHostResolverCall(
-          GetHostName(), AddressFamily::ADDRESS_FAMILY_UNSPECIFIED, 0,
-          &addrlist,
-          /*os_error=*/nullptr);
-    }
-
-    if (resolver_error != OK)
-      return;
-
-    for (const auto& e : addrlist.endpoints())
-      Add(e.address());
-
-    MarkAsDoneIfHaveCandidates();
-  }
-
-  static IPAddressList GetSingleResultFavoringIPv4(const IPAddressList& ips) {
-    for (const auto& ip : ips) {
-      if (ip.IsIPv4())
-        return {ip};
-    }
-
-    if (!ips.empty())
-      return {ips.front()};
-
-    return {};
-  }
-
-  std::set<IPAddress> seen_ips_;
-
-  // The preferred ordered candidate IPs so far.
-  IPAddressList candidate_ips_;
-
-  // The link-local IP addresses seen so far (not part of |candidate_ips_|).
-  IPAddressList link_local_ips_;
-
-  // The operation being carried out.
-  Mode mode_;
-
-  // Whether the search for results has completed.
-  //
-  // Once "done", calling Add() will not change the final result. This is used
-  // to short-circuit early.
-  bool done_ = false;
-
-  ClientSocketFactory* override_socket_factory_ = nullptr;
-  std::unique_ptr<AddressList> override_dns_result_;
-
-  DISALLOW_COPY_AND_ASSIGN(MyIpAddressImpl);
-};
-
-}  // namespace
-
-IPAddressList PacMyIpAddress() {
-  MyIpAddressImpl impl;
-  return impl.Run(Mode::kMyIpAddress);
-}
-
-IPAddressList PacMyIpAddressEx() {
-  MyIpAddressImpl impl;
-  return impl.Run(Mode::kMyIpAddressEx);
-}
-
-IPAddressList PacMyIpAddressForTest(ClientSocketFactory* socket_factory,
-                                    const AddressList& dns_result) {
-  MyIpAddressImpl impl;
-  impl.SetSocketFactoryForTest(socket_factory);
-  impl.SetDNSResultForTest(dns_result);
-  return impl.Run(Mode::kMyIpAddress);
-}
-
-IPAddressList PacMyIpAddressExForTest(ClientSocketFactory* socket_factory,
-                                      const AddressList& dns_result) {
-  MyIpAddressImpl impl;
-  impl.SetSocketFactoryForTest(socket_factory);
-  impl.SetDNSResultForTest(dns_result);
-  return impl.Run(Mode::kMyIpAddressEx);
-}
-
-}  // namespace net
diff --git a/chromium/net/proxy_resolution/pac_library.h b/chromium/net/proxy_resolution/pac_library.h
deleted file mode 100644
index 8f58980bf5e..00000000000
--- a/chromium/net/proxy_resolution/pac_library.h
+++ /dev/null
@@ -1,37 +0,0 @@
-// Copyright 2018 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef NET_PROXY_RESOLUTION_PAC_LIBRARY_H_
-#define NET_PROXY_RESOLUTION_PAC_LIBRARY_H_
-
-#include "net/base/ip_address.h"
-#include "net/base/net_export.h"
-
-// TODO(eroman): Move other PAC library support functions into here.
-
-namespace net {
-
-class ClientSocketFactory;
-class AddressList;
-
-// Implementations for myIpAddress() and myIpAddressEx() function calls
-// available in the PAC environment. These are expected to be called on a worker
-// thread as they may block.
-//
-// Do not use these outside of PAC as they are broken APIs. See comments in the
-// implementation file for details.
-NET_EXPORT_PRIVATE IPAddressList PacMyIpAddress();
-NET_EXPORT_PRIVATE IPAddressList PacMyIpAddressEx();
-
-// Test exposed variants that allows mocking the UDP and DNS dependencies.
-NET_EXPORT_PRIVATE IPAddressList
-PacMyIpAddressForTest(ClientSocketFactory* socket_factory,
-                      const AddressList& dns_result);
-NET_EXPORT_PRIVATE IPAddressList
-PacMyIpAddressExForTest(ClientSocketFactory* socket_factory,
-                        const AddressList& dns_result);
-
-}  // namespace net
-
-#endif  // NET_PROXY_RESOLUTION_PAC_LIBRARY_H_
diff --git a/chromium/net/proxy_resolution/pac_library_unittest.cc b/chromium/net/proxy_resolution/pac_library_unittest.cc
deleted file mode 100644
index 9337c5b9568..00000000000
--- a/chromium/net/proxy_resolution/pac_library_unittest.cc
+++ /dev/null
@@ -1,621 +0,0 @@
-// Copyright 2018 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "net/proxy_resolution/pac_library.h"
-
-#include "net/base/address_list.h"
-#include "net/base/net_errors.h"
-#include "net/base/network_interfaces.h"
-#include "net/log/net_log_with_source.h"
-#include "net/socket/client_socket_factory.h"
-#include "net/socket/client_socket_handle.h"
-#include "net/socket/datagram_client_socket.h"
-#include "testing/gmock/include/gmock/gmock.h"
-#include "testing/gtest/include/gtest/gtest.h"
-
-namespace net {
-namespace {
-
-// Helper for verifying whether the address list returned by myIpAddress() /
-// myIpAddressEx() looks correct.
-void VerifyActualMyIpAddresses(const IPAddressList& test_list) {
-  // Enumerate all of the IP addresses for the system (skipping loopback and
-  // link-local ones). This is used as a reference implementation to check
-  // whether |test_list| (which was obtained using a different strategy) looks
-  // correct.
-  std::set<IPAddress> candidates;
-  NetworkInterfaceList networks;
-  GetNetworkList(&networks, EXCLUDE_HOST_SCOPE_VIRTUAL_INTERFACES);
-  for (const auto& network : networks) {
-    if (network.address.IsLinkLocal() || network.address.IsLoopback())
-      continue;
-    candidates.insert(network.address);
-  }
-
-  // Ordinarily the machine running this test will have an IP address. However
-  // for some bot configurations (notably Android) that may not be the case.
-  EXPECT_EQ(candidates.empty(), test_list.empty());
-
-  // |test_list| should be a subset of |candidates|.
-  for (const auto& ip : test_list)
-    EXPECT_EQ(1u, candidates.count(ip));
-}
-
-// Tests for PacMyIpAddress() and PacMyIpAddressEx().
-TEST(PacLibraryTest, ActualPacMyIpAddress) {
-  auto my_ip_addresses = PacMyIpAddress();
-
-  VerifyActualMyIpAddresses(my_ip_addresses);
-}
-
-TEST(PacLibraryTest, ActualPacMyIpAddressEx) {
-  VerifyActualMyIpAddresses(PacMyIpAddressEx());
-}
-
-IPAddress CreateIPAddress(base::StringPiece literal) {
-  IPAddress result;
-  if (!result.AssignFromIPLiteral(literal)) {
-    ADD_FAILURE() << "Failed parsing IP: " << literal;
-    return IPAddress();
-  }
-  return result;
-}
-
-AddressList CreateAddressList(
-    const std::vector<base::StringPiece>& ip_literals) {
-  AddressList result;
-  for (const auto& ip : ip_literals)
-    result.push_back(IPEndPoint(CreateIPAddress(ip), 8080));
-  return result;
-}
-
-class MockUDPSocket : public DatagramClientSocket {
- public:
-  MockUDPSocket(const IPAddress& peer_ip,
-                const IPAddress& local_ip,
-                Error connect_error)
-      : peer_ip_(peer_ip), local_ip_(local_ip), connect_error_(connect_error) {}
-
-  ~MockUDPSocket() override = default;
-
-  // Socket implementation.
-  int Read(IOBuffer* buf,
-           int buf_len,
-           CompletionOnceCallback callback) override {
-    ADD_FAILURE() << "Called Read()";
-    return ERR_UNEXPECTED;
-  }
-  int Write(IOBuffer* buf,
-            int buf_len,
-            CompletionOnceCallback callback,
-            const NetworkTrafficAnnotationTag& traffic_annotation) override {
-    ADD_FAILURE() << "Called Read()";
-    return ERR_UNEXPECTED;
-  }
-  int SetReceiveBufferSize(int32_t size) override {
-    ADD_FAILURE() << "Called SetReceiveBufferSize()";
-    return ERR_UNEXPECTED;
-  }
-  int SetSendBufferSize(int32_t size) override {
-    ADD_FAILURE() << "Called SetSendBufferSize()";
-    return ERR_UNEXPECTED;
-  }
-
-  // DatagramSocket implementation.
-  void Close() override { ADD_FAILURE() << "Called Close()"; }
-  int GetPeerAddress(IPEndPoint* address) const override {
-    ADD_FAILURE() << "Called GetPeerAddress()";
-    return ERR_UNEXPECTED;
-  }
-  int GetLocalAddress(IPEndPoint* address) const override {
-    if (connect_error_ != OK)
-      return connect_error_;
-
-    *address = IPEndPoint(local_ip_, 8080);
-    return OK;
-  }
-  void UseNonBlockingIO() override {
-    ADD_FAILURE() << "Called UseNonBlockingIO()";
-  }
-  int SetDoNotFragment() override {
-    ADD_FAILURE() << "Called SetDoNotFragment()";
-    return ERR_UNEXPECTED;
-  }
-  void SetMsgConfirm(bool confirm) override {
-    ADD_FAILURE() << "Called SetMsgConfirm()";
-  }
-  const NetLogWithSource& NetLog() const override {
-    ADD_FAILURE() << "Called NetLog()";
-    return net_log_;
-  }
-
-  // DatagramClientSocket implementation.
-  int Connect(const IPEndPoint& address) override {
-    EXPECT_EQ(peer_ip_.ToString(), address.address().ToString());
-    return connect_error_;
-  }
-  int ConnectUsingNetwork(NetworkChangeNotifier::NetworkHandle network,
-                          const IPEndPoint& address) override {
-    ADD_FAILURE() << "Called ConnectUsingNetwork()";
-    return ERR_UNEXPECTED;
-  }
-  int ConnectUsingDefaultNetwork(const IPEndPoint& address) override {
-    ADD_FAILURE() << "Called ConnectUsingDefaultNetwork()";
-    return ERR_UNEXPECTED;
-  }
-  NetworkChangeNotifier::NetworkHandle GetBoundNetwork() const override {
-    ADD_FAILURE() << "Called GetBoundNetwork()";
-    return network_;
-  }
-  void ApplySocketTag(const SocketTag& tag) override {
-    ADD_FAILURE() << "Called ApplySocketTag()";
-  }
-  int WriteAsync(
-      DatagramBuffers buffers,
-      CompletionOnceCallback callback,
-      const NetworkTrafficAnnotationTag& traffic_annotation) override {
-    ADD_FAILURE() << "Called WriteAsync()";
-    return ERR_UNEXPECTED;
-  }
-  int WriteAsync(
-      const char* buffer,
-      size_t buf_len,
-      CompletionOnceCallback callback,
-      const NetworkTrafficAnnotationTag& traffic_annotation) override {
-    ADD_FAILURE() << "Called WriteAsync()";
-    return ERR_UNEXPECTED;
-  }
-  DatagramBuffers GetUnwrittenBuffers() override {
-    ADD_FAILURE() << "Called GetUnwrittenBuffers()";
-    return DatagramBuffers();
-  }
-  void SetWriteAsyncEnabled(bool enabled) override {
-    ADD_FAILURE() << "Called SetWriteAsyncEnabled()";
-  }
-  void SetMaxPacketSize(size_t max_packet_size) override {
-    ADD_FAILURE() << "Called SetWriteAsyncEnabled()";
-  }
-  bool WriteAsyncEnabled() override {
-    ADD_FAILURE() << "Called WriteAsyncEnabled()";
-    return false;
-  }
-  void SetWriteMultiCoreEnabled(bool enabled) override {
-    ADD_FAILURE() << "Called SetWriteMultiCoreEnabled()";
-  }
-  void SetSendmmsgEnabled(bool enabled) override {
-    ADD_FAILURE() << "Called SetSendmmsgEnabled()";
-  }
-  void SetWriteBatchingActive(bool active) override {
-    ADD_FAILURE() << "Called SetWriteBatchingActive()";
-  }
-  int SetMulticastInterface(uint32_t interface_index) override {
-    ADD_FAILURE() << "Called SetMulticastInterface()";
-    return ERR_UNEXPECTED;
-  }
-
- private:
-  NetLogWithSource net_log_;
-  NetworkChangeNotifier::NetworkHandle network_;
-
-  IPAddress peer_ip_;
-  IPAddress local_ip_;
-  Error connect_error_;
-
-  DISALLOW_COPY_AND_ASSIGN(MockUDPSocket);
-};
-
-class MockSocketFactory : public ClientSocketFactory {
- public:
-  MockSocketFactory() = default;
-
-  void AddUDPConnectSuccess(base::StringPiece peer_ip_literal,
-                            base::StringPiece local_ip_literal) {
-    auto peer_ip = CreateIPAddress(peer_ip_literal);
-    auto local_ip = CreateIPAddress(local_ip_literal);
-
-    // The address family of local and peer IP must match.
-    ASSERT_EQ(peer_ip.size(), local_ip.size());
-
-    udp_sockets_.push_back(std::make_unique<MockUDPSocket>(
-        peer_ip, local_ip, OK));
-  }
-
-  void AddUDPConnectFailure(base::StringPiece peer_ip) {
-    udp_sockets_.push_back(std::make_unique<MockUDPSocket>(
-        CreateIPAddress(peer_ip), IPAddress(), ERR_ADDRESS_UNREACHABLE));
-  }
-
-  ~MockSocketFactory() override {
-    EXPECT_EQ(0u, udp_sockets_.size())
-        << "Not all of the mock sockets were consumed.";
-  }
-
-  // ClientSocketFactory
-  std::unique_ptr<DatagramClientSocket> CreateDatagramClientSocket(
-      DatagramSocket::BindType bind_type,
-      NetLog* net_log,
-      const NetLogSource& source) override {
-    if (udp_sockets_.empty()) {
-      ADD_FAILURE() << "Not enough mock UDP sockets";
-      return nullptr;
-    }
-
-    auto result = std::move(udp_sockets_.front());
-    udp_sockets_.erase(udp_sockets_.begin());
-    return result;
-  }
-  std::unique_ptr<TransportClientSocket> CreateTransportClientSocket(
-      const AddressList& addresses,
-      std::unique_ptr<SocketPerformanceWatcher> socket_performance_watcher,
-      NetLog* net_log,
-      const NetLogSource& source) override {
-    ADD_FAILURE() << "Called CreateTransportClientSocket()";
-    return nullptr;
-  }
-  std::unique_ptr<SSLClientSocket> CreateSSLClientSocket(
-      SSLClientContext* context,
-      std::unique_ptr<StreamSocket> stream_socket,
-      const HostPortPair& host_and_port,
-      const SSLConfig& ssl_config) override {
-    ADD_FAILURE() << "Called CreateSSLClientSocket()";
-    return nullptr;
-  }
-  std::unique_ptr<ProxyClientSocket> CreateProxyClientSocket(
-      std::unique_ptr<StreamSocket> stream_socket,
-      const std::string& user_agent,
-      const HostPortPair& endpoint,
-      const ProxyServer& proxy_server,
-      HttpAuthController* http_auth_controller,
-      bool tunnel,
-      bool using_spdy,
-      NextProto negotiated_protocol,
-      ProxyDelegate* proxy_delegate,
-      const NetworkTrafficAnnotationTag& traffic_annotation) override {
-    ADD_FAILURE() << "Called CreateProxyClientSocket()";
-    return nullptr;
-  }
-
- private:
-  std::vector<std::unique_ptr<MockUDPSocket>> udp_sockets_;
-
-  DISALLOW_COPY_AND_ASSIGN(MockSocketFactory);
-};
-
-// Tests myIpAddress() when there is a route to 8.8.8.8.
-TEST(PacLibraryTest, PacMyIpAddress8888) {
-  MockSocketFactory factory;
-  factory.AddUDPConnectSuccess("8.8.8.8", "192.168.1.1");
-
-  auto result = PacMyIpAddressForTest(&factory, {});
-  ASSERT_EQ(1u, result.size());
-  EXPECT_EQ("192.168.1.1", result.front().ToString());
-}
-
-// Tests myIpAddress() when there is no route to 8.8.8.8, but there is one to
-// 2001:4860:4860::8888.
-TEST(PacLibraryTest, PacMyIpAddress2001) {
-  MockSocketFactory factory;
-  factory.AddUDPConnectFailure("8.8.8.8");
-  factory.AddUDPConnectSuccess("2001:4860:4860::8888", "2001::beef");
-
-  AddressList dns_result;
-
-  auto result = PacMyIpAddressForTest(&factory, dns_result);
-  ASSERT_EQ(1u, result.size());
-  EXPECT_EQ("2001::beef", result.front().ToString());
-}
-
-// Tests myIpAddress() when there is no route to 8.8.8.8, no route to
-// 2001:4860:4860::8888, however getaddrinfo(gethostname()) finds results. Most
-// of those results are skipped over, and the IPv4 one is favored.
-TEST(PacLibraryTest, PacMyIpAddressHostname) {
-  MockSocketFactory factory;
-  factory.AddUDPConnectFailure("8.8.8.8");
-  factory.AddUDPConnectFailure("2001:4860:4860::8888");
-
-  AddressList dns_result = CreateAddressList({
-      "169.254.13.16", "127.0.0.1", "::1", "fe89::beef", "2001::f001",
-      "178.1.99.3", "192.168.1.3",
-  });
-
-  auto result = PacMyIpAddressForTest(&factory, dns_result);
-  ASSERT_EQ(1u, result.size());
-  EXPECT_EQ("178.1.99.3", result.front().ToString());
-}
-
-// Tests myIpAddress() when there is no route to 8.8.8.8, no route to
-// 2001:4860:4860::8888, however getaddrinfo(gethostname()) finds multiple IPv6
-// results.
-TEST(PacLibraryTest, PacMyIpAddressHostnameAllIPv6) {
-  MockSocketFactory factory;
-  factory.AddUDPConnectFailure("8.8.8.8");
-  factory.AddUDPConnectFailure("2001:4860:4860::8888");
-
-  AddressList dns_result =
-      CreateAddressList({"::1", "2001::f001", "2001::f00d", "169.254.0.6"});
-
-  auto result = PacMyIpAddressForTest(&factory, dns_result);
-  ASSERT_EQ(1u, result.size());
-  EXPECT_EQ("2001::f001", result.front().ToString());
-}
-
-// Tests myIpAddress() when there is no route to 8.8.8.8, no route to
-// 2001:4860:4860::8888, no acceptable result in getaddrinfo(gethostname()),
-// however there is a route for private address.
-TEST(PacLibraryTest, PacMyIpAddressPrivateIPv4) {
-  MockSocketFactory factory;
-  factory.AddUDPConnectFailure("8.8.8.8");
-  factory.AddUDPConnectFailure("2001:4860:4860::8888");
-
-  AddressList dns_result = CreateAddressList({
-      "169.254.13.16", "127.0.0.1", "::1", "fe89::beef",
-  });
-
-  factory.AddUDPConnectSuccess("10.0.0.0", "127.0.0.1");
-  factory.AddUDPConnectFailure("172.16.0.0");
-  factory.AddUDPConnectSuccess("192.168.0.0", "63.31.9.8");
-
-  auto result = PacMyIpAddressForTest(&factory, dns_result);
-  ASSERT_EQ(1u, result.size());
-  EXPECT_EQ("63.31.9.8", result.front().ToString());
-}
-
-// Tests myIpAddress() when there is no route to 8.8.8.8, no route to
-// 2001:4860:4860::8888, no acceptable result in getaddrinfo(gethostname()),
-// however there is a route for private address.
-TEST(PacLibraryTest, PacMyIpAddressPrivateIPv6) {
-  MockSocketFactory factory;
-  factory.AddUDPConnectFailure("8.8.8.8");
-  factory.AddUDPConnectFailure("2001:4860:4860::8888");
-
-  AddressList dns_result;
-
-  factory.AddUDPConnectSuccess("10.0.0.0", "127.0.0.1");
-  factory.AddUDPConnectFailure("172.16.0.0");
-  factory.AddUDPConnectFailure("192.168.0.0");
-  factory.AddUDPConnectSuccess("FC00::", "2001::7777");
-
-  auto result = PacMyIpAddressForTest(&factory, dns_result);
-  ASSERT_EQ(1u, result.size());
-  EXPECT_EQ("2001::7777", result.front().ToString());
-}
-
-// Tests myIpAddress() when there are no routes, and getaddrinfo(gethostname())
-// fails.
-TEST(PacLibraryTest, PacMyIpAddressAllFail) {
-  MockSocketFactory factory;
-  factory.AddUDPConnectFailure("8.8.8.8");
-  factory.AddUDPConnectFailure("2001:4860:4860::8888");
-
-  AddressList dns_result;
-
-  factory.AddUDPConnectFailure("10.0.0.0");
-  factory.AddUDPConnectFailure("172.16.0.0");
-  factory.AddUDPConnectFailure("192.168.0.0");
-  factory.AddUDPConnectFailure("FC00::");
-
-  auto result = PacMyIpAddressForTest(&factory, dns_result);
-  EXPECT_EQ(0u, result.size());
-}
-
-// Tests myIpAddress() when there are no routes, and
-// getaddrinfo(gethostname()) only returns loopback.
-TEST(PacLibraryTest, PacMyIpAddressAllFailOrLoopback) {
-  MockSocketFactory factory;
-  factory.AddUDPConnectFailure("8.8.8.8");
-  factory.AddUDPConnectFailure("2001:4860:4860::8888");
-
-  AddressList dns_result = CreateAddressList({"127.0.0.1", "::1"});
-
-  factory.AddUDPConnectFailure("10.0.0.0");
-  factory.AddUDPConnectFailure("172.16.0.0");
-  factory.AddUDPConnectFailure("192.168.0.0");
-  factory.AddUDPConnectFailure("FC00::");
-
-  auto result = PacMyIpAddressForTest(&factory, dns_result);
-  EXPECT_EQ(0u, result.size());
-}
-
-// Tests myIpAddress() when there is only an IPv6 link-local address.
-TEST(PacLibraryTest, PacMyIpAddressAllFailHasLinkLocal) {
-  MockSocketFactory factory;
-  factory.AddUDPConnectFailure("8.8.8.8");
-  factory.AddUDPConnectFailure("2001:4860:4860::8888");
-
-  AddressList dns_result =
-      CreateAddressList({"127.0.0.1", "::1", "fe81::8881"});
-
-  factory.AddUDPConnectFailure("10.0.0.0");
-  factory.AddUDPConnectFailure("172.16.0.0");
-  factory.AddUDPConnectFailure("192.168.0.0");
-  factory.AddUDPConnectFailure("FC00::");
-
-  auto result = PacMyIpAddressForTest(&factory, dns_result);
-  ASSERT_EQ(1u, result.size());
-  EXPECT_EQ("fe81::8881", result.front().ToString());
-}
-
-// Tests myIpAddress() when there are only link-local addresses. The IPv4
-// link-local address is favored.
-TEST(PacLibraryTest, PacMyIpAddressAllFailHasLinkLocalFavorIPv4) {
-  MockSocketFactory factory;
-  factory.AddUDPConnectFailure("8.8.8.8");
-  factory.AddUDPConnectFailure("2001:4860:4860::8888");
-
-  AddressList dns_result =
-      CreateAddressList({"127.0.0.1", "::1", "fe81::8881", "169.254.89.133"});
-
-  factory.AddUDPConnectFailure("10.0.0.0");
-  factory.AddUDPConnectFailure("172.16.0.0");
-  factory.AddUDPConnectFailure("192.168.0.0");
-  factory.AddUDPConnectFailure("FC00::");
-
-  auto result = PacMyIpAddressForTest(&factory, dns_result);
-  ASSERT_EQ(1u, result.size());
-  EXPECT_EQ("169.254.89.133", result.front().ToString());
-}
-
-// Tests myIpAddressEx() when there is a route to 8.8.8.8 but not one to
-// 2001:4860:4860::8888
-TEST(PacLibraryTest, PacMyIpAddressEx8888) {
-  MockSocketFactory factory;
-  factory.AddUDPConnectSuccess("8.8.8.8", "192.168.1.1");
-  factory.AddUDPConnectFailure("2001:4860:4860::8888");
-
-  auto result = PacMyIpAddressExForTest(&factory, {});
-  ASSERT_EQ(1u, result.size());
-  EXPECT_EQ("192.168.1.1", result.front().ToString());
-}
-
-// Tests myIpAddressEx() when there is a route to 2001:4860:4860::8888 but
-// not 8.8.8.8.
-TEST(PacLibraryTest, PacMyIpAddressEx2001) {
-  MockSocketFactory factory;
-  factory.AddUDPConnectFailure("8.8.8.8");
-  factory.AddUDPConnectSuccess("2001:4860:4860::8888", "2001::3333");
-
-  AddressList dns_result;
-
-  auto result = PacMyIpAddressExForTest(&factory, dns_result);
-  ASSERT_EQ(1u, result.size());
-  EXPECT_EQ("2001::3333", result.front().ToString());
-}
-
-// Tests myIpAddressEx() when there is a route to both 8.8.8.8 and
-// 2001:4860:4860::8888.
-TEST(PacLibraryTest, PacMyIpAddressEx8888And2001) {
-  MockSocketFactory factory;
-  factory.AddUDPConnectSuccess("8.8.8.8", "192.168.17.8");
-  factory.AddUDPConnectSuccess("2001:4860:4860::8888", "2001::8333");
-
-  AddressList dns_result;
-
-  auto result = PacMyIpAddressExForTest(&factory, dns_result);
-  ASSERT_EQ(2u, result.size());
-  EXPECT_EQ("192.168.17.8", result.front().ToString());
-  EXPECT_EQ("2001::8333", result.back().ToString());
-}
-
-// Tests myIpAddressEx() when there is no route to 8.8.8.8, no route to
-// 2001:4860:4860::8888, however getaddrinfo(gethostname()) finds results. Some
-// of those results are skipped due to being link-local and loopback.
-TEST(PacLibraryTest, PacMyIpAddressExHostname) {
-  MockSocketFactory factory;
-  factory.AddUDPConnectFailure("8.8.8.8");
-  factory.AddUDPConnectFailure("2001:4860:4860::8888");
-
-  AddressList dns_result = CreateAddressList({
-      "169.254.13.16", "::1", "fe89::beef", "2001::bebe", "178.1.99.3",
-      "127.0.0.1", "192.168.1.3",
-  });
-
-  auto result = PacMyIpAddressExForTest(&factory, dns_result);
-  ASSERT_EQ(3u, result.size());
-  EXPECT_EQ("2001::bebe", result[0].ToString());
-  EXPECT_EQ("178.1.99.3", result[1].ToString());
-  EXPECT_EQ("192.168.1.3", result[2].ToString());
-}
-
-// Tests myIpAddressEx() when routes are found for private IP space.
-TEST(PacLibraryTest, PacMyIpAddressExPrivateDuplicates) {
-  MockSocketFactory factory;
-  factory.AddUDPConnectFailure("8.8.8.8");
-  factory.AddUDPConnectFailure("2001:4860:4860::8888");
-
-  AddressList dns_result;
-
-  factory.AddUDPConnectSuccess("10.0.0.0", "192.168.3.3");
-  factory.AddUDPConnectSuccess("172.16.0.0", "192.168.3.4");
-  factory.AddUDPConnectSuccess("192.168.0.0", "192.168.3.3");
-  factory.AddUDPConnectSuccess("FC00::", "2001::beef");
-
-  auto result = PacMyIpAddressExForTest(&factory, dns_result);
-
-  // Note that 192.168.3.3. was probed twice, but only added once to the final
-  // result.
-  ASSERT_EQ(3u, result.size());
-  EXPECT_EQ("192.168.3.3", result[0].ToString());
-  EXPECT_EQ("192.168.3.4", result[1].ToString());
-  EXPECT_EQ("2001::beef", result[2].ToString());
-}
-
-// Tests myIpAddressEx() when there are no routes, and
-// getaddrinfo(gethostname()) fails.
-TEST(PacLibraryTest, PacMyIpAddressExAllFail) {
-  MockSocketFactory factory;
-  factory.AddUDPConnectFailure("8.8.8.8");
-  factory.AddUDPConnectFailure("2001:4860:4860::8888");
-
-  AddressList dns_result;
-
-  factory.AddUDPConnectFailure("10.0.0.0");
-  factory.AddUDPConnectFailure("172.16.0.0");
-  factory.AddUDPConnectFailure("192.168.0.0");
-  factory.AddUDPConnectFailure("FC00::");
-
-  auto result = PacMyIpAddressExForTest(&factory, dns_result);
-  EXPECT_EQ(0u, result.size());
-}
-
-// Tests myIpAddressEx() when there are only IPv6 link-local address.
-TEST(PacLibraryTest, PacMyIpAddressExAllFailHasLinkLocal) {
-  MockSocketFactory factory;
-  factory.AddUDPConnectFailure("8.8.8.8");
-  factory.AddUDPConnectFailure("2001:4860:4860::8888");
-
-  AddressList dns_result =
-      CreateAddressList({"127.0.0.1", "::1", "fe81::8881", "fe80::8899"});
-
-  factory.AddUDPConnectFailure("10.0.0.0");
-  factory.AddUDPConnectFailure("172.16.0.0");
-  factory.AddUDPConnectFailure("192.168.0.0");
-  factory.AddUDPConnectSuccess("FC00::", "fe80::1");
-
-  auto result = PacMyIpAddressExForTest(&factory, dns_result);
-  // There were four link-local addresses found, but only the first one is
-  // returned.
-  ASSERT_EQ(1u, result.size());
-  EXPECT_EQ("fe81::8881", result.front().ToString());
-}
-
-// Tests myIpAddressEx() when there are only link-local addresses. The IPv4
-// link-local address is favored.
-TEST(PacLibraryTest, PacMyIpAddressExAllFailHasLinkLocalFavorIPv4) {
-  MockSocketFactory factory;
-  factory.AddUDPConnectFailure("8.8.8.8");
-  factory.AddUDPConnectFailure("2001:4860:4860::8888");
-
-  AddressList dns_result =
-      CreateAddressList({"127.0.0.1", "::1", "fe81::8881", "169.254.89.133"});
-
-  factory.AddUDPConnectFailure("10.0.0.0");
-  factory.AddUDPConnectFailure("172.16.0.0");
-  factory.AddUDPConnectFailure("192.168.0.0");
-  factory.AddUDPConnectFailure("FC00::");
-
-  auto result = PacMyIpAddressExForTest(&factory, dns_result);
-  ASSERT_EQ(1u, result.size());
-  EXPECT_EQ("169.254.89.133", result.front().ToString());
-}
-
-// Tests myIpAddressEx() when there are no routes, and
-// getaddrinfo(gethostname()) only returns loopback.
-TEST(PacLibraryTest, PacMyIpAddressExAllFailOrLoopback) {
-  MockSocketFactory factory;
-  factory.AddUDPConnectFailure("8.8.8.8");
-  factory.AddUDPConnectFailure("2001:4860:4860::8888");
-
-  AddressList dns_result = CreateAddressList({"127.0.0.1", "::1"});
-
-  factory.AddUDPConnectFailure("10.0.0.0");
-  factory.AddUDPConnectFailure("172.16.0.0");
-  factory.AddUDPConnectFailure("192.168.0.0");
-  factory.AddUDPConnectFailure("FC00::");
-
-  auto result = PacMyIpAddressExForTest(&factory, dns_result);
-  EXPECT_EQ(0u, result.size());
-}
-
-}  // namespace
-}  // namespace net
diff --git a/chromium/net/proxy_resolution/proxy_config_unittest.cc b/chromium/net/proxy_resolution/proxy_config_unittest.cc
index ad0029f7d00..cffcfa14695 100644
--- a/chromium/net/proxy_resolution/proxy_config_unittest.cc
+++ b/chromium/net/proxy_resolution/proxy_config_unittest.cc
@@ -207,7 +207,7 @@ ProxyConfigToValueTestCase GetTestCaseSingleProxyList() {
 }
 
 INSTANTIATE_TEST_SUITE_P(
-    ,
+    All,
     ProxyConfigToValueTest,
     testing::Values(GetTestCaseDirect(),
                     GetTestCaseAutoDetect(),
diff --git a/chromium/net/proxy_resolution/proxy_host_resolver.h b/chromium/net/proxy_resolution/proxy_host_resolver.h
deleted file mode 100644
index 085a197933d..00000000000
--- a/chromium/net/proxy_resolution/proxy_host_resolver.h
+++ /dev/null
@@ -1,38 +0,0 @@
-// Copyright 2019 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef NET_PROXY_RESOLUTION_PROXY_HOST_RESOLVER_H_
-#define NET_PROXY_RESOLUTION_PROXY_HOST_RESOLVER_H_
-
-#include <memory>
-#include <string>
-#include <vector>
-
-#include "net/base/completion_once_callback.h"
-#include "net/base/ip_address.h"
-#include "net/proxy_resolution/proxy_resolve_dns_operation.h"
-
-namespace net {
-
-// Interface for a limited (compared to the standard HostResolver) host resolver
-// used just for proxy resolution.
-class NET_EXPORT ProxyHostResolver {
- public:
-  virtual ~ProxyHostResolver() {}
-
-  class Request {
-   public:
-    virtual ~Request() {}
-    virtual int Start(CompletionOnceCallback callback) = 0;
-    virtual const std::vector<IPAddress>& GetResults() const = 0;
-  };
-
-  virtual std::unique_ptr<Request> CreateRequest(
-      const std::string& hostname,
-      ProxyResolveDnsOperation operation) = 0;
-};
-
-}  // namespace net
-
-#endif  // NET_PROXY_RESOLUTION_PROXY_HOST_RESOLVER_H_
diff --git a/chromium/net/proxy_resolution/proxy_resolution_service.cc b/chromium/net/proxy_resolution/proxy_resolution_service.cc
index 3c92a4b6aab..b960c662daf 100644
--- a/chromium/net/proxy_resolution/proxy_resolution_service.cc
+++ b/chromium/net/proxy_resolution/proxy_resolution_service.cc
@@ -23,6 +23,7 @@
 #include "base/values.h"
 #include "build/build_config.h"
 #include "net/base/net_errors.h"
+#include "net/base/network_isolation_key.h"
 #include "net/base/proxy_delegate.h"
 #include "net/base/url_util.h"
 #include "net/log/net_log.h"
@@ -217,13 +218,13 @@ class ProxyResolverNull : public ProxyResolver {
 
   // ProxyResolver implementation.
   int GetProxyForURL(const GURL& url,
+                     const NetworkIsolationKey& network_isolation_key,
                      ProxyInfo* results,
                      CompletionOnceCallback callback,
                      std::unique_ptr<Request>* request,
                      const NetLogWithSource& net_log) override {
     return ERR_NOT_IMPLEMENTED;
   }
-
 };
 
 // ProxyResolver that simulates a PAC script which returns
@@ -234,6 +235,7 @@ class ProxyResolverFromPacString : public ProxyResolver {
       : pac_string_(pac_string) {}
 
   int GetProxyForURL(const GURL& url,
+                     const NetworkIsolationKey& network_isolation_key,
                      ProxyInfo* results,
                      CompletionOnceCallback callback,
                      std::unique_ptr<Request>* request,
@@ -843,6 +845,7 @@ class ProxyResolutionService::RequestImpl
   RequestImpl(ProxyResolutionService* service,
               const GURL& url,
               const std::string& method,
+              const NetworkIsolationKey& network_isolation_key,
               ProxyInfo* results,
               const CompletionOnceCallback user_callback,
               const NetLogWithSource& net_log);
@@ -889,8 +892,9 @@ class ProxyResolutionService::RequestImpl
   ProxyResolutionService* service_;
   CompletionOnceCallback user_callback_;
   ProxyInfo* results_;
-  GURL url_;
-  std::string method_;
+  const GURL url_;
+  const std::string method_;
+  const NetworkIsolationKey network_isolation_key_;
   std::unique_ptr<ProxyResolver::Request> resolve_job_;
   MutableNetworkTrafficAnnotationTag traffic_annotation_;
   NetLogWithSource net_log_;
@@ -905,6 +909,7 @@ ProxyResolutionService::RequestImpl::RequestImpl(
     ProxyResolutionService* service,
     const GURL& url,
     const std::string& method,
+    const NetworkIsolationKey& network_isolation_key,
     ProxyInfo* results,
     CompletionOnceCallback user_callback,
     const NetLogWithSource& net_log)
@@ -913,6 +918,7 @@ ProxyResolutionService::RequestImpl::RequestImpl(
       results_(results),
       url_(url),
       method_(method),
+      network_isolation_key_(network_isolation_key),
       resolve_job_(nullptr),
       net_log_(net_log),
       creation_time_(base::TimeTicks::Now()) {
@@ -946,7 +952,7 @@ int ProxyResolutionService::RequestImpl::Start() {
     return OK;
 
   return resolver()->GetProxyForURL(
-      url_, results_,
+      url_, network_isolation_key_, results_,
       base::BindOnce(&ProxyResolutionService::RequestImpl::QueryComplete,
                      base::Unretained(this)),
       &resolve_job_, net_log_);
@@ -1136,12 +1142,14 @@ ProxyResolutionService::CreateFixedFromAutoDetectedPacResult(
       std::make_unique<ProxyResolverFactoryForPacResult>(pac_string), nullptr);
 }
 
-int ProxyResolutionService::ResolveProxy(const GURL& raw_url,
-                                         const std::string& method,
-                                         ProxyInfo* result,
-                                         CompletionOnceCallback callback,
-                                         std::unique_ptr<Request>* out_request,
-                                         const NetLogWithSource& net_log) {
+int ProxyResolutionService::ResolveProxy(
+    const GURL& raw_url,
+    const std::string& method,
+    const NetworkIsolationKey& network_isolation_key,
+    ProxyInfo* result,
+    CompletionOnceCallback callback,
+    std::unique_ptr<Request>* out_request,
+    const NetLogWithSource& net_log) {
   DCHECK_CALLED_ON_VALID_THREAD(thread_checker_);
   DCHECK(!callback.is_null());
   DCHECK(out_request);
@@ -1171,8 +1179,9 @@ int ProxyResolutionService::ResolveProxy(const GURL& raw_url,
     return rv;
   }
 
-  std::unique_ptr<RequestImpl> req = std::make_unique<RequestImpl>(
-      this, url, method, result, std::move(callback), net_log);
+  std::unique_ptr<RequestImpl> req =
+      std::make_unique<RequestImpl>(this, url, method, network_isolation_key,
+                                    result, std::move(callback), net_log);
 
   if (current_state_ == STATE_READY) {
     // Start the resolve request.
diff --git a/chromium/net/proxy_resolution/proxy_resolution_service.h b/chromium/net/proxy_resolution/proxy_resolution_service.h
index 4af3df269d4..8585a0a8ece 100644
--- a/chromium/net/proxy_resolution/proxy_resolution_service.h
+++ b/chromium/net/proxy_resolution/proxy_resolution_service.h
@@ -140,6 +140,7 @@ class NET_EXPORT ProxyResolutionService
   // Profiling information for the request is saved to |net_log| if non-NULL.
   int ResolveProxy(const GURL& url,
                    const std::string& method,
+                   const NetworkIsolationKey& network_isolation_key,
                    ProxyInfo* results,
                    CompletionOnceCallback callback,
                    std::unique_ptr<Request>* request,
diff --git a/chromium/net/proxy_resolution/proxy_resolution_service_unittest.cc b/chromium/net/proxy_resolution/proxy_resolution_service_unittest.cc
index f7820bb6ecd..4cfa4c73f9d 100644
--- a/chromium/net/proxy_resolution/proxy_resolution_service_unittest.cc
+++ b/chromium/net/proxy_resolution/proxy_resolution_service_unittest.cc
@@ -18,6 +18,7 @@
 #include "base/strings/utf_string_conversions.h"
 #include "base/test/metrics/histogram_tester.h"
 #include "net/base/net_errors.h"
+#include "net/base/network_isolation_key.h"
 #include "net/base/proxy_delegate.h"
 #include "net/base/proxy_server.h"
 #include "net/base/test_completion_callback.h"
@@ -396,10 +397,11 @@ TEST_F(ProxyResolutionServiceTest, Direct) {
 
   ProxyInfo info;
   TestCompletionCallback callback;
-  BoundTestNetLog log;
+  RecordingBoundTestNetLog log;
   std::unique_ptr<ProxyResolutionService::Request> request;
-  int rv = service.ResolveProxy(url, std::string(), &info, callback.callback(),
-                                &request, log.bound());
+  int rv =
+      service.ResolveProxy(url, std::string(), NetworkIsolationKey(), &info,
+                           callback.callback(), &request, log.bound());
   EXPECT_THAT(rv, IsOk());
   EXPECT_TRUE(factory->pending_requests().empty());
 
@@ -434,13 +436,14 @@ TEST_F(ProxyResolutionServiceTest, OnResolveProxyCallbackAddProxy) {
 
   ProxyInfo info;
   TestCompletionCallback callback;
-  BoundTestNetLog log;
+  RecordingBoundTestNetLog log;
 
   // First, warm up the ProxyResolutionService and fake an error to mark the
   // first server as bad.
   std::unique_ptr<ProxyResolutionService::Request> request;
-  int rv = service.ResolveProxy(url, std::string(), &info, callback.callback(),
-                                &request, log.bound());
+  int rv =
+      service.ResolveProxy(url, std::string(), NetworkIsolationKey(), &info,
+                           callback.callback(), &request, log.bound());
   EXPECT_THAT(rv, IsOk());
   EXPECT_EQ("badproxy:8080", info.proxy_server().ToURI());
 
@@ -452,8 +455,8 @@ TEST_F(ProxyResolutionServiceTest, OnResolveProxyCallbackAddProxy) {
   // Verify that network delegate is invoked.
   TestResolveProxyDelegate delegate;
   service.SetProxyDelegate(&delegate);
-  rv = service.ResolveProxy(url, "GET", &info, callback.callback(), &request,
-                            log.bound());
+  rv = service.ResolveProxy(url, "GET", NetworkIsolationKey(), &info,
+                            callback.callback(), &request, log.bound());
   EXPECT_EQ(1, delegate.num_resolve_proxy_called());
   EXPECT_THAT(delegate.proxy_retry_info(), ElementsAre(Key("badproxy:8080")));
   EXPECT_EQ(delegate.method(), "GET");
@@ -464,21 +467,21 @@ TEST_F(ProxyResolutionServiceTest, OnResolveProxyCallbackAddProxy) {
   delegate.set_add_proxy(true);
 
   // Callback should interpose:
-  rv = service.ResolveProxy(url, "GET", &info, callback.callback(), &request,
-                            log.bound());
+  rv = service.ResolveProxy(url, "GET", NetworkIsolationKey(), &info,
+                            callback.callback(), &request, log.bound());
   EXPECT_FALSE(info.is_direct());
   EXPECT_EQ(info.proxy_server().host_port_pair().host(), "delegate_proxy.com");
   delegate.set_add_proxy(false);
 
   // Check non-bypassed URL:
-  rv = service.ResolveProxy(url, "GET", &info, callback.callback(), &request,
-                            log.bound());
+  rv = service.ResolveProxy(url, "GET", NetworkIsolationKey(), &info,
+                            callback.callback(), &request, log.bound());
   EXPECT_FALSE(info.is_direct());
   EXPECT_EQ(info.proxy_server().host_port_pair().host(), "foopy1");
 
   // Check bypassed URL:
-  rv = service.ResolveProxy(bypass_url, "GET", &info, callback.callback(),
-                            &request, log.bound());
+  rv = service.ResolveProxy(bypass_url, "GET", NetworkIsolationKey(), &info,
+                            callback.callback(), &request, log.bound());
   EXPECT_TRUE(info.is_direct());
 }
 
@@ -499,12 +502,13 @@ TEST_F(ProxyResolutionServiceTest, OnResolveProxyCallbackRemoveProxy) {
 
   ProxyInfo info;
   TestCompletionCallback callback;
-  BoundTestNetLog log;
+  RecordingBoundTestNetLog log;
 
   // First, warm up the ProxyResolutionService.
   std::unique_ptr<ProxyResolutionService::Request> request;
-  int rv = service.ResolveProxy(url, std::string(), &info, callback.callback(),
-                                &request, log.bound());
+  int rv =
+      service.ResolveProxy(url, std::string(), NetworkIsolationKey(), &info,
+                           callback.callback(), &request, log.bound());
   EXPECT_THAT(rv, IsOk());
 
   TestResolveProxyDelegate delegate;
@@ -512,20 +516,20 @@ TEST_F(ProxyResolutionServiceTest, OnResolveProxyCallbackRemoveProxy) {
   delegate.set_remove_proxy(true);
 
   // Callback should interpose:
-  rv = service.ResolveProxy(url, "GET", &info, callback.callback(), &request,
-                            log.bound());
+  rv = service.ResolveProxy(url, "GET", NetworkIsolationKey(), &info,
+                            callback.callback(), &request, log.bound());
   EXPECT_TRUE(info.is_direct());
   delegate.set_remove_proxy(false);
 
   // Check non-bypassed URL:
-  rv = service.ResolveProxy(url, "GET", &info, callback.callback(), &request,
-                            log.bound());
+  rv = service.ResolveProxy(url, "GET", NetworkIsolationKey(), &info,
+                            callback.callback(), &request, log.bound());
   EXPECT_FALSE(info.is_direct());
   EXPECT_EQ(info.proxy_server().host_port_pair().host(), "foopy1");
 
   // Check bypassed URL:
-  rv = service.ResolveProxy(bypass_url, "GET", &info, callback.callback(),
-                            &request, log.bound());
+  rv = service.ResolveProxy(bypass_url, "GET", NetworkIsolationKey(), &info,
+                            callback.callback(), &request, log.bound());
   EXPECT_TRUE(info.is_direct());
 }
 
@@ -584,12 +588,14 @@ TEST_F(ProxyResolutionServiceTest, CallbackDeletesRequest) {
   net::CompletionOnceCallback callback2 =
       base::BindOnce([](int result) { ASSERT_FALSE(true); });
 
-  int rv = service->ResolveProxy(url, std::string(), &info, callback.callback(),
-                                 &request, NetLogWithSource());
+  int rv =
+      service->ResolveProxy(url, std::string(), NetworkIsolationKey(), &info,
+                            callback.callback(), &request, NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
-  rv = service->ResolveProxy(url2, std::string(), &info, std::move(callback2),
-                             &request2, NetLogWithSource());
+  rv = service->ResolveProxy(url2, std::string(), NetworkIsolationKey(), &info,
+                             std::move(callback2), &request2,
+                             NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
   // Run pending requests.
@@ -645,12 +651,14 @@ TEST_F(ProxyResolutionServiceTest, CallbackDeletesRequestDuringDestructor) {
   DeletingCallback<ProxyResolutionService::Request> callback(&request2),
       callback2(&request);
 
-  int rv = service->ResolveProxy(url, std::string(), &info, callback.callback(),
-                                 &request, NetLogWithSource());
+  int rv =
+      service->ResolveProxy(url, std::string(), NetworkIsolationKey(), &info,
+                            callback.callback(), &request, NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
-  rv = service->ResolveProxy(url, std::string(), &info, callback2.callback(),
-                             &request2, NetLogWithSource());
+  rv = service->ResolveProxy(url, std::string(), NetworkIsolationKey(), &info,
+                             callback2.callback(), &request2,
+                             NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
   // Make sure that ProxyResolutionServices is deleted before the requests, as
@@ -691,22 +699,24 @@ TEST_F(ProxyResolutionServiceTest, CallbackDeletesSelf) {
 
   std::unique_ptr<ProxyResolutionService::Request> request1;
   TestCompletionCallback callback1;
-  int rv =
-      service->ResolveProxy(url, std::string(), &info, callback1.callback(),
-                            &request1, NetLogWithSource());
+  int rv = service->ResolveProxy(url, std::string(), NetworkIsolationKey(),
+                                 &info, callback1.callback(), &request1,
+                                 NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
   GURL url2("http://www.example.com/");
   std::unique_ptr<ProxyResolutionService::Request> request2;
   DeletingCallback<ProxyResolutionService::Request> callback2(&request2);
-  rv = service->ResolveProxy(url2, std::string(), &info, callback2.callback(),
-                             &request2, NetLogWithSource());
+  rv = service->ResolveProxy(url2, std::string(), NetworkIsolationKey(), &info,
+                             callback2.callback(), &request2,
+                             NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
   std::unique_ptr<ProxyResolutionService::Request> request3;
   TestCompletionCallback callback3;
-  rv = service->ResolveProxy(url, std::string(), &info, callback3.callback(),
-                             &request3, NetLogWithSource());
+  rv = service->ResolveProxy(url, std::string(), NetworkIsolationKey(), &info,
+                             callback3.callback(), &request3,
+                             NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
   ASSERT_EQ(1u, factory->pending_requests().size());
@@ -756,21 +766,23 @@ TEST_F(ProxyResolutionServiceTest, CallbackDeletesSelfDuringDestructor) {
 
   std::unique_ptr<ProxyResolutionService::Request> request1;
   TestCompletionCallback callback1;
-  int rv =
-      service->ResolveProxy(url, std::string(), &info, callback1.callback(),
-                            &request1, NetLogWithSource());
+  int rv = service->ResolveProxy(url, std::string(), NetworkIsolationKey(),
+                                 &info, callback1.callback(), &request1,
+                                 NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
   std::unique_ptr<ProxyResolutionService::Request> request2;
   DeletingCallback<ProxyResolutionService::Request> callback2(&request2);
-  rv = service->ResolveProxy(url, std::string(), &info, callback2.callback(),
-                             &request2, NetLogWithSource());
+  rv = service->ResolveProxy(url, std::string(), NetworkIsolationKey(), &info,
+                             callback2.callback(), &request2,
+                             NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
   std::unique_ptr<ProxyResolutionService::Request> request3;
   TestCompletionCallback callback3;
-  rv = service->ResolveProxy(url, std::string(), &info, callback3.callback(),
-                             &request3, NetLogWithSource());
+  rv = service->ResolveProxy(url, std::string(), NetworkIsolationKey(), &info,
+                             callback3.callback(), &request3,
+                             NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
   service.reset();
@@ -796,14 +808,14 @@ TEST_F(ProxyResolutionServiceTest, ProxyServiceDeletedBeforeRequest) {
   ProxyInfo info;
   TestCompletionCallback callback;
   std::unique_ptr<ProxyResolutionService::Request> request;
-  BoundTestNetLog log;
+  RecordingBoundTestNetLog log;
 
   int rv;
   {
     ProxyResolutionService service(base::WrapUnique(config_service),
                                    base::WrapUnique(factory), nullptr);
-    rv = service.ResolveProxy(url, std::string(), &info, callback.callback(),
-                              &request, log.bound());
+    rv = service.ResolveProxy(url, std::string(), NetworkIsolationKey(), &info,
+                              callback.callback(), &request, log.bound());
     EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
     EXPECT_EQ(LOAD_STATE_RESOLVING_PROXY_FOR_URL, request->GetLoadState());
@@ -840,22 +852,25 @@ TEST_F(ProxyResolutionServiceTest, CallbackDeletesService) {
 
   DeletingCallback<ProxyResolutionService> callback(&service);
   std::unique_ptr<ProxyResolutionService::Request> request1;
-  int rv = service->ResolveProxy(url, std::string(), &info, callback.callback(),
-                                 &request1, NetLogWithSource());
+  int rv =
+      service->ResolveProxy(url, std::string(), NetworkIsolationKey(), &info,
+                            callback.callback(), &request1, NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
   EXPECT_EQ(LOAD_STATE_RESOLVING_PROXY_FOR_URL, request1->GetLoadState());
 
   TestCompletionCallback callback2;
   std::unique_ptr<ProxyResolutionService::Request> request2;
-  rv = service->ResolveProxy(url, std::string(), &info, callback2.callback(),
-                             &request2, NetLogWithSource());
+  rv = service->ResolveProxy(url, std::string(), NetworkIsolationKey(), &info,
+                             callback2.callback(), &request2,
+                             NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
   TestCompletionCallback callback3;
   std::unique_ptr<ProxyResolutionService::Request> request3;
-  rv = service->ResolveProxy(url, std::string(), &info, callback3.callback(),
-                             &request3, NetLogWithSource());
+  rv = service->ResolveProxy(url, std::string(), NetworkIsolationKey(), &info,
+                             callback3.callback(), &request3,
+                             NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
   config_service->SetConfig(ProxyConfigWithAnnotation(
@@ -883,10 +898,11 @@ TEST_F(ProxyResolutionServiceTest, PAC) {
   ProxyInfo info;
   TestCompletionCallback callback;
   std::unique_ptr<ProxyResolutionService::Request> request;
-  BoundTestNetLog log;
+  RecordingBoundTestNetLog log;
 
-  int rv = service.ResolveProxy(url, std::string(), &info, callback.callback(),
-                                &request, log.bound());
+  int rv =
+      service.ResolveProxy(url, std::string(), NetworkIsolationKey(), &info,
+                           callback.callback(), &request, log.bound());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
   EXPECT_EQ(LOAD_STATE_RESOLVING_PROXY_FOR_URL, request->GetLoadState());
@@ -946,8 +962,9 @@ TEST_F(ProxyResolutionServiceTest, PAC_NoIdentityOrHash) {
   ProxyInfo info;
   TestCompletionCallback callback;
   std::unique_ptr<ProxyResolutionService::Request> request;
-  int rv = service.ResolveProxy(url, std::string(), &info, callback.callback(),
-                                &request, NetLogWithSource());
+  int rv =
+      service.ResolveProxy(url, std::string(), NetworkIsolationKey(), &info,
+                           callback.callback(), &request, NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
   EXPECT_EQ(GURL("http://foopy/proxy.pac"),
@@ -978,8 +995,9 @@ TEST_F(ProxyResolutionServiceTest, PAC_FailoverWithoutDirect) {
   ProxyInfo info;
   TestCompletionCallback callback1;
   std::unique_ptr<ProxyResolutionService::Request> request1;
-  int rv = service.ResolveProxy(url, std::string(), &info, callback1.callback(),
-                                &request1, NetLogWithSource());
+  int rv =
+      service.ResolveProxy(url, std::string(), NetworkIsolationKey(), &info,
+                           callback1.callback(), &request1, NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
   EXPECT_EQ(GURL("http://foopy/proxy.pac"),
@@ -1026,8 +1044,9 @@ TEST_F(ProxyResolutionServiceTest, PAC_RuntimeError) {
   ProxyInfo info;
   TestCompletionCallback callback1;
   std::unique_ptr<ProxyResolutionService::Request> request1;
-  int rv = service.ResolveProxy(url, std::string(), &info, callback1.callback(),
-                                &request1, NetLogWithSource());
+  int rv =
+      service.ResolveProxy(url, std::string(), NetworkIsolationKey(), &info,
+                           callback1.callback(), &request1, NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
   EXPECT_EQ(GURL("http://foopy/proxy.pac"),
@@ -1084,8 +1103,9 @@ TEST_F(ProxyResolutionServiceTest, PAC_FailoverAfterDirect) {
   ProxyInfo info;
   TestCompletionCallback callback1;
   std::unique_ptr<ProxyResolutionService::Request> request1;
-  int rv = service.ResolveProxy(url, std::string(), &info, callback1.callback(),
-                                &request1, NetLogWithSource());
+  int rv =
+      service.ResolveProxy(url, std::string(), NetworkIsolationKey(), &info,
+                           callback1.callback(), &request1, NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
   EXPECT_EQ(GURL("http://foopy/proxy.pac"),
@@ -1140,8 +1160,9 @@ TEST_F(ProxyResolutionServiceTest, PAC_ConfigSourcePropagates) {
   ProxyInfo info;
   TestCompletionCallback callback;
   std::unique_ptr<ProxyResolutionService::Request> request;
-  int rv = service.ResolveProxy(url, std::string(), &info, callback.callback(),
-                                &request, NetLogWithSource());
+  int rv =
+      service.ResolveProxy(url, std::string(), NetworkIsolationKey(), &info,
+                           callback.callback(), &request, NetLogWithSource());
   ASSERT_THAT(rv, IsError(ERR_IO_PENDING));
   factory->pending_requests()[0]->CompleteNowWithForwarder(OK, &resolver);
   ASSERT_EQ(1u, resolver.pending_jobs().size());
@@ -1180,8 +1201,9 @@ TEST_F(ProxyResolutionServiceTest, ProxyResolverFails) {
   ProxyInfo info;
   TestCompletionCallback callback1;
   std::unique_ptr<ProxyResolutionService::Request> request;
-  int rv = service.ResolveProxy(url, std::string(), &info, callback1.callback(),
-                                &request, NetLogWithSource());
+  int rv =
+      service.ResolveProxy(url, std::string(), NetworkIsolationKey(), &info,
+                           callback1.callback(), &request, NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
   EXPECT_EQ(GURL("http://foopy/proxy.pac"),
@@ -1207,8 +1229,8 @@ TEST_F(ProxyResolutionServiceTest, ProxyResolverFails) {
   // The second resolve request will try to run through the proxy resolver,
   // regardless of whether the first request failed in it.
   TestCompletionCallback callback2;
-  rv = service.ResolveProxy(url, std::string(), &info, callback2.callback(),
-                            &request, NetLogWithSource());
+  rv = service.ResolveProxy(url, std::string(), NetworkIsolationKey(), &info,
+                            callback2.callback(), &request, NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
   ASSERT_EQ(1u, resolver.pending_jobs().size());
@@ -1243,8 +1265,9 @@ TEST_F(ProxyResolutionServiceTest, ProxyResolverTerminatedDuringRequest) {
   ProxyInfo info;
   TestCompletionCallback callback1;
   std::unique_ptr<ProxyResolutionService::Request> request;
-  int rv = service.ResolveProxy(url, std::string(), &info, callback1.callback(),
-                                &request, NetLogWithSource());
+  int rv =
+      service.ResolveProxy(url, std::string(), NetworkIsolationKey(), &info,
+                           callback1.callback(), &request, NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
   ASSERT_EQ(1u, factory->pending_requests().size());
@@ -1273,8 +1296,8 @@ TEST_F(ProxyResolutionServiceTest, ProxyResolverTerminatedDuringRequest) {
   EXPECT_TRUE(factory->pending_requests().empty());
 
   TestCompletionCallback callback2;
-  rv = service.ResolveProxy(url, std::string(), &info, callback2.callback(),
-                            &request, NetLogWithSource());
+  rv = service.ResolveProxy(url, std::string(), NetworkIsolationKey(), &info,
+                            callback2.callback(), &request, NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
   ASSERT_EQ(1u, factory->pending_requests().size());
@@ -1316,12 +1339,13 @@ TEST_F(ProxyResolutionServiceTest,
   TestCompletionCallback callback1;
   std::unique_ptr<ProxyResolutionService::Request> request1, request2;
   int rv =
-      service.ResolveProxy(url1, std::string(), &info, callback1.callback(),
-                           &request1, NetLogWithSource());
+      service.ResolveProxy(url1, std::string(), NetworkIsolationKey(), &info,
+                           callback1.callback(), &request1, NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
   TestCompletionCallback callback2;
-  rv = service.ResolveProxy(url2, std::string(), &info, callback2.callback(),
-                            &request2, NetLogWithSource());
+  rv =
+      service.ResolveProxy(url2, std::string(), NetworkIsolationKey(), &info,
+                           callback2.callback(), &request2, NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
   ASSERT_EQ(1u, factory->pending_requests().size());
@@ -1386,8 +1410,9 @@ TEST_F(ProxyResolutionServiceTest, PacFileFetcherFailsDownloadingMandatoryPac) {
   ProxyInfo info;
   TestCompletionCallback callback1;
   std::unique_ptr<ProxyResolutionService::Request> request;
-  int rv = service.ResolveProxy(url, std::string(), &info, callback1.callback(),
-                                &request, NetLogWithSource());
+  int rv =
+      service.ResolveProxy(url, std::string(), NetworkIsolationKey(), &info,
+                           callback1.callback(), &request, NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
   EXPECT_EQ(GURL("http://foopy/proxy.pac"),
@@ -1406,8 +1431,8 @@ TEST_F(ProxyResolutionServiceTest, PacFileFetcherFailsDownloadingMandatoryPac) {
   // mandatory PAC script, ProxyResolutionService must not implicitly fall-back
   // to DIRECT.
   TestCompletionCallback callback2;
-  rv = service.ResolveProxy(url, std::string(), &info, callback2.callback(),
-                            &request, NetLogWithSource());
+  rv = service.ResolveProxy(url, std::string(), NetworkIsolationKey(), &info,
+                            callback2.callback(), &request, NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_MANDATORY_PROXY_CONFIGURATION_FAILED));
   EXPECT_FALSE(info.is_direct());
 }
@@ -1439,8 +1464,9 @@ TEST_F(ProxyResolutionServiceTest,
   ProxyInfo info;
   TestCompletionCallback callback;
   std::unique_ptr<ProxyResolutionService::Request> request;
-  int rv = service.ResolveProxy(url, std::string(), &info, callback.callback(),
-                                &request, NetLogWithSource());
+  int rv =
+      service.ResolveProxy(url, std::string(), NetworkIsolationKey(), &info,
+                           callback.callback(), &request, NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
   // Check that nothing has been sent to the proxy resolver factory yet.
@@ -1486,8 +1512,9 @@ TEST_F(ProxyResolutionServiceTest, ProxyResolverFailsInJavaScriptMandatoryPac) {
   ProxyInfo info;
   TestCompletionCallback callback1;
   std::unique_ptr<ProxyResolutionService::Request> request;
-  int rv = service.ResolveProxy(url, std::string(), &info, callback1.callback(),
-                                &request, NetLogWithSource());
+  int rv =
+      service.ResolveProxy(url, std::string(), NetworkIsolationKey(), &info,
+                           callback1.callback(), &request, NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
   EXPECT_EQ(GURL("http://foopy/proxy.pac"),
@@ -1509,8 +1536,8 @@ TEST_F(ProxyResolutionServiceTest, ProxyResolverFailsInJavaScriptMandatoryPac) {
   // The second resolve request will try to run through the proxy resolver,
   // regardless of whether the first request failed in it.
   TestCompletionCallback callback2;
-  rv = service.ResolveProxy(url, std::string(), &info, callback2.callback(),
-                            &request, NetLogWithSource());
+  rv = service.ResolveProxy(url, std::string(), NetworkIsolationKey(), &info,
+                            callback2.callback(), &request, NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
   ASSERT_EQ(1u, resolver.pending_jobs().size());
@@ -1546,8 +1573,9 @@ TEST_F(ProxyResolutionServiceTest, ProxyFallback) {
   ProxyInfo info;
   TestCompletionCallback callback1;
   std::unique_ptr<ProxyResolutionService::Request> request;
-  int rv = service.ResolveProxy(url, std::string(), &info, callback1.callback(),
-                                &request, NetLogWithSource());
+  int rv =
+      service.ResolveProxy(url, std::string(), NetworkIsolationKey(), &info,
+                           callback1.callback(), &request, NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
   EXPECT_EQ(GURL("http://foopy/proxy.pac"),
@@ -1593,8 +1621,8 @@ TEST_F(ProxyResolutionServiceTest, ProxyFallback) {
   service.SetProxyDelegate(nullptr);
 
   TestCompletionCallback callback3;
-  rv = service.ResolveProxy(url, std::string(), &info, callback3.callback(),
-                            &request, NetLogWithSource());
+  rv = service.ResolveProxy(url, std::string(), NetworkIsolationKey(), &info,
+                            callback3.callback(), &request, NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
   ASSERT_EQ(1u, resolver.pending_jobs().size());
@@ -1640,8 +1668,8 @@ TEST_F(ProxyResolutionServiceTest, ProxyFallback) {
 
   // Look up proxies again
   TestCompletionCallback callback7;
-  rv = service.ResolveProxy(url, std::string(), &info, callback7.callback(),
-                            &request, NetLogWithSource());
+  rv = service.ResolveProxy(url, std::string(), NetworkIsolationKey(), &info,
+                            callback7.callback(), &request, NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
   ASSERT_EQ(1u, resolver.pending_jobs().size());
@@ -1683,8 +1711,9 @@ TEST_F(ProxyResolutionServiceTest, ProxyFallbackToDirect) {
   ProxyInfo info;
   TestCompletionCallback callback1;
   std::unique_ptr<ProxyResolutionService::Request> request1;
-  int rv = service.ResolveProxy(url, std::string(), &info, callback1.callback(),
-                                &request1, NetLogWithSource());
+  int rv =
+      service.ResolveProxy(url, std::string(), NetworkIsolationKey(), &info,
+                           callback1.callback(), &request1, NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
   EXPECT_EQ(GURL("http://foopy/proxy.pac"),
@@ -1747,8 +1776,9 @@ TEST_F(ProxyResolutionServiceTest, ProxyFallback_BadConfig) {
   TestResolveProxyDelegate delegate;
   std::unique_ptr<ProxyResolutionService::Request> request;
   service.SetProxyDelegate(&delegate);
-  int rv = service.ResolveProxy(url, std::string(), &info, callback1.callback(),
-                                &request, NetLogWithSource());
+  int rv =
+      service.ResolveProxy(url, std::string(), NetworkIsolationKey(), &info,
+                           callback1.callback(), &request, NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
   EXPECT_EQ(GURL("http://foopy/proxy.pac"),
@@ -1780,8 +1810,8 @@ TEST_F(ProxyResolutionServiceTest, ProxyFallback_BadConfig) {
   // Fake a PAC failure.
   ProxyInfo info2;
   TestCompletionCallback callback2;
-  rv = service.ResolveProxy(url, std::string(), &info2, callback2.callback(),
-                            &request, NetLogWithSource());
+  rv = service.ResolveProxy(url, std::string(), NetworkIsolationKey(), &info2,
+                            callback2.callback(), &request, NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
   ASSERT_EQ(1u, resolver.pending_jobs().size());
@@ -1802,8 +1832,9 @@ TEST_F(ProxyResolutionServiceTest, ProxyFallback_BadConfig) {
   ProxyInfo info3;
   TestCompletionCallback callback3;
   std::unique_ptr<ProxyResolutionService::Request> request3;
-  rv = service.ResolveProxy(url, std::string(), &info3, callback3.callback(),
-                            &request3, NetLogWithSource());
+  rv =
+      service.ResolveProxy(url, std::string(), NetworkIsolationKey(), &info3,
+                           callback3.callback(), &request3, NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
   ASSERT_EQ(1u, resolver.pending_jobs().size());
@@ -1849,8 +1880,9 @@ TEST_F(ProxyResolutionServiceTest, ProxyFallback_BadConfigMandatory) {
   ProxyInfo info;
   TestCompletionCallback callback1;
   std::unique_ptr<ProxyResolutionService::Request> request1;
-  int rv = service.ResolveProxy(url, std::string(), &info, callback1.callback(),
-                                &request1, NetLogWithSource());
+  int rv =
+      service.ResolveProxy(url, std::string(), NetworkIsolationKey(), &info,
+                           callback1.callback(), &request1, NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
   EXPECT_EQ(GURL("http://foopy/proxy.pac"),
@@ -1883,8 +1915,9 @@ TEST_F(ProxyResolutionServiceTest, ProxyFallback_BadConfigMandatory) {
   ProxyInfo info2;
   TestCompletionCallback callback3;
   std::unique_ptr<ProxyResolutionService::Request> request3;
-  rv = service.ResolveProxy(url, std::string(), &info2, callback3.callback(),
-                            &request3, NetLogWithSource());
+  rv =
+      service.ResolveProxy(url, std::string(), NetworkIsolationKey(), &info2,
+                           callback3.callback(), &request3, NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
   ASSERT_EQ(1u, resolver.pending_jobs().size());
@@ -1906,8 +1939,9 @@ TEST_F(ProxyResolutionServiceTest, ProxyFallback_BadConfigMandatory) {
   ProxyInfo info3;
   TestCompletionCallback callback4;
   std::unique_ptr<ProxyResolutionService::Request> request4;
-  rv = service.ResolveProxy(url, std::string(), &info3, callback4.callback(),
-                            &request4, NetLogWithSource());
+  rv =
+      service.ResolveProxy(url, std::string(), NetworkIsolationKey(), &info3,
+                           callback4.callback(), &request4, NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
   ASSERT_EQ(1u, resolver.pending_jobs().size());
@@ -1945,15 +1979,15 @@ TEST_F(ProxyResolutionServiceTest, ProxyBypassList) {
   std::unique_ptr<ProxyResolutionService::Request> request2;
 
   // Request for a .org domain should bypass proxy.
-  rv = service.ResolveProxy(url1, std::string(), &info[0],
-                            callback[0].callback(), &request1,
+  rv = service.ResolveProxy(url1, std::string(), NetworkIsolationKey(),
+                            &info[0], callback[0].callback(), &request1,
                             NetLogWithSource());
   EXPECT_THAT(rv, IsOk());
   EXPECT_TRUE(info[0].is_direct());
 
   // Request for a .com domain hits the proxy.
-  rv = service.ResolveProxy(url2, std::string(), &info[1],
-                            callback[1].callback(), &request2,
+  rv = service.ResolveProxy(url2, std::string(), NetworkIsolationKey(),
+                            &info[1], callback[1].callback(), &request2,
                             NetLogWithSource());
   EXPECT_THAT(rv, IsOk());
   EXPECT_EQ("foopy1:8080", info[1].proxy_server().ToURI());
@@ -2004,9 +2038,9 @@ TEST_F(ProxyResolutionServiceTest, PerProtocolProxyTests) {
     GURL test_url("http://www.msn.com");
     ProxyInfo info;
     TestCompletionCallback callback;
-    int rv =
-        service.ResolveProxy(test_url, std::string(), &info,
-                             callback.callback(), &request, NetLogWithSource());
+    int rv = service.ResolveProxy(
+        test_url, std::string(), NetworkIsolationKey(), &info,
+        callback.callback(), &request, NetLogWithSource());
     EXPECT_THAT(rv, IsOk());
     EXPECT_FALSE(info.is_direct());
     EXPECT_EQ("foopy1:8080", info.proxy_server().ToURI());
@@ -2017,9 +2051,9 @@ TEST_F(ProxyResolutionServiceTest, PerProtocolProxyTests) {
     GURL test_url("ftp://ftp.google.com");
     ProxyInfo info;
     TestCompletionCallback callback;
-    int rv =
-        service.ResolveProxy(test_url, std::string(), &info,
-                             callback.callback(), &request, NetLogWithSource());
+    int rv = service.ResolveProxy(
+        test_url, std::string(), NetworkIsolationKey(), &info,
+        callback.callback(), &request, NetLogWithSource());
     EXPECT_THAT(rv, IsOk());
     EXPECT_TRUE(info.is_direct());
     EXPECT_EQ("direct://", info.proxy_server().ToURI());
@@ -2030,9 +2064,9 @@ TEST_F(ProxyResolutionServiceTest, PerProtocolProxyTests) {
     GURL test_url("https://webbranch.techcu.com");
     ProxyInfo info;
     TestCompletionCallback callback;
-    int rv =
-        service.ResolveProxy(test_url, std::string(), &info,
-                             callback.callback(), &request, NetLogWithSource());
+    int rv = service.ResolveProxy(
+        test_url, std::string(), NetworkIsolationKey(), &info,
+        callback.callback(), &request, NetLogWithSource());
     EXPECT_THAT(rv, IsOk());
     EXPECT_FALSE(info.is_direct());
     EXPECT_EQ("foopy2:8080", info.proxy_server().ToURI());
@@ -2044,9 +2078,9 @@ TEST_F(ProxyResolutionServiceTest, PerProtocolProxyTests) {
     GURL test_url("http://www.microsoft.com");
     ProxyInfo info;
     TestCompletionCallback callback;
-    int rv =
-        service.ResolveProxy(test_url, std::string(), &info,
-                             callback.callback(), &request, NetLogWithSource());
+    int rv = service.ResolveProxy(
+        test_url, std::string(), NetworkIsolationKey(), &info,
+        callback.callback(), &request, NetLogWithSource());
     EXPECT_THAT(rv, IsOk());
     EXPECT_FALSE(info.is_direct());
     EXPECT_EQ("foopy1:8080", info.proxy_server().ToURI());
@@ -2066,9 +2100,9 @@ TEST_F(ProxyResolutionServiceTest, ProxyConfigTrafficAnnotationPropagates) {
     GURL test_url("http://www.google.com");
     ProxyInfo info;
     TestCompletionCallback callback;
-    int rv =
-        service.ResolveProxy(test_url, std::string(), &info,
-                             callback.callback(), &request, NetLogWithSource());
+    int rv = service.ResolveProxy(
+        test_url, std::string(), NetworkIsolationKey(), &info,
+        callback.callback(), &request, NetLogWithSource());
     ASSERT_THAT(rv, IsOk());
     // Should be test, even if there are no HTTP proxies configured.
     EXPECT_EQ(MutableNetworkTrafficAnnotationTag(TRAFFIC_ANNOTATION_FOR_TESTS),
@@ -2082,9 +2116,9 @@ TEST_F(ProxyResolutionServiceTest, ProxyConfigTrafficAnnotationPropagates) {
     GURL test_url("https://www.google.com");
     ProxyInfo info;
     TestCompletionCallback callback;
-    int rv =
-        service.ResolveProxy(test_url, std::string(), &info,
-                             callback.callback(), &request, NetLogWithSource());
+    int rv = service.ResolveProxy(
+        test_url, std::string(), NetworkIsolationKey(), &info,
+        callback.callback(), &request, NetLogWithSource());
     ASSERT_THAT(rv, IsOk());
     // Used the HTTPS proxy. So traffic annotation should test.
     EXPECT_EQ(MutableNetworkTrafficAnnotationTag(TRAFFIC_ANNOTATION_FOR_TESTS),
@@ -2097,9 +2131,9 @@ TEST_F(ProxyResolutionServiceTest, ProxyConfigTrafficAnnotationPropagates) {
     GURL test_url("http://www.google.com");
     ProxyInfo info;
     TestCompletionCallback callback;
-    int rv =
-        service.ResolveProxy(test_url, std::string(), &info,
-                             callback.callback(), &request, NetLogWithSource());
+    int rv = service.ResolveProxy(
+        test_url, std::string(), NetworkIsolationKey(), &info,
+        callback.callback(), &request, NetLogWithSource());
     ASSERT_THAT(rv, IsOk());
     // ProxyConfig is empty. Traffic annotation should still be TEST.
     EXPECT_EQ(MutableNetworkTrafficAnnotationTag(TRAFFIC_ANNOTATION_FOR_TESTS),
@@ -2123,9 +2157,9 @@ TEST_F(ProxyResolutionServiceTest, DefaultProxyFallbackToSOCKS) {
     GURL test_url("http://www.msn.com");
     ProxyInfo info;
     TestCompletionCallback callback;
-    int rv =
-        service.ResolveProxy(test_url, std::string(), &info,
-                             callback.callback(), &request, NetLogWithSource());
+    int rv = service.ResolveProxy(
+        test_url, std::string(), NetworkIsolationKey(), &info,
+        callback.callback(), &request, NetLogWithSource());
     EXPECT_THAT(rv, IsOk());
     EXPECT_FALSE(info.is_direct());
     EXPECT_EQ("foopy1:8080", info.proxy_server().ToURI());
@@ -2136,9 +2170,9 @@ TEST_F(ProxyResolutionServiceTest, DefaultProxyFallbackToSOCKS) {
     GURL test_url("ftp://ftp.google.com");
     ProxyInfo info;
     TestCompletionCallback callback;
-    int rv =
-        service.ResolveProxy(test_url, std::string(), &info,
-                             callback.callback(), &request, NetLogWithSource());
+    int rv = service.ResolveProxy(
+        test_url, std::string(), NetworkIsolationKey(), &info,
+        callback.callback(), &request, NetLogWithSource());
     EXPECT_THAT(rv, IsOk());
     EXPECT_FALSE(info.is_direct());
     EXPECT_EQ("socks4://foopy2:1080", info.proxy_server().ToURI());
@@ -2149,9 +2183,9 @@ TEST_F(ProxyResolutionServiceTest, DefaultProxyFallbackToSOCKS) {
     GURL test_url("https://webbranch.techcu.com");
     ProxyInfo info;
     TestCompletionCallback callback;
-    int rv =
-        service.ResolveProxy(test_url, std::string(), &info,
-                             callback.callback(), &request, NetLogWithSource());
+    int rv = service.ResolveProxy(
+        test_url, std::string(), NetworkIsolationKey(), &info,
+        callback.callback(), &request, NetLogWithSource());
     EXPECT_THAT(rv, IsOk());
     EXPECT_FALSE(info.is_direct());
     EXPECT_EQ("socks4://foopy2:1080", info.proxy_server().ToURI());
@@ -2162,9 +2196,9 @@ TEST_F(ProxyResolutionServiceTest, DefaultProxyFallbackToSOCKS) {
     GURL test_url("unknown://www.microsoft.com");
     ProxyInfo info;
     TestCompletionCallback callback;
-    int rv =
-        service.ResolveProxy(test_url, std::string(), &info,
-                             callback.callback(), &request, NetLogWithSource());
+    int rv = service.ResolveProxy(
+        test_url, std::string(), NetworkIsolationKey(), &info,
+        callback.callback(), &request, NetLogWithSource());
     EXPECT_THAT(rv, IsOk());
     EXPECT_FALSE(info.is_direct());
     EXPECT_EQ("socks4://foopy2:1080", info.proxy_server().ToURI());
@@ -2192,8 +2226,8 @@ TEST_F(ProxyResolutionServiceTest, CancelInProgressRequest) {
   TestCompletionCallback callback1;
   std::unique_ptr<ProxyResolutionService::Request> request1;
   int rv =
-      service.ResolveProxy(url1, std::string(), &info1, callback1.callback(),
-                           &request1, NetLogWithSource());
+      service.ResolveProxy(url1, std::string(), NetworkIsolationKey(), &info1,
+                           callback1.callback(), &request1, NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
   // Successfully initialize the PAC script.
@@ -2206,8 +2240,9 @@ TEST_F(ProxyResolutionServiceTest, CancelInProgressRequest) {
   ProxyInfo info2;
   TestCompletionCallback callback2;
   std::unique_ptr<ProxyResolutionService::Request> request2;
-  rv = service.ResolveProxy(url2, std::string(), &info2, callback2.callback(),
-                            &request2, NetLogWithSource());
+  rv =
+      service.ResolveProxy(url2, std::string(), NetworkIsolationKey(), &info2,
+                           callback2.callback(), &request2, NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
   GetPendingJobsForURLs(resolver, url1, url2);
@@ -2215,8 +2250,9 @@ TEST_F(ProxyResolutionServiceTest, CancelInProgressRequest) {
   ProxyInfo info3;
   TestCompletionCallback callback3;
   std::unique_ptr<ProxyResolutionService::Request> request3;
-  rv = service.ResolveProxy(url3, std::string(), &info3, callback3.callback(),
-                            &request3, NetLogWithSource());
+  rv =
+      service.ResolveProxy(url3, std::string(), NetworkIsolationKey(), &info3,
+                           callback3.callback(), &request3, NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
   GetPendingJobsForURLs(resolver, url1, url2, url3);
 
@@ -2268,8 +2304,8 @@ TEST_F(ProxyResolutionServiceTest, InitialPACScriptDownload) {
   TestCompletionCallback callback1;
   std::unique_ptr<ProxyResolutionService::Request> request1;
   int rv =
-      service.ResolveProxy(url1, std::string(), &info1, callback1.callback(),
-                           &request1, NetLogWithSource());
+      service.ResolveProxy(url1, std::string(), NetworkIsolationKey(), &info1,
+                           callback1.callback(), &request1, NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
   // The first request should have triggered download of PAC script.
@@ -2279,15 +2315,17 @@ TEST_F(ProxyResolutionServiceTest, InitialPACScriptDownload) {
   ProxyInfo info2;
   TestCompletionCallback callback2;
   std::unique_ptr<ProxyResolutionService::Request> request2;
-  rv = service.ResolveProxy(url2, std::string(), &info2, callback2.callback(),
-                            &request2, NetLogWithSource());
+  rv =
+      service.ResolveProxy(url2, std::string(), NetworkIsolationKey(), &info2,
+                           callback2.callback(), &request2, NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
   ProxyInfo info3;
   TestCompletionCallback callback3;
   std::unique_ptr<ProxyResolutionService::Request> request3;
-  rv = service.ResolveProxy(url3, std::string(), &info3, callback3.callback(),
-                            &request3, NetLogWithSource());
+  rv =
+      service.ResolveProxy(url3, std::string(), NetworkIsolationKey(), &info3,
+                           callback3.callback(), &request3, NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
   // Nothing has been sent to the factory yet.
@@ -2373,8 +2411,8 @@ TEST_F(ProxyResolutionServiceTest,
   TestCompletionCallback callback1;
   std::unique_ptr<ProxyResolutionService::Request> request1;
   int rv =
-      service.ResolveProxy(url1, std::string(), &info1, callback1.callback(),
-                           &request1, NetLogWithSource());
+      service.ResolveProxy(url1, std::string(), NetworkIsolationKey(), &info1,
+                           callback1.callback(), &request1, NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
   // The first request should have triggered download of PAC script.
@@ -2384,8 +2422,9 @@ TEST_F(ProxyResolutionServiceTest,
   ProxyInfo info2;
   TestCompletionCallback callback2;
   std::unique_ptr<ProxyResolutionService::Request> request2;
-  rv = service.ResolveProxy(url2, std::string(), &info2, callback2.callback(),
-                            &request2, NetLogWithSource());
+  rv =
+      service.ResolveProxy(url2, std::string(), NetworkIsolationKey(), &info2,
+                           callback2.callback(), &request2, NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
   // At this point the ProxyResolutionService should be waiting for the
@@ -2433,8 +2472,9 @@ TEST_F(ProxyResolutionServiceTest, CancelWhilePACFetching) {
   ProxyInfo info1;
   TestCompletionCallback callback1;
   std::unique_ptr<ProxyResolutionService::Request> request1;
-  BoundTestNetLog log1;
-  int rv = service.ResolveProxy(GURL("http://request1"), std::string(), &info1,
+  RecordingBoundTestNetLog log1;
+  int rv = service.ResolveProxy(GURL("http://request1"), std::string(),
+                                NetworkIsolationKey(), &info1,
                                 callback1.callback(), &request1, log1.bound());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
@@ -2445,17 +2485,17 @@ TEST_F(ProxyResolutionServiceTest, CancelWhilePACFetching) {
   ProxyInfo info2;
   TestCompletionCallback callback2;
   std::unique_ptr<ProxyResolutionService::Request> request2;
-  rv =
-      service.ResolveProxy(GURL("http://request2"), std::string(), &info2,
-                           callback2.callback(), &request2, NetLogWithSource());
+  rv = service.ResolveProxy(GURL("http://request2"), std::string(),
+                            NetworkIsolationKey(), &info2, callback2.callback(),
+                            &request2, NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
   ProxyInfo info3;
   TestCompletionCallback callback3;
   std::unique_ptr<ProxyResolutionService::Request> request3;
-  rv =
-      service.ResolveProxy(GURL("http://request3"), std::string(), &info3,
-                           callback3.callback(), &request3, NetLogWithSource());
+  rv = service.ResolveProxy(GURL("http://request3"), std::string(),
+                            NetworkIsolationKey(), &info3, callback3.callback(),
+                            &request3, NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
   // Nothing has been sent to the factory yet.
@@ -2534,15 +2574,16 @@ TEST_F(ProxyResolutionServiceTest, FallbackFromAutodetectToCustomPac) {
   TestCompletionCallback callback1;
   std::unique_ptr<ProxyResolutionService::Request> request1;
   int rv =
-      service.ResolveProxy(url1, std::string(), &info1, callback1.callback(),
-                           &request1, NetLogWithSource());
+      service.ResolveProxy(url1, std::string(), NetworkIsolationKey(), &info1,
+                           callback1.callback(), &request1, NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
   ProxyInfo info2;
   TestCompletionCallback callback2;
   std::unique_ptr<ProxyResolutionService::Request> request2;
-  rv = service.ResolveProxy(url2, std::string(), &info2, callback2.callback(),
-                            &request2, NetLogWithSource());
+  rv =
+      service.ResolveProxy(url2, std::string(), NetworkIsolationKey(), &info2,
+                           callback2.callback(), &request2, NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
   // Check that nothing has been sent to the proxy resolver factory yet.
@@ -2618,15 +2659,16 @@ TEST_F(ProxyResolutionServiceTest, FallbackFromAutodetectToCustomPac2) {
   TestCompletionCallback callback1;
   std::unique_ptr<ProxyResolutionService::Request> request1;
   int rv =
-      service.ResolveProxy(url1, std::string(), &info1, callback1.callback(),
-                           &request1, NetLogWithSource());
+      service.ResolveProxy(url1, std::string(), NetworkIsolationKey(), &info1,
+                           callback1.callback(), &request1, NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
   ProxyInfo info2;
   TestCompletionCallback callback2;
   std::unique_ptr<ProxyResolutionService::Request> request2;
-  rv = service.ResolveProxy(url2, std::string(), &info2, callback2.callback(),
-                            &request2, NetLogWithSource());
+  rv =
+      service.ResolveProxy(url2, std::string(), NetworkIsolationKey(), &info2,
+                           callback2.callback(), &request2, NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
   // Check that nothing has been sent to the proxy resolver factory yet.
@@ -2694,17 +2736,17 @@ TEST_F(ProxyResolutionServiceTest, FallbackFromAutodetectToCustomToManual) {
   ProxyInfo info1;
   TestCompletionCallback callback1;
   std::unique_ptr<ProxyResolutionService::Request> request1;
-  int rv =
-      service.ResolveProxy(GURL("http://request1"), std::string(), &info1,
-                           callback1.callback(), &request1, NetLogWithSource());
+  int rv = service.ResolveProxy(
+      GURL("http://request1"), std::string(), NetworkIsolationKey(), &info1,
+      callback1.callback(), &request1, NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
   ProxyInfo info2;
   TestCompletionCallback callback2;
   std::unique_ptr<ProxyResolutionService::Request> request2;
-  rv =
-      service.ResolveProxy(GURL("http://request2"), std::string(), &info2,
-                           callback2.callback(), &request2, NetLogWithSource());
+  rv = service.ResolveProxy(GURL("http://request2"), std::string(),
+                            NetworkIsolationKey(), &info2, callback2.callback(),
+                            &request2, NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
   // Check that nothing has been sent to the proxy resolver factory yet.
@@ -2757,9 +2799,9 @@ TEST_F(ProxyResolutionServiceTest, BypassDoesntApplyToPac) {
   ProxyInfo info1;
   TestCompletionCallback callback1;
   std::unique_ptr<ProxyResolutionService::Request> request1;
-  int rv =
-      service.ResolveProxy(GURL("http://www.google.com"), std::string(), &info1,
-                           callback1.callback(), &request1, NetLogWithSource());
+  int rv = service.ResolveProxy(
+      GURL("http://www.google.com"), std::string(), NetworkIsolationKey(),
+      &info1, callback1.callback(), &request1, NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
   // Check that nothing has been sent to the proxy resolver factory yet.
@@ -2789,9 +2831,9 @@ TEST_F(ProxyResolutionServiceTest, BypassDoesntApplyToPac) {
   ProxyInfo info2;
   TestCompletionCallback callback2;
   std::unique_ptr<ProxyResolutionService::Request> request2;
-  rv =
-      service.ResolveProxy(GURL("http://www.google.com"), std::string(), &info2,
-                           callback2.callback(), &request2, NetLogWithSource());
+  rv = service.ResolveProxy(GURL("http://www.google.com"), std::string(),
+                            NetworkIsolationKey(), &info2, callback2.callback(),
+                            &request2, NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
   ASSERT_EQ(1u, resolver.pending_jobs().size());
@@ -2829,9 +2871,9 @@ TEST_F(ProxyResolutionServiceTest,
   ProxyInfo info1;
   TestCompletionCallback callback1;
   std::unique_ptr<ProxyResolutionService::Request> request1;
-  int rv =
-      service.ResolveProxy(GURL("http://www.google.com"), std::string(), &info1,
-                           callback1.callback(), &request1, NetLogWithSource());
+  int rv = service.ResolveProxy(
+      GURL("http://www.google.com"), std::string(), NetworkIsolationKey(),
+      &info1, callback1.callback(), &request1, NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
   // Check that nothing has been sent to the proxy resolver factory yet.
@@ -2863,8 +2905,9 @@ TEST_F(ProxyResolutionServiceTest,
   ProxyInfo info;
   TestCompletionCallback callback;
   std::unique_ptr<ProxyResolutionService::Request> request;
-  int rv = service.ResolveProxy(url, std::string(), &info, callback.callback(),
-                                &request, NetLogWithSource());
+  int rv =
+      service.ResolveProxy(url, std::string(), NetworkIsolationKey(), &info,
+                           callback.callback(), &request, NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
   EXPECT_EQ(GURL("http://foopy/proxy.pac"),
@@ -2888,9 +2931,9 @@ TEST_F(ProxyResolutionServiceTest, UpdateConfigFromPACToDirect) {
   ProxyInfo info1;
   TestCompletionCallback callback1;
   std::unique_ptr<ProxyResolutionService::Request> request1;
-  int rv =
-      service.ResolveProxy(GURL("http://www.google.com"), std::string(), &info1,
-                           callback1.callback(), &request1, NetLogWithSource());
+  int rv = service.ResolveProxy(
+      GURL("http://www.google.com"), std::string(), NetworkIsolationKey(),
+      &info1, callback1.callback(), &request1, NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
   // Successfully set the autodetect script.
@@ -2918,9 +2961,9 @@ TEST_F(ProxyResolutionServiceTest, UpdateConfigFromPACToDirect) {
   ProxyInfo info2;
   TestCompletionCallback callback2;
   std::unique_ptr<ProxyResolutionService::Request> request2;
-  rv =
-      service.ResolveProxy(GURL("http://www.google.com"), std::string(), &info2,
-                           callback2.callback(), &request2, NetLogWithSource());
+  rv = service.ResolveProxy(GURL("http://www.google.com"), std::string(),
+                            NetworkIsolationKey(), &info2, callback2.callback(),
+                            &request2, NetLogWithSource());
   EXPECT_THAT(rv, IsOk());
 
   EXPECT_TRUE(info2.is_direct());
@@ -2934,7 +2977,7 @@ TEST_F(ProxyResolutionServiceTest, NetworkChangeTriggersPacRefetch) {
   MockAsyncProxyResolverFactory* factory =
       new MockAsyncProxyResolverFactory(true);
 
-  TestNetLog log;
+  RecordingTestNetLog log;
 
   ProxyResolutionService service(base::WrapUnique(config_service),
                                  base::WrapUnique(factory), &log);
@@ -2952,9 +2995,9 @@ TEST_F(ProxyResolutionServiceTest, NetworkChangeTriggersPacRefetch) {
   ProxyInfo info1;
   TestCompletionCallback callback1;
   std::unique_ptr<ProxyResolutionService::Request> request1;
-  int rv =
-      service.ResolveProxy(GURL("http://request1"), std::string(), &info1,
-                           callback1.callback(), &request1, NetLogWithSource());
+  int rv = service.ResolveProxy(
+      GURL("http://request1"), std::string(), NetworkIsolationKey(), &info1,
+      callback1.callback(), &request1, NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
   // The first request should have triggered initial download of PAC script.
@@ -2996,9 +3039,9 @@ TEST_F(ProxyResolutionServiceTest, NetworkChangeTriggersPacRefetch) {
   ProxyInfo info2;
   TestCompletionCallback callback2;
   std::unique_ptr<ProxyResolutionService::Request> request2;
-  rv =
-      service.ResolveProxy(GURL("http://request2"), std::string(), &info2,
-                           callback2.callback(), &request2, NetLogWithSource());
+  rv = service.ResolveProxy(GURL("http://request2"), std::string(),
+                            NetworkIsolationKey(), &info2, callback2.callback(),
+                            &request2, NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
   // This second request should have triggered the re-download of the PAC
@@ -3071,9 +3114,9 @@ TEST_F(ProxyResolutionServiceTest, PACScriptRefetchAfterFailure) {
   ProxyInfo info1;
   TestCompletionCallback callback1;
   std::unique_ptr<ProxyResolutionService::Request> request1;
-  int rv =
-      service.ResolveProxy(GURL("http://request1"), std::string(), &info1,
-                           callback1.callback(), &request1, NetLogWithSource());
+  int rv = service.ResolveProxy(
+      GURL("http://request1"), std::string(), NetworkIsolationKey(), &info1,
+      callback1.callback(), &request1, NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
   // The first request should have triggered initial download of PAC script.
@@ -3133,9 +3176,9 @@ TEST_F(ProxyResolutionServiceTest, PACScriptRefetchAfterFailure) {
   ProxyInfo info2;
   TestCompletionCallback callback2;
   std::unique_ptr<ProxyResolutionService::Request> request2;
-  rv =
-      service.ResolveProxy(GURL("http://request2"), std::string(), &info2,
-                           callback2.callback(), &request2, NetLogWithSource());
+  rv = service.ResolveProxy(GURL("http://request2"), std::string(),
+                            NetworkIsolationKey(), &info2, callback2.callback(),
+                            &request2, NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
   // Check that it was sent to the resolver.
@@ -3180,9 +3223,9 @@ TEST_F(ProxyResolutionServiceTest, PACScriptRefetchAfterContentChange) {
   ProxyInfo info1;
   TestCompletionCallback callback1;
   std::unique_ptr<ProxyResolutionService::Request> request1;
-  int rv =
-      service.ResolveProxy(GURL("http://request1"), std::string(), &info1,
-                           callback1.callback(), &request1, NetLogWithSource());
+  int rv = service.ResolveProxy(
+      GURL("http://request1"), std::string(), NetworkIsolationKey(), &info1,
+      callback1.callback(), &request1, NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
   // The first request should have triggered initial download of PAC script.
@@ -3248,9 +3291,9 @@ TEST_F(ProxyResolutionServiceTest, PACScriptRefetchAfterContentChange) {
   ProxyInfo info2;
   TestCompletionCallback callback2;
   std::unique_ptr<ProxyResolutionService::Request> request2;
-  rv =
-      service.ResolveProxy(GURL("http://request2"), std::string(), &info2,
-                           callback2.callback(), &request2, NetLogWithSource());
+  rv = service.ResolveProxy(GURL("http://request2"), std::string(),
+                            NetworkIsolationKey(), &info2, callback2.callback(),
+                            &request2, NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
   // Check that it was sent to the resolver.
@@ -3295,9 +3338,9 @@ TEST_F(ProxyResolutionServiceTest, PACScriptRefetchAfterContentUnchanged) {
   ProxyInfo info1;
   TestCompletionCallback callback1;
   std::unique_ptr<ProxyResolutionService::Request> request1;
-  int rv =
-      service.ResolveProxy(GURL("http://request1"), std::string(), &info1,
-                           callback1.callback(), &request1, NetLogWithSource());
+  int rv = service.ResolveProxy(
+      GURL("http://request1"), std::string(), NetworkIsolationKey(), &info1,
+      callback1.callback(), &request1, NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
   // The first request should have triggered initial download of PAC script.
@@ -3360,9 +3403,9 @@ TEST_F(ProxyResolutionServiceTest, PACScriptRefetchAfterContentUnchanged) {
   ProxyInfo info2;
   TestCompletionCallback callback2;
   std::unique_ptr<ProxyResolutionService::Request> request2;
-  rv =
-      service.ResolveProxy(GURL("http://request2"), std::string(), &info2,
-                           callback2.callback(), &request2, NetLogWithSource());
+  rv = service.ResolveProxy(GURL("http://request2"), std::string(),
+                            NetworkIsolationKey(), &info2, callback2.callback(),
+                            &request2, NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
   // Check that it was sent to the resolver.
@@ -3407,9 +3450,9 @@ TEST_F(ProxyResolutionServiceTest, PACScriptRefetchAfterSuccess) {
   ProxyInfo info1;
   TestCompletionCallback callback1;
   std::unique_ptr<ProxyResolutionService::Request> request1;
-  int rv =
-      service.ResolveProxy(GURL("http://request1"), std::string(), &info1,
-                           callback1.callback(), &request1, NetLogWithSource());
+  int rv = service.ResolveProxy(
+      GURL("http://request1"), std::string(), NetworkIsolationKey(), &info1,
+      callback1.callback(), &request1, NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
   // The first request should have triggered initial download of PAC script.
@@ -3469,9 +3512,9 @@ TEST_F(ProxyResolutionServiceTest, PACScriptRefetchAfterSuccess) {
   ProxyInfo info2;
   TestCompletionCallback callback2;
   std::unique_ptr<ProxyResolutionService::Request> request2;
-  rv =
-      service.ResolveProxy(GURL("http://request2"), std::string(), &info2,
-                           callback2.callback(), &request2, NetLogWithSource());
+  rv = service.ResolveProxy(GURL("http://request2"), std::string(),
+                            NetworkIsolationKey(), &info2, callback2.callback(),
+                            &request2, NetLogWithSource());
   EXPECT_THAT(rv, IsOk());
   EXPECT_TRUE(info2.is_direct());
 }
@@ -3572,9 +3615,9 @@ TEST_F(ProxyResolutionServiceTest, PACScriptRefetchAfterActivity) {
   ProxyInfo info1;
   TestCompletionCallback callback1;
   std::unique_ptr<ProxyResolutionService::Request> request1;
-  int rv =
-      service.ResolveProxy(GURL("http://request1"), std::string(), &info1,
-                           callback1.callback(), &request1, NetLogWithSource());
+  int rv = service.ResolveProxy(
+      GURL("http://request1"), std::string(), NetworkIsolationKey(), &info1,
+      callback1.callback(), &request1, NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
   // The first request should have triggered initial download of PAC script.
@@ -3618,9 +3661,9 @@ TEST_F(ProxyResolutionServiceTest, PACScriptRefetchAfterActivity) {
   ProxyInfo info2;
   TestCompletionCallback callback2;
   std::unique_ptr<ProxyResolutionService::Request> request2;
-  rv =
-      service.ResolveProxy(GURL("http://request2"), std::string(), &info2,
-                           callback2.callback(), &request2, NetLogWithSource());
+  rv = service.ResolveProxy(GURL("http://request2"), std::string(),
+                            NetworkIsolationKey(), &info2, callback2.callback(),
+                            &request2, NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
   // This request should have sent work to the resolver; complete it.
@@ -3650,9 +3693,9 @@ TEST_F(ProxyResolutionServiceTest, PACScriptRefetchAfterActivity) {
   ProxyInfo info3;
   TestCompletionCallback callback3;
   std::unique_ptr<ProxyResolutionService::Request> request3;
-  rv =
-      service.ResolveProxy(GURL("http://request3"), std::string(), &info3,
-                           callback3.callback(), &request3, NetLogWithSource());
+  rv = service.ResolveProxy(GURL("http://request3"), std::string(),
+                            NetworkIsolationKey(), &info3, callback3.callback(),
+                            &request3, NetLogWithSource());
   EXPECT_THAT(rv, IsOk());
   EXPECT_TRUE(info3.is_direct());
 }
@@ -3677,9 +3720,9 @@ class SanitizeUrlHelper {
     ProxyInfo info;
     TestCompletionCallback callback;
     std::unique_ptr<ProxyResolutionService::Request> request;
-    int rv =
-        service_->ResolveProxy(url, std::string(), &info, callback.callback(),
-                               &request, NetLogWithSource());
+    int rv = service_->ResolveProxy(url, std::string(), NetworkIsolationKey(),
+                                    &info, callback.callback(), &request,
+                                    NetLogWithSource());
     EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
     // First step is to download the PAC script.
@@ -3704,9 +3747,9 @@ class SanitizeUrlHelper {
     ProxyInfo info;
     TestCompletionCallback callback;
     std::unique_ptr<ProxyResolutionService::Request> request1;
-    int rv = service_->ResolveProxy(raw_url, std::string(), &info,
-                                    callback.callback(), &request1,
-                                    NetLogWithSource());
+    int rv = service_->ResolveProxy(
+        raw_url, std::string(), NetworkIsolationKey(), &info,
+        callback.callback(), &request1, NetLogWithSource());
     EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
     EXPECT_EQ(1u, resolver.pending_jobs().size());
@@ -3839,9 +3882,9 @@ TEST_F(ProxyResolutionServiceTest, OnShutdownWithLiveRequest) {
   ProxyInfo info;
   TestCompletionCallback callback;
   std::unique_ptr<ProxyResolutionService::Request> request;
-  int rv =
-      service.ResolveProxy(GURL("http://request/"), std::string(), &info,
-                           callback.callback(), &request, NetLogWithSource());
+  int rv = service.ResolveProxy(
+      GURL("http://request/"), std::string(), NetworkIsolationKey(), &info,
+      callback.callback(), &request, NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
   // The first request should have triggered download of PAC script.
@@ -3874,9 +3917,9 @@ TEST_F(ProxyResolutionServiceTest, OnShutdownFollowedByRequest) {
   ProxyInfo info;
   TestCompletionCallback callback;
   std::unique_ptr<ProxyResolutionService::Request> request;
-  int rv =
-      service.ResolveProxy(GURL("http://request/"), std::string(), &info,
-                           callback.callback(), &request, NetLogWithSource());
+  int rv = service.ResolveProxy(
+      GURL("http://request/"), std::string(), NetworkIsolationKey(), &info,
+      callback.callback(), &request, NetLogWithSource());
   EXPECT_THAT(rv, IsOk());
   EXPECT_FALSE(fetcher->has_pending_request());
   EXPECT_TRUE(info.is_direct());
@@ -3966,9 +4009,9 @@ TEST_F(ProxyResolutionServiceTest, ImplicitlyBypassWithManualSettings) {
   std::unique_ptr<ProxyResolutionService::Request> request1;
   ProxyInfo info1;
   TestCompletionCallback callback1;
-  int rv = service->ResolveProxy(GURL("http://www.example.com"), std::string(),
-                                 &info1, callback1.callback(), &request1,
-                                 NetLogWithSource());
+  int rv = service->ResolveProxy(
+      GURL("http://www.example.com"), std::string(), NetworkIsolationKey(),
+      &info1, callback1.callback(), &request1, NetLogWithSource());
   EXPECT_THAT(rv, IsOk());
   EXPECT_EQ("foopy1:8080", info1.proxy_server().ToURI());
 
@@ -3981,9 +4024,9 @@ TEST_F(ProxyResolutionServiceTest, ImplicitlyBypassWithManualSettings) {
       std::unique_ptr<ProxyResolutionService::Request> request;
       ProxyInfo info;
       TestCompletionCallback callback;
-      int rv =
-          service->ResolveProxy(url, std::string(), &info, callback.callback(),
-                                &request, NetLogWithSource());
+      int rv = service->ResolveProxy(url, std::string(), NetworkIsolationKey(),
+                                     &info, callback.callback(), &request,
+                                     NetLogWithSource());
       EXPECT_THAT(rv, IsOk());
       EXPECT_TRUE(info.is_direct());
     }
@@ -4012,9 +4055,9 @@ TEST_F(ProxyResolutionServiceTest, ImplicitlyBypassWithPac) {
   ProxyInfo info1;
   TestCompletionCallback callback1;
   std::unique_ptr<ProxyResolutionService::Request> request1;
-  int rv =
-      service.ResolveProxy(GURL("http://www.google.com"), std::string(), &info1,
-                           callback1.callback(), &request1, NetLogWithSource());
+  int rv = service.ResolveProxy(
+      GURL("http://www.google.com"), std::string(), NetworkIsolationKey(),
+      &info1, callback1.callback(), &request1, NetLogWithSource());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
   // This started auto-detect; complete it.
@@ -4047,9 +4090,9 @@ TEST_F(ProxyResolutionServiceTest, ImplicitlyBypassWithPac) {
       std::unique_ptr<ProxyResolutionService::Request> request;
       ProxyInfo info;
       TestCompletionCallback callback;
-      int rv =
-          service.ResolveProxy(url, std::string(), &info, callback.callback(),
-                               &request, NetLogWithSource());
+      int rv = service.ResolveProxy(url, std::string(), NetworkIsolationKey(),
+                                    &info, callback.callback(), &request,
+                                    NetLogWithSource());
       EXPECT_THAT(rv, IsOk());
       EXPECT_TRUE(info.is_direct());
     }
diff --git a/chromium/net/proxy_resolution/proxy_resolve_dns_operation.h b/chromium/net/proxy_resolution/proxy_resolve_dns_operation.h
index fdb8391f8d2..57dc1549e48 100644
--- a/chromium/net/proxy_resolution/proxy_resolve_dns_operation.h
+++ b/chromium/net/proxy_resolution/proxy_resolve_dns_operation.h
@@ -7,6 +7,8 @@
 
 namespace net {
 
+// TODO(mmenke): Remove this enum in favor of
+// proxy_resolver.mojom.HostResolveOperation.
 enum class ProxyResolveDnsOperation {
   DNS_RESOLVE,
   DNS_RESOLVE_EX,
diff --git a/chromium/net/proxy_resolution/proxy_resolver.h b/chromium/net/proxy_resolution/proxy_resolver.h
index ea01efa5a8f..6cfdb32859b 100644
--- a/chromium/net/proxy_resolution/proxy_resolver.h
+++ b/chromium/net/proxy_resolution/proxy_resolver.h
@@ -19,6 +19,7 @@
 namespace net {
 
 class NetLogWithSource;
+class NetworkIsolationKey;
 class ProxyInfo;
 
 // Interface for "proxy resolvers". A ProxyResolver fills in a list of proxies
@@ -42,8 +43,13 @@ class NET_EXPORT_PRIVATE ProxyResolver {
   // by running |callback|.  If the result code is OK then
   // the request was successful and |results| contains the proxy
   // resolution information.  In the case of asynchronous completion
-  // |*request| is written to. Call request_.reset() to cancel the request
+  // |*request| is written to. Call request_.reset() to cancel the request.
+  //
+  // |network_isolation_key| is used for any DNS lookups associated with the
+  // request, if net's HostResolver is used. If the underlying platform itself
+  // handles proxy resolution, |network_isolation_key| will be ignored.
   virtual int GetProxyForURL(const GURL& url,
+                             const NetworkIsolationKey& network_isolation_key,
                              ProxyInfo* results,
                              CompletionOnceCallback callback,
                              std::unique_ptr<Request>* request,
diff --git a/chromium/net/proxy_resolution/proxy_resolver_mac.cc b/chromium/net/proxy_resolution/proxy_resolver_mac.cc
index e0ab8173558..ce42aa72fe2 100644
--- a/chromium/net/proxy_resolution/proxy_resolver_mac.cc
+++ b/chromium/net/proxy_resolution/proxy_resolver_mac.cc
@@ -28,6 +28,8 @@
 
 namespace net {
 
+class NetworkIsolationKey;
+
 namespace {
 
 // A lock shared by all ProxyResolverMac instances. It is used to synchronize
@@ -189,6 +191,7 @@ class ProxyResolverMac : public ProxyResolver {
 
   // ProxyResolver methods:
   int GetProxyForURL(const GURL& url,
+                     const NetworkIsolationKey& network_isolation_key,
                      ProxyInfo* results,
                      CompletionOnceCallback callback,
                      std::unique_ptr<Request>* request,
@@ -206,11 +209,13 @@ ProxyResolverMac::~ProxyResolverMac() {}
 
 // Gets the proxy information for a query URL from a PAC. Implementation
 // inspired by http://developer.apple.com/samplecode/CFProxySupportTool/
-int ProxyResolverMac::GetProxyForURL(const GURL& query_url,
-                                     ProxyInfo* results,
-                                     CompletionOnceCallback /*callback*/,
-                                     std::unique_ptr<Request>* /*request*/,
-                                     const NetLogWithSource& net_log) {
+int ProxyResolverMac::GetProxyForURL(
+    const GURL& query_url,
+    const NetworkIsolationKey& network_isolation_key,
+    ProxyInfo* results,
+    CompletionOnceCallback /*callback*/,
+    std::unique_ptr<Request>* /*request*/,
+    const NetLogWithSource& net_log) {
   // OS X's system resolver does not support WebSocket URLs in proxy.pac, as of
   // version 10.13.5. See https://crbug.com/862121.
   GURL mutable_query_url = query_url;
diff --git a/chromium/net/proxy_resolution/proxy_resolver_v8.cc b/chromium/net/proxy_resolution/proxy_resolver_v8.cc
deleted file mode 100644
index f32d0fa3331..00000000000
--- a/chromium/net/proxy_resolution/proxy_resolver_v8.cc
+++ /dev/null
@@ -1,913 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "net/proxy_resolution/proxy_resolver_v8.h"
-
-#include <algorithm>
-#include <cstdio>
-#include <utility>
-
-#include "base/auto_reset.h"
-#include "base/compiler_specific.h"
-#include "base/debug/leak_annotations.h"
-#include "base/lazy_instance.h"
-#include "base/logging.h"
-#include "base/stl_util.h"
-#include "base/strings/string_tokenizer.h"
-#include "base/strings/string_util.h"
-#include "base/strings/utf_string_conversions.h"
-#include "base/synchronization/lock.h"
-#include "base/threading/thread_task_runner_handle.h"
-#include "gin/array_buffer.h"
-#include "gin/public/isolate_holder.h"
-#include "gin/v8_initializer.h"
-#include "net/base/ip_address.h"
-#include "net/base/net_errors.h"
-#include "net/proxy_resolution/pac_file_data.h"
-#include "net/proxy_resolution/pac_js_library.h"
-#include "net/proxy_resolution/proxy_info.h"
-#include "url/gurl.h"
-#include "url/url_canon.h"
-#include "v8/include/v8.h"
-
-// Notes on the javascript environment:
-//
-// For the majority of the PAC utility functions, we use the same code
-// as Firefox. See the javascript library that pac_js_library.h pulls in.
-//
-// In addition, we implement a subset of Microsoft's extensions to PAC.
-// - myIpAddressEx()
-// - dnsResolveEx()
-// - isResolvableEx()
-// - isInNetEx()
-// - sortIpAddressList()
-//
-// It is worth noting that the original PAC specification does not describe
-// the return values on failure. Consequently, there are compatibility
-// differences between browsers on what to return on failure, which are
-// illustrated below:
-//
-// --------------------+-------------+-------------------+--------------
-//                     | Firefox3    | InternetExplorer8 |  --> Us <---
-// --------------------+-------------+-------------------+--------------
-// myIpAddress()       | "127.0.0.1" |  ???              |  "127.0.0.1"
-// dnsResolve()        | null        |  false            |  null
-// myIpAddressEx()     | N/A         |  ""               |  ""
-// sortIpAddressList() | N/A         |  false            |  false
-// dnsResolveEx()      | N/A         |  ""               |  ""
-// isInNetEx()         | N/A         |  false            |  false
-// --------------------+-------------+-------------------+--------------
-//
-// TODO(eroman): The cell above reading ??? means I didn't test it.
-//
-// Another difference is in how dnsResolve() and myIpAddress() are
-// implemented -- whether they should restrict to IPv4 results, or
-// include both IPv4 and IPv6. The following table illustrates the
-// differences:
-//
-// --------------------+-------------+-------------------+--------------
-//                     | Firefox3    | InternetExplorer8 |  --> Us <---
-// --------------------+-------------+-------------------+--------------
-// myIpAddress()       | IPv4/IPv6   |  IPv4             |  IPv4/IPv6
-// dnsResolve()        | IPv4/IPv6   |  IPv4             |  IPv4
-// isResolvable()      | IPv4/IPv6   |  IPv4             |  IPv4
-// myIpAddressEx()     | N/A         |  IPv4/IPv6        |  IPv4/IPv6
-// dnsResolveEx()      | N/A         |  IPv4/IPv6        |  IPv4/IPv6
-// sortIpAddressList() | N/A         |  IPv4/IPv6        |  IPv4/IPv6
-// isResolvableEx()    | N/A         |  IPv4/IPv6        |  IPv4/IPv6
-// isInNetEx()         | N/A         |  IPv4/IPv6        |  IPv4/IPv6
-// -----------------+-------------+-------------------+--------------
-
-namespace net {
-
-namespace {
-
-// Pseudo-name for the PAC script.
-const char kPacResourceName[] = "proxy-pac-script.js";
-// Pseudo-name for the PAC utility script.
-const char kPacUtilityResourceName[] = "proxy-pac-utility-script.js";
-
-// External string wrapper so V8 can access the UTF16 string wrapped by
-// PacFileData.
-class V8ExternalStringFromScriptData
-    : public v8::String::ExternalStringResource {
- public:
-  explicit V8ExternalStringFromScriptData(
-      const scoped_refptr<PacFileData>& script_data)
-      : script_data_(script_data) {}
-
-  const uint16_t* data() const override {
-    return reinterpret_cast<const uint16_t*>(script_data_->utf16().data());
-  }
-
-  size_t length() const override { return script_data_->utf16().size(); }
-
- private:
-  const scoped_refptr<PacFileData> script_data_;
-  DISALLOW_COPY_AND_ASSIGN(V8ExternalStringFromScriptData);
-};
-
-// External string wrapper so V8 can access a string literal.
-class V8ExternalASCIILiteral
-    : public v8::String::ExternalOneByteStringResource {
- public:
-  // |ascii| must be a NULL-terminated C string, and must remain valid
-  // throughout this object's lifetime.
-  V8ExternalASCIILiteral(const char* ascii, size_t length)
-      : ascii_(ascii), length_(length) {
-    DCHECK(base::IsStringASCII(ascii));
-  }
-
-  const char* data() const override { return ascii_; }
-
-  size_t length() const override { return length_; }
-
- private:
-  const char* ascii_;
-  size_t length_;
-  DISALLOW_COPY_AND_ASSIGN(V8ExternalASCIILiteral);
-};
-
-// When creating a v8::String from a C++ string we have two choices: create
-// a copy, or create a wrapper that shares the same underlying storage.
-// For small strings it is better to just make a copy, whereas for large
-// strings there are savings by sharing the storage. This number identifies
-// the cutoff length for when to start wrapping rather than creating copies.
-const size_t kMaxStringBytesForCopy = 256;
-
-// Converts a V8 String to a UTF8 std::string.
-std::string V8StringToUTF8(v8::Isolate* isolate, v8::Local<v8::String> s) {
-  int len = s->Length();
-  std::string result;
-  if (len > 0)
-    s->WriteUtf8(isolate, base::WriteInto(&result, len + 1));
-  return result;
-}
-
-// Converts a V8 String to a UTF16 base::string16.
-base::string16 V8StringToUTF16(v8::Isolate* isolate, v8::Local<v8::String> s) {
-  int len = s->Length();
-  base::string16 result;
-  // Note that the reinterpret cast is because on Windows string16 is an alias
-  // to wstring, and hence has character type wchar_t not uint16_t.
-  if (len > 0) {
-    s->Write(isolate,
-             reinterpret_cast<uint16_t*>(base::WriteInto(&result, len + 1)), 0,
-             len);
-  }
-  return result;
-}
-
-// Converts an ASCII std::string to a V8 string.
-v8::Local<v8::String> ASCIIStringToV8String(v8::Isolate* isolate,
-                                            const std::string& s) {
-  DCHECK(base::IsStringASCII(s));
-  return v8::String::NewFromUtf8(isolate, s.data(), v8::NewStringType::kNormal,
-                                 s.size()).ToLocalChecked();
-}
-
-// Converts a UTF16 base::string16 (wrapped by a PacFileData) to a
-// V8 string.
-v8::Local<v8::String> ScriptDataToV8String(
-    v8::Isolate* isolate,
-    const scoped_refptr<PacFileData>& s) {
-  if (s->utf16().size() * 2 <= kMaxStringBytesForCopy) {
-    return v8::String::NewFromTwoByte(
-               isolate, reinterpret_cast<const uint16_t*>(s->utf16().data()),
-               v8::NewStringType::kNormal, s->utf16().size()).ToLocalChecked();
-  }
-  return v8::String::NewExternalTwoByte(
-             isolate, new V8ExternalStringFromScriptData(s)).ToLocalChecked();
-}
-
-// Converts an ASCII string literal to a V8 string.
-v8::Local<v8::String> ASCIILiteralToV8String(v8::Isolate* isolate,
-                                             const char* ascii) {
-  DCHECK(base::IsStringASCII(ascii));
-  size_t length = strlen(ascii);
-  if (length <= kMaxStringBytesForCopy)
-    return v8::String::NewFromUtf8(isolate, ascii, v8::NewStringType::kNormal,
-                                   length).ToLocalChecked();
-  return v8::String::NewExternalOneByte(
-             isolate, new V8ExternalASCIILiteral(ascii, length))
-      .ToLocalChecked();
-}
-
-// Stringizes a V8 object by calling its toString() method. Returns true
-// on success. This may fail if the toString() throws an exception.
-bool V8ObjectToUTF16String(v8::Local<v8::Value> object,
-                           base::string16* utf16_result,
-                           v8::Isolate* isolate) {
-  if (object.IsEmpty())
-    return false;
-
-  v8::HandleScope scope(isolate);
-  v8::Local<v8::String> str_object;
-  if (!object->ToString(isolate->GetCurrentContext()).ToLocal(&str_object))
-    return false;
-  *utf16_result = V8StringToUTF16(isolate, str_object);
-  return true;
-}
-
-// Extracts an hostname argument from |args|. On success returns true
-// and fills |*hostname| with the result.
-bool GetHostnameArgument(const v8::FunctionCallbackInfo<v8::Value>& args,
-                         std::string* hostname) {
-  // The first argument should be a string.
-  if (args.Length() == 0 || args[0].IsEmpty() || !args[0]->IsString())
-    return false;
-
-  const base::string16 hostname_utf16 =
-      V8StringToUTF16(args.GetIsolate(), v8::Local<v8::String>::Cast(args[0]));
-
-  // If the hostname is already in ASCII, simply return it as is.
-  if (base::IsStringASCII(hostname_utf16)) {
-    *hostname = base::UTF16ToASCII(hostname_utf16);
-    return true;
-  }
-
-  // Otherwise try to convert it from IDN to punycode.
-  const int kInitialBufferSize = 256;
-  url::RawCanonOutputT<base::char16, kInitialBufferSize> punycode_output;
-  if (!url::IDNToASCII(hostname_utf16.data(), hostname_utf16.length(),
-                       &punycode_output)) {
-    return false;
-  }
-
-  // |punycode_output| should now be ASCII; convert it to a std::string.
-  // (We could use UTF16ToASCII() instead, but that requires an extra string
-  // copy. Since ASCII is a subset of UTF8 the following is equivalent).
-  bool success = base::UTF16ToUTF8(punycode_output.data(),
-                             punycode_output.length(),
-                             hostname);
-  DCHECK(success);
-  DCHECK(base::IsStringASCII(*hostname));
-  return success;
-}
-
-// Wrapper around an IP address that stores the original string as well as a
-// corresponding parsed IPAddress.
-
-// This struct is used as a helper for sorting IP address strings - the IP
-// literal is parsed just once and used as the sorting key, while also
-// preserving the original IP literal string.
-struct IPAddressSortingEntry {
-  IPAddressSortingEntry(const std::string& ip_string,
-                        const IPAddress& ip_address)
-      : string_value(ip_string), ip_address(ip_address) {}
-
-  // Used for sorting IP addresses in ascending order in SortIpAddressList().
-  // IPv6 addresses are placed ahead of IPv4 addresses.
-  bool operator<(const IPAddressSortingEntry& rhs) const {
-    const IPAddress& ip1 = this->ip_address;
-    const IPAddress& ip2 = rhs.ip_address;
-    if (ip1.size() != ip2.size())
-      return ip1.size() > ip2.size();  // IPv6 before IPv4.
-    return ip1 < ip2;                  // Ascending order.
-  }
-
-  std::string string_value;
-  IPAddress ip_address;
-};
-
-// Handler for "sortIpAddressList(IpAddressList)". |ip_address_list| is a
-// semi-colon delimited string containing IP addresses.
-// |sorted_ip_address_list| is the resulting list of sorted semi-colon delimited
-// IP addresses or an empty string if unable to sort the IP address list.
-// Returns 'true' if the sorting was successful, and 'false' if the input was an
-// empty string, a string of separators (";" in this case), or if any of the IP
-// addresses in the input list failed to parse.
-bool SortIpAddressList(const std::string& ip_address_list,
-                       std::string* sorted_ip_address_list) {
-  sorted_ip_address_list->clear();
-
-  // Strip all whitespace (mimics IE behavior).
-  std::string cleaned_ip_address_list;
-  base::RemoveChars(ip_address_list, " \t", &cleaned_ip_address_list);
-  if (cleaned_ip_address_list.empty())
-    return false;
-
-  // Split-up IP addresses and store them in a vector.
-  std::vector<IPAddressSortingEntry> ip_vector;
-  IPAddress ip_address;
-  base::StringTokenizer str_tok(cleaned_ip_address_list, ";");
-  while (str_tok.GetNext()) {
-    if (!ip_address.AssignFromIPLiteral(str_tok.token()))
-      return false;
-    ip_vector.push_back(IPAddressSortingEntry(str_tok.token(), ip_address));
-  }
-
-  if (ip_vector.empty())  // Can happen if we have something like
-    return false;         // sortIpAddressList(";") or sortIpAddressList("; ;")
-
-  DCHECK(!ip_vector.empty());
-
-  // Sort lists according to ascending numeric value.
-  if (ip_vector.size() > 1)
-    std::stable_sort(ip_vector.begin(), ip_vector.end());
-
-  // Return a semi-colon delimited list of sorted addresses (IPv6 followed by
-  // IPv4).
-  for (size_t i = 0; i < ip_vector.size(); ++i) {
-    if (i > 0)
-      *sorted_ip_address_list += ";";
-    *sorted_ip_address_list += ip_vector[i].string_value;
-  }
-  return true;
-}
-
-// Handler for "isInNetEx(ip_address, ip_prefix)". |ip_address| is a string
-// containing an IPv4/IPv6 address, and |ip_prefix| is a string containg a
-// slash-delimited IP prefix with the top 'n' bits specified in the bit
-// field. This returns 'true' if the address is in the same subnet, and
-// 'false' otherwise. Also returns 'false' if the prefix is in an incorrect
-// format. If the address types of |ip_address| and |ip_prefix| don't match,
-// will promote the IPv4 literal to an IPv4 mapped IPv6 literal and
-// proceed with the comparison.
-bool IsInNetEx(const std::string& ip_address, const std::string& ip_prefix) {
-  IPAddress address;
-  if (!address.AssignFromIPLiteral(ip_address))
-    return false;
-
-  IPAddress prefix;
-  size_t prefix_length_in_bits;
-  if (!ParseCIDRBlock(ip_prefix, &prefix, &prefix_length_in_bits))
-    return false;
-
-  return IPAddressMatchesPrefix(address, prefix, prefix_length_in_bits);
-}
-
-// Consider only single component domains like 'foo' as plain host names.
-bool IsPlainHostName(const std::string& hostname_utf8) {
-  if (hostname_utf8.find('.') != std::string::npos)
-    return false;
-
-  // IPv6 literals might not contain any periods, however are not considered
-  // plain host names.
-  IPAddress unused;
-  return !unused.AssignFromIPLiteral(hostname_utf8);
-}
-
-// All instances of ProxyResolverV8 share the same v8::Isolate. This isolate is
-// created lazily the first time it is needed and lives until process shutdown.
-// This creation might happen from any thread, as ProxyResolverV8 is typically
-// run in a threadpool.
-//
-// TODO(eroman): The lazily created isolate is never freed. Instead it should be
-// disposed once there are no longer any ProxyResolverV8 referencing it.
-class SharedIsolateFactory {
- public:
-  SharedIsolateFactory() : has_initialized_v8_(false) {}
-
-  // Lazily creates a v8::Isolate, or returns the already created instance.
-  v8::Isolate* GetSharedIsolate() {
-    base::AutoLock lock(lock_);
-
-    if (!holder_) {
-      // Do one-time initialization for V8.
-      if (!has_initialized_v8_) {
-#ifdef V8_USE_EXTERNAL_STARTUP_DATA
-        gin::V8Initializer::LoadV8Snapshot();
-        gin::V8Initializer::LoadV8Natives();
-#endif
-
-        // The performance of the proxy resolver is limited by DNS resolution,
-        // and not V8, so tune down V8 to use as little memory as possible.
-        static const char kOptimizeForSize[] = "--optimize_for_size";
-        v8::V8::SetFlagsFromString(kOptimizeForSize, strlen(kOptimizeForSize));
-        static const char kNoOpt[] = "--noopt";
-        v8::V8::SetFlagsFromString(kNoOpt, strlen(kNoOpt));
-
-        // WebAssembly isn't encountered during resolution, so reduce the
-        // potential attack surface.
-        static const char kNoExposeWasm[] = "--no-expose-wasm";
-        v8::V8::SetFlagsFromString(kNoExposeWasm, strlen(kNoExposeWasm));
-
-        gin::IsolateHolder::Initialize(
-            gin::IsolateHolder::kNonStrictMode,
-            gin::ArrayBufferAllocator::SharedInstance());
-
-        has_initialized_v8_ = true;
-      }
-
-      holder_.reset(new gin::IsolateHolder(
-          base::ThreadTaskRunnerHandle::Get(), gin::IsolateHolder::kUseLocker,
-          gin::IsolateHolder::IsolateType::kUtility));
-    }
-
-    return holder_->isolate();
-  }
-
-  v8::Isolate* GetSharedIsolateWithoutCreating() {
-    base::AutoLock lock(lock_);
-    return holder_ ? holder_->isolate() : nullptr;
-  }
-
- private:
-  base::Lock lock_;
-  std::unique_ptr<gin::IsolateHolder> holder_;
-  bool has_initialized_v8_;
-
-  DISALLOW_COPY_AND_ASSIGN(SharedIsolateFactory);
-};
-
-base::LazyInstance<SharedIsolateFactory>::Leaky g_isolate_factory =
-    LAZY_INSTANCE_INITIALIZER;
-
-}  // namespace
-
-// ProxyResolverV8::Context ---------------------------------------------------
-
-class ProxyResolverV8::Context {
- public:
-  explicit Context(v8::Isolate* isolate)
-      : js_bindings_(nullptr), isolate_(isolate) {
-    DCHECK(isolate);
-  }
-
-  ~Context() {
-    v8::Locker locked(isolate_);
-    v8::Isolate::Scope isolate_scope(isolate_);
-
-    v8_this_.Reset();
-    v8_context_.Reset();
-  }
-
-  JSBindings* js_bindings() { return js_bindings_; }
-
-  int ResolveProxy(const GURL& query_url,
-                   ProxyInfo* results,
-                   JSBindings* bindings) {
-    DCHECK(bindings);
-    base::AutoReset<JSBindings*> bindings_reset(&js_bindings_, bindings);
-    v8::Locker locked(isolate_);
-    v8::Isolate::Scope isolate_scope(isolate_);
-    v8::Isolate::SafeForTerminationScope safe_for_termination(isolate_);
-    v8::HandleScope scope(isolate_);
-
-    v8::Local<v8::Context> context =
-        v8::Local<v8::Context>::New(isolate_, v8_context_);
-    v8::Context::Scope function_scope(context);
-
-    v8::Local<v8::Value> function;
-    int rv = GetFindProxyForURL(&function);
-    if (rv != OK)
-      return rv;
-
-    v8::Local<v8::Value> argv[] = {
-      ASCIIStringToV8String(isolate_, query_url.spec()),
-      ASCIIStringToV8String(isolate_, query_url.HostNoBrackets()),
-    };
-
-    v8::TryCatch try_catch(isolate_);
-    v8::Local<v8::Value> ret;
-    if (!v8::Function::Cast(*function)
-             ->Call(context, context->Global(), base::size(argv), argv)
-             .ToLocal(&ret)) {
-      DCHECK(try_catch.HasCaught());
-      HandleError(try_catch.Message());
-      return ERR_PAC_SCRIPT_FAILED;
-    }
-
-    if (!ret->IsString()) {
-      js_bindings()->OnError(
-          -1, base::ASCIIToUTF16("FindProxyForURL() did not return a string."));
-      return ERR_PAC_SCRIPT_FAILED;
-    }
-
-    base::string16 ret_str =
-        V8StringToUTF16(isolate_, v8::Local<v8::String>::Cast(ret));
-
-    if (!base::IsStringASCII(ret_str)) {
-      // TODO(eroman): Rather than failing when a wide string is returned, we
-      //               could extend the parsing to handle IDNA hostnames by
-      //               converting them to ASCII punycode.
-      //               crbug.com/47234
-      base::string16 error_message =
-          base::ASCIIToUTF16("FindProxyForURL() returned a non-ASCII string "
-                             "(crbug.com/47234): ") + ret_str;
-      js_bindings()->OnError(-1, error_message);
-      return ERR_PAC_SCRIPT_FAILED;
-    }
-
-    results->UsePacString(base::UTF16ToASCII(ret_str));
-    return OK;
-  }
-
-  int InitV8(const scoped_refptr<PacFileData>& pac_script,
-             JSBindings* bindings) {
-    base::AutoReset<JSBindings*> bindings_reset(&js_bindings_, bindings);
-    v8::Locker locked(isolate_);
-    v8::Isolate::Scope isolate_scope(isolate_);
-    v8::HandleScope scope(isolate_);
-
-    v8_this_.Reset(isolate_, v8::External::New(isolate_, this));
-    v8::Local<v8::External> v8_this =
-        v8::Local<v8::External>::New(isolate_, v8_this_);
-    v8::Local<v8::ObjectTemplate> global_template =
-        v8::ObjectTemplate::New(isolate_);
-
-    // Attach the javascript bindings.
-    v8::Local<v8::FunctionTemplate> alert_template =
-        v8::FunctionTemplate::New(isolate_, &AlertCallback, v8_this);
-    alert_template->RemovePrototype();
-    global_template->Set(ASCIILiteralToV8String(isolate_, "alert"),
-                         alert_template);
-
-    v8::Local<v8::FunctionTemplate> my_ip_address_template =
-        v8::FunctionTemplate::New(isolate_, &MyIpAddressCallback, v8_this);
-    my_ip_address_template->RemovePrototype();
-    global_template->Set(ASCIILiteralToV8String(isolate_, "myIpAddress"),
-                         my_ip_address_template);
-
-    v8::Local<v8::FunctionTemplate> dns_resolve_template =
-        v8::FunctionTemplate::New(isolate_, &DnsResolveCallback, v8_this);
-    dns_resolve_template->RemovePrototype();
-    global_template->Set(ASCIILiteralToV8String(isolate_, "dnsResolve"),
-                         dns_resolve_template);
-
-    v8::Local<v8::FunctionTemplate> is_plain_host_name_template =
-        v8::FunctionTemplate::New(isolate_, &IsPlainHostNameCallback, v8_this);
-    is_plain_host_name_template->RemovePrototype();
-    global_template->Set(ASCIILiteralToV8String(isolate_, "isPlainHostName"),
-                         is_plain_host_name_template);
-
-    // Microsoft's PAC extensions:
-
-    v8::Local<v8::FunctionTemplate> dns_resolve_ex_template =
-        v8::FunctionTemplate::New(isolate_, &DnsResolveExCallback, v8_this);
-    dns_resolve_ex_template->RemovePrototype();
-    global_template->Set(ASCIILiteralToV8String(isolate_, "dnsResolveEx"),
-                         dns_resolve_ex_template);
-
-    v8::Local<v8::FunctionTemplate> my_ip_address_ex_template =
-        v8::FunctionTemplate::New(isolate_, &MyIpAddressExCallback, v8_this);
-    my_ip_address_ex_template->RemovePrototype();
-    global_template->Set(ASCIILiteralToV8String(isolate_, "myIpAddressEx"),
-                         my_ip_address_ex_template);
-
-    v8::Local<v8::FunctionTemplate> sort_ip_address_list_template =
-        v8::FunctionTemplate::New(isolate_,
-                                  &SortIpAddressListCallback,
-                                  v8_this);
-    sort_ip_address_list_template->RemovePrototype();
-    global_template->Set(ASCIILiteralToV8String(isolate_, "sortIpAddressList"),
-                         sort_ip_address_list_template);
-
-    v8::Local<v8::FunctionTemplate> is_in_net_ex_template =
-        v8::FunctionTemplate::New(isolate_, &IsInNetExCallback, v8_this);
-    is_in_net_ex_template->RemovePrototype();
-    global_template->Set(ASCIILiteralToV8String(isolate_, "isInNetEx"),
-                         is_in_net_ex_template);
-
-    v8_context_.Reset(isolate_,
-                      v8::Context::New(isolate_, nullptr, global_template));
-
-    v8::Local<v8::Context> context =
-        v8::Local<v8::Context>::New(isolate_, v8_context_);
-    v8::Context::Scope ctx(context);
-
-    // Add the PAC utility functions to the environment.
-    // (This script should never fail, as it is a string literal!)
-    // Note that the two string literals are concatenated.
-    int rv = RunScript(
-        ASCIILiteralToV8String(isolate_, PAC_JS_LIBRARY PAC_JS_LIBRARY_EX),
-        kPacUtilityResourceName);
-    if (rv != OK) {
-      NOTREACHED();
-      return rv;
-    }
-
-    // Add the user's PAC code to the environment.
-    rv =
-        RunScript(ScriptDataToV8String(isolate_, pac_script), kPacResourceName);
-    if (rv != OK)
-      return rv;
-
-    // At a minimum, the FindProxyForURL() function must be defined for this
-    // to be a legitimiate PAC script.
-    v8::Local<v8::Value> function;
-    return GetFindProxyForURL(&function);
-  }
-
- private:
-  int GetFindProxyForURL(v8::Local<v8::Value>* function) {
-    v8::Local<v8::Context> context =
-        v8::Local<v8::Context>::New(isolate_, v8_context_);
-
-    v8::TryCatch try_catch(isolate_);
-
-    if (!context->Global()
-             ->Get(context, ASCIILiteralToV8String(isolate_, "FindProxyForURL"))
-             .ToLocal(function)) {
-      DCHECK(try_catch.HasCaught());
-      HandleError(try_catch.Message());
-    }
-
-    // The value should only be empty if an exception was thrown. Code
-    // defensively just in case.
-    DCHECK_EQ(function->IsEmpty(), try_catch.HasCaught());
-    if (function->IsEmpty() || try_catch.HasCaught()) {
-      js_bindings()->OnError(
-          -1,
-          base::ASCIIToUTF16("Accessing FindProxyForURL threw an exception."));
-      return ERR_PAC_SCRIPT_FAILED;
-    }
-
-    if (!(*function)->IsFunction()) {
-      js_bindings()->OnError(
-          -1, base::ASCIIToUTF16(
-                  "FindProxyForURL is undefined or not a function."));
-      return ERR_PAC_SCRIPT_FAILED;
-    }
-
-    return OK;
-  }
-
-  // Handle an exception thrown by V8.
-  void HandleError(v8::Local<v8::Message> message) {
-    v8::Local<v8::Context> context =
-        v8::Local<v8::Context>::New(isolate_, v8_context_);
-    base::string16 error_message;
-    int line_number = -1;
-
-    if (!message.IsEmpty()) {
-      auto maybe = message->GetLineNumber(context);
-      if (maybe.IsJust())
-        line_number = maybe.FromJust();
-      V8ObjectToUTF16String(message->Get(), &error_message, isolate_);
-    }
-
-    js_bindings()->OnError(line_number, error_message);
-  }
-
-  // Compiles and runs |script| in the current V8 context.
-  // Returns OK on success, otherwise an error code.
-  int RunScript(v8::Local<v8::String> script, const char* script_name) {
-    v8::Local<v8::Context> context =
-        v8::Local<v8::Context>::New(isolate_, v8_context_);
-    v8::TryCatch try_catch(isolate_);
-
-    // Compile the script.
-    v8::ScriptOrigin origin =
-        v8::ScriptOrigin(ASCIILiteralToV8String(isolate_, script_name));
-    v8::ScriptCompiler::Source script_source(script, origin);
-    v8::Local<v8::Script> code;
-    if (!v8::ScriptCompiler::Compile(
-             context, &script_source, v8::ScriptCompiler::kNoCompileOptions,
-             v8::ScriptCompiler::NoCacheReason::kNoCacheBecausePacScript)
-             .ToLocal(&code)) {
-      DCHECK(try_catch.HasCaught());
-      HandleError(try_catch.Message());
-      return ERR_PAC_SCRIPT_FAILED;
-    }
-
-    // Execute.
-    auto result = code->Run(context);
-    if (result.IsEmpty()) {
-      DCHECK(try_catch.HasCaught());
-      HandleError(try_catch.Message());
-      return ERR_PAC_SCRIPT_FAILED;
-    }
-
-    return OK;
-  }
-
-  // V8 callback for when "alert()" is invoked by the PAC script.
-  static void AlertCallback(const v8::FunctionCallbackInfo<v8::Value>& args) {
-    Context* context =
-        static_cast<Context*>(v8::External::Cast(*args.Data())->Value());
-
-    // Like firefox we assume "undefined" if no argument was specified, and
-    // disregard any arguments beyond the first.
-    base::string16 message;
-    if (args.Length() == 0) {
-      message = base::ASCIIToUTF16("undefined");
-    } else {
-      if (!V8ObjectToUTF16String(args[0], &message, args.GetIsolate()))
-        return;  // toString() threw an exception.
-    }
-
-    context->js_bindings()->Alert(message);
-  }
-
-  // V8 callback for when "myIpAddress()" is invoked by the PAC script.
-  static void MyIpAddressCallback(
-      const v8::FunctionCallbackInfo<v8::Value>& args) {
-    DnsResolveCallbackHelper(args, ProxyResolveDnsOperation::MY_IP_ADDRESS);
-  }
-
-  // V8 callback for when "myIpAddressEx()" is invoked by the PAC script.
-  static void MyIpAddressExCallback(
-      const v8::FunctionCallbackInfo<v8::Value>& args) {
-    DnsResolveCallbackHelper(args, ProxyResolveDnsOperation::MY_IP_ADDRESS_EX);
-  }
-
-  // V8 callback for when "dnsResolve()" is invoked by the PAC script.
-  static void DnsResolveCallback(
-      const v8::FunctionCallbackInfo<v8::Value>& args) {
-    DnsResolveCallbackHelper(args, ProxyResolveDnsOperation::DNS_RESOLVE);
-  }
-
-  // V8 callback for when "dnsResolveEx()" is invoked by the PAC script.
-  static void DnsResolveExCallback(
-      const v8::FunctionCallbackInfo<v8::Value>& args) {
-    DnsResolveCallbackHelper(args, ProxyResolveDnsOperation::DNS_RESOLVE_EX);
-  }
-
-  // Shared code for implementing:
-  //   - myIpAddress(), myIpAddressEx(), dnsResolve(), dnsResolveEx().
-  static void DnsResolveCallbackHelper(
-      const v8::FunctionCallbackInfo<v8::Value>& args,
-      ProxyResolveDnsOperation op) {
-    Context* context =
-        static_cast<Context*>(v8::External::Cast(*args.Data())->Value());
-
-    std::string hostname;
-
-    // dnsResolve() and dnsResolveEx() need at least 1 argument.
-    if (op == ProxyResolveDnsOperation::DNS_RESOLVE ||
-        op == ProxyResolveDnsOperation::DNS_RESOLVE_EX) {
-      if (!GetHostnameArgument(args, &hostname)) {
-        if (op == ProxyResolveDnsOperation::DNS_RESOLVE)
-          args.GetReturnValue().SetNull();
-        return;
-      }
-    }
-
-    std::string result;
-    bool success;
-    bool terminate = false;
-
-    {
-      v8::Unlocker unlocker(args.GetIsolate());
-      success = context->js_bindings()->ResolveDns(
-          hostname, op, &result, &terminate);
-    }
-
-    if (terminate)
-      args.GetIsolate()->TerminateExecution();
-
-    if (success) {
-      args.GetReturnValue().Set(
-          ASCIIStringToV8String(args.GetIsolate(), result));
-      return;
-    }
-
-    // Each function handles resolution errors differently.
-    switch (op) {
-      case ProxyResolveDnsOperation::DNS_RESOLVE:
-        args.GetReturnValue().SetNull();
-        return;
-      case ProxyResolveDnsOperation::DNS_RESOLVE_EX:
-        args.GetReturnValue().SetEmptyString();
-        return;
-      case ProxyResolveDnsOperation::MY_IP_ADDRESS:
-        args.GetReturnValue().Set(
-            ASCIILiteralToV8String(args.GetIsolate(), "127.0.0.1"));
-        return;
-      case ProxyResolveDnsOperation::MY_IP_ADDRESS_EX:
-        args.GetReturnValue().SetEmptyString();
-        return;
-    }
-
-    NOTREACHED();
-  }
-
-  // V8 callback for when "sortIpAddressList()" is invoked by the PAC script.
-  static void SortIpAddressListCallback(
-      const v8::FunctionCallbackInfo<v8::Value>& args) {
-    // We need at least one string argument.
-    if (args.Length() == 0 || args[0].IsEmpty() || !args[0]->IsString()) {
-      args.GetReturnValue().SetNull();
-      return;
-    }
-
-    std::string ip_address_list =
-        V8StringToUTF8(args.GetIsolate(), v8::Local<v8::String>::Cast(args[0]));
-    if (!base::IsStringASCII(ip_address_list)) {
-      args.GetReturnValue().SetNull();
-      return;
-    }
-    std::string sorted_ip_address_list;
-    bool success = SortIpAddressList(ip_address_list, &sorted_ip_address_list);
-    if (!success) {
-      args.GetReturnValue().Set(false);
-      return;
-    }
-    args.GetReturnValue().Set(
-        ASCIIStringToV8String(args.GetIsolate(), sorted_ip_address_list));
-  }
-
-  // V8 callback for when "isInNetEx()" is invoked by the PAC script.
-  static void IsInNetExCallback(
-      const v8::FunctionCallbackInfo<v8::Value>& args) {
-    // We need at least 2 string arguments.
-    if (args.Length() < 2 || args[0].IsEmpty() || !args[0]->IsString() ||
-        args[1].IsEmpty() || !args[1]->IsString()) {
-      args.GetReturnValue().SetNull();
-      return;
-    }
-
-    std::string ip_address =
-        V8StringToUTF8(args.GetIsolate(), v8::Local<v8::String>::Cast(args[0]));
-    if (!base::IsStringASCII(ip_address)) {
-      args.GetReturnValue().Set(false);
-      return;
-    }
-    std::string ip_prefix =
-        V8StringToUTF8(args.GetIsolate(), v8::Local<v8::String>::Cast(args[1]));
-    if (!base::IsStringASCII(ip_prefix)) {
-      args.GetReturnValue().Set(false);
-      return;
-    }
-    args.GetReturnValue().Set(IsInNetEx(ip_address, ip_prefix));
-  }
-
-  // V8 callback for when "isPlainHostName()" is invoked by the PAC script.
-  static void IsPlainHostNameCallback(
-      const v8::FunctionCallbackInfo<v8::Value>& args) {
-    // Need at least 1 string arguments.
-    if (args.Length() < 1 || args[0].IsEmpty() || !args[0]->IsString()) {
-      args.GetIsolate()->ThrowException(
-          v8::Exception::TypeError(ASCIIStringToV8String(
-              args.GetIsolate(), "Requires 1 string parameter")));
-      return;
-    }
-
-    std::string hostname_utf8 =
-        V8StringToUTF8(args.GetIsolate(), v8::Local<v8::String>::Cast(args[0]));
-    args.GetReturnValue().Set(IsPlainHostName(hostname_utf8));
-  }
-
-  mutable base::Lock lock_;
-  ProxyResolverV8::JSBindings* js_bindings_;
-  v8::Isolate* isolate_;
-  v8::Persistent<v8::External> v8_this_;
-  v8::Persistent<v8::Context> v8_context_;
-};
-
-// ProxyResolverV8 ------------------------------------------------------------
-
-ProxyResolverV8::ProxyResolverV8(std::unique_ptr<Context> context)
-    : context_(std::move(context)) {
-  DCHECK(context_);
-}
-
-ProxyResolverV8::~ProxyResolverV8() = default;
-
-int ProxyResolverV8::GetProxyForURL(const GURL& query_url,
-                                    ProxyInfo* results,
-                                    ProxyResolverV8::JSBindings* bindings) {
-  return context_->ResolveProxy(query_url, results, bindings);
-}
-
-// static
-int ProxyResolverV8::Create(const scoped_refptr<PacFileData>& script_data,
-                            ProxyResolverV8::JSBindings* js_bindings,
-                            std::unique_ptr<ProxyResolverV8>* resolver) {
-  DCHECK(script_data.get());
-  DCHECK(js_bindings);
-
-  if (script_data->utf16().empty())
-    return ERR_PAC_SCRIPT_FAILED;
-
-  // Try parsing the PAC script.
-  std::unique_ptr<Context> context(
-      new Context(g_isolate_factory.Get().GetSharedIsolate()));
-  int rv = context->InitV8(script_data, js_bindings);
-  if (rv == OK)
-    resolver->reset(new ProxyResolverV8(std::move(context)));
-  return rv;
-}
-
-// static
-size_t ProxyResolverV8::GetTotalHeapSize() {
-  v8::Isolate* isolate =
-      g_isolate_factory.Get().GetSharedIsolateWithoutCreating();
-  if (!isolate)
-    return 0;
-
-  v8::Locker locked(isolate);
-  v8::Isolate::Scope isolate_scope(isolate);
-  v8::HeapStatistics heap_statistics;
-  isolate->GetHeapStatistics(&heap_statistics);
-  return heap_statistics.total_heap_size();
-}
-
-// static
-size_t ProxyResolverV8::GetUsedHeapSize() {
-  v8::Isolate* isolate =
-      g_isolate_factory.Get().GetSharedIsolateWithoutCreating();
-  if (!isolate)
-    return 0;
-
-  v8::Locker locked(isolate);
-  v8::Isolate::Scope isolate_scope(isolate);
-  v8::HeapStatistics heap_statistics;
-  isolate->GetHeapStatistics(&heap_statistics);
-  return heap_statistics.used_heap_size();
-}
-
-}  // namespace net
diff --git a/chromium/net/proxy_resolution/proxy_resolver_v8.h b/chromium/net/proxy_resolution/proxy_resolver_v8.h
deleted file mode 100644
index da55956b7c1..00000000000
--- a/chromium/net/proxy_resolution/proxy_resolver_v8.h
+++ /dev/null
@@ -1,80 +0,0 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef NET_PROXY_RESOLUTION_PROXY_RESOLVER_V8_H_
-#define NET_PROXY_RESOLUTION_PROXY_RESOLVER_V8_H_
-
-#include <stddef.h>
-
-#include <memory>
-
-#include "base/compiler_specific.h"
-#include "base/macros.h"
-#include "base/memory/ref_counted.h"
-#include "base/strings/string16.h"
-#include "net/base/net_export.h"
-#include "net/proxy_resolution/proxy_resolve_dns_operation.h"
-
-class GURL;
-
-namespace net {
-class ProxyInfo;
-class PacFileData;
-
-// A synchronous ProxyResolver-like that uses V8 to evaluate PAC scripts.
-class NET_EXPORT_PRIVATE ProxyResolverV8 {
- public:
-  // Interface for the javascript bindings.
-  class NET_EXPORT_PRIVATE JSBindings {
-   public:
-    JSBindings() {}
-
-    // Handler for "dnsResolve()", "dnsResolveEx()", "myIpAddress()",
-    // "myIpAddressEx()". Returns true on success and fills |*output| with the
-    // result. If |*terminate| is set to true, then the script execution will
-    // be aborted. Note that termination may not happen right away.
-    virtual bool ResolveDns(const std::string& host,
-                            ProxyResolveDnsOperation op,
-                            std::string* output,
-                            bool* terminate) = 0;
-
-    // Handler for "alert(message)"
-    virtual void Alert(const base::string16& message) = 0;
-
-    // Handler for when an error is encountered. |line_number| may be -1
-    // if a line number is not applicable to this error.
-    virtual void OnError(int line_number, const base::string16& error) = 0;
-
-   protected:
-    virtual ~JSBindings() {}
-  };
-
-  // Constructs a ProxyResolverV8.
-  static int Create(const scoped_refptr<PacFileData>& script_data,
-                    JSBindings* bindings,
-                    std::unique_ptr<ProxyResolverV8>* resolver);
-
-  ~ProxyResolverV8();
-
-  int GetProxyForURL(const GURL& url, ProxyInfo* results, JSBindings* bindings);
-
-  // Get total/used heap memory usage of all v8 instances used by the proxy
-  // resolver.
-  static size_t GetTotalHeapSize();
-  static size_t GetUsedHeapSize();
-
- private:
-  // Context holds the Javascript state for the PAC script.
-  class Context;
-
-  explicit ProxyResolverV8(std::unique_ptr<Context> context);
-
-  std::unique_ptr<Context> context_;
-
-  DISALLOW_COPY_AND_ASSIGN(ProxyResolverV8);
-};
-
-}  // namespace net
-
-#endif  // NET_PROXY_RESOLUTION_PROXY_RESOLVER_V8_H_
diff --git a/chromium/net/proxy_resolution/proxy_resolver_v8_tracing.cc b/chromium/net/proxy_resolution/proxy_resolver_v8_tracing.cc
deleted file mode 100644
index e155264af26..00000000000
--- a/chromium/net/proxy_resolution/proxy_resolver_v8_tracing.cc
+++ /dev/null
@@ -1,1101 +0,0 @@
-// Copyright (c) 2013 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "net/proxy_resolution/proxy_resolver_v8_tracing.h"
-
-#include <map>
-#include <set>
-#include <string>
-#include <utility>
-#include <vector>
-
-#include "base/bind.h"
-#include "base/macros.h"
-#include "base/single_thread_task_runner.h"
-#include "base/strings/stringprintf.h"
-#include "base/synchronization/atomic_flag.h"
-#include "base/synchronization/waitable_event.h"
-#include "base/threading/thread.h"
-#include "base/threading/thread_checker.h"
-#include "base/threading/thread_restrictions.h"
-#include "base/threading/thread_task_runner_handle.h"
-#include "base/trace_event/trace_event.h"
-#include "net/base/ip_address.h"
-#include "net/base/net_errors.h"
-#include "net/base/network_interfaces.h"
-#include "net/base/trace_constants.h"
-#include "net/log/net_log_with_source.h"
-#include "net/proxy_resolution/proxy_host_resolver.h"
-#include "net/proxy_resolution/proxy_info.h"
-#include "net/proxy_resolution/proxy_resolve_dns_operation.h"
-#include "net/proxy_resolution/proxy_resolver_error_observer.h"
-#include "net/proxy_resolution/proxy_resolver_v8.h"
-
-// The intent of this class is explained in the design document:
-// https://docs.google.com/a/chromium.org/document/d/16Ij5OcVnR3s0MH4Z5XkhI9VTPoMJdaBn9rKreAmGOdE/edit
-//
-// In a nutshell, PAC scripts are Javascript programs and may depend on
-// network I/O, by calling functions like dnsResolve().
-//
-// This is problematic since functions such as dnsResolve() will block the
-// Javascript execution until the DNS result is availble, thereby stalling the
-// PAC thread, which hurts the ability to process parallel proxy resolves.
-// An obvious solution is to simply start more PAC threads, however this scales
-// poorly, which hurts the ability to process parallel proxy resolves.
-//
-// The solution in ProxyResolverV8Tracing is to model PAC scripts as being
-// deterministic, and depending only on the inputted URL. When the script
-// issues a dnsResolve() for a yet unresolved hostname, the Javascript
-// execution is "aborted", and then re-started once the DNS result is
-// known.
-namespace net {
-
-class ScopedAllowThreadJoinForProxyResolverV8Tracing
-    : public base::ScopedAllowBaseSyncPrimitivesOutsideBlockingScope {};
-
-namespace {
-
-// Upper bound on how many *unique* DNS resolves a PAC script is allowed
-// to make. This is a failsafe both for scripts that do a ridiculous
-// number of DNS resolves, as well as scripts which are misbehaving
-// under the tracing optimization. It is not expected to hit this normally.
-const size_t kMaxUniqueResolveDnsPerExec = 20;
-
-// Approximate number of bytes to use for buffering alerts() and errors.
-// This is a failsafe in case repeated executions of the script causes
-// too much memory bloat. It is not expected for well behaved scripts to
-// hit this. (In fact normal scripts should not even have alerts() or errors).
-const size_t kMaxAlertsAndErrorsBytes = 2048;
-
-// The Job class is responsible for executing GetProxyForURL() and
-// creating ProxyResolverV8 instances, since both of these operations share
-// similar code.
-//
-// The DNS for these operations can operate in either blocking or
-// non-blocking mode. Blocking mode is used as a fallback when the PAC script
-// seems to be misbehaving under the tracing optimization.
-//
-// Note that this class runs on both the origin thread and a worker
-// thread. Most methods are expected to be used exclusively on one thread
-// or the other.
-//
-// The lifetime of Jobs does not exceed that of the ProxyResolverV8TracingImpl
-// that spawned it. Destruction might happen on either the origin thread or the
-// worker thread.
-class Job : public base::RefCountedThreadSafe<Job>,
-            public ProxyResolverV8::JSBindings {
- public:
-  struct Params {
-    Params(
-        const scoped_refptr<base::SingleThreadTaskRunner>& worker_task_runner,
-        int* num_outstanding_callbacks)
-        : v8_resolver(nullptr),
-          worker_task_runner(worker_task_runner),
-          num_outstanding_callbacks(num_outstanding_callbacks) {}
-
-    ProxyResolverV8* v8_resolver;
-    scoped_refptr<base::SingleThreadTaskRunner> worker_task_runner;
-    int* num_outstanding_callbacks;
-  };
-  // |params| is non-owned. It contains the parameters for this Job, and must
-  // outlive it.
-  Job(const Params* params,
-      std::unique_ptr<ProxyResolverV8Tracing::Bindings> bindings);
-
-  // Called from origin thread.
-  void StartCreateV8Resolver(const scoped_refptr<PacFileData>& script_data,
-                             std::unique_ptr<ProxyResolverV8>* resolver,
-                             CompletionOnceCallback callback);
-
-  // Called from origin thread.
-  void StartGetProxyForURL(const GURL& url,
-                           ProxyInfo* results,
-                           CompletionOnceCallback callback);
-
-  // Called from origin thread.
-  void Cancel();
-
-  // Called from origin thread.
-  LoadState GetLoadState() const;
-
- private:
-  typedef std::map<std::string, std::string> DnsCache;
-  friend class base::RefCountedThreadSafe<Job>;
-
-  enum Operation {
-    CREATE_V8_RESOLVER,
-    GET_PROXY_FOR_URL,
-  };
-
-  struct AlertOrError {
-    bool is_alert;
-    int line_number;
-    base::string16 message;
-  };
-
-  ~Job() override;
-
-  void CheckIsOnWorkerThread() const;
-  void CheckIsOnOriginThread() const;
-
-  void SetCallback(CompletionOnceCallback callback);
-  void ReleaseCallback();
-
-  ProxyResolverV8* v8_resolver();
-  const scoped_refptr<base::SingleThreadTaskRunner>& worker_task_runner();
-  ProxyHostResolver* host_resolver();
-
-  // Invokes the user's callback.
-  void NotifyCaller(int result);
-  void NotifyCallerOnOriginLoop(int result);
-
-  void Start(Operation op, bool blocking_dns, CompletionOnceCallback callback);
-
-  void ExecuteBlocking();
-  void ExecuteNonBlocking();
-  int ExecuteProxyResolver();
-
-  // Implementation of ProxyResolverv8::JSBindings
-  bool ResolveDns(const std::string& host,
-                  ProxyResolveDnsOperation op,
-                  std::string* output,
-                  bool* terminate) override;
-  void Alert(const base::string16& message) override;
-  void OnError(int line_number, const base::string16& error) override;
-
-  bool ResolveDnsBlocking(const std::string& host,
-                          ProxyResolveDnsOperation op,
-                          std::string* output);
-
-  bool ResolveDnsNonBlocking(const std::string& host,
-                             ProxyResolveDnsOperation op,
-                             std::string* output,
-                             bool* terminate);
-
-  bool PostDnsOperationAndWait(const std::string& host,
-                               ProxyResolveDnsOperation op,
-                               bool* completed_synchronously)
-      WARN_UNUSED_RESULT;
-
-  void DoDnsOperation();
-  void OnDnsOperationComplete(int result);
-
-  void ScheduleRestartWithBlockingDns();
-
-  bool GetDnsFromLocalCache(const std::string& host,
-                            ProxyResolveDnsOperation op,
-                            std::string* output,
-                            bool* return_value);
-
-  void SaveDnsToLocalCache(const std::string& host,
-                           ProxyResolveDnsOperation op,
-                           int net_error,
-                           const std::vector<IPAddress>& addresses);
-
-  // Makes a key for looking up |host, op| in |dns_cache_|. Strings are used for
-  // convenience, to avoid defining custom comparators.
-  static std::string MakeDnsCacheKey(const std::string& host,
-                                     ProxyResolveDnsOperation op);
-
-  void HandleAlertOrError(bool is_alert, int line_number,
-                          const base::string16& message);
-  void DispatchBufferedAlertsAndErrors();
-  void DispatchAlertOrErrorOnOriginThread(bool is_alert,
-                                          int line_number,
-                                          const base::string16& message);
-
-  // The thread which called into ProxyResolverV8TracingImpl, and on which the
-  // completion callback is expected to run.
-  scoped_refptr<base::SingleThreadTaskRunner> origin_runner_;
-
-  // The Parameters for this Job.
-  // Initialized on origin thread and then accessed from both threads.
-  const Params* const params_;
-
-  std::unique_ptr<ProxyResolverV8Tracing::Bindings> bindings_;
-
-  // The callback to run (on the origin thread) when the Job finishes.
-  // Should only be accessed from origin thread.
-  CompletionOnceCallback callback_;
-
-  // Flag to indicate whether the request has been cancelled.
-  base::AtomicFlag cancelled_;
-
-  // The operation that this Job is running.
-  // Initialized on origin thread and then accessed from both threads.
-  Operation operation_;
-
-  // The DNS mode for this Job.
-  // Initialized on origin thread, mutated on worker thread, and accessed
-  // by both the origin thread and worker thread.
-  bool blocking_dns_;
-
-  // Used to block the worker thread on a DNS operation taking place on the
-  // origin thread.
-  base::WaitableEvent event_;
-
-  // Map of DNS operations completed so far. Written into on the origin thread
-  // and read on the worker thread.
-  DnsCache dns_cache_;
-
-  // The job holds a reference to itself to ensure that it remains alive until
-  // either completion or cancellation.
-  scoped_refptr<Job> owned_self_reference_;
-
-  // -------------------------------------------------------
-  // State specific to CREATE_V8_RESOLVER.
-  // -------------------------------------------------------
-
-  scoped_refptr<PacFileData> script_data_;
-  std::unique_ptr<ProxyResolverV8>* resolver_out_;
-
-  // -------------------------------------------------------
-  // State specific to GET_PROXY_FOR_URL.
-  // -------------------------------------------------------
-
-  ProxyInfo* user_results_;  // Owned by caller, lives on origin thread.
-  GURL url_;
-  ProxyInfo results_;
-
-  // ---------------------------------------------------------------------------
-  // State for ExecuteNonBlocking()
-  // ---------------------------------------------------------------------------
-  // These variables are used exclusively on the worker thread and are only
-  // meaningful when executing inside of ExecuteNonBlocking().
-
-  // Whether this execution was abandoned due to a missing DNS dependency.
-  bool abandoned_;
-
-  // Number of calls made to ResolveDns() by this execution.
-  int num_dns_;
-
-  // Sequence of calls made to Alert() or OnError() by this execution.
-  std::vector<AlertOrError> alerts_and_errors_;
-  size_t alerts_and_errors_byte_cost_;  // Approximate byte cost of the above.
-
-  // Number of calls made to ResolveDns() by the PREVIOUS execution.
-  int last_num_dns_;
-
-  // Whether the current execution needs to be restarted in blocking mode.
-  bool should_restart_with_blocking_dns_;
-
-  // ---------------------------------------------------------------------------
-  // State for pending DNS request.
-  // ---------------------------------------------------------------------------
-
-  // Handle to the outstanding request in the ProxyHostResolver, or NULL.
-  // This is mutated and used on the origin thread, however it may be read by
-  // the worker thread for some DCHECKS().
-  std::unique_ptr<ProxyHostResolver::Request> pending_dns_;
-
-  // Indicates if the outstanding DNS request completed synchronously. Written
-  // on the origin thread, and read by the worker thread.
-  bool pending_dns_completed_synchronously_;
-
-  // These are the inputs to DoDnsOperation(). Written on the worker thread,
-  // read by the origin thread.
-  std::string pending_dns_host_;
-  ProxyResolveDnsOperation pending_dns_op_;
-};
-
-class ProxyResolverV8TracingImpl : public ProxyResolverV8Tracing {
- public:
-  ProxyResolverV8TracingImpl(std::unique_ptr<base::Thread> thread,
-                             std::unique_ptr<ProxyResolverV8> resolver,
-                             std::unique_ptr<Job::Params> job_params);
-
-  ~ProxyResolverV8TracingImpl() override;
-
-  // ProxyResolverV8Tracing overrides.
-  void GetProxyForURL(const GURL& url,
-                      ProxyInfo* results,
-                      CompletionOnceCallback callback,
-                      std::unique_ptr<ProxyResolver::Request>* request,
-                      std::unique_ptr<Bindings> bindings) override;
-
-  class RequestImpl : public ProxyResolver::Request {
-   public:
-    explicit RequestImpl(scoped_refptr<Job> job);
-    ~RequestImpl() override;
-    LoadState GetLoadState() override;
-
-   private:
-    scoped_refptr<Job> job_;
-  };
-
- private:
-  // The worker thread on which the ProxyResolverV8 will be run.
-  std::unique_ptr<base::Thread> thread_;
-  std::unique_ptr<ProxyResolverV8> v8_resolver_;
-
-  std::unique_ptr<Job::Params> job_params_;
-
-  // The number of outstanding (non-cancelled) jobs.
-  int num_outstanding_callbacks_;
-
-  THREAD_CHECKER(thread_checker_);
-
-  DISALLOW_COPY_AND_ASSIGN(ProxyResolverV8TracingImpl);
-};
-
-Job::Job(const Job::Params* params,
-         std::unique_ptr<ProxyResolverV8Tracing::Bindings> bindings)
-    : origin_runner_(base::ThreadTaskRunnerHandle::Get()),
-      params_(params),
-      bindings_(std::move(bindings)),
-      event_(base::WaitableEvent::ResetPolicy::MANUAL,
-             base::WaitableEvent::InitialState::NOT_SIGNALED),
-      last_num_dns_(0) {
-  CheckIsOnOriginThread();
-}
-
-void Job::StartCreateV8Resolver(const scoped_refptr<PacFileData>& script_data,
-                                std::unique_ptr<ProxyResolverV8>* resolver,
-                                CompletionOnceCallback callback) {
-  CheckIsOnOriginThread();
-
-  resolver_out_ = resolver;
-  script_data_ = script_data;
-
-  // Script initialization uses blocking DNS since there isn't any
-  // advantage to using non-blocking mode here. That is because the
-  // parent ProxyResolutionService can't submit any ProxyResolve requests until
-  // initialization has completed successfully!
-  Start(CREATE_V8_RESOLVER, true /*blocking*/, std::move(callback));
-}
-
-void Job::StartGetProxyForURL(const GURL& url,
-                              ProxyInfo* results,
-                              CompletionOnceCallback callback) {
-  CheckIsOnOriginThread();
-
-  url_ = url;
-  user_results_ = results;
-
-  Start(GET_PROXY_FOR_URL, false /*non-blocking*/, std::move(callback));
-}
-
-void Job::Cancel() {
-  CheckIsOnOriginThread();
-
-  // There are several possibilities to consider for cancellation:
-  // (a) The job has been posted to the worker thread, however script execution
-  //     has not yet started.
-  // (b) The script is executing on the worker thread.
-  // (c) The script is executing on the worker thread, however is blocked inside
-  //     of dnsResolve() waiting for a response from the origin thread.
-  // (d) Nothing is running on the worker thread, however the host resolver has
-  //     a pending DNS request which upon completion will restart the script
-  //     execution.
-  // (e) The worker thread has a pending task to restart execution, which was
-  //     posted after the DNS dependency was resolved and saved to local cache.
-  // (f) The script execution completed entirely, and posted a task to the
-  //     origin thread to notify the caller.
-  // (g) The job is already completed.
-  //
-  // |cancelled_| is read on both the origin thread and worker thread. The
-  // code that runs on the worker thread is littered with checks on
-  // |cancelled_| to break out early.
-
-  // If the job already completed, there is nothing to be cancelled.
-  if (callback_.is_null())
-    return;
-
-  cancelled_.Set();
-
-  ReleaseCallback();
-
-  // Note we only mutate |pending_dns_| if it is non-null. If it is null, the
-  // worker thread may be about to request a new DNS resolution. This avoids a
-  // race condition with the DCHECK in PostDnsOperationAndWait().
-  // See https://crbug.com/699562.
-  if (pending_dns_)
-    pending_dns_.reset();
-
-  // The worker thread might be blocked waiting for DNS.
-  event_.Signal();
-
-  bindings_.reset();
-  owned_self_reference_ = nullptr;
-}
-
-LoadState Job::GetLoadState() const {
-  CheckIsOnOriginThread();
-
-  if (pending_dns_)
-    return LOAD_STATE_RESOLVING_HOST_IN_PAC_FILE;
-
-  return LOAD_STATE_RESOLVING_PROXY_FOR_URL;
-}
-
-Job::~Job() {
-  DCHECK(!pending_dns_);
-  DCHECK(callback_.is_null());
-  DCHECK(!bindings_);
-}
-
-void Job::CheckIsOnWorkerThread() const {
-  DCHECK(params_->worker_task_runner->BelongsToCurrentThread());
-}
-
-void Job::CheckIsOnOriginThread() const {
-  DCHECK(origin_runner_->BelongsToCurrentThread());
-}
-
-void Job::SetCallback(CompletionOnceCallback callback) {
-  CheckIsOnOriginThread();
-  DCHECK(callback_.is_null());
-  (*params_->num_outstanding_callbacks)++;
-  callback_ = std::move(callback);
-}
-
-void Job::ReleaseCallback() {
-  CheckIsOnOriginThread();
-  CHECK_GT(*params_->num_outstanding_callbacks, 0);
-  (*params_->num_outstanding_callbacks)--;
-  callback_.Reset();
-
-  // For good measure, clear this other user-owned pointer.
-  user_results_ = nullptr;
-}
-
-ProxyResolverV8* Job::v8_resolver() {
-  return params_->v8_resolver;
-}
-
-const scoped_refptr<base::SingleThreadTaskRunner>& Job::worker_task_runner() {
-  return params_->worker_task_runner;
-}
-
-ProxyHostResolver* Job::host_resolver() {
-  return bindings_->GetHostResolver();
-}
-
-void Job::NotifyCaller(int result) {
-  CheckIsOnWorkerThread();
-
-  origin_runner_->PostTask(
-      FROM_HERE, base::BindOnce(&Job::NotifyCallerOnOriginLoop, this, result));
-}
-
-void Job::NotifyCallerOnOriginLoop(int result) {
-  CheckIsOnOriginThread();
-
-  if (cancelled_.IsSet())
-    return;
-
-  DispatchBufferedAlertsAndErrors();
-
-  // This isn't the ordinary execution flow, however it is exercised by
-  // unit-tests.
-  if (cancelled_.IsSet())
-    return;
-
-  DCHECK(!callback_.is_null());
-  DCHECK(!pending_dns_);
-
-  if (operation_ == GET_PROXY_FOR_URL) {
-    *user_results_ = results_;
-  }
-
-  CompletionOnceCallback callback = std::move(callback_);
-  ReleaseCallback();
-  std::move(callback).Run(result);
-
-  bindings_.reset();
-  owned_self_reference_ = nullptr;
-}
-
-void Job::Start(Operation op,
-                bool blocking_dns,
-                CompletionOnceCallback callback) {
-  CheckIsOnOriginThread();
-
-  operation_ = op;
-  blocking_dns_ = blocking_dns;
-  SetCallback(std::move(callback));
-
-  owned_self_reference_ = this;
-
-  worker_task_runner()->PostTask(
-      FROM_HERE, blocking_dns_
-                     ? base::BindOnce(&Job::ExecuteBlocking, this)
-                     : base::BindOnce(&Job::ExecuteNonBlocking, this));
-}
-
-void Job::ExecuteBlocking() {
-  CheckIsOnWorkerThread();
-  DCHECK(blocking_dns_);
-
-  if (cancelled_.IsSet())
-    return;
-
-  NotifyCaller(ExecuteProxyResolver());
-}
-
-void Job::ExecuteNonBlocking() {
-  CheckIsOnWorkerThread();
-  DCHECK(!blocking_dns_);
-
-  if (cancelled_.IsSet())
-    return;
-
-  // Reset state for the current execution.
-  abandoned_ = false;
-  num_dns_ = 0;
-  alerts_and_errors_.clear();
-  alerts_and_errors_byte_cost_ = 0;
-  should_restart_with_blocking_dns_ = false;
-
-  int result = ExecuteProxyResolver();
-
-  if (should_restart_with_blocking_dns_) {
-    DCHECK(!blocking_dns_);
-    DCHECK(abandoned_);
-    blocking_dns_ = true;
-    ExecuteBlocking();
-    return;
-  }
-
-  if (abandoned_)
-    return;
-
-  NotifyCaller(result);
-}
-
-int Job::ExecuteProxyResolver() {
-  TRACE_EVENT0(NetTracingCategory(), "Job::ExecuteProxyResolver");
-  int result = ERR_UNEXPECTED;  // Initialized to silence warnings.
-
-  switch (operation_) {
-    case CREATE_V8_RESOLVER: {
-      std::unique_ptr<ProxyResolverV8> resolver;
-      result = ProxyResolverV8::Create(script_data_, this, &resolver);
-      if (result == OK)
-        *resolver_out_ = std::move(resolver);
-      break;
-    }
-    case GET_PROXY_FOR_URL: {
-      result = v8_resolver()->GetProxyForURL(
-          url_,
-          // Important: Do not write directly into |user_results_|, since if the
-          // request were to be cancelled from the origin thread, must guarantee
-          // that |user_results_| is not accessed anymore.
-          &results_, this);
-      break;
-    }
-  }
-
-  return result;
-}
-
-bool Job::ResolveDns(const std::string& host,
-                     ProxyResolveDnsOperation op,
-                     std::string* output,
-                     bool* terminate) {
-  if (cancelled_.IsSet()) {
-    *terminate = true;
-    return false;
-  }
-
-  if ((op == ProxyResolveDnsOperation::DNS_RESOLVE ||
-       op == ProxyResolveDnsOperation::DNS_RESOLVE_EX) &&
-      host.empty()) {
-    // a DNS resolve with an empty hostname is considered an error.
-    return false;
-  }
-
-  return blocking_dns_ ?
-      ResolveDnsBlocking(host, op, output) :
-      ResolveDnsNonBlocking(host, op, output, terminate);
-}
-
-void Job::Alert(const base::string16& message) {
-  HandleAlertOrError(true, -1, message);
-}
-
-void Job::OnError(int line_number, const base::string16& error) {
-  HandleAlertOrError(false, line_number, error);
-}
-
-bool Job::ResolveDnsBlocking(const std::string& host,
-                             ProxyResolveDnsOperation op,
-                             std::string* output) {
-  CheckIsOnWorkerThread();
-
-  // Check if the DNS result for this host has already been cached.
-  bool rv;
-  if (GetDnsFromLocalCache(host, op, output, &rv)) {
-    // Yay, cache hit!
-    return rv;
-  }
-
-  if (dns_cache_.size() >= kMaxUniqueResolveDnsPerExec) {
-    // Safety net for scripts with unexpectedly many DNS calls.
-    // We will continue running to completion, but will fail every
-    // subsequent DNS request.
-    return false;
-  }
-
-  if (!PostDnsOperationAndWait(host, op, nullptr))
-    return false;  // Was cancelled.
-
-  CHECK(GetDnsFromLocalCache(host, op, output, &rv));
-  return rv;
-}
-
-bool Job::ResolveDnsNonBlocking(const std::string& host,
-                                ProxyResolveDnsOperation op,
-                                std::string* output,
-                                bool* terminate) {
-  CheckIsOnWorkerThread();
-
-  if (abandoned_) {
-    // If this execution was already abandoned can fail right away. Only 1 DNS
-    // dependency will be traced at a time (for more predictable outcomes).
-    return false;
-  }
-
-  num_dns_ += 1;
-
-  // Check if the DNS result for this host has already been cached.
-  bool rv;
-  if (GetDnsFromLocalCache(host, op, output, &rv)) {
-    // Yay, cache hit!
-    return rv;
-  }
-
-  if (num_dns_ <= last_num_dns_) {
-    // The sequence of DNS operations is different from last time!
-    ScheduleRestartWithBlockingDns();
-    *terminate = true;
-    return false;
-  }
-
-  if (dns_cache_.size() >= kMaxUniqueResolveDnsPerExec) {
-    // Safety net for scripts with unexpectedly many DNS calls.
-    return false;
-  }
-
-  DCHECK(!should_restart_with_blocking_dns_);
-
-  bool completed_synchronously;
-  if (!PostDnsOperationAndWait(host, op, &completed_synchronously))
-    return false;  // Was cancelled.
-
-  if (completed_synchronously) {
-    CHECK(GetDnsFromLocalCache(host, op, output, &rv));
-    return rv;
-  }
-
-  // Otherwise if the result was not in the cache, then a DNS request has
-  // been started. Abandon this invocation of FindProxyForURL(), it will be
-  // restarted once the DNS request completes.
-  abandoned_ = true;
-  *terminate = true;
-  last_num_dns_ = num_dns_;
-  return false;
-}
-
-bool Job::PostDnsOperationAndWait(const std::string& host,
-                                  ProxyResolveDnsOperation op,
-                                  bool* completed_synchronously) {
-  // Post the DNS request to the origin thread. It is safe to mutate
-  // |pending_dns_host_| and |pending_dns_op_| because there cannot be another
-  // DNS operation in progress or scheduled.
-  DCHECK(!pending_dns_);
-  pending_dns_host_ = host;
-  pending_dns_op_ = op;
-  origin_runner_->PostTask(FROM_HERE,
-                           base::BindOnce(&Job::DoDnsOperation, this));
-
-  event_.Wait();
-  event_.Reset();
-
-  if (cancelled_.IsSet())
-    return false;
-
-  if (completed_synchronously)
-    *completed_synchronously = pending_dns_completed_synchronously_;
-
-  return true;
-}
-
-void Job::DoDnsOperation() {
-  CheckIsOnOriginThread();
-  DCHECK(!pending_dns_);
-
-  if (cancelled_.IsSet())
-    return;
-
-  bool is_myip_request =
-      pending_dns_op_ == ProxyResolveDnsOperation::MY_IP_ADDRESS ||
-      pending_dns_op_ == ProxyResolveDnsOperation::MY_IP_ADDRESS_EX;
-  pending_dns_ = host_resolver()->CreateRequest(
-      is_myip_request ? GetHostName() : pending_dns_host_, pending_dns_op_);
-  int result =
-      pending_dns_->Start(base::BindOnce(&Job::OnDnsOperationComplete, this));
-
-  pending_dns_completed_synchronously_ = result != ERR_IO_PENDING;
-
-  // Check if the request was cancelled as a side-effect of calling into the
-  // HostResolver. This isn't the ordinary execution flow, however it is
-  // exercised by unit-tests.
-  if (cancelled_.IsSet())
-    return;
-
-  if (pending_dns_completed_synchronously_) {
-    OnDnsOperationComplete(result);
-  }
-  // Else OnDnsOperationComplete() will be called by host resolver on
-  // completion.
-
-  if (!blocking_dns_) {
-    // The worker thread always blocks waiting to see if the result can be
-    // serviced from cache before restarting.
-    event_.Signal();
-  }
-}
-
-void Job::OnDnsOperationComplete(int result) {
-  CheckIsOnOriginThread();
-
-  DCHECK(!cancelled_.IsSet());
-
-  SaveDnsToLocalCache(pending_dns_host_, pending_dns_op_, result,
-                      pending_dns_->GetResults());
-  pending_dns_.reset();
-
-  if (blocking_dns_) {
-    event_.Signal();
-    return;
-  }
-
-  if (!blocking_dns_ && !pending_dns_completed_synchronously_) {
-    // Restart. This time it should make more progress due to having
-    // cached items.
-    worker_task_runner()->PostTask(
-        FROM_HERE, base::BindOnce(&Job::ExecuteNonBlocking, this));
-  }
-}
-
-void Job::ScheduleRestartWithBlockingDns() {
-  CheckIsOnWorkerThread();
-
-  DCHECK(!should_restart_with_blocking_dns_);
-  DCHECK(!abandoned_);
-  DCHECK(!blocking_dns_);
-
-  abandoned_ = true;
-
-  // The restart will happen after ExecuteNonBlocking() finishes.
-  should_restart_with_blocking_dns_ = true;
-}
-
-bool Job::GetDnsFromLocalCache(const std::string& host,
-                               ProxyResolveDnsOperation op,
-                               std::string* output,
-                               bool* return_value) {
-  CheckIsOnWorkerThread();
-
-  DnsCache::const_iterator it = dns_cache_.find(MakeDnsCacheKey(host, op));
-  if (it == dns_cache_.end())
-    return false;
-
-  *output = it->second;
-  *return_value = !it->second.empty();
-  return true;
-}
-
-void Job::SaveDnsToLocalCache(const std::string& host,
-                              ProxyResolveDnsOperation op,
-                              int net_error,
-                              const std::vector<IPAddress>& addresses) {
-  CheckIsOnOriginThread();
-
-  // Serialize the result into a string to save to the cache.
-  std::string cache_value;
-  if (net_error != OK) {
-    cache_value = std::string();
-  } else if (op == ProxyResolveDnsOperation::DNS_RESOLVE ||
-             op == ProxyResolveDnsOperation::MY_IP_ADDRESS) {
-    // dnsResolve() and myIpAddress() are expected to return a single IP
-    // address.
-    cache_value = addresses.front().ToString();
-  } else {
-    // The *Ex versions are expected to return a semi-colon separated list.
-    for (auto iter = addresses.begin(); iter != addresses.end(); ++iter) {
-      if (!cache_value.empty())
-        cache_value += ";";
-      cache_value += iter->ToString();
-    }
-  }
-
-  dns_cache_[MakeDnsCacheKey(host, op)] = cache_value;
-}
-
-std::string Job::MakeDnsCacheKey(const std::string& host,
-                                 ProxyResolveDnsOperation op) {
-  return base::StringPrintf("%d:%s", op, host.c_str());
-}
-
-void Job::HandleAlertOrError(bool is_alert,
-                             int line_number,
-                             const base::string16& message) {
-  CheckIsOnWorkerThread();
-
-  if (cancelled_.IsSet())
-    return;
-
-  if (blocking_dns_) {
-    // In blocking DNS mode the events can be dispatched immediately.
-    origin_runner_->PostTask(
-        FROM_HERE, base::BindOnce(&Job::DispatchAlertOrErrorOnOriginThread,
-                                  this, is_alert, line_number, message));
-    return;
-  }
-
-  // Otherwise in nonblocking mode, buffer all the messages until
-  // the end.
-
-  if (abandoned_)
-    return;
-
-  alerts_and_errors_byte_cost_ += sizeof(AlertOrError) + message.size() * 2;
-
-  // If there have been lots of messages, enqueing could be expensive on
-  // memory. Consider a script which does megabytes worth of alerts().
-  // Avoid this by falling back to blocking mode.
-  if (alerts_and_errors_byte_cost_ > kMaxAlertsAndErrorsBytes) {
-    alerts_and_errors_.clear();
-    ScheduleRestartWithBlockingDns();
-    return;
-  }
-
-  AlertOrError entry = {is_alert, line_number, message};
-  alerts_and_errors_.push_back(entry);
-}
-
-void Job::DispatchBufferedAlertsAndErrors() {
-  CheckIsOnOriginThread();
-  for (size_t i = 0; i < alerts_and_errors_.size(); ++i) {
-    const AlertOrError& x = alerts_and_errors_[i];
-    DispatchAlertOrErrorOnOriginThread(x.is_alert, x.line_number, x.message);
-  }
-}
-
-void Job::DispatchAlertOrErrorOnOriginThread(bool is_alert,
-                                             int line_number,
-                                             const base::string16& message) {
-  CheckIsOnOriginThread();
-
-  if (cancelled_.IsSet())
-    return;
-
-  if (is_alert) {
-    // -------------------
-    // alert
-    // -------------------
-    VLOG(1) << "PAC-alert: " << message;
-
-    bindings_->Alert(message);
-  } else {
-    // -------------------
-    // error
-    // -------------------
-    if (line_number == -1)
-      VLOG(1) << "PAC-error: " << message;
-    else
-      VLOG(1) << "PAC-error: " << "line: " << line_number << ": " << message;
-
-    bindings_->OnError(line_number, message);
-  }
-}
-
-ProxyResolverV8TracingImpl::ProxyResolverV8TracingImpl(
-    std::unique_ptr<base::Thread> thread,
-    std::unique_ptr<ProxyResolverV8> resolver,
-    std::unique_ptr<Job::Params> job_params)
-    : thread_(std::move(thread)),
-      v8_resolver_(std::move(resolver)),
-      job_params_(std::move(job_params)),
-      num_outstanding_callbacks_(0) {
-  job_params_->num_outstanding_callbacks = &num_outstanding_callbacks_;
-}
-
-ProxyResolverV8TracingImpl::~ProxyResolverV8TracingImpl() {
-  DCHECK_CALLED_ON_VALID_THREAD(thread_checker_);
-  // Note, all requests should have been cancelled.
-  CHECK_EQ(0, num_outstanding_callbacks_);
-
-  // Join the worker thread. See http://crbug.com/69710.
-  ScopedAllowThreadJoinForProxyResolverV8Tracing allow_thread_join;
-  thread_.reset();
-}
-
-ProxyResolverV8TracingImpl::RequestImpl::RequestImpl(scoped_refptr<Job> job)
-    : job_(std::move(job)) {}
-
-ProxyResolverV8TracingImpl::RequestImpl::~RequestImpl() {
-  job_->Cancel();
-}
-
-LoadState ProxyResolverV8TracingImpl::RequestImpl::GetLoadState() {
-  return job_->GetLoadState();
-}
-
-void ProxyResolverV8TracingImpl::GetProxyForURL(
-    const GURL& url,
-    ProxyInfo* results,
-    CompletionOnceCallback callback,
-    std::unique_ptr<ProxyResolver::Request>* request,
-    std::unique_ptr<Bindings> bindings) {
-  DCHECK_CALLED_ON_VALID_THREAD(thread_checker_);
-  DCHECK(!callback.is_null());
-
-  scoped_refptr<Job> job = new Job(job_params_.get(), std::move(bindings));
-
-  request->reset(new RequestImpl(job));
-
-  job->StartGetProxyForURL(url, results, std::move(callback));
-}
-
-
-class ProxyResolverV8TracingFactoryImpl : public ProxyResolverV8TracingFactory {
- public:
-  ProxyResolverV8TracingFactoryImpl();
-  ~ProxyResolverV8TracingFactoryImpl() override;
-
-  void CreateProxyResolverV8Tracing(
-      const scoped_refptr<PacFileData>& pac_script,
-      std::unique_ptr<ProxyResolverV8Tracing::Bindings> bindings,
-      std::unique_ptr<ProxyResolverV8Tracing>* resolver,
-      CompletionOnceCallback callback,
-      std::unique_ptr<ProxyResolverFactory::Request>* request) override;
-
- private:
-  class CreateJob;
-
-  void RemoveJob(CreateJob* job);
-
-  std::set<CreateJob*> jobs_;
-
-  DISALLOW_COPY_AND_ASSIGN(ProxyResolverV8TracingFactoryImpl);
-};
-
-class ProxyResolverV8TracingFactoryImpl::CreateJob
-    : public ProxyResolverFactory::Request {
- public:
-  CreateJob(ProxyResolverV8TracingFactoryImpl* factory,
-            std::unique_ptr<ProxyResolverV8Tracing::Bindings> bindings,
-            const scoped_refptr<PacFileData>& pac_script,
-            std::unique_ptr<ProxyResolverV8Tracing>* resolver_out,
-            CompletionOnceCallback callback)
-      : factory_(factory),
-        thread_(new base::Thread("Proxy Resolver")),
-        resolver_out_(resolver_out),
-        callback_(std::move(callback)),
-        num_outstanding_callbacks_(0) {
-    // Start up the thread.
-    base::Thread::Options options;
-    options.timer_slack = base::TIMER_SLACK_MAXIMUM;
-    CHECK(thread_->StartWithOptions(options));
-    job_params_.reset(
-        new Job::Params(thread_->task_runner(), &num_outstanding_callbacks_));
-    create_resolver_job_ = new Job(job_params_.get(), std::move(bindings));
-    create_resolver_job_->StartCreateV8Resolver(
-        pac_script, &v8_resolver_,
-        base::BindOnce(
-            &ProxyResolverV8TracingFactoryImpl::CreateJob::OnV8ResolverCreated,
-            base::Unretained(this)));
-  }
-
-  ~CreateJob() override {
-    if (factory_) {
-      factory_->RemoveJob(this);
-      DCHECK(create_resolver_job_);
-      create_resolver_job_->Cancel();
-      StopWorkerThread();
-    }
-    DCHECK_EQ(0, num_outstanding_callbacks_);
-  }
-
-  void FactoryDestroyed() {
-    factory_ = nullptr;
-    create_resolver_job_->Cancel();
-    create_resolver_job_ = nullptr;
-    StopWorkerThread();
-  }
-
- private:
-  void OnV8ResolverCreated(int error) {
-    DCHECK(factory_);
-    if (error == OK) {
-      job_params_->v8_resolver = v8_resolver_.get();
-      resolver_out_->reset(new ProxyResolverV8TracingImpl(
-          std::move(thread_), std::move(v8_resolver_), std::move(job_params_)));
-    } else {
-      StopWorkerThread();
-    }
-
-    factory_->RemoveJob(this);
-    factory_ = nullptr;
-    create_resolver_job_ = nullptr;
-    std::move(callback_).Run(error);
-  }
-
-  void StopWorkerThread() {
-    // Join the worker thread. See http://crbug.com/69710.
-    ScopedAllowThreadJoinForProxyResolverV8Tracing allow_thread_join;
-    thread_.reset();
-  }
-
-  ProxyResolverV8TracingFactoryImpl* factory_;
-  std::unique_ptr<base::Thread> thread_;
-  std::unique_ptr<Job::Params> job_params_;
-  scoped_refptr<Job> create_resolver_job_;
-  std::unique_ptr<ProxyResolverV8> v8_resolver_;
-  std::unique_ptr<ProxyResolverV8Tracing>* resolver_out_;
-  CompletionOnceCallback callback_;
-  int num_outstanding_callbacks_;
-
-  DISALLOW_COPY_AND_ASSIGN(CreateJob);
-};
-
-ProxyResolverV8TracingFactoryImpl::ProxyResolverV8TracingFactoryImpl() =
-    default;
-
-ProxyResolverV8TracingFactoryImpl::~ProxyResolverV8TracingFactoryImpl() {
-  for (auto* job : jobs_) {
-    job->FactoryDestroyed();
-  }
-}
-
-void ProxyResolverV8TracingFactoryImpl::CreateProxyResolverV8Tracing(
-    const scoped_refptr<PacFileData>& pac_script,
-    std::unique_ptr<ProxyResolverV8Tracing::Bindings> bindings,
-    std::unique_ptr<ProxyResolverV8Tracing>* resolver,
-    CompletionOnceCallback callback,
-    std::unique_ptr<ProxyResolverFactory::Request>* request) {
-  std::unique_ptr<CreateJob> job(new CreateJob(
-      this, std::move(bindings), pac_script, resolver, std::move(callback)));
-  jobs_.insert(job.get());
-  *request = std::move(job);
-}
-
-void ProxyResolverV8TracingFactoryImpl::RemoveJob(
-    ProxyResolverV8TracingFactoryImpl::CreateJob* job) {
-  size_t erased = jobs_.erase(job);
-  DCHECK_EQ(1u, erased);
-}
-
-}  // namespace
-
-// static
-std::unique_ptr<ProxyResolverV8TracingFactory>
-ProxyResolverV8TracingFactory::Create() {
-  return std::make_unique<ProxyResolverV8TracingFactoryImpl>();
-}
-
-}  // namespace net
diff --git a/chromium/net/proxy_resolution/proxy_resolver_v8_tracing.h b/chromium/net/proxy_resolution/proxy_resolver_v8_tracing.h
deleted file mode 100644
index 54c0c73b413..00000000000
--- a/chromium/net/proxy_resolution/proxy_resolver_v8_tracing.h
+++ /dev/null
@@ -1,90 +0,0 @@
-// Copyright (c) 2013 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef NET_PROXY_RESOLUTION_PROXY_RESOLVER_V8_TRACING_H_
-#define NET_PROXY_RESOLUTION_PROXY_RESOLVER_V8_TRACING_H_
-
-#include <memory>
-
-#include "base/macros.h"
-#include "base/memory/ref_counted.h"
-#include "net/base/completion_once_callback.h"
-#include "net/base/net_export.h"
-#include "net/proxy_resolution/proxy_resolver.h"
-#include "net/proxy_resolution/proxy_resolver_factory.h"
-
-namespace net {
-
-class NetLogWithSource;
-class ProxyHostResolver;
-
-// ProxyResolverV8Tracing is a non-blocking proxy resolver.
-class NET_EXPORT ProxyResolverV8Tracing {
- public:
-  // Bindings is an interface used by ProxyResolverV8Tracing to delegate
-  // per-request functionality. Each instance will be destroyed on the origin
-  // thread of the ProxyResolverV8Tracing when the request completes or is
-  // cancelled. All methods will be invoked from the origin thread.
-  class Bindings {
-   public:
-    Bindings() {}
-    virtual ~Bindings() {}
-
-    // Invoked in response to an alert() call by the PAC script.
-    virtual void Alert(const base::string16& message) = 0;
-
-    // Invoked in response to an error in the PAC script.
-    virtual void OnError(int line_number, const base::string16& message) = 0;
-
-    // Returns a HostResolver to use for DNS resolution.
-    virtual ProxyHostResolver* GetHostResolver() = 0;
-
-    // Returns a NetLogWithSource to be passed to the HostResolver returned by
-    // GetHostResolver().
-    virtual NetLogWithSource GetNetLogWithSource() = 0;
-
-   private:
-    DISALLOW_COPY_AND_ASSIGN(Bindings);
-  };
-
-  virtual ~ProxyResolverV8Tracing() {}
-
-  // Gets a list of proxy servers to use for |url|. This request always
-  // runs asynchronously and notifies the result by running |callback|. If the
-  // result code is OK then the request was successful and |results| contains
-  // the proxy resolution information.  Request can be cancelled by resetting
-  // |*request|.
-  virtual void GetProxyForURL(const GURL& url,
-                              ProxyInfo* results,
-                              CompletionOnceCallback callback,
-                              std::unique_ptr<ProxyResolver::Request>* request,
-                              std::unique_ptr<Bindings> bindings) = 0;
-};
-
-// A factory for ProxyResolverV8Tracing instances. The default implementation,
-// returned by Create(), creates ProxyResolverV8Tracing instances that execute
-// ProxyResolverV8 on a single helper thread, and do some magic to avoid
-// blocking in DNS. For more details see the design document:
-// https://docs.google.com/a/google.com/document/d/16Ij5OcVnR3s0MH4Z5XkhI9VTPoMJdaBn9rKreAmGOdE/edit?pli=1
-class NET_EXPORT ProxyResolverV8TracingFactory {
- public:
-  ProxyResolverV8TracingFactory() {}
-  virtual ~ProxyResolverV8TracingFactory() = default;
-
-  virtual void CreateProxyResolverV8Tracing(
-      const scoped_refptr<PacFileData>& pac_script,
-      std::unique_ptr<ProxyResolverV8Tracing::Bindings> bindings,
-      std::unique_ptr<ProxyResolverV8Tracing>* resolver,
-      CompletionOnceCallback callback,
-      std::unique_ptr<ProxyResolverFactory::Request>* request) = 0;
-
-  static std::unique_ptr<ProxyResolverV8TracingFactory> Create();
-
- private:
-  DISALLOW_COPY_AND_ASSIGN(ProxyResolverV8TracingFactory);
-};
-
-}  // namespace net
-
-#endif  // NET_PROXY_RESOLUTION_PROXY_RESOLVER_V8_TRACING_H_
diff --git a/chromium/net/proxy_resolution/proxy_resolver_v8_tracing_unittest.cc b/chromium/net/proxy_resolution/proxy_resolver_v8_tracing_unittest.cc
deleted file mode 100644
index 88096e1ec99..00000000000
--- a/chromium/net/proxy_resolution/proxy_resolver_v8_tracing_unittest.cc
+++ /dev/null
@@ -1,970 +0,0 @@
-// Copyright (c) 2013 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "net/proxy_resolution/proxy_resolver_v8_tracing.h"
-
-#include <string>
-#include <utility>
-#include <vector>
-
-#include "base/bind.h"
-#include "base/files/file_util.h"
-#include "base/path_service.h"
-#include "base/run_loop.h"
-#include "base/stl_util.h"
-#include "base/strings/utf_string_conversions.h"
-#include "base/synchronization/waitable_event.h"
-#include "base/threading/platform_thread.h"
-#include "base/threading/thread_checker.h"
-#include "base/values.h"
-#include "net/base/net_errors.h"
-#include "net/base/network_interfaces.h"
-#include "net/base/test_completion_callback.h"
-#include "net/log/net_log_with_source.h"
-#include "net/proxy_resolution/mock_proxy_host_resolver.h"
-#include "net/proxy_resolution/proxy_info.h"
-#include "net/proxy_resolution/proxy_resolve_dns_operation.h"
-#include "net/test/event_waiter.h"
-#include "net/test/gtest_util.h"
-#include "net/test/test_with_task_environment.h"
-#include "testing/gmock/include/gmock/gmock.h"
-#include "testing/gtest/include/gtest/gtest.h"
-#include "url/gurl.h"
-
-using net::test::IsError;
-using net::test::IsOk;
-
-namespace net {
-
-namespace {
-
-class ProxyResolverV8TracingTest : public TestWithTaskEnvironment {
- public:
-  void TearDown() override {
-    // Drain any pending messages, which may be left over from cancellation.
-    // This way they get reliably run as part of the current test, rather than
-    // spilling into the next test's execution.
-    base::RunLoop().RunUntilIdle();
-  }
-};
-
-scoped_refptr<PacFileData> LoadScriptData(const char* filename) {
-  base::FilePath path;
-  base::PathService::Get(base::DIR_SOURCE_ROOT, &path);
-  path = path.AppendASCII("net");
-  path = path.AppendASCII("data");
-  path = path.AppendASCII("proxy_resolver_v8_tracing_unittest");
-  path = path.AppendASCII(filename);
-
-  // Try to read the file from disk.
-  std::string file_contents;
-  bool ok = base::ReadFileToString(path, &file_contents);
-
-  // If we can't load the file from disk, something is misconfigured.
-  EXPECT_TRUE(ok) << "Failed to read file: " << path.value();
-
-  // Load the PAC script into the ProxyResolver.
-  return PacFileData::FromUTF8(file_contents);
-}
-
-class MockBindings {
- public:
-  explicit MockBindings(ProxyHostResolver* host_resolver)
-      : host_resolver_(host_resolver) {}
-
-  void Alert(const base::string16& message) {
-    alerts_.push_back(base::UTF16ToASCII(message));
-  }
-  void OnError(int line_number, const base::string16& error) {
-    waiter_.NotifyEvent(EVENT_ERROR);
-    errors_.push_back(std::make_pair(line_number, base::UTF16ToASCII(error)));
-    if (!error_callback_.is_null())
-      error_callback_.Run();
-  }
-
-  ProxyHostResolver* host_resolver() { return host_resolver_; }
-
-  std::vector<std::string> GetAlerts() {
-    return alerts_;
-  }
-
-  std::vector<std::pair<int, std::string>> GetErrors() {
-    return errors_;
-  }
-
-  void RunOnError(const base::Closure& callback) {
-    error_callback_ = callback;
-    waiter_.WaitForEvent(EVENT_ERROR);
-  }
-
-  std::unique_ptr<ProxyResolverV8Tracing::Bindings> CreateBindings() {
-    return std::make_unique<ForwardingBindings>(this);
-  }
-
- private:
-  class ForwardingBindings : public ProxyResolverV8Tracing::Bindings {
-   public:
-    explicit ForwardingBindings(MockBindings* bindings) : bindings_(bindings) {}
-
-    // ProxyResolverV8Tracing::Bindings overrides.
-    void Alert(const base::string16& message) override {
-      DCHECK(thread_checker_.CalledOnValidThread());
-      bindings_->Alert(message);
-    }
-
-    void OnError(int line_number, const base::string16& error) override {
-      DCHECK(thread_checker_.CalledOnValidThread());
-      bindings_->OnError(line_number, error);
-    }
-
-    NetLogWithSource GetNetLogWithSource() override {
-      DCHECK(thread_checker_.CalledOnValidThread());
-      return NetLogWithSource();
-    }
-
-    ProxyHostResolver* GetHostResolver() override {
-      DCHECK(thread_checker_.CalledOnValidThread());
-      return bindings_->host_resolver();
-    }
-
-   private:
-    MockBindings* bindings_;
-    base::ThreadChecker thread_checker_;
-  };
-
-  enum Event {
-    EVENT_ERROR,
-  };
-
-  std::vector<std::string> alerts_;
-  std::vector<std::pair<int, std::string>> errors_;
-  ProxyHostResolver* const host_resolver_;
-  base::Closure error_callback_;
-  EventWaiter<Event> waiter_;
-};
-
-std::unique_ptr<ProxyResolverV8Tracing> CreateResolver(
-    std::unique_ptr<ProxyResolverV8Tracing::Bindings> bindings,
-    const char* filename) {
-  std::unique_ptr<ProxyResolverV8Tracing> resolver;
-  std::unique_ptr<ProxyResolverV8TracingFactory> factory(
-      ProxyResolverV8TracingFactory::Create());
-  TestCompletionCallback callback;
-  std::unique_ptr<ProxyResolverFactory::Request> request;
-  factory->CreateProxyResolverV8Tracing(LoadScriptData(filename),
-                                        std::move(bindings), &resolver,
-                                        callback.callback(), &request);
-  EXPECT_THAT(callback.WaitForResult(), IsOk());
-  EXPECT_TRUE(resolver);
-  return resolver;
-}
-
-TEST_F(ProxyResolverV8TracingTest, Simple) {
-  MockProxyHostResolver host_resolver;
-  MockBindings mock_bindings(&host_resolver);
-
-  std::unique_ptr<ProxyResolverV8Tracing> resolver =
-      CreateResolver(mock_bindings.CreateBindings(), "simple.js");
-
-  TestCompletionCallback callback;
-  ProxyInfo proxy_info;
-  std::unique_ptr<ProxyResolver::Request> req;
-
-  resolver->GetProxyForURL(GURL("http://foo/"), &proxy_info,
-                           callback.callback(), &req,
-                           mock_bindings.CreateBindings());
-
-  EXPECT_THAT(callback.WaitForResult(), IsOk());
-
-  EXPECT_EQ("foo:99", proxy_info.proxy_server().ToURI());
-
-  EXPECT_EQ(0u, host_resolver.num_resolve());
-
-  // There were no alerts or errors.
-  EXPECT_TRUE(mock_bindings.GetAlerts().empty());
-  EXPECT_TRUE(mock_bindings.GetErrors().empty());
-}
-
-TEST_F(ProxyResolverV8TracingTest, JavascriptError) {
-  MockProxyHostResolver host_resolver;
-  MockBindings mock_bindings(&host_resolver);
-
-  std::unique_ptr<ProxyResolverV8Tracing> resolver =
-      CreateResolver(mock_bindings.CreateBindings(), "error.js");
-
-  TestCompletionCallback callback;
-  ProxyInfo proxy_info;
-
-  std::unique_ptr<ProxyResolver::Request> req;
-  resolver->GetProxyForURL(GURL("http://throw-an-error/"), &proxy_info,
-                           callback.callback(), &req,
-                           mock_bindings.CreateBindings());
-
-  EXPECT_THAT(callback.WaitForResult(), IsError(ERR_PAC_SCRIPT_FAILED));
-
-  EXPECT_EQ(0u, host_resolver.num_resolve());
-
-  // Check the output -- there was 1 alert and 1 javascript error.
-  ASSERT_EQ(1u, mock_bindings.GetAlerts().size());
-  EXPECT_EQ("Prepare to DIE!", mock_bindings.GetAlerts()[0]);
-  ASSERT_EQ(1u, mock_bindings.GetErrors().size());
-  EXPECT_EQ(5, mock_bindings.GetErrors()[0].first);
-  EXPECT_EQ("Uncaught TypeError: Cannot read property 'split' of null",
-            mock_bindings.GetErrors()[0].second);
-}
-
-TEST_F(ProxyResolverV8TracingTest, TooManyAlerts) {
-  MockProxyHostResolver host_resolver;
-  MockBindings mock_bindings(&host_resolver);
-
-  std::unique_ptr<ProxyResolverV8Tracing> resolver =
-      CreateResolver(mock_bindings.CreateBindings(), "too_many_alerts.js");
-
-  TestCompletionCallback callback;
-  ProxyInfo proxy_info;
-
-  std::unique_ptr<ProxyResolver::Request> req;
-  resolver->GetProxyForURL(GURL("http://foo/"), &proxy_info,
-                           callback.callback(), &req,
-                           mock_bindings.CreateBindings());
-
-  EXPECT_THAT(callback.WaitForResult(), IsOk());
-
-  // Iteration1 does a DNS resolve
-  // Iteration2 exceeds the alert buffer
-  // Iteration3 runs in blocking mode and completes
-  EXPECT_EQ("foo:3", proxy_info.proxy_server().ToURI());
-
-  EXPECT_EQ(1u, host_resolver.num_resolve());
-
-  // No errors.
-  EXPECT_TRUE(mock_bindings.GetErrors().empty());
-
-  // Check the alerts -- the script generated 50 alerts.
-  std::vector<std::string> alerts = mock_bindings.GetAlerts();
-  ASSERT_EQ(50u, alerts.size());
-  for (size_t i = 0; i < alerts.size(); i++) {
-    EXPECT_EQ("Gee, all these alerts are silly!", alerts[i]);
-  }
-}
-
-// Verify that buffered alerts cannot grow unboundedly, even when the message is
-// empty string.
-TEST_F(ProxyResolverV8TracingTest, TooManyEmptyAlerts) {
-  MockProxyHostResolver host_resolver;
-  MockBindings mock_bindings(&host_resolver);
-
-  std::unique_ptr<ProxyResolverV8Tracing> resolver = CreateResolver(
-      mock_bindings.CreateBindings(), "too_many_empty_alerts.js");
-
-  TestCompletionCallback callback;
-  ProxyInfo proxy_info;
-
-  std::unique_ptr<ProxyResolver::Request> req;
-  resolver->GetProxyForURL(GURL("http://foo/"), &proxy_info,
-                           callback.callback(), &req,
-                           mock_bindings.CreateBindings());
-
-  EXPECT_THAT(callback.WaitForResult(), IsOk());
-
-  EXPECT_EQ("foo:3", proxy_info.proxy_server().ToURI());
-
-  EXPECT_EQ(1u, host_resolver.num_resolve());
-
-  // No errors.
-  EXPECT_TRUE(mock_bindings.GetErrors().empty());
-
-  // Check the alerts -- the script generated 1000 alerts.
-  std::vector<std::string> alerts = mock_bindings.GetAlerts();
-  ASSERT_EQ(1000u, alerts.size());
-  for (size_t i = 0; i < alerts.size(); i++) {
-    EXPECT_EQ("", alerts[i]);
-  }
-}
-
-// This test runs a PAC script that issues a sequence of DNS resolves. The test
-// verifies the final result, and that the underlying DNS resolver received
-// the correct set of queries.
-TEST_F(ProxyResolverV8TracingTest, Dns) {
-  MockProxyHostResolver host_resolver;
-  MockBindings mock_bindings(&host_resolver);
-
-  host_resolver.SetResult(GetHostName(),
-                          ProxyResolveDnsOperation::MY_IP_ADDRESS,
-                          {IPAddress(122, 133, 144, 155)});
-  host_resolver.SetResult(GetHostName(),
-                          ProxyResolveDnsOperation::MY_IP_ADDRESS_EX,
-                          {IPAddress(133, 122, 100, 200)});
-  host_resolver.SetError("", ProxyResolveDnsOperation::DNS_RESOLVE);
-  host_resolver.SetResult("host1", ProxyResolveDnsOperation::DNS_RESOLVE,
-                          {IPAddress(166, 155, 144, 44)});
-  IPAddress v6_local;
-  ASSERT_TRUE(v6_local.AssignFromIPLiteral("::1"));
-  host_resolver.SetResult("host1", ProxyResolveDnsOperation::DNS_RESOLVE_EX,
-                          {v6_local, IPAddress(192, 168, 1, 1)});
-  host_resolver.SetError("host2", ProxyResolveDnsOperation::DNS_RESOLVE);
-  host_resolver.SetResult("host3", ProxyResolveDnsOperation::DNS_RESOLVE,
-                          {IPAddress(166, 155, 144, 33)});
-  host_resolver.SetError("host6", ProxyResolveDnsOperation::DNS_RESOLVE_EX);
-
-  std::unique_ptr<ProxyResolverV8Tracing> resolver =
-      CreateResolver(mock_bindings.CreateBindings(), "dns.js");
-
-  TestCompletionCallback callback;
-  ProxyInfo proxy_info;
-
-  std::unique_ptr<ProxyResolver::Request> req;
-  resolver->GetProxyForURL(GURL("http://foo/"), &proxy_info,
-                           callback.callback(), &req,
-                           mock_bindings.CreateBindings());
-
-  EXPECT_THAT(callback.WaitForResult(), IsOk());
-
-  // The test does 13 DNS resolution, however only 7 of them are unique.
-  EXPECT_EQ(7u, host_resolver.num_resolve());
-
-  const char* kExpectedResult =
-    "122.133.144.155-"  // myIpAddress()
-    "null-"  // dnsResolve('')
-    "__1_192.168.1.1-"  // dnsResolveEx('host1')
-    "null-"  // dnsResolve('host2')
-    "166.155.144.33-"  // dnsResolve('host3')
-    "122.133.144.155-"  // myIpAddress()
-    "166.155.144.33-"  // dnsResolve('host3')
-    "__1_192.168.1.1-"  // dnsResolveEx('host1')
-    "122.133.144.155-"  // myIpAddress()
-    "null-"  // dnsResolve('host2')
-    "-"  // dnsResolveEx('host6')
-    "133.122.100.200-"  // myIpAddressEx()
-    "166.155.144.44"  // dnsResolve('host1')
-    ":99";
-
-  EXPECT_EQ(kExpectedResult, proxy_info.proxy_server().ToURI());
-
-  // No errors.
-  EXPECT_TRUE(mock_bindings.GetErrors().empty());
-
-  // The script generated 1 alert.
-  ASSERT_EQ(1u, mock_bindings.GetAlerts().size());
-  EXPECT_EQ("iteration: 7", mock_bindings.GetAlerts()[0]);
-}
-
-// This test runs a weird PAC script that was designed to defeat the DNS tracing
-// optimization. The proxy resolver should detect the inconsistency and
-// fall-back to synchronous mode execution.
-TEST_F(ProxyResolverV8TracingTest, FallBackToSynchronous1) {
-  MockProxyHostResolver host_resolver;
-  MockBindings mock_bindings(&host_resolver);
-
-  host_resolver.SetResult("host1", ProxyResolveDnsOperation::DNS_RESOLVE,
-                          {IPAddress(166, 155, 144, 11)});
-  host_resolver.SetResult("crazy4", ProxyResolveDnsOperation::DNS_RESOLVE,
-                          {IPAddress(133, 199, 111, 4)});
-
-  std::unique_ptr<ProxyResolverV8Tracing> resolver =
-      CreateResolver(mock_bindings.CreateBindings(), "global_sideffects1.js");
-
-  TestCompletionCallback callback;
-  ProxyInfo proxy_info;
-
-  std::unique_ptr<ProxyResolver::Request> req;
-  resolver->GetProxyForURL(GURL("http://foo/"), &proxy_info,
-                           callback.callback(), &req,
-                           mock_bindings.CreateBindings());
-  EXPECT_THAT(callback.WaitForResult(), IsOk());
-
-  // The script itself only does 2 DNS resolves per execution, however it
-  // constructs the hostname using a global counter which changes on each
-  // invocation.
-  EXPECT_EQ(3u, host_resolver.num_resolve());
-
-  EXPECT_EQ("166.155.144.11-133.199.111.4:100",
-            proxy_info.proxy_server().ToURI());
-
-  // No errors.
-  EXPECT_TRUE(mock_bindings.GetErrors().empty());
-
-  ASSERT_EQ(1u, mock_bindings.GetAlerts().size());
-  EXPECT_EQ("iteration: 4", mock_bindings.GetAlerts()[0]);
-}
-
-// This test runs a weird PAC script that was designed to defeat the DNS tracing
-// optimization. The proxy resolver should detect the inconsistency and
-// fall-back to synchronous mode execution.
-TEST_F(ProxyResolverV8TracingTest, FallBackToSynchronous2) {
-  MockProxyHostResolver host_resolver;
-  MockBindings mock_bindings(&host_resolver);
-
-  host_resolver.SetResult("host1", ProxyResolveDnsOperation::DNS_RESOLVE,
-                          {IPAddress(166, 155, 144, 11)});
-  host_resolver.SetResult("host2", ProxyResolveDnsOperation::DNS_RESOLVE,
-                          {IPAddress(166, 155, 144, 22)});
-  host_resolver.SetResult("host3", ProxyResolveDnsOperation::DNS_RESOLVE,
-                          {IPAddress(166, 155, 144, 33)});
-  host_resolver.SetResult("host4", ProxyResolveDnsOperation::DNS_RESOLVE,
-                          {IPAddress(166, 155, 144, 44)});
-
-  std::unique_ptr<ProxyResolverV8Tracing> resolver =
-      CreateResolver(mock_bindings.CreateBindings(), "global_sideffects2.js");
-
-  TestCompletionCallback callback;
-  ProxyInfo proxy_info;
-
-  std::unique_ptr<ProxyResolver::Request> req;
-  resolver->GetProxyForURL(GURL("http://foo/"), &proxy_info,
-                           callback.callback(), &req,
-                           mock_bindings.CreateBindings());
-  EXPECT_THAT(callback.WaitForResult(), IsOk());
-
-  EXPECT_EQ(3u, host_resolver.num_resolve());
-
-  EXPECT_EQ("166.155.144.44:100", proxy_info.proxy_server().ToURI());
-
-  // There were no alerts or errors.
-  EXPECT_TRUE(mock_bindings.GetAlerts().empty());
-  EXPECT_TRUE(mock_bindings.GetErrors().empty());
-}
-
-// This test runs a weird PAC script that yields a never ending sequence
-// of DNS resolves when restarting. Running it will hit the maximum
-// DNS resolves per request limit (20) after which every DNS resolve will
-// fail.
-TEST_F(ProxyResolverV8TracingTest, InfiniteDNSSequence) {
-  MockProxyHostResolver host_resolver;
-  MockBindings mock_bindings(&host_resolver);
-
-  for (int i = 0; i < 21; ++i) {
-    host_resolver.SetResult("host" + std::to_string(i),
-                            ProxyResolveDnsOperation::DNS_RESOLVE,
-                            {IPAddress(166, 155, 144, 11)});
-  }
-
-  std::unique_ptr<ProxyResolverV8Tracing> resolver =
-      CreateResolver(mock_bindings.CreateBindings(), "global_sideffects3.js");
-
-  TestCompletionCallback callback;
-  ProxyInfo proxy_info;
-
-  std::unique_ptr<ProxyResolver::Request> req;
-  resolver->GetProxyForURL(GURL("http://foo/"), &proxy_info,
-                           callback.callback(), &req,
-                           mock_bindings.CreateBindings());
-  EXPECT_THAT(callback.WaitForResult(), IsOk());
-
-  EXPECT_EQ(20u, host_resolver.num_resolve());
-
-  EXPECT_EQ(
-      "166.155.144.11-166.155.144.11-166.155.144.11-166.155.144.11-"
-      "166.155.144.11-166.155.144.11-166.155.144.11-166.155.144.11-"
-      "166.155.144.11-166.155.144.11-166.155.144.11-166.155.144.11-"
-      "166.155.144.11-166.155.144.11-166.155.144.11-166.155.144.11-"
-      "166.155.144.11-166.155.144.11-166.155.144.11-166.155.144.11-"
-      "null:21", proxy_info.proxy_server().ToURI());
-
-  // No errors.
-  EXPECT_TRUE(mock_bindings.GetErrors().empty());
-
-  // 1 alert.
-  EXPECT_EQ(1u, mock_bindings.GetAlerts().size());
-  EXPECT_EQ("iteration: 21", mock_bindings.GetAlerts()[0]);
-}
-
-// This test runs a weird PAC script that yields a never ending sequence
-// of DNS resolves when restarting. Running it will hit the maximum
-// DNS resolves per request limit (20) after which every DNS resolve will
-// fail.
-TEST_F(ProxyResolverV8TracingTest, InfiniteDNSSequence2) {
-  MockProxyHostResolver host_resolver;
-  MockBindings mock_bindings(&host_resolver);
-
-  host_resolver.SetResult(GetHostName(),
-                          ProxyResolveDnsOperation::MY_IP_ADDRESS,
-                          {IPAddress(122, 133, 144, 155)});
-  for (int i = 0; i < 21; ++i) {
-    host_resolver.SetResult("host" + std::to_string(i),
-                            ProxyResolveDnsOperation::DNS_RESOLVE,
-                            {IPAddress(166, 155, 144, 11)});
-  }
-
-  std::unique_ptr<ProxyResolverV8Tracing> resolver =
-      CreateResolver(mock_bindings.CreateBindings(), "global_sideffects4.js");
-
-  TestCompletionCallback callback;
-  ProxyInfo proxy_info;
-
-  std::unique_ptr<ProxyResolver::Request> req;
-  resolver->GetProxyForURL(GURL("http://foo/"), &proxy_info,
-                           callback.callback(), &req,
-                           mock_bindings.CreateBindings());
-  EXPECT_THAT(callback.WaitForResult(), IsOk());
-
-  EXPECT_EQ(20u, host_resolver.num_resolve());
-
-  EXPECT_EQ("null21:34", proxy_info.proxy_server().ToURI());
-
-  // No errors.
-  EXPECT_TRUE(mock_bindings.GetErrors().empty());
-
-  // 1 alert.
-  EXPECT_EQ(1u, mock_bindings.GetAlerts().size());
-  EXPECT_EQ("iteration: 21", mock_bindings.GetAlerts()[0]);
-}
-
-void DnsDuringInitHelper(bool synchronous_host_resolver) {
-  MockProxyHostResolver host_resolver(synchronous_host_resolver);
-  MockBindings mock_bindings(&host_resolver);
-
-  host_resolver.SetResult("host1", ProxyResolveDnsOperation::DNS_RESOLVE,
-                          {IPAddress(91, 13, 12, 1)});
-  host_resolver.SetResult("host2", ProxyResolveDnsOperation::DNS_RESOLVE,
-                          {IPAddress(91, 13, 12, 2)});
-
-  std::unique_ptr<ProxyResolverV8Tracing> resolver =
-      CreateResolver(mock_bindings.CreateBindings(), "dns_during_init.js");
-
-  // Initialization did 2 dnsResolves.
-  EXPECT_EQ(2u, host_resolver.num_resolve());
-
-  host_resolver.SetResult("host1", ProxyResolveDnsOperation::DNS_RESOLVE,
-                          {IPAddress(145, 88, 13, 3)});
-  host_resolver.SetResult("host2", ProxyResolveDnsOperation::DNS_RESOLVE,
-                          {IPAddress(137, 89, 8, 45)});
-
-  TestCompletionCallback callback;
-  ProxyInfo proxy_info;
-
-  std::unique_ptr<ProxyResolver::Request> req;
-  resolver->GetProxyForURL(GURL("http://foo/"), &proxy_info,
-                           callback.callback(), &req,
-                           mock_bindings.CreateBindings());
-  EXPECT_THAT(callback.WaitForResult(), IsOk());
-
-  // Fetched host1 and host2 again, since the ones done during initialization
-  // should not have been cached.
-  EXPECT_EQ(4u, host_resolver.num_resolve());
-
-  EXPECT_EQ("91.13.12.1-91.13.12.2-145.88.13.3-137.89.8.45:99",
-            proxy_info.proxy_server().ToURI());
-
-  // 2 alerts.
-  ASSERT_EQ(2u, mock_bindings.GetAlerts().size());
-  EXPECT_EQ("Watsup", mock_bindings.GetAlerts()[0]);
-  EXPECT_EQ("Watsup2", mock_bindings.GetAlerts()[1]);
-}
-
-// Tests a PAC script which does DNS resolves during initialization.
-TEST_F(ProxyResolverV8TracingTest, DnsDuringInit) {
-  // Test with both both a host resolver that always completes asynchronously,
-  // and then again with one that completes synchronously.
-  DnsDuringInitHelper(false);
-  DnsDuringInitHelper(true);
-}
-
-void CrashCallback(int) {
-  // Be extra sure that if the callback ever gets invoked, the test will fail.
-  CHECK(false);
-}
-
-// Start some requests, cancel them all, and then destroy the resolver.
-// Note the execution order for this test can vary. Since multiple
-// threads are involved, the cancellation may be received a different
-// times.
-TEST_F(ProxyResolverV8TracingTest, CancelAll) {
-  MockProxyHostResolver host_resolver;
-  MockBindings mock_bindings(&host_resolver);
-
-  host_resolver.FailAll();
-
-  std::unique_ptr<ProxyResolverV8Tracing> resolver =
-      CreateResolver(mock_bindings.CreateBindings(), "dns.js");
-
-  const size_t kNumRequests = 5;
-  ProxyInfo proxy_info[kNumRequests];
-  std::unique_ptr<ProxyResolver::Request> request[kNumRequests];
-
-  for (size_t i = 0; i < kNumRequests; ++i) {
-    resolver->GetProxyForURL(GURL("http://foo/"), &proxy_info[i],
-                             base::BindOnce(&CrashCallback), &request[i],
-                             mock_bindings.CreateBindings());
-  }
-
-  for (size_t i = 0; i < kNumRequests; ++i) {
-    request[i].reset();
-  }
-}
-
-// Note the execution order for this test can vary. Since multiple
-// threads are involved, the cancellation may be received a different
-// times.
-TEST_F(ProxyResolverV8TracingTest, CancelSome) {
-  MockProxyHostResolver host_resolver;
-  MockBindings mock_bindings(&host_resolver);
-
-  host_resolver.FailAll();
-
-  std::unique_ptr<ProxyResolverV8Tracing> resolver =
-      CreateResolver(mock_bindings.CreateBindings(), "dns.js");
-
-  ProxyInfo proxy_info1;
-  ProxyInfo proxy_info2;
-  std::unique_ptr<ProxyResolver::Request> request1;
-  std::unique_ptr<ProxyResolver::Request> request2;
-  TestCompletionCallback callback;
-
-  resolver->GetProxyForURL(GURL("http://foo/"), &proxy_info1,
-                           base::BindOnce(&CrashCallback), &request1,
-                           mock_bindings.CreateBindings());
-  resolver->GetProxyForURL(GURL("http://foo/"), &proxy_info2,
-                           callback.callback(), &request2,
-                           mock_bindings.CreateBindings());
-
-  request1.reset();
-
-  EXPECT_THAT(callback.WaitForResult(), IsOk());
-}
-
-// Cancel a request after it has finished running on the worker thread, and has
-// posted a task the completion task back to origin thread.
-TEST_F(ProxyResolverV8TracingTest, CancelWhilePendingCompletionTask) {
-  MockProxyHostResolver host_resolver;
-  MockBindings mock_bindings(&host_resolver);
-
-  host_resolver.FailAll();
-
-  std::unique_ptr<ProxyResolverV8Tracing> resolver =
-      CreateResolver(mock_bindings.CreateBindings(), "error.js");
-
-  ProxyInfo proxy_info1;
-  ProxyInfo proxy_info2;
-  std::unique_ptr<ProxyResolver::Request> request1;
-  std::unique_ptr<ProxyResolver::Request> request2;
-  TestCompletionCallback callback;
-
-  resolver->GetProxyForURL(GURL("http://throw-an-error/"), &proxy_info1,
-                           base::BindOnce(&CrashCallback), &request1,
-                           mock_bindings.CreateBindings());
-
-  // Wait until the first request has finished running on the worker thread.
-  // Cancel the first request, while it is running its completion task on
-  // the origin thread. Reset deletes Request opject which cancels the request.
-  mock_bindings.RunOnError(
-      base::Bind(&std::unique_ptr<ProxyResolver::Request>::reset,
-                 base::Unretained(&request1), nullptr));
-
-  // Start another request, to make sure it is able to complete.
-  resolver->GetProxyForURL(GURL("http://i-have-no-idea-what-im-doing/"),
-                           &proxy_info2, callback.callback(), &request2,
-                           mock_bindings.CreateBindings());
-
-  EXPECT_THAT(callback.WaitForResult(), IsOk());
-
-  EXPECT_EQ("i-approve-this-message:42", proxy_info2.proxy_server().ToURI());
-}
-
-// This cancellation test exercises a more predictable cancellation codepath --
-// when the request has an outstanding DNS request in flight.
-TEST_F(ProxyResolverV8TracingTest, CancelWhileOutstandingNonBlockingDns) {
-  base::RunLoop run_loop1;
-  HangingProxyHostResolver host_resolver(run_loop1.QuitClosure());
-  MockBindings mock_bindings(&host_resolver);
-
-  std::unique_ptr<ProxyResolverV8Tracing> resolver =
-      CreateResolver(mock_bindings.CreateBindings(), "dns.js");
-
-  ProxyInfo proxy_info1;
-  ProxyInfo proxy_info2;
-  std::unique_ptr<ProxyResolver::Request> request1;
-  std::unique_ptr<ProxyResolver::Request> request2;
-
-  resolver->GetProxyForURL(GURL("http://foo/req1"), &proxy_info1,
-                           base::BindOnce(&CrashCallback), &request1,
-                           mock_bindings.CreateBindings());
-
-  run_loop1.Run();
-
-  base::RunLoop run_loop2;
-  host_resolver.set_hang_callback(run_loop2.QuitClosure());
-  resolver->GetProxyForURL(GURL("http://foo/req2"), &proxy_info2,
-                           base::BindOnce(&CrashCallback), &request2,
-                           mock_bindings.CreateBindings());
-
-  run_loop2.Run();
-
-  request1.reset();
-  request2.reset();
-
-  EXPECT_EQ(2, host_resolver.num_cancelled_requests());
-
-  // After leaving this scope, the ProxyResolver is destroyed.
-  // This should not cause any problems, as the outstanding work
-  // should have been cancelled.
-}
-
-void CancelRequestAndPause(std::unique_ptr<ProxyResolver::Request>* request,
-                           base::RunLoop* run_loop) {
-  request->reset();
-
-  // Sleep for a little bit. This makes it more likely for the worker
-  // thread to have returned from its call, and serves as a regression
-  // test for http://crbug.com/173373.
-  base::PlatformThread::Sleep(base::TimeDelta::FromMilliseconds(30));
-
-  run_loop->Quit();
-}
-
-// In non-blocking mode, the worker thread actually does block for
-// a short time to see if the result is in the DNS cache. Test
-// cancellation while the worker thread is waiting on this event.
-TEST_F(ProxyResolverV8TracingTest, CancelWhileBlockedInNonBlockingDns) {
-  HangingProxyHostResolver host_resolver;
-  MockBindings mock_bindings(&host_resolver);
-
-  std::unique_ptr<ProxyResolverV8Tracing> resolver =
-      CreateResolver(mock_bindings.CreateBindings(), "dns.js");
-
-  ProxyInfo proxy_info;
-  std::unique_ptr<ProxyResolver::Request> request;
-
-  base::RunLoop run_loop;
-  host_resolver.set_hang_callback(
-      base::BindRepeating(&CancelRequestAndPause, &request, &run_loop));
-
-  resolver->GetProxyForURL(GURL("http://foo/"), &proxy_info,
-                           base::BindOnce(&CrashCallback), &request,
-                           mock_bindings.CreateBindings());
-
-  run_loop.Run();
-}
-
-// Cancel the request while there is a pending DNS request, however before
-// the request is sent to the host resolver.
-TEST_F(ProxyResolverV8TracingTest, CancelWhileBlockedInNonBlockingDns2) {
-  MockProxyHostResolver host_resolver;
-  MockBindings mock_bindings(&host_resolver);
-
-  std::unique_ptr<ProxyResolverV8Tracing> resolver =
-      CreateResolver(mock_bindings.CreateBindings(), "dns.js");
-
-  ProxyInfo proxy_info;
-  std::unique_ptr<ProxyResolver::Request> request;
-
-  resolver->GetProxyForURL(GURL("http://foo/"), &proxy_info,
-                           base::BindOnce(&CrashCallback), &request,
-                           mock_bindings.CreateBindings());
-
-  // Wait a bit, so the DNS task has hopefully been posted. The test will
-  // work whatever the delay is here, but it is most useful if the delay
-  // is large enough to allow a task to be posted back.
-  base::PlatformThread::Sleep(base::TimeDelta::FromMilliseconds(10));
-  request.reset();
-
-  EXPECT_EQ(0u, host_resolver.num_resolve());
-}
-
-TEST_F(ProxyResolverV8TracingTest,
-       CancelCreateResolverWhileOutstandingBlockingDns) {
-  base::RunLoop run_loop;
-  HangingProxyHostResolver host_resolver(run_loop.QuitClosure());
-  MockBindings mock_bindings(&host_resolver);
-
-  std::unique_ptr<ProxyResolverV8TracingFactory> factory(
-      ProxyResolverV8TracingFactory::Create());
-  std::unique_ptr<ProxyResolverV8Tracing> resolver;
-  std::unique_ptr<ProxyResolverFactory::Request> request;
-  factory->CreateProxyResolverV8Tracing(
-      LoadScriptData("dns_during_init.js"), mock_bindings.CreateBindings(),
-      &resolver, base::BindOnce(&CrashCallback), &request);
-
-  run_loop.Run();
-
-  request.reset();
-  EXPECT_EQ(1, host_resolver.num_cancelled_requests());
-}
-
-TEST_F(ProxyResolverV8TracingTest, DeleteFactoryWhileOutstandingBlockingDns) {
-  base::RunLoop run_loop;
-  HangingProxyHostResolver host_resolver(run_loop.QuitClosure());
-  MockBindings mock_bindings(&host_resolver);
-
-  std::unique_ptr<ProxyResolverV8Tracing> resolver;
-  std::unique_ptr<ProxyResolverFactory::Request> request;
-  {
-    std::unique_ptr<ProxyResolverV8TracingFactory> factory(
-        ProxyResolverV8TracingFactory::Create());
-
-    factory->CreateProxyResolverV8Tracing(
-        LoadScriptData("dns_during_init.js"), mock_bindings.CreateBindings(),
-        &resolver, base::BindOnce(&CrashCallback), &request);
-    run_loop.Run();
-  }
-  EXPECT_EQ(1, host_resolver.num_cancelled_requests());
-}
-
-TEST_F(ProxyResolverV8TracingTest, ErrorLoadingScript) {
-  HangingProxyHostResolver host_resolver;
-  MockBindings mock_bindings(&host_resolver);
-
-  std::unique_ptr<ProxyResolverV8TracingFactory> factory(
-      ProxyResolverV8TracingFactory::Create());
-  std::unique_ptr<ProxyResolverV8Tracing> resolver;
-  std::unique_ptr<ProxyResolverFactory::Request> request;
-  TestCompletionCallback callback;
-  factory->CreateProxyResolverV8Tracing(
-      LoadScriptData("error_on_load.js"), mock_bindings.CreateBindings(),
-      &resolver, callback.callback(), &request);
-
-  EXPECT_THAT(callback.WaitForResult(), IsError(ERR_PAC_SCRIPT_FAILED));
-  EXPECT_FALSE(resolver);
-}
-
-// This tests that the execution of a PAC script is terminated when the DNS
-// dependencies are missing. If the test fails, then it will hang.
-TEST_F(ProxyResolverV8TracingTest, Terminate) {
-  MockProxyHostResolver host_resolver;
-  MockBindings mock_bindings(&host_resolver);
-
-  host_resolver.SetResult("host1", ProxyResolveDnsOperation::DNS_RESOLVE,
-                          {IPAddress(182, 111, 0, 222)});
-  host_resolver.SetResult("host2", ProxyResolveDnsOperation::DNS_RESOLVE_EX,
-                          {IPAddress(111, 33, 44, 55)});
-
-  std::unique_ptr<ProxyResolverV8Tracing> resolver =
-      CreateResolver(mock_bindings.CreateBindings(), "terminate.js");
-
-  TestCompletionCallback callback;
-  ProxyInfo proxy_info;
-
-  std::unique_ptr<ProxyResolver::Request> req;
-  resolver->GetProxyForURL(GURL("http://foopy/req1"), &proxy_info,
-                           callback.callback(), &req,
-                           mock_bindings.CreateBindings());
-  EXPECT_THAT(callback.WaitForResult(), IsOk());
-
-  // The test does 2 DNS resolutions.
-  EXPECT_EQ(2u, host_resolver.num_resolve());
-
-  EXPECT_EQ("foopy:3", proxy_info.proxy_server().ToURI());
-
-  // No errors or alerts.
-  EXPECT_TRUE(mock_bindings.GetErrors().empty());
-  EXPECT_TRUE(mock_bindings.GetAlerts().empty());
-}
-
-// Tests that multiple instances of ProxyResolverV8Tracing can coexist and run
-// correctly at the same time. This is relevant because at the moment (time
-// this test was written) each ProxyResolverV8Tracing creates its own thread to
-// run V8 on, however each thread is operating on the same v8::Isolate.
-TEST_F(ProxyResolverV8TracingTest, MultipleResolvers) {
-  // ------------------------
-  // Setup resolver0
-  // ------------------------
-  MockProxyHostResolver host_resolver0;
-  MockBindings mock_bindings0(&host_resolver0);
-  host_resolver0.SetResult(GetHostName(),
-                           ProxyResolveDnsOperation::MY_IP_ADDRESS,
-                           {IPAddress(122, 133, 144, 155)});
-  host_resolver0.SetResult(GetHostName(),
-                           ProxyResolveDnsOperation::MY_IP_ADDRESS_EX,
-                           {IPAddress(133, 122, 100, 200)});
-  host_resolver0.SetError("", ProxyResolveDnsOperation::DNS_RESOLVE);
-  host_resolver0.SetResult("host1", ProxyResolveDnsOperation::DNS_RESOLVE,
-                           {IPAddress(166, 155, 144, 44)});
-  IPAddress v6_local;
-  ASSERT_TRUE(v6_local.AssignFromIPLiteral("::1"));
-  host_resolver0.SetResult("host1", ProxyResolveDnsOperation::DNS_RESOLVE_EX,
-                           {v6_local, IPAddress(192, 168, 1, 1)});
-  host_resolver0.SetError("host2", ProxyResolveDnsOperation::DNS_RESOLVE);
-  host_resolver0.SetResult("host3", ProxyResolveDnsOperation::DNS_RESOLVE,
-                           {IPAddress(166, 155, 144, 33)});
-  host_resolver0.SetError("host6", ProxyResolveDnsOperation::DNS_RESOLVE_EX);
-  std::unique_ptr<ProxyResolverV8Tracing> resolver0 =
-      CreateResolver(mock_bindings0.CreateBindings(), "dns.js");
-
-  // ------------------------
-  // Setup resolver1
-  // ------------------------
-  std::unique_ptr<ProxyResolverV8Tracing> resolver1 =
-      CreateResolver(mock_bindings0.CreateBindings(), "dns.js");
-
-  // ------------------------
-  // Setup resolver2
-  // ------------------------
-  std::unique_ptr<ProxyResolverV8Tracing> resolver2 =
-      CreateResolver(mock_bindings0.CreateBindings(), "simple.js");
-
-  // ------------------------
-  // Setup resolver3
-  // ------------------------
-  MockProxyHostResolver host_resolver3;
-  MockBindings mock_bindings3(&host_resolver3);
-  host_resolver3.SetResult("foo", ProxyResolveDnsOperation::DNS_RESOLVE,
-                           {IPAddress(166, 155, 144, 33)});
-  std::unique_ptr<ProxyResolverV8Tracing> resolver3 =
-      CreateResolver(mock_bindings3.CreateBindings(), "simple_dns.js");
-
-  // ------------------------
-  // Queue up work for each resolver (which will be running in parallel).
-  // ------------------------
-
-  ProxyResolverV8Tracing* resolver[] = {
-      resolver0.get(), resolver1.get(), resolver2.get(), resolver3.get(),
-  };
-
-  const size_t kNumResolvers = base::size(resolver);
-  const size_t kNumIterations = 20;
-  const size_t kNumResults = kNumResolvers * kNumIterations;
-  TestCompletionCallback callback[kNumResults];
-  ProxyInfo proxy_info[kNumResults];
-  std::unique_ptr<ProxyResolver::Request> request[kNumResults];
-
-  for (size_t i = 0; i < kNumResults; ++i) {
-    size_t resolver_i = i % kNumResolvers;
-    resolver[resolver_i]->GetProxyForURL(
-        GURL("http://foo/"), &proxy_info[i], callback[i].callback(),
-        &request[i], resolver_i == 3 ? mock_bindings3.CreateBindings()
-                                     : mock_bindings0.CreateBindings());
-  }
-
-  // ------------------------
-  // Verify all of the results.
-  // ------------------------
-
-  const char* kExpectedForDnsJs =
-    "122.133.144.155-"  // myIpAddress()
-    "null-"  // dnsResolve('')
-    "__1_192.168.1.1-"  // dnsResolveEx('host1')
-    "null-"  // dnsResolve('host2')
-    "166.155.144.33-"  // dnsResolve('host3')
-    "122.133.144.155-"  // myIpAddress()
-    "166.155.144.33-"  // dnsResolve('host3')
-    "__1_192.168.1.1-"  // dnsResolveEx('host1')
-    "122.133.144.155-"  // myIpAddress()
-    "null-"  // dnsResolve('host2')
-    "-"  // dnsResolveEx('host6')
-    "133.122.100.200-"  // myIpAddressEx()
-    "166.155.144.44"  // dnsResolve('host1')
-    ":99";
-
-  for (size_t i = 0; i < kNumResults; ++i) {
-    size_t resolver_i = i % kNumResolvers;
-    EXPECT_THAT(callback[i].WaitForResult(), IsOk());
-
-    std::string proxy_uri = proxy_info[i].proxy_server().ToURI();
-
-    if (resolver_i == 0 || resolver_i == 1) {
-      EXPECT_EQ(kExpectedForDnsJs, proxy_uri);
-    } else if (resolver_i == 2) {
-      EXPECT_EQ("foo:99", proxy_uri);
-    } else if (resolver_i == 3) {
-      EXPECT_EQ("166.155.144.33:",
-                proxy_uri.substr(0, proxy_uri.find(':') + 1));
-    } else {
-      NOTREACHED();
-    }
-  }
-}
-
-}  // namespace
-
-}  // namespace net
diff --git a/chromium/net/proxy_resolution/proxy_resolver_v8_unittest.cc b/chromium/net/proxy_resolution/proxy_resolver_v8_unittest.cc
deleted file mode 100644
index 06fc8445feb..00000000000
--- a/chromium/net/proxy_resolution/proxy_resolver_v8_unittest.cc
+++ /dev/null
@@ -1,546 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "net/proxy_resolution/proxy_resolver_v8.h"
-
-#include "base/compiler_specific.h"
-#include "base/files/file_util.h"
-#include "base/path_service.h"
-#include "base/stl_util.h"
-#include "base/strings/string_util.h"
-#include "base/strings/stringprintf.h"
-#include "base/strings/utf_string_conversions.h"
-#include "net/base/net_errors.h"
-#include "net/proxy_resolution/pac_file_data.h"
-#include "net/proxy_resolution/proxy_info.h"
-#include "net/test/gtest_util.h"
-#include "net/test/test_with_task_environment.h"
-#include "testing/gmock/include/gmock/gmock.h"
-#include "testing/gtest/include/gtest/gtest.h"
-#include "url/gurl.h"
-
-using net::test::IsError;
-using net::test::IsOk;
-using ::testing::IsEmpty;
-
-namespace net {
-namespace {
-
-// Javascript bindings for ProxyResolverV8, which returns mock values.
-// Each time one of the bindings is called into, we push the input into a
-// list, for later verification.
-class MockJSBindings : public ProxyResolverV8::JSBindings {
- public:
-  MockJSBindings()
-      : my_ip_address_count(0),
-        my_ip_address_ex_count(0),
-        should_terminate(false) {}
-
-  void Alert(const base::string16& message) override {
-    VLOG(1) << "PAC-alert: " << message;  // Helpful when debugging.
-    alerts.push_back(base::UTF16ToUTF8(message));
-  }
-
-  bool ResolveDns(const std::string& host,
-                  ProxyResolveDnsOperation op,
-                  std::string* output,
-                  bool* terminate) override {
-    *terminate = should_terminate;
-
-    if (op == ProxyResolveDnsOperation::MY_IP_ADDRESS) {
-      my_ip_address_count++;
-      *output = my_ip_address_result;
-      return !my_ip_address_result.empty();
-    }
-
-    if (op == ProxyResolveDnsOperation::MY_IP_ADDRESS_EX) {
-      my_ip_address_ex_count++;
-      *output = my_ip_address_ex_result;
-      return !my_ip_address_ex_result.empty();
-    }
-
-    if (op == ProxyResolveDnsOperation::DNS_RESOLVE) {
-      dns_resolves.push_back(host);
-      *output = dns_resolve_result;
-      return !dns_resolve_result.empty();
-    }
-
-    if (op == ProxyResolveDnsOperation::DNS_RESOLVE_EX) {
-      dns_resolves_ex.push_back(host);
-      *output = dns_resolve_ex_result;
-      return !dns_resolve_ex_result.empty();
-    }
-
-    CHECK(false);
-    return false;
-  }
-
-  void OnError(int line_number, const base::string16& message) override {
-    // Helpful when debugging.
-    VLOG(1) << "PAC-error: [" << line_number << "] " << message;
-
-    errors.push_back(base::UTF16ToUTF8(message));
-    errors_line_number.push_back(line_number);
-  }
-
-  // Mock values to return.
-  std::string my_ip_address_result;
-  std::string my_ip_address_ex_result;
-  std::string dns_resolve_result;
-  std::string dns_resolve_ex_result;
-
-  // Inputs we got called with.
-  std::vector<std::string> alerts;
-  std::vector<std::string> errors;
-  std::vector<int> errors_line_number;
-  std::vector<std::string> dns_resolves;
-  std::vector<std::string> dns_resolves_ex;
-  int my_ip_address_count;
-  int my_ip_address_ex_count;
-
-  // Whether ResolveDns() should terminate script execution.
-  bool should_terminate;
-};
-
-class ProxyResolverV8Test : public TestWithTaskEnvironment {
- public:
-  // Creates a ProxyResolverV8 using the PAC script contained in |filename|. If
-  // called more than once, the previous ProxyResolverV8 is deleted.
-  int CreateResolver(const char* filename) {
-    base::FilePath path;
-    base::PathService::Get(base::DIR_SOURCE_ROOT, &path);
-    path = path.AppendASCII("net");
-    path = path.AppendASCII("data");
-    path = path.AppendASCII("proxy_resolver_v8_unittest");
-    path = path.AppendASCII(filename);
-
-    // Try to read the file from disk.
-    std::string file_contents;
-    bool ok = base::ReadFileToString(path, &file_contents);
-
-    // If we can't load the file from disk, something is misconfigured.
-    if (!ok) {
-      LOG(ERROR) << "Failed to read file: " << path.value();
-      return ERR_FAILED;
-    }
-
-    // Create the ProxyResolver using the PAC script.
-    return ProxyResolverV8::Create(PacFileData::FromUTF8(file_contents),
-                                   bindings(), &resolver_);
-  }
-
-  ProxyResolverV8& resolver() {
-    DCHECK(resolver_);
-    return *resolver_;
-  }
-
-  MockJSBindings* bindings() { return &js_bindings_; }
-
- private:
-  MockJSBindings js_bindings_;
-  std::unique_ptr<ProxyResolverV8> resolver_;
-};
-
-// Doesn't really matter what these values are for many of the tests.
-const GURL kQueryUrl("http://www.google.com");
-const GURL kPacUrl;
-
-TEST_F(ProxyResolverV8Test, Direct) {
-  ASSERT_THAT(CreateResolver("direct.js"), IsOk());
-
-  ProxyInfo proxy_info;
-  int result = resolver().GetProxyForURL(kQueryUrl, &proxy_info, bindings());
-
-  EXPECT_THAT(result, IsOk());
-  EXPECT_TRUE(proxy_info.is_direct());
-
-  EXPECT_EQ(0U, bindings()->alerts.size());
-  EXPECT_EQ(0U, bindings()->errors.size());
-}
-
-TEST_F(ProxyResolverV8Test, ReturnEmptyString) {
-  ASSERT_THAT(CreateResolver("return_empty_string.js"), IsOk());
-
-  ProxyInfo proxy_info;
-  int result = resolver().GetProxyForURL(kQueryUrl, &proxy_info, bindings());
-
-  EXPECT_THAT(result, IsOk());
-  EXPECT_TRUE(proxy_info.is_direct());
-
-  EXPECT_EQ(0U, bindings()->alerts.size());
-  EXPECT_EQ(0U, bindings()->errors.size());
-}
-
-TEST_F(ProxyResolverV8Test, Basic) {
-  ASSERT_THAT(CreateResolver("passthrough.js"), IsOk());
-
-  // The "FindProxyForURL" of this PAC script simply concatenates all of the
-  // arguments into a pseudo-host. The purpose of this test is to verify that
-  // the correct arguments are being passed to FindProxyForURL().
-  {
-    ProxyInfo proxy_info;
-    int result = resolver().GetProxyForURL(GURL("http://query.com/path"),
-                                           &proxy_info, bindings());
-    EXPECT_THAT(result, IsOk());
-    EXPECT_EQ("http.query.com.path.query.com:80",
-              proxy_info.proxy_server().ToURI());
-  }
-  {
-    ProxyInfo proxy_info;
-    int result = resolver().GetProxyForURL(GURL("ftp://query.com:90/path"),
-                                           &proxy_info, bindings());
-    EXPECT_THAT(result, IsOk());
-    // Note that FindProxyForURL(url, host) does not expect |host| to contain
-    // the port number.
-    EXPECT_EQ("ftp.query.com.90.path.query.com:80",
-              proxy_info.proxy_server().ToURI());
-
-    EXPECT_EQ(0U, bindings()->alerts.size());
-    EXPECT_EQ(0U, bindings()->errors.size());
-  }
-}
-
-TEST_F(ProxyResolverV8Test, BadReturnType) {
-  // These are the filenames of PAC scripts which each return a non-string
-  // types for FindProxyForURL(). They should all fail with
-  // ERR_PAC_SCRIPT_FAILED.
-  static const char* const filenames[] = {
-      "return_undefined.js",
-      "return_integer.js",
-      "return_function.js",
-      "return_object.js",
-      // TODO(eroman): Should 'null' be considered equivalent to "DIRECT" ?
-      "return_null.js"};
-
-  for (size_t i = 0; i < base::size(filenames); ++i) {
-    ASSERT_THAT(CreateResolver(filenames[i]), IsOk());
-
-    MockJSBindings bindings;
-    ProxyInfo proxy_info;
-    int result = resolver().GetProxyForURL(kQueryUrl, &proxy_info, &bindings);
-
-    EXPECT_THAT(result, IsError(ERR_PAC_SCRIPT_FAILED));
-
-    EXPECT_EQ(0U, bindings.alerts.size());
-    ASSERT_EQ(1U, bindings.errors.size());
-    EXPECT_EQ("FindProxyForURL() did not return a string.", bindings.errors[0]);
-    EXPECT_EQ(-1, bindings.errors_line_number[0]);
-  }
-}
-
-// Try using a PAC script which defines no "FindProxyForURL" function.
-TEST_F(ProxyResolverV8Test, NoEntryPoint) {
-  EXPECT_THAT(CreateResolver("no_entrypoint.js"),
-              IsError(ERR_PAC_SCRIPT_FAILED));
-
-  ASSERT_EQ(1U, bindings()->errors.size());
-  EXPECT_EQ("FindProxyForURL is undefined or not a function.",
-            bindings()->errors[0]);
-  EXPECT_EQ(-1, bindings()->errors_line_number[0]);
-}
-
-// Try loading a malformed PAC script.
-TEST_F(ProxyResolverV8Test, ParseError) {
-  EXPECT_THAT(CreateResolver("missing_close_brace.js"),
-              IsError(ERR_PAC_SCRIPT_FAILED));
-
-  EXPECT_EQ(0U, bindings()->alerts.size());
-
-  // We get one error during compilation.
-  ASSERT_EQ(1U, bindings()->errors.size());
-
-  EXPECT_EQ("Uncaught SyntaxError: Unexpected end of input",
-            bindings()->errors[0]);
-  EXPECT_EQ(7, bindings()->errors_line_number[0]);
-}
-
-// Run a PAC script several times, which has side-effects.
-TEST_F(ProxyResolverV8Test, SideEffects) {
-  ASSERT_THAT(CreateResolver("side_effects.js"), IsOk());
-
-  // The PAC script increments a counter each time we invoke it.
-  for (int i = 0; i < 3; ++i) {
-    ProxyInfo proxy_info;
-    int result = resolver().GetProxyForURL(kQueryUrl, &proxy_info, bindings());
-    EXPECT_THAT(result, IsOk());
-    EXPECT_EQ(base::StringPrintf("sideffect_%d:80", i),
-              proxy_info.proxy_server().ToURI());
-  }
-
-  // Reload the script -- the javascript environment should be reset, hence
-  // the counter starts over.
-  ASSERT_THAT(CreateResolver("side_effects.js"), IsOk());
-
-  for (int i = 0; i < 3; ++i) {
-    ProxyInfo proxy_info;
-    int result = resolver().GetProxyForURL(kQueryUrl, &proxy_info, bindings());
-    EXPECT_THAT(result, IsOk());
-    EXPECT_EQ(base::StringPrintf("sideffect_%d:80", i),
-              proxy_info.proxy_server().ToURI());
-  }
-}
-
-// Execute a PAC script which throws an exception in FindProxyForURL.
-TEST_F(ProxyResolverV8Test, UnhandledException) {
-  ASSERT_THAT(CreateResolver("unhandled_exception.js"), IsOk());
-
-  ProxyInfo proxy_info;
-  int result = resolver().GetProxyForURL(kQueryUrl, &proxy_info, bindings());
-
-  EXPECT_THAT(result, IsError(ERR_PAC_SCRIPT_FAILED));
-
-  EXPECT_EQ(0U, bindings()->alerts.size());
-  ASSERT_EQ(1U, bindings()->errors.size());
-  EXPECT_EQ("Uncaught ReferenceError: undefined_variable is not defined",
-            bindings()->errors[0]);
-  EXPECT_EQ(3, bindings()->errors_line_number[0]);
-}
-
-// Execute a PAC script which throws an exception when first accessing
-// FindProxyForURL
-TEST_F(ProxyResolverV8Test, ExceptionAccessingFindProxyForURLDuringInit) {
-  EXPECT_EQ(ERR_PAC_SCRIPT_FAILED,
-            CreateResolver("exception_findproxyforurl_during_init.js"));
-
-  ASSERT_EQ(2U, bindings()->errors.size());
-  EXPECT_EQ("Uncaught crash!", bindings()->errors[0]);
-  EXPECT_EQ(9, bindings()->errors_line_number[0]);
-  EXPECT_EQ("Accessing FindProxyForURL threw an exception.",
-            bindings()->errors[1]);
-  EXPECT_EQ(-1, bindings()->errors_line_number[1]);
-}
-
-// Execute a PAC script which throws an exception during the second access to
-// FindProxyForURL
-TEST_F(ProxyResolverV8Test, ExceptionAccessingFindProxyForURLDuringResolve) {
-  ASSERT_THAT(CreateResolver("exception_findproxyforurl_during_resolve.js"),
-              IsOk());
-
-  ProxyInfo proxy_info;
-  int result = resolver().GetProxyForURL(kQueryUrl, &proxy_info, bindings());
-
-  EXPECT_THAT(result, IsError(ERR_PAC_SCRIPT_FAILED));
-
-  ASSERT_EQ(2U, bindings()->errors.size());
-  EXPECT_EQ("Uncaught crash!", bindings()->errors[0]);
-  EXPECT_EQ(17, bindings()->errors_line_number[0]);
-  EXPECT_EQ("Accessing FindProxyForURL threw an exception.",
-            bindings()->errors[1]);
-  EXPECT_EQ(-1, bindings()->errors_line_number[1]);
-}
-
-TEST_F(ProxyResolverV8Test, ReturnUnicode) {
-  ASSERT_THAT(CreateResolver("return_unicode.js"), IsOk());
-
-  ProxyInfo proxy_info;
-  int result = resolver().GetProxyForURL(kQueryUrl, &proxy_info, bindings());
-
-  // The result from this resolve was unparseable, because it
-  // wasn't ASCII.
-  EXPECT_THAT(result, IsError(ERR_PAC_SCRIPT_FAILED));
-}
-
-// Test the PAC library functions that we expose in the JS environment.
-TEST_F(ProxyResolverV8Test, JavascriptLibrary) {
-  ASSERT_THAT(CreateResolver("pac_library_unittest.js"), IsOk());
-
-  ProxyInfo proxy_info;
-  int result = resolver().GetProxyForURL(kQueryUrl, &proxy_info, bindings());
-
-  // If the javascript side of this unit-test fails, it will throw a javascript
-  // exception. Otherwise it will return "PROXY success:80".
-  EXPECT_THAT(bindings()->alerts, IsEmpty());
-  EXPECT_THAT(bindings()->errors, IsEmpty());
-
-  ASSERT_THAT(result, IsOk());
-  EXPECT_EQ("success:80", proxy_info.proxy_server().ToURI());
-}
-
-// Test marshalling/un-marshalling of values between C++/V8.
-TEST_F(ProxyResolverV8Test, V8Bindings) {
-  ASSERT_THAT(CreateResolver("bindings.js"), IsOk());
-  bindings()->dns_resolve_result = "127.0.0.1";
-
-  ProxyInfo proxy_info;
-  int result = resolver().GetProxyForURL(kQueryUrl, &proxy_info, bindings());
-
-  EXPECT_THAT(result, IsOk());
-  EXPECT_TRUE(proxy_info.is_direct());
-
-  EXPECT_EQ(0U, bindings()->errors.size());
-
-  // Alert was called 5 times.
-  ASSERT_EQ(5U, bindings()->alerts.size());
-  EXPECT_EQ("undefined", bindings()->alerts[0]);
-  EXPECT_EQ("null", bindings()->alerts[1]);
-  EXPECT_EQ("undefined", bindings()->alerts[2]);
-  EXPECT_EQ("[object Object]", bindings()->alerts[3]);
-  EXPECT_EQ("exception from calling toString()", bindings()->alerts[4]);
-
-  // DnsResolve was called 8 times, however only 2 of those were string
-  // parameters. (so 6 of them failed immediately).
-  ASSERT_EQ(2U, bindings()->dns_resolves.size());
-  EXPECT_EQ("", bindings()->dns_resolves[0]);
-  EXPECT_EQ("arg1", bindings()->dns_resolves[1]);
-
-  // MyIpAddress was called two times.
-  EXPECT_EQ(2, bindings()->my_ip_address_count);
-
-  // MyIpAddressEx was called once.
-  EXPECT_EQ(1, bindings()->my_ip_address_ex_count);
-
-  // DnsResolveEx was called 2 times.
-  ASSERT_EQ(2U, bindings()->dns_resolves_ex.size());
-  EXPECT_EQ("is_resolvable", bindings()->dns_resolves_ex[0]);
-  EXPECT_EQ("foobar", bindings()->dns_resolves_ex[1]);
-}
-
-// Test calling a binding (myIpAddress()) from the script's global scope.
-// http://crbug.com/40026
-TEST_F(ProxyResolverV8Test, BindingCalledDuringInitialization) {
-  ASSERT_THAT(CreateResolver("binding_from_global.js"), IsOk());
-
-  // myIpAddress() got called during initialization of the script.
-  EXPECT_EQ(1, bindings()->my_ip_address_count);
-
-  ProxyInfo proxy_info;
-  int result = resolver().GetProxyForURL(kQueryUrl, &proxy_info, bindings());
-
-  EXPECT_THAT(result, IsOk());
-  EXPECT_FALSE(proxy_info.is_direct());
-  EXPECT_EQ("127.0.0.1:80", proxy_info.proxy_server().ToURI());
-
-  // Check that no other bindings were called.
-  EXPECT_EQ(0U, bindings()->errors.size());
-  ASSERT_EQ(0U, bindings()->alerts.size());
-  ASSERT_EQ(0U, bindings()->dns_resolves.size());
-  EXPECT_EQ(0, bindings()->my_ip_address_ex_count);
-  ASSERT_EQ(0U, bindings()->dns_resolves_ex.size());
-}
-
-// Try loading a PAC script that ends with a comment and has no terminal
-// newline. This should not cause problems with the PAC utility functions
-// that we add to the script's environment.
-// http://crbug.com/22864
-TEST_F(ProxyResolverV8Test, EndsWithCommentNoNewline) {
-  ASSERT_THAT(CreateResolver("ends_with_comment.js"), IsOk());
-
-  ProxyInfo proxy_info;
-  int result = resolver().GetProxyForURL(kQueryUrl, &proxy_info, bindings());
-
-  EXPECT_THAT(result, IsOk());
-  EXPECT_FALSE(proxy_info.is_direct());
-  EXPECT_EQ("success:80", proxy_info.proxy_server().ToURI());
-}
-
-// Try loading a PAC script that ends with a statement and has no terminal
-// newline. This should not cause problems with the PAC utility functions
-// that we add to the script's environment.
-// http://crbug.com/22864
-TEST_F(ProxyResolverV8Test, EndsWithStatementNoNewline) {
-  ASSERT_THAT(CreateResolver("ends_with_statement_no_semicolon.js"), IsOk());
-
-  ProxyInfo proxy_info;
-  int result = resolver().GetProxyForURL(kQueryUrl, &proxy_info, bindings());
-
-  EXPECT_THAT(result, IsOk());
-  EXPECT_FALSE(proxy_info.is_direct());
-  EXPECT_EQ("success:3", proxy_info.proxy_server().ToURI());
-}
-
-// Test the return values from myIpAddress(), myIpAddressEx(), dnsResolve(),
-// dnsResolveEx(), isResolvable(), isResolvableEx(), when the the binding
-// returns empty string (failure). This simulates the return values from
-// those functions when the underlying DNS resolution fails.
-TEST_F(ProxyResolverV8Test, DNSResolutionFailure) {
-  ASSERT_THAT(CreateResolver("dns_fail.js"), IsOk());
-
-  ProxyInfo proxy_info;
-  int result = resolver().GetProxyForURL(kQueryUrl, &proxy_info, bindings());
-
-  EXPECT_THAT(result, IsOk());
-  EXPECT_FALSE(proxy_info.is_direct());
-  EXPECT_EQ("success:80", proxy_info.proxy_server().ToURI());
-}
-
-TEST_F(ProxyResolverV8Test, DNSResolutionOfInternationDomainName) {
-  ASSERT_THAT(CreateResolver("international_domain_names.js"), IsOk());
-
-  // Execute FindProxyForURL().
-  ProxyInfo proxy_info;
-  int result = resolver().GetProxyForURL(kQueryUrl, &proxy_info, bindings());
-
-  EXPECT_THAT(result, IsOk());
-  EXPECT_TRUE(proxy_info.is_direct());
-
-  // Check that the international domain name was converted to punycode
-  // before passing it onto the bindings layer.
-  ASSERT_EQ(1u, bindings()->dns_resolves.size());
-  EXPECT_EQ("xn--bcher-kva.ch", bindings()->dns_resolves[0]);
-
-  ASSERT_EQ(1u, bindings()->dns_resolves_ex.size());
-  EXPECT_EQ("xn--bcher-kva.ch", bindings()->dns_resolves_ex[0]);
-}
-
-// Test that when resolving a URL which contains an IPv6 string literal, the
-// brackets are removed from the host before passing it down to the PAC script.
-// If we don't do this, then subsequent calls to dnsResolveEx(host) will be
-// doomed to fail since it won't correspond with a valid name.
-TEST_F(ProxyResolverV8Test, IPv6HostnamesNotBracketed) {
-  ASSERT_THAT(CreateResolver("resolve_host.js"), IsOk());
-
-  ProxyInfo proxy_info;
-  int result = resolver().GetProxyForURL(
-      GURL("http://[abcd::efff]:99/watsupdawg"), &proxy_info, bindings());
-
-  EXPECT_THAT(result, IsOk());
-  EXPECT_TRUE(proxy_info.is_direct());
-
-  // We called dnsResolveEx() exactly once, by passing through the "host"
-  // argument to FindProxyForURL(). The brackets should have been stripped.
-  ASSERT_EQ(1U, bindings()->dns_resolves_ex.size());
-  EXPECT_EQ("abcd::efff", bindings()->dns_resolves_ex[0]);
-}
-
-// Test that terminating a script within DnsResolve() leads to eventual
-// termination of the script. Also test that repeatedly calling terminate is
-// safe, and running the script again after termination still works.
-TEST_F(ProxyResolverV8Test, Terminate) {
-  ASSERT_THAT(CreateResolver("terminate.js"), IsOk());
-
-  // Terminate script execution upon reaching dnsResolve(). Note that
-  // termination may not take effect right away (so the subsequent dnsResolve()
-  // and alert() may be run).
-  bindings()->should_terminate = true;
-
-  ProxyInfo proxy_info;
-  int result =
-      resolver().GetProxyForURL(GURL("http://hang/"), &proxy_info, bindings());
-
-  // The script execution was terminated.
-  EXPECT_THAT(result, IsError(ERR_PAC_SCRIPT_FAILED));
-
-  EXPECT_EQ(1U, bindings()->dns_resolves.size());
-  EXPECT_GE(2U, bindings()->dns_resolves_ex.size());
-  EXPECT_GE(1U, bindings()->alerts.size());
-
-  EXPECT_EQ(1U, bindings()->errors.size());
-
-  // Termination shows up as an uncaught exception without any message.
-  EXPECT_EQ("", bindings()->errors[0]);
-
-  bindings()->errors.clear();
-
-  // Try running the script again, this time with a different input which won't
-  // cause a termination+hang.
-  result = resolver().GetProxyForURL(GURL("http://kittens/"), &proxy_info,
-                                     bindings());
-
-  EXPECT_THAT(result, IsOk());
-  EXPECT_EQ(0u, bindings()->errors.size());
-  EXPECT_EQ("kittens:88", proxy_info.proxy_server().ToURI());
-}
-
-}  // namespace
-}  // namespace net
diff --git a/chromium/net/proxy_resolution/proxy_resolver_winhttp.cc b/chromium/net/proxy_resolution/proxy_resolver_winhttp.cc
index 58012bc631e..e7ceb891e8c 100644
--- a/chromium/net/proxy_resolution/proxy_resolver_winhttp.cc
+++ b/chromium/net/proxy_resolution/proxy_resolver_winhttp.cc
@@ -57,6 +57,7 @@ class ProxyResolverWinHttp : public ProxyResolver {
 
   // ProxyResolver implementation:
   int GetProxyForURL(const GURL& url,
+                     const NetworkIsolationKey& network_isolation_key,
                      ProxyInfo* results,
                      CompletionOnceCallback /*callback*/,
                      std::unique_ptr<Request>* /*request*/,
@@ -85,11 +86,13 @@ ProxyResolverWinHttp::~ProxyResolverWinHttp() {
   CloseWinHttpSession();
 }
 
-int ProxyResolverWinHttp::GetProxyForURL(const GURL& query_url,
-                                         ProxyInfo* results,
-                                         CompletionOnceCallback /*callback*/,
-                                         std::unique_ptr<Request>* /*request*/,
-                                         const NetLogWithSource& /*net_log*/) {
+int ProxyResolverWinHttp::GetProxyForURL(
+    const GURL& query_url,
+    const NetworkIsolationKey& network_isolation_key,
+    ProxyInfo* results,
+    CompletionOnceCallback /*callback*/,
+    std::unique_ptr<Request>* /*request*/,
+    const NetLogWithSource& /*net_log*/) {
   // If we don't have a WinHTTP session, then create a new one.
   if (!session_handle_ && !OpenWinHttpSession())
     return ERR_FAILED;
diff --git a/chromium/net/quic/bidirectional_stream_quic_impl.cc b/chromium/net/quic/bidirectional_stream_quic_impl.cc
index 19a6549ffad..a48cb346a69 100644
--- a/chromium/net/quic/bidirectional_stream_quic_impl.cc
+++ b/chromium/net/quic/bidirectional_stream_quic_impl.cc
@@ -216,7 +216,7 @@ int64_t BidirectionalStreamQuicImpl::GetTotalReceivedBytes() const {
   // When QPACK is enabled, headers are sent and received on the stream, so
   // the headers bytes do not need to be accounted for independently.
   int64_t total_received_bytes =
-      quic::VersionUsesHttp3(session_->GetQuicVersion())
+      quic::VersionUsesHttp3(session_->GetQuicVersion().transport_version)
           ? 0
           : headers_bytes_received_;
   if (stream_) {
@@ -232,9 +232,10 @@ int64_t BidirectionalStreamQuicImpl::GetTotalReceivedBytes() const {
 int64_t BidirectionalStreamQuicImpl::GetTotalSentBytes() const {
   // When QPACK is enabled, headers are sent and received on the stream, so
   // the headers bytes do not need to be accounted for independently.
-  int64_t total_sent_bytes = quic::VersionUsesHttp3(session_->GetQuicVersion())
-                                 ? 0
-                                 : headers_bytes_sent_;
+  int64_t total_sent_bytes =
+      quic::VersionUsesHttp3(session_->GetQuicVersion().transport_version)
+          ? 0
+          : headers_bytes_sent_;
   if (stream_) {
     total_sent_bytes += stream_->stream_bytes_written();
   } else {
diff --git a/chromium/net/quic/bidirectional_stream_quic_impl_unittest.cc b/chromium/net/quic/bidirectional_stream_quic_impl_unittest.cc
index 70b02f55403..cb4506c0333 100644
--- a/chromium/net/quic/bidirectional_stream_quic_impl_unittest.cc
+++ b/chromium/net/quic/bidirectional_stream_quic_impl_unittest.cc
@@ -99,11 +99,8 @@ std::vector<TestParams> GetTestParams() {
   quic::ParsedQuicVersionVector all_supported_versions =
       quic::AllSupportedVersions();
   for (const auto& version : all_supported_versions) {
-    // TODO(rch): crbug.com/978745 - Make this work with TLS
-    if (version.handshake_protocol != quic::PROTOCOL_TLS1_3) {
-      params.push_back(TestParams{version, false});
-      params.push_back(TestParams{version, true});
-    }
+    params.push_back(TestParams{version, false});
+    params.push_back(TestParams{version, true});
   }
   return params;
 }
@@ -473,16 +470,21 @@ class BidirectionalStreamQuicImplTest
   }
 
   ~BidirectionalStreamQuicImplTest() {
-    session_->CloseSessionOnError(ERR_ABORTED, quic::QUIC_INTERNAL_ERROR,
-                                  quic::ConnectionCloseBehavior::SILENT_CLOSE);
+    if (session_) {
+      session_->CloseSessionOnError(
+          ERR_ABORTED, quic::QUIC_INTERNAL_ERROR,
+          quic::ConnectionCloseBehavior::SILENT_CLOSE);
+    }
     for (size_t i = 0; i < writes_.size(); i++) {
       delete writes_[i].packet;
     }
   }
 
   void TearDown() override {
-    EXPECT_TRUE(socket_data_->AllReadDataConsumed());
-    EXPECT_TRUE(socket_data_->AllWriteDataConsumed());
+    if (socket_data_) {
+      EXPECT_TRUE(socket_data_->AllReadDataConsumed());
+      EXPECT_TRUE(socket_data_->AllWriteDataConsumed());
+    }
   }
 
   // Adds a packet to the list of expected writes.
@@ -816,7 +818,7 @@ class BidirectionalStreamQuicImplTest
     ExpectLoadTimingHasOnlyConnectionTimes(load_timing_info);
   }
 
-  const BoundTestNetLog& net_log() const { return net_log_; }
+  const RecordingBoundTestNetLog& net_log() const { return net_log_; }
 
   QuicChromiumClientSession* session() const { return session_.get(); }
 
@@ -829,9 +831,9 @@ class BidirectionalStreamQuicImplTest
     if (version_.transport_version != quic::QUIC_VERSION_99) {
       return "";
     }
-    quic::HttpEncoder encoder;
     std::unique_ptr<char[]> buffer;
-    auto header_length = encoder.SerializeDataFrameHeader(body_len, &buffer);
+    auto header_length =
+        quic::HttpEncoder::SerializeDataFrameHeader(body_len, &buffer);
     return std::string(buffer.get(), header_length);
   }
 
@@ -839,7 +841,7 @@ class BidirectionalStreamQuicImplTest
   QuicFlagSaver saver_;
   const quic::ParsedQuicVersion version_;
   const bool client_headers_include_h2_stream_dependency_;
-  BoundTestNetLog net_log_;
+  RecordingBoundTestNetLog net_log_;
   scoped_refptr<TestTaskRunner> runner_;
   std::unique_ptr<MockWrite[]> mock_writes_;
   quic::MockClock clock_;
@@ -875,6 +877,11 @@ INSTANTIATE_TEST_SUITE_P(Version,
                          ::testing::PrintToStringParamName());
 
 TEST_P(BidirectionalStreamQuicImplTest, GetRequest) {
+  if (version_.handshake_protocol == quic::PROTOCOL_TLS1_3) {
+    // QUIC with TLS1.3 handshake doesn't support 0-rtt.
+    return;
+  }
+
   SetRequest("GET", "/", DEFAULT_PRIORITY);
   size_t spdy_request_headers_frame_length;
   client_maker_.SetEncryptionLevel(quic::ENCRYPTION_ZERO_RTT);
@@ -979,6 +986,11 @@ TEST_P(BidirectionalStreamQuicImplTest, GetRequest) {
 }
 
 TEST_P(BidirectionalStreamQuicImplTest, LoadTimingTwoRequests) {
+  if (version_.handshake_protocol == quic::PROTOCOL_TLS1_3) {
+    // QUIC with TLS1.3 handshake doesn't support 0-rtt.
+    return;
+  }
+
   SetRequest("GET", "/", DEFAULT_PRIORITY);
   client_maker_.SetEncryptionLevel(quic::ENCRYPTION_ZERO_RTT);
   if (VersionUsesHttp3(version_.transport_version))
@@ -1053,6 +1065,10 @@ TEST_P(BidirectionalStreamQuicImplTest, LoadTimingTwoRequests) {
 // Tests that when request headers are not delayed, only data buffers are
 // coalesced.
 TEST_P(BidirectionalStreamQuicImplTest, CoalesceDataBuffersNotHeadersFrame) {
+  if (version_.handshake_protocol == quic::PROTOCOL_TLS1_3) {
+    // QUIC with TLS1.3 handshake doesn't support 0-rtt.
+    return;
+  }
   SetRequest("POST", "/", DEFAULT_PRIORITY);
   size_t spdy_request_headers_frame_length;
   client_maker_.SetEncryptionLevel(quic::ENCRYPTION_ZERO_RTT);
@@ -1195,6 +1211,11 @@ TEST_P(BidirectionalStreamQuicImplTest, CoalesceDataBuffersNotHeadersFrame) {
 // request headers with data buffers.
 TEST_P(BidirectionalStreamQuicImplTest,
        SendDataCoalesceDataBufferAndHeaderFrame) {
+  if (version_.handshake_protocol == quic::PROTOCOL_TLS1_3) {
+    // QUIC with TLS1.3 handshake doesn't support 0-rtt.
+    return;
+  }
+
   SetRequest("POST", "/", DEFAULT_PRIORITY);
   size_t spdy_request_headers_frame_length;
   client_maker_.SetEncryptionLevel(quic::ENCRYPTION_ZERO_RTT);
@@ -1312,6 +1333,11 @@ TEST_P(BidirectionalStreamQuicImplTest,
 // request headers with data buffers.
 TEST_P(BidirectionalStreamQuicImplTest,
        SendvDataCoalesceDataBuffersAndHeaderFrame) {
+  if (version_.handshake_protocol == quic::PROTOCOL_TLS1_3) {
+    // QUIC with TLS1.3 handshake doesn't support 0-rtt.
+    return;
+  }
+
   SetRequest("POST", "/", DEFAULT_PRIORITY);
   size_t spdy_request_headers_frame_length;
   client_maker_.SetEncryptionLevel(quic::ENCRYPTION_ZERO_RTT);
@@ -1448,6 +1474,11 @@ TEST_P(BidirectionalStreamQuicImplTest,
 // headers to be sent, if that write fails the stream does not crash.
 TEST_P(BidirectionalStreamQuicImplTest,
        SendDataWriteErrorCoalesceDataBufferAndHeaderFrame) {
+  if (version_.handshake_protocol == quic::PROTOCOL_TLS1_3) {
+    // QUIC with TLS1.3 handshake doesn't support 0-rtt.
+    return;
+  }
+
   client_maker_.SetEncryptionLevel(quic::ENCRYPTION_ZERO_RTT);
   if (VersionUsesHttp3(version_.transport_version))
     AddWrite(ConstructInitialSettingsPacket());
@@ -1485,6 +1516,10 @@ TEST_P(BidirectionalStreamQuicImplTest,
 // headers to be sent, if that write fails the stream does not crash.
 TEST_P(BidirectionalStreamQuicImplTest,
        SendvDataWriteErrorCoalesceDataBufferAndHeaderFrame) {
+  if (version_.handshake_protocol == quic::PROTOCOL_TLS1_3) {
+    // QUIC with TLS1.3 handshake doesn't support 0-rtt.
+    return;
+  }
   client_maker_.SetEncryptionLevel(quic::ENCRYPTION_ZERO_RTT);
   if (VersionUsesHttp3(version_.transport_version))
     AddWrite(ConstructInitialSettingsPacket());
@@ -1523,6 +1558,11 @@ TEST_P(BidirectionalStreamQuicImplTest,
 }
 
 TEST_P(BidirectionalStreamQuicImplTest, PostRequest) {
+  if (version_.handshake_protocol == quic::PROTOCOL_TLS1_3) {
+    // QUIC with TLS1.3 handshake doesn't support 0-rtt.
+    return;
+  }
+
   SetRequest("POST", "/", DEFAULT_PRIORITY);
   size_t spdy_request_headers_frame_length;
   client_maker_.SetEncryptionLevel(quic::ENCRYPTION_ZERO_RTT);
@@ -1619,6 +1659,11 @@ TEST_P(BidirectionalStreamQuicImplTest, PostRequest) {
 }
 
 TEST_P(BidirectionalStreamQuicImplTest, EarlyDataOverrideRequest) {
+  if (version_.handshake_protocol == quic::PROTOCOL_TLS1_3) {
+    // QUIC with TLS1.3 handshake doesn't support 0-rtt.
+    return;
+  }
+
   SetRequest("PUT", "/", DEFAULT_PRIORITY);
   size_t spdy_request_headers_frame_length;
   client_maker_.SetEncryptionLevel(quic::ENCRYPTION_ZERO_RTT);
@@ -1716,6 +1761,11 @@ TEST_P(BidirectionalStreamQuicImplTest, EarlyDataOverrideRequest) {
 }
 
 TEST_P(BidirectionalStreamQuicImplTest, InterleaveReadDataAndSendData) {
+  if (version_.handshake_protocol == quic::PROTOCOL_TLS1_3) {
+    // QUIC with TLS1.3 handshake doesn't support 0-rtt.
+    return;
+  }
+
   SetRequest("POST", "/", DEFAULT_PRIORITY);
   size_t spdy_request_headers_frame_length;
   client_maker_.SetEncryptionLevel(quic::ENCRYPTION_ZERO_RTT);
@@ -1824,6 +1874,11 @@ TEST_P(BidirectionalStreamQuicImplTest, InterleaveReadDataAndSendData) {
 }
 
 TEST_P(BidirectionalStreamQuicImplTest, ServerSendsRstAfterHeaders) {
+  if (version_.handshake_protocol == quic::PROTOCOL_TLS1_3) {
+    // QUIC with TLS1.3 handshake doesn't support 0-rtt.
+    return;
+  }
+
   SetRequest("GET", "/", DEFAULT_PRIORITY);
   size_t spdy_request_headers_frame_length;
   client_maker_.SetEncryptionLevel(quic::ENCRYPTION_ZERO_RTT);
@@ -1870,6 +1925,11 @@ TEST_P(BidirectionalStreamQuicImplTest, ServerSendsRstAfterHeaders) {
 }
 
 TEST_P(BidirectionalStreamQuicImplTest, ServerSendsRstAfterReadData) {
+  if (version_.handshake_protocol == quic::PROTOCOL_TLS1_3) {
+    // QUIC with TLS1.3 handshake doesn't support 0-rtt.
+    return;
+  }
+
   SetRequest("GET", "/", DEFAULT_PRIORITY);
   size_t spdy_request_headers_frame_length;
   client_maker_.SetEncryptionLevel(quic::ENCRYPTION_ZERO_RTT);
@@ -1934,6 +1994,11 @@ TEST_P(BidirectionalStreamQuicImplTest, ServerSendsRstAfterReadData) {
 }
 
 TEST_P(BidirectionalStreamQuicImplTest, SessionClosedBeforeReadData) {
+  if (version_.handshake_protocol == quic::PROTOCOL_TLS1_3) {
+    // QUIC with TLS1.3 handshake doesn't support 0-rtt.
+    return;
+  }
+
   SetRequest("POST", "/", DEFAULT_PRIORITY);
   size_t spdy_request_headers_frame_length;
   client_maker_.SetEncryptionLevel(quic::ENCRYPTION_ZERO_RTT);
@@ -2046,6 +2111,11 @@ TEST_P(BidirectionalStreamQuicImplTest, SessionClosedBeforeStartNotConfirmed) {
 }
 
 TEST_P(BidirectionalStreamQuicImplTest, SessionCloseDuringOnStreamReady) {
+  if (version_.handshake_protocol == quic::PROTOCOL_TLS1_3) {
+    // QUIC with TLS1.3 handshake doesn't support 0-rtt.
+    return;
+  }
+
   SetRequest("POST", "/", DEFAULT_PRIORITY);
   client_maker_.SetEncryptionLevel(quic::ENCRYPTION_ZERO_RTT);
   if (VersionUsesHttp3(version_.transport_version))
@@ -2074,6 +2144,11 @@ TEST_P(BidirectionalStreamQuicImplTest, SessionCloseDuringOnStreamReady) {
 }
 
 TEST_P(BidirectionalStreamQuicImplTest, DeleteStreamDuringOnStreamReady) {
+  if (version_.handshake_protocol == quic::PROTOCOL_TLS1_3) {
+    // QUIC with TLS1.3 handshake doesn't support 0-rtt.
+    return;
+  }
+
   SetRequest("POST", "/", DEFAULT_PRIORITY);
   size_t spdy_request_headers_frame_length;
   client_maker_.SetEncryptionLevel(quic::ENCRYPTION_ZERO_RTT);
@@ -2108,6 +2183,11 @@ TEST_P(BidirectionalStreamQuicImplTest, DeleteStreamDuringOnStreamReady) {
 }
 
 TEST_P(BidirectionalStreamQuicImplTest, DeleteStreamAfterReadData) {
+  if (version_.handshake_protocol == quic::PROTOCOL_TLS1_3) {
+    // QUIC with TLS1.3 handshake doesn't support 0-rtt.
+    return;
+  }
+
   SetRequest("POST", "/", DEFAULT_PRIORITY);
   size_t spdy_request_headers_frame_length;
   client_maker_.SetEncryptionLevel(quic::ENCRYPTION_ZERO_RTT);
@@ -2166,6 +2246,11 @@ TEST_P(BidirectionalStreamQuicImplTest, DeleteStreamAfterReadData) {
 }
 
 TEST_P(BidirectionalStreamQuicImplTest, DeleteStreamDuringOnHeadersReceived) {
+  if (version_.handshake_protocol == quic::PROTOCOL_TLS1_3) {
+    // QUIC with TLS1.3 handshake doesn't support 0-rtt.
+    return;
+  }
+
   SetRequest("POST", "/", DEFAULT_PRIORITY);
   size_t spdy_request_headers_frame_length;
   client_maker_.SetEncryptionLevel(quic::ENCRYPTION_ZERO_RTT);
@@ -2216,6 +2301,11 @@ TEST_P(BidirectionalStreamQuicImplTest, DeleteStreamDuringOnHeadersReceived) {
 }
 
 TEST_P(BidirectionalStreamQuicImplTest, DeleteStreamDuringOnDataRead) {
+  if (version_.handshake_protocol == quic::PROTOCOL_TLS1_3) {
+    // QUIC with TLS1.3 handshake doesn't support 0-rtt.
+    return;
+  }
+
   SetRequest("POST", "/", DEFAULT_PRIORITY);
   size_t spdy_request_headers_frame_length;
   client_maker_.SetEncryptionLevel(quic::ENCRYPTION_ZERO_RTT);
@@ -2277,6 +2367,11 @@ TEST_P(BidirectionalStreamQuicImplTest, DeleteStreamDuringOnDataRead) {
 }
 
 TEST_P(BidirectionalStreamQuicImplTest, AsyncFinRead) {
+  if (version_.handshake_protocol == quic::PROTOCOL_TLS1_3) {
+    // QUIC with TLS1.3 handshake doesn't support 0-rtt.
+    return;
+  }
+
   const char kBody[] = "here is some data";
   SetRequest("POST", "/", DEFAULT_PRIORITY);
   size_t spdy_request_headers_frame_length;
@@ -2356,6 +2451,11 @@ TEST_P(BidirectionalStreamQuicImplTest, AsyncFinRead) {
 }
 
 TEST_P(BidirectionalStreamQuicImplTest, DeleteStreamDuringOnTrailersReceived) {
+  if (version_.handshake_protocol == quic::PROTOCOL_TLS1_3) {
+    // QUIC with TLS1.3 handshake doesn't support 0-rtt.
+    return;
+  }
+
   SetRequest("GET", "/", DEFAULT_PRIORITY);
   size_t spdy_request_headers_frame_length;
   client_maker_.SetEncryptionLevel(quic::ENCRYPTION_ZERO_RTT);
diff --git a/chromium/net/quic/crypto/proof_test_chromium.cc b/chromium/net/quic/crypto/proof_test_chromium.cc
index b6a3919d745..2f74582fa07 100644
--- a/chromium/net/quic/crypto/proof_test_chromium.cc
+++ b/chromium/net/quic/crypto/proof_test_chromium.cc
@@ -117,16 +117,14 @@ class TestCallback : public quic::ProofSource::Callback {
   quic::QuicCryptoProof* proof_;
 };
 
-class ProofTest : public ::testing::TestWithParam<quic::QuicTransportVersion> {
-};
+class ProofTest : public ::testing::TestWithParam<quic::ParsedQuicVersion> {};
 
 }  // namespace
 
-INSTANTIATE_TEST_SUITE_P(
-    QuicTransportVersion,
-    ProofTest,
-    ::testing::ValuesIn(quic::AllSupportedTransportVersions()),
-    ::testing::PrintToStringParamName());
+INSTANTIATE_TEST_SUITE_P(QuicTransportVersion,
+                         ProofTest,
+                         ::testing::ValuesIn(quic::AllSupportedVersions()),
+                         ::testing::PrintToStringParamName());
 
 TEST_P(ProofTest, Verify) {
   std::unique_ptr<quic::ProofSource> source(
@@ -139,7 +137,7 @@ TEST_P(ProofTest, Verify) {
   const uint16_t port = 8443;
   const string first_chlo_hash = "first chlo hash bytes";
   const string second_chlo_hash = "first chlo hash bytes";
-  const quic::QuicTransportVersion quic_version = GetParam();
+  const quic::QuicTransportVersion quic_version = GetParam().transport_version;
 
   bool called = false;
   bool first_called = false;
@@ -285,8 +283,8 @@ TEST_P(ProofTest, UseAfterFree) {
 
   // GetProof here expects the async method to invoke the callback
   // synchronously.
-  source->GetProof(server_addr, hostname, server_config, GetParam(), chlo_hash,
-                   std::move(cb));
+  source->GetProof(server_addr, hostname, server_config,
+                   GetParam().transport_version, chlo_hash, std::move(cb));
   ASSERT_TRUE(called);
   ASSERT_TRUE(ok);
 
diff --git a/chromium/net/quic/crypto/proof_verifier_chromium.cc b/chromium/net/quic/crypto/proof_verifier_chromium.cc
index d806652a9fe..79b6fc0216f 100644
--- a/chromium/net/quic/crypto/proof_verifier_chromium.cc
+++ b/chromium/net/quic/crypto/proof_verifier_chromium.cc
@@ -511,6 +511,7 @@ int ProofVerifierChromium::Job::DoVerifyCertComplete(int result) {
 
   verify_details_->is_fatal_cert_error =
       IsCertStatusError(cert_status) &&
+      result != ERR_CERT_KNOWN_INTERCEPTION_BLOCKED &&
       transport_security_state_->ShouldSSLErrorsBeFatal(hostname_);
 
   if (result != OK) {
diff --git a/chromium/net/quic/crypto/proof_verifier_chromium_test.cc b/chromium/net/quic/crypto/proof_verifier_chromium_test.cc
index 723bd1849fc..867158d59c5 100644
--- a/chromium/net/quic/crypto/proof_verifier_chromium_test.cc
+++ b/chromium/net/quic/crypto/proof_verifier_chromium_test.cc
@@ -149,7 +149,7 @@ class ProofVerifierChromiumTest : public ::testing::Test {
                       base::FilePath());
     std::string signature;
     source.GetProof(quic::QuicSocketAddress(), kTestHostname, kTestConfig,
-                    quic::QUIC_VERSION_39, kTestChloHash,
+                    quic::QUIC_VERSION_43, kTestChloHash,
                     std::make_unique<SignatureSaver>(&signature));
     return signature;
   }
@@ -207,7 +207,7 @@ TEST_F(ProofVerifierChromiumTest, VerifyProof) {
   std::unique_ptr<DummyProofVerifierCallback> callback(
       new DummyProofVerifierCallback);
   quic::QuicAsyncStatus status = proof_verifier.VerifyProof(
-      kTestHostname, kTestPort, kTestConfig, quic::QUIC_VERSION_39,
+      kTestHostname, kTestPort, kTestConfig, quic::QUIC_VERSION_43,
       kTestChloHash, certs_, kTestEmptySCT, GetTestSignature(),
       verify_context_.get(), &error_details_, &details_, std::move(callback));
   ASSERT_EQ(quic::QUIC_SUCCESS, status);
@@ -230,7 +230,7 @@ TEST_F(ProofVerifierChromiumTest, FailsIfCertFails) {
   std::unique_ptr<DummyProofVerifierCallback> callback(
       new DummyProofVerifierCallback);
   quic::QuicAsyncStatus status = proof_verifier.VerifyProof(
-      kTestHostname, kTestPort, kTestConfig, quic::QUIC_VERSION_39,
+      kTestHostname, kTestPort, kTestConfig, quic::QUIC_VERSION_43,
       kTestChloHash, certs_, kTestEmptySCT, GetTestSignature(),
       verify_context_.get(), &error_details_, &details_, std::move(callback));
   ASSERT_EQ(quic::QUIC_FAILURE, status);
@@ -250,7 +250,7 @@ TEST_F(ProofVerifierChromiumTest, ValidSCTList) {
   std::unique_ptr<DummyProofVerifierCallback> callback(
       new DummyProofVerifierCallback);
   quic::QuicAsyncStatus status = proof_verifier.VerifyProof(
-      kTestHostname, kTestPort, kTestConfig, quic::QUIC_VERSION_39,
+      kTestHostname, kTestPort, kTestConfig, quic::QUIC_VERSION_43,
       kTestChloHash, certs_, ct::GetSCTListForTesting(), kTestEmptySCT,
       verify_context_.get(), &error_details_, &details_, std::move(callback));
   ASSERT_EQ(quic::QUIC_FAILURE, status);
@@ -270,7 +270,7 @@ TEST_F(ProofVerifierChromiumTest, InvalidSCTList) {
   std::unique_ptr<DummyProofVerifierCallback> callback(
       new DummyProofVerifierCallback);
   quic::QuicAsyncStatus status = proof_verifier.VerifyProof(
-      kTestHostname, kTestPort, kTestConfig, quic::QUIC_VERSION_39,
+      kTestHostname, kTestPort, kTestConfig, quic::QUIC_VERSION_43,
       kTestChloHash, certs_, ct::GetSCTListWithInvalidSCT(), kTestEmptySCT,
       verify_context_.get(), &error_details_, &details_, std::move(callback));
   ASSERT_EQ(quic::QUIC_FAILURE, status);
@@ -288,7 +288,7 @@ TEST_F(ProofVerifierChromiumTest, FailsIfSignatureFails) {
   std::unique_ptr<DummyProofVerifierCallback> callback(
       new DummyProofVerifierCallback);
   quic::QuicAsyncStatus status = proof_verifier.VerifyProof(
-      kTestHostname, kTestPort, kTestConfig, quic::QUIC_VERSION_39,
+      kTestHostname, kTestPort, kTestConfig, quic::QUIC_VERSION_43,
       kTestChloHash, certs_, kTestEmptySCT, kTestConfig, verify_context_.get(),
       &error_details_, &details_, std::move(callback));
   ASSERT_EQ(quic::QUIC_FAILURE, status);
@@ -313,7 +313,7 @@ TEST_F(ProofVerifierChromiumTest, PreservesEVIfAllowed) {
   std::unique_ptr<DummyProofVerifierCallback> callback(
       new DummyProofVerifierCallback);
   quic::QuicAsyncStatus status = proof_verifier.VerifyProof(
-      kTestHostname, kTestPort, kTestConfig, quic::QUIC_VERSION_39,
+      kTestHostname, kTestPort, kTestConfig, quic::QUIC_VERSION_43,
       kTestChloHash, certs_, kTestEmptySCT, GetTestSignature(),
       verify_context_.get(), &error_details_, &details_, std::move(callback));
   ASSERT_EQ(quic::QUIC_SUCCESS, status);
@@ -344,7 +344,7 @@ TEST_F(ProofVerifierChromiumTest, StripsEVIfNotAllowed) {
   std::unique_ptr<DummyProofVerifierCallback> callback(
       new DummyProofVerifierCallback);
   quic::QuicAsyncStatus status = proof_verifier.VerifyProof(
-      kTestHostname, kTestPort, kTestConfig, quic::QUIC_VERSION_39,
+      kTestHostname, kTestPort, kTestConfig, quic::QUIC_VERSION_43,
       kTestChloHash, certs_, kTestEmptySCT, GetTestSignature(),
       verify_context_.get(), &error_details_, &details_, std::move(callback));
   ASSERT_EQ(quic::QUIC_SUCCESS, status);
@@ -381,7 +381,7 @@ TEST_F(ProofVerifierChromiumTest, CTEVHistogramNonCompliant) {
   std::unique_ptr<DummyProofVerifierCallback> callback(
       new DummyProofVerifierCallback);
   quic::QuicAsyncStatus status = proof_verifier.VerifyProof(
-      kTestHostname, kTestPort, kTestConfig, quic::QUIC_VERSION_39,
+      kTestHostname, kTestPort, kTestConfig, quic::QUIC_VERSION_43,
       kTestChloHash, certs_, kTestEmptySCT, GetTestSignature(),
       verify_context_.get(), &error_details_, &details_, std::move(callback));
   ASSERT_EQ(quic::QUIC_SUCCESS, status);
@@ -422,7 +422,7 @@ TEST_F(ProofVerifierChromiumTest, CTEVHistogramCompliant) {
   std::unique_ptr<DummyProofVerifierCallback> callback(
       new DummyProofVerifierCallback);
   quic::QuicAsyncStatus status = proof_verifier.VerifyProof(
-      kTestHostname, kTestPort, kTestConfig, quic::QUIC_VERSION_39,
+      kTestHostname, kTestPort, kTestConfig, quic::QUIC_VERSION_43,
       kTestChloHash, certs_, kTestEmptySCT, GetTestSignature(),
       verify_context_.get(), &error_details_, &details_, std::move(callback));
   ASSERT_EQ(quic::QUIC_SUCCESS, status);
@@ -447,7 +447,7 @@ HashValueVector MakeHashValueVector(uint8_t tag) {
 }
 
 TEST_F(ProofVerifierChromiumTest, IsFatalErrorNotSetForNonFatalError) {
-  dummy_result_.cert_status = MapNetErrorToCertStatus(ERR_CERT_DATE_INVALID);
+  dummy_result_.cert_status = CERT_STATUS_DATE_INVALID;
 
   MockCertVerifier dummy_verifier;
   dummy_verifier.AddResultForCert(test_cert_.get(), dummy_result_,
@@ -460,7 +460,7 @@ TEST_F(ProofVerifierChromiumTest, IsFatalErrorNotSetForNonFatalError) {
   std::unique_ptr<DummyProofVerifierCallback> callback(
       new DummyProofVerifierCallback);
   quic::QuicAsyncStatus status = proof_verifier.VerifyProof(
-      kTestHostname, kTestPort, kTestConfig, quic::QUIC_VERSION_39,
+      kTestHostname, kTestPort, kTestConfig, quic::QUIC_VERSION_43,
       kTestChloHash, certs_, kTestEmptySCT, GetTestSignature(),
       verify_context_.get(), &error_details_, &details_, std::move(callback));
   ASSERT_EQ(quic::QUIC_FAILURE, status);
@@ -471,7 +471,7 @@ TEST_F(ProofVerifierChromiumTest, IsFatalErrorNotSetForNonFatalError) {
 }
 
 TEST_F(ProofVerifierChromiumTest, IsFatalErrorSetForFatalError) {
-  dummy_result_.cert_status = MapNetErrorToCertStatus(ERR_CERT_DATE_INVALID);
+  dummy_result_.cert_status = CERT_STATUS_DATE_INVALID;
 
   MockCertVerifier dummy_verifier;
   dummy_verifier.AddResultForCert(test_cert_.get(), dummy_result_,
@@ -488,7 +488,7 @@ TEST_F(ProofVerifierChromiumTest, IsFatalErrorSetForFatalError) {
   std::unique_ptr<DummyProofVerifierCallback> callback(
       new DummyProofVerifierCallback);
   quic::QuicAsyncStatus status = proof_verifier.VerifyProof(
-      kTestHostname, kTestPort, kTestConfig, quic::QUIC_VERSION_39,
+      kTestHostname, kTestPort, kTestConfig, quic::QUIC_VERSION_43,
       kTestChloHash, certs_, kTestEmptySCT, GetTestSignature(),
       verify_context_.get(), &error_details_, &details_, std::move(callback));
   ASSERT_EQ(quic::QUIC_FAILURE, status);
@@ -515,7 +515,7 @@ TEST_F(ProofVerifierChromiumTest, PKPEnforced) {
   std::unique_ptr<DummyProofVerifierCallback> callback(
       new DummyProofVerifierCallback);
   quic::QuicAsyncStatus status = proof_verifier.VerifyProof(
-      kCTAndPKPHost, kTestPort, kTestConfig, quic::QUIC_VERSION_39,
+      kCTAndPKPHost, kTestPort, kTestConfig, quic::QUIC_VERSION_43,
       kTestChloHash, certs_, kTestEmptySCT, GetTestSignature(),
       verify_context_.get(), &error_details_, &details_, std::move(callback));
   ASSERT_EQ(quic::QUIC_FAILURE, status);
@@ -548,7 +548,7 @@ TEST_F(ProofVerifierChromiumTest, PKPBypassFlagSet) {
   std::unique_ptr<DummyProofVerifierCallback> callback(
       new DummyProofVerifierCallback);
   quic::QuicAsyncStatus status = proof_verifier.VerifyProof(
-      kCTAndPKPHost, kTestPort, kTestConfig, quic::QUIC_VERSION_39,
+      kCTAndPKPHost, kTestPort, kTestConfig, quic::QUIC_VERSION_43,
       kTestChloHash, certs_, kTestEmptySCT, GetTestSignature(),
       verify_context_.get(), &error_details_, &details_, std::move(callback));
   ASSERT_EQ(quic::QUIC_SUCCESS, status);
@@ -588,7 +588,7 @@ TEST_F(ProofVerifierChromiumTest, CTIsRequired) {
   std::unique_ptr<DummyProofVerifierCallback> callback(
       new DummyProofVerifierCallback);
   quic::QuicAsyncStatus status = proof_verifier.VerifyProof(
-      kTestHostname, kTestPort, kTestConfig, quic::QUIC_VERSION_39,
+      kTestHostname, kTestPort, kTestConfig, quic::QUIC_VERSION_43,
       kTestChloHash, certs_, kTestEmptySCT, GetTestSignature(),
       verify_context_.get(), &error_details_, &details_, std::move(callback));
   ASSERT_EQ(quic::QUIC_FAILURE, status);
@@ -634,7 +634,7 @@ TEST_F(ProofVerifierChromiumTest, CTIsRequiredHistogramNonCompliant) {
   std::unique_ptr<DummyProofVerifierCallback> callback(
       new DummyProofVerifierCallback);
   quic::QuicAsyncStatus status = proof_verifier.VerifyProof(
-      kTestHostname, kTestPort, kTestConfig, quic::QUIC_VERSION_39,
+      kTestHostname, kTestPort, kTestConfig, quic::QUIC_VERSION_43,
       kTestChloHash, certs_, kTestEmptySCT, GetTestSignature(),
       verify_context_.get(), &error_details_, &details_, std::move(callback));
   ASSERT_EQ(quic::QUIC_FAILURE, status);
@@ -679,7 +679,7 @@ TEST_F(ProofVerifierChromiumTest, CTIsRequiredHistogramCompliant) {
     std::unique_ptr<DummyProofVerifierCallback> callback(
         new DummyProofVerifierCallback);
     quic::QuicAsyncStatus status = proof_verifier.VerifyProof(
-        kTestHostname, kTestPort, kTestConfig, quic::QUIC_VERSION_39,
+        kTestHostname, kTestPort, kTestConfig, quic::QUIC_VERSION_43,
         kTestChloHash, certs_, kTestEmptySCT, GetTestSignature(),
         verify_context_.get(), &error_details_, &details_, std::move(callback));
     ASSERT_EQ(quic::QUIC_SUCCESS, status);
@@ -698,7 +698,7 @@ TEST_F(ProofVerifierChromiumTest, CTIsRequiredHistogramCompliant) {
     std::unique_ptr<DummyProofVerifierCallback> callback(
         new DummyProofVerifierCallback);
     quic::QuicAsyncStatus status = proof_verifier.VerifyProof(
-        kTestHostname, kTestPort, kTestConfig, quic::QUIC_VERSION_39,
+        kTestHostname, kTestPort, kTestConfig, quic::QUIC_VERSION_43,
         kTestChloHash, certs_, kTestEmptySCT, GetTestSignature(),
         verify_context_.get(), &error_details_, &details_, std::move(callback));
     ASSERT_EQ(quic::QUIC_SUCCESS, status);
@@ -730,7 +730,7 @@ TEST_F(ProofVerifierChromiumTest, CTIsNotRequiredHistogram) {
   std::unique_ptr<DummyProofVerifierCallback> callback(
       new DummyProofVerifierCallback);
   quic::QuicAsyncStatus status = proof_verifier.VerifyProof(
-      kTestHostname, kTestPort, kTestConfig, quic::QUIC_VERSION_39,
+      kTestHostname, kTestPort, kTestConfig, quic::QUIC_VERSION_43,
       kTestChloHash, certs_, kTestEmptySCT, GetTestSignature(),
       verify_context_.get(), &error_details_, &details_, std::move(callback));
   ASSERT_EQ(quic::QUIC_SUCCESS, status);
@@ -770,7 +770,7 @@ TEST_F(ProofVerifierChromiumTest, PKPAndCTBothTested) {
   std::unique_ptr<DummyProofVerifierCallback> callback(
       new DummyProofVerifierCallback);
   quic::QuicAsyncStatus status = proof_verifier.VerifyProof(
-      kCTAndPKPHost, kTestPort, kTestConfig, quic::QUIC_VERSION_39,
+      kCTAndPKPHost, kTestPort, kTestConfig, quic::QUIC_VERSION_43,
       kTestChloHash, certs_, kTestEmptySCT, GetTestSignature(),
       verify_context_.get(), &error_details_, &details_, std::move(callback));
   ASSERT_EQ(quic::QUIC_FAILURE, status);
@@ -808,7 +808,7 @@ TEST_F(ProofVerifierChromiumTest, CTComplianceStatusHistogram) {
     std::unique_ptr<DummyProofVerifierCallback> callback(
         new DummyProofVerifierCallback);
     quic::QuicAsyncStatus status = proof_verifier.VerifyProof(
-        kTestHostname, kTestPort, kTestConfig, quic::QUIC_VERSION_39,
+        kTestHostname, kTestPort, kTestConfig, quic::QUIC_VERSION_43,
         kTestChloHash, certs_, kTestEmptySCT, GetTestSignature(),
         verify_context_.get(), &error_details_, &details_, std::move(callback));
     ASSERT_EQ(quic::QUIC_SUCCESS, status);
@@ -829,7 +829,7 @@ TEST_F(ProofVerifierChromiumTest, CTComplianceStatusHistogram) {
     std::unique_ptr<DummyProofVerifierCallback> callback(
         new DummyProofVerifierCallback);
     quic::QuicAsyncStatus status = proof_verifier.VerifyProof(
-        kTestHostname, kTestPort, kTestConfig, quic::QUIC_VERSION_39,
+        kTestHostname, kTestPort, kTestConfig, quic::QUIC_VERSION_43,
         kTestChloHash, certs_, kTestEmptySCT, GetTestSignature(),
         verify_context_.get(), &error_details_, &details_, std::move(callback));
     ASSERT_EQ(quic::QUIC_SUCCESS, status);
@@ -866,7 +866,7 @@ TEST_F(ProofVerifierChromiumTest, CTRequirementsFlagNotMet) {
   std::unique_ptr<DummyProofVerifierCallback> callback(
       new DummyProofVerifierCallback);
   proof_verifier.VerifyProof(
-      kTestHostname, kTestPort, kTestConfig, quic::QUIC_VERSION_39,
+      kTestHostname, kTestPort, kTestConfig, quic::QUIC_VERSION_43,
       kTestChloHash, certs_, kTestEmptySCT, GetTestSignature(),
       verify_context_.get(), &error_details_, &details_, std::move(callback));
 
@@ -901,7 +901,7 @@ TEST_F(ProofVerifierChromiumTest, CTRequirementsFlagMet) {
   std::unique_ptr<DummyProofVerifierCallback> callback(
       new DummyProofVerifierCallback);
   proof_verifier.VerifyProof(
-      kTestHostname, kTestPort, kTestConfig, quic::QUIC_VERSION_39,
+      kTestHostname, kTestPort, kTestConfig, quic::QUIC_VERSION_43,
       kTestChloHash, certs_, kTestEmptySCT, GetTestSignature(),
       verify_context_.get(), &error_details_, &details_, std::move(callback));
 
@@ -925,7 +925,7 @@ TEST_F(ProofVerifierChromiumTest, UnknownRootRejected) {
   std::unique_ptr<DummyProofVerifierCallback> callback(
       new DummyProofVerifierCallback);
   quic::QuicAsyncStatus status = proof_verifier.VerifyProof(
-      kTestHostname, kTestPort, kTestConfig, quic::QUIC_VERSION_39,
+      kTestHostname, kTestPort, kTestConfig, quic::QUIC_VERSION_43,
       kTestChloHash, certs_, kTestEmptySCT, GetTestSignature(),
       verify_context_.get(), &error_details_, &details_, std::move(callback));
   ASSERT_EQ(quic::QUIC_FAILURE, status);
@@ -947,7 +947,7 @@ TEST_F(ProofVerifierChromiumTest, UnknownRootAcceptedWithOverride) {
   std::unique_ptr<DummyProofVerifierCallback> callback(
       new DummyProofVerifierCallback);
   quic::QuicAsyncStatus status = proof_verifier.VerifyProof(
-      kTestHostname, kTestPort, kTestConfig, quic::QUIC_VERSION_39,
+      kTestHostname, kTestPort, kTestConfig, quic::QUIC_VERSION_43,
       kTestChloHash, certs_, kTestEmptySCT, GetTestSignature(),
       verify_context_.get(), &error_details_, &details_, std::move(callback));
   ASSERT_EQ(quic::QUIC_SUCCESS, status);
diff --git a/chromium/net/quic/mock_crypto_client_stream.cc b/chromium/net/quic/mock_crypto_client_stream.cc
index ab42d351722..b4be81b27c0 100644
--- a/chromium/net/quic/mock_crypto_client_stream.cc
+++ b/chromium/net/quic/mock_crypto_client_stream.cc
@@ -87,6 +87,11 @@ void MockCryptoClientStream::OnHandshakeMessage(
 }
 
 bool MockCryptoClientStream::CryptoConnect() {
+  if (session()->connection()->version().KnowsWhichDecrypterToUse()) {
+    session()->connection()->InstallDecrypter(
+        ENCRYPTION_FORWARD_SECURE,
+        std::make_unique<NullDecrypter>(Perspective::IS_CLIENT));
+  }
   if (proof_verify_details_) {
     if (!proof_verify_details_->cert_verify_result.verified_cert
              ->VerifyNameMatch(server_id_.host())) {
@@ -135,8 +140,12 @@ bool MockCryptoClientStream::CryptoConnect() {
             ENCRYPTION_ZERO_RTT,
             std::make_unique<NullEncrypter>(Perspective::IS_CLIENT));
       }
-      session()->connection()->SetDefaultEncryptionLevel(ENCRYPTION_ZERO_RTT);
-      session()->OnCryptoHandshakeEvent(QuicSession::ENCRYPTION_ESTABLISHED);
+      if (session()->use_handshake_delegate()) {
+        session()->SetDefaultEncryptionLevel(ENCRYPTION_ZERO_RTT);
+      } else {
+        session()->connection()->SetDefaultEncryptionLevel(ENCRYPTION_ZERO_RTT);
+        session()->OnCryptoHandshakeEvent(QuicSession::ENCRYPTION_ESTABLISHED);
+      }
       break;
     }
 
@@ -177,10 +186,16 @@ bool MockCryptoClientStream::CryptoConnect() {
             ENCRYPTION_FORWARD_SECURE,
             std::make_unique<NullEncrypter>(Perspective::IS_CLIENT));
       }
-      session()->connection()->SetDefaultEncryptionLevel(
-          ENCRYPTION_FORWARD_SECURE);
-      session()->OnCryptoHandshakeEvent(QuicSession::HANDSHAKE_CONFIRMED);
-      session()->connection()->OnHandshakeComplete();
+      if (session()->use_handshake_delegate()) {
+        session()->SetDefaultEncryptionLevel(ENCRYPTION_FORWARD_SECURE);
+        session()->DiscardOldEncryptionKey(ENCRYPTION_INITIAL);
+        session()->NeuterHandshakeData();
+      } else {
+        session()->connection()->SetDefaultEncryptionLevel(
+            ENCRYPTION_FORWARD_SECURE);
+        session()->OnCryptoHandshakeEvent(QuicSession::HANDSHAKE_CONFIRMED);
+        session()->connection()->OnHandshakeComplete();
+      }
       break;
     }
 
@@ -252,10 +267,17 @@ void MockCryptoClientStream::SendOnCryptoHandshakeEvent(
           ENCRYPTION_FORWARD_SECURE,
           std::make_unique<NullEncrypter>(Perspective::IS_CLIENT));
     }
-    session()->connection()->SetDefaultEncryptionLevel(
-        ENCRYPTION_FORWARD_SECURE);
+    if (session()->use_handshake_delegate()) {
+      session()->SetDefaultEncryptionLevel(ENCRYPTION_FORWARD_SECURE);
+      session()->DiscardOldEncryptionKey(ENCRYPTION_INITIAL);
+    } else {
+      session()->connection()->SetDefaultEncryptionLevel(
+          ENCRYPTION_FORWARD_SECURE);
+    }
+  }
+  if (!session()->use_handshake_delegate()) {
+    session()->OnCryptoHandshakeEvent(event);
   }
-  session()->OnCryptoHandshakeEvent(event);
 }
 
 // static
diff --git a/chromium/net/quic/mock_quic_context.cc b/chromium/net/quic/mock_quic_context.cc
new file mode 100644
index 00000000000..9c818a32fd1
--- /dev/null
+++ b/chromium/net/quic/mock_quic_context.cc
@@ -0,0 +1,25 @@
+// Copyright 2019 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "net/quic/mock_quic_context.h"
+
+namespace net {
+
+MockQuicContext::MockQuicContext()
+    : QuicContext(std::make_unique<quic::test::MockQuicConnectionHelper>()) {
+  mock_helper_ = static_cast<quic::test::MockQuicConnectionHelper*>(helper());
+}
+
+void MockQuicContext::AdvanceTime(quic::QuicTime::Delta delta) {
+  mock_helper_->AdvanceTime(delta);
+}
+
+quic::MockClock* MockQuicContext::mock_clock() {
+  // TODO(vasilvv): add a proper accessor to MockQuicConnectionHelper and delete
+  // the cast.
+  return const_cast<quic::MockClock*>(
+      static_cast<const quic::MockClock*>(mock_helper_->GetClock()));
+}
+
+}  // namespace net
diff --git a/chromium/net/quic/mock_quic_context.h b/chromium/net/quic/mock_quic_context.h
new file mode 100644
index 00000000000..9b03969976a
--- /dev/null
+++ b/chromium/net/quic/mock_quic_context.h
@@ -0,0 +1,27 @@
+// Copyright 2019 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef NET_QUIC_MOCK_QUIC_CONTEXT_H_
+#define NET_QUIC_MOCK_QUIC_CONTEXT_H_
+
+#include "net/quic/quic_context.h"
+#include "net/third_party/quiche/src/quic/test_tools/quic_test_utils.h"
+
+namespace net {
+
+class MockQuicContext : public QuicContext {
+ public:
+  MockQuicContext();
+
+  void AdvanceTime(quic::QuicTime::Delta delta);
+
+  quic::MockClock* mock_clock();
+
+ private:
+  quic::test::MockQuicConnectionHelper* mock_helper_;
+};
+
+}  // namespace net
+
+#endif  // NET_QUIC_MOCK_QUIC_CONTEXT_H_
diff --git a/chromium/net/quic/platform/impl/quic_export_impl.h b/chromium/net/quic/platform/impl/quic_export_impl.h
index cbf2ea475ed..338497431a0 100644
--- a/chromium/net/quic/platform/impl/quic_export_impl.h
+++ b/chromium/net/quic/platform/impl/quic_export_impl.h
@@ -7,7 +7,11 @@
 
 #include "net/base/net_export.h"
 
+// These macros are documented in:
+// net/third_party/quiche/src/quic/platform/api/quic_export.h
+
 #define QUIC_EXPORT NET_EXPORT
 #define QUIC_EXPORT_PRIVATE NET_EXPORT_PRIVATE
+#define QUIC_NO_EXPORT
 
 #endif  // NET_QUIC_PLATFORM_IMPL_QUIC_EXPORT_IMPL_H_
diff --git a/chromium/net/quic/platform/impl/quic_ptr_util_impl.h b/chromium/net/quic/platform/impl/quic_ptr_util_impl.h
index 3ad3fe51552..061d93db787 100644
--- a/chromium/net/quic/platform/impl/quic_ptr_util_impl.h
+++ b/chromium/net/quic/platform/impl/quic_ptr_util_impl.h
@@ -8,11 +8,6 @@
 
 namespace quic {
 
-template <typename T, typename... Args>
-std::unique_ptr<T> QuicMakeUniqueImpl(Args&&... args) {
-  return std::make_unique<T>(std::forward<Args>(args)...);
-}
-
 template <typename T>
 std::unique_ptr<T> QuicWrapUniqueImpl(T* ptr) {
   return base::WrapUnique<T>(ptr);
diff --git a/chromium/net/quic/platform/impl/quic_test_impl.h b/chromium/net/quic/platform/impl/quic_test_impl.h
index bfe074a1eac..8549f907055 100644
--- a/chromium/net/quic/platform/impl/quic_test_impl.h
+++ b/chromium/net/quic/platform/impl/quic_test_impl.h
@@ -76,4 +76,15 @@ namespace quic {
 ParsedQuicVersionVector AllVersionsExcept99();
 }  // namespace quic
 
+#if GTEST_HAS_DEATH_TEST && !defined(NDEBUG)
+#define EXPECT_QUIC_DEBUG_DEATH_IMPL(condition, message) \
+  EXPECT_DEBUG_DEATH(condition, message)
+#else
+#define EXPECT_QUIC_DEBUG_DEATH_IMPL(condition, message) \
+  do {                                                   \
+  } while (0)
+#endif
+
+#define QUIC_SLOW_TEST_IMPL(name) DISABLED_##name
+
 #endif  // NET_QUIC_PLATFORM_IMPL_QUIC_TEST_IMPL_H_
diff --git a/chromium/net/quic/platform/impl/quic_text_utils_impl.h b/chromium/net/quic/platform/impl/quic_text_utils_impl.h
index d9feafcc8b3..96b48214826 100644
--- a/chromium/net/quic/platform/impl/quic_text_utils_impl.h
+++ b/chromium/net/quic/platform/impl/quic_text_utils_impl.h
@@ -87,9 +87,12 @@ class QuicTextUtilsImpl {
   }
 
   // Converts |data| from a hexadecimal ASCII string to a binary string
-  // that is |data.length()/2| bytes long.
+  // that is |data.length()/2| bytes long. On failure returns empty string.
   static std::string HexDecode(QuicStringPiece data) {
-    return net::HexDecode(data);
+    std::string result;
+    if (!base::HexStringToString(data, &result))
+      result.clear();
+    return result;
   }
 
   // Base64 encodes with no padding |data_len| bytes of |data| into |output|.
diff --git a/chromium/net/quic/quic_chromium_client_session.cc b/chromium/net/quic/quic_chromium_client_session.cc
index 5d985df8922..2a06a675426 100644
--- a/chromium/net/quic/quic_chromium_client_session.cc
+++ b/chromium/net/quic/quic_chromium_client_session.cc
@@ -209,6 +209,8 @@ std::string MigrationCauseToString(MigrationCause cause) {
       return "OnPathDegrading";
     case CHANGE_PORT_ON_PATH_DEGRADING:
       return "ChangePortOnPathDegrading";
+    case NEW_NETWORK_CONNECTED_POST_PATH_DEGRADING:
+      return "NewNetworkConnectedPostPathDegrading";
     default:
       QUIC_NOTREACHED();
       break;
@@ -284,6 +286,13 @@ class QuicServerPushHelper : public ServerPushDelegate::ServerPushHelper {
 
   const GURL& GetURL() const override { return request_url_; }
 
+  NetworkIsolationKey GetNetworkIsolationKey() const override {
+    if (session_) {
+      return session_->quic_session_key().network_isolation_key();
+    }
+    return NetworkIsolationKey();
+  }
+
  private:
   base::WeakPtr<QuicChromiumClientSession> session_;
   const GURL request_url_;
@@ -303,7 +312,7 @@ QuicChromiumClientSession::Handle::Handle(
       quic_error_(quic::QUIC_NO_ERROR),
       port_migration_detected_(false),
       server_id_(session_->server_id()),
-      quic_version_(session->connection()->transport_version()),
+      quic_version_(session->connection()->version()),
       push_handle_(nullptr),
       was_ever_used_(false) {
   DCHECK(session_);
@@ -326,7 +335,7 @@ void QuicChromiumClientSession::Handle::OnCryptoHandshakeConfirmed() {
 }
 
 void QuicChromiumClientSession::Handle::OnSessionClosed(
-    quic::QuicTransportVersion quic_version,
+    quic::ParsedQuicVersion quic_version,
     int net_error,
     quic::QuicErrorCode quic_error,
     bool port_migration_detected,
@@ -368,12 +377,12 @@ void QuicChromiumClientSession::Handle::PopulateNetErrorDetails(
   }
 }
 
-quic::QuicTransportVersion QuicChromiumClientSession::Handle::GetQuicVersion()
+quic::ParsedQuicVersion QuicChromiumClientSession::Handle::GetQuicVersion()
     const {
   if (!session_)
     return quic_version_;
 
-  return session_->connection()->transport_version();
+  return session_->GetQuicVersion();
 }
 
 void QuicChromiumClientSession::Handle::ResetPromised(
@@ -690,7 +699,7 @@ QuicChromiumClientSession::QuicChromiumClientSession(
     std::unique_ptr<DatagramClientSocket> socket,
     QuicStreamFactory* stream_factory,
     QuicCryptoClientStreamFactory* crypto_client_stream_factory,
-    quic::QuicClock* clock,
+    const quic::QuicClock* clock,
     TransportSecurityState* transport_security_state,
     SSLConfigService* ssl_config_service,
     std::unique_ptr<QuicServerInfo> server_info,
@@ -784,19 +793,20 @@ QuicChromiumClientSession::QuicChromiumClientSession(
       ignore_read_error_(false),
       headers_include_h2_stream_dependency_(
           headers_include_h2_stream_dependency &&
-          this->connection()->transport_version() >= quic::QUIC_VERSION_43) {
+          this->connection()->transport_version() >= quic::QUIC_VERSION_43),
+      max_allowed_push_id_(max_allowed_push_id) {
   // Make sure connection migration and goaway on path degrading are not turned
   // on at the same time.
   DCHECK(!(migrate_session_early_v2_ && go_away_on_path_degrading_));
   DCHECK(!(allow_port_migration_ && go_away_on_path_degrading_));
 
-  quic::QuicSpdyClientSessionBase::SetMaxAllowedPushId(max_allowed_push_id);
   default_network_ = default_network;
   auto* socket_raw = socket.get();
   sockets_.push_back(std::move(socket));
   packet_readers_.push_back(std::make_unique<QuicChromiumPacketReader>(
       sockets_.back().get(), clock, this, yield_after_packets,
       yield_after_duration, net_log_));
+  CHECK_EQ(packet_readers_.size(), sockets_.size());
   crypto_stream_.reset(
       crypto_client_stream_factory->CreateQuicCryptoClientStream(
           session_key.server_id(), this,
@@ -821,7 +831,7 @@ QuicChromiumClientSession::QuicChromiumClientSession(
   connect_timing_.dns_start = dns_resolution_start_time;
   connect_timing_.dns_end = dns_resolution_end_time;
   if (!retransmittable_on_wire_timeout.IsZero()) {
-    connection->set_retransmittable_on_wire_timeout(
+    connection->set_initial_retransmittable_on_wire_timeout(
         retransmittable_on_wire_timeout);
   }
 }
@@ -940,6 +950,7 @@ QuicChromiumClientSession::~QuicChromiumClientSession() {
 }
 
 void QuicChromiumClientSession::Initialize() {
+  quic::QuicSpdyClientSessionBase::SetMaxAllowedPushId(max_allowed_push_id_);
   set_max_inbound_header_list_size(kQuicMaxHeaderListSize);
   quic::QuicSpdyClientSessionBase::Initialize();
   SetHpackEncoderDebugVisitor(std::make_unique<HpackEncoderDebugVisitor>());
@@ -1018,9 +1029,9 @@ void QuicChromiumClientSession::OnStreamFrame(
 void QuicChromiumClientSession::AddHandle(Handle* handle) {
   if (going_away_) {
     RecordUnexpectedObservers(ADD_OBSERVER);
-    handle->OnSessionClosed(connection()->transport_version(), ERR_UNEXPECTED,
-                            error(), port_migration_detected_,
-                            GetConnectTiming(), WasConnectionEverUsed());
+    handle->OnSessionClosed(connection()->version(), ERR_UNEXPECTED, error(),
+                            port_migration_detected_, GetConnectTiming(),
+                            WasConnectionEverUsed());
     return;
   }
 
@@ -1545,45 +1556,28 @@ void QuicChromiumClientSession::OnCryptoHandshakeEvent(
     std::move(callback_).Run(OK);
   }
   if (event == HANDSHAKE_CONFIRMED) {
-    if (stream_factory_)
-      stream_factory_->set_is_quic_known_to_work_on_current_network(true);
-
-    // Update |connect_end| only when handshake is confirmed. This should also
-    // take care of any failed 0-RTT request.
-    connect_timing_.connect_end = tick_clock_->NowTicks();
-    DCHECK_LE(connect_timing_.connect_start, connect_timing_.connect_end);
-    UMA_HISTOGRAM_TIMES(
-        "Net.QuicSession.HandshakeConfirmedTime",
-        connect_timing_.connect_end - connect_timing_.connect_start);
-    // Track how long it has taken to finish handshake after we have finished
-    // DNS host resolution.
-    if (!connect_timing_.dns_end.is_null()) {
-      UMA_HISTOGRAM_TIMES(
-          "Net.QuicSession.HostResolution.HandshakeConfirmedTime",
-          tick_clock_->NowTicks() - connect_timing_.dns_end);
-    }
-
-    auto it = handles_.begin();
-    while (it != handles_.end()) {
-      Handle* handle = *it;
-      ++it;
-      handle->OnCryptoHandshakeConfirmed();
-    }
-
-    NotifyRequestsOfConfirmation(OK);
-    // Attempt to migrate back to the default network after handshake has been
-    // confirmed if the session is not created on the default network.
-    if (migrate_session_on_network_change_v2_ &&
-        default_network_ != NetworkChangeNotifier::kInvalidNetworkHandle &&
-        GetDefaultSocket()->GetBoundNetwork() != default_network_) {
-      current_migration_cause_ = ON_MIGRATE_BACK_TO_DEFAULT_NETWORK;
-      StartMigrateBackToDefaultNetworkTimer(
-          base::TimeDelta::FromSeconds(kMinRetryTimeForDefaultNetworkSecs));
-    }
+    OnCryptoHandshakeComplete();
   }
   quic::QuicSpdySession::OnCryptoHandshakeEvent(event);
 }
 
+void QuicChromiumClientSession::SetDefaultEncryptionLevel(
+    quic::EncryptionLevel level) {
+  if (!callback_.is_null() &&
+      (!require_confirmation_ || level == quic::ENCRYPTION_FORWARD_SECURE ||
+       level == quic::ENCRYPTION_ZERO_RTT)) {
+    // TODO(rtenneti): Currently for all CryptoHandshakeEvent events, callback_
+    // could be called because there are no error events in CryptoHandshakeEvent
+    // enum. If error events are added to CryptoHandshakeEvent, then the
+    // following code needs to changed.
+    std::move(callback_).Run(OK);
+  }
+  if (level == quic::ENCRYPTION_FORWARD_SECURE) {
+    OnCryptoHandshakeComplete();
+  }
+  quic::QuicSpdySession::SetDefaultEncryptionLevel(level);
+}
+
 void QuicChromiumClientSession::OnCryptoHandshakeMessageSent(
     const quic::CryptoHandshakeMessage& message) {
   logger_->OnCryptoHandshakeMessageSent(message);
@@ -1747,6 +1741,7 @@ void QuicChromiumClientSession::OnConnectionClosed(
     std::move(callback_).Run(ERR_QUIC_PROTOCOL_ERROR);
   }
 
+  CHECK_EQ(sockets_.size(), packet_readers_.size());
   for (auto& socket : sockets_) {
     socket->Close();
   }
@@ -2022,6 +2017,7 @@ void QuicChromiumClientSession::OnProbeSucceeded(
   net_log_.AddEventWithInt64Params(
       NetLogEventType::QUIC_CONNECTION_MIGRATION_SUCCESS_AFTER_PROBING,
       "migrate_to_network", network);
+  HistogramAndLogMigrationSuccess(net_log_, connection_id());
   if (network == default_network_) {
     DVLOG(1) << "Client successfully migrated to default network: "
              << default_network_;
@@ -2082,7 +2078,13 @@ void QuicChromiumClientSession::OnNetworkConnected(
     return;
 
   if (connection()->IsPathDegrading()) {
-    current_migration_cause_ = CHANGE_NETWORK_ON_PATH_DEGRADING;
+    base::TimeDelta duration =
+        tick_clock_->NowTicks() - most_recent_path_degrading_timestamp_;
+    UMA_HISTOGRAM_CUSTOM_TIMES("Net.QuicNetworkDegradingDurationTillConnected",
+                               duration, base::TimeDelta::FromMilliseconds(1),
+                               base::TimeDelta::FromMinutes(10), 50);
+
+    current_migration_cause_ = NEW_NETWORK_CONNECTED_POST_PATH_DEGRADING;
   }
 
   if (wait_for_new_network_) {
@@ -2427,9 +2429,9 @@ void QuicChromiumClientSession::CloseAllHandles(int net_error) {
   while (!handles_.empty()) {
     Handle* handle = *handles_.begin();
     handles_.erase(handle);
-    handle->OnSessionClosed(connection()->transport_version(), net_error,
-                            error(), port_migration_detected_,
-                            GetConnectTiming(), WasConnectionEverUsed());
+    handle->OnSessionClosed(connection()->version(), net_error, error(),
+                            port_migration_detected_, GetConnectTiming(),
+                            WasConnectionEverUsed());
   }
 }
 
@@ -2969,6 +2971,43 @@ void QuicChromiumClientSession::NotifyFactoryOfSessionClosed() {
     stream_factory_->OnSessionClosed(this);
 }
 
+void QuicChromiumClientSession::OnCryptoHandshakeComplete() {
+  if (stream_factory_)
+    stream_factory_->set_is_quic_known_to_work_on_current_network(true);
+
+  // Update |connect_end| only when handshake is confirmed. This should also
+  // take care of any failed 0-RTT request.
+  connect_timing_.connect_end = tick_clock_->NowTicks();
+  DCHECK_LE(connect_timing_.connect_start, connect_timing_.connect_end);
+  UMA_HISTOGRAM_TIMES(
+      "Net.QuicSession.HandshakeConfirmedTime",
+      connect_timing_.connect_end - connect_timing_.connect_start);
+  // Track how long it has taken to finish handshake after we have finished
+  // DNS host resolution.
+  if (!connect_timing_.dns_end.is_null()) {
+    UMA_HISTOGRAM_TIMES("Net.QuicSession.HostResolution.HandshakeConfirmedTime",
+                        tick_clock_->NowTicks() - connect_timing_.dns_end);
+  }
+
+  auto it = handles_.begin();
+  while (it != handles_.end()) {
+    Handle* handle = *it;
+    ++it;
+    handle->OnCryptoHandshakeConfirmed();
+  }
+
+  NotifyRequestsOfConfirmation(OK);
+  // Attempt to migrate back to the default network after handshake has been
+  // confirmed if the session is not created on the default network.
+  if (migrate_session_on_network_change_v2_ &&
+      default_network_ != NetworkChangeNotifier::kInvalidNetworkHandle &&
+      GetDefaultSocket()->GetBoundNetwork() != default_network_) {
+    current_migration_cause_ = ON_MIGRATE_BACK_TO_DEFAULT_NETWORK;
+    StartMigrateBackToDefaultNetworkTimer(
+        base::TimeDelta::FromSeconds(kMinRetryTimeForDefaultNetworkSecs));
+  }
+}
+
 MigrationResult QuicChromiumClientSession::Migrate(
     NetworkChangeNotifier::NetworkHandle network,
     IPEndPoint peer_address,
@@ -3056,7 +3095,7 @@ bool QuicChromiumClientSession::MigrateToSocket(
     std::unique_ptr<DatagramClientSocket> socket,
     std::unique_ptr<QuicChromiumPacketReader> reader,
     std::unique_ptr<QuicChromiumPacketWriter> writer) {
-  DCHECK_EQ(sockets_.size(), packet_readers_.size());
+  CHECK_EQ(sockets_.size(), packet_readers_.size());
 
   // TODO(zhongyi): figure out whether we want to limit the number of
   // connection migrations for v2, which includes migration on platform signals,
@@ -3198,8 +3237,8 @@ QuicChromiumClientSession::GetConnectTiming() {
   return connect_timing_;
 }
 
-quic::QuicTransportVersion QuicChromiumClientSession::GetQuicVersion() const {
-  return connection()->transport_version();
+quic::ParsedQuicVersion QuicChromiumClientSession::GetQuicVersion() const {
+  return connection()->version();
 }
 
 size_t QuicChromiumClientSession::EstimateMemoryUsage() const {
diff --git a/chromium/net/quic/quic_chromium_client_session.h b/chromium/net/quic/quic_chromium_client_session.h
index b25c8cfaa54..0299ce10e62 100644
--- a/chromium/net/quic/quic_chromium_client_session.h
+++ b/chromium/net/quic/quic_chromium_client_session.h
@@ -89,13 +89,14 @@ enum class ConnectionMigrationMode {
 // Cause of a migration.
 enum MigrationCause {
   UNKNOWN_CAUSE,
-  ON_NETWORK_CONNECTED,                // No probing.
-  ON_NETWORK_DISCONNECTED,             // No probing.
-  ON_WRITE_ERROR,                      // No probing.
-  ON_NETWORK_MADE_DEFAULT,             // With probing.
-  ON_MIGRATE_BACK_TO_DEFAULT_NETWORK,  // With probing.
-  CHANGE_NETWORK_ON_PATH_DEGRADING,    // With probing.
-  CHANGE_PORT_ON_PATH_DEGRADING,       // With probing.
+  ON_NETWORK_CONNECTED,                       // No probing.
+  ON_NETWORK_DISCONNECTED,                    // No probing.
+  ON_WRITE_ERROR,                             // No probing.
+  ON_NETWORK_MADE_DEFAULT,                    // With probing.
+  ON_MIGRATE_BACK_TO_DEFAULT_NETWORK,         // With probing.
+  CHANGE_NETWORK_ON_PATH_DEGRADING,           // With probing.
+  CHANGE_PORT_ON_PATH_DEGRADING,              // With probing.
+  NEW_NETWORK_CONNECTED_POST_PATH_DEGRADING,  // With probing.
   MIGRATION_CAUSE_MAX
 };
 
@@ -202,7 +203,7 @@ class NET_EXPORT_PRIVATE QuicChromiumClientSession
     bool SharesSameSession(const Handle& other) const;
 
     // Returns the QUIC version used by the session.
-    quic::QuicTransportVersion GetQuicVersion() const;
+    quic::ParsedQuicVersion GetQuicVersion() const;
 
     // Copies the remote udp address into |address| and returns a net error
     // code.
@@ -253,7 +254,7 @@ class NET_EXPORT_PRIVATE QuicChromiumClientSession
     void OnCryptoHandshakeConfirmed();
 
     // Called when the session is closed with a net error.
-    void OnSessionClosed(quic::QuicTransportVersion quic_version,
+    void OnSessionClosed(quic::ParsedQuicVersion quic_version,
                          int net_error,
                          quic::QuicErrorCode quic_error,
                          bool port_migration_detected,
@@ -282,7 +283,7 @@ class NET_EXPORT_PRIVATE QuicChromiumClientSession
     quic::QuicErrorCode quic_error_;
     bool port_migration_detected_;
     quic::QuicServerId server_id_;
-    quic::QuicTransportVersion quic_version_;
+    quic::ParsedQuicVersion quic_version_;
     LoadTimingInfo::ConnectTiming connect_timing_;
     quic::QuicClientPushPromiseIndex* push_promise_index_;
 
@@ -381,7 +382,7 @@ class NET_EXPORT_PRIVATE QuicChromiumClientSession
       std::unique_ptr<DatagramClientSocket> socket,
       QuicStreamFactory* stream_factory,
       QuicCryptoClientStreamFactory* crypto_client_stream_factory,
-      quic::QuicClock* clock,
+      const quic::QuicClock* clock,
       TransportSecurityState* transport_security_state,
       SSLConfigService* ssl_config_service,
       std::unique_ptr<QuicServerInfo> server_info,
@@ -494,6 +495,7 @@ class NET_EXPORT_PRIVATE QuicChromiumClientSession
                      quic::QuicRstStreamErrorCode error,
                      quic::QuicStreamOffset bytes_written) override;
   void OnCryptoHandshakeEvent(CryptoHandshakeEvent event) override;
+  void SetDefaultEncryptionLevel(quic::EncryptionLevel level) override;
   void OnCryptoHandshakeMessageSent(
       const quic::CryptoHandshakeMessage& message) override;
   void OnCryptoHandshakeMessageReceived(
@@ -660,7 +662,7 @@ class NET_EXPORT_PRIVATE QuicChromiumClientSession
 
   const LoadTimingInfo::ConnectTiming& GetConnectTiming();
 
-  quic::QuicTransportVersion GetQuicVersion() const;
+  quic::ParsedQuicVersion GetQuicVersion() const;
 
   // Returns the estimate of dynamically allocated memory in bytes.
   // See base/trace_event/memory_usage_estimator.h.
@@ -771,6 +773,9 @@ class NET_EXPORT_PRIVATE QuicChromiumClientSession
   // delete |this|.
   void NotifyFactoryOfSessionClosed();
 
+  // Called when default encryption level switches to forward secure.
+  void OnCryptoHandshakeComplete();
+
   QuicSessionKey session_key_;
   bool require_confirmation_;
   bool migrate_session_early_v2_;
@@ -788,7 +793,7 @@ class NET_EXPORT_PRIVATE QuicChromiumClientSession
   // path degrading per default network.
   int max_migrations_to_non_default_network_on_path_degrading_;
   int current_migrations_to_non_default_network_on_path_degrading_;
-  quic::QuicClock* clock_;  // Unowned.
+  const quic::QuicClock* clock_;  // Unowned.
   int yield_after_packets_;
   quic::QuicTime::Delta yield_after_duration_;
   bool go_away_on_path_degrading_;
@@ -864,6 +869,8 @@ class NET_EXPORT_PRIVATE QuicChromiumClientSession
   bool headers_include_h2_stream_dependency_;
   Http2PriorityDependencies priority_dependency_state_;
 
+  quic::QuicStreamId max_allowed_push_id_;
+
   base::WeakPtrFactory<QuicChromiumClientSession> weak_factory_{this};
 
   DISALLOW_COPY_AND_ASSIGN(QuicChromiumClientSession);
diff --git a/chromium/net/quic/quic_chromium_client_session_test.cc b/chromium/net/quic/quic_chromium_client_session_test.cc
index a50ced10eb1..78622bd2299 100644
--- a/chromium/net/quic/quic_chromium_client_session_test.cc
+++ b/chromium/net/quic/quic_chromium_client_session_test.cc
@@ -259,8 +259,8 @@ class QuicChromiumClientSessionTest
   const bool client_headers_include_h2_stream_dependency_;
   QuicFlagSaver flags_;  // Save/restore all QUIC flag values.
   quic::QuicCryptoClientConfig crypto_config_;
-  TestNetLog net_log_;
-  BoundTestNetLog bound_test_net_log_;
+  RecordingTestNetLog net_log_;
+  RecordingBoundTestNetLog bound_test_net_log_;
   MockClientSocketFactory socket_factory_;
   std::unique_ptr<MockRead> default_read_;
   std::unique_ptr<SequencedSocketData> socket_data_;
@@ -305,8 +305,7 @@ TEST_P(QuicChromiumClientSessionTest, IsFatalErrorNotSetForNonFatalError) {
   ProofVerifyDetailsChromium details;
   details.cert_verify_result.verified_cert =
       ImportCertFromFile(GetTestCertsDirectory(), "spdy_pooling.pem");
-  details.cert_verify_result.cert_status =
-      MapNetErrorToCertStatus(ERR_CERT_DATE_INVALID);
+  details.cert_verify_result.cert_status = CERT_STATUS_DATE_INVALID;
   details.is_fatal_cert_error = false;
   CompleteCryptoHandshake();
   session_->OnProofVerifyDetailsAvailable(details);
@@ -328,8 +327,7 @@ TEST_P(QuicChromiumClientSessionTest, IsFatalErrorSetForFatalError) {
   ProofVerifyDetailsChromium details;
   details.cert_verify_result.verified_cert =
       ImportCertFromFile(GetTestCertsDirectory(), "spdy_pooling.pem");
-  details.cert_verify_result.cert_status =
-      MapNetErrorToCertStatus(ERR_CERT_DATE_INVALID);
+  details.cert_verify_result.cert_status = CERT_STATUS_DATE_INVALID;
   details.is_fatal_cert_error = true;
   CompleteCryptoHandshake();
   session_->OnProofVerifyDetailsAvailable(details);
@@ -366,7 +364,7 @@ TEST_P(QuicChromiumClientSessionTest, Handle) {
       session_->CreateHandle(destination_);
   EXPECT_TRUE(handle->IsConnected());
   EXPECT_FALSE(handle->IsCryptoHandshakeConfirmed());
-  EXPECT_EQ(version_.transport_version, handle->GetQuicVersion());
+  EXPECT_EQ(version_, handle->GetQuicVersion());
   EXPECT_EQ(session_key_.server_id(), handle->server_id());
   EXPECT_EQ(session_net_log.source().type, handle->net_log().source().type);
   EXPECT_EQ(session_net_log.source().id, handle->net_log().source().id);
@@ -394,7 +392,7 @@ TEST_P(QuicChromiumClientSessionTest, Handle) {
   // Veirfy that the handle works correctly after the session is closed.
   EXPECT_FALSE(handle->IsConnected());
   EXPECT_TRUE(handle->IsCryptoHandshakeConfirmed());
-  EXPECT_EQ(version_.transport_version, handle->GetQuicVersion());
+  EXPECT_EQ(version_, handle->GetQuicVersion());
   EXPECT_EQ(session_key_.server_id(), handle->server_id());
   EXPECT_EQ(session_net_log.source().type, handle->net_log().source().type);
   EXPECT_EQ(session_net_log.source().id, handle->net_log().source().id);
@@ -418,7 +416,7 @@ TEST_P(QuicChromiumClientSessionTest, Handle) {
   // Veirfy that the handle works correctly after the session is deleted.
   EXPECT_FALSE(handle->IsConnected());
   EXPECT_TRUE(handle->IsCryptoHandshakeConfirmed());
-  EXPECT_EQ(version_.transport_version, handle->GetQuicVersion());
+  EXPECT_EQ(version_, handle->GetQuicVersion());
   EXPECT_EQ(session_key_.server_id(), handle->server_id());
   EXPECT_EQ(session_net_log.source().type, handle->net_log().source().type);
   EXPECT_EQ(session_net_log.source().id, handle->net_log().source().id);
@@ -620,6 +618,76 @@ TEST_P(QuicChromiumClientSessionTest, AsyncStreamRequest) {
   EXPECT_TRUE(quic_data.AllWriteDataConsumed());
 }
 
+// Regression test for https://crbug.com/1021938.
+// When the connection is closed, there may be tasks queued in the message loop
+// to read the last packet, reading that packet should not crash.
+TEST_P(QuicChromiumClientSessionTest, ReadAfterConnectionClose) {
+  MockQuicData quic_data(version_);
+  if (version_.transport_version == quic::QUIC_VERSION_99) {
+    quic_data.AddWrite(SYNCHRONOUS, client_maker_.MakeInitialSettingsPacket(1));
+    // The open stream limit is set to 50 by
+    // MockCryptoClientStream::SetConfigNegotiated() so when the 51st stream is
+    // requested, a STREAMS_BLOCKED will be sent, indicating that it's blocked
+    // at the limit of 50.
+    quic_data.AddWrite(SYNCHRONOUS, client_maker_.MakeStreamsBlockedPacket(
+                                        2, true, 50,
+                                        /*unidirectional=*/false));
+    quic_data.AddWrite(SYNCHRONOUS, client_maker_.MakeStreamsBlockedPacket(
+                                        3, true, 50,
+                                        /*unidirectional=*/false));
+  }
+  quic_data.AddRead(ASYNC, ERR_IO_PENDING);
+  // This packet will be read after connection is closed.
+  quic_data.AddRead(
+      ASYNC,
+      server_maker_.MakeConnectionClosePacket(
+          1, false, quic::QUIC_CRYPTO_VERSION_NOT_SUPPORTED, "Time to panic!"));
+  quic_data.AddSocketDataToFactory(&socket_factory_);
+
+  Initialize();
+  CompleteCryptoHandshake();
+
+  // Open the maximum number of streams so that a subsequent request
+  // can not proceed immediately.
+  const size_t kMaxOpenStreams = GetMaxAllowedOutgoingBidirectionalStreams();
+  for (size_t i = 0; i < kMaxOpenStreams; i++) {
+    QuicChromiumClientSessionPeer::CreateOutgoingStream(session_.get());
+  }
+  EXPECT_EQ(kMaxOpenStreams, session_->GetNumOpenOutgoingStreams());
+
+  // Request two streams which will both be pending.
+  // In V99 each will generate a max stream id for each attempt.
+  std::unique_ptr<QuicChromiumClientSession::Handle> handle =
+      session_->CreateHandle(destination_);
+  std::unique_ptr<QuicChromiumClientSession::Handle> handle2 =
+      session_->CreateHandle(destination_);
+
+  ASSERT_EQ(
+      ERR_IO_PENDING,
+      handle->RequestStream(
+          /*requires_confirmation=*/false,
+          base::BindOnce(&QuicChromiumClientSessionTest::ResetHandleOnError,
+                         base::Unretained(this), &handle2),
+          TRAFFIC_ANNOTATION_FOR_TESTS));
+
+  TestCompletionCallback callback2;
+  ASSERT_EQ(ERR_IO_PENDING,
+            handle2->RequestStream(/*requires_confirmation=*/false,
+                                   callback2.callback(),
+                                   TRAFFIC_ANNOTATION_FOR_TESTS));
+
+  session_->connection()->CloseConnection(
+      quic::QUIC_NETWORK_IDLE_TIMEOUT, "Timed out",
+      quic::ConnectionCloseBehavior::SILENT_CLOSE);
+
+  // Pump the message loop to read the connection close packet.
+  base::RunLoop().RunUntilIdle();
+  EXPECT_FALSE(handle2.get());
+  quic_data.Resume();
+  EXPECT_TRUE(quic_data.AllReadDataConsumed());
+  EXPECT_TRUE(quic_data.AllWriteDataConsumed());
+}
+
 TEST_P(QuicChromiumClientSessionTest, ClosedWithAsyncStreamRequest) {
   MockQuicData quic_data(version_);
   if (version_.transport_version == quic::QUIC_VERSION_99) {
@@ -1897,7 +1965,7 @@ TEST_P(QuicChromiumClientSessionTest, RetransmittableOnWireTimeout) {
   CompleteCryptoHandshake();
 
   EXPECT_EQ(quic::QuicTime::Delta::FromMilliseconds(200),
-            session_->connection()->retransmittable_on_wire_timeout());
+            session_->connection()->initial_retransmittable_on_wire_timeout());
 
   // Open a stream since the connection only sends PINGs to keep a
   // retransmittable packet on the wire if there's an open stream.
diff --git a/chromium/net/quic/quic_chromium_client_stream_test.cc b/chromium/net/quic/quic_chromium_client_stream_test.cc
index fa9f5d76024..b693ec9cee4 100644
--- a/chromium/net/quic/quic_chromium_client_stream_test.cc
+++ b/chromium/net/quic/quic_chromium_client_stream_test.cc
@@ -23,18 +23,14 @@
 #include "net/third_party/quiche/src/quic/core/quic_utils.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_ptr_util.h"
 #include "net/third_party/quiche/src/quic/test_tools/crypto_test_utils.h"
+#include "net/third_party/quiche/src/quic/test_tools/quic_config_peer.h"
 #include "net/third_party/quiche/src/quic/test_tools/quic_spdy_session_peer.h"
 #include "net/third_party/quiche/src/quic/test_tools/quic_test_utils.h"
 #include "net/traffic_annotation/network_traffic_annotation_test_helper.h"
 #include "testing/gmock/include/gmock/gmock.h"
-#include "testing/gmock_mutant.h"
 
-using testing::AnyNumber;
-using testing::CreateFunctor;
-using testing::Invoke;
-using testing::Return;
-using testing::StrEq;
 using testing::_;
+using testing::Return;
 
 namespace net {
 namespace test {
@@ -156,22 +152,30 @@ MockQuicClientSessionBase::MockQuicClientSessionBase(
 MockQuicClientSessionBase::~MockQuicClientSessionBase() {}
 
 class QuicChromiumClientStreamTest
-    : public ::testing::TestWithParam<quic::QuicTransportVersion>,
+    : public ::testing::TestWithParam<quic::ParsedQuicVersion>,
       public WithTaskEnvironment {
  public:
   QuicChromiumClientStreamTest()
-      : crypto_config_(
+      : version_(GetParam()),
+        crypto_config_(
             quic::test::crypto_test_utils::ProofVerifierForTesting()),
         session_(new quic::test::MockQuicConnection(
                      &helper_,
                      &alarm_factory_,
                      quic::Perspective::IS_CLIENT,
-                     quic::test::SupportedVersions(
-                         quic::ParsedQuicVersion(quic::PROTOCOL_QUIC_CRYPTO,
-                                                 GetParam()))),
+                     quic::test::SupportedVersions(version_)),
                  &push_promise_index_) {
+    quic::test::QuicConfigPeer::SetReceivedInitialSessionFlowControlWindow(
+        session_.config(), quic::kMinimumFlowControlSendWindow);
+    quic::test::QuicConfigPeer::
+        SetReceivedInitialMaxStreamDataBytesOutgoingBidirectional(
+            session_.config(), quic::kMinimumFlowControlSendWindow);
+    quic::test::QuicConfigPeer::SetReceivedMaxIncomingUnidirectionalStreams(
+        session_.config(), 10);
+    session_.OnConfigNegotiated();
     stream_ = new QuicChromiumClientStream(
-        quic::test::GetNthClientInitiatedBidirectionalStreamId(GetParam(), 0),
+        quic::test::GetNthClientInitiatedBidirectionalStreamId(
+            version_.transport_version, 0),
         &session_, quic::BIDIRECTIONAL, NetLogWithSource(),
         TRAFFIC_ANNOTATION_FOR_TESTS);
     session_.ActivateStream(base::WrapUnique(stream_));
@@ -256,15 +260,16 @@ class QuicChromiumClientStreamTest
   }
 
   std::string ConstructDataHeader(size_t body_len) {
-    if (GetParam() != quic::QUIC_VERSION_99) {
+    if (version_.transport_version != quic::QUIC_VERSION_99) {
       return "";
     }
-    quic::HttpEncoder encoder;
     std::unique_ptr<char[]> buffer;
-    auto header_length = encoder.SerializeDataFrameHeader(body_len, &buffer);
+    auto header_length =
+        quic::HttpEncoder::SerializeDataFrameHeader(body_len, &buffer);
     return std::string(buffer.get(), header_length);
   }
 
+  const quic::ParsedQuicVersion version_;
   quic::QuicCryptoClientConfig crypto_config_;
   std::unique_ptr<QuicChromiumClientStream::Handle> handle_;
   std::unique_ptr<QuicChromiumClientStream::Handle> handle2_;
@@ -277,18 +282,17 @@ class QuicChromiumClientStreamTest
   quic::QuicClientPushPromiseIndex push_promise_index_;
 };
 
-INSTANTIATE_TEST_SUITE_P(
-    Version,
-    QuicChromiumClientStreamTest,
-    ::testing::ValuesIn(quic::AllSupportedTransportVersions()),
-    ::testing::PrintToStringParamName());
+INSTANTIATE_TEST_SUITE_P(Version,
+                         QuicChromiumClientStreamTest,
+                         ::testing::ValuesIn(quic::AllSupportedVersions()),
+                         ::testing::PrintToStringParamName());
 
 TEST_P(QuicChromiumClientStreamTest, Handle) {
   testing::InSequence seq;
   EXPECT_TRUE(handle_->IsOpen());
-  EXPECT_EQ(
-      quic::test::GetNthClientInitiatedBidirectionalStreamId(GetParam(), 0),
-      handle_->id());
+  EXPECT_EQ(quic::test::GetNthClientInitiatedBidirectionalStreamId(
+                version_.transport_version, 0),
+            handle_->id());
   EXPECT_EQ(quic::QUIC_NO_ERROR, handle_->connection_error());
   EXPECT_EQ(quic::QUIC_STREAM_NO_ERROR, handle_->stream_error());
   EXPECT_TRUE(handle_->IsFirstStream());
@@ -303,7 +307,8 @@ TEST_P(QuicChromiumClientStreamTest, Handle) {
   quic::QuicStreamOffset offset = 0;
   ProcessHeadersFull(headers_);
   quic::QuicStreamFrame frame2(
-      quic::test::GetNthClientInitiatedBidirectionalStreamId(GetParam(), 0),
+      quic::test::GetNthClientInitiatedBidirectionalStreamId(
+          version_.transport_version, 0),
       true, offset, quic::QuicStringPiece());
   stream_->OnStreamFrame(frame2);
   EXPECT_TRUE(handle_->fin_received());
@@ -314,7 +319,7 @@ TEST_P(QuicChromiumClientStreamTest, Handle) {
 
   // All data written.
   std::string header = ConstructDataHeader(kDataLen);
-  if (GetParam() == quic::QUIC_VERSION_99) {
+  if (version_.transport_version == quic::QUIC_VERSION_99) {
     EXPECT_CALL(session_, WritevData(stream_, stream_->id(), _, _, _))
         .WillOnce(Return(quic::QuicConsumedData(header.length(), false)));
   }
@@ -326,9 +331,9 @@ TEST_P(QuicChromiumClientStreamTest, Handle) {
                                      true, callback.callback()));
 
   EXPECT_FALSE(handle_->IsOpen());
-  EXPECT_EQ(
-      quic::test::GetNthClientInitiatedBidirectionalStreamId(GetParam(), 0),
-      handle_->id());
+  EXPECT_EQ(quic::test::GetNthClientInitiatedBidirectionalStreamId(
+                version_.transport_version, 0),
+            handle_->id());
   EXPECT_EQ(quic::QUIC_NO_ERROR, handle_->connection_error());
   EXPECT_EQ(quic::QUIC_STREAM_NO_ERROR, handle_->stream_error());
   EXPECT_TRUE(handle_->IsFirstStream());
@@ -357,9 +362,9 @@ TEST_P(QuicChromiumClientStreamTest, Handle) {
 TEST_P(QuicChromiumClientStreamTest, HandleAfterConnectionClose) {
   EXPECT_CALL(
       session_,
-      SendRstStream(
-          quic::test::GetNthClientInitiatedBidirectionalStreamId(GetParam(), 0),
-          quic::QUIC_RST_ACKNOWLEDGEMENT, 0));
+      SendRstStream(quic::test::GetNthClientInitiatedBidirectionalStreamId(
+                        version_.transport_version, 0),
+                    quic::QUIC_RST_ACKNOWLEDGEMENT, 0));
   stream_->OnConnectionClosed(quic::QUIC_INVALID_FRAME_DATA,
                               quic::ConnectionCloseSource::FROM_PEER);
 
@@ -371,13 +376,14 @@ TEST_P(QuicChromiumClientStreamTest, HandleAfterStreamReset) {
   // Verify that the Handle still behaves correctly after the stream is reset.
   quic::QuicRstStreamFrame rst(
       quic::kInvalidControlFrameId,
-      quic::test::GetNthClientInitiatedBidirectionalStreamId(GetParam(), 0),
+      quic::test::GetNthClientInitiatedBidirectionalStreamId(
+          version_.transport_version, 0),
       quic::QUIC_STREAM_CANCELLED, 0);
-  if (GetParam() != quic::QUIC_VERSION_99) {
+  if (version_.transport_version != quic::QUIC_VERSION_99) {
     EXPECT_CALL(
         session_,
         SendRstStream(quic::test::GetNthClientInitiatedBidirectionalStreamId(
-                          GetParam(), 0),
+                          version_.transport_version, 0),
                       quic::QUIC_RST_ACKNOWLEDGEMENT, 0));
   } else {
     // Intercept & check that the call to the QuicConnection's OnStreamReast
@@ -393,13 +399,14 @@ TEST_P(QuicChromiumClientStreamTest, HandleAfterStreamReset) {
   }
 
   stream_->OnStreamReset(rst);
-  if (GetParam() == quic::QUIC_VERSION_99) {
+  if (version_.transport_version == quic::QUIC_VERSION_99) {
     // Make a STOP_SENDING frame and pass it to QUIC. For V99/IETF QUIC,
     // we need both a REST_STREAM and a STOP_SENDING to effect a closed
     // stream.
     quic::QuicStopSendingFrame stop_sending_frame(
         quic::kInvalidControlFrameId,
-        quic::test::GetNthClientInitiatedBidirectionalStreamId(GetParam(), 0),
+        quic::test::GetNthClientInitiatedBidirectionalStreamId(
+            version_.transport_version, 0),
         quic::QUIC_STREAM_CANCELLED);
     session_.OnStopSendingFrame(stop_sending_frame);
   }
@@ -412,7 +419,8 @@ TEST_P(QuicChromiumClientStreamTest, OnFinRead) {
   quic::QuicStreamOffset offset = 0;
   ProcessHeadersFull(headers_);
   quic::QuicStreamFrame frame2(
-      quic::test::GetNthClientInitiatedBidirectionalStreamId(GetParam(), 0),
+      quic::test::GetNthClientInitiatedBidirectionalStreamId(
+          version_.transport_version, 0),
       true, offset, quic::QuicStringPiece());
   stream_->OnStreamFrame(frame2);
 }
@@ -424,16 +432,18 @@ TEST_P(QuicChromiumClientStreamTest, OnDataAvailable) {
   const char data[] = "hello world!";
   int data_len = strlen(data);
   size_t offset = 0;
-  if (GetParam() == quic::QUIC_VERSION_99) {
+  if (version_.transport_version == quic::QUIC_VERSION_99) {
     std::string header = ConstructDataHeader(data_len);
     stream_->OnStreamFrame(quic::QuicStreamFrame(
-        quic::test::GetNthClientInitiatedBidirectionalStreamId(GetParam(), 0),
+        quic::test::GetNthClientInitiatedBidirectionalStreamId(
+            version_.transport_version, 0),
         /*fin=*/false,
         /*offset=*/offset, header));
     offset += header.length();
   }
   stream_->OnStreamFrame(quic::QuicStreamFrame(
-      quic::test::GetNthClientInitiatedBidirectionalStreamId(GetParam(), 0),
+      quic::test::GetNthClientInitiatedBidirectionalStreamId(
+          version_.transport_version, 0),
       /*fin=*/false,
       /*offset=*/offset, data));
 
@@ -460,17 +470,19 @@ TEST_P(QuicChromiumClientStreamTest, OnDataAvailableAfterReadBody) {
             handle_->ReadBody(buffer.get(), 2 * data_len, callback.callback()));
 
   size_t offset = 0;
-  if (GetParam() == quic::QUIC_VERSION_99) {
+  if (version_.transport_version == quic::QUIC_VERSION_99) {
     std::string header = ConstructDataHeader(data_len);
     stream_->OnStreamFrame(quic::QuicStreamFrame(
-        quic::test::GetNthClientInitiatedBidirectionalStreamId(GetParam(), 0),
+        quic::test::GetNthClientInitiatedBidirectionalStreamId(
+            version_.transport_version, 0),
         /*fin=*/false,
         /*offset=*/offset, header));
     offset += header.length();
   }
 
   stream_->OnStreamFrame(quic::QuicStreamFrame(
-      quic::test::GetNthClientInitiatedBidirectionalStreamId(GetParam(), 0),
+      quic::test::GetNthClientInitiatedBidirectionalStreamId(
+          version_.transport_version, 0),
       /*fin=*/false,
       /*offset=*/offset, data));
 
@@ -485,9 +497,9 @@ TEST_P(QuicChromiumClientStreamTest, ProcessHeadersWithError) {
   bad_headers["NAME"] = "...";
   EXPECT_CALL(
       session_,
-      SendRstStream(
-          quic::test::GetNthClientInitiatedBidirectionalStreamId(GetParam(), 0),
-          quic::QUIC_BAD_APPLICATION_PAYLOAD, 0));
+      SendRstStream(quic::test::GetNthClientInitiatedBidirectionalStreamId(
+                        version_.transport_version, 0),
+                    quic::QUIC_BAD_APPLICATION_PAYLOAD, 0));
 
   auto headers = quic::test::AsHeaderList(bad_headers);
   stream_->OnStreamHeaderList(false, headers.uncompressed_header_bytes(),
@@ -502,9 +514,9 @@ TEST_P(QuicChromiumClientStreamTest, OnDataAvailableWithError) {
   ProcessHeadersFull(headers_);
   EXPECT_CALL(
       session_,
-      SendRstStream(
-          quic::test::GetNthClientInitiatedBidirectionalStreamId(GetParam(), 0),
-          quic::QUIC_STREAM_CANCELLED, 0));
+      SendRstStream(quic::test::GetNthClientInitiatedBidirectionalStreamId(
+                        version_.transport_version, 0),
+                    quic::QUIC_STREAM_CANCELLED, 0));
 
   const char data[] = "hello world!";
   int data_len = strlen(data);
@@ -521,16 +533,18 @@ TEST_P(QuicChromiumClientStreamTest, OnDataAvailableWithError) {
 
   // Receive the data and close the stream during the callback.
   size_t offset = 0;
-  if (GetParam() == quic::QUIC_VERSION_99) {
+  if (version_.transport_version == quic::QUIC_VERSION_99) {
     std::string header = ConstructDataHeader(data_len);
     stream_->OnStreamFrame(quic::QuicStreamFrame(
-        quic::test::GetNthClientInitiatedBidirectionalStreamId(GetParam(), 0),
+        quic::test::GetNthClientInitiatedBidirectionalStreamId(
+            version_.transport_version, 0),
         /*fin=*/false,
         /*offset=*/offset, header));
     offset += header.length();
   }
   stream_->OnStreamFrame(quic::QuicStreamFrame(
-      quic::test::GetNthClientInitiatedBidirectionalStreamId(GetParam(), 0),
+      quic::test::GetNthClientInitiatedBidirectionalStreamId(
+          version_.transport_version, 0),
       /*fin=*/false,
       /*offset=*/0, data));
 
@@ -551,16 +565,18 @@ TEST_P(QuicChromiumClientStreamTest, OnTrailers) {
   const char data[] = "hello world!";
   int data_len = strlen(data);
   size_t offset = 0;
-  if (GetParam() == quic::QUIC_VERSION_99) {
+  if (version_.transport_version == quic::QUIC_VERSION_99) {
     std::string header = ConstructDataHeader(data_len);
     stream_->OnStreamFrame(quic::QuicStreamFrame(
-        quic::test::GetNthClientInitiatedBidirectionalStreamId(GetParam(), 0),
+        quic::test::GetNthClientInitiatedBidirectionalStreamId(
+            version_.transport_version, 0),
         /*fin=*/false,
         /*offset=*/offset, header));
     offset += header.length();
   }
   stream_->OnStreamFrame(quic::QuicStreamFrame(
-      quic::test::GetNthClientInitiatedBidirectionalStreamId(GetParam(), 0),
+      quic::test::GetNthClientInitiatedBidirectionalStreamId(
+          version_.transport_version, 0),
       /*fin=*/false,
       /*offset=*/offset, data));
 
@@ -574,7 +590,7 @@ TEST_P(QuicChromiumClientStreamTest, OnTrailers) {
 
   spdy::SpdyHeaderBlock trailers;
   trailers["bar"] = "foo";
-  if (GetParam() != quic::QUIC_VERSION_99) {
+  if (version_.transport_version != quic::QUIC_VERSION_99) {
     trailers[quic::kFinalOffsetHeaderKey] = base::NumberToString(strlen(data));
   }
 
@@ -605,16 +621,18 @@ TEST_P(QuicChromiumClientStreamTest, MarkTrailersConsumedWhenNotifyDelegate) {
   const char data[] = "hello world!";
   int data_len = strlen(data);
   size_t offset = 0;
-  if (GetParam() == quic::QUIC_VERSION_99) {
+  if (version_.transport_version == quic::QUIC_VERSION_99) {
     std::string header = ConstructDataHeader(data_len);
     stream_->OnStreamFrame(quic::QuicStreamFrame(
-        quic::test::GetNthClientInitiatedBidirectionalStreamId(GetParam(), 0),
+        quic::test::GetNthClientInitiatedBidirectionalStreamId(
+            version_.transport_version, 0),
         /*fin=*/false,
         /*offset=*/offset, header));
     offset += header.length();
   }
   stream_->OnStreamFrame(quic::QuicStreamFrame(
-      quic::test::GetNthClientInitiatedBidirectionalStreamId(GetParam(), 0),
+      quic::test::GetNthClientInitiatedBidirectionalStreamId(
+          version_.transport_version, 0),
       /*fin=*/false,
       /*offset=*/offset, data));
 
@@ -633,7 +651,7 @@ TEST_P(QuicChromiumClientStreamTest, MarkTrailersConsumedWhenNotifyDelegate) {
 
   spdy::SpdyHeaderBlock trailers;
   trailers["bar"] = "foo";
-  if (GetParam() != quic::QUIC_VERSION_99) {
+  if (version_.transport_version != quic::QUIC_VERSION_99) {
     trailers[quic::kFinalOffsetHeaderKey] = base::NumberToString(strlen(data));
   }
   quic::QuicHeaderList t = ProcessTrailers(trailers);
@@ -666,16 +684,18 @@ TEST_P(QuicChromiumClientStreamTest, ReadAfterTrailersReceivedButNotDelivered) {
   const char data[] = "hello world!";
   int data_len = strlen(data);
   size_t offset = 0;
-  if (GetParam() == quic::QUIC_VERSION_99) {
+  if (version_.transport_version == quic::QUIC_VERSION_99) {
     std::string header = ConstructDataHeader(data_len);
     stream_->OnStreamFrame(quic::QuicStreamFrame(
-        quic::test::GetNthClientInitiatedBidirectionalStreamId(GetParam(), 0),
+        quic::test::GetNthClientInitiatedBidirectionalStreamId(
+            version_.transport_version, 0),
         /*fin=*/false,
         /*offset=*/offset, header));
     offset += header.length();
   }
   stream_->OnStreamFrame(quic::QuicStreamFrame(
-      quic::test::GetNthClientInitiatedBidirectionalStreamId(GetParam(), 0),
+      quic::test::GetNthClientInitiatedBidirectionalStreamId(
+          version_.transport_version, 0),
       /*fin=*/false,
       /*offset=*/offset, data));
 
@@ -690,7 +710,7 @@ TEST_P(QuicChromiumClientStreamTest, ReadAfterTrailersReceivedButNotDelivered) {
   // Deliver trailers. Delegate notification is posted asynchronously.
   spdy::SpdyHeaderBlock trailers;
   trailers["bar"] = "foo";
-  if (GetParam() != quic::QUIC_VERSION_99) {
+  if (version_.transport_version != quic::QUIC_VERSION_99) {
     trailers[quic::kFinalOffsetHeaderKey] = base::NumberToString(strlen(data));
   }
 
@@ -731,7 +751,7 @@ TEST_P(QuicChromiumClientStreamTest, WriteStreamData) {
   const size_t kDataLen = base::size(kData1);
 
   // All data written.
-  if (GetParam() == quic::QUIC_VERSION_99) {
+  if (version_.transport_version == quic::QUIC_VERSION_99) {
     std::string header = ConstructDataHeader(kDataLen);
     EXPECT_CALL(session_, WritevData(stream_, stream_->id(), _, _, _))
         .WillOnce(Return(quic::QuicConsumedData(header.length(), false)));
@@ -759,7 +779,7 @@ TEST_P(QuicChromiumClientStreamTest, WriteStreamDataAsync) {
   ASSERT_FALSE(callback.have_result());
 
   // All data written.
-  if (GetParam() == quic::QUIC_VERSION_99) {
+  if (version_.transport_version == quic::QUIC_VERSION_99) {
     std::string header = ConstructDataHeader(kDataLen);
     EXPECT_CALL(session_, WritevData(stream_, stream_->id(), _, _, _))
         .WillOnce(Return(quic::QuicConsumedData(header.length(), false)));
@@ -768,7 +788,7 @@ TEST_P(QuicChromiumClientStreamTest, WriteStreamDataAsync) {
       .WillOnce(Return(quic::QuicConsumedData(kDataLen, true)));
   stream_->OnCanWrite();
   // Do 2 writes in version 99.
-  if (GetParam() == quic::QUIC_VERSION_99) {
+  if (version_.transport_version == quic::QUIC_VERSION_99) {
     stream_->OnCanWrite();
   }
   ASSERT_TRUE(callback.have_result());
@@ -783,14 +803,14 @@ TEST_P(QuicChromiumClientStreamTest, WritevStreamData) {
       base::MakeRefCounted<StringIOBuffer>("Just a small payload");
 
   // All data written.
-  if (GetParam() == quic::QUIC_VERSION_99) {
+  if (version_.transport_version == quic::QUIC_VERSION_99) {
     std::string header = ConstructDataHeader(buf1->size());
     EXPECT_CALL(session_, WritevData(stream_, stream_->id(), _, _, _))
         .WillOnce(Return(quic::QuicConsumedData(header.length(), false)));
   }
   EXPECT_CALL(session_, WritevData(stream_, stream_->id(), _, _, _))
       .WillOnce(Return(quic::QuicConsumedData(buf1->size(), false)));
-  if (GetParam() == quic::QUIC_VERSION_99) {
+  if (version_.transport_version == quic::QUIC_VERSION_99) {
     std::string header = ConstructDataHeader(buf2->size());
     EXPECT_CALL(session_, WritevData(stream_, stream_->id(), _, _, _))
         .WillOnce(Return(quic::QuicConsumedData(header.length(), false)));
@@ -811,7 +831,7 @@ TEST_P(QuicChromiumClientStreamTest, WritevStreamDataAsync) {
       base::MakeRefCounted<StringIOBuffer>("Just a small payload");
 
   // Only a part of the data is written.
-  if (GetParam() == quic::QUIC_VERSION_99) {
+  if (version_.transport_version == quic::QUIC_VERSION_99) {
     std::string header = ConstructDataHeader(buf1->size());
     EXPECT_CALL(session_, WritevData(stream_, stream_->id(), _, _, _))
         .WillOnce(Return(quic::QuicConsumedData(header.length(), false)));
@@ -830,7 +850,7 @@ TEST_P(QuicChromiumClientStreamTest, WritevStreamDataAsync) {
   ASSERT_FALSE(callback.have_result());
 
   // The second piece of data is written.
-  if (GetParam() == quic::QUIC_VERSION_99) {
+  if (version_.transport_version == quic::QUIC_VERSION_99) {
     std::string header = ConstructDataHeader(buf2->size());
     EXPECT_CALL(session_, WritevData(stream_, stream_->id(), _, _, _))
         .WillOnce(Return(quic::QuicConsumedData(header.length(), false)));
@@ -838,7 +858,7 @@ TEST_P(QuicChromiumClientStreamTest, WritevStreamDataAsync) {
   EXPECT_CALL(session_, WritevData(stream_, stream_->id(), _, _, _))
       .WillOnce(Return(quic::QuicConsumedData(buf2->size(), true)));
   stream_->OnCanWrite();
-  if (GetParam() == quic::QUIC_VERSION_99) {
+  if (version_.transport_version == quic::QUIC_VERSION_99) {
     stream_->OnCanWrite();
   }
   ASSERT_TRUE(callback.have_result());
@@ -887,7 +907,7 @@ TEST_P(QuicChromiumClientStreamTest, HeadersAndDataBeforeHandle) {
   const char data[] = "hello world!";
 
   size_t offset = 0;
-  if (GetParam() == quic::QUIC_VERSION_99) {
+  if (version_.transport_version == quic::QUIC_VERSION_99) {
     std::string header = ConstructDataHeader(strlen(data));
     stream2->OnStreamFrame(quic::QuicStreamFrame(stream_id,
                                                  /*fin=*/false,
diff --git a/chromium/net/quic/quic_chromium_packet_reader.cc b/chromium/net/quic/quic_chromium_packet_reader.cc
index 468052e160f..de491c01617 100644
--- a/chromium/net/quic/quic_chromium_packet_reader.cc
+++ b/chromium/net/quic/quic_chromium_packet_reader.cc
@@ -17,7 +17,7 @@ namespace net {
 
 QuicChromiumPacketReader::QuicChromiumPacketReader(
     DatagramClientSocket* socket,
-    quic::QuicClock* clock,
+    const quic::QuicClock* clock,
     Visitor* visitor,
     int yield_after_packets,
     quic::QuicTime::Delta yield_after_duration,
@@ -44,7 +44,7 @@ void QuicChromiumPacketReader::StartReading() {
     if (num_packets_read_ == 0)
       yield_after_ = clock_->Now() + yield_after_duration_;
 
-    DCHECK(socket_);
+    CHECK(socket_);
     read_pending_ = true;
     int rv =
         socket_->Read(read_buffer_.get(), read_buffer_->size(),
@@ -92,14 +92,17 @@ bool QuicChromiumPacketReader::ProcessReadResult(int result) {
   IPEndPoint peer_address;
   socket_->GetLocalAddress(&local_address);
   socket_->GetPeerAddress(&peer_address);
+  auto self = weak_factory_.GetWeakPtr();
+  // Notifies the visitor that |this| reader gets a new packet, which may delete
+  // |this| if |this| is a connectivity probing reader.
   return visitor_->OnPacket(packet, ToQuicSocketAddress(local_address),
-                            ToQuicSocketAddress(peer_address));
+                            ToQuicSocketAddress(peer_address)) &&
+         self;
 }
 
 void QuicChromiumPacketReader::OnReadComplete(int result) {
-  if (ProcessReadResult(result)) {
+  if (ProcessReadResult(result))
     StartReading();
-  }
 }
 
 }  // namespace net
diff --git a/chromium/net/quic/quic_chromium_packet_reader.h b/chromium/net/quic/quic_chromium_packet_reader.h
index b4d25070816..c88d113d33b 100644
--- a/chromium/net/quic/quic_chromium_packet_reader.h
+++ b/chromium/net/quic/quic_chromium_packet_reader.h
@@ -39,7 +39,7 @@ class NET_EXPORT_PRIVATE QuicChromiumPacketReader {
   };
 
   QuicChromiumPacketReader(DatagramClientSocket* socket,
-                           quic::QuicClock* clock,
+                           const quic::QuicClock* clock,
                            Visitor* visitor,
                            int yield_after_packets,
                            quic::QuicTime::Delta yield_after_duration,
@@ -60,10 +60,11 @@ class NET_EXPORT_PRIVATE QuicChromiumPacketReader {
   bool ProcessReadResult(int result);
 
   DatagramClientSocket* socket_;
+
   Visitor* visitor_;
   bool read_pending_;
   int num_packets_read_;
-  quic::QuicClock* clock_;  // Owned by QuicStreamFactory
+  const quic::QuicClock* clock_;  // Not owned.
   int yield_after_packets_;
   quic::QuicTime::Delta yield_after_duration_;
   quic::QuicTime yield_after_;
diff --git a/chromium/net/quic/quic_connection_logger.cc b/chromium/net/quic/quic_connection_logger.cc
index 375069c3c88..024968dd486 100644
--- a/chromium/net/quic/quic_connection_logger.cc
+++ b/chromium/net/quic/quic_connection_logger.cc
@@ -63,17 +63,6 @@ base::Value NetLogQuicPacketSentParams(
   return dict;
 }
 
-base::Value NetLogQuicPacketRetransmittedParams(
-    quic::QuicPacketNumber old_packet_number,
-    quic::QuicPacketNumber new_packet_number) {
-  base::Value dict(base::Value::Type::DICTIONARY);
-  dict.SetKey("old_packet_number",
-              NetLogNumberValue(old_packet_number.ToUint64()));
-  dict.SetKey("new_packet_number",
-              NetLogNumberValue(new_packet_number.ToUint64()));
-  return dict;
-}
-
 base::Value NetLogQuicPacketLostParams(quic::QuicPacketNumber packet_number,
                                        quic::TransmissionType transmission_type,
                                        quic::QuicTime detection_time) {
@@ -176,7 +165,7 @@ base::Value NetLogQuicWindowUpdateFrameParams(
     const quic::QuicWindowUpdateFrame* frame) {
   base::Value dict(base::Value::Type::DICTIONARY);
   dict.SetIntKey("stream_id", frame->stream_id);
-  dict.SetKey("byte_offset", NetLogNumberValue(frame->byte_offset));
+  dict.SetKey("byte_offset", NetLogNumberValue(frame->max_data));
   return dict;
 }
 
@@ -304,6 +293,31 @@ base::Value NetLogQuicMaxStreamsFrameParams(
   return dict;
 }
 
+base::Value NetLogQuicNewConnectionIdFrameParams(
+    const quic::QuicNewConnectionIdFrame* frame) {
+  base::Value dict(base::Value::Type::DICTIONARY);
+  dict.SetStringKey("connection_id", frame->connection_id.ToString());
+  dict.SetKey("sequence_number", NetLogNumberValue(frame->sequence_number));
+  dict.SetKey("retire_prior_to", NetLogNumberValue(frame->retire_prior_to));
+  return dict;
+}
+
+base::Value NetLogQuicRetireConnectionIdFrameParams(
+    const quic::QuicRetireConnectionIdFrame* frame) {
+  base::Value dict(base::Value::Type::DICTIONARY);
+  dict.SetKey("sequence_number", NetLogNumberValue(frame->sequence_number));
+  return dict;
+}
+
+base::Value NetLogQuicNewTokenFrameParams(
+    const quic::QuicNewTokenFrame* frame) {
+  base::Value dict(base::Value::Type::DICTIONARY);
+  dict.SetKey("token", NetLogBinaryValue(
+                           reinterpret_cast<const void*>(frame->token.data()),
+                           frame->token.length()));
+  return dict;
+}
+
 void UpdatePublicResetAddressMismatchHistogram(
     const IPEndPoint& server_hello_address,
     const IPEndPoint& public_reset_address) {
@@ -448,6 +462,9 @@ void QuicConnectionLogger::OnFrameAddedToPacket(const quic::QuicFrame& frame) {
     return;
   switch (frame.type) {
     case quic::PADDING_FRAME:
+      net_log_.AddEventWithIntParams(
+          NetLogEventType::QUIC_SESSION_PADDING_FRAME_SENT, "num_padding_bytes",
+          frame.padding_frame.num_padding_bytes);
       break;
     case quic::STREAM_FRAME:
       net_log_.AddEvent(NetLogEventType::QUIC_SESSION_STREAM_FRAME_SENT, [&] {
@@ -510,6 +527,11 @@ void QuicConnectionLogger::OnFrameAddedToPacket(const quic::QuicFrame& frame) {
       net_log_.AddEvent(NetLogEventType::QUIC_SESSION_MTU_DISCOVERY_FRAME_SENT);
       break;
     case quic::NEW_CONNECTION_ID_FRAME:
+      net_log_.AddEvent(
+          NetLogEventType::QUIC_SESSION_NEW_CONNECTION_ID_FRAME_SENT, [&] {
+            return NetLogQuicNewConnectionIdFrameParams(
+                frame.new_connection_id_frame);
+          });
       break;
     case quic::MAX_STREAMS_FRAME:
       net_log_.AddEvent(
@@ -543,6 +565,9 @@ void QuicConnectionLogger::OnFrameAddedToPacket(const quic::QuicFrame& frame) {
           });
       break;
     case quic::MESSAGE_FRAME:
+      net_log_.AddEventWithIntParams(
+          NetLogEventType::QUIC_SESSION_MESSAGE_FRAME_SENT, "message_length",
+          frame.message_frame->message_length);
       break;
     case quic::CRYPTO_FRAME:
       net_log_.AddEvent(NetLogEventType::QUIC_SESSION_CRYPTO_FRAME_SENT, [&] {
@@ -551,8 +576,16 @@ void QuicConnectionLogger::OnFrameAddedToPacket(const quic::QuicFrame& frame) {
       });
       break;
     case quic::NEW_TOKEN_FRAME:
+      net_log_.AddEvent(
+          NetLogEventType::QUIC_SESSION_NEW_TOKEN_FRAME_SENT,
+          [&] { return NetLogQuicNewTokenFrameParams(frame.new_token_frame); });
       break;
     case quic::RETIRE_CONNECTION_ID_FRAME:
+      net_log_.AddEvent(
+          NetLogEventType::QUIC_SESSION_RETIRE_CONNECTION_ID_FRAME_SENT, [&] {
+            return NetLogQuicRetireConnectionIdFrameParams(
+                frame.retire_connection_id_frame);
+          });
       break;
     default:
       DCHECK(false) << "Illegal frame type: " << frame.type;
@@ -561,22 +594,14 @@ void QuicConnectionLogger::OnFrameAddedToPacket(const quic::QuicFrame& frame) {
 
 void QuicConnectionLogger::OnPacketSent(
     const quic::SerializedPacket& serialized_packet,
-    quic::QuicPacketNumber original_packet_number,
     quic::TransmissionType transmission_type,
     quic::QuicTime sent_time) {
   if (!net_log_.IsCapturing())
     return;
-  if (!original_packet_number.IsInitialized()) {
-    net_log_.AddEvent(NetLogEventType::QUIC_SESSION_PACKET_SENT, [&] {
-      return NetLogQuicPacketSentParams(serialized_packet, transmission_type,
-                                        sent_time);
-    });
-  } else {
-    net_log_.AddEvent(NetLogEventType::QUIC_SESSION_PACKET_RETRANSMITTED, [&] {
-      return NetLogQuicPacketRetransmittedParams(
-          original_packet_number, serialized_packet.packet_number);
-    });
-  }
+  net_log_.AddEvent(NetLogEventType::QUIC_SESSION_PACKET_SENT, [&] {
+    return NetLogQuicPacketSentParams(serialized_packet, transmission_type,
+                                      sent_time);
+  });
 }
 
 void QuicConnectionLogger::OnPacketLoss(
@@ -846,6 +871,48 @@ void QuicConnectionLogger::OnPingFrame(const quic::QuicPingFrame& frame) {
   net_log_.AddEvent(NetLogEventType::QUIC_SESSION_PING_FRAME_RECEIVED);
 }
 
+void QuicConnectionLogger::OnPaddingFrame(const quic::QuicPaddingFrame& frame) {
+  if (!net_log_.IsCapturing())
+    return;
+  net_log_.AddEventWithIntParams(
+      NetLogEventType::QUIC_SESSION_PADDING_FRAME_RECEIVED, "num_padding_bytes",
+      frame.num_padding_bytes);
+}
+
+void QuicConnectionLogger::OnNewConnectionIdFrame(
+    const quic::QuicNewConnectionIdFrame& frame) {
+  if (!net_log_.IsCapturing())
+    return;
+  net_log_.AddEvent(
+      NetLogEventType::QUIC_SESSION_NEW_CONNECTION_ID_FRAME_RECEIVED,
+      [&] { return NetLogQuicNewConnectionIdFrameParams(&frame); });
+}
+
+void QuicConnectionLogger::OnNewTokenFrame(
+    const quic::QuicNewTokenFrame& frame) {
+  if (!net_log_.IsCapturing())
+    return;
+  net_log_.AddEvent(NetLogEventType::QUIC_SESSION_NEW_TOKEN_FRAME_RECEIVED,
+                    [&] { return NetLogQuicNewTokenFrameParams(&frame); });
+}
+
+void QuicConnectionLogger::OnRetireConnectionIdFrame(
+    const quic::QuicRetireConnectionIdFrame& frame) {
+  if (!net_log_.IsCapturing())
+    return;
+  net_log_.AddEvent(
+      NetLogEventType::QUIC_SESSION_RETIRE_CONNECTION_ID_FRAME_RECEIVED,
+      [&] { return NetLogQuicRetireConnectionIdFrameParams(&frame); });
+}
+
+void QuicConnectionLogger::OnMessageFrame(const quic::QuicMessageFrame& frame) {
+  if (!net_log_.IsCapturing())
+    return;
+  net_log_.AddEventWithIntParams(
+      NetLogEventType::QUIC_SESSION_MESSAGE_FRAME_RECEIVED, "message_length",
+      frame.message_length);
+}
+
 void QuicConnectionLogger::OnPublicResetPacket(
     const quic::QuicPublicResetPacket& packet) {
   UpdatePublicResetAddressMismatchHistogram(
diff --git a/chromium/net/quic/quic_connection_logger.h b/chromium/net/quic/quic_connection_logger.h
index 550266a8318..4620c0756a9 100644
--- a/chromium/net/quic/quic_connection_logger.h
+++ b/chromium/net/quic/quic_connection_logger.h
@@ -47,7 +47,6 @@ class NET_EXPORT_PRIVATE QuicConnectionLogger
 
   // QuicConnectionDebugVisitorInterface
   void OnPacketSent(const quic::SerializedPacket& serialized_packet,
-                    quic::QuicPacketNumber original_packet_number,
                     quic::TransmissionType transmission_type,
                     quic::QuicTime sent_time) override;
   void OnIncomingAck(quic::QuicPacketNumber ack_packet_number,
@@ -86,6 +85,13 @@ class NET_EXPORT_PRIVATE QuicConnectionLogger
   void OnBlockedFrame(const quic::QuicBlockedFrame& frame) override;
   void OnGoAwayFrame(const quic::QuicGoAwayFrame& frame) override;
   void OnPingFrame(const quic::QuicPingFrame& frame) override;
+  void OnPaddingFrame(const quic::QuicPaddingFrame& frame) override;
+  void OnNewConnectionIdFrame(
+      const quic::QuicNewConnectionIdFrame& frame) override;
+  void OnNewTokenFrame(const quic::QuicNewTokenFrame& frame) override;
+  void OnRetireConnectionIdFrame(
+      const quic::QuicRetireConnectionIdFrame& frame) override;
+  void OnMessageFrame(const quic::QuicMessageFrame& frame) override;
   void OnPublicResetPacket(const quic::QuicPublicResetPacket& packet) override;
   void OnVersionNegotiationPacket(
       const quic::QuicVersionNegotiationPacket& packet) override;
diff --git a/chromium/net/quic/quic_connectivity_probing_manager_test.cc b/chromium/net/quic/quic_connectivity_probing_manager_test.cc
index 425c00d877e..c29be701ebc 100644
--- a/chromium/net/quic/quic_connectivity_probing_manager_test.cc
+++ b/chromium/net/quic/quic_connectivity_probing_manager_test.cc
@@ -140,8 +140,8 @@ class QuicConnectivityProbingManagerTest : public ::testing::Test {
 
   quic::MockClock clock_;
   MockClientSocketFactory socket_factory_;
-  TestNetLog net_log_;
-  BoundTestNetLog bound_test_net_log_;
+  RecordingTestNetLog net_log_;
+  RecordingBoundTestNetLog bound_test_net_log_;
 
   DISALLOW_COPY_AND_ASSIGN(QuicConnectivityProbingManagerTest);
 };
diff --git a/chromium/net/quic/quic_context.cc b/chromium/net/quic/quic_context.cc
new file mode 100644
index 00000000000..c9ff40e3517
--- /dev/null
+++ b/chromium/net/quic/quic_context.cc
@@ -0,0 +1,31 @@
+// Copyright 2019 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "net/quic/quic_context.h"
+
+#include "net/quic/platform/impl/quic_chromium_clock.h"
+#include "net/quic/quic_chromium_connection_helper.h"
+#include "net/third_party/quiche/src/quic/core/crypto/quic_random.h"
+#include "net/third_party/quiche/src/quic/core/quic_constants.h"
+
+namespace net {
+
+QuicParams::QuicParams() = default;
+
+QuicParams::QuicParams(const QuicParams& other) = default;
+
+QuicParams::~QuicParams() = default;
+
+QuicContext::QuicContext()
+    : QuicContext(std::make_unique<QuicChromiumConnectionHelper>(
+          quic::QuicChromiumClock::GetInstance(),
+          quic::QuicRandom::GetInstance())) {}
+
+QuicContext::QuicContext(
+    std::unique_ptr<quic::QuicConnectionHelperInterface> helper)
+    : helper_(std::move(helper)) {}
+
+QuicContext::~QuicContext() = default;
+
+}  // namespace net
diff --git a/chromium/net/quic/quic_context.h b/chromium/net/quic/quic_context.h
new file mode 100644
index 00000000000..bff766d5c9c
--- /dev/null
+++ b/chromium/net/quic/quic_context.h
@@ -0,0 +1,194 @@
+// Copyright 2019 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef NET_QUIC_QUIC_CONTEXT_H_
+#define NET_QUIC_QUIC_CONTEXT_H_
+
+#include <memory>
+
+#include "net/base/host_port_pair.h"
+#include "net/third_party/quiche/src/quic/core/quic_connection.h"
+
+namespace net {
+
+// Default QUIC version used in absence of any external configuration.
+constexpr quic::ParsedQuicVersion kDefaultSupportedQuicVersion{
+    quic::PROTOCOL_QUIC_CRYPTO, quic::QUIC_VERSION_46};
+
+// Returns a list containing only the current default version.
+inline NET_EXPORT_PRIVATE quic::ParsedQuicVersionVector
+DefaultSupportedQuicVersions() {
+  return quic::ParsedQuicVersionVector{kDefaultSupportedQuicVersion};
+}
+
+// When a connection is idle for 30 seconds it will be closed.
+constexpr base::TimeDelta kIdleConnectionTimeout =
+    base::TimeDelta::FromSeconds(30);
+
+// Sessions can migrate if they have been idle for less than this period.
+constexpr base::TimeDelta kDefaultIdleSessionMigrationPeriod =
+    base::TimeDelta::FromSeconds(30);
+
+// The default maximum time allowed to have no retransmittable packets on the
+// wire (after sending the first retransmittable packet) if
+// |migrate_session_early_v2_| is true. PING frames will be sent as needed to
+// enforce this.
+constexpr base::TimeDelta kDefaultRetransmittableOnWireTimeout =
+    base::TimeDelta::FromMilliseconds(200);
+
+// The default maximum time QUIC session could be on non-default network before
+// migrate back to default network.
+constexpr base::TimeDelta kMaxTimeOnNonDefaultNetwork =
+    base::TimeDelta::FromSeconds(128);
+
+// The default maximum number of migrations to non default network on write
+// error per network.
+const int64_t kMaxMigrationsToNonDefaultNetworkOnWriteError = 5;
+
+// The default maximum number of migrations to non default network on path
+// degrading per network.
+const int64_t kMaxMigrationsToNonDefaultNetworkOnPathDegrading = 5;
+
+// Structure containing simple configuration options and experiments for QUIC.
+struct NET_EXPORT QuicParams {
+  QuicParams();
+  QuicParams(const QuicParams& other);
+  ~QuicParams();
+
+  // QUIC runtime configuration options.
+
+  // Versions of QUIC which may be used.
+  quic::ParsedQuicVersionVector supported_versions =
+      DefaultSupportedQuicVersions();
+  // User agent description to send in the QUIC handshake.
+  std::string user_agent_id;
+  // Limit on the size of QUIC packets.
+  size_t max_packet_length = quic::kDefaultMaxPacketSize;
+  // Maximum number of server configs that are to be stored in
+  // HttpServerProperties, instead of the disk cache.
+  size_t max_server_configs_stored_in_properties = 0u;
+  // QUIC will be used for all connections in this set.
+  std::set<HostPortPair> origins_to_force_quic_on;
+  // Set of QUIC tags to send in the handshake's connection options.
+  quic::QuicTagVector connection_options;
+  // Set of QUIC tags to send in the handshake's connection options that only
+  // affect the client.
+  quic::QuicTagVector client_connection_options;
+  // Enables experimental optimization for receiving data in UDPSocket.
+  bool enable_socket_recv_optimization = false;
+  // Initial value of QuicSpdyClientSessionBase::max_allowed_push_id_.
+  quic::QuicStreamId max_allowed_push_id = 0;
+
+  // Active QUIC experiments
+
+  // Retry requests which fail with QUIC_PROTOCOL_ERROR, and mark QUIC
+  // broken if the retry succeeds.
+  bool retry_without_alt_svc_on_quic_errors = true;
+  // If true, all QUIC sessions are closed when any local IP address changes.
+  bool close_sessions_on_ip_change = false;
+  // If true, all QUIC sessions are marked as goaway when any local IP address
+  // changes.
+  bool goaway_sessions_on_ip_change = false;
+  // Specifies QUIC idle connection state lifetime.
+  base::TimeDelta idle_connection_timeout = kIdleConnectionTimeout;
+  // Specifies the reduced ping timeout subsequent connections should use when
+  // a connection was timed out with open streams.
+  base::TimeDelta reduced_ping_timeout =
+      base::TimeDelta::FromSeconds(quic::kPingTimeoutSecs);
+  // Maximum time that a session can have no retransmittable packets on the
+  // wire. Set to zero if not specified and no retransmittable PING will be
+  // sent to peer when the wire has no retransmittable packets.
+  base::TimeDelta retransmittable_on_wire_timeout;
+  // Maximum time the session can be alive before crypto handshake is
+  // finished.
+  base::TimeDelta max_time_before_crypto_handshake =
+      base::TimeDelta::FromSeconds(quic::kMaxTimeForCryptoHandshakeSecs);
+  // Maximum idle time before the crypto handshake has completed.
+  base::TimeDelta max_idle_time_before_crypto_handshake =
+      base::TimeDelta::FromSeconds(quic::kInitialIdleTimeoutSecs);
+  // If true, connection migration v2 will be used to migrate existing
+  // sessions to network when the platform indicates that the default network
+  // is changing.
+  bool migrate_sessions_on_network_change_v2 = false;
+  // If true, connection migration v2 may be used to migrate active QUIC
+  // sessions to alternative network if current network connectivity is poor.
+  bool migrate_sessions_early_v2 = false;
+  // If true, a new connection may be kicked off on an alternate network when
+  // a connection fails on the default network before handshake is confirmed.
+  bool retry_on_alternate_network_before_handshake = false;
+  // If true, an idle session will be migrated within the idle migration
+  // period.
+  bool migrate_idle_sessions = false;
+  // If true, sessions with open streams will attempt to migrate to a different
+  // port when the current path is poor.
+  bool allow_port_migration = false;
+  // A session can be migrated if its idle time is within this period.
+  base::TimeDelta idle_session_migration_period =
+      kDefaultIdleSessionMigrationPeriod;
+  // Maximum time the session could be on the non-default network before
+  // migrates back to default network. Defaults to
+  // kMaxTimeOnNonDefaultNetwork.
+  base::TimeDelta max_time_on_non_default_network = kMaxTimeOnNonDefaultNetwork;
+  // Maximum number of migrations to the non-default network on write error
+  // per network for each session.
+  int max_migrations_to_non_default_network_on_write_error =
+      kMaxMigrationsToNonDefaultNetworkOnWriteError;
+  // Maximum number of migrations to the non-default network on path
+  // degrading per network for each session.
+  int max_migrations_to_non_default_network_on_path_degrading =
+      kMaxMigrationsToNonDefaultNetworkOnPathDegrading;
+  // If true, allows migration of QUIC connections to a server-specified
+  // alternate server address.
+  bool allow_server_migration = false;
+  // If true, allows QUIC to use alternative services with a different
+  // hostname from the origin.
+  bool allow_remote_alt_svc = true;
+  // If true, the quic stream factory may race connection from stale dns
+  // result with the original dns resolution
+  bool race_stale_dns_on_connection = false;
+  // If true, the quic session may mark itself as GOAWAY on path degrading.
+  bool go_away_on_path_degrading = false;
+  // If true, bidirectional streams over QUIC will be disabled.
+  bool disable_bidirectional_streams = false;
+  // If true, race cert verification with host resolution.
+  bool race_cert_verification = false;
+  // If true, estimate the initial RTT for QUIC connections based on network.
+  bool estimate_initial_rtt = false;
+  // If true, client headers will include HTTP/2 stream dependency info
+  // derived from the request priority.
+  bool headers_include_h2_stream_dependency = false;
+  // The initial rtt that will be used in crypto handshake if no cached
+  // smoothed rtt is present.
+  base::TimeDelta initial_rtt_for_handshake;
+};
+
+// QuicContext contains QUIC-related variables that are shared across all of the
+// QUIC connections, both HTTP and non-HTTP ones.
+class NET_EXPORT_PRIVATE QuicContext {
+ public:
+  QuicContext();
+  QuicContext(std::unique_ptr<quic::QuicConnectionHelperInterface> helper);
+  ~QuicContext();
+
+  quic::QuicConnectionHelperInterface* helper() { return helper_.get(); }
+  const quic::QuicClock* clock() { return helper_->GetClock(); }
+  quic::QuicRandom* random_generator() { return helper_->GetRandomGenerator(); }
+
+  QuicParams* params() { return &params_; }
+  quic::ParsedQuicVersion GetDefaultVersion() {
+    return params_.supported_versions[0];
+  }
+  const quic::ParsedQuicVersionVector& supported_versions() {
+    return params_.supported_versions;
+  }
+
+ private:
+  std::unique_ptr<quic::QuicConnectionHelperInterface> helper_;
+
+  QuicParams params_;
+};
+
+}  // namespace net
+
+#endif  // NET_QUIC_QUIC_CONTEXT_H_
diff --git a/chromium/net/quic/quic_end_to_end_unittest.cc b/chromium/net/quic/quic_end_to_end_unittest.cc
index 2508f027d97..bb2c3e07be7 100644
--- a/chromium/net/quic/quic_end_to_end_unittest.cc
+++ b/chromium/net/quic/quic_end_to_end_unittest.cc
@@ -30,6 +30,7 @@
 #include "net/http/transport_security_state.h"
 #include "net/log/net_log_with_source.h"
 #include "net/proxy_resolution/proxy_resolution_service.h"
+#include "net/quic/quic_context.h"
 #include "net/ssl/ssl_config_service_defaults.h"
 #include "net/test/cert_test_util.h"
 #include "net/test/gtest_util.h"
@@ -100,7 +101,7 @@ class QuicEndToEndTest : public ::testing::Test, public WithTaskEnvironment {
 
     session_params_.enable_quic = true;
 
-    session_context_.quic_random = nullptr;
+    session_context_.quic_context = &quic_context_;
     session_context_.host_resolver = &host_resolver_;
     session_context_.cert_verifier = &cert_verifier_;
     session_context_.transport_security_state = &transport_security_state_;
@@ -140,7 +141,7 @@ class QuicEndToEndTest : public ::testing::Test, public WithTaskEnvironment {
 
     // To simplify the test, and avoid the race with the HTTP request, we force
     // QUIC for these requests.
-    session_params_.quic_params.origins_to_force_quic_on.insert(
+    quic_context_.params()->origins_to_force_quic_on.insert(
         HostPortPair::FromString("test.example.com:443"));
 
     transaction_factory_.reset(
@@ -211,6 +212,7 @@ class QuicEndToEndTest : public ::testing::Test, public WithTaskEnvironment {
     EXPECT_EQ(body, consumer.content());
   }
 
+  QuicContext quic_context_;
   std::unique_ptr<MockHostResolver> host_resolver_impl_;
   MappedHostResolver host_resolver_;
   MockCertVerifier cert_verifier_;
diff --git a/chromium/net/quic/quic_flags_list.h b/chromium/net/quic/quic_flags_list.h
index e1e79932a19..56b4c681c29 100644
--- a/chromium/net/quic/quic_flags_list.h
+++ b/chromium/net/quic/quic_flags_list.h
@@ -120,7 +120,7 @@ QUIC_FLAG(bool, FLAGS_quic_reloadable_flag_quic_bbr_one_mss_conservation, false)
 
 // Enables the BBQ5 connection option, which forces saved aggregation values to
 // expire when the bandwidth increases more than 25% in QUIC BBR STARTUP.
-QUIC_FLAG(bool, FLAGS_quic_reloadable_flag_quic_bbr_slower_startup4, false)
+QUIC_FLAG(bool, FLAGS_quic_reloadable_flag_quic_bbr_slower_startup4, true)
 
 // When true and the BBR9 connection option is present, BBR only considers
 // bandwidth samples app-limited if they're not filling the pipe.
@@ -130,7 +130,7 @@ QUIC_FLAG(bool, FLAGS_quic_reloadable_flag_quic_bbr_flexible_app_limited, false)
 // will cause the sequencer to discard future data.
 QUIC_FLAG(bool,
           FLAGS_quic_reloadable_flag_quic_stop_reading_when_level_triggered,
-          false)
+          true)
 
 // When the STMP connection option is sent by the client, timestamps in the QUIC
 // ACK frame are sent and processed.
@@ -156,15 +156,6 @@ QUIC_FLAG(bool,
           FLAGS_quic_reloadable_flag_quic_bbr_startup_rate_reduction,
           false)
 
-// If true, enable QUIC version 47.
-QUIC_FLAG(bool, FLAGS_quic_reloadable_flag_quic_enable_version_47, false)
-
-// If true, enable QUIC version 48.
-QUIC_FLAG(bool, FLAGS_quic_reloadable_flag_quic_enable_version_48_2, true)
-
-// If true, disable QUIC version 39.
-QUIC_FLAG(bool, FLAGS_quic_reloadable_flag_quic_disable_version_39, true)
-
 // If true and using Leto for QUIC shared-key calculations, GFE will react to a
 // failure to contact Leto by sending a REJ containing a fallback ServerConfig,
 // allowing the client to continue the handshake.
@@ -173,9 +164,6 @@ QUIC_FLAG(
     FLAGS_quic_reloadable_flag_send_quic_fallback_server_config_on_leto_error,
     false)
 
-// If true, enable QUIC version 49.
-QUIC_FLAG(bool, FLAGS_quic_reloadable_flag_quic_enable_version_49, true)
-
 // If true, GFE will not request private keys when fetching QUIC ServerConfigs
 // from Leto.
 QUIC_FLAG(bool,
@@ -199,27 +187,9 @@ QUIC_FLAG(bool,
           FLAGS_quic_reloadable_flag_quic_conservative_cwnd_and_pacing_gains,
           false)
 
-// When true, QUIC Version Negotiation packets will randomly include fake
-// versions.
-QUIC_FLAG(bool,
-          FLAGS_quic_reloadable_flag_quic_version_negotiation_grease,
-          true)
-
 // If true, use predictable version negotiation versions.
 QUIC_FLAG(bool, FLAGS_quic_disable_version_negotiation_grease_randomness, false)
 
-// If true, do not add connection ID of packets with unknown connection ID
-// and no version to time wait list, instead, send appropriate responses
-// depending on the packets' sizes and drop them.
-QUIC_FLAG(
-    bool,
-    FLAGS_quic_reloadable_flag_quic_reject_unprocessable_packets_statelessly,
-    false)
-
-// If true, when RTO fires and there is no packet to be RTOed, let connection
-// send.
-QUIC_FLAG(bool, FLAGS_quic_reloadable_flag_quic_fix_rto_retransmission3, true)
-
 // Maximum number of tracked packets.
 QUIC_FLAG(int64_t, FLAGS_quic_max_tracked_packet_count, 10000)
 
@@ -227,9 +197,6 @@ QUIC_FLAG(int64_t, FLAGS_quic_max_tracked_packet_count, 10000)
 // descendents) will be automatically converted to lower case.
 QUIC_FLAG(bool, FLAGS_quic_client_convert_http_header_name_to_lowercase, true)
 
-// If true, do not send STOP_WAITING if no_stop_waiting_frame_.
-QUIC_FLAG(bool, FLAGS_quic_reloadable_flag_quic_simplify_stop_waiting, false)
-
 // If true, allow client to enable BBRv2 on server via connection option 'B2ON'.
 QUIC_FLAG(bool,
           FLAGS_quic_reloadable_flag_quic_allow_client_enabled_bbr_v2,
@@ -242,31 +209,12 @@ QUIC_FLAG(bool, FLAGS_quic_reloadable_flag_quic_negotiate_ack_delay_time, false)
 // length-prefixed connection IDs.
 QUIC_FLAG(bool, FLAGS_quic_prober_uses_length_prefixed_connection_ids, false)
 
-// When true, QuicFramer allows parsing failures of source connection ID for
-// the PROX version.
-QUIC_FLAG(bool,
-          FLAGS_quic_reloadable_flag_quic_parse_prox_source_connection_id,
-          true)
-
 // If true and H2PR connection option is received, write_blocked_streams_ uses
 // HTTP2 (tree-style) priority write scheduler.
 QUIC_FLAG(bool,
           FLAGS_quic_reloadable_flag_quic_use_http2_priority_write_scheduler,
           true)
 
-// If true, close connection if there are too many (> 1000) buffered control
-// frames.
-QUIC_FLAG(
-    bool,
-    FLAGS_quic_reloadable_flag_quic_add_upper_limit_of_buffered_control_frames3,
-    true)
-
-// If true, static streams should never be closed before QuicSession
-// destruction.
-QUIC_FLAG(bool,
-          FLAGS_quic_reloadable_flag_quic_active_streams_never_negative,
-          true)
-
 // If true and FIFO connection option is received, write_blocked_streams uses
 // FIFO(stream with smallest ID has highest priority) write scheduler.
 QUIC_FLAG(bool,
@@ -279,68 +227,16 @@ QUIC_FLAG(bool,
           FLAGS_quic_reloadable_flag_quic_enable_lifo_write_scheduler,
           true)
 
-// When true, remove obsolete functionality intended to test IETF QUIC recovery.
-QUIC_FLAG(bool,
-          FLAGS_quic_reloadable_flag_quic_sent_packet_manager_cleanup,
-          true)
-
-// If true, QuicSession::ShouldKeepConnectionAlive() will not consider locally
-// closed streams whose highest byte offset is not received yet.
-QUIC_FLAG(bool,
-          FLAGS_quic_reloadable_flag_quic_aggressive_connection_aliveness,
-          true)
-
-// If true, QuicStreamSequencer will not take in new data if the stream is
-// reset.
-QUIC_FLAG(bool,
-          FLAGS_quic_reloadable_flag_quic_no_stream_data_after_reset,
-          false)
-
 // If true, enable IETF style probe timeout.
 QUIC_FLAG(bool, FLAGS_quic_reloadable_flag_quic_enable_pto, true)
 
-// When true, QuicFramer will use QueueUndecryptablePacket on all QUIC versions.
-QUIC_FLAG(bool,
-          FLAGS_quic_restart_flag_quic_framer_uses_undecryptable_upcall,
-          true)
-
-// When true, QuicUtils::GenerateStatelessResetToken will hash connection IDs
-// instead of XORing the bytes
-QUIC_FLAG(bool,
-          FLAGS_quic_restart_flag_quic_use_hashed_stateless_reset_tokens,
-          true)
-
-// This flag enables a temporary workaround which makes us reply to a specific
-// invalid packet that is sent by an Android UDP network conformance test.
-QUIC_FLAG(bool,
-          FLAGS_quic_reloadable_flag_quic_reply_to_old_android_conformance_test,
-          true)
-
-// If true, no SPDY SETTINGS will be sent after handshake is confirmed.
-QUIC_FLAG(bool, FLAGS_quic_reloadable_flag_quic_do_not_send_settings, true)
-
 // The maximum amount of CRYPTO frame data that can be buffered.
 QUIC_FLAG(int32_t, FLAGS_quic_max_buffered_crypto_bytes, 16 * 1024)
 
-// If true, use the saved time of the last sent inflight packet rather than
-// traversing the deque.
-QUIC_FLAG(bool, FLAGS_quic_reloadable_flag_quic_simple_inflight_time, true)
-
 // If true, QUIC supports both QUIC Crypto and TLS 1.3 for the handshake
 // protocol.
 QUIC_FLAG(bool, FLAGS_quic_reloadable_flag_quic_supports_tls_handshake, true)
 
-// If true, deprecate SpuriousRetransmitDetected and call SpuriousLossDetected
-// instead.
-QUIC_FLAG(bool, FLAGS_quic_reloadable_flag_quic_detect_spurious_loss, true)
-
-// If true, a stream will reset itself if it receives a stream frame that
-// includes a data beyond the close offset.
-QUIC_FLAG(
-    bool,
-    FLAGS_quic_reloadable_flag_quic_rst_if_stream_frame_beyond_close_offset,
-    true)
-
 // If true, enable IETF loss detection as described in
 // https://tools.ietf.org/html/draft-ietf-quic-recovery-22#section-6.1.
 QUIC_FLAG(bool,
@@ -354,42 +250,132 @@ QUIC_FLAG(bool,
 // If true, enable HTTP/2 default scheduling(round robin).
 QUIC_FLAG(bool, FLAGS_quic_reloadable_flag_quic_enable_rr_write_scheduler, true)
 
-// If true, when timer fires in RTO or PTO mode, make sure there is enough
-// credits to retransmit one packet.
-QUIC_FLAG(bool, FLAGS_quic_reloadable_flag_quic_grant_enough_credits, false)
+// Call NeuterHandshakePackets() at most once per connection.
+QUIC_FLAG(bool,
+          FLAGS_quic_reloadable_flag_quic_neuter_handshake_packets_once2,
+          true)
+
+// If true, support HTTP/3 priority in v99.
+QUIC_FLAG(bool, FLAGS_quic_allow_http3_priority, false)
 
-// If true, combine QuicPacketGenerator and QuicPacketCreator.
+// If true, enable QUIC version 50.
+QUIC_FLAG(bool, FLAGS_quic_reloadable_flag_quic_enable_version_50, true)
+
+// If the bandwidth during ack aggregation is smaller than (estimated
+// bandwidth * this flag), consider the current aggregation completed
+// and starts a new one.
+QUIC_FLAG(double, FLAGS_quic_ack_aggregation_bandwidth_threshold, 1.0)
+
+// If set to non-zero, the maximum number of consecutive pings that can be sent
+// with aggressive initial retransmittable on wire timeout if there is no new
+// data received. After which, the timeout will be exponentially back off until
+// exceeds the default ping timeout.
+QUIC_FLAG(int32_t,
+          FLAGS_quic_max_aggressive_retransmittable_on_wire_ping_count,
+          0)
+
+// If true, Adjacent stream frames will be combined into one stream frame before
+// the packet is serialized.
+QUIC_FLAG(bool, FLAGS_quic_restart_flag_quic_coalesce_stream_frames_2, false)
+
+// If true, connection will be closed if a stream receives stream frame or
+// RESET_STREAM frame with bad close offset.
 QUIC_FLAG(bool,
-          FLAGS_quic_reloadable_flag_quic_combine_generator_and_creator,
+          FLAGS_quic_reloadable_flag_quic_close_connection_on_wrong_offset,
           true)
 
-// If true, QuicFramer does not create an encrypter/decrypter for the
-// ENCRYPTION_INITIAL level.
+// If true, re-calculate pacing rate when cwnd gets bootstrapped.
+QUIC_FLAG(bool, FLAGS_quic_reloadable_flag_quic_bbr_fix_pacing_rate, true)
+
+// The maximum congestion window in packets.
+QUIC_FLAG(int32_t, FLAGS_quic_max_congestion_window, 2000)
+
+// If true, QuicCryptoStream::OnCryptoFrame() will never use the frame's
+// encryption level.
+QUIC_FLAG(bool,
+          FLAGS_quic_reloadable_flag_quic_use_connection_encryption_level,
+          true)
+
+// If true, do not inject bandwidth in BbrSender::AdjustNetworkParameters.
+QUIC_FLAG(bool,
+          FLAGS_quic_reloadable_flag_quic_bbr_donot_inject_bandwidth,
+          true)
+
+// If true, close connection if CreateAndSerializeStreamFrame fails.
 QUIC_FLAG(
     bool,
-    FLAGS_quic_reloadable_flag_quic_framer_doesnt_create_initial_encrypter,
+    FLAGS_quic_reloadable_flag_quic_close_connection_on_failed_consume_data_fast_path,
     true)
 
-// If true, server drops client initial packets in datagrams < 1200 bytes.
+// If true, add a up call when N packet numbers get skipped.
 QUIC_FLAG(bool,
-          FLAGS_quic_reloadable_flag_quic_donot_process_small_initial_packets,
-          true)
+          FLAGS_quic_reloadable_flag_quic_on_packet_numbers_skipped,
+          false)
+
+// The default minimum duration for BBRv2-native probes, in milliseconds.
+QUIC_FLAG(int32_t, FLAGS_quic_bbr2_default_probe_bw_base_duration_ms, 2000)
+
+// The default upper bound of the random amount of BBRv2-native
+// probes, in milliseconds.
+QUIC_FLAG(int32_t, FLAGS_quic_bbr2_default_probe_bw_max_rand_duration_ms, 1000)
 
-// If true, treat queued QUIC packets as sent.
+// The default period for entering PROBE_RTT, in milliseconds.
+QUIC_FLAG(int32_t, FLAGS_quic_bbr2_default_probe_rtt_period_ms, 10000)
+
+// The default loss threshold for QUIC BBRv2, should be a value
+// between 0 and 1.
+QUIC_FLAG(double, FLAGS_quic_bbr2_default_loss_threshold, 0.3)
+
+// The default minimum number of loss marking events to exit STARTUP.
+QUIC_FLAG(int32_t, FLAGS_quic_bbr2_default_startup_full_loss_count, 8)
+
+// The default fraction of unutilized headroom to try to leave in path
+// upon high loss.
+QUIC_FLAG(double, FLAGS_quic_bbr2_default_inflight_hi_headroom, 0.01)
+
+// If true, when a stream receives data with wrong close offset, it closes the
+// connection. And the stream frame data will be discarded.
+QUIC_FLAG(
+    bool,
+    FLAGS_quic_reloadable_flag_quic_close_connection_and_discard_data_on_wrong_offset,
+    false)
+
+// If true, log number of ack aggregation epochs in QUIC transport connection
+// stats.
 QUIC_FLAG(bool,
-          FLAGS_quic_reloadable_flag_quic_treat_queued_packets_as_sent,
+          FLAGS_quic_reloadable_flag_quic_log_ack_aggregation_stats,
           false)
 
-// Call NeuterHandshakePackets() at most once per connection.
+// If true, for server QUIC connections, set version_negotiated_ to true by
+// default.
+QUIC_FLAG(
+    bool,
+    FLAGS_quic_reloadable_flag_quic_version_negotiated_by_default_at_server,
+    false)
+
+// If true, QuicSession::SendRstStreamInner will be factored out and deleted.
 QUIC_FLAG(bool,
-          FLAGS_quic_reloadable_flag_quic_neuter_handshake_packets_once,
+          FLAGS_quic_reloadable_flag_quic_delete_send_rst_stream_inner,
           false)
 
-// If true, support HTTP/3 priority in v99.
-QUIC_FLAG(bool, FLAGS_quic_allow_http3_priority, false)
+// If true, QUIC crypto handshaker uses handshaker delegate to notify session
+// about handshake events.
+QUIC_FLAG(bool, FLAGS_quic_reloadable_flag_quic_use_handshaker_delegate, false)
 
-// If true, enable QUIC version 50.
-QUIC_FLAG(bool, FLAGS_quic_reloadable_flag_quic_enable_version_50, false)
+// If true, for QUIC BBRv2 flows, exit PROBE_BW_DOWN phase after one round trip
+// time.
+QUIC_FLAG(bool,
+          FLAGS_quic_reloadable_flag_quic_bbr2_exit_probe_bw_down_after_one_rtt,
+          false)
 
-// If true, enable QUIC MTU discovery version 2.
-QUIC_FLAG(bool, FLAGS_quic_reloadable_flag_quic_mtu_discovery_v2, false)
+// If true, QUIC connection close packet will be sent at all available
+// encryption levels.
+QUIC_FLAG(bool,
+          FLAGS_quic_reloadable_flag_quic_close_all_encryptions_levels2,
+          false)
+
+// If true, then a MAX_PUSH_ID frame will be send when the initial SETTINGS
+// frame is sent in HTTP/3.
+QUIC_FLAG(bool,
+          FLAGS_quic_reloadable_flag_quic_send_max_push_id_with_settings,
+          true)
diff --git a/chromium/net/quic/quic_http_stream.cc b/chromium/net/quic/quic_http_stream.cc
index af8df9d007f..9cd9173df6c 100644
--- a/chromium/net/quic/quic_http_stream.cc
+++ b/chromium/net/quic/quic_http_stream.cc
@@ -85,26 +85,30 @@ QuicHttpStream::~QuicHttpStream() {
 }
 
 HttpResponseInfo::ConnectionInfo QuicHttpStream::ConnectionInfoFromQuicVersion(
-    quic::QuicTransportVersion quic_version) {
-  switch (quic_version) {
+    quic::ParsedQuicVersion quic_version) {
+  switch (quic_version.transport_version) {
     case quic::QUIC_VERSION_UNSUPPORTED:
       return HttpResponseInfo::CONNECTION_INFO_QUIC_UNKNOWN_VERSION;
-    case quic::QUIC_VERSION_39:
-      return HttpResponseInfo::CONNECTION_INFO_QUIC_39;
     case quic::QUIC_VERSION_43:
       return HttpResponseInfo::CONNECTION_INFO_QUIC_43;
     case quic::QUIC_VERSION_46:
       return HttpResponseInfo::CONNECTION_INFO_QUIC_46;
-    case quic::QUIC_VERSION_47:
-      return HttpResponseInfo::CONNECTION_INFO_QUIC_47;
     case quic::QUIC_VERSION_48:
-      return HttpResponseInfo::CONNECTION_INFO_QUIC_48;
+      return quic_version.handshake_protocol == quic::PROTOCOL_TLS1_3
+                 ? HttpResponseInfo::CONNECTION_INFO_QUIC_T048
+                 : HttpResponseInfo::CONNECTION_INFO_QUIC_Q048;
     case quic::QUIC_VERSION_49:
-      return HttpResponseInfo::CONNECTION_INFO_QUIC_49;
+      return quic_version.handshake_protocol == quic::PROTOCOL_TLS1_3
+                 ? HttpResponseInfo::CONNECTION_INFO_QUIC_T049
+                 : HttpResponseInfo::CONNECTION_INFO_QUIC_Q049;
     case quic::QUIC_VERSION_50:
-      return HttpResponseInfo::CONNECTION_INFO_QUIC_50;
+      return quic_version.handshake_protocol == quic::PROTOCOL_TLS1_3
+                 ? HttpResponseInfo::CONNECTION_INFO_QUIC_T050
+                 : HttpResponseInfo::CONNECTION_INFO_QUIC_Q050;
     case quic::QUIC_VERSION_99:
-      return HttpResponseInfo::CONNECTION_INFO_QUIC_99;
+      return quic_version.handshake_protocol == quic::PROTOCOL_TLS1_3
+                 ? HttpResponseInfo::CONNECTION_INFO_QUIC_T099
+                 : HttpResponseInfo::CONNECTION_INFO_QUIC_Q099;
     case quic::QUIC_VERSION_RESERVED_FOR_NEGOTIATION:
       return HttpResponseInfo::CONNECTION_INFO_QUIC_999;
   }
@@ -352,7 +356,7 @@ int64_t QuicHttpStream::GetTotalReceivedBytes() const {
   // When QPACK is enabled, headers are sent and received on the stream, so
   // the headers bytes do not need to be accounted for independently.
   int64_t total_received_bytes =
-      quic::VersionUsesHttp3(quic_session()->GetQuicVersion())
+      quic::VersionUsesHttp3(quic_session()->GetQuicVersion().transport_version)
           ? 0
           : headers_bytes_received_;
   if (stream_) {
@@ -369,7 +373,7 @@ int64_t QuicHttpStream::GetTotalSentBytes() const {
   // When QPACK is enabled, headers are sent and received on the stream, so
   // the headers bytes do not need to be accounted for independently.
   int64_t total_sent_bytes =
-      quic::VersionUsesHttp3(quic_session()->GetQuicVersion())
+      quic::VersionUsesHttp3(quic_session()->GetQuicVersion().transport_version)
           ? 0
           : headers_bytes_sent_;
   if (stream_) {
diff --git a/chromium/net/quic/quic_http_stream.h b/chromium/net/quic/quic_http_stream.h
index 0440c765387..5f56553d0c3 100644
--- a/chromium/net/quic/quic_http_stream.h
+++ b/chromium/net/quic/quic_http_stream.h
@@ -68,7 +68,7 @@ class NET_EXPORT_PRIVATE QuicHttpStream : public MultiplexedHttpStream {
   void SetPriority(RequestPriority priority) override;
 
   static HttpResponseInfo::ConnectionInfo ConnectionInfoFromQuicVersion(
-      quic::QuicTransportVersion quic_version);
+      quic::ParsedQuicVersion quic_version);
 
  private:
   friend class test::QuicHttpStreamPeer;
diff --git a/chromium/net/quic/quic_http_stream_test.cc b/chromium/net/quic/quic_http_stream_test.cc
index 8b2949fe996..1a058f95410 100644
--- a/chromium/net/quic/quic_http_stream_test.cc
+++ b/chromium/net/quic/quic_http_stream_test.cc
@@ -656,9 +656,9 @@ class QuicHttpStreamTest : public ::testing::TestWithParam<TestParams>,
     if (version_.transport_version != quic::QUIC_VERSION_99) {
       return "";
     }
-    quic::HttpEncoder encoder;
     std::unique_ptr<char[]> buffer;
-    auto header_length = encoder.SerializeDataFrameHeader(body_len, &buffer);
+    auto header_length =
+        quic::HttpEncoder::SerializeDataFrameHeader(body_len, &buffer);
     return std::string(buffer.get(), header_length);
   }
 
@@ -698,7 +698,7 @@ class QuicHttpStreamTest : public ::testing::TestWithParam<TestParams>,
   const quic::ParsedQuicVersion version_;
   const bool client_headers_include_h2_stream_dependency_;
 
-  BoundTestNetLog net_log_;
+  RecordingBoundTestNetLog net_log_;
   quic::test::MockSendAlgorithm* send_algorithm_;
   scoped_refptr<TestTaskRunner> runner_;
   std::unique_ptr<MockWrite[]> mock_writes_;
diff --git a/chromium/net/quic/quic_http_utils.cc b/chromium/net/quic/quic_http_utils.cc
index 26cda909009..548be79a942 100644
--- a/chromium/net/quic/quic_http_utils.cc
+++ b/chromium/net/quic/quic_http_utils.cc
@@ -8,7 +8,6 @@
 
 #include "base/metrics/histogram_macros.h"
 #include "net/spdy/spdy_log_util.h"
-#include "net/third_party/quiche/src/quic/platform/api/quic_endian.h"
 
 namespace net {
 
diff --git a/chromium/net/quic/quic_http_utils_test.cc b/chromium/net/quic/quic_http_utils_test.cc
index a901cb5b1be..d1609675277 100644
--- a/chromium/net/quic/quic_http_utils_test.cc
+++ b/chromium/net/quic/quic_http_utils_test.cc
@@ -8,7 +8,6 @@
 
 #include <limits>
 
-#include "net/third_party/quiche/src/quic/platform/api/quic_endian.h"
 #include "net/third_party/quiche/src/spdy/core/spdy_alt_svc_wire_format.h"
 #include "testing/gtest/include/gtest/gtest.h"
 
@@ -41,19 +40,25 @@ TEST(QuicHttpUtilsTest, ConvertQuicPriorityToRequestPriority) {
 }
 
 TEST(QuicHttpUtilsTest, FilterSupportedAltSvcVersions) {
+  // Supported versions are versions A and C, the alt service
+  // versions are versions B and C. FilterSupportedAltSvcVersions
+  // finds the intersection of the two sets ... version C.  Note that
+  // as QUIC versions are defined/undefined, the exact version numbers
+  // used may need to change.  The actual version numbers are not
+  // important.
   quic::ParsedQuicVersionVector supported_versions = {
-      ParsedQuicVersion(PROTOCOL_QUIC_CRYPTO, quic::QUIC_VERSION_46),
-      ParsedQuicVersion(PROTOCOL_QUIC_CRYPTO, quic::QUIC_VERSION_39),
+      ParsedQuicVersion(PROTOCOL_QUIC_CRYPTO, quic::QUIC_VERSION_48),
+      ParsedQuicVersion(PROTOCOL_QUIC_CRYPTO, quic::QUIC_VERSION_43),
   };
 
-  std::vector<uint32_t> alt_svc_versions_google = {quic::QUIC_VERSION_46,
-                                                   quic::QUIC_VERSION_43};
+  std::vector<uint32_t> alt_svc_versions_google = {quic::QUIC_VERSION_48,
+                                                   quic::QUIC_VERSION_46};
   std::vector<uint32_t> alt_svc_versions_ietf = {
-      QuicVersionToQuicVersionLabel(quic::QUIC_VERSION_46),
-      QuicVersionToQuicVersionLabel(quic::QUIC_VERSION_43)};
+      QuicVersionToQuicVersionLabel(quic::QUIC_VERSION_48),
+      QuicVersionToQuicVersionLabel(quic::QUIC_VERSION_46)};
 
   quic::ParsedQuicVersionVector supported_alt_svc_versions = {
-      ParsedQuicVersion(PROTOCOL_QUIC_CRYPTO, quic::QUIC_VERSION_46)};
+      ParsedQuicVersion(PROTOCOL_QUIC_CRYPTO, quic::QUIC_VERSION_48)};
   spdy::SpdyAltSvcWireFormat::AlternativeService altsvc;
 
   altsvc.protocol_id = "quic";
diff --git a/chromium/net/quic/quic_network_transaction_unittest.cc b/chromium/net/quic/quic_network_transaction_unittest.cc
index ffda8beb265..1057deefb16 100644
--- a/chromium/net/quic/quic_network_transaction_unittest.cc
+++ b/chromium/net/quic/quic_network_transaction_unittest.cc
@@ -47,6 +47,7 @@
 #include "net/proxy_resolution/proxy_resolver.h"
 #include "net/quic/crypto/proof_verifier_chromium.h"
 #include "net/quic/mock_crypto_client_stream_factory.h"
+#include "net/quic/mock_quic_context.h"
 #include "net/quic/mock_quic_data.h"
 #include "net/quic/quic_chromium_alarm_factory.h"
 #include "net/quic/quic_http_stream.h"
@@ -174,11 +175,8 @@ std::vector<TestParams> GetTestParams() {
   quic::ParsedQuicVersionVector all_supported_versions =
       quic::AllSupportedVersions();
   for (const quic::ParsedQuicVersion version : all_supported_versions) {
-    // TODO(rch): crbug.com/978745 - Make this work with TLS
-    if (version.handshake_protocol != quic::PROTOCOL_TLS1_3) {
-      params.push_back(TestParams{version, false});
-      params.push_back(TestParams{version, true});
-    }
+    params.push_back(TestParams{version, false});
+    params.push_back(TestParams{version, true});
   }
   return params;
 }
@@ -188,15 +186,12 @@ std::vector<PoolingTestParams> GetPoolingTestParams() {
   quic::ParsedQuicVersionVector all_supported_versions =
       quic::AllSupportedVersions();
   for (const quic::ParsedQuicVersion version : all_supported_versions) {
-    // TODO(rch): crbug.com/978745 - Make this work with TLS
-    if (version.handshake_protocol != quic::PROTOCOL_TLS1_3) {
-      params.push_back(PoolingTestParams{version, SAME_AS_FIRST, false});
-      params.push_back(PoolingTestParams{version, SAME_AS_FIRST, true});
-      params.push_back(PoolingTestParams{version, SAME_AS_SECOND, false});
-      params.push_back(PoolingTestParams{version, SAME_AS_SECOND, true});
-      params.push_back(PoolingTestParams{version, DIFFERENT, false});
-      params.push_back(PoolingTestParams{version, DIFFERENT, true});
-    }
+    params.push_back(PoolingTestParams{version, SAME_AS_FIRST, false});
+    params.push_back(PoolingTestParams{version, SAME_AS_FIRST, true});
+    params.push_back(PoolingTestParams{version, SAME_AS_SECOND, false});
+    params.push_back(PoolingTestParams{version, SAME_AS_SECOND, true});
+    params.push_back(PoolingTestParams{version, DIFFERENT, false});
+    params.push_back(PoolingTestParams{version, DIFFERENT, true});
   }
   return params;
 }
@@ -295,22 +290,21 @@ class QuicNetworkTransactionTest
         client_headers_include_h2_stream_dependency_(
             GetParam().client_headers_include_h2_stream_dependency),
         supported_versions_(quic::test::SupportedVersions(version_)),
-        random_generator_(0),
-        client_maker_(
-            version_,
-            quic::QuicUtils::CreateRandomConnectionId(&random_generator_),
-            &clock_,
-            kDefaultServerHostName,
-            quic::Perspective::IS_CLIENT,
-            client_headers_include_h2_stream_dependency_),
-        server_maker_(
-            version_,
-            quic::QuicUtils::CreateRandomConnectionId(&random_generator_),
-            &clock_,
-            kDefaultServerHostName,
-            quic::Perspective::IS_SERVER,
-            false),
-        quic_task_runner_(new TestTaskRunner(&clock_)),
+        client_maker_(version_,
+                      quic::QuicUtils::CreateRandomConnectionId(
+                          context_.random_generator()),
+                      context_.clock(),
+                      kDefaultServerHostName,
+                      quic::Perspective::IS_CLIENT,
+                      client_headers_include_h2_stream_dependency_),
+        server_maker_(version_,
+                      quic::QuicUtils::CreateRandomConnectionId(
+                          context_.random_generator()),
+                      context_.clock(),
+                      kDefaultServerHostName,
+                      quic::Perspective::IS_SERVER,
+                      false),
+        quic_task_runner_(new TestTaskRunner(context_.mock_clock())),
         cert_transparency_verifier_(new MultiLogCTVerifier()),
         ssl_config_service_(new SSLConfigServiceDefaults),
         proxy_resolution_service_(ProxyResolutionService::CreateDirect()),
@@ -324,7 +318,7 @@ class QuicNetworkTransactionTest
     request_.load_flags = 0;
     request_.traffic_annotation =
         net::MutableNetworkTrafficAnnotationTag(TRAFFIC_ANNOTATION_FOR_TESTS);
-    clock_.AdvanceTime(quic::QuicTime::Delta::FromMilliseconds(20));
+    context_.AdvanceTime(quic::QuicTime::Delta::FromMilliseconds(20));
 
     scoped_refptr<X509Certificate> cert(
         ImportCertFromFile(GetTestCertsDirectory(), "wildcard.pem"));
@@ -664,21 +658,19 @@ class QuicNetworkTransactionTest
     if (version_.transport_version != quic::QUIC_VERSION_99) {
       return "";
     }
-    quic::HttpEncoder encoder;
     std::unique_ptr<char[]> buffer;
-    auto header_length = encoder.SerializeDataFrameHeader(body_len, &buffer);
+    auto header_length =
+        quic::HttpEncoder::SerializeDataFrameHeader(body_len, &buffer);
     return std::string(buffer.get(), header_length);
   }
 
   void CreateSession(const quic::ParsedQuicVersionVector& supported_versions) {
     session_params_.enable_quic = true;
-    session_params_.quic_params.supported_versions = supported_versions;
-    session_params_.quic_params.max_allowed_push_id = quic::kMaxQuicStreamId;
-    session_params_.quic_params.headers_include_h2_stream_dependency =
+    context_.params()->supported_versions = supported_versions;
+    context_.params()->headers_include_h2_stream_dependency =
         client_headers_include_h2_stream_dependency_;
 
-    session_context_.quic_clock = &clock_;
-    session_context_.quic_random = &random_generator_;
+    session_context_.quic_context = &context_;
     session_context_.client_socket_factory = &socket_factory_;
     session_context_.quic_crypto_client_stream_factory =
         &crypto_client_stream_factory_;
@@ -705,18 +697,22 @@ class QuicNetworkTransactionTest
 
   void CreateSession() { return CreateSession(supported_versions_); }
 
-  void CheckWasQuicResponse(HttpNetworkTransaction* trans) {
+  void CheckWasQuicResponse(HttpNetworkTransaction* trans,
+                            const std::string& status_line) {
     const HttpResponseInfo* response = trans->GetResponseInfo();
     ASSERT_TRUE(response != nullptr);
     ASSERT_TRUE(response->headers.get() != nullptr);
-    EXPECT_EQ("HTTP/1.1 200 OK", response->headers->GetStatusLine());
+    EXPECT_EQ(status_line, response->headers->GetStatusLine());
     EXPECT_TRUE(response->was_fetched_via_spdy);
     EXPECT_TRUE(response->was_alpn_negotiated);
-    EXPECT_EQ(QuicHttpStream::ConnectionInfoFromQuicVersion(
-                  version_.transport_version),
+    EXPECT_EQ(QuicHttpStream::ConnectionInfoFromQuicVersion(version_),
               response->connection_info);
   }
 
+  void CheckWasQuicResponse(HttpNetworkTransaction* trans) {
+    CheckWasQuicResponse(trans, "HTTP/1.1 200 OK");
+  }
+
   void CheckResponsePort(HttpNetworkTransaction* trans, uint16_t port) {
     const HttpResponseInfo* response = trans->GetResponseInfo();
     ASSERT_TRUE(response != nullptr);
@@ -785,6 +781,11 @@ class QuicNetworkTransactionTest
       EXPECT_TRUE(trans.GetResponseInfo()->proxy_server.is_direct());
     }
   }
+  void SendRequestAndExpectQuicResponse(const std::string& expected,
+                                        const std::string& status_line) {
+    SendRequestAndExpectQuicResponseMaybeFromProxy(expected, false, 443,
+                                                   status_line);
+  }
 
   void SendRequestAndExpectQuicResponse(const std::string& expected) {
     SendRequestAndExpectQuicResponseMaybeFromProxy(expected, false, 443);
@@ -862,10 +863,9 @@ class QuicNetworkTransactionTest
   }
 
   void SetUpTestForRetryConnectionOnAlternateNetwork() {
-    session_params_.quic_params.migrate_sessions_on_network_change_v2 = true;
-    session_params_.quic_params.migrate_sessions_early_v2 = true;
-    session_params_.quic_params.retry_on_alternate_network_before_handshake =
-        true;
+    context_.params()->migrate_sessions_on_network_change_v2 = true;
+    context_.params()->migrate_sessions_early_v2 = true;
+    context_.params()->retry_on_alternate_network_before_handshake = true;
     scoped_mock_change_notifier_.reset(new ScopedMockNetworkChangeNotifier());
     MockNetworkChangeNotifier* mock_ncn =
         scoped_mock_change_notifier_->mock_network_change_notifier();
@@ -962,12 +962,15 @@ class QuicNetworkTransactionTest
   // expecting it to be used. The new QUIC session is not closed.
   void AddQuicDataAndRunRequest() {
     QuicTestPacketMaker client_maker(
-        version_, quic::QuicUtils::CreateRandomConnectionId(&random_generator_),
-        &clock_, kDefaultServerHostName, quic::Perspective::IS_CLIENT,
+        version_,
+        quic::QuicUtils::CreateRandomConnectionId(context_.random_generator()),
+        context_.clock(), kDefaultServerHostName, quic::Perspective::IS_CLIENT,
         client_headers_include_h2_stream_dependency_);
     QuicTestPacketMaker server_maker(
-        version_, quic::QuicUtils::CreateRandomConnectionId(&random_generator_),
-        &clock_, kDefaultServerHostName, quic::Perspective::IS_SERVER, false);
+        version_,
+        quic::QuicUtils::CreateRandomConnectionId(context_.random_generator()),
+        context_.clock(), kDefaultServerHostName, quic::Perspective::IS_SERVER,
+        false);
     MockQuicData quic_data(version_);
     int packet_number = 1;
     client_maker.SetEncryptionLevel(quic::ENCRYPTION_ZERO_RTT);
@@ -1021,8 +1024,7 @@ class QuicNetworkTransactionTest
   const bool client_headers_include_h2_stream_dependency_;
   quic::ParsedQuicVersionVector supported_versions_;
   QuicFlagSaver flags_;  // Save/restore all QUIC flag values.
-  quic::MockClock clock_;
-  quic::test::MockRandom random_generator_;
+  MockQuicContext context_;
   QuicTestPacketMaker client_maker_;
   QuicTestPacketMaker server_maker_;
   scoped_refptr<TestTaskRunner> quic_task_runner_;
@@ -1043,7 +1045,7 @@ class QuicNetworkTransactionTest
   HttpNetworkSession::Params session_params_;
   HttpNetworkSession::Context session_context_;
   HttpRequestInfo request_;
-  BoundTestNetLog net_log_;
+  RecordingBoundTestNetLog net_log_;
   std::vector<std::unique_ptr<StaticSocketDataProvider>> hanging_data_;
   SSLSocketDataProvider ssl_data_;
   std::unique_ptr<ScopedMockNetworkChangeNotifier> scoped_mock_change_notifier_;
@@ -1052,14 +1054,15 @@ class QuicNetworkTransactionTest
   void SendRequestAndExpectQuicResponseMaybeFromProxy(
       const std::string& expected,
       bool used_proxy,
-      uint16_t port) {
+      uint16_t port,
+      const std::string& status_line) {
     HttpNetworkTransaction trans(DEFAULT_PRIORITY, session_.get());
     HeadersHandler headers_handler;
     trans.SetBeforeHeadersSentCallback(
         base::Bind(&HeadersHandler::OnBeforeHeadersSent,
                    base::Unretained(&headers_handler)));
     RunTransaction(&trans);
-    CheckWasQuicResponse(&trans);
+    CheckWasQuicResponse(&trans, status_line);
     CheckResponsePort(&trans, port);
     CheckResponseData(&trans, expected);
     EXPECT_EQ(used_proxy, headers_handler.was_proxied());
@@ -1069,6 +1072,14 @@ class QuicNetworkTransactionTest
       EXPECT_TRUE(trans.GetResponseInfo()->proxy_server.is_direct());
     }
   }
+
+  void SendRequestAndExpectQuicResponseMaybeFromProxy(
+      const std::string& expected,
+      bool used_proxy,
+      uint16_t port) {
+    SendRequestAndExpectQuicResponseMaybeFromProxy(expected, used_proxy, port,
+                                                   "HTTP/1.1 200 OK");
+  }
 };
 
 INSTANTIATE_TEST_SUITE_P(VersionIncludeStreamDependencySequence,
@@ -1080,9 +1091,9 @@ INSTANTIATE_TEST_SUITE_P(VersionIncludeStreamDependencySequence,
 // kAppendInitiatingFrameOriginToNetworkIsolationKey.
 
 TEST_P(QuicNetworkTransactionTest, WriteErrorHandshakeConfirmed) {
-  session_params_.quic_params.retry_without_alt_svc_on_quic_errors = false;
+  context_.params()->retry_without_alt_svc_on_quic_errors = false;
   base::HistogramTester histograms;
-  session_params_.quic_params.origins_to_force_quic_on.insert(
+  context_.params()->origins_to_force_quic_on.insert(
       HostPortPair::FromString("mail.example.org:443"));
   crypto_client_stream_factory_.set_handshake_mode(
       MockCryptoClientStream::CONFIRM_HANDSHAKE);
@@ -1111,9 +1122,9 @@ TEST_P(QuicNetworkTransactionTest, WriteErrorHandshakeConfirmed) {
 }
 
 TEST_P(QuicNetworkTransactionTest, WriteErrorHandshakeConfirmedAsync) {
-  session_params_.quic_params.retry_without_alt_svc_on_quic_errors = false;
+  context_.params()->retry_without_alt_svc_on_quic_errors = false;
   base::HistogramTester histograms;
-  session_params_.quic_params.origins_to_force_quic_on.insert(
+  context_.params()->origins_to_force_quic_on.insert(
       HostPortPair::FromString("mail.example.org:443"));
   crypto_client_stream_factory_.set_handshake_mode(
       MockCryptoClientStream::CONFIRM_HANDSHAKE);
@@ -1142,7 +1153,7 @@ TEST_P(QuicNetworkTransactionTest, WriteErrorHandshakeConfirmedAsync) {
 }
 
 TEST_P(QuicNetworkTransactionTest, SocketWatcherEnabled) {
-  session_params_.quic_params.origins_to_force_quic_on.insert(
+  context_.params()->origins_to_force_quic_on.insert(
       HostPortPair::FromString("mail.example.org:443"));
 
   MockQuicData mock_quic_data(version_);
@@ -1182,7 +1193,7 @@ TEST_P(QuicNetworkTransactionTest, SocketWatcherEnabled) {
 }
 
 TEST_P(QuicNetworkTransactionTest, SocketWatcherDisabled) {
-  session_params_.quic_params.origins_to_force_quic_on.insert(
+  context_.params()->origins_to_force_quic_on.insert(
       HostPortPair::FromString("mail.example.org:443"));
 
   MockQuicData mock_quic_data(version_);
@@ -1222,7 +1233,7 @@ TEST_P(QuicNetworkTransactionTest, SocketWatcherDisabled) {
 }
 
 TEST_P(QuicNetworkTransactionTest, ForceQuic) {
-  session_params_.quic_params.origins_to_force_quic_on.insert(
+  context_.params()->origins_to_force_quic_on.insert(
       HostPortPair::FromString("mail.example.org:443"));
 
   MockQuicData mock_quic_data(version_);
@@ -1297,7 +1308,7 @@ TEST_P(QuicNetworkTransactionTest, ForceQuic) {
 }
 
 TEST_P(QuicNetworkTransactionTest, LargeResponseHeaders) {
-  session_params_.quic_params.origins_to_force_quic_on.insert(
+  context_.params()->origins_to_force_quic_on.insert(
       HostPortPair::FromString("mail.example.org:443"));
 
   MockQuicData mock_quic_data(version_);
@@ -1372,8 +1383,8 @@ TEST_P(QuicNetworkTransactionTest, LargeResponseHeaders) {
 }
 
 TEST_P(QuicNetworkTransactionTest, TooLargeResponseHeaders) {
-  session_params_.quic_params.retry_without_alt_svc_on_quic_errors = false;
-  session_params_.quic_params.origins_to_force_quic_on.insert(
+  context_.params()->retry_without_alt_svc_on_quic_errors = false;
+  context_.params()->origins_to_force_quic_on.insert(
       HostPortPair::FromString("mail.example.org:443"));
 
   MockQuicData mock_quic_data(version_);
@@ -1456,7 +1467,7 @@ TEST_P(QuicNetworkTransactionTest, TooLargeResponseHeaders) {
 }
 
 TEST_P(QuicNetworkTransactionTest, ForceQuicForAll) {
-  session_params_.quic_params.origins_to_force_quic_on.insert(HostPortPair());
+  context_.params()->origins_to_force_quic_on.insert(HostPortPair());
 
   AddQuicAlternateProtocolMapping(MockCryptoClientStream::CONFIRM_HANDSHAKE);
 
@@ -1493,6 +1504,43 @@ TEST_P(QuicNetworkTransactionTest, ForceQuicForAll) {
       test_socket_performance_watcher_factory_.rtt_notification_received());
 }
 
+// Regression test for https://crbug.com/695225
+TEST_P(QuicNetworkTransactionTest, 408Response) {
+  context_.params()->origins_to_force_quic_on.insert(HostPortPair());
+
+  AddQuicAlternateProtocolMapping(MockCryptoClientStream::CONFIRM_HANDSHAKE);
+
+  MockQuicData mock_quic_data(version_);
+  int packet_num = 1;
+  if (VersionUsesHttp3(version_.transport_version)) {
+    mock_quic_data.AddWrite(SYNCHRONOUS,
+                            ConstructInitialSettingsPacket(packet_num++));
+  }
+  mock_quic_data.AddWrite(
+      SYNCHRONOUS,
+      ConstructClientRequestHeadersPacket(
+          packet_num++, GetNthClientInitiatedBidirectionalStreamId(0), true,
+          true, GetRequestHeaders("GET", "https", "/")));
+  mock_quic_data.AddRead(
+      ASYNC, ConstructServerResponseHeadersPacket(
+                 1, GetNthClientInitiatedBidirectionalStreamId(0), false, false,
+                 GetResponseHeaders("408 Request Timeout")));
+  std::string header = ConstructDataHeader(6);
+  mock_quic_data.AddRead(
+      ASYNC, ConstructServerDataPacket(
+                 2, GetNthClientInitiatedBidirectionalStreamId(0), false, true,
+                 header + "hello!"));
+  mock_quic_data.AddWrite(SYNCHRONOUS,
+                          ConstructClientAckPacket(packet_num++, 2, 1, 1));
+  mock_quic_data.AddRead(SYNCHRONOUS, ERR_IO_PENDING);  // No more data to read
+
+  mock_quic_data.AddSocketDataToFactory(&socket_factory_);
+
+  CreateSession();
+
+  SendRequestAndExpectQuicResponse("hello!", "HTTP/1.1 408 Request Timeout");
+}
+
 TEST_P(QuicNetworkTransactionTest, QuicProxy) {
   session_params_.enable_quic = true;
   proxy_resolution_service_ = ProxyResolutionService::CreateFixedFromPacResult(
@@ -1597,7 +1645,7 @@ TEST_P(QuicNetworkTransactionTest, QuicProxyWithCert) {
 }
 
 TEST_P(QuicNetworkTransactionTest, AlternativeServicesDifferentHost) {
-  session_params_.quic_params.allow_remote_alt_svc = true;
+  context_.params()->allow_remote_alt_svc = true;
   HostPortPair origin("www.example.org", 443);
   HostPortPair alternative("mail.example.org", 443);
 
@@ -1849,7 +1897,7 @@ TEST_P(QuicNetworkTransactionTest, RetryMisdirectedRequest) {
 }
 
 TEST_P(QuicNetworkTransactionTest, ForceQuicWithErrorConnecting) {
-  session_params_.quic_params.origins_to_force_quic_on.insert(
+  context_.params()->origins_to_force_quic_on.insert(
       HostPortPair::FromString("mail.example.org:443"));
 
   MockQuicData mock_quic_data1(version_);
@@ -1886,7 +1934,7 @@ TEST_P(QuicNetworkTransactionTest, ForceQuicWithErrorConnecting) {
 
 TEST_P(QuicNetworkTransactionTest, DoNotForceQuicForHttps) {
   // Attempt to "force" quic on 443, which will not be honored.
-  session_params_.quic_params.origins_to_force_quic_on.insert(
+  context_.params()->origins_to_force_quic_on.insert(
       HostPortPair::FromString("www.google.com:443"));
 
   MockRead http_reads[] = {
@@ -2561,6 +2609,10 @@ TEST_P(QuicNetworkTransactionTest, GoAwayWithConnectionMigrationOnPortsOnly) {
 // alternate network as well, QUIC is marked as broken and the brokenness will
 // not expire when default network changes.
 TEST_P(QuicNetworkTransactionTest, QuicFailsOnBothNetworksWhileTCPSucceeds) {
+  if (version_.handshake_protocol == quic::PROTOCOL_TLS1_3) {
+    // QUIC with TLS1.3 handshake doesn't support 0-rtt.
+    return;
+  }
   SetUpTestForRetryConnectionOnAlternateNetwork();
 
   client_maker_.SetEncryptionLevel(quic::ENCRYPTION_ZERO_RTT);
@@ -2580,11 +2632,6 @@ TEST_P(QuicNetworkTransactionTest, QuicFailsOnBothNetworksWhileTCPSucceeds) {
                      client_maker_.MakeDummyCHLOPacket(packet_num++));
   quic_data.AddWrite(SYNCHRONOUS,
                      client_maker_.MakeDummyCHLOPacket(packet_num++));
-  // TODO(zhongyi): remove condition check once b/115926584 is fixed.
-  if (version_.transport_version <= quic::QUIC_VERSION_39) {
-    quic_data.AddWrite(SYNCHRONOUS,
-                       client_maker_.MakeDummyCHLOPacket(packet_num++));
-  }
   // After timeout, connection will be closed with QUIC_NETWORK_IDLE_TIMEOUT.
   quic_data.AddWrite(SYNCHRONOUS,
                      client_maker_.MakeConnectionClosePacket(
@@ -2624,7 +2671,7 @@ TEST_P(QuicNetworkTransactionTest, QuicFailsOnBothNetworksWhileTCPSucceeds) {
   QuicStreamFactoryPeer::SetAlarmFactory(
       session_->quic_stream_factory(),
       std::make_unique<QuicChromiumAlarmFactory>(quic_task_runner_.get(),
-                                                 &clock_));
+                                                 context_.clock()));
   // Add alternate protocol mapping to race QUIC and TCP.
   // QUIC connection requires handshake to be confirmed and sends CHLO to the
   // peer.
@@ -2670,6 +2717,11 @@ TEST_P(QuicNetworkTransactionTest, QuicFailsOnBothNetworksWhileTCPSucceeds) {
 // alternate network, QUIC is marked as broken. The brokenness will expire when
 // the default network changes.
 TEST_P(QuicNetworkTransactionTest, RetryOnAlternateNetworkWhileTCPSucceeds) {
+  if (version_.handshake_protocol == quic::PROTOCOL_TLS1_3) {
+    // QUIC with TLS1.3 handshake doesn't support 0-rtt.
+    return;
+  }
+
   SetUpTestForRetryConnectionOnAlternateNetwork();
 
   client_maker_.SetEncryptionLevel(quic::ENCRYPTION_ZERO_RTT);
@@ -2689,11 +2741,6 @@ TEST_P(QuicNetworkTransactionTest, RetryOnAlternateNetworkWhileTCPSucceeds) {
                      client_maker_.MakeDummyCHLOPacket(packet_num++));
   quic_data.AddWrite(SYNCHRONOUS,
                      client_maker_.MakeDummyCHLOPacket(packet_num++));
-  // TODO(zhongyi): remove condition check once b/115926584 is fixed.
-  if (version_.transport_version <= quic::QUIC_VERSION_39) {
-    quic_data.AddWrite(SYNCHRONOUS,
-                       client_maker_.MakeDummyCHLOPacket(packet_num++));
-  }
   // After timeout, connection will be closed with QUIC_NETWORK_IDLE_TIMEOUT.
   quic_data.AddWrite(SYNCHRONOUS,
                      client_maker_.MakeConnectionClosePacket(
@@ -2739,7 +2786,7 @@ TEST_P(QuicNetworkTransactionTest, RetryOnAlternateNetworkWhileTCPSucceeds) {
   QuicStreamFactoryPeer::SetAlarmFactory(
       session_->quic_stream_factory(),
       std::make_unique<QuicChromiumAlarmFactory>(quic_task_runner_.get(),
-                                                 &clock_));
+                                                 context_.clock()));
   // Add alternate protocol mapping to race QUIC and TCP.
   // QUIC connection requires handshake to be confirmed and sends CHLO to the
   // peer.
@@ -2790,6 +2837,11 @@ TEST_P(QuicNetworkTransactionTest, RetryOnAlternateNetworkWhileTCPSucceeds) {
 // Much like above test, but verifies NetworkIsolationKeys are respected.
 TEST_P(QuicNetworkTransactionTest,
        RetryOnAlternateNetworkWhileTCPSucceedsWithNetworkIsolationKey) {
+  if (version_.handshake_protocol == quic::PROTOCOL_TLS1_3) {
+    // QUIC with TLS1.3 handshake doesn't support 0-rtt.
+    return;
+  }
+
   const url::Origin kOrigin1 = url::Origin::Create(GURL("https://foo.test/"));
   const net::NetworkIsolationKey kNetworkIsolationKey1(kOrigin1, kOrigin1);
   const url::Origin kOrigin2 = url::Origin::Create(GURL("https://bar.test/"));
@@ -2827,11 +2879,6 @@ TEST_P(QuicNetworkTransactionTest,
                      client_maker_.MakeDummyCHLOPacket(packet_num++));
   quic_data.AddWrite(SYNCHRONOUS,
                      client_maker_.MakeDummyCHLOPacket(packet_num++));
-  // TODO(zhongyi): remove condition check once b/115926584 is fixed.
-  if (version_.transport_version <= quic::QUIC_VERSION_39) {
-    quic_data.AddWrite(SYNCHRONOUS,
-                       client_maker_.MakeDummyCHLOPacket(packet_num++));
-  }
   // After timeout, connection will be closed with QUIC_NETWORK_IDLE_TIMEOUT.
   quic_data.AddWrite(SYNCHRONOUS,
                      client_maker_.MakeConnectionClosePacket(
@@ -2877,7 +2924,7 @@ TEST_P(QuicNetworkTransactionTest,
   QuicStreamFactoryPeer::SetAlarmFactory(
       session_->quic_stream_factory(),
       std::make_unique<QuicChromiumAlarmFactory>(quic_task_runner_.get(),
-                                                 &clock_));
+                                                 context_.clock()));
   // Add alternate protocol mapping to race QUIC and TCP.
   // QUIC connection requires handshake to be confirmed and sends CHLO to the
   // peer.
@@ -2936,6 +2983,11 @@ TEST_P(QuicNetworkTransactionTest,
 // before handshake is confirmed. If TCP doesn't succeed but QUIC on the
 // alternative network succeeds, QUIC is not marked as broken.
 TEST_P(QuicNetworkTransactionTest, RetryOnAlternateNetworkWhileTCPHanging) {
+  if (version_.handshake_protocol == quic::PROTOCOL_TLS1_3) {
+    // QUIC with TLS1.3 handshake doesn't support 0-rtt.
+    return;
+  }
+
   SetUpTestForRetryConnectionOnAlternateNetwork();
 
   client_maker_.SetEncryptionLevel(quic::ENCRYPTION_ZERO_RTT);
@@ -2955,12 +3007,6 @@ TEST_P(QuicNetworkTransactionTest, RetryOnAlternateNetworkWhileTCPHanging) {
                      client_maker_.MakeDummyCHLOPacket(packet_num++));
   quic_data.AddWrite(SYNCHRONOUS,
                      client_maker_.MakeDummyCHLOPacket(packet_num++));
-  // TODO(zhongyi): remove condition check once b/115926584 is fixed, i.e.,
-  // quic_fix_has_pending_crypto_data is introduced and enabled.
-  if (version_.transport_version <= quic::QUIC_VERSION_39) {
-    quic_data.AddWrite(SYNCHRONOUS,
-                       client_maker_.MakeDummyCHLOPacket(packet_num++));
-  }
   // After timeout, connection will be closed with QUIC_NETWORK_IDLE_TIMEOUT.
   quic_data.AddWrite(SYNCHRONOUS,
                      client_maker_.MakeConnectionClosePacket(
@@ -3015,7 +3061,7 @@ TEST_P(QuicNetworkTransactionTest, RetryOnAlternateNetworkWhileTCPHanging) {
   QuicStreamFactoryPeer::SetAlarmFactory(
       session_->quic_stream_factory(),
       std::make_unique<QuicChromiumAlarmFactory>(quic_task_runner_.get(),
-                                                 &clock_));
+                                                 context_.clock()));
   // Add alternate protocol mapping to race QUIC and TCP.
   // QUIC connection requires handshake to be confirmed and sends CHLO to the
   // peer.
@@ -3059,9 +3105,13 @@ TEST_P(QuicNetworkTransactionTest, RetryOnAlternateNetworkWhileTCPHanging) {
 // Verify that if a QUIC connection times out, the QuicHttpStream will
 // return QUIC_PROTOCOL_ERROR.
 TEST_P(QuicNetworkTransactionTest, TimeoutAfterHandshakeConfirmed) {
-  session_params_.quic_params.retry_without_alt_svc_on_quic_errors = false;
-  session_params_.quic_params.idle_connection_timeout =
-      base::TimeDelta::FromSeconds(5);
+  if (version_.handshake_protocol == quic::PROTOCOL_TLS1_3) {
+    // QUIC with TLS1.3 handshake doesn't support 0-rtt.
+    return;
+  }
+
+  context_.params()->retry_without_alt_svc_on_quic_errors = false;
+  context_.params()->idle_connection_timeout = base::TimeDelta::FromSeconds(5);
 
   // The request will initially go out over QUIC.
   MockQuicData quic_data(version_);
@@ -3153,7 +3203,7 @@ TEST_P(QuicNetworkTransactionTest, TimeoutAfterHandshakeConfirmed) {
   QuicStreamFactoryPeer::SetAlarmFactory(
       session_->quic_stream_factory(),
       std::make_unique<QuicChromiumAlarmFactory>(quic_task_runner_.get(),
-                                                 &clock_));
+                                                 context_.clock()));
 
   AddQuicAlternateProtocolMapping(MockCryptoClientStream::ZERO_RTT);
 
@@ -3179,8 +3229,13 @@ TEST_P(QuicNetworkTransactionTest, TimeoutAfterHandshakeConfirmed) {
 // Verify that if a QUIC connection RTOs, the QuicHttpStream will
 // return QUIC_PROTOCOL_ERROR.
 TEST_P(QuicNetworkTransactionTest, TooManyRtosAfterHandshakeConfirmed) {
-  session_params_.quic_params.retry_without_alt_svc_on_quic_errors = false;
-  session_params_.quic_params.connection_options.push_back(quic::k5RTO);
+  if (version_.handshake_protocol == quic::PROTOCOL_TLS1_3) {
+    // QUIC with TLS1.3 handshake doesn't support 0-rtt.
+    return;
+  }
+
+  context_.params()->retry_without_alt_svc_on_quic_errors = false;
+  context_.params()->connection_options.push_back(quic::k5RTO);
 
   // The request will initially go out over QUIC.
   MockQuicData quic_data(version_);
@@ -3276,7 +3331,7 @@ TEST_P(QuicNetworkTransactionTest, TooManyRtosAfterHandshakeConfirmed) {
   QuicStreamFactoryPeer::SetAlarmFactory(
       session_->quic_stream_factory(),
       std::make_unique<QuicChromiumAlarmFactory>(quic_task_runner_.get(),
-                                                 &clock_));
+                                                 context_.clock()));
 
   AddQuicAlternateProtocolMapping(MockCryptoClientStream::ZERO_RTT);
 
@@ -3303,7 +3358,12 @@ TEST_P(QuicNetworkTransactionTest, TooManyRtosAfterHandshakeConfirmed) {
 // QUIC will not be marked as broken.
 TEST_P(QuicNetworkTransactionTest,
        TooManyRtosAfterHandshakeConfirmedAndStreamReset) {
-  session_params_.quic_params.connection_options.push_back(quic::k5RTO);
+  if (version_.handshake_protocol == quic::PROTOCOL_TLS1_3) {
+    // QUIC with TLS1.3 handshake doesn't support 0-rtt.
+    return;
+  }
+
+  context_.params()->connection_options.push_back(quic::k5RTO);
 
   // The request will initially go out over QUIC.
   MockQuicData quic_data(version_);
@@ -3459,7 +3519,7 @@ TEST_P(QuicNetworkTransactionTest,
   QuicStreamFactoryPeer::SetAlarmFactory(
       session_->quic_stream_factory(),
       std::make_unique<QuicChromiumAlarmFactory>(quic_task_runner_.get(),
-                                                 &clock_));
+                                                 context_.clock()));
 
   AddQuicAlternateProtocolMapping(MockCryptoClientStream::ZERO_RTT);
 
@@ -3489,7 +3549,12 @@ TEST_P(QuicNetworkTransactionTest,
 // Verify that if a QUIC protocol error occurs after the handshake is confirmed
 // the request fails with QUIC_PROTOCOL_ERROR.
 TEST_P(QuicNetworkTransactionTest, ProtocolErrorAfterHandshakeConfirmed) {
-  session_params_.quic_params.retry_without_alt_svc_on_quic_errors = false;
+  if (version_.handshake_protocol == quic::PROTOCOL_TLS1_3) {
+    // QUIC with TLS1.3 handshake doesn't support 0-rtt.
+    return;
+  }
+
+  context_.params()->retry_without_alt_svc_on_quic_errors = false;
   // The request will initially go out over QUIC.
   MockQuicData quic_data(version_);
   client_maker_.SetEncryptionLevel(quic::ENCRYPTION_ZERO_RTT);
@@ -3560,8 +3625,12 @@ TEST_P(QuicNetworkTransactionTest, ProtocolErrorAfterHandshakeConfirmed) {
 // connection times out, then QUIC will be marked as broken and the request
 // retried over TCP.
 TEST_P(QuicNetworkTransactionTest, TimeoutAfterHandshakeConfirmedThenBroken2) {
-  session_params_.quic_params.idle_connection_timeout =
-      base::TimeDelta::FromSeconds(5);
+  if (version_.handshake_protocol == quic::PROTOCOL_TLS1_3) {
+    // QUIC with TLS1.3 handshake doesn't support 0-rtt.
+    return;
+  }
+
+  context_.params()->idle_connection_timeout = base::TimeDelta::FromSeconds(5);
 
   // The request will initially go out over QUIC.
   MockQuicData quic_data(version_);
@@ -3664,7 +3733,7 @@ TEST_P(QuicNetworkTransactionTest, TimeoutAfterHandshakeConfirmedThenBroken2) {
   QuicStreamFactoryPeer::SetAlarmFactory(
       session_->quic_stream_factory(),
       std::make_unique<QuicChromiumAlarmFactory>(quic_task_runner_.get(),
-                                                 &clock_));
+                                                 context_.clock()));
 
   AddQuicAlternateProtocolMapping(MockCryptoClientStream::ZERO_RTT);
 
@@ -3704,8 +3773,12 @@ TEST_P(QuicNetworkTransactionTest, TimeoutAfterHandshakeConfirmedThenBroken2) {
 // retried over TCP and the QUIC will be marked as broken.
 TEST_P(QuicNetworkTransactionTest,
        ProtocolErrorAfterHandshakeConfirmedThenBroken) {
-  session_params_.quic_params.idle_connection_timeout =
-      base::TimeDelta::FromSeconds(5);
+  if (version_.handshake_protocol == quic::PROTOCOL_TLS1_3) {
+    // QUIC with TLS1.3 handshake doesn't support 0-rtt.
+    return;
+  }
+
+  context_.params()->idle_connection_timeout = base::TimeDelta::FromSeconds(5);
 
   // The request will initially go out over QUIC.
   MockQuicData quic_data(version_);
@@ -3799,6 +3872,11 @@ TEST_P(QuicNetworkTransactionTest,
 // Much like above test, but verifies that NetworkIsolationKey is respected.
 TEST_P(QuicNetworkTransactionTest,
        ProtocolErrorAfterHandshakeConfirmedThenBrokenWithNetworkIsolationKey) {
+  if (version_.handshake_protocol == quic::PROTOCOL_TLS1_3) {
+    // QUIC with TLS1.3 handshake doesn't support 0-rtt.
+    return;
+  }
+
   const url::Origin kOrigin1 = url::Origin::Create(GURL("https://foo.test/"));
   const net::NetworkIsolationKey kNetworkIsolationKey1(kOrigin1, kOrigin1);
   const url::Origin kOrigin2 = url::Origin::Create(GURL("https://bar.test/"));
@@ -3815,8 +3893,7 @@ TEST_P(QuicNetworkTransactionTest,
   // one.
   http_server_properties_ = std::make_unique<HttpServerProperties>();
 
-  session_params_.quic_params.idle_connection_timeout =
-      base::TimeDelta::FromSeconds(5);
+  context_.params()->idle_connection_timeout = base::TimeDelta::FromSeconds(5);
 
   // The request will initially go out over QUIC.
   MockQuicData quic_data(version_);
@@ -3927,6 +4004,11 @@ TEST_P(QuicNetworkTransactionTest,
 // request is reset from, then QUIC will be marked as broken and the request
 // retried over TCP.
 TEST_P(QuicNetworkTransactionTest, ResetAfterHandshakeConfirmedThenBroken) {
+  if (version_.handshake_protocol == quic::PROTOCOL_TLS1_3) {
+    // QUIC with TLS1.3 handshake doesn't support 0-rtt.
+    return;
+  }
+
   // The request will initially go out over QUIC.
   MockQuicData quic_data(version_);
   spdy::SpdyPriority priority =
@@ -4018,7 +4100,7 @@ TEST_P(QuicNetworkTransactionTest, ResetAfterHandshakeConfirmedThenBroken) {
 // the remote Alt-Svc.
 // This is a regression test for crbug/825646.
 TEST_P(QuicNetworkTransactionTest, RemoteAltSvcWorkingWhileLocalAltSvcBroken) {
-  session_params_.quic_params.allow_remote_alt_svc = true;
+  context_.params()->allow_remote_alt_svc = true;
 
   GURL origin1 = request_.url;  // mail.example.org
   GURL origin2("https://www.example.org/");
@@ -4074,11 +4156,11 @@ TEST_P(QuicNetworkTransactionTest, RemoteAltSvcWorkingWhileLocalAltSvcBroken) {
   alternative_services.push_back(
       AlternativeServiceInfo::CreateQuicAlternativeServiceInfo(
           local_alternative, expiration,
-          session_->params().quic_params.supported_versions));
+          context_.params()->supported_versions));
   alternative_services.push_back(
       AlternativeServiceInfo::CreateQuicAlternativeServiceInfo(
           remote_alternative, expiration,
-          session_->params().quic_params.supported_versions));
+          context_.params()->supported_versions));
   http_server_properties_->SetAlternativeServices(url::SchemeHostPort(origin1),
                                                   NetworkIsolationKey(),
                                                   alternative_services);
@@ -4089,6 +4171,61 @@ TEST_P(QuicNetworkTransactionTest, RemoteAltSvcWorkingWhileLocalAltSvcBroken) {
   SendRequestAndExpectQuicResponse("hello!");
 }
 
+// Verify that when multiple alternatives are broken,
+// ALTERNATE_PROTOCOL_USAGE_BROKEN is only logged once.
+// This is a regression test for crbug/1024613.
+TEST_P(QuicNetworkTransactionTest, BrokenAlternativeOnlyRecordedOnce) {
+  base::HistogramTester histogram_tester;
+
+  MockRead http_reads[] = {
+      MockRead("HTTP/1.1 200 OK\r\n"), MockRead(kQuicAlternativeServiceHeader),
+      MockRead("hello world"),
+      MockRead(SYNCHRONOUS, ERR_TEST_PEER_CLOSE_AFTER_NEXT_MOCK_READ),
+      MockRead(ASYNC, OK)};
+
+  StaticSocketDataProvider http_data(http_reads, base::span<MockWrite>());
+  socket_factory_.AddSocketDataProvider(&http_data);
+  AddCertificate(&ssl_data_);
+  socket_factory_.AddSSLSocketDataProvider(&ssl_data_);
+
+  GURL origin1 = request_.url;  // mail.example.org
+
+  scoped_refptr<X509Certificate> cert(
+      ImportCertFromFile(GetTestCertsDirectory(), "wildcard.pem"));
+  ASSERT_TRUE(cert->VerifyNameMatch("mail.example.org"));
+
+  ProofVerifyDetailsChromium verify_details;
+  verify_details.cert_verify_result.verified_cert = cert;
+  verify_details.cert_verify_result.is_issued_by_known_root = true;
+  crypto_client_stream_factory_.AddProofVerifyDetails(&verify_details);
+
+  CreateSession();
+
+  // Set up alternative service for |origin1|.
+  AlternativeService local_alternative(kProtoQUIC, "mail.example.org", 443);
+  base::Time expiration = base::Time::Now() + base::TimeDelta::FromDays(1);
+  AlternativeServiceInfoVector alternative_services;
+  alternative_services.push_back(
+      AlternativeServiceInfo::CreateQuicAlternativeServiceInfo(
+          local_alternative, expiration,
+          context_.params()->supported_versions));
+  alternative_services.push_back(
+      AlternativeServiceInfo::CreateQuicAlternativeServiceInfo(
+          local_alternative, expiration,
+          context_.params()->supported_versions));
+  http_server_properties_->SetAlternativeServices(url::SchemeHostPort(origin1),
+                                                  NetworkIsolationKey(),
+                                                  alternative_services);
+
+  http_server_properties_->MarkAlternativeServiceBroken(local_alternative,
+                                                        NetworkIsolationKey());
+
+  SendRequestAndExpectHttpResponse("hello world");
+
+  histogram_tester.ExpectBucketCount("Net.AlternateProtocolUsage",
+                                     ALTERNATE_PROTOCOL_USAGE_BROKEN, 1);
+}
+
 // Verify that with retry_without_alt_svc_on_quic_errors enabled, if a QUIC
 // request is reset from, then QUIC will be marked as broken and the request
 // retried over TCP. Then, subsequent requests will go over a new TCP
@@ -4096,7 +4233,7 @@ TEST_P(QuicNetworkTransactionTest, RemoteAltSvcWorkingWhileLocalAltSvcBroken) {
 // This is a regression tests for crbug/731303.
 TEST_P(QuicNetworkTransactionTest,
        ResetPooledAfterHandshakeConfirmedThenBroken) {
-  session_params_.quic_params.allow_remote_alt_svc = true;
+  context_.params()->allow_remote_alt_svc = true;
 
   GURL origin1 = request_.url;
   GURL origin2("https://www.example.org/");
@@ -4140,12 +4277,14 @@ TEST_P(QuicNetworkTransactionTest,
   // Second request will go over the pooled QUIC connection, but will be
   // reset by the server.
   QuicTestPacketMaker client_maker2(
-      version_, quic::QuicUtils::CreateRandomConnectionId(&random_generator_),
-      &clock_, origin2.host(), quic::Perspective::IS_CLIENT,
+      version_,
+      quic::QuicUtils::CreateRandomConnectionId(context_.random_generator()),
+      context_.clock(), origin2.host(), quic::Perspective::IS_CLIENT,
       client_headers_include_h2_stream_dependency_);
   QuicTestPacketMaker server_maker2(
-      version_, quic::QuicUtils::CreateRandomConnectionId(&random_generator_),
-      &clock_, origin2.host(), quic::Perspective::IS_SERVER, false);
+      version_,
+      quic::QuicUtils::CreateRandomConnectionId(context_.random_generator()),
+      context_.clock(), origin2.host(), quic::Perspective::IS_SERVER, false);
   mock_quic_data.AddWrite(
       SYNCHRONOUS,
       ConstructClientRequestHeadersPacket(
@@ -4183,7 +4322,7 @@ TEST_P(QuicNetworkTransactionTest,
   QuicStreamFactoryPeer::SetAlarmFactory(
       session_->quic_stream_factory(),
       std::make_unique<QuicChromiumAlarmFactory>(quic_task_runner_.get(),
-                                                 &clock_));
+                                                 context_.clock()));
 
   // Set up alternative service for |origin1|.
   base::Time expiration = base::Time::Now() + base::TimeDelta::FromDays(1);
@@ -4247,7 +4386,7 @@ TEST_P(QuicNetworkTransactionTest,
 // If no existing QUIC session can be used, use the first alternative service
 // from the list.
 TEST_P(QuicNetworkTransactionTest, UseExistingAlternativeServiceForQuic) {
-  session_params_.quic_params.allow_remote_alt_svc = true;
+  context_.params()->allow_remote_alt_svc = true;
   MockRead http_reads[] = {
       MockRead("HTTP/1.1 200 OK\r\n"),
       MockRead("Alt-Svc: quic=\"foo.example.org:443\", quic=\":444\"\r\n\r\n"),
@@ -4320,7 +4459,7 @@ TEST_P(QuicNetworkTransactionTest, UseExistingAlternativeServiceForQuic) {
   QuicStreamFactoryPeer::SetAlarmFactory(
       session_->quic_stream_factory(),
       std::make_unique<QuicChromiumAlarmFactory>(quic_task_runner_.get(),
-                                                 &clock_));
+                                                 context_.clock()));
 
   SendRequestAndExpectHttpResponse("hello world");
 
@@ -4403,7 +4542,7 @@ TEST_P(QuicNetworkTransactionTest, UseExistingQUICAlternativeProxy) {
   QuicStreamFactoryPeer::SetAlarmFactory(
       session_->quic_stream_factory(),
       std::make_unique<QuicChromiumAlarmFactory>(quic_task_runner_.get(),
-                                                 &clock_));
+                                                 context_.clock()));
 
   SendRequestAndExpectQuicResponseFromProxyOnPort("hello!", 443);
   histogram_tester.ExpectUniqueSample("Net.QuicAlternativeProxy.Usage",
@@ -4420,7 +4559,7 @@ TEST_P(QuicNetworkTransactionTest, UseExistingQUICAlternativeProxy) {
 // Pool to existing session with matching quic::QuicServerId
 // even if alternative service destination is different.
 TEST_P(QuicNetworkTransactionTest, PoolByOrigin) {
-  session_params_.quic_params.allow_remote_alt_svc = true;
+  context_.params()->allow_remote_alt_svc = true;
   MockQuicData mock_quic_data(version_);
 
   int packet_num = 1;
@@ -4476,7 +4615,7 @@ TEST_P(QuicNetworkTransactionTest, PoolByOrigin) {
   QuicStreamFactoryPeer::SetAlarmFactory(
       session_->quic_stream_factory(),
       std::make_unique<QuicChromiumAlarmFactory>(quic_task_runner_.get(),
-                                                 &clock_));
+                                                 context_.clock()));
 
   const char destination1[] = "first.example.com";
   const char destination2[] = "second.example.com";
@@ -4506,7 +4645,7 @@ TEST_P(QuicNetworkTransactionTest, PoolByOrigin) {
 // even if origin is different, and even if the alternative service with
 // matching destination is not the first one on the list.
 TEST_P(QuicNetworkTransactionTest, PoolByDestination) {
-  session_params_.quic_params.allow_remote_alt_svc = true;
+  context_.params()->allow_remote_alt_svc = true;
   GURL origin1 = request_.url;
   GURL origin2("https://www.example.org/");
   ASSERT_NE(origin1.host(), origin2.host());
@@ -4538,12 +4677,14 @@ TEST_P(QuicNetworkTransactionTest, PoolByDestination) {
 
   // Second request.
   QuicTestPacketMaker client_maker2(
-      version_, quic::QuicUtils::CreateRandomConnectionId(&random_generator_),
-      &clock_, origin2.host(), quic::Perspective::IS_CLIENT,
+      version_,
+      quic::QuicUtils::CreateRandomConnectionId(context_.random_generator()),
+      context_.clock(), origin2.host(), quic::Perspective::IS_CLIENT,
       client_headers_include_h2_stream_dependency_);
   QuicTestPacketMaker server_maker2(
-      version_, quic::QuicUtils::CreateRandomConnectionId(&random_generator_),
-      &clock_, origin2.host(), quic::Perspective::IS_SERVER, false);
+      version_,
+      quic::QuicUtils::CreateRandomConnectionId(context_.random_generator()),
+      context_.clock(), origin2.host(), quic::Perspective::IS_SERVER, false);
   mock_quic_data.AddWrite(
       SYNCHRONOUS,
       ConstructClientRequestHeadersPacket(
@@ -4573,7 +4714,7 @@ TEST_P(QuicNetworkTransactionTest, PoolByDestination) {
   QuicStreamFactoryPeer::SetAlarmFactory(
       session_->quic_stream_factory(),
       std::make_unique<QuicChromiumAlarmFactory>(quic_task_runner_.get(),
-                                                 &clock_));
+                                                 context_.clock()));
 
   const char destination1[] = "first.example.com";
   const char destination2[] = "second.example.com";
@@ -4594,11 +4735,11 @@ TEST_P(QuicNetworkTransactionTest, PoolByDestination) {
   alternative_services.push_back(
       AlternativeServiceInfo::CreateQuicAlternativeServiceInfo(
           alternative_service2, expiration,
-          session_->params().quic_params.supported_versions));
+          context_.params()->supported_versions));
   alternative_services.push_back(
       AlternativeServiceInfo::CreateQuicAlternativeServiceInfo(
           alternative_service1, expiration,
-          session_->params().quic_params.supported_versions));
+          context_.params()->supported_versions));
   http_server_properties_->SetAlternativeServices(url::SchemeHostPort(origin2),
                                                   NetworkIsolationKey(),
                                                   alternative_services);
@@ -4619,7 +4760,7 @@ TEST_P(QuicNetworkTransactionTest, PoolByDestination) {
 // if this is also the first existing QUIC session.
 TEST_P(QuicNetworkTransactionTest,
        UseSharedExistingAlternativeServiceForQuicWithValidCert) {
-  session_params_.quic_params.allow_remote_alt_svc = true;
+  context_.params()->allow_remote_alt_svc = true;
   // Default cert is valid for *.example.org
 
   // HTTP data for request to www.example.org.
@@ -4648,8 +4789,9 @@ TEST_P(QuicNetworkTransactionTest,
   socket_factory_.AddSSLSocketDataProvider(&ssl_data_);
 
   QuicTestPacketMaker client_maker(
-      version_, quic::QuicUtils::CreateRandomConnectionId(&random_generator_),
-      &clock_, "mail.example.org", quic::Perspective::IS_CLIENT,
+      version_,
+      quic::QuicUtils::CreateRandomConnectionId(context_.random_generator()),
+      context_.clock(), "mail.example.org", quic::Perspective::IS_CLIENT,
       client_headers_include_h2_stream_dependency_);
   server_maker_.set_hostname("www.example.org");
   client_maker_.set_hostname("www.example.org");
@@ -4705,7 +4847,7 @@ TEST_P(QuicNetworkTransactionTest,
   QuicStreamFactoryPeer::SetAlarmFactory(
       session_->quic_stream_factory(),
       std::make_unique<QuicChromiumAlarmFactory>(quic_task_runner_.get(),
-                                                 &clock_));
+                                                 context_.clock()));
 
   // Send two HTTP requests, responses set up alt-svc lists for the origins.
   request_.url = GURL("https://www.example.org/");
@@ -5058,6 +5200,11 @@ TEST_P(QuicNetworkTransactionTest, HungAlternativeService) {
 }
 
 TEST_P(QuicNetworkTransactionTest, ZeroRTTWithHttpRace) {
+  if (version_.handshake_protocol == quic::PROTOCOL_TLS1_3) {
+    // QUIC with TLS1.3 handshake doesn't support 0-rtt.
+    return;
+  }
+
   MockQuicData mock_quic_data(version_);
   client_maker_.SetEncryptionLevel(quic::ENCRYPTION_ZERO_RTT);
   int packet_num = 1;
@@ -5100,6 +5247,11 @@ TEST_P(QuicNetworkTransactionTest, ZeroRTTWithHttpRace) {
 }
 
 TEST_P(QuicNetworkTransactionTest, ZeroRTTWithNoHttpRace) {
+  if (version_.handshake_protocol == quic::PROTOCOL_TLS1_3) {
+    // QUIC with TLS1.3 handshake doesn't support 0-rtt.
+    return;
+  }
+
   MockQuicData mock_quic_data(version_);
   client_maker_.SetEncryptionLevel(quic::ENCRYPTION_ZERO_RTT);
   int packet_number = 1;
@@ -5172,6 +5324,11 @@ TEST_P(QuicNetworkTransactionTest, ZeroRTTWithProxy) {
 }
 
 TEST_P(QuicNetworkTransactionTest, ZeroRTTWithConfirmationRequired) {
+  if (version_.handshake_protocol == quic::PROTOCOL_TLS1_3) {
+    // QUIC with TLS1.3 handshake doesn't support 0-rtt.
+    return;
+  }
+
   MockQuicData mock_quic_data(version_);
   int packet_num = 1;
   client_maker_.SetEncryptionLevel(quic::ENCRYPTION_ZERO_RTT);
@@ -5231,6 +5388,11 @@ TEST_P(QuicNetworkTransactionTest, ZeroRTTWithConfirmationRequired) {
 }
 
 TEST_P(QuicNetworkTransactionTest, ZeroRTTWithTooEarlyResponse) {
+  if (version_.handshake_protocol == quic::PROTOCOL_TLS1_3) {
+    // QUIC with TLS1.3 handshake doesn't support 0-rtt.
+    return;
+  }
+
   uint64_t packet_number = 1;
   MockQuicData mock_quic_data(version_);
   client_maker_.SetEncryptionLevel(quic::ENCRYPTION_ZERO_RTT);
@@ -5291,7 +5453,7 @@ TEST_P(QuicNetworkTransactionTest, ZeroRTTWithTooEarlyResponse) {
   QuicStreamFactoryPeer::SetAlarmFactory(
       session_->quic_stream_factory(),
       std::make_unique<QuicChromiumAlarmFactory>(quic_task_runner_.get(),
-                                                 &clock_));
+                                                 context_.clock()));
 
   HttpNetworkTransaction trans(DEFAULT_PRIORITY, session_.get());
   TestCompletionCallback callback;
@@ -5314,6 +5476,11 @@ TEST_P(QuicNetworkTransactionTest, ZeroRTTWithTooEarlyResponse) {
 }
 
 TEST_P(QuicNetworkTransactionTest, ZeroRTTWithMultipleTooEarlyResponse) {
+  if (version_.handshake_protocol == quic::PROTOCOL_TLS1_3) {
+    // QUIC with TLS1.3 handshake doesn't support 0-rtt.
+    return;
+  }
+
   uint64_t packet_number = 1;
   MockQuicData mock_quic_data(version_);
   client_maker_.SetEncryptionLevel(quic::ENCRYPTION_ZERO_RTT);
@@ -5371,7 +5538,7 @@ TEST_P(QuicNetworkTransactionTest, ZeroRTTWithMultipleTooEarlyResponse) {
   QuicStreamFactoryPeer::SetAlarmFactory(
       session_->quic_stream_factory(),
       std::make_unique<QuicChromiumAlarmFactory>(quic_task_runner_.get(),
-                                                 &clock_));
+                                                 context_.clock()));
 
   HttpNetworkTransaction trans(DEFAULT_PRIORITY, session_.get());
   TestCompletionCallback callback;
@@ -5395,14 +5562,18 @@ TEST_P(QuicNetworkTransactionTest, ZeroRTTWithMultipleTooEarlyResponse) {
   EXPECT_EQ("HTTP/1.1 425 TOO_EARLY", response->headers->GetStatusLine());
   EXPECT_TRUE(response->was_fetched_via_spdy);
   EXPECT_TRUE(response->was_alpn_negotiated);
-  EXPECT_EQ(
-      QuicHttpStream::ConnectionInfoFromQuicVersion(version_.transport_version),
-      response->connection_info);
+  EXPECT_EQ(QuicHttpStream::ConnectionInfoFromQuicVersion(version_),
+            response->connection_info);
 }
 
 TEST_P(QuicNetworkTransactionTest,
        LogGranularQuicErrorCodeOnQuicProtocolErrorLocal) {
-  session_params_.quic_params.retry_without_alt_svc_on_quic_errors = false;
+  if (version_.handshake_protocol == quic::PROTOCOL_TLS1_3) {
+    // QUIC with TLS1.3 handshake doesn't support 0-rtt.
+    return;
+  }
+
+  context_.params()->retry_without_alt_svc_on_quic_errors = false;
   MockQuicData mock_quic_data(version_);
   int packet_num = 1;
   client_maker_.SetEncryptionLevel(quic::ENCRYPTION_ZERO_RTT);
@@ -5459,7 +5630,12 @@ TEST_P(QuicNetworkTransactionTest,
 
 TEST_P(QuicNetworkTransactionTest,
        LogGranularQuicErrorCodeOnQuicProtocolErrorRemote) {
-  session_params_.quic_params.retry_without_alt_svc_on_quic_errors = false;
+  if (version_.handshake_protocol == quic::PROTOCOL_TLS1_3) {
+    // QUIC with TLS1.3 handshake doesn't support 0-rtt.
+    return;
+  }
+
+  context_.params()->retry_without_alt_svc_on_quic_errors = false;
   MockQuicData mock_quic_data(version_);
   int packet_num = 1;
   client_maker_.SetEncryptionLevel(quic::ENCRYPTION_ZERO_RTT);
@@ -5521,6 +5697,11 @@ TEST_P(QuicNetworkTransactionTest,
 }
 
 TEST_P(QuicNetworkTransactionTest, RstStreamErrorHandling) {
+  if (version_.handshake_protocol == quic::PROTOCOL_TLS1_3) {
+    // QUIC with TLS1.3 handshake doesn't support 0-rtt.
+    return;
+  }
+
   MockQuicData mock_quic_data(version_);
   int packet_num = 1;
   client_maker_.SetEncryptionLevel(quic::ENCRYPTION_ZERO_RTT);
@@ -5582,16 +5763,20 @@ TEST_P(QuicNetworkTransactionTest, RstStreamErrorHandling) {
   EXPECT_EQ("HTTP/1.1 200 OK", response->headers->GetStatusLine());
   EXPECT_TRUE(response->was_fetched_via_spdy);
   EXPECT_TRUE(response->was_alpn_negotiated);
-  EXPECT_EQ(
-      QuicHttpStream::ConnectionInfoFromQuicVersion(version_.transport_version),
-      response->connection_info);
+  EXPECT_EQ(QuicHttpStream::ConnectionInfoFromQuicVersion(version_),
+            response->connection_info);
 
   std::string response_data;
   ASSERT_EQ(ERR_QUIC_PROTOCOL_ERROR, ReadTransaction(&trans, &response_data));
 }
 
 TEST_P(QuicNetworkTransactionTest, RstStreamBeforeHeaders) {
-  session_params_.quic_params.retry_without_alt_svc_on_quic_errors = false;
+  if (version_.handshake_protocol == quic::PROTOCOL_TLS1_3) {
+    // QUIC with TLS1.3 handshake doesn't support 0-rtt.
+    return;
+  }
+
+  context_.params()->retry_without_alt_svc_on_quic_errors = false;
   MockQuicData mock_quic_data(version_);
   int packet_num = 1;
   client_maker_.SetEncryptionLevel(quic::ENCRYPTION_ZERO_RTT);
@@ -5777,6 +5962,11 @@ TEST_P(QuicNetworkTransactionTest, NoBrokenAlternateProtocolIfTcpFails) {
 }
 
 TEST_P(QuicNetworkTransactionTest, DelayTCPOnStartWithQuicSupportOnSameIP) {
+  if (version_.handshake_protocol == quic::PROTOCOL_TLS1_3) {
+    // QUIC with TLS1.3 handshake doesn't support 0-rtt.
+    return;
+  }
+
   // Tests that TCP job is delayed and QUIC job does not require confirmation
   // if QUIC was recently supported on the same IP on start.
 
@@ -5843,6 +6033,11 @@ TEST_P(QuicNetworkTransactionTest, DelayTCPOnStartWithQuicSupportOnSameIP) {
 
 TEST_P(QuicNetworkTransactionTest,
        DelayTCPOnStartWithQuicSupportOnDifferentIP) {
+  if (version_.handshake_protocol == quic::PROTOCOL_TLS1_3) {
+    // QUIC with TLS1.3 handshake doesn't support 0-rtt.
+    return;
+  }
+
   // Tests that TCP job is delayed and QUIC job requires confirmation if QUIC
   // was recently supported on a different IP address on start.
 
@@ -5988,6 +6183,11 @@ TEST_P(QuicNetworkTransactionTest, FailedZeroRttBrokenAlternateProtocol) {
 
 TEST_P(QuicNetworkTransactionTest,
        FailedZeroRttBrokenAlternateProtocolWithNetworkIsolationKey) {
+  if (version_.handshake_protocol == quic::PROTOCOL_TLS1_3) {
+    // QUIC with TLS1.3 handshake doesn't support 0-rtt.
+    return;
+  }
+
   base::test::ScopedFeatureList feature_list;
   feature_list.InitWithFeatures(
       // enabled_features
@@ -6294,7 +6494,7 @@ TEST_P(QuicNetworkTransactionTest,
 }
 
 TEST_P(QuicNetworkTransactionTest, QuicUpload) {
-  session_params_.quic_params.origins_to_force_quic_on.insert(
+  context_.params()->origins_to_force_quic_on.insert(
       HostPortPair::FromString("mail.example.org:443"));
 
   MockQuicData mock_quic_data(version_);
@@ -6330,7 +6530,7 @@ TEST_P(QuicNetworkTransactionTest, QuicUpload) {
 }
 
 TEST_P(QuicNetworkTransactionTest, QuicUploadWriteError) {
-  session_params_.quic_params.retry_without_alt_svc_on_quic_errors = false;
+  context_.params()->retry_without_alt_svc_on_quic_errors = false;
   ScopedMockNetworkChangeNotifier network_change_notifier;
   MockNetworkChangeNotifier* mock_ncn =
       network_change_notifier.mock_network_change_notifier();
@@ -6338,9 +6538,9 @@ TEST_P(QuicNetworkTransactionTest, QuicUploadWriteError) {
   mock_ncn->SetConnectedNetworksList(
       {kDefaultNetworkForTests, kNewNetworkForTests});
 
-  session_params_.quic_params.origins_to_force_quic_on.insert(
+  context_.params()->origins_to_force_quic_on.insert(
       HostPortPair::FromString("mail.example.org:443"));
-  session_params_.quic_params.migrate_sessions_on_network_change_v2 = true;
+  context_.params()->migrate_sessions_on_network_change_v2 = true;
 
   MockQuicData socket_data(version_);
   socket_data.AddRead(SYNCHRONOUS, ERR_IO_PENDING);
@@ -6387,7 +6587,7 @@ TEST_P(QuicNetworkTransactionTest, QuicUploadWriteError) {
 }
 
 TEST_P(QuicNetworkTransactionTest, RetryAfterAsyncNoBufferSpace) {
-  session_params_.quic_params.origins_to_force_quic_on.insert(
+  context_.params()->origins_to_force_quic_on.insert(
       HostPortPair::FromString("mail.example.org:443"));
 
   MockQuicData socket_data(version_);
@@ -6414,11 +6614,20 @@ TEST_P(QuicNetworkTransactionTest, RetryAfterAsyncNoBufferSpace) {
   socket_data.AddWrite(SYNCHRONOUS,
                        ConstructClientAckPacket(packet_num++, 2, 1, 1));
   socket_data.AddRead(SYNCHRONOUS, ERR_IO_PENDING);  // No more data to read
-  socket_data.AddWrite(
-      SYNCHRONOUS,
-      client_maker_.MakeAckAndConnectionClosePacket(
-          packet_num++, false, quic::QuicTime::Delta::FromMilliseconds(0), 2, 1,
-          1, quic::QUIC_CONNECTION_CANCELLED, "net error", 0));
+  if (version_.handshake_protocol == quic::PROTOCOL_TLS1_3) {
+    // TLS1.3 supports multiple packet number space, so the ack is no longer
+    // sent.
+    socket_data.AddWrite(
+        SYNCHRONOUS,
+        client_maker_.MakeConnectionClosePacket(
+            packet_num++, false, quic::QUIC_CONNECTION_CANCELLED, "net error"));
+  } else {
+    socket_data.AddWrite(
+        SYNCHRONOUS,
+        client_maker_.MakeAckAndConnectionClosePacket(
+            packet_num++, false, quic::QuicTime::Delta::FromMilliseconds(0), 2,
+            1, 1, quic::QUIC_CONNECTION_CANCELLED, "net error", 0));
+  }
 
   socket_data.AddSocketDataToFactory(&socket_factory_);
 
@@ -6429,7 +6638,7 @@ TEST_P(QuicNetworkTransactionTest, RetryAfterAsyncNoBufferSpace) {
 }
 
 TEST_P(QuicNetworkTransactionTest, RetryAfterSynchronousNoBufferSpace) {
-  session_params_.quic_params.origins_to_force_quic_on.insert(
+  context_.params()->origins_to_force_quic_on.insert(
       HostPortPair::FromString("mail.example.org:443"));
 
   MockQuicData socket_data(version_);
@@ -6456,11 +6665,20 @@ TEST_P(QuicNetworkTransactionTest, RetryAfterSynchronousNoBufferSpace) {
   socket_data.AddWrite(SYNCHRONOUS,
                        ConstructClientAckPacket(packet_num++, 2, 1, 1));
   socket_data.AddRead(SYNCHRONOUS, ERR_IO_PENDING);  // No more data to read
-  socket_data.AddWrite(
-      SYNCHRONOUS,
-      client_maker_.MakeAckAndConnectionClosePacket(
-          packet_num++, false, quic::QuicTime::Delta::FromMilliseconds(0), 2, 1,
-          1, quic::QUIC_CONNECTION_CANCELLED, "net error", 0));
+  if (version_.handshake_protocol == quic::PROTOCOL_TLS1_3) {
+    // TLS1.3 supports multiple packet number space, so the ack is no longer
+    // sent.
+    socket_data.AddWrite(
+        SYNCHRONOUS,
+        client_maker_.MakeConnectionClosePacket(
+            packet_num++, false, quic::QUIC_CONNECTION_CANCELLED, "net error"));
+  } else {
+    socket_data.AddWrite(
+        SYNCHRONOUS,
+        client_maker_.MakeAckAndConnectionClosePacket(
+            packet_num++, false, quic::QuicTime::Delta::FromMilliseconds(0), 2,
+            1, 1, quic::QUIC_CONNECTION_CANCELLED, "net error", 0));
+  }
 
   socket_data.AddSocketDataToFactory(&socket_factory_);
 
@@ -6471,8 +6689,8 @@ TEST_P(QuicNetworkTransactionTest, RetryAfterSynchronousNoBufferSpace) {
 }
 
 TEST_P(QuicNetworkTransactionTest, MaxRetriesAfterAsyncNoBufferSpace) {
-  session_params_.quic_params.retry_without_alt_svc_on_quic_errors = false;
-  session_params_.quic_params.origins_to_force_quic_on.insert(
+  context_.params()->retry_without_alt_svc_on_quic_errors = false;
+  context_.params()->origins_to_force_quic_on.insert(
       HostPortPair::FromString("mail.example.org:443"));
 
   MockQuicData socket_data(version_);
@@ -6489,7 +6707,7 @@ TEST_P(QuicNetworkTransactionTest, MaxRetriesAfterAsyncNoBufferSpace) {
   QuicStreamFactoryPeer::SetTaskRunner(session_->quic_stream_factory(),
                                        quic_task_runner_.get());
 
-  quic::QuicTime start = clock_.Now();
+  quic::QuicTime start = context_.clock()->Now();
   HttpNetworkTransaction trans(DEFAULT_PRIORITY, session_.get());
   TestCompletionCallback callback;
   int rv = trans.Start(&request_, callback.callback(), net_log_.bound());
@@ -6503,13 +6721,15 @@ TEST_P(QuicNetworkTransactionTest, MaxRetriesAfterAsyncNoBufferSpace) {
   EXPECT_TRUE(socket_data.AllReadDataConsumed());
   EXPECT_TRUE(socket_data.AllWriteDataConsumed());
   // Backoff should take between 4 - 5 seconds.
-  EXPECT_TRUE(clock_.Now() - start > quic::QuicTime::Delta::FromSeconds(4));
-  EXPECT_TRUE(clock_.Now() - start < quic::QuicTime::Delta::FromSeconds(5));
+  EXPECT_TRUE(context_.clock()->Now() - start >
+              quic::QuicTime::Delta::FromSeconds(4));
+  EXPECT_TRUE(context_.clock()->Now() - start <
+              quic::QuicTime::Delta::FromSeconds(5));
 }
 
 TEST_P(QuicNetworkTransactionTest, MaxRetriesAfterSynchronousNoBufferSpace) {
-  session_params_.quic_params.retry_without_alt_svc_on_quic_errors = false;
-  session_params_.quic_params.origins_to_force_quic_on.insert(
+  context_.params()->retry_without_alt_svc_on_quic_errors = false;
+  context_.params()->origins_to_force_quic_on.insert(
       HostPortPair::FromString("mail.example.org:443"));
 
   MockQuicData socket_data(version_);
@@ -6526,7 +6746,7 @@ TEST_P(QuicNetworkTransactionTest, MaxRetriesAfterSynchronousNoBufferSpace) {
   QuicStreamFactoryPeer::SetTaskRunner(session_->quic_stream_factory(),
                                        quic_task_runner_.get());
 
-  quic::QuicTime start = clock_.Now();
+  quic::QuicTime start = context_.clock()->Now();
   HttpNetworkTransaction trans(DEFAULT_PRIORITY, session_.get());
   TestCompletionCallback callback;
   int rv = trans.Start(&request_, callback.callback(), net_log_.bound());
@@ -6540,13 +6760,15 @@ TEST_P(QuicNetworkTransactionTest, MaxRetriesAfterSynchronousNoBufferSpace) {
   EXPECT_TRUE(socket_data.AllReadDataConsumed());
   EXPECT_TRUE(socket_data.AllWriteDataConsumed());
   // Backoff should take between 4 - 5 seconds.
-  EXPECT_TRUE(clock_.Now() - start > quic::QuicTime::Delta::FromSeconds(4));
-  EXPECT_TRUE(clock_.Now() - start < quic::QuicTime::Delta::FromSeconds(5));
+  EXPECT_TRUE(context_.clock()->Now() - start >
+              quic::QuicTime::Delta::FromSeconds(4));
+  EXPECT_TRUE(context_.clock()->Now() - start <
+              quic::QuicTime::Delta::FromSeconds(5));
 }
 
 TEST_P(QuicNetworkTransactionTest, NoMigrationForMsgTooBig) {
-  session_params_.quic_params.retry_without_alt_svc_on_quic_errors = false;
-  session_params_.quic_params.origins_to_force_quic_on.insert(
+  context_.params()->retry_without_alt_svc_on_quic_errors = false;
+  context_.params()->origins_to_force_quic_on.insert(
       HostPortPair::FromString("mail.example.org:443"));
   const std::string error_details =
       quic::QuicStrCat("Write failed with error: ", ERR_MSG_TOO_BIG, " (",
@@ -6582,7 +6804,9 @@ TEST_P(QuicNetworkTransactionTest, NoMigrationForMsgTooBig) {
 
 // Adds coverage to catch regression such as https://crbug.com/622043
 TEST_P(QuicNetworkTransactionTest, QuicServerPush) {
-  session_params_.quic_params.origins_to_force_quic_on.insert(
+  client_maker_.set_max_allowed_push_id(quic::kMaxQuicStreamId);
+  context_.params()->max_allowed_push_id = quic::kMaxQuicStreamId;
+  context_.params()->origins_to_force_quic_on.insert(
       HostPortPair::FromString("mail.example.org:443"));
 
   MockQuicData mock_quic_data(version_);
@@ -6672,8 +6896,10 @@ TEST_P(QuicNetworkTransactionTest, QuicServerPush) {
 // is closed before the pushed headers arrive, but after the connection
 // is closed and before the callbacks are executed.
 TEST_P(QuicNetworkTransactionTest, CancelServerPushAfterConnectionClose) {
-  session_params_.quic_params.retry_without_alt_svc_on_quic_errors = false;
-  session_params_.quic_params.origins_to_force_quic_on.insert(
+  client_maker_.set_max_allowed_push_id(quic::kMaxQuicStreamId);
+  context_.params()->max_allowed_push_id = quic::kMaxQuicStreamId;
+  context_.params()->retry_without_alt_svc_on_quic_errors = false;
+  context_.params()->origins_to_force_quic_on.insert(
       HostPortPair::FromString("mail.example.org:443"));
 
   MockQuicData mock_quic_data(version_);
@@ -6765,7 +6991,7 @@ TEST_P(QuicNetworkTransactionTest, CancelServerPushAfterConnectionClose) {
 }
 
 TEST_P(QuicNetworkTransactionTest, QuicForceHolBlocking) {
-  session_params_.quic_params.origins_to_force_quic_on.insert(
+  context_.params()->origins_to_force_quic_on.insert(
       HostPortPair::FromString("mail.example.org:443"));
 
   MockQuicData mock_quic_data(version_);
@@ -6861,7 +7087,7 @@ class QuicURLRequestContext : public URLRequestContext {
 };
 
 TEST_P(QuicNetworkTransactionTest, RawHeaderSizeSuccessfullRequest) {
-  session_params_.quic_params.origins_to_force_quic_on.insert(
+  context_.params()->origins_to_force_quic_on.insert(
       HostPortPair::FromString("mail.example.org:443"));
 
   MockQuicData mock_quic_data(version_);
@@ -6933,7 +7159,9 @@ TEST_P(QuicNetworkTransactionTest, RawHeaderSizeSuccessfullRequest) {
 }
 
 TEST_P(QuicNetworkTransactionTest, RawHeaderSizeSuccessfullPushHeadersFirst) {
-  session_params_.quic_params.origins_to_force_quic_on.insert(
+  client_maker_.set_max_allowed_push_id(quic::kMaxQuicStreamId);
+  context_.params()->max_allowed_push_id = quic::kMaxQuicStreamId;
+  context_.params()->origins_to_force_quic_on.insert(
       HostPortPair::FromString("mail.example.org:443"));
 
   MockQuicData mock_quic_data(version_);
@@ -7137,7 +7365,6 @@ class QuicNetworkTransactionWithDestinationTest
         ssl_config_service_(new SSLConfigServiceDefaults),
         proxy_resolution_service_(ProxyResolutionService::CreateDirect()),
         auth_handler_factory_(HttpAuthHandlerFactory::CreateDefault()),
-        random_generator_(0),
         ssl_data_(ASYNC, OK) {}
 
   void SetUp() override {
@@ -7146,22 +7373,21 @@ class QuicNetworkTransactionWithDestinationTest
 
     HttpNetworkSession::Params session_params;
     session_params.enable_quic = true;
-    session_params.quic_params.allow_remote_alt_svc = true;
-    session_params.quic_params.supported_versions = supported_versions_;
-    session_params.quic_params.headers_include_h2_stream_dependency =
+    context_.params()->allow_remote_alt_svc = true;
+    context_.params()->supported_versions = supported_versions_;
+    context_.params()->headers_include_h2_stream_dependency =
         client_headers_include_h2_stream_dependency_;
 
     HttpNetworkSession::Context session_context;
 
-    clock_.AdvanceTime(quic::QuicTime::Delta::FromMilliseconds(20));
-    session_context.quic_clock = &clock_;
+    context_.AdvanceTime(quic::QuicTime::Delta::FromMilliseconds(20));
 
     crypto_client_stream_factory_.set_handshake_mode(
         MockCryptoClientStream::CONFIRM_HANDSHAKE);
     session_context.quic_crypto_client_stream_factory =
         &crypto_client_stream_factory_;
 
-    session_context.quic_random = &random_generator_;
+    session_context.quic_context = &context_;
     session_context.client_socket_factory = &socket_factory_;
     session_context.host_resolver = &host_resolver_;
     session_context.cert_verifier = &cert_verifier_;
@@ -7250,9 +7476,9 @@ class QuicNetworkTransactionWithDestinationTest
       QuicTestPacketMaker* maker) {
     std::string header = "";
     if (version_.transport_version == quic::QUIC_VERSION_99) {
-      quic::HttpEncoder encoder;
       std::unique_ptr<char[]> buffer;
-      auto header_length = encoder.SerializeDataFrameHeader(5, &buffer);
+      auto header_length =
+          quic::HttpEncoder::SerializeDataFrameHeader(5, &buffer);
       header = std::string(buffer.get(), header_length);
     }
     return maker->MakeDataPacket(packet_number, stream_id, false, true,
@@ -7328,8 +7554,7 @@ class QuicNetworkTransactionWithDestinationTest
     EXPECT_EQ("HTTP/1.1 200 OK", response->headers->GetStatusLine());
     EXPECT_TRUE(response->was_fetched_via_spdy);
     EXPECT_TRUE(response->was_alpn_negotiated);
-    EXPECT_EQ(QuicHttpStream::ConnectionInfoFromQuicVersion(
-                  version_.transport_version),
+    EXPECT_EQ(QuicHttpStream::ConnectionInfoFromQuicVersion(version_),
               response->connection_info);
     EXPECT_EQ(443, response->remote_endpoint.port());
   }
@@ -7339,13 +7564,13 @@ class QuicNetworkTransactionWithDestinationTest
         version_.transport_version, n);
   }
 
-  quic::MockClock clock_;
   const quic::ParsedQuicVersion version_;
   const bool client_headers_include_h2_stream_dependency_;
   quic::ParsedQuicVersionVector supported_versions_;
   DestinationType destination_type_;
   std::string origin1_;
   std::string origin2_;
+  MockQuicContext context_;
   std::unique_ptr<HttpNetworkSession> session_;
   MockClientSocketFactory socket_factory_;
   MockHostResolver host_resolver_;
@@ -7357,9 +7582,8 @@ class QuicNetworkTransactionWithDestinationTest
   std::unique_ptr<SSLConfigServiceDefaults> ssl_config_service_;
   std::unique_ptr<ProxyResolutionService> proxy_resolution_service_;
   std::unique_ptr<HttpAuthHandlerFactory> auth_handler_factory_;
-  quic::test::MockRandom random_generator_;
   HttpServerProperties http_server_properties_;
-  BoundTestNetLog net_log_;
+  RecordingBoundTestNetLog net_log_;
   MockCryptoClientStreamFactory crypto_client_stream_factory_;
   std::vector<std::unique_ptr<StaticSocketDataProvider>>
       static_socket_data_provider_vector_;
@@ -7439,12 +7663,14 @@ TEST_P(QuicNetworkTransactionWithDestinationTest, PoolIfCertificateValid) {
   crypto_client_stream_factory_.AddProofVerifyDetails(&verify_details);
 
   QuicTestPacketMaker client_maker(
-      version_, quic::QuicUtils::CreateRandomConnectionId(&random_generator_),
-      &clock_, origin1_, quic::Perspective::IS_CLIENT,
+      version_,
+      quic::QuicUtils::CreateRandomConnectionId(context_.random_generator()),
+      context_.clock(), origin1_, quic::Perspective::IS_CLIENT,
       client_headers_include_h2_stream_dependency_);
   QuicTestPacketMaker server_maker(
-      version_, quic::QuicUtils::CreateRandomConnectionId(&random_generator_),
-      &clock_, origin1_, quic::Perspective::IS_SERVER, false);
+      version_,
+      quic::QuicUtils::CreateRandomConnectionId(context_.random_generator()),
+      context_.clock(), origin1_, quic::Perspective::IS_SERVER, false);
 
   MockQuicData mock_quic_data(version_);
   int packet_num = 1;
@@ -7496,11 +7722,12 @@ TEST_P(QuicNetworkTransactionWithDestinationTest, PoolIfCertificateValid) {
   AddHangingSocketData();
   AddHangingSocketData();
 
-  scoped_refptr<TestTaskRunner> quic_task_runner(new TestTaskRunner(&clock_));
+  scoped_refptr<TestTaskRunner> quic_task_runner(
+      new TestTaskRunner(context_.mock_clock()));
   QuicStreamFactoryPeer::SetAlarmFactory(
       session_->quic_stream_factory(),
       std::make_unique<QuicChromiumAlarmFactory>(quic_task_runner.get(),
-                                                 &clock_));
+                                                 context_.clock()));
 
   SendRequestAndExpectQuicResponse(origin1_);
   SendRequestAndExpectQuicResponse(origin2_);
@@ -7542,12 +7769,14 @@ TEST_P(QuicNetworkTransactionWithDestinationTest,
   crypto_client_stream_factory_.AddProofVerifyDetails(&verify_details2);
 
   QuicTestPacketMaker client_maker1(
-      version_, quic::QuicUtils::CreateRandomConnectionId(&random_generator_),
-      &clock_, origin1_, quic::Perspective::IS_CLIENT,
+      version_,
+      quic::QuicUtils::CreateRandomConnectionId(context_.random_generator()),
+      context_.clock(), origin1_, quic::Perspective::IS_CLIENT,
       client_headers_include_h2_stream_dependency_);
   QuicTestPacketMaker server_maker1(
-      version_, quic::QuicUtils::CreateRandomConnectionId(&random_generator_),
-      &clock_, origin1_, quic::Perspective::IS_SERVER, false);
+      version_,
+      quic::QuicUtils::CreateRandomConnectionId(context_.random_generator()),
+      context_.clock(), origin1_, quic::Perspective::IS_SERVER, false);
 
   MockQuicData mock_quic_data1(version_);
   int packet_num = 1;
@@ -7577,12 +7806,14 @@ TEST_P(QuicNetworkTransactionWithDestinationTest,
   mock_quic_data1.AddSocketDataToFactory(&socket_factory_);
 
   QuicTestPacketMaker client_maker2(
-      version_, quic::QuicUtils::CreateRandomConnectionId(&random_generator_),
-      &clock_, origin2_, quic::Perspective::IS_CLIENT,
+      version_,
+      quic::QuicUtils::CreateRandomConnectionId(context_.random_generator()),
+      context_.clock(), origin2_, quic::Perspective::IS_CLIENT,
       client_headers_include_h2_stream_dependency_);
   QuicTestPacketMaker server_maker2(
-      version_, quic::QuicUtils::CreateRandomConnectionId(&random_generator_),
-      &clock_, origin2_, quic::Perspective::IS_SERVER, false);
+      version_,
+      quic::QuicUtils::CreateRandomConnectionId(context_.random_generator()),
+      context_.clock(), origin2_, quic::Perspective::IS_SERVER, false);
 
   MockQuicData mock_quic_data2(version_);
   int packet_num2 = 1;
@@ -7620,7 +7851,9 @@ TEST_P(QuicNetworkTransactionWithDestinationTest,
 // crbug.com/705109 - this confirms that matching request with a body
 // triggers a crash (pre-fix).
 TEST_P(QuicNetworkTransactionTest, QuicServerPushMatchesRequestWithBody) {
-  session_params_.quic_params.origins_to_force_quic_on.insert(
+  client_maker_.set_max_allowed_push_id(quic::kMaxQuicStreamId);
+  context_.params()->max_allowed_push_id = quic::kMaxQuicStreamId;
+  context_.params()->origins_to_force_quic_on.insert(
       HostPortPair::FromString("mail.example.org:443"));
 
   MockQuicData mock_quic_data(version_);
@@ -7743,13 +7976,16 @@ TEST_P(QuicNetworkTransactionTest, QuicServerPushMatchesRequestWithBody) {
 // valid URL with empty hostname, then X509Certificate::VerifyHostname() must
 // not be called (otherwise a DCHECK fails).
 TEST_P(QuicNetworkTransactionTest, QuicServerPushWithEmptyHostname) {
+  client_maker_.set_max_allowed_push_id(quic::kMaxQuicStreamId);
+  context_.params()->max_allowed_push_id = quic::kMaxQuicStreamId;
+
   spdy::SpdyHeaderBlock pushed_request_headers;
   pushed_request_headers[":authority"] = "";
   pushed_request_headers[":method"] = "GET";
   pushed_request_headers[":path"] = "/";
   pushed_request_headers[":scheme"] = "nosuchscheme";
 
-  session_params_.quic_params.origins_to_force_quic_on.insert(
+  context_.params()->origins_to_force_quic_on.insert(
       HostPortPair::FromString("mail.example.org:443"));
 
   MockQuicData mock_quic_data(version_);
@@ -8728,12 +8964,15 @@ TEST_P(QuicNetworkTransactionTest, QuicProxyAuth) {
   // reused. See http://crbug.com/544255.
   for (int i = 0; i < 2; ++i) {
     client_maker.reset(new QuicTestPacketMaker(
-        version_, quic::QuicUtils::CreateRandomConnectionId(&random_generator_),
-        &clock_, kDefaultServerHostName, quic::Perspective::IS_CLIENT,
+        version_,
+        quic::QuicUtils::CreateRandomConnectionId(context_.random_generator()),
+        context_.clock(), kDefaultServerHostName, quic::Perspective::IS_CLIENT,
         client_headers_include_h2_stream_dependency_));
     server_maker.reset(new QuicTestPacketMaker(
-        version_, quic::QuicUtils::CreateRandomConnectionId(&random_generator_),
-        &clock_, kDefaultServerHostName, quic::Perspective::IS_SERVER, false));
+        version_,
+        quic::QuicUtils::CreateRandomConnectionId(context_.random_generator()),
+        context_.clock(), kDefaultServerHostName, quic::Perspective::IS_SERVER,
+        false));
 
     session_params_.enable_quic = true;
     session_params_.enable_quic_proxies_for_https_urls = true;
@@ -8889,6 +9128,9 @@ TEST_P(QuicNetworkTransactionTest, QuicProxyAuth) {
 }
 
 TEST_P(QuicNetworkTransactionTest, QuicServerPushUpdatesPriority) {
+  client_maker_.set_max_allowed_push_id(quic::kMaxQuicStreamId);
+  context_.params()->max_allowed_push_id = quic::kMaxQuicStreamId;
+
   // Only run this test if HTTP/2 stream dependency info is sent by client (sent
   // in HEADERS frames for requests and PRIORITY frames).
   if (version_.transport_version < quic::QUIC_VERSION_43 ||
@@ -8901,7 +9143,7 @@ TEST_P(QuicNetworkTransactionTest, QuicServerPushUpdatesPriority) {
     return;
   }
 
-  session_params_.quic_params.origins_to_force_quic_on.insert(
+  context_.params()->origins_to_force_quic_on.insert(
       HostPortPair::FromString("mail.example.org:443"));
 
   const quic::QuicStreamId client_stream_0 =
@@ -9084,7 +9326,7 @@ TEST_P(QuicNetworkTransactionTest, NetworkIsolation) {
   NetworkIsolationKey network_isolation_key1(kOrigin1, kOrigin1);
   NetworkIsolationKey network_isolation_key2(kOrigin2, kOrigin2);
 
-  session_params_.quic_params.origins_to_force_quic_on.insert(
+  context_.params()->origins_to_force_quic_on.insert(
       HostPortPair::FromString("mail.example.org:443"));
 
   // Whether to use an H2 proxy. When false, uses HTTPS H2 requests without a
@@ -9130,19 +9372,23 @@ TEST_P(QuicNetworkTransactionTest, NetworkIsolation) {
       // Reads and writes for the unpartitioned case, where only one socket is
       // used.
 
-      session_params_.quic_params.origins_to_force_quic_on.insert(
+      context_.params()->origins_to_force_quic_on.insert(
           HostPortPair::FromString("mail.example.org:443"));
 
       MockQuicData unpartitioned_mock_quic_data(version_);
       QuicTestPacketMaker client_maker1(
           version_,
-          quic::QuicUtils::CreateRandomConnectionId(&random_generator_),
-          &clock_, kDefaultServerHostName, quic::Perspective::IS_CLIENT,
+          quic::QuicUtils::CreateRandomConnectionId(
+              context_.random_generator()),
+          context_.clock(), kDefaultServerHostName,
+          quic::Perspective::IS_CLIENT,
           client_headers_include_h2_stream_dependency_);
       QuicTestPacketMaker server_maker1(
           version_,
-          quic::QuicUtils::CreateRandomConnectionId(&random_generator_),
-          &clock_, kDefaultServerHostName, quic::Perspective::IS_SERVER, false);
+          quic::QuicUtils::CreateRandomConnectionId(
+              context_.random_generator()),
+          context_.clock(), kDefaultServerHostName,
+          quic::Perspective::IS_SERVER, false);
 
       int packet_num = 1;
       if (VersionUsesHttp3(version_.transport_version)) {
@@ -9212,13 +9458,17 @@ TEST_P(QuicNetworkTransactionTest, NetworkIsolation) {
       MockQuicData partitioned_mock_quic_data1(version_);
       QuicTestPacketMaker client_maker2(
           version_,
-          quic::QuicUtils::CreateRandomConnectionId(&random_generator_),
-          &clock_, kDefaultServerHostName, quic::Perspective::IS_CLIENT,
+          quic::QuicUtils::CreateRandomConnectionId(
+              context_.random_generator()),
+          context_.clock(), kDefaultServerHostName,
+          quic::Perspective::IS_CLIENT,
           client_headers_include_h2_stream_dependency_);
       QuicTestPacketMaker server_maker2(
           version_,
-          quic::QuicUtils::CreateRandomConnectionId(&random_generator_),
-          &clock_, kDefaultServerHostName, quic::Perspective::IS_SERVER, false);
+          quic::QuicUtils::CreateRandomConnectionId(
+              context_.random_generator()),
+          context_.clock(), kDefaultServerHostName,
+          quic::Perspective::IS_SERVER, false);
 
       int packet_num2 = 1;
       if (VersionUsesHttp3(version_.transport_version)) {
@@ -9270,13 +9520,17 @@ TEST_P(QuicNetworkTransactionTest, NetworkIsolation) {
       MockQuicData partitioned_mock_quic_data2(version_);
       QuicTestPacketMaker client_maker3(
           version_,
-          quic::QuicUtils::CreateRandomConnectionId(&random_generator_),
-          &clock_, kDefaultServerHostName, quic::Perspective::IS_CLIENT,
+          quic::QuicUtils::CreateRandomConnectionId(
+              context_.random_generator()),
+          context_.clock(), kDefaultServerHostName,
+          quic::Perspective::IS_CLIENT,
           client_headers_include_h2_stream_dependency_);
       QuicTestPacketMaker server_maker3(
           version_,
-          quic::QuicUtils::CreateRandomConnectionId(&random_generator_),
-          &clock_, kDefaultServerHostName, quic::Perspective::IS_SERVER, false);
+          quic::QuicUtils::CreateRandomConnectionId(
+              context_.random_generator()),
+          context_.clock(), kDefaultServerHostName,
+          quic::Perspective::IS_SERVER, false);
 
       int packet_num3 = 1;
       if (VersionUsesHttp3(version_.transport_version)) {
@@ -9395,12 +9649,15 @@ TEST_P(QuicNetworkTransactionTest, NetworkIsolationTunnel) {
 
   for (int index : {0, 1}) {
     QuicTestPacketMaker client_maker(
-        version_, quic::QuicUtils::CreateRandomConnectionId(&random_generator_),
-        &clock_, kDefaultServerHostName, quic::Perspective::IS_CLIENT,
+        version_,
+        quic::QuicUtils::CreateRandomConnectionId(context_.random_generator()),
+        context_.clock(), kDefaultServerHostName, quic::Perspective::IS_CLIENT,
         client_headers_include_h2_stream_dependency_);
     QuicTestPacketMaker server_maker(
-        version_, quic::QuicUtils::CreateRandomConnectionId(&random_generator_),
-        &clock_, kDefaultServerHostName, quic::Perspective::IS_SERVER, false);
+        version_,
+        quic::QuicUtils::CreateRandomConnectionId(context_.random_generator()),
+        context_.clock(), kDefaultServerHostName, quic::Perspective::IS_SERVER,
+        false);
 
     int packet_num = 1;
     if (VersionUsesHttp3(version_.transport_version)) {
diff --git a/chromium/net/quic/quic_proxy_client_socket_unittest.cc b/chromium/net/quic/quic_proxy_client_socket_unittest.cc
index 7cbdda041e4..4779e78a88d 100644
--- a/chromium/net/quic/quic_proxy_client_socket_unittest.cc
+++ b/chromium/net/quic/quic_proxy_client_socket_unittest.cc
@@ -99,11 +99,8 @@ std::vector<TestParams> GetTestParams() {
   quic::ParsedQuicVersionVector all_supported_versions =
       quic::AllSupportedVersions();
   for (const auto& version : all_supported_versions) {
-    // TODO(rch): crbug.com/978745 - Make this work with v99.
-    if (version.transport_version != quic::QUIC_VERSION_99) {
-      params.push_back(TestParams{version, false});
-      params.push_back(TestParams{version, true});
-    }
+    params.push_back(TestParams{version, false});
+    params.push_back(TestParams{version, true});
   }
   return params;
 }
@@ -151,8 +148,15 @@ class QuicProxyClientSocketTest : public ::testing::TestWithParam<TestParams>,
   QuicProxyClientSocketTest()
       : version_(GetParam().version),
         client_data_stream_id1_(
-            quic::QuicUtils::GetHeadersStreamId(version_.transport_version) +
-            quic::QuicUtils::StreamIdDelta(version_.transport_version)),
+            quic::VersionUsesHttp3(version_.transport_version)
+                ? quic::QuicUtils::GetFirstBidirectionalStreamId(
+                      version_.transport_version,
+                      quic::Perspective::IS_CLIENT)
+                : quic::QuicUtils::GetFirstBidirectionalStreamId(
+                      version_.transport_version,
+                      quic::Perspective::IS_CLIENT) +
+                      quic::QuicUtils::StreamIdDelta(
+                          version_.transport_version)),
         client_headers_include_h2_stream_dependency_(
             GetParam().client_headers_include_h2_stream_dependency),
         mock_quic_data_(version_),
@@ -175,6 +179,8 @@ class QuicProxyClientSocketTest : public ::testing::TestWithParam<TestParams>,
         user_agent_(kUserAgent),
         proxy_host_port_(kProxyHost, kProxyPort),
         endpoint_host_port_(kOriginHost, kOriginPort),
+        http_auth_cache_(
+            false /* key_server_entries_by_network_isolation_key */),
         host_resolver_(new MockCachingHostResolver()),
         http_auth_handler_factory_(HttpAuthHandlerFactory::CreateDefault()) {
     IPAddress ip(192, 0, 2, 33);
@@ -292,11 +298,11 @@ class QuicProxyClientSocketTest : public ::testing::TestWithParam<TestParams>,
     sock_.reset(new QuicProxyClientSocket(
         std::move(stream_handle), std::move(session_handle_), user_agent_,
         endpoint_host_port_, net_log_.bound(),
-        new HttpAuthController(
-            HttpAuth::AUTH_PROXY,
-            GURL("https://" + proxy_host_port_.ToString()), &http_auth_cache_,
-            http_auth_handler_factory_.get(), host_resolver_.get(),
-            HttpAuthPreferences::ALLOW_DEFAULT_CREDENTIALS)));
+        new HttpAuthController(HttpAuth::AUTH_PROXY,
+                               GURL("https://" + proxy_host_port_.ToString()),
+                               NetworkIsolationKey(), &http_auth_cache_,
+                               http_auth_handler_factory_.get(),
+                               host_resolver_.get())));
 
     session_->StartReading();
   }
@@ -442,13 +448,14 @@ class QuicProxyClientSocketTest : public ::testing::TestWithParam<TestParams>,
 
   std::unique_ptr<quic::QuicReceivedPacket> ConstructServerConnectReplyPacket(
       uint64_t packet_number,
-      bool fin) {
+      bool fin,
+      size_t* header_length = nullptr) {
     spdy::SpdyHeaderBlock block;
     block[":status"] = "200";
 
     return server_maker_.MakeResponseHeadersPacket(
         packet_number, client_data_stream_id1_, !kIncludeVersion, fin,
-        std::move(block), nullptr);
+        std::move(block), header_length);
   }
 
   std::unique_ptr<quic::QuicReceivedPacket>
@@ -560,13 +567,13 @@ class QuicProxyClientSocketTest : public ::testing::TestWithParam<TestParams>,
     if (version_.transport_version != quic::QUIC_VERSION_99) {
       return "";
     }
-    quic::HttpEncoder encoder;
     std::unique_ptr<char[]> buffer;
-    auto header_length = encoder.SerializeDataFrameHeader(body_len, &buffer);
+    auto header_length =
+        quic::HttpEncoder::SerializeDataFrameHeader(body_len, &buffer);
     return std::string(buffer.get(), header_length);
   }
 
-  BoundTestNetLog net_log_;
+  RecordingBoundTestNetLog net_log_;
   QuicFlagSaver saver_;
   const quic::ParsedQuicVersion version_;
   const quic::QuicStreamId client_data_stream_id1_;
@@ -680,7 +687,8 @@ TEST_P(QuicProxyClientSocketTest, ConnectWithAuthCredentials) {
   // Add auth to cache
   const base::string16 kFoo(base::ASCIIToUTF16("foo"));
   const base::string16 kBar(base::ASCIIToUTF16("bar"));
-  http_auth_cache_.Add(GURL(kProxyUrl), "MyRealm1", HttpAuth::AUTH_SCHEME_BASIC,
+  http_auth_cache_.Add(GURL(kProxyUrl), HttpAuth::AUTH_PROXY, "MyRealm1",
+                       HttpAuth::AUTH_SCHEME_BASIC, NetworkIsolationKey(),
                        "Basic realm=MyRealm1", AuthCredentials(kFoo, kBar),
                        "/");
 
@@ -842,15 +850,17 @@ TEST_P(QuicProxyClientSocketTest, GetTotalReceivedBytes) {
     mock_quic_data_.AddWrite(SYNCHRONOUS,
                              ConstructSettingsPacket(packet_number++));
   }
+  size_t header_length;
   mock_quic_data_.AddWrite(SYNCHRONOUS,
                            ConstructConnectRequestPacket(packet_number++));
-  mock_quic_data_.AddRead(ASYNC, ConstructServerConnectReplyPacket(1, !kFin));
+  mock_quic_data_.AddRead(
+      ASYNC, ConstructServerConnectReplyPacket(1, !kFin, &header_length));
   mock_quic_data_.AddRead(ASYNC, ERR_IO_PENDING);  // Pause
 
-  std::string header = ConstructDataHeader(kLen333);
-  mock_quic_data_.AddRead(
-      ASYNC,
-      ConstructServerDataPacket(2, header + std::string(kMsg333, kLen333)));
+  std::string data_header = ConstructDataHeader(kLen333);
+  mock_quic_data_.AddRead(ASYNC,
+                          ConstructServerDataPacket(
+                              2, data_header + std::string(kMsg333, kLen333)));
   mock_quic_data_.AddWrite(SYNCHRONOUS,
                            ConstructAckPacket(packet_number++, 2, 1, 1));
   mock_quic_data_.AddRead(SYNCHRONOUS, ERR_IO_PENDING);
@@ -864,30 +874,43 @@ TEST_P(QuicProxyClientSocketTest, GetTotalReceivedBytes) {
 
   AssertConnectSucceeds();
 
-  EXPECT_EQ(0, sock_->GetTotalReceivedBytes());
+  if (!VersionUsesHttp3(version_.transport_version)) {
+    header_length = 0;
+    EXPECT_EQ(0, sock_->GetTotalReceivedBytes());
+  } else {
+    // HTTP/3 sends and receives HTTP headers on the request stream.
+    EXPECT_EQ((int64_t)(header_length), sock_->GetTotalReceivedBytes());
+  }
 
   // The next read is consumed and buffered.
   ResumeAndRun();
 
-  EXPECT_EQ(0, sock_->GetTotalReceivedBytes());
+  if (!VersionUsesHttp3(version_.transport_version)) {
+    EXPECT_EQ(0, sock_->GetTotalReceivedBytes());
+  } else {
+    // HTTP/3 encodes data with DATA frame. The header is consumed.
+    EXPECT_EQ((int64_t)(header_length + data_header.length()),
+              sock_->GetTotalReceivedBytes());
+  }
 
   // The payload from the single large data frame will be read across
   // two different reads.
   AssertSyncReadEquals(kMsg33, kLen33);
 
-  EXPECT_EQ((int64_t)(kLen33 + header.length()),
+  EXPECT_EQ((int64_t)(header_length + data_header.length() + kLen33),
             sock_->GetTotalReceivedBytes());
 
   AssertSyncReadEquals(kMsg3, kLen3);
 
-  EXPECT_EQ((int64_t)(kLen333 + header.length()),
+  EXPECT_EQ((int64_t)(header_length + kLen333 + data_header.length()),
             sock_->GetTotalReceivedBytes());
 }
 
 TEST_P(QuicProxyClientSocketTest, SetStreamPriority) {
   int packet_number = 1;
   if (VersionUsesHttp3(version_.transport_version)) {
-    mock_quic_data_.AddWrite(SYNCHRONOUS, ConstructSettingsPacket(1));
+    mock_quic_data_.AddWrite(SYNCHRONOUS,
+                             ConstructSettingsPacket(packet_number++));
   }
   // Despite setting the priority to HIGHEST, the requets initial priority of
   // LOWEST is used.
diff --git a/chromium/net/quic/quic_stream_factory.cc b/chromium/net/quic/quic_stream_factory.cc
index db6fe07fa4b..ee0fd904aea 100644
--- a/chromium/net/quic/quic_stream_factory.cc
+++ b/chromium/net/quic/quic_stream_factory.cc
@@ -45,6 +45,7 @@
 #include "net/quic/quic_chromium_connection_helper.h"
 #include "net/quic/quic_chromium_packet_reader.h"
 #include "net/quic/quic_chromium_packet_writer.h"
+#include "net/quic/quic_context.h"
 #include "net/quic/quic_crypto_client_stream_factory.h"
 #include "net/quic/quic_http_stream.h"
 #include "net/quic/quic_server_info.h"
@@ -171,6 +172,21 @@ void LogRacingStatus(ConnectionStateAfterDNS status) {
   UMA_HISTOGRAM_ENUMERATION("Net.QuicSession.ConnectionStateAfterDNS", status);
 }
 
+void LogStaleConnectionTime(base::TimeTicks start_time) {
+  UMA_HISTOGRAM_TIMES("Net.QuicSession.StaleConnectionTime",
+                      base::TimeTicks::Now() - start_time);
+}
+
+void LogValidConnectionTime(base::TimeTicks start_time) {
+  UMA_HISTOGRAM_TIMES("Net.QuicSession.ValidConnectionTime",
+                      base::TimeTicks::Now() - start_time);
+}
+
+void LogFreshDnsResolveTime(base::TimeTicks start_time) {
+  UMA_HISTOGRAM_TIMES("Net.QuicSession.FreshDnsResolutionTime",
+                      base::TimeTicks::Now() - start_time);
+}
+
 void SetInitialRttEstimate(base::TimeDelta estimate,
                            enum InitialRttEstimateSource source,
                            quic::QuicConfig* config) {
@@ -180,26 +196,22 @@ void SetInitialRttEstimate(base::TimeDelta estimate,
     config->SetInitialRoundTripTimeUsToSend(estimate.InMicroseconds());
 }
 
-quic::QuicConfig InitializeQuicConfig(
-    const quic::QuicTagVector& connection_options,
-    const quic::QuicTagVector& client_connection_options,
-    base::TimeDelta idle_connection_timeout,
-    base::TimeDelta max_time_before_crypto_handshake,
-    base::TimeDelta max_idle_time_before_crypto_handshake) {
-  DCHECK_GT(idle_connection_timeout, base::TimeDelta());
+quic::QuicConfig InitializeQuicConfig(const QuicParams& params) {
+  DCHECK_GT(params.idle_connection_timeout, base::TimeDelta());
   quic::QuicConfig config;
-  config.SetIdleNetworkTimeout(quic::QuicTime::Delta::FromMicroseconds(
-                                   idle_connection_timeout.InMicroseconds()),
-                               quic::QuicTime::Delta::FromMicroseconds(
-                                   idle_connection_timeout.InMicroseconds()));
+  config.SetIdleNetworkTimeout(
+      quic::QuicTime::Delta::FromMicroseconds(
+          params.idle_connection_timeout.InMicroseconds()),
+      quic::QuicTime::Delta::FromMicroseconds(
+          params.idle_connection_timeout.InMicroseconds()));
   config.set_max_time_before_crypto_handshake(
       quic::QuicTime::Delta::FromMicroseconds(
-          max_time_before_crypto_handshake.InMicroseconds()));
+          params.max_time_before_crypto_handshake.InMicroseconds()));
   config.set_max_idle_time_before_crypto_handshake(
       quic::QuicTime::Delta::FromMicroseconds(
-          max_idle_time_before_crypto_handshake.InMicroseconds()));
-  config.SetConnectionOptionsToSend(connection_options);
-  config.SetClientConnectionOptions(client_connection_options);
+          params.max_idle_time_before_crypto_handshake.InMicroseconds()));
+  config.SetConnectionOptionsToSend(params.connection_options);
+  config.SetClientConnectionOptions(params.client_connection_options);
   return config;
 }
 
@@ -237,22 +249,6 @@ std::set<std::string> HostsFromOrigins(std::set<HostPortPair> origins) {
 
 }  // namespace
 
-QuicParams::QuicParams()
-    : max_packet_length(quic::kDefaultMaxPacketSize),
-      reduced_ping_timeout(
-          base::TimeDelta::FromSeconds(quic::kPingTimeoutSecs)),
-      max_time_before_crypto_handshake(
-          base::TimeDelta::FromSeconds(quic::kMaxTimeForCryptoHandshakeSecs)),
-      max_idle_time_before_crypto_handshake(
-          base::TimeDelta::FromSeconds(quic::kInitialIdleTimeoutSecs)) {
-  supported_versions.push_back(quic::ParsedQuicVersion(
-      quic::PROTOCOL_QUIC_CRYPTO, quic::QUIC_VERSION_46));
-}
-
-QuicParams::QuicParams(const QuicParams& other) = default;
-
-QuicParams::~QuicParams() = default;
-
 // Responsible for verifying the certificates saved in
 // quic::QuicCryptoClientConfig, and for notifying any associated requests when
 // complete. Results from cert verification are ignored.
@@ -600,6 +596,7 @@ class QuicStreamFactory::Job {
   std::unique_ptr<HostResolver::ResolveHostRequest> fresh_resolve_host_request_;
   base::TimeTicks dns_resolution_start_time_;
   base::TimeTicks dns_resolution_end_time_;
+  base::TimeTicks quic_connection_start_time_;
   std::set<QuicStreamRequest*> stream_requests_;
   base::WeakPtrFactory<Job> weak_factory_{this};
 
@@ -716,6 +713,8 @@ void QuicStreamFactory::Job::OnSessionClosed(
 void QuicStreamFactory::Job::OnResolveHostComplete(int rv) {
   DCHECK(!host_resolution_finished_);
 
+  LogFreshDnsResolveTime(dns_resolution_start_time_);
+
   if (fresh_resolve_host_request_) {
     DCHECK(race_stale_dns_on_connection_);
     dns_resolution_end_time_ = base::TimeTicks::Now();
@@ -775,8 +774,10 @@ void QuicStreamFactory::Job::OnResolveHostComplete(int rv) {
 void QuicStreamFactory::Job::OnConnectComplete(int rv) {
   // This early return will be triggered when CloseSessionOnError is called
   // before crypto handshake has completed.
-  if (!session_)
+  if (!session_) {
+    LogStaleConnectionTime(quic_connection_start_time_);
     return;
+  }
 
   rv = DoLoop(rv);
   if (rv != ERR_IO_PENDING && !callback_.is_null())
@@ -788,7 +789,7 @@ void QuicStreamFactory::Job::PopulateNetErrorDetails(
   if (!session_)
     return;
   details->connection_info = QuicHttpStream::ConnectionInfoFromQuicVersion(
-      session_->connection()->transport_version());
+      session_->connection()->version());
   details->quic_connection_error = session_->error();
 }
 
@@ -810,8 +811,9 @@ int QuicStreamFactory::Job::DoResolveHost() {
   }
   if (key_.session_key().disable_secure_dns())
     parameters.secure_dns_mode_override = DnsConfig::SecureDnsMode::OFF;
-  resolve_host_request_ =
-      host_resolver_->CreateRequest(key_.destination(), net_log_, parameters);
+  resolve_host_request_ = host_resolver_->CreateRequest(
+      key_.destination(), key_.session_key().network_isolation_key(), net_log_,
+      parameters);
   // Unretained is safe because |this| owns the request, ensuring cancellation
   // on destruction.
   // When race_stale_dns_on_connection_ is on, this request will query for stale
@@ -821,6 +823,10 @@ int QuicStreamFactory::Job::DoResolveHost() {
 
   if (rv == ERR_IO_PENDING || !resolve_host_request_->GetStaleInfo() ||
       !resolve_host_request_->GetStaleInfo().value().is_stale()) {
+    // Returns non-stale result synchronously.
+    if (rv != ERR_IO_PENDING) {
+      LogFreshDnsResolveTime(dns_resolution_start_time_);
+    }
     // Not a stale result.
     if (race_stale_dns_on_connection_)
       LogStaleHostRacing(false);
@@ -832,8 +838,9 @@ int QuicStreamFactory::Job::DoResolveHost() {
 
   parameters.cache_usage =
       HostResolver::ResolveHostParameters::CacheUsage::DISALLOWED;
-  fresh_resolve_host_request_ =
-      host_resolver_->CreateRequest(key_.destination(), net_log_, parameters);
+  fresh_resolve_host_request_ = host_resolver_->CreateRequest(
+      key_.destination(), key_.session_key().network_isolation_key(), net_log_,
+      parameters);
   // Unretained is safe because |this| owns the request, ensuring cancellation
   // on destruction.
   // This request will only query fresh host resolution.
@@ -841,6 +848,7 @@ int QuicStreamFactory::Job::DoResolveHost() {
       &QuicStreamFactory::Job::OnResolveHostComplete, base::Unretained(this)));
   if (fresh_rv != ERR_IO_PENDING) {
     // Fresh request returned immediate results.
+    LogFreshDnsResolveTime(dns_resolution_start_time_);
     LogStaleHostRacing(false);
     resolve_host_request_ = std::move(fresh_resolve_host_request_);
     return fresh_rv;
@@ -884,6 +892,7 @@ int QuicStreamFactory::Job::DoResolveHostComplete(int rv) {
 }
 
 int QuicStreamFactory::Job::DoConnect() {
+  quic_connection_start_time_ = base::TimeTicks::Now();
   DCHECK(dns_resolution_end_time_ != base::TimeTicks());
   io_state_ = STATE_CONNECT_COMPLETE;
   bool require_confirmation = was_alternative_service_recently_broken_;
@@ -925,6 +934,7 @@ int QuicStreamFactory::Job::DoConnect() {
 
 int QuicStreamFactory::Job::DoConnectComplete(int rv) {
   if (!fresh_resolve_host_request_) {
+    LogValidConnectionTime(quic_connection_start_time_);
     io_state_ = STATE_CONFIRM_CONNECTION;
     return rv;
   }
@@ -937,6 +947,7 @@ int QuicStreamFactory::Job::DoConnectComplete(int rv) {
   // Connection from stale host resolution failed, has been closed and will
   // be deleted soon. Update Job status accordingly to wait for fresh host
   // resolution.
+  LogStaleConnectionTime(quic_connection_start_time_);
   resolve_host_request_ = std::move(fresh_resolve_host_request_);
   session_ = nullptr;
   io_state_ = STATE_RESOLVE_HOST_COMPLETE;
@@ -947,6 +958,7 @@ int QuicStreamFactory::Job::DoConnectComplete(int rv) {
 // have finished successfully.
 int QuicStreamFactory::Job::DoValidateHost() {
   if (DoesPeerAddressMatchWithFreshAddressList()) {
+    LogValidConnectionTime(quic_connection_start_time_);
     LogRacingStatus(ConnectionStateAfterDNS::kCryptoFinishedDnsMatch);
     LogStaleAndFreshHostMatched(true);
     fresh_resolve_host_request_ = nullptr;
@@ -955,6 +967,7 @@ int QuicStreamFactory::Job::DoValidateHost() {
     return OK;
   }
 
+  LogStaleConnectionTime(quic_connection_start_time_);
   LogRacingStatus(ConnectionStateAfterDNS::kCryptoFinishedDnsNoMatch);
   LogStaleAndFreshHostMatched(false);
   resolve_host_request_ = std::move(fresh_resolve_host_request_);
@@ -1190,9 +1203,7 @@ QuicStreamFactory::QuicStreamFactory(
     CTVerifier* cert_transparency_verifier,
     SocketPerformanceWatcherFactory* socket_performance_watcher_factory,
     QuicCryptoClientStreamFactory* quic_crypto_client_stream_factory,
-    quic::QuicRandom* random_generator,
-    quic::QuicClock* clock,
-    const QuicParams& params)
+    QuicContext* quic_context)
     : is_quic_known_to_work_on_current_network_(false),
       net_log_(net_log),
       host_resolver_(host_resolver),
@@ -1204,23 +1215,21 @@ QuicStreamFactory::QuicStreamFactory(
       transport_security_state_(transport_security_state),
       cert_transparency_verifier_(cert_transparency_verifier),
       quic_crypto_client_stream_factory_(quic_crypto_client_stream_factory),
-      random_generator_(random_generator),
-      clock_(clock),
-      params_(params),
+      random_generator_(quic_context->random_generator()),
+      clock_(quic_context->clock()),
+      // TODO(vasilvv): figure out how to avoid having multiple copies of
+      // QuicParams.
+      params_(*quic_context->params()),
       clock_skew_detector_(base::TimeTicks::Now(), base::Time::Now()),
       socket_performance_watcher_factory_(socket_performance_watcher_factory),
       recent_crypto_config_map_(kMaxRecentCryptoConfigs),
-      config_(
-          InitializeQuicConfig(params.connection_options,
-                               params.client_connection_options,
-                               params.idle_connection_timeout,
-                               params.max_time_before_crypto_handshake,
-                               params.max_idle_time_before_crypto_handshake)),
+      config_(InitializeQuicConfig(*quic_context->params())),
       ping_timeout_(quic::QuicTime::Delta::FromSeconds(quic::kPingTimeoutSecs)),
       reduced_ping_timeout_(quic::QuicTime::Delta::FromMicroseconds(
-          params.reduced_ping_timeout.InMicroseconds())),
+          quic_context->params()->reduced_ping_timeout.InMicroseconds())),
       retransmittable_on_wire_timeout_(quic::QuicTime::Delta::FromMicroseconds(
-          params.retransmittable_on_wire_timeout.InMicroseconds())),
+          quic_context->params()
+              ->retransmittable_on_wire_timeout.InMicroseconds())),
       yield_after_packets_(kQuicYieldAfterPacketsRead),
       yield_after_duration_(quic::QuicTime::Delta::FromMilliseconds(
           kQuicYieldAfterDurationMilliseconds)),
@@ -1985,11 +1994,6 @@ int QuicStreamFactory::CreateSession(
     *session = nullptr;
     return ERR_CONNECTION_CLOSED;
   }
-  if (connection->version().KnowsWhichDecrypterToUse()) {
-    connection->InstallDecrypter(
-        quic::ENCRYPTION_FORWARD_SECURE,
-        std::make_unique<quic::NullDecrypter>(quic::Perspective::IS_CLIENT));
-  }
   return OK;
 }
 
diff --git a/chromium/net/quic/quic_stream_factory.h b/chromium/net/quic/quic_stream_factory.h
index 12d4c688163..8a388cd73c7 100644
--- a/chromium/net/quic/quic_stream_factory.h
+++ b/chromium/net/quic/quic_stream_factory.h
@@ -35,6 +35,7 @@
 #include "net/quic/network_connection.h"
 #include "net/quic/quic_chromium_client_session.h"
 #include "net/quic/quic_clock_skew_detector.h"
+#include "net/quic/quic_context.h"
 #include "net/quic/quic_crypto_client_config_handle.h"
 #include "net/quic/quic_session_key.h"
 #include "net/socket/client_socket_pool.h"
@@ -73,6 +74,7 @@ class QuicChromiumConnectionHelper;
 class QuicCryptoClientStreamFactory;
 class QuicServerInfo;
 class QuicStreamFactory;
+class QuicContext;
 class SocketPerformanceWatcherFactory;
 class SocketTag;
 class TransportSecurityState;
@@ -81,34 +83,6 @@ namespace test {
 class QuicStreamFactoryPeer;
 }  // namespace test
 
-// When a connection is idle for 30 seconds it will be closed.
-constexpr base::TimeDelta kIdleConnectionTimeout =
-    base::TimeDelta::FromSeconds(30);
-
-// Sessions can migrate if they have been idle for less than this period.
-constexpr base::TimeDelta kDefaultIdleSessionMigrationPeriod =
-    base::TimeDelta::FromSeconds(30);
-
-// The default maximum time allowed to have no retransmittable packets on the
-// wire (after sending the first retransmittable packet) if
-// |migrate_session_early_v2_| is true. PING frames will be sent as needed to
-// enforce this.
-constexpr base::TimeDelta kDefaultRetransmittableOnWireTimeout =
-    base::TimeDelta::FromMilliseconds(200);
-
-// The default maximum time QUIC session could be on non-default network before
-// migrate back to default network.
-constexpr base::TimeDelta kMaxTimeOnNonDefaultNetwork =
-    base::TimeDelta::FromSeconds(128);
-
-// The default maximum number of migrations to non default network on write
-// error per network.
-const int64_t kMaxMigrationsToNonDefaultNetworkOnWriteError = 5;
-
-// The default maximum number of migrations to non default network on path
-// degrading per network.
-const int64_t kMaxMigrationsToNonDefaultNetworkOnPathDegrading = 5;
-
 // Maximum number of not currently in use QuicCryptoClientConfig that can be
 // stored in |recent_crypto_config_map_|.
 //
@@ -118,115 +92,6 @@ const int64_t kMaxMigrationsToNonDefaultNetworkOnPathDegrading = 5;
 // will also influence the ideal value.
 const int kMaxRecentCryptoConfigs = 100;
 
-// Structure containing simple configuration options and experiments for QUIC.
-struct NET_EXPORT QuicParams {
-  QuicParams();
-  QuicParams(const QuicParams& other);
-  ~QuicParams();
-
-  // QUIC runtime configuration options.
-
-  // Versions of QUIC which may be used.
-  quic::ParsedQuicVersionVector supported_versions;
-  // User agent description to send in the QUIC handshake.
-  std::string user_agent_id;
-  // Limit on the size of QUIC packets.
-  size_t max_packet_length;
-  // Maximum number of server configs that are to be stored in
-  // HttpServerProperties, instead of the disk cache.
-  size_t max_server_configs_stored_in_properties = 0u;
-  // QUIC will be used for all connections in this set.
-  std::set<HostPortPair> origins_to_force_quic_on;
-  // Set of QUIC tags to send in the handshake's connection options.
-  quic::QuicTagVector connection_options;
-  // Set of QUIC tags to send in the handshake's connection options that only
-  // affect the client.
-  quic::QuicTagVector client_connection_options;
-  // Enables experimental optimization for receiving data in UDPSocket.
-  bool enable_socket_recv_optimization = false;
-  // Initial value of QuicSpdyClientSessionBase::max_allowed_push_id_.
-  quic::QuicStreamId max_allowed_push_id = 0;
-
-  // Active QUIC experiments
-
-  // Retry requests which fail with QUIC_PROTOCOL_ERROR, and mark QUIC
-  // broken if the retry succeeds.
-  bool retry_without_alt_svc_on_quic_errors = true;
-  // If true, all QUIC sessions are closed when any local IP address changes.
-  bool close_sessions_on_ip_change = false;
-  // If true, all QUIC sessions are marked as goaway when any local IP address
-  // changes.
-  bool goaway_sessions_on_ip_change = false;
-  // Specifies QUIC idle connection state lifetime.
-  base::TimeDelta idle_connection_timeout = kIdleConnectionTimeout;
-  // Specifies the reduced ping timeout subsequent connections should use when
-  // a connection was timed out with open streams.
-  base::TimeDelta reduced_ping_timeout;
-  // Maximum time that a session can have no retransmittable packets on the
-  // wire. Set to zero if not specified and no retransmittable PING will be
-  // sent to peer when the wire has no retransmittable packets.
-  base::TimeDelta retransmittable_on_wire_timeout;
-  // Maximum time the session can be alive before crypto handshake is
-  // finished.
-  base::TimeDelta max_time_before_crypto_handshake;
-  // Maximum idle time before the crypto handshake has completed.
-  base::TimeDelta max_idle_time_before_crypto_handshake;
-  // If true, connection migration v2 will be used to migrate existing
-  // sessions to network when the platform indicates that the default network
-  // is changing.
-  bool migrate_sessions_on_network_change_v2 = false;
-  // If true, connection migration v2 may be used to migrate active QUIC
-  // sessions to alternative network if current network connectivity is poor.
-  bool migrate_sessions_early_v2 = false;
-  // If true, a new connection may be kicked off on an alternate network when
-  // a connection fails on the default network before handshake is confirmed.
-  bool retry_on_alternate_network_before_handshake = false;
-  // If true, an idle session will be migrated within the idle migration
-  // period.
-  bool migrate_idle_sessions = false;
-  // If true, sessions with open streams will attempt to migrate to a different
-  // port when the current path is poor.
-  bool allow_port_migration = false;
-  // A session can be migrated if its idle time is within this period.
-  base::TimeDelta idle_session_migration_period =
-      kDefaultIdleSessionMigrationPeriod;
-  // Maximum time the session could be on the non-default network before
-  // migrates back to default network. Defaults to
-  // kMaxTimeOnNonDefaultNetwork.
-  base::TimeDelta max_time_on_non_default_network = kMaxTimeOnNonDefaultNetwork;
-  // Maximum number of migrations to the non-default network on write error
-  // per network for each session.
-  int max_migrations_to_non_default_network_on_write_error =
-      kMaxMigrationsToNonDefaultNetworkOnWriteError;
-  // Maximum number of migrations to the non-default network on path
-  // degrading per network for each session.
-  int max_migrations_to_non_default_network_on_path_degrading =
-      kMaxMigrationsToNonDefaultNetworkOnPathDegrading;
-  // If true, allows migration of QUIC connections to a server-specified
-  // alternate server address.
-  bool allow_server_migration = false;
-  // If true, allows QUIC to use alternative services with a different
-  // hostname from the origin.
-  bool allow_remote_alt_svc = true;
-  // If true, the quic stream factory may race connection from stale dns
-  // result with the original dns resolution
-  bool race_stale_dns_on_connection = false;
-  // If true, the quic session may mark itself as GOAWAY on path degrading.
-  bool go_away_on_path_degrading = false;
-  // If true, bidirectional streams over QUIC will be disabled.
-  bool disable_bidirectional_streams = false;
-  // If true, race cert verification with host resolution.
-  bool race_cert_verification = false;
-  // If true, estimate the initial RTT for QUIC connections based on network.
-  bool estimate_initial_rtt = false;
-  // If true, client headers will include HTTP/2 stream dependency info
-  // derived from the request priority.
-  bool headers_include_h2_stream_dependency = false;
-  // The initial rtt that will be used in crypto handshake if no cached
-  // smoothed rtt is present.
-  base::TimeDelta initial_rtt_for_handshake;
-};
-
 enum QuicPlatformNotification {
   NETWORK_CONNECTED,
   NETWORK_MADE_DEFAULT,
@@ -374,9 +239,7 @@ class NET_EXPORT_PRIVATE QuicStreamFactory
       CTVerifier* cert_transparency_verifier,
       SocketPerformanceWatcherFactory* socket_performance_watcher_factory,
       QuicCryptoClientStreamFactory* quic_crypto_client_stream_factory,
-      quic::QuicRandom* random_generator,
-      quic::QuicClock* clock,
-      const QuicParams& params);
+      QuicContext* context);
   ~QuicStreamFactory() override;
 
   // Returns true if there is an existing session for |session_key| or if the
@@ -643,7 +506,7 @@ class NET_EXPORT_PRIVATE QuicStreamFactory
   CTVerifier* const cert_transparency_verifier_;
   QuicCryptoClientStreamFactory* quic_crypto_client_stream_factory_;
   quic::QuicRandom* random_generator_;  // Unowned.
-  quic::QuicClock* clock_;              // Unowned.
+  const quic::QuicClock* clock_;        // Unowned.
   QuicParams params_;
   QuicClockSkewDetector clock_skew_detector_;
 
diff --git a/chromium/net/quic/quic_stream_factory_fuzzer.cc b/chromium/net/quic/quic_stream_factory_fuzzer.cc
index 36829e9cd52..70edf65c8db 100644
--- a/chromium/net/quic/quic_stream_factory_fuzzer.cc
+++ b/chromium/net/quic/quic_stream_factory_fuzzer.cc
@@ -18,6 +18,7 @@
 #include "net/http/http_server_properties.h"
 #include "net/http/transport_security_state.h"
 #include "net/quic/mock_crypto_client_stream_factory.h"
+#include "net/quic/mock_quic_context.h"
 #include "net/quic/quic_http_stream.h"
 #include "net/quic/test_task_runner.h"
 #include "net/socket/fuzzed_datagram_client_socket.h"
@@ -25,8 +26,6 @@
 #include "net/socket/socket_tag.h"
 #include "net/ssl/ssl_config_service_defaults.h"
 #include "net/test/gtest_util.h"
-#include "net/third_party/quiche/src/quic/test_tools/mock_clock.h"
-#include "net/third_party/quiche/src/quic/test_tools/mock_random.h"
 #include "net/traffic_annotation/network_traffic_annotation_test_helper.h"
 
 namespace net {
@@ -53,8 +52,8 @@ const int kCertVerifyFlags = 0;
 
 // Static initialization for persistent factory data
 struct Env {
-  Env() : host_port_pair(kServerHostName, kServerPort), random_generator(0) {
-    clock.AdvanceTime(quic::QuicTime::Delta::FromSeconds(1));
+  Env() : host_port_pair(kServerHostName, kServerPort) {
+    quic_context.AdvanceTime(quic::QuicTime::Delta::FromSeconds(1));
     ssl_config_service = std::make_unique<SSLConfigServiceDefaults>();
     crypto_client_stream_factory.set_use_mock_crypter(true);
     cert_verifier = std::make_unique<MockCertVerifier>();
@@ -65,12 +64,10 @@ struct Env {
     verify_details.cert_verify_result.is_issued_by_known_root = true;
   }
 
-  quic::MockClock clock;
   std::unique_ptr<SSLConfigService> ssl_config_service;
   ProofVerifyDetailsChromium verify_details;
   MockCryptoClientStreamFactory crypto_client_stream_factory;
   HostPortPair host_port_pair;
-  quic::test::MockRandom random_generator;
   NetLogWithSource net_log;
   std::unique_ptr<CertVerifier> cert_verifier;
   TransportSecurityState transport_security_state;
@@ -78,6 +75,7 @@ struct Env {
   quic::QuicTagVector client_connection_options;
   std::unique_ptr<CTVerifier> cert_transparency_verifier;
   DefaultCTPolicyEnforcer ct_policy_enforcer;
+  MockQuicContext quic_context;
 };
 
 static struct Env* env = new Env();
@@ -94,7 +92,7 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
   // Initialize this on each loop since some options mutate this.
   HttpServerProperties http_server_properties;
 
-  QuicParams params;
+  QuicParams& params = *env->quic_context.params();
   params.max_server_configs_stored_in_properties =
       data_provider.ConsumeBool() ? 1 : 0;
   params.close_sessions_on_ip_change = data_provider.ConsumeBool();
@@ -139,10 +137,10 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
           &http_server_properties, env->cert_verifier.get(),
           &env->ct_policy_enforcer, &env->transport_security_state,
           env->cert_transparency_verifier.get(), nullptr,
-          &env->crypto_client_stream_factory, &env->random_generator,
-          &env->clock, params);
+          &env->crypto_client_stream_factory, &env->quic_context);
 
   SetQuicReloadableFlag(quic_supports_tls_handshake, true);
+  SetQuicRestartFlag(quic_coalesce_stream_frames_2, true);
   QuicStreamRequest request(factory.get());
   TestCompletionCallback callback;
   NetErrorDetails net_error_details;
diff --git a/chromium/net/quic/quic_stream_factory_test.cc b/chromium/net/quic/quic_stream_factory_test.cc
index 3aa01beef17..769d384959f 100644
--- a/chromium/net/quic/quic_stream_factory_test.cc
+++ b/chromium/net/quic/quic_stream_factory_test.cc
@@ -26,7 +26,9 @@
 #include "net/cert/ct_policy_enforcer.h"
 #include "net/cert/do_nothing_ct_verifier.h"
 #include "net/cert/mock_cert_verifier.h"
+#include "net/dns/host_resolver_source.h"
 #include "net/dns/mock_host_resolver.h"
+#include "net/dns/public/dns_query_type.h"
 #include "net/http/http_response_headers.h"
 #include "net/http/http_response_info.h"
 #include "net/http/http_server_properties.h"
@@ -36,6 +38,7 @@
 #include "net/quic/address_utils.h"
 #include "net/quic/crypto/proof_verifier_chromium.h"
 #include "net/quic/mock_crypto_client_stream_factory.h"
+#include "net/quic/mock_quic_context.h"
 #include "net/quic/mock_quic_data.h"
 #include "net/quic/properties_based_quic_server_info.h"
 #include "net/quic/quic_chromium_alarm_factory.h"
@@ -124,11 +127,8 @@ std::vector<TestParams> GetTestParams() {
   quic::ParsedQuicVersionVector all_supported_versions =
       quic::AllSupportedVersions();
   for (const auto& version : all_supported_versions) {
-    // TODO(rch): crbug.com/978745 - Make this work with TLS
-    if (version.handshake_protocol != quic::PROTOCOL_TLS1_3) {
       params.push_back(TestParams{version, false});
       params.push_back(TestParams{version, true});
-    }
   }
   return params;
 }
@@ -166,15 +166,12 @@ std::vector<PoolingTestParams> GetPoolingTestParams() {
   quic::ParsedQuicVersionVector all_supported_versions =
       quic::AllSupportedVersions();
   for (const quic::ParsedQuicVersion version : all_supported_versions) {
-    // TODO(rch): crbug.com/978745 - Make this work with TLS
-    if (version.handshake_protocol != quic::PROTOCOL_TLS1_3) {
-      params.push_back(PoolingTestParams{version, SAME_AS_FIRST, false});
-      params.push_back(PoolingTestParams{version, SAME_AS_FIRST, true});
-      params.push_back(PoolingTestParams{version, SAME_AS_SECOND, false});
-      params.push_back(PoolingTestParams{version, SAME_AS_SECOND, true});
-      params.push_back(PoolingTestParams{version, DIFFERENT, false});
-      params.push_back(PoolingTestParams{version, DIFFERENT, true});
-    }
+    params.push_back(PoolingTestParams{version, SAME_AS_FIRST, false});
+    params.push_back(PoolingTestParams{version, SAME_AS_FIRST, true});
+    params.push_back(PoolingTestParams{version, SAME_AS_SECOND, false});
+    params.push_back(PoolingTestParams{version, SAME_AS_SECOND, true});
+    params.push_back(PoolingTestParams{version, DIFFERENT, false});
+    params.push_back(PoolingTestParams{version, DIFFERENT, true});
   }
   return params;
 }
@@ -219,23 +216,22 @@ class QuicStreamFactoryTestBase : public WithTaskEnvironment {
       : host_resolver_(new MockHostResolver),
         ssl_config_service_(new SSLConfigServiceDefaults),
         socket_factory_(new MockClientSocketFactory),
-        random_generator_(0),
-        runner_(new TestTaskRunner(&clock_)),
+        runner_(new TestTaskRunner(context_.mock_clock())),
         version_(version),
-        client_maker_(
-            version_,
-            quic::QuicUtils::CreateRandomConnectionId(&random_generator_),
-            &clock_,
-            kDefaultServerHostName,
-            quic::Perspective::IS_CLIENT,
-            client_headers_include_h2_stream_dependency),
-        server_maker_(
-            version_,
-            quic::QuicUtils::CreateRandomConnectionId(&random_generator_),
-            &clock_,
-            kDefaultServerHostName,
-            quic::Perspective::IS_SERVER,
-            false),
+        client_maker_(version_,
+                      quic::QuicUtils::CreateRandomConnectionId(
+                          context_.random_generator()),
+                      context_.clock(),
+                      kDefaultServerHostName,
+                      quic::Perspective::IS_CLIENT,
+                      client_headers_include_h2_stream_dependency),
+        server_maker_(version_,
+                      quic::QuicUtils::CreateRandomConnectionId(
+                          context_.random_generator()),
+                      context_.clock(),
+                      kDefaultServerHostName,
+                      quic::Perspective::IS_SERVER,
+                      false),
         http_server_properties_(std::make_unique<HttpServerProperties>()),
         cert_verifier_(std::make_unique<MockCertVerifier>()),
         cert_transparency_verifier_(std::make_unique<DoNothingCTVerifier>()),
@@ -250,10 +246,11 @@ class QuicStreamFactoryTestBase : public WithTaskEnvironment {
         failed_on_default_network_callback_(base::BindRepeating(
             &QuicStreamFactoryTestBase::OnFailedOnDefaultNetwork,
             base::Unretained(this))),
-        failed_on_default_network_(false) {
-    test_params_.quic_params.headers_include_h2_stream_dependency =
+        failed_on_default_network_(false),
+        quic_params_(context_.params()) {
+    quic_params_->headers_include_h2_stream_dependency =
         client_headers_include_h2_stream_dependency;
-    clock_.AdvanceTime(quic::QuicTime::Delta::FromSeconds(1));
+    context_.AdvanceTime(quic::QuicTime::Delta::FromSeconds(1));
   }
 
   void Initialize() {
@@ -264,8 +261,7 @@ class QuicStreamFactoryTestBase : public WithTaskEnvironment {
         cert_verifier_.get(), &ct_policy_enforcer_, &transport_security_state_,
         cert_transparency_verifier_.get(),
         /*SocketPerformanceWatcherFactory*/ nullptr,
-        &crypto_client_stream_factory_, &random_generator_, &clock_,
-        test_params_.quic_params);
+        &crypto_client_stream_factory_, &context_);
   }
 
   void InitializeConnectionMigrationV2Test(
@@ -276,9 +272,9 @@ class QuicStreamFactoryTestBase : public WithTaskEnvironment {
         scoped_mock_network_change_notifier_->mock_network_change_notifier();
     mock_ncn->ForceNetworkHandlesSupported();
     mock_ncn->SetConnectedNetworksList(connected_networks);
-    test_params_.quic_params.migrate_sessions_on_network_change_v2 = true;
-    test_params_.quic_params.migrate_sessions_early_v2 = true;
-    test_params_.quic_params.allow_port_migration = false;
+    quic_params_->migrate_sessions_on_network_change_v2 = true;
+    quic_params_->migrate_sessions_early_v2 = true;
+    quic_params_->allow_port_migration = false;
     socket_factory_.reset(new TestMigrationSocketFactory);
     Initialize();
   }
@@ -481,7 +477,7 @@ class QuicStreamFactoryTestBase : public WithTaskEnvironment {
   // Helper method for server migration tests.
   void VerifyServerMigration(const quic::QuicConfig& config,
                              IPEndPoint expected_address) {
-    test_params_.quic_params.allow_server_migration = true;
+    quic_params_->allow_server_migration = true;
     Initialize();
 
     ProofVerifyDetailsChromium verify_details = DefaultProofVerifyDetails();
@@ -583,9 +579,8 @@ class QuicStreamFactoryTestBase : public WithTaskEnvironment {
                                            PRIVACY_MODE_DISABLED);
     }
 
-    test_params_.quic_params.max_server_configs_stored_in_properties = 1;
-    test_params_.quic_params.idle_connection_timeout =
-        base::TimeDelta::FromSeconds(500);
+    quic_params_->max_server_configs_stored_in_properties = 1;
+    quic_params_->idle_connection_timeout = base::TimeDelta::FromSeconds(500);
     Initialize();
     factory_->set_is_quic_known_to_work_on_current_network(true);
     ProofVerifyDetailsChromium verify_details = DefaultProofVerifyDetails();
@@ -816,9 +811,9 @@ class QuicStreamFactoryTestBase : public WithTaskEnvironment {
     if (version_.transport_version != quic::QUIC_VERSION_99) {
       return "";
     }
-    quic::HttpEncoder encoder;
     std::unique_ptr<char[]> buffer;
-    auto header_length = encoder.SerializeDataFrameHeader(body_len, &buffer);
+    auto header_length =
+        quic::HttpEncoder::SerializeDataFrameHeader(body_len, &buffer);
     return std::string(buffer.get(), header_length);
   }
 
@@ -882,8 +877,7 @@ class QuicStreamFactoryTestBase : public WithTaskEnvironment {
   std::unique_ptr<SSLConfigService> ssl_config_service_;
   std::unique_ptr<MockClientSocketFactory> socket_factory_;
   MockCryptoClientStreamFactory crypto_client_stream_factory_;
-  quic::test::MockRandom random_generator_;
-  quic::MockClock clock_;
+  MockQuicContext context_;
   scoped_refptr<TestTaskRunner> runner_;
   const quic::ParsedQuicVersion version_;
   QuicTestPacketMaker client_maker_;
@@ -909,8 +903,7 @@ class QuicStreamFactoryTestBase : public WithTaskEnvironment {
   bool failed_on_default_network_;
   NetErrorDetails net_error_details_;
 
-  // Variables to configure QuicStreamFactory.
-  HttpNetworkSession::Params test_params_;
+  QuicParams* quic_params_;
 };
 
 class QuicStreamFactoryTest : public QuicStreamFactoryTestBase,
@@ -984,6 +977,11 @@ TEST_P(QuicStreamFactoryTest, Create) {
 }
 
 TEST_P(QuicStreamFactoryTest, CreateZeroRtt) {
+  if (version_.handshake_protocol == quic::PROTOCOL_TLS1_3 &&
+      version_.transport_version == quic::QUIC_VERSION_99) {
+    // 0-rtt is not supported in IETF QUIC yet.
+    return;
+  }
   Initialize();
   factory_->set_is_quic_known_to_work_on_current_network(true);
   ProofVerifyDetailsChromium verify_details = DefaultProofVerifyDetails();
@@ -1074,6 +1072,11 @@ TEST_P(QuicStreamFactoryTest, FactoryDestroyedWhenJobPending) {
 }
 
 TEST_P(QuicStreamFactoryTest, RequireConfirmation) {
+  if (version_.handshake_protocol == quic::PROTOCOL_TLS1_3 &&
+      version_.transport_version == quic::QUIC_VERSION_99) {
+    // 0-rtt is not supported in IETF QUIC yet.
+    return;
+  }
   crypto_client_stream_factory_.set_handshake_mode(
       MockCryptoClientStream::ZERO_RTT);
   host_resolver_->set_synchronous_mode(true);
@@ -1116,6 +1119,11 @@ TEST_P(QuicStreamFactoryTest, RequireConfirmation) {
 }
 
 TEST_P(QuicStreamFactoryTest, DontRequireConfirmationFromSameIP) {
+  if (version_.handshake_protocol == quic::PROTOCOL_TLS1_3 &&
+      version_.transport_version == quic::QUIC_VERSION_99) {
+    // 0-rtt is not supported in IETF QUIC yet.
+    return;
+  }
   crypto_client_stream_factory_.set_handshake_mode(
       MockCryptoClientStream::ZERO_RTT);
   host_resolver_->set_synchronous_mode(true);
@@ -1164,7 +1172,7 @@ TEST_P(QuicStreamFactoryTest, CachedInitialRtt) {
   stats.srtt = base::TimeDelta::FromMilliseconds(10);
   http_server_properties_->SetServerNetworkStats(url::SchemeHostPort(url_),
                                                  NetworkIsolationKey(), stats);
-  test_params_.quic_params.estimate_initial_rtt = true;
+  quic_params_->estimate_initial_rtt = true;
 
   Initialize();
   ProofVerifyDetailsChromium verify_details = DefaultProofVerifyDetails();
@@ -1220,7 +1228,7 @@ TEST_P(QuicStreamFactoryTest, CachedInitialRttWithNetworkIsolationKey) {
   stats.srtt = base::TimeDelta::FromMilliseconds(10);
   http_server_properties_->SetServerNetworkStats(url::SchemeHostPort(url_),
                                                  kNetworkIsolationKey1, stats);
-  test_params_.quic_params.estimate_initial_rtt = true;
+  quic_params_->estimate_initial_rtt = true;
   Initialize();
 
   for (const auto& network_isolation_key :
@@ -1231,9 +1239,10 @@ TEST_P(QuicStreamFactoryTest, CachedInitialRttWithNetworkIsolationKey) {
     crypto_client_stream_factory_.AddProofVerifyDetails(&verify_details);
 
     QuicTestPacketMaker packet_maker(
-        version_, quic::QuicUtils::CreateRandomConnectionId(&random_generator_),
-        &clock_, kDefaultServerHostName, quic::Perspective::IS_CLIENT,
-        test_params_.quic_params.headers_include_h2_stream_dependency);
+        version_,
+        quic::QuicUtils::CreateRandomConnectionId(context_.random_generator()),
+        context_.clock(), kDefaultServerHostName, quic::Perspective::IS_CLIENT,
+        quic_params_->headers_include_h2_stream_dependency);
 
     MockQuicData socket_data(version_);
     socket_data.AddRead(SYNCHRONOUS, ERR_IO_PENDING);
@@ -1274,7 +1283,7 @@ TEST_P(QuicStreamFactoryTest, 2gInitialRtt) {
   ScopedMockNetworkChangeNotifier notifier;
   notifier.mock_network_change_notifier()->SetConnectionType(
       NetworkChangeNotifier::CONNECTION_2G);
-  test_params_.quic_params.estimate_initial_rtt = true;
+  quic_params_->estimate_initial_rtt = true;
 
   Initialize();
   ProofVerifyDetailsChromium verify_details = DefaultProofVerifyDetails();
@@ -1309,7 +1318,7 @@ TEST_P(QuicStreamFactoryTest, 3gInitialRtt) {
   ScopedMockNetworkChangeNotifier notifier;
   notifier.mock_network_change_notifier()->SetConnectionType(
       NetworkChangeNotifier::CONNECTION_3G);
-  test_params_.quic_params.estimate_initial_rtt = true;
+  quic_params_->estimate_initial_rtt = true;
 
   Initialize();
   ProofVerifyDetailsChromium verify_details = DefaultProofVerifyDetails();
@@ -1452,9 +1461,10 @@ TEST_P(QuicStreamFactoryTest, ServerNetworkStatsWithNetworkIsolationKey) {
     crypto_client_stream_factory_.AddProofVerifyDetails(&verify_details);
 
     QuicTestPacketMaker packet_maker(
-        version_, quic::QuicUtils::CreateRandomConnectionId(&random_generator_),
-        &clock_, kDefaultServerHostName, quic::Perspective::IS_CLIENT,
-        test_params_.quic_params.headers_include_h2_stream_dependency);
+        version_,
+        quic::QuicUtils::CreateRandomConnectionId(context_.random_generator()),
+        context_.clock(), kDefaultServerHostName, quic::Perspective::IS_CLIENT,
+        quic_params_->headers_include_h2_stream_dependency);
 
     MockQuicData socket_data(version_);
     socket_data.AddRead(SYNCHRONOUS, ERR_IO_PENDING);
@@ -2327,7 +2337,7 @@ TEST_P(QuicStreamFactoryTest, WriteErrorInCryptoConnectWithSyncHostResolution) {
 }
 
 TEST_P(QuicStreamFactoryTest, CloseSessionsOnIPAddressChanged) {
-  test_params_.quic_params.close_sessions_on_ip_change = true;
+  quic_params_->close_sessions_on_ip_change = true;
   Initialize();
   ProofVerifyDetailsChromium verify_details = DefaultProofVerifyDetails();
   crypto_client_stream_factory_.AddProofVerifyDetails(&verify_details);
@@ -2420,7 +2430,7 @@ TEST_P(QuicStreamFactoryTest, CloseSessionsOnIPAddressChanged) {
 // as going away on IP address change instead of being closed. New requests will
 // go to a new connection.
 TEST_P(QuicStreamFactoryTest, GoAwaySessionsOnIPAddressChanged) {
-  test_params_.quic_params.goaway_sessions_on_ip_change = true;
+  quic_params_->goaway_sessions_on_ip_change = true;
   Initialize();
   ProofVerifyDetailsChromium verify_details = DefaultProofVerifyDetails();
   crypto_client_stream_factory_.AddProofVerifyDetails(&verify_details);
@@ -3053,7 +3063,7 @@ TEST_P(QuicStreamFactoryTest,
 
 void QuicStreamFactoryTestBase::TestOnNetworkMadeDefaultNonMigratableStream(
     bool migrate_idle_sessions) {
-  test_params_.quic_params.migrate_idle_sessions = migrate_idle_sessions;
+  quic_params_->migrate_idle_sessions = migrate_idle_sessions;
   InitializeConnectionMigrationV2Test(
       {kDefaultNetworkForTests, kNewNetworkForTests});
   ProofVerifyDetailsChromium verify_details = DefaultProofVerifyDetails();
@@ -3067,14 +3077,28 @@ void QuicStreamFactoryTestBase::TestOnNetworkMadeDefaultNonMigratableStream(
                          ConstructInitialSettingsPacket(packet_num++));
   }
   if (!migrate_idle_sessions) {
-    socket_data.AddWrite(
-        SYNCHRONOUS, client_maker_.MakeRstAckAndConnectionClosePacket(
-                         packet_num + 1, false,
-                         GetNthClientInitiatedBidirectionalStreamId(0),
-                         quic::QUIC_STREAM_CANCELLED,
-                         quic::QuicTime::Delta::FromMilliseconds(0), 1, 1, 1,
-                         quic::QUIC_CONNECTION_MIGRATION_NO_MIGRATABLE_STREAMS,
-                         "net error"));
+    if (version_.handshake_protocol == quic::PROTOCOL_TLS1_3) {
+      // TLS1.3 supports multiple packet number space, so a proactive ack is no
+      // longer sent.
+      socket_data.AddWrite(
+          SYNCHRONOUS,
+          client_maker_.MakeRstAndConnectionClosePacket(
+              packet_num + 1, false,
+              GetNthClientInitiatedBidirectionalStreamId(0),
+              quic::QUIC_STREAM_CANCELLED,
+              quic::QUIC_CONNECTION_MIGRATION_NO_MIGRATABLE_STREAMS,
+              "net error"));
+    } else {
+      socket_data.AddWrite(
+          SYNCHRONOUS,
+          client_maker_.MakeRstAckAndConnectionClosePacket(
+              packet_num + 1, false,
+              GetNthClientInitiatedBidirectionalStreamId(0),
+              quic::QUIC_STREAM_CANCELLED,
+              quic::QuicTime::Delta::FromMilliseconds(0), 1, 1, 1,
+              quic::QUIC_CONNECTION_MIGRATION_NO_MIGRATABLE_STREAMS,
+              "net error"));
+    }
   }
 
   socket_data.AddSocketDataToFactory(socket_factory_.get());
@@ -3230,7 +3254,7 @@ TEST_P(QuicStreamFactoryTest,
 
 void QuicStreamFactoryTestBase::TestOnNetworkDisconnectedNonMigratableStream(
     bool migrate_idle_sessions) {
-  test_params_.quic_params.migrate_idle_sessions = migrate_idle_sessions;
+  quic_params_->migrate_idle_sessions = migrate_idle_sessions;
   InitializeConnectionMigrationV2Test(
       {kDefaultNetworkForTests, kNewNetworkForTests});
   ProofVerifyDetailsChromium verify_details = DefaultProofVerifyDetails();
@@ -3399,7 +3423,7 @@ TEST_P(QuicStreamFactoryTest,
 
 void QuicStreamFactoryTestBase::TestOnNetworkMadeDefaultNoOpenStreams(
     bool migrate_idle_sessions) {
-  test_params_.quic_params.migrate_idle_sessions = migrate_idle_sessions;
+  quic_params_->migrate_idle_sessions = migrate_idle_sessions;
   InitializeConnectionMigrationV2Test(
       {kDefaultNetworkForTests, kNewNetworkForTests});
   ProofVerifyDetailsChromium verify_details = DefaultProofVerifyDetails();
@@ -3486,7 +3510,7 @@ TEST_P(QuicStreamFactoryTest,
 
 void QuicStreamFactoryTestBase::TestOnNetworkDisconnectedNoOpenStreams(
     bool migrate_idle_sessions) {
-  test_params_.quic_params.migrate_idle_sessions = migrate_idle_sessions;
+  quic_params_->migrate_idle_sessions = migrate_idle_sessions;
   InitializeConnectionMigrationV2Test(
       {kDefaultNetworkForTests, kNewNetworkForTests});
   ProofVerifyDetailsChromium verify_details = DefaultProofVerifyDetails();
@@ -4163,7 +4187,7 @@ void QuicStreamFactoryTestBase::TestMigrationOnPathDegrading(
 // Verifies that port migration can be attempted and succeed when path degrading
 // is detected, even if NetworkHandle is not supported.
 TEST_P(QuicStreamFactoryTest, MigratePortOnPathDegrading_WithoutNetworkHandle) {
-  test_params_.quic_params.allow_port_migration = true;
+  quic_params_->allow_port_migration = true;
   socket_factory_.reset(new TestMigrationSocketFactory);
   Initialize();
 
@@ -4179,7 +4203,7 @@ TEST_P(QuicStreamFactoryTest, MigratePortOnPathDegrading_WithNetworkHandle) {
       scoped_mock_network_change_notifier_->mock_network_change_notifier();
   mock_ncn->ForceNetworkHandlesSupported();
   mock_ncn->SetConnectedNetworksList({kDefaultNetworkForTests});
-  test_params_.quic_params.allow_port_migration = true;
+  quic_params_->allow_port_migration = true;
   socket_factory_.reset(new TestMigrationSocketFactory);
   Initialize();
 
@@ -4201,8 +4225,8 @@ TEST_P(QuicStreamFactoryTest, MigratePortOnPathDegrading_WithMigration) {
   mock_ncn->ForceNetworkHandlesSupported();
   mock_ncn->SetConnectedNetworksList({kDefaultNetworkForTests});
   // Enable migration on network change.
-  test_params_.quic_params.migrate_sessions_on_network_change_v2 = true;
-  test_params_.quic_params.allow_port_migration = true;
+  quic_params_->migrate_sessions_on_network_change_v2 = true;
+  quic_params_->allow_port_migration = true;
   socket_factory_.reset(new TestMigrationSocketFactory);
   Initialize();
 
@@ -4350,10 +4374,181 @@ void QuicStreamFactoryTestBase::TestSimplePortMigrationOnPathDegrading() {
   EXPECT_TRUE(quic_data2.AllWriteDataConsumed());
 }
 
+// Regression test for https://crbug.com/1014092.
+TEST_P(QuicStreamFactoryTest, MultiplePortMigrationsExceedsMaxLimit) {
+  quic_params_->allow_port_migration = true;
+  socket_factory_.reset(new TestMigrationSocketFactory);
+  Initialize();
+
+  ProofVerifyDetailsChromium verify_details = DefaultProofVerifyDetails();
+  crypto_client_stream_factory_.AddProofVerifyDetails(&verify_details);
+  crypto_client_stream_factory_.AddProofVerifyDetails(&verify_details);
+
+  // Using a testing task runner so that we can control time.
+  auto task_runner = base::MakeRefCounted<base::TestMockTimeTaskRunner>();
+  QuicStreamFactoryPeer::SetTaskRunner(factory_.get(), task_runner.get());
+
+  int packet_number = 1;
+  MockQuicData quic_data1(version_);
+  quic_data1.AddRead(SYNCHRONOUS, ERR_IO_PENDING);  // Hanging Read.
+  if (VersionUsesHttp3(version_.transport_version)) {
+    quic_data1.AddWrite(SYNCHRONOUS,
+                        ConstructInitialSettingsPacket(packet_number++));
+  }
+  quic_data1.AddWrite(
+      SYNCHRONOUS,
+      ConstructGetRequestPacket(packet_number++,
+                                GetNthClientInitiatedBidirectionalStreamId(0),
+                                true, true));
+  quic_data1.AddSocketDataToFactory(socket_factory_.get());
+
+  // Create request and QuicHttpStream.
+  QuicStreamRequest request(factory_.get());
+  EXPECT_EQ(
+      ERR_IO_PENDING,
+      request.Request(
+          host_port_pair_, version_, privacy_mode_, DEFAULT_PRIORITY,
+          SocketTag(), NetworkIsolationKey(), false /* disable_secure_dns */,
+          /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
+          failed_on_default_network_callback_, callback_.callback()));
+  EXPECT_THAT(callback_.WaitForResult(), IsOk());
+  std::unique_ptr<HttpStream> stream = CreateStream(&request);
+  EXPECT_TRUE(stream.get());
+
+  // Cause QUIC stream to be created.
+  HttpRequestInfo request_info;
+  request_info.method = "GET";
+  request_info.url = url_;
+  request_info.traffic_annotation =
+      MutableNetworkTrafficAnnotationTag(TRAFFIC_ANNOTATION_FOR_TESTS);
+  EXPECT_EQ(OK, stream->InitializeStream(&request_info, true, DEFAULT_PRIORITY,
+                                         net_log_, CompletionOnceCallback()));
+
+  // Ensure that session is alive and active.
+  QuicChromiumClientSession* session = GetActiveSession(host_port_pair_);
+  EXPECT_TRUE(QuicStreamFactoryPeer::IsLiveSession(factory_.get(), session));
+  EXPECT_TRUE(HasActiveSession(host_port_pair_));
+
+  // Send GET request on stream.
+  HttpResponseInfo response;
+  HttpRequestHeaders request_headers;
+  EXPECT_EQ(OK, stream->SendRequest(request_headers, &response,
+                                    callback_.callback()));
+
+  int server_packet_num = 1;
+  base::TimeDelta next_task_delay;
+  // Perform 4 round of successful migration, and the 5th round will
+  // cancel after successful probing due to hitting the limit.
+  for (int i = 0; i <= 4; i++) {
+    // Set up a different socket data provider that is used for
+    // probing and migration.
+    MockQuicData quic_data2(version_);
+    // Connectivity probe to be sent on the new path.
+    quic_data2.AddWrite(SYNCHRONOUS,
+                        client_maker_.MakeConnectivityProbingPacket(
+                            packet_number, packet_number == 2));
+    packet_number++;
+    quic_data2.AddRead(ASYNC, ERR_IO_PENDING);  // Pause
+    // Connectivity probe to receive from the server.
+    quic_data2.AddRead(ASYNC, server_maker_.MakeConnectivityProbingPacket(
+                                  server_packet_num++, false));
+    // Ping packet to send after migration is completed.
+    if (i == 0) {
+      // First ack and PING are bundled, and version flag is set.
+      quic_data2.AddWrite(SYNCHRONOUS, client_maker_.MakeAckAndPingPacket(
+                                           packet_number++, false, 1, 1, 1));
+    } else if (i != 4) {
+      // ACK and PING post migration after successful probing.
+      quic_data2.AddWrite(
+          SYNCHRONOUS, client_maker_.MakeAckPacket(packet_number++, 1 + 2 * i,
+                                                   1 + 2 * i, 1, true));
+      quic_data2.AddWrite(SYNCHRONOUS,
+                          client_maker_.MakePingPacket(packet_number++, false));
+    }
+    if (i == 4) {
+      // Add one more synchronous read on the last probing reader. The
+      // reader should be deleted on the read before this one.
+      // The test will verify this read is not consumed.
+      quic_data2.AddRead(SYNCHRONOUS,
+                         server_maker_.MakeConnectivityProbingPacket(
+                             server_packet_num++, false));
+    } else {
+      quic_data2.AddRead(ASYNC, server_maker_.MakeConnectivityProbingPacket(
+                                    server_packet_num++, false));
+    }
+    if (i == 3) {
+      // On the last allowed port migration, read one more packet so
+      // that ACK is sent. The next round of migration (which hists the limit)
+      // will not send any proactive ACK when reading the successful probing
+      // response.
+      quic_data2.AddRead(ASYNC, server_maker_.MakeConnectivityProbingPacket(
+                                    server_packet_num++, false));
+      quic_data2.AddWrite(SYNCHRONOUS, client_maker_.MakeAckPacket(
+                                           packet_number++, 9, 9, 1, true));
+    }
+    quic_data2.AddRead(SYNCHRONOUS, ERR_IO_PENDING);  // EOF.
+    quic_data2.AddSocketDataToFactory(socket_factory_.get());
+
+    // Cause the connection to report path degrading to the session.
+    // Session will start to probe a different port.
+    session->connection()->OnPathDegradingTimeout();
+
+    // Next connectivity probe is scheduled to be sent in 2 *
+    // kDefaultRTTMilliSecs.
+    EXPECT_EQ(1u, task_runner->GetPendingTaskCount());
+    next_task_delay = task_runner->NextPendingTaskDelay();
+    EXPECT_EQ(base::TimeDelta::FromMilliseconds(2 * kDefaultRTTMilliSecs),
+              next_task_delay);
+
+    // The connection should still be alive, and not marked as going away.
+    EXPECT_TRUE(QuicStreamFactoryPeer::IsLiveSession(factory_.get(), session));
+    EXPECT_TRUE(HasActiveSession(host_port_pair_));
+    EXPECT_EQ(1u, session->GetNumActiveStreams());
+
+    // Resume quic data and a connectivity probe response will be read on the
+    // new socket.
+    quic_data2.Resume();
+    base::RunLoop().RunUntilIdle();
+
+    EXPECT_TRUE(QuicStreamFactoryPeer::IsLiveSession(factory_.get(), session));
+    EXPECT_TRUE(HasActiveSession(host_port_pair_));
+    EXPECT_EQ(1u, session->GetNumActiveStreams());
+
+    if (i < 4) {
+      // There should be pending tasks, the nearest one will complete
+      // migration to the new port.
+      EXPECT_EQ(2u, task_runner->GetPendingTaskCount());
+      next_task_delay = task_runner->NextPendingTaskDelay();
+      EXPECT_EQ(base::TimeDelta(), next_task_delay);
+    } else {
+      // Last attempt to migrate will abort due to hitting the limit of max
+      // number of allowed migrations.
+      EXPECT_EQ(1u, task_runner->GetPendingTaskCount());
+      next_task_delay = task_runner->NextPendingTaskDelay();
+      EXPECT_NE(base::TimeDelta(), next_task_delay);
+    }
+    task_runner->FastForwardBy(next_task_delay);
+    EXPECT_TRUE(quic_data2.AllWriteDataConsumed());
+    // The last round of migration will abort upon reading the probing response.
+    // Future reads in the same socket is ignored.
+    EXPECT_EQ(i != 4, quic_data2.AllReadDataConsumed());
+  }
+
+  EXPECT_EQ(0u, task_runner->GetPendingTaskCount());
+
+  // Verify that the session is still alive.
+  EXPECT_TRUE(QuicStreamFactoryPeer::IsLiveSession(factory_.get(), session));
+  EXPECT_TRUE(HasActiveSession(host_port_pair_));
+
+  stream.reset();
+  EXPECT_TRUE(quic_data1.AllReadDataConsumed());
+  EXPECT_TRUE(quic_data1.AllWriteDataConsumed());
+}
+
 // This test verifies that the session marks itself GOAWAY on path degrading
 // and it does not receive any new request
 TEST_P(QuicStreamFactoryTest, GoawayOnPathDegrading) {
-  test_params_.quic_params.go_away_on_path_degrading = true;
+  quic_params_->go_away_on_path_degrading = true;
   Initialize();
   ProofVerifyDetailsChromium verify_details = DefaultProofVerifyDetails();
   crypto_client_stream_factory_.AddProofVerifyDetails(&verify_details);
@@ -5154,7 +5349,7 @@ TEST_P(QuicStreamFactoryTest,
 
 void QuicStreamFactoryTestBase::TestMigrateSessionEarlyNonMigratableStream(
     bool migrate_idle_sessions) {
-  test_params_.quic_params.migrate_idle_sessions = migrate_idle_sessions;
+  quic_params_->migrate_idle_sessions = migrate_idle_sessions;
   InitializeConnectionMigrationV2Test(
       {kDefaultNetworkForTests, kNewNetworkForTests});
   ProofVerifyDetailsChromium verify_details = DefaultProofVerifyDetails();
@@ -5168,14 +5363,28 @@ void QuicStreamFactoryTestBase::TestMigrateSessionEarlyNonMigratableStream(
                          ConstructInitialSettingsPacket(packet_num++));
   }
   if (!migrate_idle_sessions) {
-    socket_data.AddWrite(
-        SYNCHRONOUS, client_maker_.MakeRstAckAndConnectionClosePacket(
-                         packet_num + 1, false,
-                         GetNthClientInitiatedBidirectionalStreamId(0),
-                         quic::QUIC_STREAM_CANCELLED,
-                         quic::QuicTime::Delta::FromMilliseconds(0), 1, 1, 1,
-                         quic::QUIC_CONNECTION_MIGRATION_NO_MIGRATABLE_STREAMS,
-                         "net error"));
+    if (version_.handshake_protocol == quic::PROTOCOL_TLS1_3) {
+      // TLS1.3 supports multiple packet number. So a proactive ack is no longer
+      // sent.
+      socket_data.AddWrite(
+          SYNCHRONOUS,
+          client_maker_.MakeRstAndConnectionClosePacket(
+              packet_num + 1, false,
+              GetNthClientInitiatedBidirectionalStreamId(0),
+              quic::QUIC_STREAM_CANCELLED,
+              quic::QUIC_CONNECTION_MIGRATION_NO_MIGRATABLE_STREAMS,
+              "net error"));
+    } else {
+      socket_data.AddWrite(
+          SYNCHRONOUS,
+          client_maker_.MakeRstAckAndConnectionClosePacket(
+              packet_num + 1, false,
+              GetNthClientInitiatedBidirectionalStreamId(0),
+              quic::QUIC_STREAM_CANCELLED,
+              quic::QuicTime::Delta::FromMilliseconds(0), 1, 1, 1,
+              quic::QUIC_CONNECTION_MIGRATION_NO_MIGRATABLE_STREAMS,
+              "net error"));
+    }
   }
   socket_data.AddSocketDataToFactory(socket_factory_.get());
 
@@ -5786,7 +5995,7 @@ void QuicStreamFactoryTestBase::
         quic::QuicErrorCode quic_error) {
   DCHECK(quic_error == quic::QUIC_NETWORK_IDLE_TIMEOUT ||
          quic_error == quic::QUIC_HANDSHAKE_TIMEOUT);
-  test_params_.quic_params.retry_on_alternate_network_before_handshake = true;
+  quic_params_->retry_on_alternate_network_before_handshake = true;
   InitializeConnectionMigrationV2Test(
       {kDefaultNetworkForTests, kNewNetworkForTests});
 
@@ -5942,7 +6151,7 @@ void QuicStreamFactoryTestBase::
 // is triggered before handshake is confirmed and connection migration is turned
 // on.
 TEST_P(QuicStreamFactoryTest, MigrationOnWriteErrorBeforeHandshakeConfirmed) {
-  DCHECK(!test_params_.quic_params.retry_on_alternate_network_before_handshake);
+  DCHECK(!quic_params_->retry_on_alternate_network_before_handshake);
   InitializeConnectionMigrationV2Test(
       {kDefaultNetworkForTests, kNewNetworkForTests});
 
@@ -6016,7 +6225,7 @@ TEST_P(QuicStreamFactoryTest, MigrationOnWriteErrorBeforeHandshakeConfirmed) {
 // on, a new connection will be retried on the alternate network.
 TEST_P(QuicStreamFactoryTest,
        RetryConnectionOnWriteErrorBeforeHandshakeConfirmed) {
-  test_params_.quic_params.retry_on_alternate_network_before_handshake = true;
+  quic_params_->retry_on_alternate_network_before_handshake = true;
   InitializeConnectionMigrationV2Test(
       {kDefaultNetworkForTests, kNewNetworkForTests});
 
@@ -6758,7 +6967,7 @@ void QuicStreamFactoryTestBase::TestMigrationOnWriteErrorNonMigratableStream(
   DVLOG(1) << "Write error mode: "
            << ((write_error_mode == SYNCHRONOUS) ? "SYNCHRONOUS" : "ASYNC");
   DVLOG(1) << "Migrate idle sessions: " << migrate_idle_sessions;
-  test_params_.quic_params.migrate_idle_sessions = migrate_idle_sessions;
+  quic_params_->migrate_idle_sessions = migrate_idle_sessions;
   InitializeConnectionMigrationV2Test(
       {kDefaultNetworkForTests, kNewNetworkForTests});
   ProofVerifyDetailsChromium verify_details = DefaultProofVerifyDetails();
@@ -7922,8 +8131,8 @@ TEST_P(QuicStreamFactoryTest, DefaultRetransmittableOnWireTimeoutForMigration) {
   auto task_runner = base::MakeRefCounted<base::TestMockTimeTaskRunner>();
   QuicStreamFactoryPeer::SetTaskRunner(factory_.get(), task_runner.get());
   QuicStreamFactoryPeer::SetAlarmFactory(
-      factory_.get(),
-      std::make_unique<QuicChromiumAlarmFactory>(task_runner.get(), &clock_));
+      factory_.get(), std::make_unique<QuicChromiumAlarmFactory>(
+                          task_runner.get(), context_.clock()));
 
   MockQuicData socket_data(version_);
   int packet_num = 1;
@@ -8030,14 +8239,14 @@ TEST_P(QuicStreamFactoryTest, DefaultRetransmittableOnWireTimeoutForMigration) {
   base::TimeDelta delay = task_runner->NextPendingTaskDelay();
   EXPECT_GT(kDefaultRetransmittableOnWireTimeout, delay);
   // Fire the ack alarm, since ack has been sent, no ack will be sent.
-  clock_.AdvanceTime(
+  context_.AdvanceTime(
       quic::QuicTime::Delta::FromMilliseconds(delay.InMilliseconds()));
   task_runner->FastForwardBy(task_runner->NextPendingTaskDelay());
 
   // Fire the ping alarm with retransmittable-on-wire timeout, send PING.
   delay = kDefaultRetransmittableOnWireTimeout - delay;
   EXPECT_EQ(delay, task_runner->NextPendingTaskDelay());
-  clock_.AdvanceTime(
+  context_.AdvanceTime(
       quic::QuicTime::Delta::FromMilliseconds(delay.InMilliseconds()));
   task_runner->FastForwardBy(task_runner->NextPendingTaskDelay());
 
@@ -8068,8 +8277,7 @@ TEST_P(QuicStreamFactoryTest, DefaultRetransmittableOnWireTimeoutForMigration) {
 TEST_P(QuicStreamFactoryTest, CustomRetransmittableOnWireTimeoutForMigration) {
   constexpr base::TimeDelta custom_timeout_value =
       base::TimeDelta::FromMilliseconds(200);
-  test_params_.quic_params.retransmittable_on_wire_timeout =
-      custom_timeout_value;
+  quic_params_->retransmittable_on_wire_timeout = custom_timeout_value;
   InitializeConnectionMigrationV2Test(
       {kDefaultNetworkForTests, kNewNetworkForTests});
   ProofVerifyDetailsChromium verify_details = DefaultProofVerifyDetails();
@@ -8080,8 +8288,8 @@ TEST_P(QuicStreamFactoryTest, CustomRetransmittableOnWireTimeoutForMigration) {
   auto task_runner = base::MakeRefCounted<base::TestMockTimeTaskRunner>();
   QuicStreamFactoryPeer::SetTaskRunner(factory_.get(), task_runner.get());
   QuicStreamFactoryPeer::SetAlarmFactory(
-      factory_.get(),
-      std::make_unique<QuicChromiumAlarmFactory>(task_runner.get(), &clock_));
+      factory_.get(), std::make_unique<QuicChromiumAlarmFactory>(
+                          task_runner.get(), context_.clock()));
 
   MockQuicData socket_data(version_);
   int packet_num = 1;
@@ -8187,14 +8395,14 @@ TEST_P(QuicStreamFactoryTest, CustomRetransmittableOnWireTimeoutForMigration) {
   base::TimeDelta delay = task_runner->NextPendingTaskDelay();
   EXPECT_GT(custom_timeout_value, delay);
   // Fire the ack alarm, since ack has been sent, no ack will be sent.
-  clock_.AdvanceTime(
+  context_.AdvanceTime(
       quic::QuicTime::Delta::FromMilliseconds(delay.InMilliseconds()));
   task_runner->FastForwardBy(task_runner->NextPendingTaskDelay());
 
   // Fire the ping alarm with retransmittable-on-wire timeout, send PING.
   delay = custom_timeout_value - delay;
   EXPECT_EQ(delay, task_runner->NextPendingTaskDelay());
-  clock_.AdvanceTime(
+  context_.AdvanceTime(
       quic::QuicTime::Delta::FromMilliseconds(delay.InMilliseconds()));
   task_runner->FastForwardBy(task_runner->NextPendingTaskDelay());
 
@@ -8225,8 +8433,7 @@ TEST_P(QuicStreamFactoryTest, CustomRetransmittableOnWireTimeoutForMigration) {
 TEST_P(QuicStreamFactoryTest, CustomRetransmittableOnWireTimeout) {
   constexpr base::TimeDelta custom_timeout_value =
       base::TimeDelta::FromMilliseconds(200);
-  test_params_.quic_params.retransmittable_on_wire_timeout =
-      custom_timeout_value;
+  quic_params_->retransmittable_on_wire_timeout = custom_timeout_value;
   Initialize();
   ProofVerifyDetailsChromium verify_details = DefaultProofVerifyDetails();
   crypto_client_stream_factory_.AddProofVerifyDetails(&verify_details);
@@ -8236,8 +8443,8 @@ TEST_P(QuicStreamFactoryTest, CustomRetransmittableOnWireTimeout) {
   auto task_runner = base::MakeRefCounted<base::TestMockTimeTaskRunner>();
   QuicStreamFactoryPeer::SetTaskRunner(factory_.get(), task_runner.get());
   QuicStreamFactoryPeer::SetAlarmFactory(
-      factory_.get(),
-      std::make_unique<QuicChromiumAlarmFactory>(task_runner.get(), &clock_));
+      factory_.get(), std::make_unique<QuicChromiumAlarmFactory>(
+                          task_runner.get(), context_.clock()));
 
   MockQuicData socket_data1(version_);
   int packet_num = 1;
@@ -8327,14 +8534,14 @@ TEST_P(QuicStreamFactoryTest, CustomRetransmittableOnWireTimeout) {
   base::TimeDelta delay = task_runner->NextPendingTaskDelay();
   EXPECT_GT(custom_timeout_value, delay);
   // Fire the ack alarm, since ack has been sent, no ack will be sent.
-  clock_.AdvanceTime(
+  context_.AdvanceTime(
       quic::QuicTime::Delta::FromMilliseconds(delay.InMilliseconds()));
   task_runner->FastForwardBy(task_runner->NextPendingTaskDelay());
 
   // Fire the ping alarm with retransmittable-on-wire timeout, send PING.
   delay = custom_timeout_value - delay;
   EXPECT_EQ(delay, task_runner->NextPendingTaskDelay());
-  clock_.AdvanceTime(
+  context_.AdvanceTime(
       quic::QuicTime::Delta::FromMilliseconds(delay.InMilliseconds()));
   task_runner->FastForwardBy(task_runner->NextPendingTaskDelay());
 
@@ -8367,7 +8574,7 @@ TEST_P(QuicStreamFactoryTest, NoRetransmittableOnWireTimeout) {
   stats.srtt = base::TimeDelta::FromMilliseconds(200);
   http_server_properties_->SetServerNetworkStats(url::SchemeHostPort(url_),
                                                  NetworkIsolationKey(), stats);
-  test_params_.quic_params.estimate_initial_rtt = true;
+  quic_params_->estimate_initial_rtt = true;
 
   Initialize();
   ProofVerifyDetailsChromium verify_details = DefaultProofVerifyDetails();
@@ -8378,8 +8585,8 @@ TEST_P(QuicStreamFactoryTest, NoRetransmittableOnWireTimeout) {
   auto task_runner = base::MakeRefCounted<base::TestMockTimeTaskRunner>();
   QuicStreamFactoryPeer::SetTaskRunner(factory_.get(), task_runner.get());
   QuicStreamFactoryPeer::SetAlarmFactory(
-      factory_.get(),
-      std::make_unique<QuicChromiumAlarmFactory>(task_runner.get(), &clock_));
+      factory_.get(), std::make_unique<QuicChromiumAlarmFactory>(
+                          task_runner.get(), context_.clock()));
 
   MockQuicData socket_data1(version_);
   int packet_num = 1;
@@ -8465,7 +8672,7 @@ TEST_P(QuicStreamFactoryTest, NoRetransmittableOnWireTimeout) {
   base::TimeDelta delay = task_runner->NextPendingTaskDelay();
   EXPECT_GT(kDefaultRetransmittableOnWireTimeout, delay);
   // Fire the ack alarm, since ack has been sent, no ack will be sent.
-  clock_.AdvanceTime(
+  context_.AdvanceTime(
       quic::QuicTime::Delta::FromMilliseconds(delay.InMilliseconds()));
   task_runner->FastForwardBy(task_runner->NextPendingTaskDelay());
 
@@ -8473,7 +8680,7 @@ TEST_P(QuicStreamFactoryTest, NoRetransmittableOnWireTimeout) {
   base::TimeDelta wrong_delay = kDefaultRetransmittableOnWireTimeout - delay;
   delay = task_runner->NextPendingTaskDelay();
   EXPECT_NE(wrong_delay, delay);
-  clock_.AdvanceTime(
+  context_.AdvanceTime(
       quic::QuicTime::Delta::FromMilliseconds(delay.InMilliseconds()));
   task_runner->FastForwardBy(task_runner->NextPendingTaskDelay());
 
@@ -8500,9 +8707,8 @@ TEST_P(QuicStreamFactoryTest,
        CustomeRetransmittableOnWireTimeoutWithMigrationOnNetworkChangeOnly) {
   constexpr base::TimeDelta custom_timeout_value =
       base::TimeDelta::FromMilliseconds(200);
-  test_params_.quic_params.retransmittable_on_wire_timeout =
-      custom_timeout_value;
-  test_params_.quic_params.migrate_sessions_on_network_change_v2 = true;
+  quic_params_->retransmittable_on_wire_timeout = custom_timeout_value;
+  quic_params_->migrate_sessions_on_network_change_v2 = true;
   Initialize();
   ProofVerifyDetailsChromium verify_details = DefaultProofVerifyDetails();
   crypto_client_stream_factory_.AddProofVerifyDetails(&verify_details);
@@ -8512,8 +8718,8 @@ TEST_P(QuicStreamFactoryTest,
   auto task_runner = base::MakeRefCounted<base::TestMockTimeTaskRunner>();
   QuicStreamFactoryPeer::SetTaskRunner(factory_.get(), task_runner.get());
   QuicStreamFactoryPeer::SetAlarmFactory(
-      factory_.get(),
-      std::make_unique<QuicChromiumAlarmFactory>(task_runner.get(), &clock_));
+      factory_.get(), std::make_unique<QuicChromiumAlarmFactory>(
+                          task_runner.get(), context_.clock()));
 
   MockQuicData socket_data1(version_);
   int packet_num = 1;
@@ -8603,14 +8809,14 @@ TEST_P(QuicStreamFactoryTest,
   base::TimeDelta delay = task_runner->NextPendingTaskDelay();
   EXPECT_GT(custom_timeout_value, delay);
   // Fire the ack alarm, since ack has been sent, no ack will be sent.
-  clock_.AdvanceTime(
+  context_.AdvanceTime(
       quic::QuicTime::Delta::FromMilliseconds(delay.InMilliseconds()));
   task_runner->FastForwardBy(task_runner->NextPendingTaskDelay());
 
   // Fire the ping alarm with retransmittable-on-wire timeout, send PING.
   delay = custom_timeout_value - delay;
   EXPECT_EQ(delay, task_runner->NextPendingTaskDelay());
-  clock_.AdvanceTime(
+  context_.AdvanceTime(
       quic::QuicTime::Delta::FromMilliseconds(delay.InMilliseconds()));
   task_runner->FastForwardBy(task_runner->NextPendingTaskDelay());
 
@@ -8644,8 +8850,8 @@ TEST_P(QuicStreamFactoryTest,
   stats.srtt = base::TimeDelta::FromMilliseconds(200);
   http_server_properties_->SetServerNetworkStats(url::SchemeHostPort(url_),
                                                  NetworkIsolationKey(), stats);
-  test_params_.quic_params.estimate_initial_rtt = true;
-  test_params_.quic_params.migrate_sessions_on_network_change_v2 = true;
+  quic_params_->estimate_initial_rtt = true;
+  quic_params_->migrate_sessions_on_network_change_v2 = true;
   Initialize();
 
   ProofVerifyDetailsChromium verify_details = DefaultProofVerifyDetails();
@@ -8656,8 +8862,8 @@ TEST_P(QuicStreamFactoryTest,
   auto task_runner = base::MakeRefCounted<base::TestMockTimeTaskRunner>();
   QuicStreamFactoryPeer::SetTaskRunner(factory_.get(), task_runner.get());
   QuicStreamFactoryPeer::SetAlarmFactory(
-      factory_.get(),
-      std::make_unique<QuicChromiumAlarmFactory>(task_runner.get(), &clock_));
+      factory_.get(), std::make_unique<QuicChromiumAlarmFactory>(
+                          task_runner.get(), context_.clock()));
 
   MockQuicData socket_data1(version_);
   int packet_num = 1;
@@ -8743,7 +8949,7 @@ TEST_P(QuicStreamFactoryTest,
   base::TimeDelta delay = task_runner->NextPendingTaskDelay();
   EXPECT_GT(kDefaultRetransmittableOnWireTimeout, delay);
   // Fire the ack alarm, since ack has been sent, no ack will be sent.
-  clock_.AdvanceTime(
+  context_.AdvanceTime(
       quic::QuicTime::Delta::FromMilliseconds(delay.InMilliseconds()));
   task_runner->FastForwardBy(task_runner->NextPendingTaskDelay());
 
@@ -8751,7 +8957,7 @@ TEST_P(QuicStreamFactoryTest,
   base::TimeDelta wrong_delay = kDefaultRetransmittableOnWireTimeout - delay;
   delay = task_runner->NextPendingTaskDelay();
   EXPECT_NE(wrong_delay, delay);
-  clock_.AdvanceTime(
+  context_.AdvanceTime(
       quic::QuicTime::Delta::FromMilliseconds(delay.InMilliseconds()));
   task_runner->FastForwardBy(task_runner->NextPendingTaskDelay());
 
@@ -9074,7 +9280,7 @@ void QuicStreamFactoryTestBase::
 // default network or the idle migration period threshold is exceeded.
 // The default threshold is 30s.
 TEST_P(QuicStreamFactoryTest, DefaultIdleMigrationPeriod) {
-  test_params_.quic_params.migrate_idle_sessions = true;
+  quic_params_->migrate_idle_sessions = true;
   InitializeConnectionMigrationV2Test(
       {kDefaultNetworkForTests, kNewNetworkForTests});
   ProofVerifyDetailsChromium verify_details = DefaultProofVerifyDetails();
@@ -9201,8 +9407,8 @@ TEST_P(QuicStreamFactoryTest, DefaultIdleMigrationPeriod) {
 
 TEST_P(QuicStreamFactoryTest, CustomIdleMigrationPeriod) {
   // The customized threshold is 15s.
-  test_params_.quic_params.migrate_idle_sessions = true;
-  test_params_.quic_params.idle_session_migration_period =
+  quic_params_->migrate_idle_sessions = true;
+  quic_params_->idle_session_migration_period =
       base::TimeDelta::FromSeconds(15);
   InitializeConnectionMigrationV2Test(
       {kDefaultNetworkForTests, kNewNetworkForTests});
@@ -9324,7 +9530,7 @@ TEST_P(QuicStreamFactoryTest, CustomIdleMigrationPeriod) {
 }
 
 TEST_P(QuicStreamFactoryTest, ServerMigration) {
-  test_params_.quic_params.allow_server_migration = true;
+  quic_params_->allow_server_migration = true;
   Initialize();
 
   ProofVerifyDetailsChromium verify_details = DefaultProofVerifyDetails();
@@ -9468,7 +9674,7 @@ TEST_P(QuicStreamFactoryTest, ServerMigrationIPv6ToIPv4) {
 }
 
 TEST_P(QuicStreamFactoryTest, ServerMigrationIPv4ToIPv6Fails) {
-  test_params_.quic_params.allow_server_migration = true;
+  quic_params_->allow_server_migration = true;
   Initialize();
 
   // Add a resolver rule to make initial connection to an IPv4 address.
@@ -9697,6 +9903,11 @@ TEST_P(QuicStreamFactoryTest, CryptoConfigWhenProofIsInvalid) {
 }
 
 TEST_P(QuicStreamFactoryTest, EnableNotLoadFromDiskCache) {
+  if (version_.handshake_protocol == quic::PROTOCOL_TLS1_3 &&
+      version_.transport_version == quic::QUIC_VERSION_99) {
+    // 0-rtt is not supported in IETF QUIC yet.
+    return;
+  }
   Initialize();
   factory_->set_is_quic_known_to_work_on_current_network(true);
   ProofVerifyDetailsChromium verify_details = DefaultProofVerifyDetails();
@@ -9737,8 +9948,7 @@ TEST_P(QuicStreamFactoryTest, EnableNotLoadFromDiskCache) {
 }
 
 TEST_P(QuicStreamFactoryTest, ReducePingTimeoutOnConnectionTimeOutOpenStreams) {
-  test_params_.quic_params.reduced_ping_timeout =
-      base::TimeDelta::FromSeconds(10);
+  quic_params_->reduced_ping_timeout = base::TimeDelta::FromSeconds(10);
   Initialize();
   ProofVerifyDetailsChromium verify_details = DefaultProofVerifyDetails();
   crypto_client_stream_factory_.AddProofVerifyDetails(&verify_details);
@@ -9843,10 +10053,20 @@ TEST_P(QuicStreamFactoryTest, ReducePingTimeoutOnConnectionTimeOutOpenStreams) {
 
 // Verifies that the QUIC stream factory is initialized correctly.
 TEST_P(QuicStreamFactoryTest, MaybeInitialize) {
+  if (version_.handshake_protocol == quic::PROTOCOL_TLS1_3 &&
+      version_.transport_version == quic::QUIC_VERSION_99) {
+    // 0-rtt is not supported in IETF QUIC yet.
+    return;
+  }
   VerifyInitialization(false /* vary_network_isolation_key */);
 }
 
 TEST_P(QuicStreamFactoryTest, MaybeInitializeWithNetworkIsolationKey) {
+  if (version_.handshake_protocol == quic::PROTOCOL_TLS1_3 &&
+      version_.transport_version == quic::QUIC_VERSION_99) {
+    // 0-rtt is not supported in IETF QUIC yet.
+    return;
+  }
   base::test::ScopedFeatureList feature_list;
   feature_list.InitWithFeatures(
       // enabled_features
@@ -10074,6 +10294,11 @@ TEST_P(QuicStreamFactoryTest, CryptoConfigCacheMRUWithNetworkIsolationKey) {
 // around, so evictions happen immediately.
 TEST_P(QuicStreamFactoryTest,
        CryptoConfigCacheMRUWithRealRequestsAndWithNetworkIsolationKey) {
+  if (version_.handshake_protocol == quic::PROTOCOL_TLS1_3 &&
+      version_.transport_version == quic::QUIC_VERSION_99) {
+    // 0-rtt is not supported in IETF QUIC yet.
+    return;
+  }
   const int kNumSessionsToMake = kMaxRecentCryptoConfigs + 5;
 
   base::test::ScopedFeatureList feature_list;
@@ -10099,9 +10324,8 @@ TEST_P(QuicStreamFactoryTest,
   const quic::QuicServerId kQuicServerId(
       kDefaultServerHostName, kDefaultServerPort, PRIVACY_MODE_DISABLED);
 
-  test_params_.quic_params.max_server_configs_stored_in_properties = 1;
-  test_params_.quic_params.idle_connection_timeout =
-      base::TimeDelta::FromSeconds(500);
+  quic_params_->max_server_configs_stored_in_properties = 1;
+  quic_params_->idle_connection_timeout = base::TimeDelta::FromSeconds(500);
   Initialize();
   factory_->set_is_quic_known_to_work_on_current_network(true);
   crypto_client_stream_factory_.set_handshake_mode(
@@ -10288,6 +10512,11 @@ TEST_P(QuicStreamFactoryTest, StartCertVerifyJob) {
 }
 
 TEST_P(QuicStreamFactoryTest, YieldAfterPackets) {
+  if (version_.handshake_protocol == quic::PROTOCOL_TLS1_3 &&
+      version_.transport_version == quic::QUIC_VERSION_99) {
+    // 0-rtt is not supported in IETF QUIC yet.
+    return;
+  }
   Initialize();
   factory_->set_is_quic_known_to_work_on_current_network(true);
   ProofVerifyDetailsChromium verify_details = DefaultProofVerifyDetails();
@@ -10340,6 +10569,11 @@ TEST_P(QuicStreamFactoryTest, YieldAfterPackets) {
 }
 
 TEST_P(QuicStreamFactoryTest, YieldAfterDuration) {
+  if (version_.handshake_protocol == quic::PROTOCOL_TLS1_3 &&
+      version_.transport_version == quic::QUIC_VERSION_99) {
+    // 0-rtt is not supported in IETF QUIC yet.
+    return;
+  }
   Initialize();
   factory_->set_is_quic_known_to_work_on_current_network(true);
   ProofVerifyDetailsChromium verify_details = DefaultProofVerifyDetails();
@@ -11052,19 +11286,18 @@ TEST_P(QuicStreamFactoryTest, ClearCachedStatesInCryptoConfig) {
 // Passes connection options and client connection options to QuicStreamFactory,
 // then checks that its internal quic::QuicConfig is correct.
 TEST_P(QuicStreamFactoryTest, ConfigConnectionOptions) {
-  test_params_.quic_params.connection_options.push_back(quic::kTIME);
-  test_params_.quic_params.connection_options.push_back(quic::kTBBR);
-  test_params_.quic_params.connection_options.push_back(quic::kREJ);
+  quic_params_->connection_options.push_back(quic::kTIME);
+  quic_params_->connection_options.push_back(quic::kTBBR);
+  quic_params_->connection_options.push_back(quic::kREJ);
 
-  test_params_.quic_params.client_connection_options.push_back(quic::kTBBR);
-  test_params_.quic_params.client_connection_options.push_back(quic::k1RTT);
+  quic_params_->client_connection_options.push_back(quic::kTBBR);
+  quic_params_->client_connection_options.push_back(quic::k1RTT);
 
   Initialize();
 
   const quic::QuicConfig* config =
       QuicStreamFactoryPeer::GetConfig(factory_.get());
-  EXPECT_EQ(test_params_.quic_params.connection_options,
-            config->SendConnectionOptions());
+  EXPECT_EQ(quic_params_->connection_options, config->SendConnectionOptions());
   EXPECT_TRUE(config->HasClientRequestedIndependentOption(
       quic::kTBBR, quic::Perspective::IS_CLIENT));
   EXPECT_TRUE(config->HasClientRequestedIndependentOption(
@@ -11142,9 +11375,20 @@ TEST_P(QuicStreamFactoryTest, HostResolverRequestReprioritizedOnSetPriority) {
   EXPECT_EQ(DEFAULT_PRIORITY, host_resolver_->request_priority(2));
 }
 
-// Verifies that the host resolver uses the disable secure DNS setting passed to
-// QuicStreamRequest::Request().
-TEST_P(QuicStreamFactoryTest, HostResolverUsesDisableSecureDns) {
+// Verifies that the host resolver uses the disable secure DNS setting and
+// NetworkIsolationKey passed to QuicStreamRequest::Request().
+TEST_P(QuicStreamFactoryTest, HostResolverUsesParams) {
+  const url::Origin kOrigin1 = url::Origin::Create(GURL("https://foo.test/"));
+  const url::Origin kOrigin2 = url::Origin::Create(GURL("https://bar.test/"));
+  const NetworkIsolationKey kNetworkIsolationKey(kOrigin1, kOrigin1);
+  base::test::ScopedFeatureList feature_list;
+  feature_list.InitWithFeatures(
+      // enabled_features
+      {features::kPartitionConnectionsByNetworkIsolationKey,
+       features::kSplitHostCacheByNetworkIsolationKey},
+      // disabled_features
+      {});
+
   Initialize();
   ProofVerifyDetailsChromium verify_details = DefaultProofVerifyDetails();
   crypto_client_stream_factory_.AddProofVerifyDetails(&verify_details);
@@ -11160,7 +11404,7 @@ TEST_P(QuicStreamFactoryTest, HostResolverUsesDisableSecureDns) {
       ERR_IO_PENDING,
       request.Request(
           host_port_pair_, version_, privacy_mode_, DEFAULT_PRIORITY,
-          SocketTag(), NetworkIsolationKey(), true /* disable_secure_dns */,
+          SocketTag(), kNetworkIsolationKey, true /* disable_secure_dns */,
           /*cert_verify_flags=*/0, url_, net_log_, &net_error_details_,
           failed_on_default_network_callback_, callback_.callback()));
 
@@ -11168,8 +11412,12 @@ TEST_P(QuicStreamFactoryTest, HostResolverUsesDisableSecureDns) {
   std::unique_ptr<HttpStream> stream = CreateStream(&request);
   EXPECT_TRUE(stream.get());
 
+  ASSERT_TRUE(host_resolver_->last_secure_dns_mode_override().has_value());
   EXPECT_EQ(net::DnsConfig::SecureDnsMode::OFF,
             host_resolver_->last_secure_dns_mode_override().value());
+  ASSERT_TRUE(host_resolver_->last_request_network_isolation_key().has_value());
+  EXPECT_EQ(kNetworkIsolationKey,
+            host_resolver_->last_request_network_isolation_key().value());
 
   EXPECT_TRUE(socket_data.AllReadDataConsumed());
   EXPECT_TRUE(socket_data.AllWriteDataConsumed());
@@ -11179,9 +11427,9 @@ TEST_P(QuicStreamFactoryTest, HostResolverUsesDisableSecureDns) {
 // |quic_max_idle_time_before_crypto_handshake| to QuicStreamFactory,
 // checks that its internal quic::QuicConfig is correct.
 TEST_P(QuicStreamFactoryTest, ConfigMaxTimeBeforeCryptoHandshake) {
-  test_params_.quic_params.max_time_before_crypto_handshake =
+  quic_params_->max_time_before_crypto_handshake =
       base::TimeDelta::FromSeconds(11);
-  test_params_.quic_params.max_idle_time_before_crypto_handshake =
+  quic_params_->max_idle_time_before_crypto_handshake =
       base::TimeDelta::FromSeconds(13);
   Initialize();
 
@@ -11443,7 +11691,7 @@ TEST_P(QuicStreamFactoryTest, ResultAfterHostResolutionCallbackFailAsync) {
 // the final connection is established through the resolved DNS. No racing
 // connection.
 TEST_P(QuicStreamFactoryTest, ResultAfterDNSRaceAndHostResolutionSync) {
-  test_params_.quic_params.race_stale_dns_on_connection = true;
+  quic_params_->race_stale_dns_on_connection = true;
   host_resolver_ = std::make_unique<MockCachingHostResolver>();
   Initialize();
   ProofVerifyDetailsChromium verify_details = DefaultProofVerifyDetails();
@@ -11455,7 +11703,8 @@ TEST_P(QuicStreamFactoryTest, ResultAfterDNSRaceAndHostResolutionSync) {
                                             kNonCachedIPAddress, "");
 
   // Set up a different address in stale resolver cache.
-  HostCache::Key key(host_port_pair_.host(), ADDRESS_FAMILY_UNSPECIFIED, 0);
+  HostCache::Key key(host_port_pair_.host(), DnsQueryType::UNSPECIFIED, 0,
+                     HostResolverSource::ANY, NetworkIsolationKey());
   HostCache::Entry entry(OK,
                          AddressList::CreateFromIPAddress(kCachedIPAddress, 0),
                          HostCache::Entry::SOURCE_DNS);
@@ -11540,7 +11789,7 @@ TEST_P(QuicStreamFactoryTest, ResultAfterDNSRaceAndHostResolutionAsync) {
 // With dns race experiment on, DNS resolve returns async, stale dns used,
 // connects synchrounously, and then the resolved DNS matches.
 TEST_P(QuicStreamFactoryTest, ResultAfterDNSRaceHostResolveAsyncStaleMatch) {
-  test_params_.quic_params.race_stale_dns_on_connection = true;
+  quic_params_->race_stale_dns_on_connection = true;
   host_resolver_ = std::make_unique<MockCachingHostResolver>();
   Initialize();
   ProofVerifyDetailsChromium verify_details = DefaultProofVerifyDetails();
@@ -11552,7 +11801,8 @@ TEST_P(QuicStreamFactoryTest, ResultAfterDNSRaceHostResolveAsyncStaleMatch) {
                                             kCachedIPAddress.ToString(), "");
 
   // Set up the same address in the stale resolver cache.
-  HostCache::Key key(host_port_pair_.host(), ADDRESS_FAMILY_UNSPECIFIED, 0);
+  HostCache::Key key(host_port_pair_.host(), DnsQueryType::UNSPECIFIED, 0,
+                     HostResolverSource::ANY, NetworkIsolationKey());
   HostCache::Entry entry(OK,
                          AddressList::CreateFromIPAddress(kCachedIPAddress, 0),
                          HostCache::Entry::SOURCE_DNS);
@@ -11600,7 +11850,12 @@ TEST_P(QuicStreamFactoryTest, ResultAfterDNSRaceHostResolveAsyncStaleMatch) {
 // async, and then the result matches.
 TEST_P(QuicStreamFactoryTest,
        ResultAfterDNSRaceHostResolveAsyncConnectAsyncStaleMatch) {
-  test_params_.quic_params.race_stale_dns_on_connection = true;
+  if (version_.handshake_protocol == quic::PROTOCOL_TLS1_3 &&
+      version_.transport_version == quic::QUIC_VERSION_99) {
+    // 0-rtt is not supported in IETF QUIC yet.
+    return;
+  }
+  quic_params_->race_stale_dns_on_connection = true;
   host_resolver_ = std::make_unique<MockCachingHostResolver>();
   Initialize();
   ProofVerifyDetailsChromium verify_details = DefaultProofVerifyDetails();
@@ -11615,7 +11870,8 @@ TEST_P(QuicStreamFactoryTest,
                                             kCachedIPAddress.ToString(), "");
 
   // Set up the same address in the stale resolver cache.
-  HostCache::Key key(host_port_pair_.host(), ADDRESS_FAMILY_UNSPECIFIED, 0);
+  HostCache::Key key(host_port_pair_.host(), DnsQueryType::UNSPECIFIED, 0,
+                     HostResolverSource::ANY, NetworkIsolationKey());
   HostCache::Entry entry(OK,
                          AddressList::CreateFromIPAddress(kCachedIPAddress, 0),
                          HostCache::Entry::SOURCE_DNS);
@@ -11670,7 +11926,12 @@ TEST_P(QuicStreamFactoryTest,
 // return, then connection finishes and matches with the result.
 TEST_P(QuicStreamFactoryTest,
        ResultAfterDNSRaceHostResolveAsyncStaleMatchConnectAsync) {
-  test_params_.quic_params.race_stale_dns_on_connection = true;
+  if (version_.handshake_protocol == quic::PROTOCOL_TLS1_3 &&
+      version_.transport_version == quic::QUIC_VERSION_99) {
+    // 0-rtt is not supported in IETF QUIC yet.
+    return;
+  }
+  quic_params_->race_stale_dns_on_connection = true;
   host_resolver_ = std::make_unique<MockCachingHostResolver>();
   Initialize();
   ProofVerifyDetailsChromium verify_details = DefaultProofVerifyDetails();
@@ -11685,7 +11946,8 @@ TEST_P(QuicStreamFactoryTest,
                                             kCachedIPAddress.ToString(), "");
 
   // Set up the same address in the stale resolver cache.
-  HostCache::Key key(host_port_pair_.host(), ADDRESS_FAMILY_UNSPECIFIED, 0);
+  HostCache::Key key(host_port_pair_.host(), DnsQueryType::UNSPECIFIED, 0,
+                     HostResolverSource::ANY, NetworkIsolationKey());
   HostCache::Entry entry(OK,
                          AddressList::CreateFromIPAddress(kCachedIPAddress, 0),
                          HostCache::Entry::SOURCE_DNS);
@@ -11736,7 +11998,7 @@ TEST_P(QuicStreamFactoryTest,
 // sync, but dns no match
 TEST_P(QuicStreamFactoryTest,
        ResultAfterDNSRaceHostResolveAsyncStaleSyncNoMatch) {
-  test_params_.quic_params.race_stale_dns_on_connection = true;
+  quic_params_->race_stale_dns_on_connection = true;
   host_resolver_ = std::make_unique<MockCachingHostResolver>();
   Initialize();
   ProofVerifyDetailsChromium verify_details = DefaultProofVerifyDetails();
@@ -11748,7 +12010,8 @@ TEST_P(QuicStreamFactoryTest,
                                             kNonCachedIPAddress, "");
 
   // Set up a different address in the stale resolver cache.
-  HostCache::Key key(host_port_pair_.host(), ADDRESS_FAMILY_UNSPECIFIED, 0);
+  HostCache::Key key(host_port_pair_.host(), DnsQueryType::UNSPECIFIED, 0,
+                     HostResolverSource::ANY, NetworkIsolationKey());
   HostCache::Entry entry(OK,
                          AddressList::CreateFromIPAddress(kCachedIPAddress, 0),
                          HostCache::Entry::SOURCE_DNS);
@@ -11813,7 +12076,12 @@ TEST_P(QuicStreamFactoryTest,
 // With dns race experiment on, dns resolve async, stale used and connects
 // async, finishes before dns, but no match
 TEST_P(QuicStreamFactoryTest, ResultAfterDNSRaceStaleAsyncResolveAsyncNoMatch) {
-  test_params_.quic_params.race_stale_dns_on_connection = true;
+  if (version_.handshake_protocol == quic::PROTOCOL_TLS1_3 &&
+      version_.transport_version == quic::QUIC_VERSION_99) {
+    // 0-rtt is not supported in IETF QUIC yet.
+    return;
+  }
+  quic_params_->race_stale_dns_on_connection = true;
   host_resolver_ = std::make_unique<MockCachingHostResolver>();
   Initialize();
   ProofVerifyDetailsChromium verify_details = DefaultProofVerifyDetails();
@@ -11828,7 +12096,8 @@ TEST_P(QuicStreamFactoryTest, ResultAfterDNSRaceStaleAsyncResolveAsyncNoMatch) {
                                             kNonCachedIPAddress, "");
 
   // Set up a different address in the stale resolvercache.
-  HostCache::Key key(host_port_pair_.host(), ADDRESS_FAMILY_UNSPECIFIED, 0);
+  HostCache::Key key(host_port_pair_.host(), DnsQueryType::UNSPECIFIED, 0,
+                     HostResolverSource::ANY, NetworkIsolationKey());
   HostCache::Entry entry(OK,
                          AddressList::CreateFromIPAddress(kCachedIPAddress, 0),
                          HostCache::Entry::SOURCE_DNS);
@@ -11897,7 +12166,12 @@ TEST_P(QuicStreamFactoryTest, ResultAfterDNSRaceStaleAsyncResolveAsyncNoMatch) {
 // With dns race experiment on, dns resolve async, stale used and connects
 // async, dns finishes first, but no match
 TEST_P(QuicStreamFactoryTest, ResultAfterDNSRaceResolveAsyncStaleAsyncNoMatch) {
-  test_params_.quic_params.race_stale_dns_on_connection = true;
+  if (version_.handshake_protocol == quic::PROTOCOL_TLS1_3 &&
+      version_.transport_version == quic::QUIC_VERSION_99) {
+    // 0-rtt is not supported in IETF QUIC yet.
+    return;
+  }
+  quic_params_->race_stale_dns_on_connection = true;
   host_resolver_ = std::make_unique<MockCachingHostResolver>();
   Initialize();
   ProofVerifyDetailsChromium verify_details = DefaultProofVerifyDetails();
@@ -11912,7 +12186,8 @@ TEST_P(QuicStreamFactoryTest, ResultAfterDNSRaceResolveAsyncStaleAsyncNoMatch) {
                                             kNonCachedIPAddress, "");
 
   // Set up a different address in the stale resolver cache.
-  HostCache::Key key(host_port_pair_.host(), ADDRESS_FAMILY_UNSPECIFIED, 0);
+  HostCache::Key key(host_port_pair_.host(), DnsQueryType::UNSPECIFIED, 0,
+                     HostResolverSource::ANY, NetworkIsolationKey());
   HostCache::Entry entry(OK,
                          AddressList::CreateFromIPAddress(kCachedIPAddress, 0),
                          HostCache::Entry::SOURCE_DNS);
@@ -11972,7 +12247,7 @@ TEST_P(QuicStreamFactoryTest, ResultAfterDNSRaceResolveAsyncStaleAsyncNoMatch) {
 // With dns race experiment on, dns resolve returns error sync, same behavior
 // as experiment is not on
 TEST_P(QuicStreamFactoryTest, ResultAfterDNSRaceHostResolveError) {
-  test_params_.quic_params.race_stale_dns_on_connection = true;
+  quic_params_->race_stale_dns_on_connection = true;
   host_resolver_ = std::make_unique<MockCachingHostResolver>();
   Initialize();
   ProofVerifyDetailsChromium verify_details = DefaultProofVerifyDetails();
@@ -11998,7 +12273,7 @@ TEST_P(QuicStreamFactoryTest, ResultAfterDNSRaceHostResolveError) {
 // With dns race experiment on, no cache available, dns resolve returns error
 // async
 TEST_P(QuicStreamFactoryTest, ResultAfterDNSRaceHostResolveAsyncError) {
-  test_params_.quic_params.race_stale_dns_on_connection = true;
+  quic_params_->race_stale_dns_on_connection = true;
   host_resolver_ = std::make_unique<MockCachingHostResolver>();
   Initialize();
   ProofVerifyDetailsChromium verify_details = DefaultProofVerifyDetails();
@@ -12028,7 +12303,7 @@ TEST_P(QuicStreamFactoryTest, ResultAfterDNSRaceHostResolveAsyncError) {
 // With dns race experiment on, dns resolve async, staled used and connects
 // sync, dns returns error and no connection is established.
 TEST_P(QuicStreamFactoryTest, ResultAfterDNSRaceStaleSyncHostResolveError) {
-  test_params_.quic_params.race_stale_dns_on_connection = true;
+  quic_params_->race_stale_dns_on_connection = true;
   host_resolver_ = std::make_unique<MockCachingHostResolver>();
   Initialize();
   ProofVerifyDetailsChromium verify_details = DefaultProofVerifyDetails();
@@ -12039,7 +12314,8 @@ TEST_P(QuicStreamFactoryTest, ResultAfterDNSRaceStaleSyncHostResolveError) {
   host_resolver_->rules()->AddSimulatedFailure(host_port_pair_.host());
 
   // Set up an address in the stale cache.
-  HostCache::Key key(host_port_pair_.host(), ADDRESS_FAMILY_UNSPECIFIED, 0);
+  HostCache::Key key(host_port_pair_.host(), DnsQueryType::UNSPECIFIED, 0,
+                     HostResolverSource::ANY, NetworkIsolationKey());
   HostCache::Entry entry(OK,
                          AddressList::CreateFromIPAddress(kCachedIPAddress, 0),
                          HostCache::Entry::SOURCE_DNS);
@@ -12088,7 +12364,7 @@ TEST_P(QuicStreamFactoryTest, ResultAfterDNSRaceStaleSyncHostResolveError) {
 // return error, then dns matches.
 // This serves as a regression test for crbug.com/956374.
 TEST_P(QuicStreamFactoryTest, ResultAfterDNSRaceStaleErrorDNSMatches) {
-  test_params_.quic_params.race_stale_dns_on_connection = true;
+  quic_params_->race_stale_dns_on_connection = true;
   host_resolver_ = std::make_unique<MockCachingHostResolver>();
   Initialize();
   ProofVerifyDetailsChromium verify_details = DefaultProofVerifyDetails();
@@ -12100,7 +12376,8 @@ TEST_P(QuicStreamFactoryTest, ResultAfterDNSRaceStaleErrorDNSMatches) {
                                             kCachedIPAddress.ToString(), "");
 
   // Set up the same address in the stale resolver cache.
-  HostCache::Key key(host_port_pair_.host(), ADDRESS_FAMILY_UNSPECIFIED, 0);
+  HostCache::Key key(host_port_pair_.host(), DnsQueryType::UNSPECIFIED, 0,
+                     HostResolverSource::ANY, NetworkIsolationKey());
   HostCache::Entry entry(OK,
                          AddressList::CreateFromIPAddress(kCachedIPAddress, 0),
                          HostCache::Entry::SOURCE_DNS);
@@ -12138,7 +12415,7 @@ TEST_P(QuicStreamFactoryTest, ResultAfterDNSRaceStaleErrorDNSMatches) {
 // With dns race experiment on, dns resolve async, stale used and connection
 // returns error, dns no match, new connection is established
 TEST_P(QuicStreamFactoryTest, ResultAfterDNSRaceStaleErrorDNSNoMatch) {
-  test_params_.quic_params.race_stale_dns_on_connection = true;
+  quic_params_->race_stale_dns_on_connection = true;
   host_resolver_ = std::make_unique<MockCachingHostResolver>();
   Initialize();
   ProofVerifyDetailsChromium verify_details = DefaultProofVerifyDetails();
@@ -12150,7 +12427,8 @@ TEST_P(QuicStreamFactoryTest, ResultAfterDNSRaceStaleErrorDNSNoMatch) {
                                             kNonCachedIPAddress, "");
 
   // Set up a different address in stale resolver cache.
-  HostCache::Key key(host_port_pair_.host(), ADDRESS_FAMILY_UNSPECIFIED, 0);
+  HostCache::Key key(host_port_pair_.host(), DnsQueryType::UNSPECIFIED, 0,
+                     HostResolverSource::ANY, NetworkIsolationKey());
   HostCache::Entry entry(OK,
                          AddressList::CreateFromIPAddress(kCachedIPAddress, 0),
                          HostCache::Entry::SOURCE_DNS);
@@ -12203,7 +12481,7 @@ TEST_P(QuicStreamFactoryTest, ResultAfterDNSRaceStaleErrorDNSNoMatch) {
 // With dns race experiment on, dns resolve async, stale used and connection
 // returns error, dns no match, new connection error
 TEST_P(QuicStreamFactoryTest, ResultAfterDNSRaceStaleErrorDNSNoMatchError) {
-  test_params_.quic_params.race_stale_dns_on_connection = true;
+  quic_params_->race_stale_dns_on_connection = true;
   host_resolver_ = std::make_unique<MockCachingHostResolver>();
   Initialize();
   ProofVerifyDetailsChromium verify_details = DefaultProofVerifyDetails();
@@ -12215,7 +12493,8 @@ TEST_P(QuicStreamFactoryTest, ResultAfterDNSRaceStaleErrorDNSNoMatchError) {
                                             kNonCachedIPAddress, "");
 
   // Set up a different address in the stale cache.
-  HostCache::Key key(host_port_pair_.host(), ADDRESS_FAMILY_UNSPECIFIED, 0);
+  HostCache::Key key(host_port_pair_.host(), DnsQueryType::UNSPECIFIED, 0,
+                     HostResolverSource::ANY, NetworkIsolationKey());
   HostCache::Entry entry(OK,
                          AddressList::CreateFromIPAddress(kCachedIPAddress, 0),
                          HostCache::Entry::SOURCE_DNS);
@@ -12257,7 +12536,12 @@ TEST_P(QuicStreamFactoryTest, ResultAfterDNSRaceStaleErrorDNSNoMatchError) {
 // With dns race experiment on, dns resolve async and stale connect async, dns
 // resolve returns error and then preconnect finishes
 TEST_P(QuicStreamFactoryTest, ResultAfterDNSRaceResolveAsyncErrorStaleAsync) {
-  test_params_.quic_params.race_stale_dns_on_connection = true;
+  if (version_.handshake_protocol == quic::PROTOCOL_TLS1_3 &&
+      version_.transport_version == quic::QUIC_VERSION_99) {
+    // 0-rtt is not supported in IETF QUIC yet.
+    return;
+  }
+  quic_params_->race_stale_dns_on_connection = true;
   host_resolver_ = std::make_unique<MockCachingHostResolver>();
   Initialize();
   ProofVerifyDetailsChromium verify_details = DefaultProofVerifyDetails();
@@ -12271,7 +12555,8 @@ TEST_P(QuicStreamFactoryTest, ResultAfterDNSRaceResolveAsyncErrorStaleAsync) {
       MockCryptoClientStream::ZERO_RTT);
 
   // Set up an address in stale resolver cache.
-  HostCache::Key key(host_port_pair_.host(), ADDRESS_FAMILY_UNSPECIFIED, 0);
+  HostCache::Key key(host_port_pair_.host(), DnsQueryType::UNSPECIFIED, 0,
+                     HostResolverSource::ANY, NetworkIsolationKey());
   HostCache::Entry entry(OK,
                          AddressList::CreateFromIPAddress(kCachedIPAddress, 0),
                          HostCache::Entry::SOURCE_DNS);
@@ -12317,7 +12602,12 @@ TEST_P(QuicStreamFactoryTest, ResultAfterDNSRaceResolveAsyncErrorStaleAsync) {
 // resolve returns error and then preconnect fails.
 TEST_P(QuicStreamFactoryTest,
        ResultAfterDNSRaceResolveAsyncErrorStaleAsyncError) {
-  test_params_.quic_params.race_stale_dns_on_connection = true;
+  if (version_.handshake_protocol == quic::PROTOCOL_TLS1_3 &&
+      version_.transport_version == quic::QUIC_VERSION_99) {
+    // 0-rtt is not supported in IETF QUIC yet.
+    return;
+  }
+  quic_params_->race_stale_dns_on_connection = true;
   host_resolver_ = std::make_unique<MockCachingHostResolver>();
   Initialize();
   ProofVerifyDetailsChromium verify_details = DefaultProofVerifyDetails();
@@ -12331,7 +12621,8 @@ TEST_P(QuicStreamFactoryTest,
   host_resolver_->rules()->AddSimulatedFailure(host_port_pair_.host());
 
   // Set up an address in stale resolver cache.
-  HostCache::Key key(host_port_pair_.host(), ADDRESS_FAMILY_UNSPECIFIED, 0);
+  HostCache::Key key(host_port_pair_.host(), DnsQueryType::UNSPECIFIED, 0,
+                     HostResolverSource::ANY, NetworkIsolationKey());
   HostCache::Entry entry(OK,
                          AddressList::CreateFromIPAddress(kCachedIPAddress, 0),
                          HostCache::Entry::SOURCE_DNS);
@@ -12376,7 +12667,7 @@ TEST_P(QuicStreamFactoryTest,
 // With dns race experiment on, test that host resolution callback behaves
 // normal as experiment is not on
 TEST_P(QuicStreamFactoryTest, ResultAfterDNSRaceHostResolveAsync) {
-  test_params_.quic_params.race_stale_dns_on_connection = true;
+  quic_params_->race_stale_dns_on_connection = true;
   host_resolver_ = std::make_unique<MockCachingHostResolver>();
   Initialize();
   ProofVerifyDetailsChromium verify_details = DefaultProofVerifyDetails();
@@ -12422,7 +12713,12 @@ TEST_P(QuicStreamFactoryTest, ResultAfterDNSRaceHostResolveAsync) {
 // With stale dns and migration before handshake experiment on, migration failed
 // after handshake confirmed, and then fresh resolve returns.
 TEST_P(QuicStreamFactoryTest, StaleNetworkFailedAfterHandshake) {
-  test_params_.quic_params.race_stale_dns_on_connection = true;
+  if (version_.handshake_protocol == quic::PROTOCOL_TLS1_3 &&
+      version_.transport_version == quic::QUIC_VERSION_99) {
+    // 0-rtt is not supported in IETF QUIC yet.
+    return;
+  }
+  quic_params_->race_stale_dns_on_connection = true;
   host_resolver_ = std::make_unique<MockCachingHostResolver>();
 
   InitializeConnectionMigrationV2Test(
@@ -12436,7 +12732,8 @@ TEST_P(QuicStreamFactoryTest, StaleNetworkFailedAfterHandshake) {
                                             kNonCachedIPAddress, "");
 
   // Set up the same address in the stale resolver cache.
-  HostCache::Key key(host_port_pair_.host(), ADDRESS_FAMILY_UNSPECIFIED, 0);
+  HostCache::Key key(host_port_pair_.host(), DnsQueryType::UNSPECIFIED, 0,
+                     HostResolverSource::ANY, NetworkIsolationKey());
   HostCache::Entry entry(OK,
                          AddressList::CreateFromIPAddress(kCachedIPAddress, 0),
                          HostCache::Entry::SOURCE_DNS);
@@ -12496,7 +12793,12 @@ TEST_P(QuicStreamFactoryTest, StaleNetworkFailedAfterHandshake) {
 // With stale dns experiment on,  the stale session is killed while waiting for
 // handshake
 TEST_P(QuicStreamFactoryTest, StaleNetworkFailedBeforeHandshake) {
-  test_params_.quic_params.race_stale_dns_on_connection = true;
+  if (version_.handshake_protocol == quic::PROTOCOL_TLS1_3 &&
+      version_.transport_version == quic::QUIC_VERSION_99) {
+    // 0-rtt is not supported in IETF QUIC yet.
+    return;
+  }
+  quic_params_->race_stale_dns_on_connection = true;
   host_resolver_ = std::make_unique<MockCachingHostResolver>();
   InitializeConnectionMigrationV2Test(
       {kDefaultNetworkForTests, kNewNetworkForTests});
@@ -12512,7 +12814,8 @@ TEST_P(QuicStreamFactoryTest, StaleNetworkFailedBeforeHandshake) {
                                             kNonCachedIPAddress, "");
 
   // Set up a different address in the stale resolvercache.
-  HostCache::Key key(host_port_pair_.host(), ADDRESS_FAMILY_UNSPECIFIED, 0);
+  HostCache::Key key(host_port_pair_.host(), DnsQueryType::UNSPECIFIED, 0,
+                     HostResolverSource::ANY, NetworkIsolationKey());
   HostCache::Entry entry(OK,
                          AddressList::CreateFromIPAddress(kCachedIPAddress, 0),
                          HostCache::Entry::SOURCE_DNS);
@@ -12573,9 +12876,13 @@ TEST_P(QuicStreamFactoryTest, StaleNetworkFailedBeforeHandshake) {
 }
 
 TEST_P(QuicStreamFactoryTest, ConfigInitialRttForHandshake) {
+  if (version_.SupportsAntiAmplificationLimit()) {
+    // IETF QUIC uses a different handshake timeout management system.
+    return;
+  }
   constexpr base::TimeDelta kInitialRtt =
       base::TimeDelta::FromMilliseconds(400);
-  test_params_.quic_params.initial_rtt_for_handshake = kInitialRtt;
+  quic_params_->initial_rtt_for_handshake = kInitialRtt;
   crypto_client_stream_factory_.set_handshake_mode(
       MockCryptoClientStream::COLD_START_WITH_CHLO_SENT);
   Initialize();
@@ -12588,8 +12895,8 @@ TEST_P(QuicStreamFactoryTest, ConfigInitialRttForHandshake) {
 
   QuicStreamFactoryPeer::SetTaskRunner(factory_.get(), task_runner.get());
   QuicStreamFactoryPeer::SetAlarmFactory(
-      factory_.get(),
-      std::make_unique<QuicChromiumAlarmFactory>(task_runner.get(), &clock_));
+      factory_.get(), std::make_unique<QuicChromiumAlarmFactory>(
+                          task_runner.get(), context_.clock()));
 
   MockQuicData socket_data(version_);
   socket_data.AddRead(SYNCHRONOUS, ERR_IO_PENDING);
@@ -12625,7 +12932,7 @@ TEST_P(QuicStreamFactoryTest, ConfigInitialRttForHandshake) {
 
   // The alarm factory dependes on |clock_|, so clock is advanced to trigger
   // retransmission alarm.
-  clock_.AdvanceTime(quic::QuicTime::Delta::FromMilliseconds(
+  context_.AdvanceTime(quic::QuicTime::Delta::FromMilliseconds(
       handshake_timeout.InMilliseconds()));
   task_runner->FastForwardBy(handshake_timeout);
 
diff --git a/chromium/net/quic/quic_test_packet_maker.cc b/chromium/net/quic/quic_test_packet_maker.cc
index 564a8912ea5..0621ec6e5f9 100644
--- a/chromium/net/quic/quic_test_packet_maker.cc
+++ b/chromium/net/quic/quic_test_packet_maker.cc
@@ -120,7 +120,7 @@ void QuicTestPacketMaker::EncoderStreamSenderDelegate::WriteStreamData(
 QuicTestPacketMaker::QuicTestPacketMaker(
     quic::ParsedQuicVersion version,
     quic::QuicConnectionId connection_id,
-    quic::MockClock* clock,
+    const quic::QuicClock* clock,
     const std::string& host,
     quic::Perspective perspective,
     bool client_headers_include_h2_stream_dependency)
@@ -128,6 +128,7 @@ QuicTestPacketMaker::QuicTestPacketMaker(
       connection_id_(connection_id),
       clock_(clock),
       host_(host),
+      max_allowed_push_id_(0),
       spdy_request_framer_(spdy::SpdyFramer::ENABLE_COMPRESSION),
       spdy_response_framer_(spdy::SpdyFramer::ENABLE_COMPRESSION),
       coalesce_http_frames_(false),
@@ -156,6 +157,10 @@ void QuicTestPacketMaker::set_hostname(const std::string& host) {
   host_.assign(host);
 }
 
+void QuicTestPacketMaker::set_max_allowed_push_id(quic::QuicStreamId push_id) {
+  max_allowed_push_id_ = push_id;
+}
+
 std::unique_ptr<quic::QuicReceivedPacket>
 QuicTestPacketMaker::MakeConnectivityProbingPacket(uint64_t num,
                                                    bool include_version) {
@@ -289,7 +294,10 @@ std::unique_ptr<quic::QuicReceivedPacket> QuicTestPacketMaker::MakeRstPacket(
 
   quic::QuicRstStreamFrame rst(1, stream_id, error_code,
                                stream_offsets_[stream_id]);
-  frames.push_back(quic::QuicFrame(&rst));
+  if (version_.transport_version != quic::QUIC_VERSION_99 ||
+      quic::QuicUtils::IsBidirectionalStreamId(stream_id)) {
+    frames.push_back(quic::QuicFrame(&rst));
+  }
   DVLOG(1) << "Adding frame: " << frames.back();
 
   // The STOP_SENDING frame must be outside of the if (version==99) so that it
@@ -432,8 +440,11 @@ QuicTestPacketMaker::MakeAckAndRstPacket(
 
   quic::QuicRstStreamFrame rst(1, stream_id, error_code,
                                stream_offsets_[stream_id]);
-  frames.push_back(quic::QuicFrame(&rst));
-  DVLOG(1) << "Adding frame: " << frames.back();
+  if (version_.transport_version != quic::QUIC_VERSION_99 ||
+      quic::QuicUtils::IsBidirectionalStreamId(stream_id)) {
+    frames.push_back(quic::QuicFrame(&rst));
+    DVLOG(1) << "Adding frame: " << frames.back();
+  }
 
   // The STOP_SENDING frame must be outside of the if (version==99) so that it
   // stays in scope until the packet is built.
@@ -499,6 +510,40 @@ QuicTestPacketMaker::MakeRstAckAndConnectionClosePacket(
 }
 
 std::unique_ptr<quic::QuicReceivedPacket>
+QuicTestPacketMaker::MakeRstAndConnectionClosePacket(
+    uint64_t num,
+    bool include_version,
+    quic::QuicStreamId stream_id,
+    quic::QuicRstStreamErrorCode error_code,
+    quic::QuicErrorCode quic_error,
+    const std::string& quic_error_details) {
+  InitializeHeader(num, include_version);
+
+  quic::QuicFrames frames;
+  quic::QuicRstStreamFrame rst(1, stream_id, error_code, 0);
+  frames.push_back(quic::QuicFrame(&rst));
+  DVLOG(1) << "Adding frame: " << frames.back();
+
+  // The STOP_SENDING frame must be outside of the if (version==99) so that it
+  // stays in scope until the packet is built.
+  quic::QuicStopSendingFrame stop(
+      1, stream_id, static_cast<quic::QuicApplicationErrorCode>(error_code));
+  if (version_.transport_version == quic::QUIC_VERSION_99) {
+    frames.push_back(quic::QuicFrame(&stop));
+    DVLOG(1) << "Adding frame: " << frames.back();
+  }
+
+  quic::QuicConnectionCloseFrame close(version_.transport_version, quic_error,
+                                       quic_error_details,
+                                       /*transport_close_frame_type=*/0);
+
+  frames.push_back(quic::QuicFrame(&close));
+  DVLOG(1) << "Adding frame: " << frames.back();
+
+  return MakeMultipleFramesPacket(header_, frames, nullptr);
+}
+
+std::unique_ptr<quic::QuicReceivedPacket>
 QuicTestPacketMaker::MakeAckAndConnectionClosePacket(
     uint64_t num,
     bool include_version,
@@ -962,7 +1007,8 @@ QuicTestPacketMaker::MakePushPromisePacket(
     frame.headers = encoded_headers;
     std::unique_ptr<char[]> buffer;
     quic::QuicByteCount frame_length =
-        http_encoder_.SerializePushPromiseFrameWithOnlyPushId(frame, &buffer);
+        quic::HttpEncoder::SerializePushPromiseFrameWithOnlyPushId(frame,
+                                                                   &buffer);
     std::string push_promise_data(buffer.get(), frame_length);
     frames.push_back(
         GenerateNextStreamFrame(stream_id, false, push_promise_data));
@@ -1236,7 +1282,7 @@ QuicTestPacketMaker::MakePriorityPacket(uint64_t packet_number,
           : quic::REQUEST_STREAM;
   std::unique_ptr<char[]> buffer;
   quic::QuicByteCount frame_length =
-      http_encoder_.SerializePriorityFrame(frame, &buffer);
+      quic::HttpEncoder::SerializePriorityFrame(frame, &buffer);
   std::string priority_data = std::string(buffer.get(), frame_length);
 
   InitializeHeader(packet_number, should_include_version);
@@ -1378,8 +1424,8 @@ std::vector<std::string> QuicTestPacketMaker::QpackEncodeHeaders(
   // Generate HEADERS frame header.
   std::unique_ptr<char[]> headers_frame_header;
   const size_t headers_frame_header_length =
-      http_encoder_.SerializeHeadersFrameHeader(encoded_headers.size(),
-                                                &headers_frame_header);
+      quic::HttpEncoder::SerializeHeadersFrameHeader(encoded_headers.size(),
+                                                     &headers_frame_header);
 
   // Possible add a PUSH stream type.
   if (!quic::QuicUtils::IsBidirectionalStreamId(stream_id) &&
@@ -1489,7 +1535,16 @@ std::string QuicTestPacketMaker::GenerateHttp3SettingsData() {
       quic::kDefaultMaximumBlockedStreams;
   std::unique_ptr<char[]> buffer;
   quic::QuicByteCount frame_length =
-      http_encoder_.SerializeSettingsFrame(settings, &buffer);
+      quic::HttpEncoder::SerializeSettingsFrame(settings, &buffer);
+  return std::string(buffer.get(), frame_length);
+}
+
+std::string QuicTestPacketMaker::GenerateHttp3MaxPushIdData() {
+  quic::MaxPushIdFrame max_push_id;
+  max_push_id.push_id = max_allowed_push_id_;
+  std::unique_ptr<char[]> buffer;
+  quic::QuicByteCount frame_length =
+      quic::HttpEncoder::SerializeMaxPushIdFrame(max_push_id, &buffer);
   return std::string(buffer.get(), frame_length);
 }
 
@@ -1504,7 +1559,7 @@ std::string QuicTestPacketMaker::GenerateHttp3PriorityData(
 
   std::unique_ptr<char[]> buffer;
   quic::QuicByteCount frame_length =
-      http_encoder_.SerializePriorityFrame(frame, &buffer);
+      quic::HttpEncoder::SerializePriorityFrame(frame, &buffer);
   return std::string(buffer.get(), frame_length);
 }
 
@@ -1523,26 +1578,22 @@ void QuicTestPacketMaker::MaybeAddHttp3SettingsFrames(
   // stream first.
   std::string type(1, 0x00);
   std::string settings_data = GenerateHttp3SettingsData();
+  std::string max_push_id_data = GenerateHttp3MaxPushIdData();
 
   // The type and the SETTINGS frame may be sent in multiple QUIC STREAM
   // frames.
   std::vector<std::string> data;
   if (coalesce_http_frames_) {
-    data = {type + settings_data};
+    data = {type + settings_data + max_push_id_data};
   } else {
-    data = {type, settings_data};
+    data = {type, settings_data, max_push_id_data};
   }
 
   for (const auto& frame : GenerateNextStreamFrames(stream_id, false, data))
     frames->push_back(frame);
 
-  if (coalesce_http_frames_) {
-    frames->push_back(GenerateNextStreamFrame(stream_id + 4, false, "\x03"));
-    frames->push_back(GenerateNextStreamFrame(stream_id + 8, false, "\x02"));
-  } else {
-    frames->push_back(GenerateNextStreamFrame(stream_id + 8, false, "\x02"));
-    frames->push_back(GenerateNextStreamFrame(stream_id + 4, false, "\x03"));
-  }
+  frames->push_back(GenerateNextStreamFrame(stream_id + 4, false, "\x03"));
+  frames->push_back(GenerateNextStreamFrame(stream_id + 8, false, "\x02"));
 }
 
 }  // namespace test
diff --git a/chromium/net/quic/quic_test_packet_maker.h b/chromium/net/quic/quic_test_packet_maker.h
index 1a12e997054..df04ae493fa 100644
--- a/chromium/net/quic/quic_test_packet_maker.h
+++ b/chromium/net/quic/quic_test_packet_maker.h
@@ -20,8 +20,8 @@
 #include "net/third_party/quiche/src/quic/core/quic_packets.h"
 #include "net/third_party/quiche/src/quic/core/quic_stream_frame_data_producer.h"
 #include "net/third_party/quiche/src/quic/core/quic_utils.h"
+#include "net/third_party/quiche/src/quic/platform/api/quic_clock.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_string_piece.h"
-#include "net/third_party/quiche/src/quic/test_tools/mock_clock.h"
 #include "net/third_party/quiche/src/quic/test_tools/mock_random.h"
 #include "net/third_party/quiche/src/spdy/core/spdy_framer.h"
 #include "net/third_party/quiche/src/spdy/core/spdy_protocol.h"
@@ -45,13 +45,15 @@ class QuicTestPacketMaker {
   // the parent stream ID set to 0 (ignoring the |parent_stream_id| param).
   QuicTestPacketMaker(quic::ParsedQuicVersion version,
                       quic::QuicConnectionId connection_id,
-                      quic::MockClock* clock,
+                      const quic::QuicClock* clock,
                       const std::string& host,
                       quic::Perspective perspective,
                       bool client_headers_include_h2_stream_dependency);
   ~QuicTestPacketMaker();
 
   void set_hostname(const std::string& host);
+  void set_max_allowed_push_id(quic::QuicStreamId push_id);
+
   std::unique_ptr<quic::QuicReceivedPacket> MakeConnectivityProbingPacket(
       uint64_t num,
       bool include_version);
@@ -134,6 +136,13 @@ class QuicTestPacketMaker {
       uint64_t least_unacked,
       quic::QuicErrorCode quic_error,
       const std::string& quic_error_details);
+  std::unique_ptr<quic::QuicReceivedPacket> MakeRstAndConnectionClosePacket(
+      uint64_t num,
+      bool include_version,
+      quic::QuicStreamId stream_id,
+      quic::QuicRstStreamErrorCode error_code,
+      quic::QuicErrorCode quic_error,
+      const std::string& quic_error_details);
   std::unique_ptr<quic::QuicReceivedPacket> MakeAckAndConnectionClosePacket(
       uint64_t num,
       bool include_version,
@@ -401,6 +410,7 @@ class QuicTestPacketMaker {
   quic::QuicStreamId GetHeadersStreamId() const;
 
   std::string GenerateHttp3SettingsData();
+  std::string GenerateHttp3MaxPushIdData();
   std::string GenerateHttp3PriorityData(spdy::SpdyPriority priority,
                                         quic::QuicStreamId stream_id);
 
@@ -408,11 +418,11 @@ class QuicTestPacketMaker {
 
   quic::ParsedQuicVersion version_;
   quic::QuicConnectionId connection_id_;
-  quic::MockClock* clock_;  // Owned by QuicStreamFactory.
+  const quic::QuicClock* clock_;  // Not owned.
   std::string host_;
+  quic::QuicStreamId max_allowed_push_id_;
   spdy::SpdyFramer spdy_request_framer_;
   spdy::SpdyFramer spdy_response_framer_;
-  quic::HttpEncoder http_encoder_;
   bool coalesce_http_frames_;
   bool save_packet_frames_;
   DecoderStreamErrorDelegate decoder_stream_error_delegate_;
diff --git a/chromium/net/quic/platform/impl/quic_endian_impl.h b/chromium/net/quiche/common/platform/impl/quiche_endian_impl.h
index ab4ae6c129c..a29fb5db28f 100644
--- a/chromium/net/quic/platform/impl/quic_endian_impl.h
+++ b/chromium/net/quiche/common/platform/impl/quiche_endian_impl.h
@@ -1,15 +1,16 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2019 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
-#ifndef NET_QUIC_PLATFORM_IMPL_QUIC_ENDIAN_IMPL_H_
-#define NET_QUIC_PLATFORM_IMPL_QUIC_ENDIAN_IMPL_H_
+#ifndef NET_QUICHE_COMMON_PLATFORM_IMPL_QUICHE_ENDIAN_IMPL_H_
+#define NET_QUICHE_COMMON_PLATFORM_IMPL_QUICHE_ENDIAN_IMPL_H_
 
 #include "base/sys_byteorder.h"
+#include "build/build_config.h"
 
-namespace quic {
+namespace quiche {
 
-class QuicEndianImpl {
+class QuicheEndianImpl {
  public:
   // Convert |x| from host order (can be either little or big endian depending
   // on the platform) to network order (big endian).
@@ -33,6 +34,6 @@ class QuicEndianImpl {
   }
 };
 
-}  // namespace quic
+}  // namespace quiche
 
-#endif  // NET_QUIC_PLATFORM_IMPL_QUIC_ENDIAN_IMPL_H_
+#endif  // NET_QUICHE_COMMON_PLATFORM_IMPL_QUICHE_ENDIAN_IMPL_H_
diff --git a/chromium/net/quiche/common/platform/impl/quiche_export_impl.h b/chromium/net/quiche/common/platform/impl/quiche_export_impl.h
new file mode 100644
index 00000000000..3e9d531877a
--- /dev/null
+++ b/chromium/net/quiche/common/platform/impl/quiche_export_impl.h
@@ -0,0 +1,17 @@
+// Copyright 2019 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef NET_QUICHE_COMMON_PLATFORM_IMPL_QUICHE_EXPORT_IMPL_H_
+#define NET_QUICHE_COMMON_PLATFORM_IMPL_QUICHE_EXPORT_IMPL_H_
+
+#include "net/base/net_export.h"
+
+// These macros are documented in:
+// net/third_party/quiche/src/common/platform/api/quiche_export.h
+
+#define QUICHE_EXPORT NET_EXPORT
+#define QUICHE_EXPORT_PRIVATE NET_EXPORT_PRIVATE
+#define QUICHE_NO_EXPORT
+
+#endif  // NET_QUICHE_COMMON_PLATFORM_IMPL_QUICHE_EXPORT_IMPL_H_
diff --git a/chromium/net/quiche/common/platform/impl/quiche_ptr_util_impl.h b/chromium/net/quiche/common/platform/impl/quiche_ptr_util_impl.h
deleted file mode 100644
index 8f7dd21e66f..00000000000
--- a/chromium/net/quiche/common/platform/impl/quiche_ptr_util_impl.h
+++ /dev/null
@@ -1,19 +0,0 @@
-// Copyright (c) 2019 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef NET_QUICHE_COMMON_PLATFORM_IMPL_QUICHE_PTR_UTIL_IMPL_H_
-#define NET_QUICHE_COMMON_PLATFORM_IMPL_QUICHE_PTR_UTIL_IMPL_H_
-
-#include <memory>
-
-namespace quiche {
-
-template <typename T, typename... Args>
-std::unique_ptr<T> QuicheMakeUniqueImpl(Args&&... args) {
-  return std::make_unique<T>(std::forward<Args>(args)...);
-}
-
-}  // namespace quiche
-
-#endif  // NET_QUICHE_COMMON_PLATFORM_IMPL_QUICHE_PTR_UTIL_IMPL_H_
diff --git a/chromium/net/quiche/common/platform/impl/quiche_test_impl.h b/chromium/net/quiche/common/platform/impl/quiche_test_impl.h
index 11ae28c5b05..705a250f3e4 100644
--- a/chromium/net/quiche/common/platform/impl/quiche_test_impl.h
+++ b/chromium/net/quiche/common/platform/impl/quiche_test_impl.h
@@ -8,4 +8,10 @@
 #include "testing/gmock/include/gmock/gmock.h"  // IWYU pragma: export
 #include "testing/gtest/include/gtest/gtest.h"  // IWYU pragma: export
 
+namespace quiche {
+namespace test {
+class QuicheTest : public ::testing::Test {};
+}  // namespace test
+}  // namespace quiche
+
 #endif  // NET_QUICHE_COMMON_PLATFORM_IMPL_QUICHE_TEST_IMPL_H_
diff --git a/chromium/net/reporting/OWNERS b/chromium/net/reporting/OWNERS
index 7117a80a72b..cb7da64f211 100644
--- a/chromium/net/reporting/OWNERS
+++ b/chromium/net/reporting/OWNERS
@@ -1 +1,3 @@
 chlily@chromium.org
+
+# Component: Internals>Network>ReportingAndNEL
diff --git a/chromium/net/reporting/reporting_uploader_unittest.cc b/chromium/net/reporting/reporting_uploader_unittest.cc
index f3e0edfbdba..b1fb4ad3122 100644
--- a/chromium/net/reporting/reporting_uploader_unittest.cc
+++ b/chromium/net/reporting/reporting_uploader_unittest.cc
@@ -452,7 +452,7 @@ TEST_F(ReportingUploaderTest, DontSendCookies) {
   auto cookie = CanonicalCookie::Create(url, "foo=bar", base::Time::Now(),
                                         base::nullopt /* server_time */);
   context_.cookie_store()->SetCanonicalCookieAsync(
-      std::move(cookie), url.scheme(), CookieOptions(),
+      std::move(cookie), url.scheme(), CookieOptions::MakeAllInclusive(),
       cookie_callback.MakeCallback());
   cookie_callback.WaitUntilDone();
   ASSERT_TRUE(cookie_callback.result().IsInclude());
@@ -485,7 +485,7 @@ TEST_F(ReportingUploaderTest, DontSaveCookies) {
 
   GetCookieListCallback cookie_callback;
   context_.cookie_store()->GetCookieListWithOptionsAsync(
-      server_.GetURL("/"), CookieOptions(),
+      server_.GetURL("/"), CookieOptions::MakeAllInclusive(),
       base::BindOnce(&GetCookieListCallback::Run,
                      base::Unretained(&cookie_callback)));
   cookie_callback.WaitUntilDone();
diff --git a/chromium/net/server/http_server_fuzzer.cc b/chromium/net/server/http_server_fuzzer.cc
index 9f7aa9c1344..0509bde4ca7 100644
--- a/chromium/net/server/http_server_fuzzer.cc
+++ b/chromium/net/server/http_server_fuzzer.cc
@@ -95,7 +95,7 @@ class WaitTillHttpCloseDelegate : public net::HttpServer::Delegate {
 //
 // |data| is used to create a FuzzedServerSocket.
 extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
-  net::TestNetLog test_net_log;
+  net::RecordingTestNetLog test_net_log;
   FuzzedDataProvider data_provider(data, size);
 
   std::unique_ptr<net::ServerSocket> server_socket(
diff --git a/chromium/net/server/http_server_request_info.h b/chromium/net/server/http_server_request_info.h
index 014142cac74..9eeb10d70ca 100644
--- a/chromium/net/server/http_server_request_info.h
+++ b/chromium/net/server/http_server_request_info.h
@@ -46,8 +46,8 @@ class HttpServerRequestInfo {
 
   // A map of the names -> values for HTTP headers. These should always
   // contain lower case field names.
-  typedef std::map<std::string, std::string> HeadersMap;
-  mutable HeadersMap headers;
+  using HeadersMap = std::map<std::string, std::string>;
+  HeadersMap headers;
 };
 
 }  // namespace net
diff --git a/chromium/net/server/web_socket_encoder.cc b/chromium/net/server/web_socket_encoder.cc
index 772cf7d6cbe..e6d4c64248b 100644
--- a/chromium/net/server/web_socket_encoder.cc
+++ b/chromium/net/server/web_socket_encoder.cc
@@ -180,7 +180,7 @@ void EncodeFrameHybi17(base::StringPiece message,
   } else {
     frame.insert(frame.end(), data, data + data_length);
   }
-  *output = std::string(&frame[0], frame.size());
+  *output = std::string(frame.data(), frame.size());
 }
 
 }  // anonymous namespace
@@ -329,7 +329,7 @@ bool WebSocketEncoder::Inflate(std::string* message) {
   }
 
   *message =
-      output.size() ? std::string(&output[0], output.size()) : std::string();
+      output.size() ? std::string(output.data(), output.size()) : std::string();
   return true;
 }
 
diff --git a/chromium/net/socket/client_socket_pool_base_unittest.cc b/chromium/net/socket/client_socket_pool_base_unittest.cc
index eebd2c4992f..6d7ee44c97e 100644
--- a/chromium/net/socket/client_socket_pool_base_unittest.cc
+++ b/chromium/net/socket/client_socket_pool_base_unittest.cc
@@ -15,7 +15,6 @@
 #include "base/logging.h"
 #include "base/memory/ref_counted.h"
 #include "base/memory/weak_ptr.h"
-#include "base/message_loop/message_loop.h"
 #include "base/optional.h"
 #include "base/run_loop.h"
 #include "base/single_thread_task_runner.h"
@@ -702,7 +701,7 @@ class ClientSocketPoolBaseTest : public TestWithTaskEnvironment {
   // synchronous completions are not registered by this count.
   size_t completion_count() const { return test_base_.completion_count(); }
 
-  TestNetLog net_log_;
+  RecordingTestNetLog net_log_;
   bool connect_backup_jobs_enabled_;
   MockClientSocketFactory client_socket_factory_;
   TestConnectJobFactory* connect_job_factory_;
@@ -720,7 +719,7 @@ TEST_F(ClientSocketPoolBaseTest, BasicSynchronous) {
 
   TestCompletionCallback callback;
   ClientSocketHandle handle;
-  BoundTestNetLog log;
+  RecordingBoundTestNetLog log;
   TestLoadTimingInfoNotConnected(handle);
 
   EXPECT_EQ(OK, handle.Init(
@@ -755,7 +754,7 @@ TEST_F(ClientSocketPoolBaseTest, InitConnectionFailure) {
   CreatePool(kDefaultMaxSockets, kDefaultMaxSocketsPerGroup);
 
   connect_job_factory_->set_job_type(TestConnectJob::kMockFailingJob);
-  BoundTestNetLog log;
+  RecordingBoundTestNetLog log;
 
   ClientSocketHandle handle;
   TestCompletionCallback callback;
@@ -1897,7 +1896,7 @@ TEST_F(ClientSocketPoolBaseTest, CloseIdleSocketsForced) {
   CreatePool(kDefaultMaxSockets, kDefaultMaxSocketsPerGroup);
   ClientSocketHandle handle;
   TestCompletionCallback callback;
-  BoundTestNetLog log;
+  RecordingBoundTestNetLog log;
   int rv = handle.Init(
       TestGroupId("a"), params_, base::nullopt, LOWEST, SocketTag(),
       ClientSocketPool::RespectLimits::ENABLED, callback.callback(),
@@ -1911,7 +1910,7 @@ TEST_F(ClientSocketPoolBaseTest, CloseIdleSocketsForced) {
 TEST_F(ClientSocketPoolBaseTest, CloseIdleSocketsInGroupForced) {
   CreatePool(kDefaultMaxSockets, kDefaultMaxSocketsPerGroup);
   TestCompletionCallback callback;
-  BoundTestNetLog log;
+  RecordingBoundTestNetLog log;
   ClientSocketHandle handle1;
   int rv = handle1.Init(
       TestGroupId("a"), params_, base::nullopt, LOWEST, SocketTag(),
@@ -1941,7 +1940,7 @@ TEST_F(ClientSocketPoolBaseTest, CleanUpUnusableIdleSockets) {
   CreatePool(kDefaultMaxSockets, kDefaultMaxSocketsPerGroup);
   ClientSocketHandle handle;
   TestCompletionCallback callback;
-  BoundTestNetLog log;
+  RecordingBoundTestNetLog log;
   int rv = handle.Init(
       TestGroupId("a"), params_, base::nullopt, LOWEST, SocketTag(),
       ClientSocketPool::RespectLimits::ENABLED, callback.callback(),
@@ -2008,7 +2007,7 @@ TEST_F(ClientSocketPoolBaseTest, BasicAsynchronous) {
   connect_job_factory_->set_job_type(TestConnectJob::kMockPendingJob);
   ClientSocketHandle handle;
   TestCompletionCallback callback;
-  BoundTestNetLog log;
+  RecordingBoundTestNetLog log;
   int rv = handle.Init(
       TestGroupId("a"), params_, base::nullopt, LOWEST, SocketTag(),
       ClientSocketPool::RespectLimits::ENABLED, callback.callback(),
@@ -2049,7 +2048,7 @@ TEST_F(ClientSocketPoolBaseTest,
   connect_job_factory_->set_job_type(TestConnectJob::kMockPendingFailingJob);
   ClientSocketHandle handle;
   TestCompletionCallback callback;
-  BoundTestNetLog log;
+  RecordingBoundTestNetLog log;
   // Set the additional error state members to ensure that they get cleared.
   handle.set_is_ssl_error(true);
   handle.set_ssl_cert_request_info(base::MakeRefCounted<SSLCertRequestInfo>());
@@ -2113,7 +2112,7 @@ TEST_F(ClientSocketPoolBaseTest, TwoRequestsCancelOne) {
                   SocketTag(), ClientSocketPool::RespectLimits::ENABLED,
                   callback.callback(), ClientSocketPool::ProxyAuthCallback(),
                   pool_.get(), NetLogWithSource()));
-  BoundTestNetLog log2;
+  RecordingBoundTestNetLog log2;
   EXPECT_EQ(
       ERR_IO_PENDING,
       handle2.Init(TestGroupId("a"), params_, base::nullopt, DEFAULT_PRIORITY,
@@ -2535,7 +2534,7 @@ TEST_F(ClientSocketPoolBaseTest, CleanupTimedOutIdleSocketsReuse) {
 
   // Request a new socket. This should reuse the old socket and complete
   // synchronously.
-  BoundTestNetLog log;
+  RecordingBoundTestNetLog log;
   rv = handle.Init(
       TestGroupId("a"), params_, base::nullopt, LOWEST, SocketTag(),
       ClientSocketPool::RespectLimits::ENABLED, CompletionOnceCallback(),
@@ -2611,7 +2610,7 @@ TEST_F(ClientSocketPoolBaseTest, CleanupTimedOutIdleSocketsNoReuse) {
 
   // Request a new socket. This should cleanup the unused and timed out ones.
   // A new socket will be created rather than reusing the idle one.
-  BoundTestNetLog log;
+  RecordingBoundTestNetLog log;
   TestCompletionCallback callback3;
   rv = handle.Init(TestGroupId("a"), params_, base::nullopt, LOWEST,
                    SocketTag(), ClientSocketPool::RespectLimits::ENABLED,
diff --git a/chromium/net/socket/client_socket_pool_unittest.cc b/chromium/net/socket/client_socket_pool_unittest.cc
index 1c75c9b5975..5ad3af21205 100644
--- a/chromium/net/socket/client_socket_pool_unittest.cc
+++ b/chromium/net/socket/client_socket_pool_unittest.cc
@@ -95,8 +95,9 @@ TEST(ClientSocketPool, GroupIdOperators) {
 
 TEST(ClientSocketPool, GroupIdToString) {
   base::test::ScopedFeatureList feature_list;
-  feature_list.InitAndEnableFeature(
-      features::kPartitionConnectionsByNetworkIsolationKey);
+  feature_list.InitWithFeatures(
+      {features::kPartitionConnectionsByNetworkIsolationKey},
+      {features::kAppendFrameOriginToNetworkIsolationKey});
 
   EXPECT_EQ("foo:80 <null>",
             ClientSocketPool::GroupId(
diff --git a/chromium/net/socket/connect_job.cc b/chromium/net/socket/connect_job.cc
index 7aad80e89a3..c7b03ba53da 100644
--- a/chromium/net/socket/connect_job.cc
+++ b/chromium/net/socket/connect_job.cc
@@ -115,8 +115,13 @@ std::unique_ptr<ConnectJob> ConnectJob::CreateConnectJob(
   scoped_refptr<SOCKSSocketParams> socks_params;
 
   if (!proxy_server.is_direct()) {
+    // No need to use a NetworkIsolationKey for looking up the proxy's IP
+    // address. Cached proxy IP addresses doesn't really expose useful
+    // information to destination sites, and not caching them has a performance
+    // cost.
     auto proxy_tcp_params = base::MakeRefCounted<TransportSocketParams>(
-        proxy_server.host_port_pair(), disable_secure_dns, resolution_callback);
+        proxy_server.host_port_pair(), NetworkIsolationKey(),
+        disable_secure_dns, resolution_callback);
 
     if (proxy_server.is_http() || proxy_server.is_https() ||
         proxy_server.is_quic()) {
@@ -141,7 +146,7 @@ std::unique_ptr<ConnectJob> ConnectJob::CreateConnectJob(
       socks_params = base::MakeRefCounted<SOCKSSocketParams>(
           std::move(proxy_tcp_params),
           proxy_server.scheme() == ProxyServer::SCHEME_SOCKS5, endpoint,
-          *proxy_annotation_tag);
+          network_isolation_key, *proxy_annotation_tag);
     }
   }
 
@@ -151,7 +156,8 @@ std::unique_ptr<ConnectJob> ConnectJob::CreateConnectJob(
     scoped_refptr<TransportSocketParams> ssl_tcp_params;
     if (proxy_server.is_direct()) {
       ssl_tcp_params = base::MakeRefCounted<TransportSocketParams>(
-          endpoint, disable_secure_dns, resolution_callback);
+          endpoint, network_isolation_key, disable_secure_dns,
+          resolution_callback);
     }
     auto ssl_params = base::MakeRefCounted<SSLSocketParams>(
         std::move(ssl_tcp_params), std::move(socks_params),
@@ -176,7 +182,7 @@ std::unique_ptr<ConnectJob> ConnectJob::CreateConnectJob(
 
   DCHECK(proxy_server.is_direct());
   auto tcp_params = base::MakeRefCounted<TransportSocketParams>(
-      endpoint, disable_secure_dns, resolution_callback);
+      endpoint, network_isolation_key, disable_secure_dns, resolution_callback);
   return TransportConnectJob::CreateTransportConnectJob(
       std::move(tcp_params), request_priority, socket_tag,
       common_connect_job_params, delegate, nullptr /* net_log */);
diff --git a/chromium/net/socket/connect_job_unittest.cc b/chromium/net/socket/connect_job_unittest.cc
index 208e8579e89..242cd9aaf2e 100644
--- a/chromium/net/socket/connect_job_unittest.cc
+++ b/chromium/net/socket/connect_job_unittest.cc
@@ -109,7 +109,7 @@ class ConnectJobTest : public testing::Test {
 
  protected:
   base::test::TaskEnvironment task_environment_;
-  TestNetLog net_log_;
+  RecordingTestNetLog net_log_;
   const CommonConnectJobParams common_connect_job_params_;
   TestConnectJobDelegate delegate_;
 };
diff --git a/chromium/net/socket/socket_bio_adapter.cc b/chromium/net/socket/socket_bio_adapter.cc
index 6f134af6634..182b9d6eaa4 100644
--- a/chromium/net/socket/socket_bio_adapter.cc
+++ b/chromium/net/socket/socket_bio_adapter.cc
@@ -22,7 +22,7 @@
 
 namespace {
 
-net::NetworkTrafficAnnotationTag kTrafficAnnotation =
+const net::NetworkTrafficAnnotationTag kTrafficAnnotation =
     net::DefineNetworkTrafficAnnotation("socket_bio_adapter", R"(
       semantics {
         sender: "Socket BIO Adapter"
diff --git a/chromium/net/socket/socket_posix.cc b/chromium/net/socket/socket_posix.cc
index dec819a8425..61cc75851ca 100644
--- a/chromium/net/socket/socket_posix.cc
+++ b/chromium/net/socket/socket_posix.cc
@@ -536,7 +536,7 @@ void SocketPosix::WriteCompleted() {
 
   bool ok = write_socket_watcher_.StopWatchingFileDescriptor();
   DCHECK(ok);
-  write_buf_ = NULL;
+  write_buf_.reset();
   write_buf_len_ = 0;
   std::move(write_callback_).Run(rv);
 }
@@ -565,7 +565,7 @@ void SocketPosix::StopWatchingAndCleanUp(bool close_socket) {
   }
 
   if (!read_callback_.is_null()) {
-    read_buf_ = NULL;
+    read_buf_.reset();
     read_buf_len_ = 0;
     read_callback_.Reset();
   }
@@ -573,7 +573,7 @@ void SocketPosix::StopWatchingAndCleanUp(bool close_socket) {
   read_if_ready_callback_.Reset();
 
   if (!write_callback_.is_null()) {
-    write_buf_ = NULL;
+    write_buf_.reset();
     write_buf_len_ = 0;
     write_callback_.Reset();
   }
diff --git a/chromium/net/socket/socket_test_util.cc b/chromium/net/socket/socket_test_util.cc
index 493cd306461..d3aa05a1d71 100644
--- a/chromium/net/socket/socket_test_util.cc
+++ b/chromium/net/socket/socket_test_util.cc
@@ -141,6 +141,12 @@ void DumpMockReadWrite(const MockReadWrite<type>& r) {
   DVLOG(1) << "Stage:   " << (r.sequence_number & ~MockRead::STOPLOOP) << stop;
 }
 
+void RunClosureIfNonNull(base::OnceClosure closure) {
+  if (!closure.is_null()) {
+    std::move(closure).Run();
+  }
+}
+
 }  // namespace
 
 MockConnect::MockConnect() : mode(ASYNC), result(OK) {
@@ -1520,6 +1526,7 @@ int MockSSLClientSocket::Connect(CompletionOnceCallback callback) {
   data_->is_connect_data_consumed = true;
   if (data_->connect.result == OK)
     connected_ = true;
+  RunClosureIfNonNull(std::move(data_->connect_callback));
   if (data_->connect.mode == ASYNC) {
     RunCallbackAsync(std::move(callback), data_->connect.result);
     return ERR_IO_PENDING;
@@ -1543,6 +1550,7 @@ int MockSSLClientSocket::ConfirmHandshake(CompletionOnceCallback callback) {
   DCHECK(stream_socket_->IsConnected());
   if (data_->is_confirm_data_consumed)
     return data_->confirm.result;
+  RunClosureIfNonNull(std::move(data_->confirm_callback));
   if (data_->confirm.mode == ASYNC) {
     RunCallbackAsync(
         base::BindOnce(&MockSSLClientSocket::RunConfirmHandshakeCallback,
diff --git a/chromium/net/socket/socket_test_util.h b/chromium/net/socket/socket_test_util.h
index 26690f97356..df6e1170b8b 100644
--- a/chromium/net/socket/socket_test_util.h
+++ b/chromium/net/socket/socket_test_util.h
@@ -475,9 +475,16 @@ struct SSLSocketDataProvider {
 
   // Result for Connect().
   MockConnect connect;
+  // Callback to run when Connect() is called. This is called at most once per
+  // socket but is repeating because SSLSocketDataProvider is copyable.
+  base::RepeatingClosure connect_callback;
 
-  // Result for Confirm().
+  // Result for ConfirmHandshake().
   MockConfirm confirm;
+  // Callback to run when ConfirmHandshake() is called. This is called at most
+  // once per socket but is repeating because SSLSocketDataProvider is
+  // copyable.
+  base::RepeatingClosure confirm_callback;
 
   // Result for GetNegotiatedProtocol().
   NextProto next_proto;
diff --git a/chromium/net/socket/socks5_client_socket_fuzzer.cc b/chromium/net/socket/socks5_client_socket_fuzzer.cc
index 1437ede5306..6e79976c310 100644
--- a/chromium/net/socket/socks5_client_socket_fuzzer.cc
+++ b/chromium/net/socket/socks5_client_socket_fuzzer.cc
@@ -26,7 +26,7 @@
 // class for details.
 extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
   // Use a test NetLog, to exercise logging code.
-  net::TestNetLog test_net_log;
+  net::RecordingTestNetLog test_net_log;
 
   FuzzedDataProvider data_provider(data, size);
 
diff --git a/chromium/net/socket/socks5_client_socket_unittest.cc b/chromium/net/socket/socks5_client_socket_unittest.cc
index 3d790701b5f..51e10310936 100644
--- a/chromium/net/socket/socks5_client_socket_unittest.cc
+++ b/chromium/net/socket/socks5_client_socket_unittest.cc
@@ -57,7 +57,7 @@ class SOCKS5ClientSocketTest : public PlatformTest, public WithTaskEnvironment {
 
  protected:
   const uint16_t kNwPort;
-  TestNetLog net_log_;
+  RecordingTestNetLog net_log_;
   std::unique_ptr<SOCKS5ClientSocket> user_sock_;
   AddressList address_list_;
   // Filled in by BuildMockSocket() and owned by its return value
@@ -359,7 +359,7 @@ TEST_F(SOCKS5ClientSocketTest, PartialReadWrites) {
 
 TEST_F(SOCKS5ClientSocketTest, Tag) {
   StaticSocketDataProvider data;
-  TestNetLog log;
+  RecordingTestNetLog log;
   MockTaggingStreamSocket* tagging_sock =
       new MockTaggingStreamSocket(std::unique_ptr<StreamSocket>(
           new MockTCPClientSocket(address_list_, &log, &data)));
diff --git a/chromium/net/socket/socks_client_socket.cc b/chromium/net/socket/socks_client_socket.cc
index d849eea6b62..848a9cbde53 100644
--- a/chromium/net/socket/socks_client_socket.cc
+++ b/chromium/net/socket/socks_client_socket.cc
@@ -62,6 +62,7 @@ static_assert(sizeof(SOCKS4ServerResponse) == kReadHeaderSize,
 SOCKSClientSocket::SOCKSClientSocket(
     std::unique_ptr<StreamSocket> transport_socket,
     const HostPortPair& destination,
+    const NetworkIsolationKey& network_isolation_key,
     RequestPriority priority,
     HostResolver* host_resolver,
     bool disable_secure_dns,
@@ -75,6 +76,7 @@ SOCKSClientSocket::SOCKSClientSocket(
       host_resolver_(host_resolver),
       disable_secure_dns_(disable_secure_dns),
       destination_(destination),
+      network_isolation_key_(network_isolation_key),
       priority_(priority),
       net_log_(transport_socket_->NetLog()),
       traffic_annotation_(traffic_annotation) {}
@@ -309,8 +311,8 @@ int SOCKSClientSocket::DoResolveHost() {
   parameters.initial_priority = priority_;
   if (disable_secure_dns_)
     parameters.secure_dns_mode_override = DnsConfig::SecureDnsMode::OFF;
-  resolve_host_request_ =
-      host_resolver_->CreateRequest(destination_, net_log_, parameters);
+  resolve_host_request_ = host_resolver_->CreateRequest(
+      destination_, network_isolation_key_, net_log_, parameters);
 
   return resolve_host_request_->Start(
       base::BindOnce(&SOCKSClientSocket::OnIOComplete, base::Unretained(this)));
diff --git a/chromium/net/socket/socks_client_socket.h b/chromium/net/socket/socks_client_socket.h
index 20339fdda61..526b4f5bc08 100644
--- a/chromium/net/socket/socks_client_socket.h
+++ b/chromium/net/socket/socks_client_socket.h
@@ -31,8 +31,10 @@ class NET_EXPORT_PRIVATE SOCKSClientSocket : public StreamSocket {
  public:
   // |destination| contains the hostname and port to which the socket above will
   // communicate to via the socks layer. For testing the referrer is optional.
+  // |network_isolation_key| is used for host resolution.
   SOCKSClientSocket(std::unique_ptr<StreamSocket> transport_socket,
                     const HostPortPair& destination,
+                    const NetworkIsolationKey& network_isolation_key,
                     RequestPriority priority,
                     HostResolver* host_resolver,
                     bool disable_secure_dns,
@@ -140,6 +142,7 @@ class NET_EXPORT_PRIVATE SOCKSClientSocket : public StreamSocket {
   bool disable_secure_dns_;
   std::unique_ptr<HostResolver::ResolveHostRequest> resolve_host_request_;
   const HostPortPair destination_;
+  const NetworkIsolationKey network_isolation_key_;
   RequestPriority priority_;
 
   NetLogWithSource net_log_;
diff --git a/chromium/net/socket/socks_client_socket_fuzzer.cc b/chromium/net/socket/socks_client_socket_fuzzer.cc
index 9a999351420..ebf9849bcdd 100644
--- a/chromium/net/socket/socks_client_socket_fuzzer.cc
+++ b/chromium/net/socket/socks_client_socket_fuzzer.cc
@@ -12,6 +12,7 @@
 #include "base/logging.h"
 #include "net/base/address_list.h"
 #include "net/base/net_errors.h"
+#include "net/base/network_isolation_key.h"
 #include "net/base/test_completion_callback.h"
 #include "net/dns/host_resolver.h"
 #include "net/dns/mock_host_resolver.h"
@@ -26,7 +27,7 @@
 // class for details.
 extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
   // Use a test NetLog, to exercise logging code.
-  net::TestNetLog test_net_log;
+  net::RecordingTestNetLog test_net_log;
 
   FuzzedDataProvider data_provider(data, size);
 
@@ -56,7 +57,7 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
 
   net::SOCKSClientSocket socket(
       std::move(fuzzed_socket), net::HostPortPair("foo", 80),
-      net::DEFAULT_PRIORITY, &mock_host_resolver,
+      net::NetworkIsolationKey(), net::DEFAULT_PRIORITY, &mock_host_resolver,
       false /* disable_secure_dns */, TRAFFIC_ANNOTATION_FOR_TESTS);
   int result = socket.Connect(callback.callback());
   callback.GetResult(result);
diff --git a/chromium/net/socket/socks_client_socket_unittest.cc b/chromium/net/socket/socks_client_socket_unittest.cc
index f02c23abb9b..e974ca03765 100644
--- a/chromium/net/socket/socks_client_socket_unittest.cc
+++ b/chromium/net/socket/socks_client_socket_unittest.cc
@@ -94,8 +94,8 @@ std::unique_ptr<SOCKSClientSocket> SOCKSClientSocketTest::BuildMockSocket(
   // non-owning pointer to it.
   tcp_sock_ = socket.get();
   return std::make_unique<SOCKSClientSocket>(
-      std::move(socket), HostPortPair(hostname, port), DEFAULT_PRIORITY,
-      host_resolver, false /* disable_secure_dns */,
+      std::move(socket), HostPortPair(hostname, port), NetworkIsolationKey(),
+      DEFAULT_PRIORITY, host_resolver, false /* disable_secure_dns */,
       TRAFFIC_ANNOTATION_FOR_TESTS);
 }
 
@@ -113,7 +113,7 @@ TEST_F(SOCKSClientSocketTest, CompleteHandshake) {
     MockRead data_reads[] = {
         MockRead(ASYNC, kSOCKS4OkReply, kSOCKS4OkReplyLength),
         MockRead(ASYNC, payload_read.data(), payload_read.size())};
-    TestNetLog log;
+    RecordingTestNetLog log;
 
     user_sock_ = BuildMockSocket(data_reads, data_writes, host_resolver_.get(),
                                  "localhost", 80, &log);
@@ -232,7 +232,7 @@ TEST_F(SOCKSClientSocketTest, HandshakeFailures) {
                   kSOCKS4OkRequestLocalHostPort80Length)};
     MockRead data_reads[] = {
         MockRead(SYNCHRONOUS, test.fail_reply, base::size(test.fail_reply))};
-    TestNetLog log;
+    RecordingTestNetLog log;
 
     user_sock_ = BuildMockSocket(data_reads, data_writes, host_resolver_.get(),
                                  "localhost", 80, &log);
@@ -265,7 +265,7 @@ TEST_F(SOCKSClientSocketTest, PartialServerReads) {
   MockRead data_reads[] = {
       MockRead(ASYNC, kSOCKSPartialReply1, base::size(kSOCKSPartialReply1)),
       MockRead(ASYNC, kSOCKSPartialReply2, base::size(kSOCKSPartialReply2))};
-  TestNetLog log;
+  RecordingTestNetLog log;
 
   user_sock_ = BuildMockSocket(data_reads, data_writes, host_resolver_.get(),
                                "localhost", 80, &log);
@@ -299,7 +299,7 @@ TEST_F(SOCKSClientSocketTest, PartialClientWrites) {
   };
   MockRead data_reads[] = {
       MockRead(ASYNC, kSOCKS4OkReply, kSOCKS4OkReplyLength)};
-  TestNetLog log;
+  RecordingTestNetLog log;
 
   user_sock_ = BuildMockSocket(data_reads, data_writes, host_resolver_.get(),
                                "localhost", 80, &log);
@@ -326,7 +326,7 @@ TEST_F(SOCKSClientSocketTest, FailedSocketRead) {
       MockRead(ASYNC, kSOCKS4OkReply, kSOCKS4OkReplyLength - 2),
       // close connection unexpectedly
       MockRead(SYNCHRONOUS, 0)};
-  TestNetLog log;
+  RecordingTestNetLog log;
 
   user_sock_ = BuildMockSocket(data_reads, data_writes, host_resolver_.get(),
                                "localhost", 80, &log);
@@ -351,7 +351,7 @@ TEST_F(SOCKSClientSocketTest, FailedDNS) {
 
   host_resolver_->rules()->AddSimulatedFailure(hostname);
 
-  TestNetLog log;
+  RecordingTestNetLog log;
 
   user_sock_ = BuildMockSocket(base::span<MockRead>(), base::span<MockWrite>(),
                                host_resolver_.get(), hostname, 80, &log);
@@ -425,7 +425,7 @@ TEST_F(SOCKSClientSocketTest, NoIPv6RealResolver) {
 
 TEST_F(SOCKSClientSocketTest, Tag) {
   StaticSocketDataProvider data;
-  TestNetLog log;
+  RecordingTestNetLog log;
   MockTaggingStreamSocket* tagging_sock =
       new MockTaggingStreamSocket(std::unique_ptr<StreamSocket>(
           new MockTCPClientSocket(address_list_, &log, &data)));
@@ -435,8 +435,9 @@ TEST_F(SOCKSClientSocketTest, Tag) {
   // non-owning pointer to it.
   MockHostResolver host_resolver;
   SOCKSClientSocket socket(std::unique_ptr<StreamSocket>(tagging_sock),
-                           HostPortPair("localhost", 80), DEFAULT_PRIORITY,
-                           &host_resolver, false /* disable_secure_dns */,
+                           HostPortPair("localhost", 80), NetworkIsolationKey(),
+                           DEFAULT_PRIORITY, &host_resolver,
+                           false /* disable_secure_dns */,
                            TRAFFIC_ANNOTATION_FOR_TESTS);
 
   EXPECT_EQ(tagging_sock->tag(), SocketTag());
@@ -450,12 +451,12 @@ TEST_F(SOCKSClientSocketTest, Tag) {
 TEST_F(SOCKSClientSocketTest, SetDisableSecureDns) {
   for (bool disable_secure_dns : {false, true}) {
     StaticSocketDataProvider data;
-    TestNetLog log;
+    RecordingTestNetLog log;
     MockHostResolver host_resolver;
     SOCKSClientSocket socket(
         std::make_unique<MockTCPClientSocket>(address_list_, &log, &data),
-        HostPortPair("localhost", 80), DEFAULT_PRIORITY, &host_resolver,
-        disable_secure_dns, TRAFFIC_ANNOTATION_FOR_TESTS);
+        HostPortPair("localhost", 80), NetworkIsolationKey(), DEFAULT_PRIORITY,
+        &host_resolver, disable_secure_dns, TRAFFIC_ANNOTATION_FOR_TESTS);
 
     EXPECT_EQ(ERR_IO_PENDING, socket.Connect(callback_.callback()));
     EXPECT_EQ(disable_secure_dns,
diff --git a/chromium/net/socket/socks_connect_job.cc b/chromium/net/socket/socks_connect_job.cc
index cb2e542e41f..fb4a628126f 100644
--- a/chromium/net/socket/socks_connect_job.cc
+++ b/chromium/net/socket/socks_connect_job.cc
@@ -26,10 +26,12 @@ SOCKSSocketParams::SOCKSSocketParams(
     scoped_refptr<TransportSocketParams> proxy_server_params,
     bool socks_v5,
     const HostPortPair& host_port_pair,
+    const NetworkIsolationKey& network_isolation_key,
     const NetworkTrafficAnnotationTag& traffic_annotation)
     : transport_params_(std::move(proxy_server_params)),
       destination_(host_port_pair),
       socks_v5_(socks_v5),
+      network_isolation_key_(network_isolation_key),
       traffic_annotation_(traffic_annotation) {}
 
 SOCKSSocketParams::~SOCKSSocketParams() = default;
@@ -165,7 +167,7 @@ int SOCKSConnectJob::DoSOCKSConnect() {
   } else {
     socket_.reset(new SOCKSClientSocket(
         transport_connect_job_->PassSocket(), socks_params_->destination(),
-        priority(), host_resolver(),
+        socks_params_->network_isolation_key(), priority(), host_resolver(),
         socks_params_->transport_params()->disable_secure_dns(),
         socks_params_->traffic_annotation()));
   }
diff --git a/chromium/net/socket/socks_connect_job.h b/chromium/net/socket/socks_connect_job.h
index f3d4131bafe..54745149c4a 100644
--- a/chromium/net/socket/socks_connect_job.h
+++ b/chromium/net/socket/socks_connect_job.h
@@ -14,6 +14,7 @@
 #include "net/base/completion_once_callback.h"
 #include "net/base/host_port_pair.h"
 #include "net/base/net_export.h"
+#include "net/base/network_isolation_key.h"
 #include "net/base/request_priority.h"
 #include "net/socket/connect_job.h"
 #include "net/traffic_annotation/network_traffic_annotation.h"
@@ -30,6 +31,7 @@ class NET_EXPORT_PRIVATE SOCKSSocketParams
   SOCKSSocketParams(scoped_refptr<TransportSocketParams> proxy_server_params,
                     bool socks_v5,
                     const HostPortPair& host_port_pair,
+                    const NetworkIsolationKey& network_isolation_key,
                     const NetworkTrafficAnnotationTag& traffic_annotation);
 
   const scoped_refptr<TransportSocketParams>& transport_params() const {
@@ -37,6 +39,9 @@ class NET_EXPORT_PRIVATE SOCKSSocketParams
   }
   const HostPortPair& destination() const { return destination_; }
   bool is_socks_v5() const { return socks_v5_; }
+  const NetworkIsolationKey& network_isolation_key() {
+    return network_isolation_key_;
+  }
 
   const NetworkTrafficAnnotationTag traffic_annotation() {
     return traffic_annotation_;
@@ -51,6 +56,7 @@ class NET_EXPORT_PRIVATE SOCKSSocketParams
   // This is the HTTP destination.
   const HostPortPair destination_;
   const bool socks_v5_;
+  const NetworkIsolationKey network_isolation_key_;
 
   NetworkTrafficAnnotationTag traffic_annotation_;
 
diff --git a/chromium/net/socket/socks_connect_job_unittest.cc b/chromium/net/socket/socks_connect_job_unittest.cc
index 7ad2fc2d238..b1c9478bdbe 100644
--- a/chromium/net/socket/socks_connect_job_unittest.cc
+++ b/chromium/net/socket/socks_connect_job_unittest.cc
@@ -14,6 +14,7 @@
 #include "net/base/load_timing_info.h"
 #include "net/base/load_timing_info_test_util.h"
 #include "net/base/net_errors.h"
+#include "net/base/network_isolation_key.h"
 #include "net/dns/mock_host_resolver.h"
 #include "net/log/net_log.h"
 #include "net/socket/client_socket_factory.h"
@@ -59,7 +60,7 @@ class SOCKSConnectJobTest : public testing::Test, public WithTaskEnvironment {
             nullptr /* ssl_client_context */,
             nullptr /* socket_performance_watcher_factory */,
             nullptr /* network_quality_estimator */,
-            &net_log_,
+            NetLog::Get(),
             nullptr /* websocket_endpoint_lock_manager */) {}
 
   ~SOCKSConnectJobTest() override {}
@@ -69,17 +70,16 @@ class SOCKSConnectJobTest : public testing::Test, public WithTaskEnvironment {
       bool disable_secure_dns = false) {
     return base::MakeRefCounted<SOCKSSocketParams>(
         base::MakeRefCounted<TransportSocketParams>(
-            HostPortPair(kProxyHostName, kProxyPort), disable_secure_dns,
-            OnHostResolutionCallback()),
+            HostPortPair(kProxyHostName, kProxyPort), NetworkIsolationKey(),
+            disable_secure_dns, OnHostResolutionCallback()),
         socks_version == SOCKSVersion::V5,
         socks_version == SOCKSVersion::V4
             ? HostPortPair(kSOCKS4TestHost, kSOCKS4TestPort)
             : HostPortPair(kSOCKS5TestHost, kSOCKS5TestPort),
-        TRAFFIC_ANNOTATION_FOR_TESTS);
+        NetworkIsolationKey(), TRAFFIC_ANNOTATION_FOR_TESTS);
   }
 
  protected:
-  NetLog net_log_;
   MockHostResolver host_resolver_;
   MockTaggingClientSocketFactory client_socket_factory_;
   const CommonConnectJobParams common_connect_job_params_;
diff --git a/chromium/net/socket/ssl_client_socket_impl.cc b/chromium/net/socket/ssl_client_socket_impl.cc
index df4f720c314..173e0ad8cc5 100644
--- a/chromium/net/socket/ssl_client_socket_impl.cc
+++ b/chromium/net/socket/ssl_client_socket_impl.cc
@@ -323,6 +323,12 @@ class SSLClientSocketImpl::SSLContext {
         ssl_ctx_.get(), TLSEXT_cert_compression_brotli,
         nullptr /* compression not supported */, DecompressBrotliCert);
 #endif
+
+    if (base::FeatureList::IsEnabled(features::kPostQuantumCECPQ2)) {
+      static const int kCurves[] = {NID_CECPQ2, NID_X25519,
+                                    NID_X9_62_prime256v1, NID_secp384r1};
+      SSL_CTX_set1_curves(ssl_ctx_.get(), kCurves, base::size(kCurves));
+    }
   }
 
   static int ClientCertRequestCallback(SSL* ssl, void* arg) {
@@ -943,9 +949,6 @@ int SSLClientSocketImpl::DoHandshake() {
 }
 
 int SSLClientSocketImpl::DoHandshakeComplete(int result) {
-  if (in_confirm_handshake_)
-    MaybeRecordEarlyDataResult();
-
   if (result < 0)
     return result;
 
@@ -1072,12 +1075,18 @@ int SSLClientSocketImpl::DoHandshakeComplete(int result) {
       details = SSLHandshakeDetails::kTLS12Full;
     }
   } else {
+    bool used_hello_retry_request = SSL_used_hello_retry_request(ssl_.get());
     if (SSL_in_early_data(ssl_.get())) {
+      DCHECK(!used_hello_retry_request);
       details = SSLHandshakeDetails::kTLS13Early;
     } else if (SSL_session_reused(ssl_.get())) {
-      details = SSLHandshakeDetails::kTLS13Resume;
+      details = used_hello_retry_request
+                    ? SSLHandshakeDetails::kTLS13ResumeWithHelloRetryRequest
+                    : SSLHandshakeDetails::kTLS13Resume;
     } else {
-      details = SSLHandshakeDetails::kTLS13Full;
+      details = used_hello_retry_request
+                    ? SSLHandshakeDetails::kTLS13FullWithHelloRetryRequest
+                    : SSLHandshakeDetails::kTLS13Full;
     }
   }
   UMA_HISTOGRAM_ENUMERATION("Net.SSLHandshakeDetails", details);
@@ -1253,6 +1262,7 @@ ssl_verify_result_t SSLClientSocketImpl::HandleVerifyResult() {
 
   is_fatal_cert_error_ =
       IsCertStatusError(server_cert_verify_result_.cert_status) &&
+      result != ERR_CERT_KNOWN_INTERCEPTION_BLOCKED &&
       context_->transport_security_state()->ShouldSSLErrorsBeFatal(
           host_and_port_.host());
 
@@ -1372,8 +1382,6 @@ int SSLClientSocketImpl::DoPayloadRead(IOBuffer* buf, int buf_len) {
       DCHECK_NE(kSSLClientSocketNoPendingResult, signature_result_);
       pending_read_error_ = ERR_IO_PENDING;
     } else {
-      if (pending_read_ssl_error_ == SSL_ERROR_EARLY_DATA_REJECTED)
-        MaybeRecordEarlyDataResult();
       pending_read_error_ = MapLastOpenSSLError(
           pending_read_ssl_error_, err_tracer, &pending_read_error_info_);
     }
@@ -1391,8 +1399,6 @@ int SSLClientSocketImpl::DoPayloadRead(IOBuffer* buf, int buf_len) {
     // next call of DoPayloadRead.
     rv = total_bytes_read;
 
-    MaybeRecordEarlyDataResult();
-
     // Do not treat insufficient data as an error to return in the next call to
     // DoPayloadRead() - instead, let the call fall through to check SSL_read()
     // again. The transport may have data available by then.
@@ -1456,6 +1462,29 @@ void SSLClientSocketImpl::DoPeek() {
 
   crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE);
 
+  if (ssl_config_.early_data_enabled && !recorded_early_data_result_) {
+    // |SSL_peek| will implicitly run |SSL_do_handshake| if needed, but run it
+    // manually to pick up the reject reason.
+    int rv = SSL_do_handshake(ssl_.get());
+    int ssl_err = SSL_get_error(ssl_.get(), rv);
+    if (ssl_err == SSL_ERROR_WANT_READ || ssl_err == SSL_ERROR_WANT_WRITE) {
+      return;
+    }
+
+    // Since the two-parameter version of the macro (which asks for a max value)
+    // requires that the max value sentinel be named |kMaxValue|, transform the
+    // max-value sentinel into a one-past-the-end ("boundary") sentinel by
+    // adding 1, in order to be able to use the three-parameter macro.
+    UMA_HISTOGRAM_ENUMERATION("Net.SSLHandshakeEarlyDataReason",
+                              SSL_get_early_data_reason(ssl_.get()),
+                              ssl_early_data_reason_max_value + 1);
+    recorded_early_data_result_ = true;
+    if (ssl_err != SSL_ERROR_NONE) {
+      peek_complete_ = true;
+      return;
+    }
+  }
+
   char byte;
   int rv = SSL_peek(ssl_.get(), &byte, 1);
   int ssl_err = SSL_get_error(ssl_.get(), rv);
@@ -1817,22 +1846,6 @@ void SSLClientSocketImpl::RecordNegotiatedProtocol() const {
                             negotiated_protocol_, kProtoLast + 1);
 }
 
-void SSLClientSocketImpl::MaybeRecordEarlyDataResult() {
-  DCHECK(ssl_);
-  if (!ssl_config_.early_data_enabled || recorded_early_data_result_)
-    return;
-
-  recorded_early_data_result_ = true;
-  // Since the two-parameter version of the macro (which asks for a max
-  // value) requires that the max value sentinel be named |kMaxValue|,
-  // transform the max-value sentinel into a one-past-the-end ("boundary")
-  // sentinel by adding 1, in order to be able to use the three-parameter
-  // macro.
-  UMA_HISTOGRAM_ENUMERATION("Net.SSLHandshakeEarlyDataReason",
-                            SSL_get_early_data_reason(ssl_.get()),
-                            ssl_early_data_reason_max_value + 1);
-}
-
 int SSLClientSocketImpl::MapLastOpenSSLError(
     int ssl_error,
     const crypto::OpenSSLErrStackTracer& tracer,
diff --git a/chromium/net/socket/ssl_client_socket_impl.h b/chromium/net/socket/ssl_client_socket_impl.h
index 69e755bdcb6..9ffa83052e8 100644
--- a/chromium/net/socket/ssl_client_socket_impl.h
+++ b/chromium/net/socket/ssl_client_socket_impl.h
@@ -201,11 +201,6 @@ class SSLClientSocketImpl : public SSLClientSocket,
   // in a UMA histogram.
   void RecordNegotiatedProtocol() const;
 
-  // Records the result of a handshake where early data was requested
-  // in the corresponding UMA histogram.  This will happen at most once
-  // during the lifetime of the socket.
-  void MaybeRecordEarlyDataResult();
-
   // Returns the net error corresponding to the most recent OpenSSL
   // error. ssl_error is the output of SSL_get_error.
   int MapLastOpenSSLError(int ssl_error,
diff --git a/chromium/net/socket/ssl_client_socket_unittest.cc b/chromium/net/socket/ssl_client_socket_unittest.cc
index cee53dd4548..87ea2242bfd 100644
--- a/chromium/net/socket/ssl_client_socket_unittest.cc
+++ b/chromium/net/socket/ssl_client_socket_unittest.cc
@@ -16,6 +16,7 @@
 #include "base/files/file_util.h"
 #include "base/location.h"
 #include "base/memory/ref_counted.h"
+#include "base/optional.h"
 #include "base/run_loop.h"
 #include "base/single_thread_task_runner.h"
 #include "base/stl_util.h"
@@ -790,6 +791,55 @@ class MockRequireCTDelegate : public TransportSecurityState::RequireCTDelegate {
                                   const HashValueVector& hashes));
 };
 
+class ManySmallRecordsHttpResponse : public test_server::HttpResponse {
+ public:
+  static std::unique_ptr<test_server::HttpResponse> HandleRequest(
+      const test_server::HttpRequest& request) {
+    if (request.relative_url != "/ssl-many-small-records") {
+      return nullptr;
+    }
+
+    // Write ~26K of data, in 1350 byte chunks
+    return std::make_unique<ManySmallRecordsHttpResponse>(/*chunk_size=*/1350,
+                                                          /*chunk_count=*/20);
+  }
+
+  ManySmallRecordsHttpResponse(size_t chunk_size, size_t chunk_count)
+      : chunk_size_(chunk_size), chunk_count_(chunk_count) {}
+
+  void SendResponse(const test_server::SendBytesCallback& send,
+                    test_server::SendCompleteCallback done) override {
+    std::string headers = base::StringPrintf(
+        "HTTP/1.1 200 OK\r\n"
+        "Connection: close\r\n"
+        "Content-Length: %zu\r\n"
+        "Content-Type: text/plain\r\n\r\n",
+        chunk_size_ * chunk_count_);
+    send.Run(headers, base::BindOnce(&SendChunks, chunk_size_, chunk_count_,
+                                     send, std::move(done)));
+  }
+
+ private:
+  static void SendChunks(size_t chunk_size,
+                         size_t chunk_count,
+                         const test_server::SendBytesCallback& send,
+                         test_server::SendCompleteCallback done) {
+    if (chunk_count == 0) {
+      std::move(done).Run();
+      return;
+    }
+
+    std::string chunk(chunk_size, '*');
+    // This assumes that splitting output into separate |send| calls will
+    // produce separate TLS records.
+    send.Run(chunk, base::BindOnce(&SendChunks, chunk_size, chunk_count - 1,
+                                   send, std::move(done)));
+  }
+
+  size_t chunk_size_;
+  size_t chunk_count_;
+};
+
 class SSLClientSocketTest : public PlatformTest, public WithTaskEnvironment {
  public:
   SSLClientSocketTest()
@@ -861,6 +911,8 @@ class SSLClientSocketTest : public PlatformTest, public WithTaskEnvironment {
   // May be overridden by the subclass to customize the EmbeddedTestServer.
   virtual void RegisterEmbeddedTestServerHandlers(EmbeddedTestServer* server) {
     server->AddDefaultHandlers(base::FilePath());
+    server->RegisterRequestHandler(
+        base::BindRepeating(&ManySmallRecordsHttpResponse::HandleRequest));
   }
 
   // Starts the spawned test server with SSL configuration |ssl_options|.
@@ -932,10 +984,14 @@ class SSLClientSocketTest : public PlatformTest, public WithTaskEnvironment {
   // Must be called after StartTestServer has been called.
   void AddServerCertStatusToSSLConfig(CertStatus status,
                                       SSLConfig* ssl_config) {
-    ASSERT_TRUE(spawned_test_server());
+    ASSERT_TRUE(spawned_test_server() || embedded_test_server());
     // Find out the certificate the server is using.
-    scoped_refptr<X509Certificate> server_cert =
-        spawned_test_server()->GetCertificate();
+    scoped_refptr<X509Certificate> server_cert;
+    if (spawned_test_server()) {
+      server_cert = spawned_test_server()->GetCertificate();
+    } else {
+      server_cert = embedded_test_server()->GetCertificate();
+    }
     // Get the MockCertVerifier to verify it as an EV cert.
     CertVerifyResult verify_result;
     verify_result.cert_status = status;
@@ -943,7 +999,7 @@ class SSLClientSocketTest : public PlatformTest, public WithTaskEnvironment {
     cert_verifier_->AddResultForCert(server_cert.get(), verify_result, OK);
   }
 
-  TestNetLog log_;
+  RecordingTestNetLog log_;
   ClientSocketFactory* socket_factory_;
   std::unique_ptr<TestSSLConfigService> ssl_config_service_;
   std::unique_ptr<MockCertVerifier> cert_verifier_;
@@ -1044,11 +1100,48 @@ class ClientSocketFactoryWithoutReadIfReady : public ClientSocketFactory {
   ClientSocketFactory* const factory_;
 };
 
+std::vector<uint16_t> GetTLSVersions() {
+  return {SSL_PROTOCOL_VERSION_TLS1, SSL_PROTOCOL_VERSION_TLS1_1,
+          SSL_PROTOCOL_VERSION_TLS1_2, SSL_PROTOCOL_VERSION_TLS1_3};
+}
+
+base::Optional<SpawnedTestServer::SSLOptions::TLSMaxVersion>
+ProtocolVersionToSpawnedTestServer(uint16_t version) {
+  switch (version) {
+    case SSL_PROTOCOL_VERSION_TLS1:
+      return SpawnedTestServer::SSLOptions::TLS_MAX_VERSION_TLS1_0;
+    case SSL_PROTOCOL_VERSION_TLS1_1:
+      return SpawnedTestServer::SSLOptions::TLS_MAX_VERSION_TLS1_1;
+    case SSL_PROTOCOL_VERSION_TLS1_2:
+      return SpawnedTestServer::SSLOptions::TLS_MAX_VERSION_TLS1_2;
+    case SSL_PROTOCOL_VERSION_TLS1_3:
+      // SpawnedTestServer does not support TLS 1.3.
+      return base::nullopt;
+    default:
+      ADD_FAILURE() << "Unknown version " << version;
+      return base::nullopt;
+  }
+}
+
+class SSLClientSocketVersionTest
+    : public SSLClientSocketTest,
+      public ::testing::WithParamInterface<uint16_t> {
+ protected:
+  uint16_t version() const { return GetParam(); }
+
+  SSLServerConfig GetServerConfig() {
+    SSLServerConfig config;
+    config.version_max = version();
+    config.version_min = version();
+    return config;
+  }
+};
+
 // If GetParam(), try ReadIfReady() and fall back to Read() if needed.
 class SSLClientSocketReadTest
     : public SSLClientSocketTest,
       public ::testing::WithParamInterface<
-          std::tuple<ReadIfReadyTransport, ReadIfReadySSL>> {
+          std::tuple<ReadIfReadyTransport, ReadIfReadySSL, uint16_t>> {
  protected:
   SSLClientSocketReadTest() : SSLClientSocketTest() {
     if (!read_if_ready_supported()) {
@@ -1096,6 +1189,13 @@ class SSLClientSocketReadTest
     return WaitForReadCompletion(socket, buf, buf_len, &callback, rv);
   }
 
+  SSLServerConfig GetServerConfig() {
+    SSLServerConfig config;
+    config.version_max = version();
+    config.version_min = version();
+    return config;
+  }
+
   bool test_ssl_read_if_ready() const {
     return std::get<1>(GetParam()) == TEST_SSL_READ_IF_READY;
   }
@@ -1104,6 +1204,8 @@ class SSLClientSocketReadTest
     return std::get<0>(GetParam()) == READ_IF_READY_SUPPORTED;
   }
 
+  uint16_t version() const { return std::get<2>(GetParam()); }
+
  private:
   std::unique_ptr<ClientSocketFactory> wrapped_socket_factory_;
 };
@@ -1111,47 +1213,28 @@ class SSLClientSocketReadTest
 INSTANTIATE_TEST_SUITE_P(
     /* no prefix */,
     SSLClientSocketReadTest,
-    ::testing::Combine(
-        ::testing::Values(READ_IF_READY_SUPPORTED, READ_IF_READY_NOT_SUPPORTED),
-        ::testing::Values(TEST_SSL_READ_IF_READY, TEST_SSL_READ)));
+    ::testing::Combine(::testing::Values(READ_IF_READY_SUPPORTED,
+                                         READ_IF_READY_NOT_SUPPORTED),
+                       ::testing::Values(TEST_SSL_READ_IF_READY, TEST_SSL_READ),
+                       ::testing::ValuesIn(GetTLSVersions())));
 
 // Verifies the correctness of GetSSLCertRequestInfo.
-class SSLClientSocketCertRequestInfoTest : public SSLClientSocketTest {
+class SSLClientSocketCertRequestInfoTest : public SSLClientSocketVersionTest {
  protected:
-  // Creates a test server with the given SSLOptions, connects to it and returns
-  // the SSLCertRequestInfo reported by the socket.
-  scoped_refptr<SSLCertRequestInfo> GetCertRequest(
-      SpawnedTestServer::SSLOptions ssl_options) {
-    SpawnedTestServer spawned_test_server(SpawnedTestServer::TYPE_HTTPS,
-                                          ssl_options, base::FilePath());
-    if (!spawned_test_server.Start())
-      return nullptr;
-
-    AddressList addr;
-    if (!spawned_test_server.GetAddressList(&addr))
+  // Connects to the test server and returns the SSLCertRequestInfo reported by
+  // the socket.
+  scoped_refptr<SSLCertRequestInfo> GetCertRequest() {
+    int rv;
+    if (!CreateAndConnectSSLClientSocket(SSLConfig(), &rv)) {
       return nullptr;
-
-    TestCompletionCallback callback;
-    TestNetLog log;
-    std::unique_ptr<StreamSocket> transport(
-        new TCPClientSocket(addr, nullptr, &log, NetLogSource()));
-    int rv = callback.GetResult(transport->Connect(callback.callback()));
-    EXPECT_THAT(rv, IsOk());
-
-    std::unique_ptr<SSLClientSocket> sock(CreateSSLClientSocket(
-        std::move(transport), spawned_test_server.host_port_pair(),
-        SSLConfig()));
-    EXPECT_FALSE(sock->IsConnected());
-
-    rv = callback.GetResult(sock->Connect(callback.callback()));
+    }
     EXPECT_THAT(rv, IsError(ERR_SSL_CLIENT_AUTH_CERT_NEEDED));
 
     auto request_info = base::MakeRefCounted<SSLCertRequestInfo>();
-    sock->GetSSLCertRequestInfo(request_info.get());
-    sock->Disconnect();
-    EXPECT_FALSE(sock->IsConnected());
-    EXPECT_TRUE(spawned_test_server.host_port_pair().Equals(
-        request_info->host_and_port));
+    sock_->GetSSLCertRequestInfo(request_info.get());
+    sock_->Disconnect();
+    EXPECT_FALSE(sock_->IsConnected());
+    EXPECT_TRUE(host_port_pair().Equals(request_info->host_and_port));
 
     return request_info;
   }
@@ -1302,7 +1385,7 @@ class ZeroRTTResponse : public test_server::HttpResponse {
   ~ZeroRTTResponse() override {}
 
   void SendResponse(const test_server::SendBytesCallback& send,
-                    const test_server::SendCompleteCallback& done) override {
+                    test_server::SendCompleteCallback done) override {
     std::string response;
     if (zero_rtt_) {
       response = "1";
@@ -1313,7 +1396,7 @@ class ZeroRTTResponse : public test_server::HttpResponse {
     // Since the EmbeddedTestServer doesn't keep the socket open by default, it
     // is explicitly kept alive to allow the remaining leg of the 0RTT handshake
     // to be received after the early data.
-    send.Run(response, base::BindRepeating([]() {}));
+    send.Run(response, base::BindOnce([]() {}));
   }
 
  private:
@@ -1499,19 +1582,23 @@ class HangingCertVerifier : public CertVerifier {
 // TODO(950069): Add testing for frame_origin in NetworkIsolationKey
 // using kAppendInitiatingFrameOriginToNetworkIsolationKey.
 
-TEST_F(SSLClientSocketTest, Connect) {
-  ASSERT_TRUE(StartTestServer(SpawnedTestServer::SSLOptions()));
+INSTANTIATE_TEST_SUITE_P(TLSVersion,
+                         SSLClientSocketVersionTest,
+                         ::testing::ValuesIn(GetTLSVersions()));
+
+TEST_P(SSLClientSocketVersionTest, Connect) {
+  ASSERT_TRUE(
+      StartEmbeddedTestServer(EmbeddedTestServer::CERT_OK, GetServerConfig()));
 
   TestCompletionCallback callback;
-  TestNetLog log;
+  RecordingTestNetLog log;
   std::unique_ptr<StreamSocket> transport(
       new TCPClientSocket(addr(), nullptr, &log, NetLogSource()));
   int rv = callback.GetResult(transport->Connect(callback.callback()));
   EXPECT_THAT(rv, IsOk());
 
   std::unique_ptr<SSLClientSocket> sock(CreateSSLClientSocket(
-      std::move(transport), spawned_test_server()->host_port_pair(),
-      SSLConfig()));
+      std::move(transport), host_port_pair(), SSLConfig()));
 
   EXPECT_FALSE(sock->IsConnected());
 
@@ -1530,8 +1617,9 @@ TEST_F(SSLClientSocketTest, Connect) {
   EXPECT_FALSE(sock->IsConnected());
 }
 
-TEST_F(SSLClientSocketTest, ConnectSyncVerify) {
-  ASSERT_TRUE(StartTestServer(SpawnedTestServer::SSLOptions()));
+TEST_P(SSLClientSocketVersionTest, ConnectSyncVerify) {
+  ASSERT_TRUE(
+      StartEmbeddedTestServer(EmbeddedTestServer::CERT_OK, GetServerConfig()));
 
   cert_verifier_->set_async(false);
   int rv;
@@ -1539,10 +1627,9 @@ TEST_F(SSLClientSocketTest, ConnectSyncVerify) {
   EXPECT_THAT(rv, IsError(OK));
 }
 
-TEST_F(SSLClientSocketTest, ConnectExpired) {
-  SpawnedTestServer::SSLOptions ssl_options(
-      SpawnedTestServer::SSLOptions::CERT_EXPIRED);
-  ASSERT_TRUE(StartTestServer(ssl_options));
+TEST_P(SSLClientSocketVersionTest, ConnectExpired) {
+  ASSERT_TRUE(StartEmbeddedTestServer(EmbeddedTestServer::CERT_EXPIRED,
+                                      GetServerConfig()));
 
   cert_verifier_->set_default_result(ERR_CERT_DATE_INVALID);
 
@@ -1558,10 +1645,9 @@ TEST_F(SSLClientSocketTest, ConnectExpired) {
   EXPECT_TRUE(LogContainsEndEvent(entries, -1, NetLogEventType::SSL_CONNECT));
 }
 
-TEST_F(SSLClientSocketTest, ConnectExpiredSyncVerify) {
-  SpawnedTestServer::SSLOptions ssl_options(
-      SpawnedTestServer::SSLOptions::CERT_EXPIRED);
-  ASSERT_TRUE(StartTestServer(ssl_options));
+TEST_P(SSLClientSocketVersionTest, ConnectExpiredSyncVerify) {
+  ASSERT_TRUE(StartEmbeddedTestServer(EmbeddedTestServer::CERT_EXPIRED,
+                                      GetServerConfig()));
 
   cert_verifier_->set_default_result(ERR_CERT_DATE_INVALID);
   cert_verifier_->set_async(false);
@@ -1573,8 +1659,9 @@ TEST_F(SSLClientSocketTest, ConnectExpiredSyncVerify) {
 
 // Test that SSLClientSockets may be destroyed while waiting on a certificate
 // verification.
-TEST_F(SSLClientSocketTest, SocketDestroyedDuringVerify) {
-  ASSERT_TRUE(StartTestServer(SpawnedTestServer::SSLOptions()));
+TEST_P(SSLClientSocketVersionTest, SocketDestroyedDuringVerify) {
+  ASSERT_TRUE(
+      StartEmbeddedTestServer(EmbeddedTestServer::CERT_OK, GetServerConfig()));
 
   HangingCertVerifier verifier;
   context_ = std::make_unique<SSLClientContext>(
@@ -1589,8 +1676,7 @@ TEST_F(SSLClientSocketTest, SocketDestroyedDuringVerify) {
   ASSERT_THAT(rv, IsOk());
 
   std::unique_ptr<SSLClientSocket> sock = CreateSSLClientSocket(
-      std::move(transport), spawned_test_server()->host_port_pair(),
-      SSLConfig());
+      std::move(transport), host_port_pair(), SSLConfig());
   rv = sock->Connect(callback.callback());
   EXPECT_THAT(rv, IsError(ERR_IO_PENDING));
 
@@ -1605,10 +1691,9 @@ TEST_F(SSLClientSocketTest, SocketDestroyedDuringVerify) {
   context_ = nullptr;
 }
 
-TEST_F(SSLClientSocketTest, ConnectMismatched) {
-  SpawnedTestServer::SSLOptions ssl_options(
-      SpawnedTestServer::SSLOptions::CERT_MISMATCHED_NAME);
-  ASSERT_TRUE(StartTestServer(ssl_options));
+TEST_P(SSLClientSocketVersionTest, ConnectMismatched) {
+  ASSERT_TRUE(StartEmbeddedTestServer(EmbeddedTestServer::CERT_MISMATCHED_NAME,
+                                      GetServerConfig()));
 
   cert_verifier_->set_default_result(ERR_CERT_COMMON_NAME_INVALID);
 
@@ -1627,10 +1712,9 @@ TEST_F(SSLClientSocketTest, ConnectMismatched) {
 // Tests that certificates parsable by SSLClientSocket's internal SSL
 // implementation, but not X509Certificate are treated as fatal connection
 // errors. This is a regression test for https://crbug.com/91341.
-TEST_F(SSLClientSocketTest, ConnectBadValidity) {
-  SpawnedTestServer::SSLOptions ssl_options(
-      SpawnedTestServer::SSLOptions::CERT_BAD_VALIDITY);
-  ASSERT_TRUE(StartTestServer(ssl_options));
+TEST_P(SSLClientSocketVersionTest, ConnectBadValidity) {
+  ASSERT_TRUE(StartEmbeddedTestServer(EmbeddedTestServer::CERT_BAD_VALIDITY,
+                                      GetServerConfig()));
   cert_verifier_->set_default_result(ERR_CERT_DATE_INVALID);
 
   SSLConfig ssl_config;
@@ -1641,10 +1725,9 @@ TEST_F(SSLClientSocketTest, ConnectBadValidity) {
 
 // Ignoring the certificate error from an invalid certificate should
 // allow a complete connection.
-TEST_F(SSLClientSocketTest, ConnectBadValidityIgnoreCertErrors) {
-  SpawnedTestServer::SSLOptions ssl_options(
-      SpawnedTestServer::SSLOptions::CERT_BAD_VALIDITY);
-  ASSERT_TRUE(StartTestServer(ssl_options));
+TEST_P(SSLClientSocketVersionTest, ConnectBadValidityIgnoreCertErrors) {
+  ASSERT_TRUE(StartEmbeddedTestServer(EmbeddedTestServer::CERT_BAD_VALIDITY,
+                                      GetServerConfig()));
   cert_verifier_->set_default_result(ERR_CERT_DATE_INVALID);
 
   SSLConfig ssl_config;
@@ -1657,10 +1740,11 @@ TEST_F(SSLClientSocketTest, ConnectBadValidityIgnoreCertErrors) {
 
 // Attempt to connect to a page which requests a client certificate. It should
 // return an error code on connect.
-TEST_F(SSLClientSocketTest, ConnectClientAuthCertRequested) {
-  SpawnedTestServer::SSLOptions ssl_options;
-  ssl_options.request_client_certificate = true;
-  ASSERT_TRUE(StartTestServer(ssl_options));
+TEST_P(SSLClientSocketVersionTest, ConnectClientAuthCertRequested) {
+  SSLServerConfig server_config = GetServerConfig();
+  server_config.client_cert_type = SSLServerConfig::OPTIONAL_CLIENT_CERT;
+  ASSERT_TRUE(
+      StartEmbeddedTestServer(EmbeddedTestServer::CERT_OK, server_config));
 
   int rv;
   ASSERT_TRUE(CreateAndConnectSSLClientSocket(SSLConfig(), &rv));
@@ -1673,15 +1757,13 @@ TEST_F(SSLClientSocketTest, ConnectClientAuthCertRequested) {
 
 // Connect to a server requesting optional client authentication. Send it a
 // null certificate. It should allow the connection.
-//
-// TODO(davidben): Also test providing an actual certificate.
-TEST_F(SSLClientSocketTest, ConnectClientAuthSendNullCert) {
-  SpawnedTestServer::SSLOptions ssl_options;
-  ssl_options.request_client_certificate = true;
-  ASSERT_TRUE(StartTestServer(ssl_options));
+TEST_P(SSLClientSocketVersionTest, ConnectClientAuthSendNullCert) {
+  SSLServerConfig server_config = GetServerConfig();
+  server_config.client_cert_type = SSLServerConfig::OPTIONAL_CLIENT_CERT;
+  ASSERT_TRUE(
+      StartEmbeddedTestServer(EmbeddedTestServer::CERT_OK, server_config));
 
   // Our test server accepts certificate-less connections.
-  // TODO(davidben): Add a test which requires them and verify the error.
   context_->SetClientCertificate(host_port_pair(), nullptr, nullptr);
 
   int rv;
@@ -1707,7 +1789,8 @@ TEST_F(SSLClientSocketTest, ConnectClientAuthSendNullCert) {
 // Tests that the socket can be read from successfully. Also test that a peer's
 // close_notify alert is successfully processed without error.
 TEST_P(SSLClientSocketReadTest, Read) {
-  ASSERT_TRUE(StartTestServer(SpawnedTestServer::SSLOptions()));
+  ASSERT_TRUE(
+      StartEmbeddedTestServer(EmbeddedTestServer::CERT_OK, GetServerConfig()));
 
   TestCompletionCallback callback;
   std::unique_ptr<StreamSocket> transport(
@@ -1718,8 +1801,7 @@ TEST_P(SSLClientSocketReadTest, Read) {
   EXPECT_THAT(rv, IsOk());
 
   std::unique_ptr<SSLClientSocket> sock(CreateSSLClientSocket(
-      std::move(transport), spawned_test_server()->host_port_pair(),
-      SSLConfig()));
+      std::move(transport), host_port_pair(), SSLConfig()));
   EXPECT_EQ(0, sock->GetTotalReceivedBytes());
 
   rv = callback.GetResult(sock->Connect(callback.callback()));
@@ -1764,7 +1846,8 @@ TEST_P(SSLClientSocketReadTest, Read) {
 // Tests that SSLClientSocket properly handles when the underlying transport
 // synchronously fails a transport write in during the handshake.
 TEST_F(SSLClientSocketTest, Connect_WithSynchronousError) {
-  ASSERT_TRUE(StartTestServer(SpawnedTestServer::SSLOptions()));
+  ASSERT_TRUE(
+      StartEmbeddedTestServer(EmbeddedTestServer::CERT_OK, SSLServerConfig()));
 
   TestCompletionCallback callback;
   std::unique_ptr<StreamSocket> real_transport(
@@ -1776,8 +1859,7 @@ TEST_F(SSLClientSocketTest, Connect_WithSynchronousError) {
 
   SynchronousErrorStreamSocket* raw_transport = transport.get();
   std::unique_ptr<SSLClientSocket> sock(CreateSSLClientSocket(
-      std::move(transport), spawned_test_server()->host_port_pair(),
-      SSLConfig()));
+      std::move(transport), host_port_pair(), SSLConfig()));
 
   raw_transport->SetNextWriteError(ERR_CONNECTION_RESET);
 
@@ -1791,7 +1873,8 @@ TEST_F(SSLClientSocketTest, Connect_WithSynchronousError) {
 // the socket connection uncleanly.
 // This is a regression test for http://crbug.com/238536
 TEST_P(SSLClientSocketReadTest, Read_WithSynchronousError) {
-  ASSERT_TRUE(StartTestServer(SpawnedTestServer::SSLOptions()));
+  ASSERT_TRUE(
+      StartEmbeddedTestServer(EmbeddedTestServer::CERT_OK, GetServerConfig()));
 
   TestCompletionCallback callback;
   std::unique_ptr<StreamSocket> real_transport(
@@ -1804,8 +1887,8 @@ TEST_P(SSLClientSocketReadTest, Read_WithSynchronousError) {
   SSLConfig config;
   config.disable_post_handshake_peek_for_testing = true;
   SynchronousErrorStreamSocket* raw_transport = transport.get();
-  std::unique_ptr<SSLClientSocket> sock(CreateSSLClientSocket(
-      std::move(transport), spawned_test_server()->host_port_pair(), config));
+  std::unique_ptr<SSLClientSocket> sock(
+      CreateSSLClientSocket(std::move(transport), host_port_pair(), config));
 
   rv = callback.GetResult(sock->Connect(callback.callback()));
   EXPECT_THAT(rv, IsOk());
@@ -1839,8 +1922,9 @@ TEST_P(SSLClientSocketReadTest, Read_WithSynchronousError) {
 // asynchronously returns an error code while writing data - such as if an
 // intermediary terminates the socket connection uncleanly.
 // This is a regression test for http://crbug.com/249848
-TEST_F(SSLClientSocketTest, Write_WithSynchronousError) {
-  ASSERT_TRUE(StartTestServer(SpawnedTestServer::SSLOptions()));
+TEST_P(SSLClientSocketVersionTest, Write_WithSynchronousError) {
+  ASSERT_TRUE(
+      StartEmbeddedTestServer(EmbeddedTestServer::CERT_OK, GetServerConfig()));
 
   TestCompletionCallback callback;
   std::unique_ptr<StreamSocket> real_transport(
@@ -1857,8 +1941,7 @@ TEST_F(SSLClientSocketTest, Write_WithSynchronousError) {
   EXPECT_THAT(rv, IsOk());
 
   std::unique_ptr<SSLClientSocket> sock(CreateSSLClientSocket(
-      std::move(transport), spawned_test_server()->host_port_pair(),
-      SSLConfig()));
+      std::move(transport), host_port_pair(), SSLConfig()));
 
   rv = callback.GetResult(sock->Connect(callback.callback()));
   EXPECT_THAT(rv, IsOk());
@@ -1904,8 +1987,9 @@ TEST_F(SSLClientSocketTest, Write_WithSynchronousError) {
 // the write error will not be returned to the client until a future Read or
 // Write operation, SSLClientSocket should not spin attempting to re-write on
 // the socket. This is a regression test for part of https://crbug.com/381160.
-TEST_F(SSLClientSocketTest, Write_WithSynchronousErrorNoRead) {
-  ASSERT_TRUE(StartTestServer(SpawnedTestServer::SSLOptions()));
+TEST_P(SSLClientSocketVersionTest, Write_WithSynchronousErrorNoRead) {
+  ASSERT_TRUE(
+      StartEmbeddedTestServer(EmbeddedTestServer::CERT_OK, SSLServerConfig()));
 
   TestCompletionCallback callback;
   std::unique_ptr<StreamSocket> real_transport(
@@ -1922,8 +2006,7 @@ TEST_F(SSLClientSocketTest, Write_WithSynchronousErrorNoRead) {
   ASSERT_THAT(rv, IsOk());
 
   std::unique_ptr<SSLClientSocket> sock(CreateSSLClientSocket(
-      std::move(counting_socket), spawned_test_server()->host_port_pair(),
-      SSLConfig()));
+      std::move(counting_socket), host_port_pair(), SSLConfig()));
 
   rv = callback.GetResult(sock->Connect(callback.callback()));
   ASSERT_THAT(rv, IsOk());
@@ -1963,7 +2046,8 @@ TEST_F(SSLClientSocketTest, Write_WithSynchronousErrorNoRead) {
 // Test the full duplex mode, with Read and Write pending at the same time.
 // This test also serves as a regression test for http://crbug.com/29815.
 TEST_P(SSLClientSocketReadTest, Read_FullDuplex) {
-  ASSERT_TRUE(StartTestServer(SpawnedTestServer::SSLOptions()));
+  ASSERT_TRUE(
+      StartEmbeddedTestServer(EmbeddedTestServer::CERT_OK, GetServerConfig()));
 
   int rv;
   ASSERT_TRUE(CreateAndConnectSSLClientSocket(SSLConfig(), &rv));
@@ -1972,9 +2056,9 @@ TEST_P(SSLClientSocketReadTest, Read_FullDuplex) {
   // Issue a "hanging" Read first.
   TestCompletionCallback callback;
   scoped_refptr<IOBuffer> buf = base::MakeRefCounted<IOBuffer>(4096);
-  rv = Read(sock_.get(), buf.get(), 4096, callback.callback());
+  int read_rv = Read(sock_.get(), buf.get(), 4096, callback.callback());
   // We haven't written the request, so there should be no response yet.
-  ASSERT_THAT(rv, IsError(ERR_IO_PENDING));
+  ASSERT_THAT(read_rv, IsError(ERR_IO_PENDING));
 
   // Write the request.
   // The request is padded with a User-Agent header to a size that causes the
@@ -1994,8 +2078,9 @@ TEST_P(SSLClientSocketReadTest, Read_FullDuplex) {
   EXPECT_EQ(static_cast<int>(request_text.size()), rv);
 
   // Now get the Read result.
-  rv = WaitForReadCompletion(sock_.get(), buf.get(), 4096, &callback, rv);
-  EXPECT_GT(rv, 0);
+  read_rv =
+      WaitForReadCompletion(sock_.get(), buf.get(), 4096, &callback, read_rv);
+  EXPECT_GT(read_rv, 0);
 }
 
 // Attempts to Read() and Write() from an SSLClientSocketNSS in full duplex
@@ -2005,7 +2090,8 @@ TEST_P(SSLClientSocketReadTest, Read_FullDuplex) {
 // callback, the Write() callback should not be invoked.
 // Regression test for http://crbug.com/232633
 TEST_P(SSLClientSocketReadTest, Read_DeleteWhilePendingFullDuplex) {
-  ASSERT_TRUE(StartTestServer(SpawnedTestServer::SSLOptions()));
+  ASSERT_TRUE(
+      StartEmbeddedTestServer(EmbeddedTestServer::CERT_OK, GetServerConfig()));
 
   TestCompletionCallback callback;
   std::unique_ptr<StreamSocket> real_transport(
@@ -2024,8 +2110,8 @@ TEST_P(SSLClientSocketReadTest, Read_DeleteWhilePendingFullDuplex) {
 
   SSLConfig config;
   config.disable_post_handshake_peek_for_testing = true;
-  std::unique_ptr<SSLClientSocket> sock = CreateSSLClientSocket(
-      std::move(transport), spawned_test_server()->host_port_pair(), config);
+  std::unique_ptr<SSLClientSocket> sock =
+      CreateSSLClientSocket(std::move(transport), host_port_pair(), config);
 
   rv = callback.GetResult(sock->Connect(callback.callback()));
   EXPECT_THAT(rv, IsOk());
@@ -2088,7 +2174,8 @@ TEST_P(SSLClientSocketReadTest, Read_DeleteWhilePendingFullDuplex) {
 // error in a SPDY socket.
 // Regression test for http://crbug.com/335557
 TEST_P(SSLClientSocketReadTest, Read_WithWriteError) {
-  ASSERT_TRUE(StartTestServer(SpawnedTestServer::SSLOptions()));
+  ASSERT_TRUE(
+      StartEmbeddedTestServer(EmbeddedTestServer::CERT_OK, GetServerConfig()));
 
   TestCompletionCallback callback;
   std::unique_ptr<StreamSocket> real_transport(
@@ -2106,8 +2193,7 @@ TEST_P(SSLClientSocketReadTest, Read_WithWriteError) {
   EXPECT_THAT(rv, IsOk());
 
   std::unique_ptr<SSLClientSocket> sock(CreateSSLClientSocket(
-      std::move(transport), spawned_test_server()->host_port_pair(),
-      SSLConfig()));
+      std::move(transport), host_port_pair(), SSLConfig()));
 
   rv = callback.GetResult(sock->Connect(callback.callback()));
   EXPECT_THAT(rv, IsOk());
@@ -2175,7 +2261,10 @@ TEST_P(SSLClientSocketReadTest, Read_WithWriteError) {
 // Tests that SSLClientSocket fails the handshake if the underlying
 // transport is cleanly closed.
 TEST_F(SSLClientSocketTest, Connect_WithZeroReturn) {
-  ASSERT_TRUE(StartTestServer(SpawnedTestServer::SSLOptions()));
+  // There is no need to vary by TLS version because this test never reads a
+  // response from the server.
+  ASSERT_TRUE(
+      StartEmbeddedTestServer(EmbeddedTestServer::CERT_OK, SSLServerConfig()));
 
   TestCompletionCallback callback;
   std::unique_ptr<StreamSocket> real_transport(
@@ -2185,11 +2274,9 @@ TEST_F(SSLClientSocketTest, Connect_WithZeroReturn) {
   int rv = callback.GetResult(transport->Connect(callback.callback()));
   EXPECT_THAT(rv, IsOk());
 
-  SSLConfig config;
-  config.disable_post_handshake_peek_for_testing = true;
   SynchronousErrorStreamSocket* raw_transport = transport.get();
   std::unique_ptr<SSLClientSocket> sock(CreateSSLClientSocket(
-      std::move(transport), spawned_test_server()->host_port_pair(), config));
+      std::move(transport), host_port_pair(), SSLConfig()));
 
   raw_transport->SetNextReadError(0);
 
@@ -2202,7 +2289,8 @@ TEST_F(SSLClientSocketTest, Connect_WithZeroReturn) {
 // is cleanly closed, but the peer does not send close_notify.
 // This is a regression test for https://crbug.com/422246
 TEST_P(SSLClientSocketReadTest, Read_WithZeroReturn) {
-  ASSERT_TRUE(StartTestServer(SpawnedTestServer::SSLOptions()));
+  ASSERT_TRUE(
+      StartEmbeddedTestServer(EmbeddedTestServer::CERT_OK, GetServerConfig()));
 
   TestCompletionCallback callback;
   std::unique_ptr<StreamSocket> real_transport(
@@ -2215,8 +2303,8 @@ TEST_P(SSLClientSocketReadTest, Read_WithZeroReturn) {
   SSLConfig config;
   config.disable_post_handshake_peek_for_testing = true;
   SynchronousErrorStreamSocket* raw_transport = transport.get();
-  std::unique_ptr<SSLClientSocket> sock(CreateSSLClientSocket(
-      std::move(transport), spawned_test_server()->host_port_pair(), config));
+  std::unique_ptr<SSLClientSocket> sock(
+      CreateSSLClientSocket(std::move(transport), host_port_pair(), config));
 
   rv = callback.GetResult(sock->Connect(callback.callback()));
   EXPECT_THAT(rv, IsOk());
@@ -2232,7 +2320,8 @@ TEST_P(SSLClientSocketReadTest, Read_WithZeroReturn) {
 // underlying socket is cleanly closed asynchronously.
 // This is a regression test for https://crbug.com/422246
 TEST_P(SSLClientSocketReadTest, Read_WithAsyncZeroReturn) {
-  ASSERT_TRUE(StartTestServer(SpawnedTestServer::SSLOptions()));
+  ASSERT_TRUE(
+      StartEmbeddedTestServer(EmbeddedTestServer::CERT_OK, GetServerConfig()));
 
   TestCompletionCallback callback;
   std::unique_ptr<StreamSocket> real_transport(
@@ -2248,8 +2337,8 @@ TEST_P(SSLClientSocketReadTest, Read_WithAsyncZeroReturn) {
 
   SSLConfig config;
   config.disable_post_handshake_peek_for_testing = true;
-  std::unique_ptr<SSLClientSocket> sock(CreateSSLClientSocket(
-      std::move(transport), spawned_test_server()->host_port_pair(), config));
+  std::unique_ptr<SSLClientSocket> sock(
+      CreateSSLClientSocket(std::move(transport), host_port_pair(), config));
 
   rv = callback.GetResult(sock->Connect(callback.callback()));
   EXPECT_THAT(rv, IsOk());
@@ -2271,6 +2360,11 @@ TEST_P(SSLClientSocketReadTest, Read_WithAsyncZeroReturn) {
 // test for https://crbug.com/466303.
 TEST_P(SSLClientSocketReadTest, Read_WithFatalAlert) {
   SpawnedTestServer::SSLOptions ssl_options;
+  auto tls_max_version = ProtocolVersionToSpawnedTestServer(version());
+  if (!tls_max_version) {
+    return;
+  }
+  ssl_options.tls_max_version = *tls_max_version;
   ssl_options.alert_after_handshake = true;
   ASSERT_TRUE(StartTestServer(ssl_options));
 
@@ -2286,7 +2380,8 @@ TEST_P(SSLClientSocketReadTest, Read_WithFatalAlert) {
 }
 
 TEST_P(SSLClientSocketReadTest, Read_SmallChunks) {
-  ASSERT_TRUE(StartTestServer(SpawnedTestServer::SSLOptions()));
+  ASSERT_TRUE(
+      StartEmbeddedTestServer(EmbeddedTestServer::CERT_OK, GetServerConfig()));
 
   int rv;
   ASSERT_TRUE(CreateAndConnectSSLClientSocket(SSLConfig(), &rv));
@@ -2311,7 +2406,8 @@ TEST_P(SSLClientSocketReadTest, Read_SmallChunks) {
 }
 
 TEST_P(SSLClientSocketReadTest, Read_ManySmallRecords) {
-  ASSERT_TRUE(StartTestServer(SpawnedTestServer::SSLOptions()));
+  ASSERT_TRUE(
+      StartEmbeddedTestServer(EmbeddedTestServer::CERT_OK, GetServerConfig()));
 
   TestCompletionCallback callback;
 
@@ -2325,8 +2421,8 @@ TEST_P(SSLClientSocketReadTest, Read_ManySmallRecords) {
 
   SSLConfig config;
   config.disable_post_handshake_peek_for_testing = true;
-  std::unique_ptr<SSLClientSocket> sock(CreateSSLClientSocket(
-      std::move(transport), spawned_test_server()->host_port_pair(), config));
+  std::unique_ptr<SSLClientSocket> sock(
+      CreateSSLClientSocket(std::move(transport), host_port_pair(), config));
 
   rv = callback.GetResult(sock->Connect(callback.callback()));
   ASSERT_THAT(rv, IsOk());
@@ -2360,7 +2456,8 @@ TEST_P(SSLClientSocketReadTest, Read_ManySmallRecords) {
 }
 
 TEST_P(SSLClientSocketReadTest, Read_Interrupted) {
-  ASSERT_TRUE(StartTestServer(SpawnedTestServer::SSLOptions()));
+  ASSERT_TRUE(
+      StartEmbeddedTestServer(EmbeddedTestServer::CERT_OK, GetServerConfig()));
 
   int rv;
   ASSERT_TRUE(CreateAndConnectSSLClientSocket(SSLConfig(), &rv));
@@ -2384,10 +2481,11 @@ TEST_P(SSLClientSocketReadTest, Read_Interrupted) {
 }
 
 TEST_P(SSLClientSocketReadTest, Read_FullLogging) {
-  ASSERT_TRUE(StartTestServer(SpawnedTestServer::SSLOptions()));
+  ASSERT_TRUE(
+      StartEmbeddedTestServer(EmbeddedTestServer::CERT_OK, GetServerConfig()));
 
   TestCompletionCallback callback;
-  TestNetLog log;
+  RecordingTestNetLog log;
   log.SetObserverCaptureMode(NetLogCaptureMode::kEverything);
   std::unique_ptr<StreamSocket> transport(
       new TCPClientSocket(addr(), nullptr, &log, NetLogSource()));
@@ -2395,8 +2493,7 @@ TEST_P(SSLClientSocketReadTest, Read_FullLogging) {
   EXPECT_THAT(rv, IsOk());
 
   std::unique_ptr<SSLClientSocket> sock(CreateSSLClientSocket(
-      std::move(transport), spawned_test_server()->host_port_pair(),
-      SSLConfig()));
+      std::move(transport), host_port_pair(), SSLConfig()));
 
   rv = callback.GetResult(sock->Connect(callback.callback()));
   EXPECT_THAT(rv, IsOk());
@@ -2433,7 +2530,8 @@ TEST_P(SSLClientSocketReadTest, Read_FullLogging) {
 
 // Regression test for http://crbug.com/42538
 TEST_F(SSLClientSocketTest, PrematureApplicationData) {
-  ASSERT_TRUE(StartTestServer(SpawnedTestServer::SSLOptions()));
+  ASSERT_TRUE(
+      StartEmbeddedTestServer(EmbeddedTestServer::CERT_OK, SSLServerConfig()));
 
   static const unsigned char application_data[] = {
       0x17, 0x03, 0x01, 0x00, 0x4a, 0x02, 0x00, 0x00, 0x46, 0x03, 0x01, 0x4b,
@@ -2463,8 +2561,7 @@ TEST_F(SSLClientSocketTest, PrematureApplicationData) {
   EXPECT_THAT(rv, IsOk());
 
   std::unique_ptr<SSLClientSocket> sock(CreateSSLClientSocket(
-      std::move(transport), spawned_test_server()->host_port_pair(),
-      SSLConfig()));
+      std::move(transport), host_port_pair(), SSLConfig()));
 
   rv = callback.GetResult(sock->Connect(callback.callback()));
   EXPECT_THAT(rv, IsError(ERR_SSL_PROTOCOL_ERROR));
@@ -2500,7 +2597,8 @@ TEST_F(SSLClientSocketTest, CipherSuiteDisables) {
 // Here we verify that such a simple ClientSocketHandle, not associated with any
 // client socket pool, can be destroyed safely.
 TEST_F(SSLClientSocketTest, ClientSocketHandleNotFromPool) {
-  ASSERT_TRUE(StartTestServer(SpawnedTestServer::SSLOptions()));
+  ASSERT_TRUE(
+      StartEmbeddedTestServer(EmbeddedTestServer::CERT_OK, SSLServerConfig()));
 
   TestCompletionCallback callback;
   std::unique_ptr<StreamSocket> transport(
@@ -2509,8 +2607,7 @@ TEST_F(SSLClientSocketTest, ClientSocketHandleNotFromPool) {
   EXPECT_THAT(rv, IsOk());
 
   std::unique_ptr<SSLClientSocket> sock(socket_factory_->CreateSSLClientSocket(
-      context_.get(), std::move(transport),
-      spawned_test_server()->host_port_pair(), SSLConfig()));
+      context_.get(), std::move(transport), host_port_pair(), SSLConfig()));
 
   EXPECT_FALSE(sock->IsConnected());
   rv = callback.GetResult(sock->Connect(callback.callback()));
@@ -2519,8 +2616,9 @@ TEST_F(SSLClientSocketTest, ClientSocketHandleNotFromPool) {
 
 // Verifies that SSLClientSocket::ExportKeyingMaterial return a success
 // code and different keying label results in different keying material.
-TEST_F(SSLClientSocketTest, ExportKeyingMaterial) {
-  ASSERT_TRUE(StartTestServer(SpawnedTestServer::SSLOptions()));
+TEST_P(SSLClientSocketVersionTest, ExportKeyingMaterial) {
+  ASSERT_TRUE(
+      StartEmbeddedTestServer(EmbeddedTestServer::CERT_OK, GetServerConfig()));
 
   int rv;
   ASSERT_TRUE(CreateAndConnectSSLClientSocket(SSLConfig(), &rv));
@@ -2550,13 +2648,18 @@ TEST_F(SSLClientSocketTest, ExportKeyingMaterial) {
   EXPECT_EQ(rv, OK);
   EXPECT_NE(memcmp(client_out1, client_out2, kKeyingMaterialSize), 0);
 
-  // Using an empty context should give different key material from not using a
-  // context at all.
+  // Prior to TLS 1.3, using an empty context should give different key material
+  // from not using a context at all. In TLS 1.3, the distinction is deprecated
+  // and they are the same.
   memset(client_out2, 0, sizeof(client_out2));
   rv = sock_->ExportKeyingMaterial(kKeyingLabel1, true, kKeyingContext1,
                                    client_out2, sizeof(client_out2));
   EXPECT_EQ(rv, OK);
-  EXPECT_NE(memcmp(client_out1, client_out2, kKeyingMaterialSize), 0);
+  if (version() >= SSL_PROTOCOL_VERSION_TLS1_3) {
+    EXPECT_EQ(memcmp(client_out1, client_out2, kKeyingMaterialSize), 0);
+  } else {
+    EXPECT_NE(memcmp(client_out1, client_out2, kKeyingMaterialSize), 0);
+  }
 }
 
 TEST(SSLClientSocket, SerializeNextProtos) {
@@ -2582,16 +2685,15 @@ TEST(SSLClientSocket, SerializeNextProtos) {
 
 // Test that the server certificates are properly retrieved from the underlying
 // SSL stack.
-TEST_F(SSLClientSocketTest, VerifyServerChainProperlyOrdered) {
+TEST_P(SSLClientSocketVersionTest, VerifyServerChainProperlyOrdered) {
   // The connection does not have to be successful.
   cert_verifier_->set_default_result(ERR_CERT_INVALID);
 
   // Set up a test server with CERT_CHAIN_WRONG_ROOT.
   // This makes the server present redundant-server-chain.pem, which contains
   // intermediate certificates.
-  SpawnedTestServer::SSLOptions ssl_options(
-      SpawnedTestServer::SSLOptions::CERT_CHAIN_WRONG_ROOT);
-  ASSERT_TRUE(StartTestServer(ssl_options));
+  ASSERT_TRUE(StartEmbeddedTestServer(EmbeddedTestServer::CERT_CHAIN_WRONG_ROOT,
+                                      GetServerConfig()));
 
   int rv;
   ASSERT_TRUE(CreateAndConnectSSLClientSocket(SSLConfig(), &rv));
@@ -2645,7 +2747,7 @@ TEST_F(SSLClientSocketTest, VerifyServerChainProperlyOrdered) {
 // floating around. Servers may supply C2 as an intermediate, but the
 // SSLClientSocket should return the chain that was verified, from
 // verify_result, instead.
-TEST_F(SSLClientSocketTest, VerifyReturnChainProperlyOrdered) {
+TEST_P(SSLClientSocketVersionTest, VerifyReturnChainProperlyOrdered) {
   // By default, cause the CertVerifier to treat all certificates as
   // expired.
   cert_verifier_->set_default_result(ERR_CERT_DATE_INVALID);
@@ -2684,9 +2786,8 @@ TEST_F(SSLClientSocketTest, VerifyReturnChainProperlyOrdered) {
   ScopedTestRoot scoped_root(root_cert.get());
 
   // Set up a test server with CERT_CHAIN_WRONG_ROOT.
-  SpawnedTestServer::SSLOptions ssl_options(
-      SpawnedTestServer::SSLOptions::CERT_CHAIN_WRONG_ROOT);
-  ASSERT_TRUE(StartTestServer(ssl_options));
+  ASSERT_TRUE(StartEmbeddedTestServer(EmbeddedTestServer::CERT_CHAIN_WRONG_ROOT,
+                                      GetServerConfig()));
 
   int rv;
   ASSERT_TRUE(CreateAndConnectSSLClientSocket(SSLConfig(), &rv));
@@ -2729,12 +2830,16 @@ TEST_F(SSLClientSocketTest, VerifyReturnChainProperlyOrdered) {
   EXPECT_FALSE(sock_->IsConnected());
 }
 
-TEST_F(SSLClientSocketCertRequestInfoTest,
+INSTANTIATE_TEST_SUITE_P(TLSVersion,
+                         SSLClientSocketCertRequestInfoTest,
+                         ::testing::ValuesIn(GetTLSVersions()));
+
+TEST_P(SSLClientSocketCertRequestInfoTest,
        DontRequestClientCertsIfServerCertInvalid) {
-  SpawnedTestServer::SSLOptions ssl_options(
-      SpawnedTestServer::SSLOptions::CERT_EXPIRED);
-  ssl_options.request_client_certificate = true;
-  ASSERT_TRUE(StartTestServer(ssl_options));
+  SSLServerConfig config = GetServerConfig();
+  config.client_cert_type = SSLServerConfig::OPTIONAL_CLIENT_CERT;
+  ASSERT_TRUE(
+      StartEmbeddedTestServer(EmbeddedTestServer::CERT_EXPIRED, config));
 
   cert_verifier_->set_default_result(ERR_CERT_DATE_INVALID);
   int rv;
@@ -2742,17 +2847,16 @@ TEST_F(SSLClientSocketCertRequestInfoTest,
   EXPECT_THAT(rv, IsError(ERR_CERT_DATE_INVALID));
 }
 
-TEST_F(SSLClientSocketCertRequestInfoTest, NoAuthorities) {
-  SpawnedTestServer::SSLOptions ssl_options;
-  ssl_options.request_client_certificate = true;
-  scoped_refptr<SSLCertRequestInfo> request_info = GetCertRequest(ssl_options);
+TEST_P(SSLClientSocketCertRequestInfoTest, NoAuthorities) {
+  SSLServerConfig config = GetServerConfig();
+  config.client_cert_type = SSLServerConfig::OPTIONAL_CLIENT_CERT;
+  ASSERT_TRUE(StartEmbeddedTestServer(EmbeddedTestServer::CERT_OK, config));
+  scoped_refptr<SSLCertRequestInfo> request_info = GetCertRequest();
   ASSERT_TRUE(request_info.get());
   EXPECT_EQ(0u, request_info->cert_authorities.size());
 }
 
-TEST_F(SSLClientSocketCertRequestInfoTest, TwoAuthorities) {
-  const base::FilePath::CharType kThawteFile[] =
-      FILE_PATH_LITERAL("thawte.single.pem");
+TEST_P(SSLClientSocketCertRequestInfoTest, TwoAuthorities) {
   const unsigned char kThawteDN[] = {
       0x30, 0x4c, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13,
       0x02, 0x5a, 0x41, 0x31, 0x25, 0x30, 0x23, 0x06, 0x03, 0x55, 0x04, 0x0a,
@@ -2761,10 +2865,7 @@ TEST_F(SSLClientSocketCertRequestInfoTest, TwoAuthorities) {
       0x29, 0x20, 0x4c, 0x74, 0x64, 0x2e, 0x31, 0x16, 0x30, 0x14, 0x06, 0x03,
       0x55, 0x04, 0x03, 0x13, 0x0d, 0x54, 0x68, 0x61, 0x77, 0x74, 0x65, 0x20,
       0x53, 0x47, 0x43, 0x20, 0x43, 0x41};
-  const size_t kThawteLen = sizeof(kThawteDN);
 
-  const base::FilePath::CharType kDiginotarFile[] =
-      FILE_PATH_LITERAL("diginotar_root_ca.pem");
   const unsigned char kDiginotarDN[] = {
       0x30, 0x5f, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13,
       0x02, 0x4e, 0x4c, 0x31, 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, 0x0a,
@@ -2775,30 +2876,31 @@ TEST_F(SSLClientSocketCertRequestInfoTest, TwoAuthorities) {
       0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x11, 0x69, 0x6e, 0x66, 0x6f,
       0x40, 0x64, 0x69, 0x67, 0x69, 0x6e, 0x6f, 0x74, 0x61, 0x72, 0x2e, 0x6e,
       0x6c};
-  const size_t kDiginotarLen = sizeof(kDiginotarDN);
 
-  SpawnedTestServer::SSLOptions ssl_options;
-  ssl_options.request_client_certificate = true;
-  ssl_options.client_authorities.push_back(
-      GetTestClientCertsDirectory().Append(kThawteFile));
-  ssl_options.client_authorities.push_back(
-      GetTestClientCertsDirectory().Append(kDiginotarFile));
-  scoped_refptr<SSLCertRequestInfo> request_info = GetCertRequest(ssl_options);
+  SSLServerConfig config = GetServerConfig();
+  config.client_cert_type = SSLServerConfig::OPTIONAL_CLIENT_CERT;
+  config.cert_authorities.push_back(
+      std::string(std::begin(kThawteDN), std::end(kThawteDN)));
+  config.cert_authorities.push_back(
+      std::string(std::begin(kDiginotarDN), std::end(kDiginotarDN)));
+  ASSERT_TRUE(StartEmbeddedTestServer(EmbeddedTestServer::CERT_OK, config));
+  scoped_refptr<SSLCertRequestInfo> request_info = GetCertRequest();
   ASSERT_TRUE(request_info.get());
-  ASSERT_EQ(2u, request_info->cert_authorities.size());
-  EXPECT_EQ(std::string(reinterpret_cast<const char*>(kThawteDN), kThawteLen),
-            request_info->cert_authorities[0]);
-  EXPECT_EQ(
-      std::string(reinterpret_cast<const char*>(kDiginotarDN), kDiginotarLen),
-      request_info->cert_authorities[1]);
+  EXPECT_EQ(config.cert_authorities, request_info->cert_authorities);
 }
 
-TEST_F(SSLClientSocketCertRequestInfoTest, CertKeyTypes) {
+TEST_P(SSLClientSocketCertRequestInfoTest, CertKeyTypes) {
   SpawnedTestServer::SSLOptions ssl_options;
+  auto tls_max_version = ProtocolVersionToSpawnedTestServer(version());
+  if (!tls_max_version) {
+    return;
+  }
+  ssl_options.tls_max_version = *tls_max_version;
   ssl_options.request_client_certificate = true;
   ssl_options.client_cert_types.push_back(CLIENT_CERT_RSA_SIGN);
   ssl_options.client_cert_types.push_back(CLIENT_CERT_ECDSA_SIGN);
-  scoped_refptr<SSLCertRequestInfo> request_info = GetCertRequest(ssl_options);
+  ASSERT_TRUE(StartTestServer(ssl_options));
+  scoped_refptr<SSLCertRequestInfo> request_info = GetCertRequest();
   ASSERT_TRUE(request_info.get());
   ASSERT_EQ(2u, request_info->cert_key_types.size());
   EXPECT_EQ(CLIENT_CERT_RSA_SIGN, request_info->cert_key_types[0]);
@@ -2840,9 +2942,9 @@ TEST_F(SSLClientSocketTest, ConnectSignedCertTimestampsTLSExtension) {
 // Test that when a CT verifier and a CTPolicyEnforcer are defined, and
 // the EV certificate used conforms to the CT/EV policy, its EV status
 // is maintained.
-TEST_F(SSLClientSocketTest, EVCertStatusMaintainedForCompliantCert) {
-  SpawnedTestServer::SSLOptions ssl_options;
-  ASSERT_TRUE(StartTestServer(ssl_options));
+TEST_P(SSLClientSocketVersionTest, EVCertStatusMaintainedForCompliantCert) {
+  ASSERT_TRUE(
+      StartEmbeddedTestServer(EmbeddedTestServer::CERT_OK, GetServerConfig()));
 
   SSLConfig ssl_config;
   AddServerCertStatusToSSLConfig(CERT_STATUS_IS_EV, &ssl_config);
@@ -2865,9 +2967,9 @@ TEST_F(SSLClientSocketTest, EVCertStatusMaintainedForCompliantCert) {
 // Test that when a CT verifier and a CTPolicyEnforcer are defined, but
 // the EV certificate used does not conform to the CT/EV policy, its EV status
 // is removed.
-TEST_F(SSLClientSocketTest, EVCertStatusRemovedForNonCompliantCert) {
-  SpawnedTestServer::SSLOptions ssl_options;
-  ASSERT_TRUE(StartTestServer(ssl_options));
+TEST_P(SSLClientSocketVersionTest, EVCertStatusRemovedForNonCompliantCert) {
+  ASSERT_TRUE(
+      StartEmbeddedTestServer(EmbeddedTestServer::CERT_OK, GetServerConfig()));
 
   SSLConfig ssl_config;
   AddServerCertStatusToSSLConfig(CERT_STATUS_IS_EV, &ssl_config);
@@ -2890,14 +2992,14 @@ TEST_F(SSLClientSocketTest, EVCertStatusRemovedForNonCompliantCert) {
 
 // Test that when an EV certificate does not conform to the CT policy and its EV
 // status is removed, the corresponding histogram is recorded correctly.
-TEST_F(SSLClientSocketTest, NonCTCompliantEVHistogram) {
+TEST_P(SSLClientSocketVersionTest, NonCTCompliantEVHistogram) {
   const char kHistogramName[] = "Net.CertificateTransparency.EVCompliance2.SSL";
   base::HistogramTester histograms;
-  SpawnedTestServer::SSLOptions ssl_options;
-  ASSERT_TRUE(StartTestServer(ssl_options));
+  ASSERT_TRUE(
+      StartEmbeddedTestServer(EmbeddedTestServer::CERT_OK, GetServerConfig()));
 
   scoped_refptr<X509Certificate> server_cert =
-      spawned_test_server()->GetCertificate();
+      embedded_test_server()->GetCertificate();
 
   // Certificate is trusted and chains to a public root.
   CertVerifyResult verify_result;
@@ -2928,14 +3030,14 @@ TEST_F(SSLClientSocketTest, NonCTCompliantEVHistogram) {
 
 // Test that when an EV certificate does conform to the CT policy and its EV
 // status is not removed, the corresponding histogram is recorded correctly.
-TEST_F(SSLClientSocketTest, CTCompliantEVHistogram) {
+TEST_P(SSLClientSocketVersionTest, CTCompliantEVHistogram) {
   const char kHistogramName[] = "Net.CertificateTransparency.EVCompliance2.SSL";
   base::HistogramTester histograms;
-  SpawnedTestServer::SSLOptions ssl_options;
-  ASSERT_TRUE(StartTestServer(ssl_options));
+  ASSERT_TRUE(
+      StartEmbeddedTestServer(EmbeddedTestServer::CERT_OK, GetServerConfig()));
 
   scoped_refptr<X509Certificate> server_cert =
-      spawned_test_server()->GetCertificate();
+      embedded_test_server()->GetCertificate();
 
   // Certificate is trusted and chains to a public root.
   CertVerifyResult verify_result;
@@ -2985,8 +3087,9 @@ TEST_F(SSLClientSocketTest, ConnectSignedCertTimestampsEnablesOCSP) {
 }
 
 // Tests that IsConnectedAndIdle and WasEverUsed behave as expected.
-TEST_F(SSLClientSocketTest, ReuseStates) {
-  ASSERT_TRUE(StartTestServer(SpawnedTestServer::SSLOptions()));
+TEST_P(SSLClientSocketVersionTest, ReuseStates) {
+  ASSERT_TRUE(
+      StartEmbeddedTestServer(EmbeddedTestServer::CERT_OK, GetServerConfig()));
 
   int rv;
   ASSERT_TRUE(CreateAndConnectSSLClientSocket(SSLConfig(), &rv));
@@ -3021,14 +3124,12 @@ TEST_F(SSLClientSocketTest, ReuseStates) {
 
 // Tests that |is_fatal_cert_error| does not get set for a certificate error,
 // on a non-HSTS host.
-TEST_F(SSLClientSocketTest, IsFatalErrorNotSetOnNonFatalError) {
+TEST_P(SSLClientSocketVersionTest, IsFatalErrorNotSetOnNonFatalError) {
   cert_verifier_->set_default_result(ERR_CERT_DATE_INVALID);
-  SpawnedTestServer::SSLOptions ssl_options(
-      SpawnedTestServer::SSLOptions::CERT_CHAIN_WRONG_ROOT);
-  ASSERT_TRUE(StartTestServer(ssl_options));
-  SSLConfig ssl_config;
+  ASSERT_TRUE(StartEmbeddedTestServer(EmbeddedTestServer::CERT_CHAIN_WRONG_ROOT,
+                                      GetServerConfig()));
   int rv;
-  ASSERT_TRUE(CreateAndConnectSSLClientSocket(ssl_config, &rv));
+  ASSERT_TRUE(CreateAndConnectSSLClientSocket(SSLConfig(), &rv));
   SSLInfo ssl_info;
   ASSERT_TRUE(sock_->GetSSLInfo(&ssl_info));
   EXPECT_FALSE(ssl_info.is_fatal_cert_error);
@@ -3036,18 +3137,15 @@ TEST_F(SSLClientSocketTest, IsFatalErrorNotSetOnNonFatalError) {
 
 // Tests that |is_fatal_cert_error| gets set for a certificate error on an
 // HSTS host.
-TEST_F(SSLClientSocketTest, IsFatalErrorSetOnFatalError) {
+TEST_P(SSLClientSocketVersionTest, IsFatalErrorSetOnFatalError) {
   cert_verifier_->set_default_result(ERR_CERT_DATE_INVALID);
-  SpawnedTestServer::SSLOptions ssl_options(
-      SpawnedTestServer::SSLOptions::CERT_CHAIN_WRONG_ROOT);
-  ASSERT_TRUE(StartTestServer(ssl_options));
-  SSLConfig ssl_config;
+  ASSERT_TRUE(StartEmbeddedTestServer(EmbeddedTestServer::CERT_CHAIN_WRONG_ROOT,
+                                      GetServerConfig()));
   int rv;
   const base::Time expiry =
       base::Time::Now() + base::TimeDelta::FromSeconds(1000);
-  transport_security_state_->AddHSTS(
-      spawned_test_server()->host_port_pair().host(), expiry, true);
-  ASSERT_TRUE(CreateAndConnectSSLClientSocket(ssl_config, &rv));
+  transport_security_state_->AddHSTS(host_port_pair().host(), expiry, true);
+  ASSERT_TRUE(CreateAndConnectSSLClientSocket(SSLConfig(), &rv));
   SSLInfo ssl_info;
   ASSERT_TRUE(sock_->GetSSLInfo(&ssl_info));
   EXPECT_TRUE(ssl_info.is_fatal_cert_error);
@@ -3056,8 +3154,9 @@ TEST_F(SSLClientSocketTest, IsFatalErrorSetOnFatalError) {
 // Tests that IsConnectedAndIdle treats a socket as idle even if a Write hasn't
 // been flushed completely out of SSLClientSocket's internal buffers. This is a
 // regression test for https://crbug.com/466147.
-TEST_F(SSLClientSocketTest, ReusableAfterWrite) {
-  ASSERT_TRUE(StartTestServer(SpawnedTestServer::SSLOptions()));
+TEST_P(SSLClientSocketVersionTest, ReusableAfterWrite) {
+  ASSERT_TRUE(
+      StartEmbeddedTestServer(EmbeddedTestServer::CERT_OK, GetServerConfig()));
 
   TestCompletionCallback callback;
   std::unique_ptr<StreamSocket> real_transport(
@@ -3069,8 +3168,7 @@ TEST_F(SSLClientSocketTest, ReusableAfterWrite) {
               IsOk());
 
   std::unique_ptr<SSLClientSocket> sock(CreateSSLClientSocket(
-      std::move(transport), spawned_test_server()->host_port_pair(),
-      SSLConfig()));
+      std::move(transport), host_port_pair(), SSLConfig()));
   ASSERT_THAT(callback.GetResult(sock->Connect(callback.callback())), IsOk());
 
   // Block any application data from reaching the network.
@@ -3098,9 +3196,9 @@ TEST_F(SSLClientSocketTest, ReusableAfterWrite) {
 }
 
 // Tests that basic session resumption works.
-TEST_F(SSLClientSocketTest, SessionResumption) {
-  SpawnedTestServer::SSLOptions ssl_options;
-  ASSERT_TRUE(StartTestServer(ssl_options));
+TEST_P(SSLClientSocketVersionTest, SessionResumption) {
+  ASSERT_TRUE(
+      StartEmbeddedTestServer(EmbeddedTestServer::CERT_OK, GetServerConfig()));
 
   // First, perform a full handshake.
   SSLConfig ssl_config;
@@ -3111,6 +3209,10 @@ TEST_F(SSLClientSocketTest, SessionResumption) {
   ASSERT_TRUE(sock_->GetSSLInfo(&ssl_info));
   EXPECT_EQ(SSLInfo::HANDSHAKE_FULL, ssl_info.handshake_type);
 
+  // TLS 1.2 with False Start and TLS 1.3 cause the ticket to arrive later, so
+  // use the socket to ensure the session ticket has been picked up.
+  EXPECT_THAT(MakeHTTPRequest(sock_.get()), IsOk());
+
   // The next connection should resume.
   ASSERT_TRUE(CreateAndConnectSSLClientSocket(ssl_config, &rv));
   ASSERT_THAT(rv, IsOk());
@@ -3257,13 +3359,14 @@ TEST_F(SSLClientSocketTest, MAYBE_SessionResumptionAlpn) {
 
 // Tests that the session cache is not sharded by NetworkIsolationKey if the
 // feature is disabled.
-TEST_F(SSLClientSocketTest, SessionResumptionNetworkIsolationKeyDisabled) {
+TEST_P(SSLClientSocketVersionTest,
+       SessionResumptionNetworkIsolationKeyDisabled) {
   base::test::ScopedFeatureList feature_list;
   feature_list.InitAndDisableFeature(
       features::kPartitionSSLSessionsByNetworkIsolationKey);
 
-  SpawnedTestServer::SSLOptions ssl_options;
-  ASSERT_TRUE(StartTestServer(ssl_options));
+  ASSERT_TRUE(
+      StartEmbeddedTestServer(EmbeddedTestServer::CERT_OK, GetServerConfig()));
 
   // First, perform a full handshake.
   SSLConfig ssl_config;
@@ -3274,11 +3377,17 @@ TEST_F(SSLClientSocketTest, SessionResumptionNetworkIsolationKeyDisabled) {
   ASSERT_TRUE(sock_->GetSSLInfo(&ssl_info));
   EXPECT_EQ(SSLInfo::HANDSHAKE_FULL, ssl_info.handshake_type);
 
+  // TLS 1.2 with False Start and TLS 1.3 cause the ticket to arrive later, so
+  // use the socket to ensure the session ticket has been picked up. Do this for
+  // every connection to avoid problems with TLS 1.3 single-use tickets.
+  EXPECT_THAT(MakeHTTPRequest(sock_.get()), IsOk());
+
   // The next connection should resume.
   ASSERT_TRUE(CreateAndConnectSSLClientSocket(ssl_config, &rv));
   ASSERT_THAT(rv, IsOk());
   ASSERT_TRUE(sock_->GetSSLInfo(&ssl_info));
   EXPECT_EQ(SSLInfo::HANDSHAKE_RESUME, ssl_info.handshake_type);
+  EXPECT_THAT(MakeHTTPRequest(sock_.get()), IsOk());
   sock_.reset();
 
   // Using a different NetworkIsolationKey shares session cache key because
@@ -3289,6 +3398,7 @@ TEST_F(SSLClientSocketTest, SessionResumptionNetworkIsolationKeyDisabled) {
   ASSERT_THAT(rv, IsOk());
   ASSERT_TRUE(sock_->GetSSLInfo(&ssl_info));
   EXPECT_EQ(SSLInfo::HANDSHAKE_RESUME, ssl_info.handshake_type);
+  EXPECT_THAT(MakeHTTPRequest(sock_.get()), IsOk());
   sock_.reset();
 
   const auto kOriginB = url::Origin::Create(GURL("https://a.test"));
@@ -3297,12 +3407,14 @@ TEST_F(SSLClientSocketTest, SessionResumptionNetworkIsolationKeyDisabled) {
   ASSERT_THAT(rv, IsOk());
   ASSERT_TRUE(sock_->GetSSLInfo(&ssl_info));
   EXPECT_EQ(SSLInfo::HANDSHAKE_RESUME, ssl_info.handshake_type);
+  EXPECT_THAT(MakeHTTPRequest(sock_.get()), IsOk());
   sock_.reset();
 }
 
 // Tests that the session cache is sharded by NetworkIsolationKey if the
 // feature is enabled.
-TEST_F(SSLClientSocketTest, SessionResumptionNetworkIsolationKeyEnabled) {
+TEST_P(SSLClientSocketVersionTest,
+       SessionResumptionNetworkIsolationKeyEnabled) {
   base::test::ScopedFeatureList feature_list;
   feature_list.InitAndEnableFeature(
       features::kPartitionSSLSessionsByNetworkIsolationKey);
@@ -3312,8 +3424,8 @@ TEST_F(SSLClientSocketTest, SessionResumptionNetworkIsolationKeyEnabled) {
   const NetworkIsolationKey kNetworkIsolationKeyA(kOriginA, kOriginA);
   const NetworkIsolationKey kNetworkIsolationKeyB(kOriginB, kOriginB);
 
-  SpawnedTestServer::SSLOptions ssl_options;
-  ASSERT_TRUE(StartTestServer(ssl_options));
+  ASSERT_TRUE(
+      StartEmbeddedTestServer(EmbeddedTestServer::CERT_OK, GetServerConfig()));
 
   // First, perform a full handshake.
   SSLConfig ssl_config;
@@ -3324,11 +3436,17 @@ TEST_F(SSLClientSocketTest, SessionResumptionNetworkIsolationKeyEnabled) {
   ASSERT_TRUE(sock_->GetSSLInfo(&ssl_info));
   EXPECT_EQ(SSLInfo::HANDSHAKE_FULL, ssl_info.handshake_type);
 
+  // TLS 1.2 with False Start and TLS 1.3 cause the ticket to arrive later, so
+  // use the socket to ensure the session ticket has been picked up. Do this for
+  // every connection to avoid problems with TLS 1.3 single-use tickets.
+  EXPECT_THAT(MakeHTTPRequest(sock_.get()), IsOk());
+
   // The next connection should resume.
   ASSERT_TRUE(CreateAndConnectSSLClientSocket(ssl_config, &rv));
   ASSERT_THAT(rv, IsOk());
   ASSERT_TRUE(sock_->GetSSLInfo(&ssl_info));
   EXPECT_EQ(SSLInfo::HANDSHAKE_RESUME, ssl_info.handshake_type);
+  EXPECT_THAT(MakeHTTPRequest(sock_.get()), IsOk());
   sock_.reset();
 
   // Using a different NetworkIsolationKey uses a different session cache key.
@@ -3337,6 +3455,7 @@ TEST_F(SSLClientSocketTest, SessionResumptionNetworkIsolationKeyEnabled) {
   ASSERT_THAT(rv, IsOk());
   ASSERT_TRUE(sock_->GetSSLInfo(&ssl_info));
   EXPECT_EQ(SSLInfo::HANDSHAKE_FULL, ssl_info.handshake_type);
+  EXPECT_THAT(MakeHTTPRequest(sock_.get()), IsOk());
   sock_.reset();
 
   // We, however, can resume under that newly-established session.
@@ -3344,6 +3463,7 @@ TEST_F(SSLClientSocketTest, SessionResumptionNetworkIsolationKeyEnabled) {
   ASSERT_THAT(rv, IsOk());
   ASSERT_TRUE(sock_->GetSSLInfo(&ssl_info));
   EXPECT_EQ(SSLInfo::HANDSHAKE_RESUME, ssl_info.handshake_type);
+  EXPECT_THAT(MakeHTTPRequest(sock_.get()), IsOk());
   sock_.reset();
 
   // Repeat with another non-null key.
@@ -3352,12 +3472,14 @@ TEST_F(SSLClientSocketTest, SessionResumptionNetworkIsolationKeyEnabled) {
   ASSERT_THAT(rv, IsOk());
   ASSERT_TRUE(sock_->GetSSLInfo(&ssl_info));
   EXPECT_EQ(SSLInfo::HANDSHAKE_FULL, ssl_info.handshake_type);
+  EXPECT_THAT(MakeHTTPRequest(sock_.get()), IsOk());
   sock_.reset();
 
   ASSERT_TRUE(CreateAndConnectSSLClientSocket(ssl_config, &rv));
   ASSERT_THAT(rv, IsOk());
   ASSERT_TRUE(sock_->GetSSLInfo(&ssl_info));
   EXPECT_EQ(SSLInfo::HANDSHAKE_RESUME, ssl_info.handshake_type);
+  EXPECT_THAT(MakeHTTPRequest(sock_.get()), IsOk());
   sock_.reset();
 
   // b.test does not evict a.test's session.
@@ -3366,14 +3488,15 @@ TEST_F(SSLClientSocketTest, SessionResumptionNetworkIsolationKeyEnabled) {
   ASSERT_THAT(rv, IsOk());
   ASSERT_TRUE(sock_->GetSSLInfo(&ssl_info));
   EXPECT_EQ(SSLInfo::HANDSHAKE_RESUME, ssl_info.handshake_type);
+  EXPECT_THAT(MakeHTTPRequest(sock_.get()), IsOk());
   sock_.reset();
 }
 
 // Tests that connections with certificate errors do not add entries to the
 // session cache.
-TEST_F(SSLClientSocketTest, CertificateErrorNoResume) {
-  SpawnedTestServer::SSLOptions ssl_options;
-  ASSERT_TRUE(StartTestServer(ssl_options));
+TEST_P(SSLClientSocketVersionTest, CertificateErrorNoResume) {
+  ASSERT_TRUE(
+      StartEmbeddedTestServer(EmbeddedTestServer::CERT_OK, GetServerConfig()));
 
   cert_verifier_->set_default_result(ERR_CERT_COMMON_NAME_INVALID);
 
@@ -3842,11 +3965,11 @@ HashValueVector MakeHashValueVector(uint8_t value) {
 
 // Test that |ssl_info.pkp_bypassed| is set when a local trust anchor causes
 // pinning to be bypassed.
-TEST_F(SSLClientSocketTest, PKPBypassedSet) {
-  SpawnedTestServer::SSLOptions ssl_options;
-  ASSERT_TRUE(StartTestServer(ssl_options));
+TEST_P(SSLClientSocketVersionTest, PKPBypassedSet) {
+  ASSERT_TRUE(
+      StartEmbeddedTestServer(EmbeddedTestServer::CERT_OK, GetServerConfig()));
   scoped_refptr<X509Certificate> server_cert =
-      spawned_test_server()->GetCertificate();
+      embedded_test_server()->GetCertificate();
 
   // The certificate needs to be trusted, but chain to a local root with
   // different public key hashes than specified in the pin.
@@ -3862,10 +3985,9 @@ TEST_F(SSLClientSocketTest, PKPBypassedSet) {
 
   SSLConfig ssl_config;
   int rv;
-  HostPortPair host_port_pair("example.test",
-                              spawned_test_server()->host_port_pair().port());
-  ASSERT_TRUE(
-      CreateAndConnectSSLClientSocketWithHost(ssl_config, host_port_pair, &rv));
+  HostPortPair new_host_port_pair("example.test", host_port_pair().port());
+  ASSERT_TRUE(CreateAndConnectSSLClientSocketWithHost(ssl_config,
+                                                      new_host_port_pair, &rv));
   SSLInfo ssl_info;
   ASSERT_TRUE(sock_->GetSSLInfo(&ssl_info));
 
@@ -3876,11 +3998,11 @@ TEST_F(SSLClientSocketTest, PKPBypassedSet) {
   EXPECT_FALSE(ssl_info.cert_status & CERT_STATUS_PINNED_KEY_MISSING);
 }
 
-TEST_F(SSLClientSocketTest, PKPEnforced) {
-  SpawnedTestServer::SSLOptions ssl_options;
-  ASSERT_TRUE(StartTestServer(ssl_options));
+TEST_P(SSLClientSocketVersionTest, PKPEnforced) {
+  ASSERT_TRUE(
+      StartEmbeddedTestServer(EmbeddedTestServer::CERT_OK, GetServerConfig()));
   scoped_refptr<X509Certificate> server_cert =
-      spawned_test_server()->GetCertificate();
+      embedded_test_server()->GetCertificate();
 
   // Certificate is trusted, but chains to a public root that doesn't match the
   // pin hashes.
@@ -3896,10 +4018,9 @@ TEST_F(SSLClientSocketTest, PKPEnforced) {
 
   SSLConfig ssl_config;
   int rv;
-  HostPortPair host_port_pair("example.test",
-                              spawned_test_server()->host_port_pair().port());
-  ASSERT_TRUE(
-      CreateAndConnectSSLClientSocketWithHost(ssl_config, host_port_pair, &rv));
+  HostPortPair new_host_port_pair("example.test", host_port_pair().port());
+  ASSERT_TRUE(CreateAndConnectSSLClientSocketWithHost(ssl_config,
+                                                      new_host_port_pair, &rv));
   SSLInfo ssl_info;
   ASSERT_TRUE(sock_->GetSSLInfo(&ssl_info));
 
@@ -3979,11 +4100,11 @@ INSTANTIATE_TEST_SUITE_P(RSAKeyUsageInstantiation,
 
 // Test that when CT is required (in this case, by the delegate), the
 // absence of CT information is a socket error.
-TEST_F(SSLClientSocketTest, CTIsRequired) {
-  SpawnedTestServer::SSLOptions ssl_options;
-  ASSERT_TRUE(StartTestServer(ssl_options));
+TEST_P(SSLClientSocketVersionTest, CTIsRequired) {
+  ASSERT_TRUE(
+      StartEmbeddedTestServer(EmbeddedTestServer::CERT_OK, GetServerConfig()));
   scoped_refptr<X509Certificate> server_cert =
-      spawned_test_server()->GetCertificate();
+      embedded_test_server()->GetCertificate();
 
   // Certificate is trusted and chains to a public root.
   CertVerifyResult verify_result;
@@ -3999,9 +4120,8 @@ TEST_F(SSLClientSocketTest, CTIsRequired) {
   EXPECT_CALL(require_ct_delegate, IsCTRequiredForHost(_, _, _))
       .WillRepeatedly(Return(TransportSecurityState::RequireCTDelegate::
                                  CTRequirementLevel::NOT_REQUIRED));
-  EXPECT_CALL(
-      require_ct_delegate,
-      IsCTRequiredForHost(spawned_test_server()->host_port_pair().host(), _, _))
+  EXPECT_CALL(require_ct_delegate,
+              IsCTRequiredForHost(host_port_pair().host(), _, _))
       .WillRepeatedly(Return(TransportSecurityState::RequireCTDelegate::
                                  CTRequirementLevel::REQUIRED));
   EXPECT_CALL(*ct_policy_enforcer_, CheckCompliance(server_cert.get(), _, _))
@@ -4022,11 +4142,11 @@ TEST_F(SSLClientSocketTest, CTIsRequired) {
 
 // Test that when CT is required, setting ignore_certificate_errors
 // ignores errors in CT.
-TEST_F(SSLClientSocketTest, IgnoreCertificateErrorsBypassesRequiredCT) {
-  SpawnedTestServer::SSLOptions ssl_options;
-  ASSERT_TRUE(StartTestServer(ssl_options));
+TEST_P(SSLClientSocketVersionTest, IgnoreCertificateErrorsBypassesRequiredCT) {
+  ASSERT_TRUE(
+      StartEmbeddedTestServer(EmbeddedTestServer::CERT_OK, GetServerConfig()));
   scoped_refptr<X509Certificate> server_cert =
-      spawned_test_server()->GetCertificate();
+      embedded_test_server()->GetCertificate();
 
   // Certificate is trusted and chains to a public root.
   CertVerifyResult verify_result;
@@ -4042,9 +4162,8 @@ TEST_F(SSLClientSocketTest, IgnoreCertificateErrorsBypassesRequiredCT) {
   EXPECT_CALL(require_ct_delegate, IsCTRequiredForHost(_, _, _))
       .WillRepeatedly(Return(TransportSecurityState::RequireCTDelegate::
                                  CTRequirementLevel::NOT_REQUIRED));
-  EXPECT_CALL(
-      require_ct_delegate,
-      IsCTRequiredForHost(spawned_test_server()->host_port_pair().host(), _, _))
+  EXPECT_CALL(require_ct_delegate,
+              IsCTRequiredForHost(host_port_pair().host(), _, _))
       .WillRepeatedly(Return(TransportSecurityState::RequireCTDelegate::
                                  CTRequirementLevel::REQUIRED));
   EXPECT_CALL(*ct_policy_enforcer_, CheckCompliance(server_cert.get(), _, _))
@@ -4065,15 +4184,15 @@ TEST_F(SSLClientSocketTest, IgnoreCertificateErrorsBypassesRequiredCT) {
 }
 
 // Test that the CT compliance status is recorded in a histogram.
-TEST_F(SSLClientSocketTest, CTComplianceStatusHistogram) {
+TEST_P(SSLClientSocketVersionTest, CTComplianceStatusHistogram) {
   const char kHistogramName[] =
       "Net.CertificateTransparency.ConnectionComplianceStatus2.SSL";
   base::HistogramTester histograms;
 
-  SpawnedTestServer::SSLOptions ssl_options;
-  ASSERT_TRUE(StartTestServer(ssl_options));
+  ASSERT_TRUE(
+      StartEmbeddedTestServer(EmbeddedTestServer::CERT_OK, GetServerConfig()));
   scoped_refptr<X509Certificate> server_cert =
-      spawned_test_server()->GetCertificate();
+      embedded_test_server()->GetCertificate();
 
   // Certificate is trusted.
   CertVerifyResult verify_result;
@@ -4100,15 +4219,15 @@ TEST_F(SSLClientSocketTest, CTComplianceStatusHistogram) {
 
 // Test that the CT compliance status histogram is not recorded for
 // locally-installed roots.
-TEST_F(SSLClientSocketTest, CTComplianceStatusHistogramLocalRoot) {
+TEST_P(SSLClientSocketVersionTest, CTComplianceStatusHistogramLocalRoot) {
   const char kHistogramName[] =
       "Net.CertificateTransparency.ConnectionComplianceStatus2.SSL";
   base::HistogramTester histograms;
 
-  SpawnedTestServer::SSLOptions ssl_options;
-  ASSERT_TRUE(StartTestServer(ssl_options));
+  ASSERT_TRUE(
+      StartEmbeddedTestServer(EmbeddedTestServer::CERT_OK, GetServerConfig()));
   scoped_refptr<X509Certificate> server_cert =
-      spawned_test_server()->GetCertificate();
+      embedded_test_server()->GetCertificate();
 
   // Certificate is trusted but chains to a local root.
   CertVerifyResult verify_result;
@@ -4133,7 +4252,7 @@ TEST_F(SSLClientSocketTest, CTComplianceStatusHistogramLocalRoot) {
 // Test that when CT is required (in this case, by an Expect-CT opt-in) and the
 // connection is compliant, the histogram for CT-required connections is
 // recorded properly.
-TEST_F(SSLClientSocketTest, CTRequiredHistogramCompliant) {
+TEST_P(SSLClientSocketVersionTest, CTRequiredHistogramCompliant) {
   const char kHistogramName[] =
       "Net.CertificateTransparency.CTRequiredConnectionComplianceStatus2.SSL";
   base::HistogramTester histograms;
@@ -4142,10 +4261,10 @@ TEST_F(SSLClientSocketTest, CTRequiredHistogramCompliant) {
   feature_list.InitAndEnableFeature(
       TransportSecurityState::kDynamicExpectCTFeature);
 
-  SpawnedTestServer::SSLOptions ssl_options;
-  ASSERT_TRUE(StartTestServer(ssl_options));
+  ASSERT_TRUE(
+      StartEmbeddedTestServer(EmbeddedTestServer::CERT_OK, GetServerConfig()));
   scoped_refptr<X509Certificate> server_cert =
-      spawned_test_server()->GetCertificate();
+      embedded_test_server()->GetCertificate();
 
   // Certificate is trusted and chains to a public root.
   CertVerifyResult verify_result;
@@ -4158,9 +4277,9 @@ TEST_F(SSLClientSocketTest, CTRequiredHistogramCompliant) {
   // Set up the Expect-CT opt-in.
   const base::Time current_time(base::Time::Now());
   const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000);
-  transport_security_state_->AddExpectCT(
-      spawned_test_server()->host_port_pair().host(), expiry,
-      true /* enforce */, GURL("https://example-report.test"));
+  transport_security_state_->AddExpectCT(host_port_pair().host(), expiry,
+                                         true /* enforce */,
+                                         GURL("https://example-report.test"));
   MockExpectCTReporter reporter;
   transport_security_state_->SetExpectCTReporter(&reporter);
 
@@ -4182,15 +4301,15 @@ TEST_F(SSLClientSocketTest, CTRequiredHistogramCompliant) {
 
 // Test that when CT is not required and the connection is compliant, the
 // histogram for CT-required connections is not recorded.
-TEST_F(SSLClientSocketTest, CTNotRequiredHistogram) {
+TEST_P(SSLClientSocketVersionTest, CTNotRequiredHistogram) {
   const char kHistogramName[] =
       "Net.CertificateTransparency.CTRequiredConnectionComplianceStatus2.SSL";
   base::HistogramTester histograms;
 
-  SpawnedTestServer::SSLOptions ssl_options;
-  ASSERT_TRUE(StartTestServer(ssl_options));
+  ASSERT_TRUE(
+      StartEmbeddedTestServer(EmbeddedTestServer::CERT_OK, GetServerConfig()));
   scoped_refptr<X509Certificate> server_cert =
-      spawned_test_server()->GetCertificate();
+      embedded_test_server()->GetCertificate();
 
   // Certificate is trusted and chains to a private root, so CT is not required.
   CertVerifyResult verify_result;
@@ -4218,7 +4337,7 @@ TEST_F(SSLClientSocketTest, CTNotRequiredHistogram) {
 // Test that when CT is required (in this case, by an Expect-CT opt-in), the
 // absence of CT information is recorded in the histogram for CT-required
 // connections.
-TEST_F(SSLClientSocketTest, CTRequiredHistogramNonCompliant) {
+TEST_P(SSLClientSocketVersionTest, CTRequiredHistogramNonCompliant) {
   const char kHistogramName[] =
       "Net.CertificateTransparency.CTRequiredConnectionComplianceStatus2.SSL";
   base::HistogramTester histograms;
@@ -4227,10 +4346,10 @@ TEST_F(SSLClientSocketTest, CTRequiredHistogramNonCompliant) {
   feature_list.InitAndEnableFeature(
       TransportSecurityState::kDynamicExpectCTFeature);
 
-  SpawnedTestServer::SSLOptions ssl_options;
-  ASSERT_TRUE(StartTestServer(ssl_options));
+  ASSERT_TRUE(
+      StartEmbeddedTestServer(EmbeddedTestServer::CERT_OK, GetServerConfig()));
   scoped_refptr<X509Certificate> server_cert =
-      spawned_test_server()->GetCertificate();
+      embedded_test_server()->GetCertificate();
 
   // Certificate is trusted and chains to a public root.
   CertVerifyResult verify_result;
@@ -4243,9 +4362,9 @@ TEST_F(SSLClientSocketTest, CTRequiredHistogramNonCompliant) {
   // Set up the Expect-CT opt-in.
   const base::Time current_time(base::Time::Now());
   const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000);
-  transport_security_state_->AddExpectCT(
-      spawned_test_server()->host_port_pair().host(), expiry,
-      true /* enforce */, GURL("https://example-report.test"));
+  transport_security_state_->AddExpectCT(host_port_pair().host(), expiry,
+                                         true /* enforce */,
+                                         GURL("https://example-report.test"));
   MockExpectCTReporter reporter;
   transport_security_state_->SetExpectCTReporter(&reporter);
 
@@ -4269,11 +4388,11 @@ TEST_F(SSLClientSocketTest, CTRequiredHistogramNonCompliant) {
 
 // Test that when CT is required (in this case, by an Expect-CT opt-in) but the
 // connection is not compliant, the relevant flag is set on the SSLInfo.
-TEST_F(SSLClientSocketTest, CTRequirementsFlagNotMet) {
-  SpawnedTestServer::SSLOptions ssl_options;
-  ASSERT_TRUE(StartTestServer(ssl_options));
+TEST_P(SSLClientSocketVersionTest, CTRequirementsFlagNotMet) {
+  ASSERT_TRUE(
+      StartEmbeddedTestServer(EmbeddedTestServer::CERT_OK, GetServerConfig()));
   scoped_refptr<X509Certificate> server_cert =
-      spawned_test_server()->GetCertificate();
+      embedded_test_server()->GetCertificate();
 
   // Certificate is trusted and chains to a public root.
   CertVerifyResult verify_result;
@@ -4286,9 +4405,8 @@ TEST_F(SSLClientSocketTest, CTRequirementsFlagNotMet) {
   // Set up the Expect-CT opt-in.
   const base::Time current_time(base::Time::Now());
   const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000);
-  transport_security_state_->AddExpectCT(
-      spawned_test_server()->host_port_pair().host(), expiry,
-      true /* enforce */, GURL());
+  transport_security_state_->AddExpectCT(host_port_pair().host(), expiry,
+                                         true /* enforce */, GURL());
 
   EXPECT_CALL(*ct_policy_enforcer_, CheckCompliance(server_cert.get(), _, _))
       .WillRepeatedly(
@@ -4304,11 +4422,11 @@ TEST_F(SSLClientSocketTest, CTRequirementsFlagNotMet) {
 
 // Test that when CT is required (in this case, by an Expect-CT opt-in) and the
 // connection is compliant, the relevant flag is set on the SSLInfo.
-TEST_F(SSLClientSocketTest, CTRequirementsFlagMet) {
-  SpawnedTestServer::SSLOptions ssl_options;
-  ASSERT_TRUE(StartTestServer(ssl_options));
+TEST_P(SSLClientSocketVersionTest, CTRequirementsFlagMet) {
+  ASSERT_TRUE(
+      StartEmbeddedTestServer(EmbeddedTestServer::CERT_OK, GetServerConfig()));
   scoped_refptr<X509Certificate> server_cert =
-      spawned_test_server()->GetCertificate();
+      embedded_test_server()->GetCertificate();
 
   // Certificate is trusted and chains to a public root.
   CertVerifyResult verify_result;
@@ -4321,9 +4439,8 @@ TEST_F(SSLClientSocketTest, CTRequirementsFlagMet) {
   // Set up the Expect-CT opt-in.
   const base::Time current_time(base::Time::Now());
   const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000);
-  transport_security_state_->AddExpectCT(
-      spawned_test_server()->host_port_pair().host(), expiry,
-      true /* enforce */, GURL());
+  transport_security_state_->AddExpectCT(host_port_pair().host(), expiry,
+                                         true /* enforce */, GURL());
 
   EXPECT_CALL(*ct_policy_enforcer_, CheckCompliance(server_cert.get(), _, _))
       .WillRepeatedly(
@@ -4339,7 +4456,7 @@ TEST_F(SSLClientSocketTest, CTRequirementsFlagMet) {
 
 // Test that when CT is required (in this case, by a CT delegate), the CT
 // required histogram is not recorded for a locally installed root.
-TEST_F(SSLClientSocketTest, CTRequiredHistogramNonCompliantLocalRoot) {
+TEST_P(SSLClientSocketVersionTest, CTRequiredHistogramNonCompliantLocalRoot) {
   const char kHistogramName[] =
       "Net.CertificateTransparency.CTRequiredConnectionComplianceStatus2.SSL";
   base::HistogramTester histograms;
@@ -4348,10 +4465,10 @@ TEST_F(SSLClientSocketTest, CTRequiredHistogramNonCompliantLocalRoot) {
   feature_list.InitAndEnableFeature(
       TransportSecurityState::kDynamicExpectCTFeature);
 
-  SpawnedTestServer::SSLOptions ssl_options;
-  ASSERT_TRUE(StartTestServer(ssl_options));
+  ASSERT_TRUE(
+      StartEmbeddedTestServer(EmbeddedTestServer::CERT_OK, GetServerConfig()));
   scoped_refptr<X509Certificate> server_cert =
-      spawned_test_server()->GetCertificate();
+      embedded_test_server()->GetCertificate();
 
   CertVerifyResult verify_result;
   verify_result.is_issued_by_known_root = false;
@@ -4387,15 +4504,15 @@ TEST_F(SSLClientSocketTest, CTRequiredHistogramNonCompliantLocalRoot) {
 
 // Test that when CT is required (in this case, by an Expect-CT opt-in), the
 // absence of CT information is a socket error.
-TEST_F(SSLClientSocketTest, CTIsRequiredByExpectCT) {
+TEST_P(SSLClientSocketVersionTest, CTIsRequiredByExpectCT) {
   base::test::ScopedFeatureList feature_list;
   feature_list.InitAndEnableFeature(
       TransportSecurityState::kDynamicExpectCTFeature);
 
-  SpawnedTestServer::SSLOptions ssl_options;
-  ASSERT_TRUE(StartTestServer(ssl_options));
+  ASSERT_TRUE(
+      StartEmbeddedTestServer(EmbeddedTestServer::CERT_OK, GetServerConfig()));
   scoped_refptr<X509Certificate> server_cert =
-      spawned_test_server()->GetCertificate();
+      embedded_test_server()->GetCertificate();
 
   // Certificate is trusted and chains to a public root.
   CertVerifyResult verify_result;
@@ -4408,9 +4525,9 @@ TEST_F(SSLClientSocketTest, CTIsRequiredByExpectCT) {
   // Set up the Expect-CT opt-in.
   const base::Time current_time(base::Time::Now());
   const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000);
-  transport_security_state_->AddExpectCT(
-      spawned_test_server()->host_port_pair().host(), expiry,
-      true /* enforce */, GURL("https://example-report.test"));
+  transport_security_state_->AddExpectCT(host_port_pair().host(), expiry,
+                                         true /* enforce */,
+                                         GURL("https://example-report.test"));
   MockExpectCTReporter reporter;
   transport_security_state_->SetExpectCTReporter(&reporter);
 
@@ -4484,11 +4601,11 @@ TEST_F(SSLClientSocketTest, CTIsRequiredByExpectCT) {
 
 // When both PKP and CT are required for a host, and both fail, the more
 // serious error is that the pin validation failed.
-TEST_F(SSLClientSocketTest, PKPMoreImportantThanCT) {
-  SpawnedTestServer::SSLOptions ssl_options;
-  ASSERT_TRUE(StartTestServer(ssl_options));
+TEST_P(SSLClientSocketVersionTest, PKPMoreImportantThanCT) {
+  ASSERT_TRUE(
+      StartEmbeddedTestServer(EmbeddedTestServer::CERT_OK, GetServerConfig()));
   scoped_refptr<X509Certificate> server_cert =
-      spawned_test_server()->GetCertificate();
+      embedded_test_server()->GetCertificate();
 
   // Certificate is trusted, but chains to a public root that doesn't match the
   // pin hashes.
@@ -4519,10 +4636,9 @@ TEST_F(SSLClientSocketTest, PKPMoreImportantThanCT) {
 
   SSLConfig ssl_config;
   int rv;
-  HostPortPair host_port_pair(kCTHost,
-                              spawned_test_server()->host_port_pair().port());
-  ASSERT_TRUE(
-      CreateAndConnectSSLClientSocketWithHost(ssl_config, host_port_pair, &rv));
+  HostPortPair ct_host_port_pair(kCTHost, host_port_pair().port());
+  ASSERT_TRUE(CreateAndConnectSSLClientSocketWithHost(ssl_config,
+                                                      ct_host_port_pair, &rv));
   SSLInfo ssl_info;
   ASSERT_TRUE(sock_->GetSSLInfo(&ssl_info));
 
@@ -4536,7 +4652,8 @@ TEST_F(SSLClientSocketTest, PKPMoreImportantThanCT) {
 // Test that handshake_failure alerts at the ServerHello are mapped to
 // ERR_SSL_VERSION_OR_CIPHER_MISMATCH.
 TEST_F(SSLClientSocketTest, HandshakeFailureServerHello) {
-  ASSERT_TRUE(StartTestServer(SpawnedTestServer::SSLOptions()));
+  ASSERT_TRUE(
+      StartEmbeddedTestServer(EmbeddedTestServer::CERT_OK, SSLServerConfig()));
 
   TestCompletionCallback callback;
   std::unique_ptr<StreamSocket> real_transport(
@@ -4548,8 +4665,7 @@ TEST_F(SSLClientSocketTest, HandshakeFailureServerHello) {
   ASSERT_THAT(rv, IsOk());
 
   std::unique_ptr<SSLClientSocket> sock(CreateSSLClientSocket(
-      std::move(transport), spawned_test_server()->host_port_pair(),
-      SSLConfig()));
+      std::move(transport), host_port_pair(), SSLConfig()));
 
   // Connect. Stop before the client processes ServerHello.
   raw_transport->BlockReadResult();
@@ -4569,7 +4685,10 @@ TEST_F(SSLClientSocketTest, HandshakeFailureServerHello) {
 // Test that handshake_failure alerts after the ServerHello but without a
 // CertificateRequest are mapped to ERR_SSL_PROTOCOL_ERROR.
 TEST_F(SSLClientSocketTest, HandshakeFailureNoClientCerts) {
-  ASSERT_TRUE(StartTestServer(SpawnedTestServer::SSLOptions()));
+  SSLServerConfig server_config;
+  server_config.version_max = SSL_PROTOCOL_VERSION_TLS1_2;
+  ASSERT_TRUE(
+      StartEmbeddedTestServer(EmbeddedTestServer::CERT_OK, server_config));
 
   TestCompletionCallback callback;
   std::unique_ptr<StreamSocket> real_transport(
@@ -4581,8 +4700,7 @@ TEST_F(SSLClientSocketTest, HandshakeFailureNoClientCerts) {
   ASSERT_THAT(rv, IsOk());
 
   std::unique_ptr<SSLClientSocket> sock(CreateSSLClientSocket(
-      std::move(transport), spawned_test_server()->host_port_pair(),
-      SSLConfig()));
+      std::move(transport), host_port_pair(), SSLConfig()));
 
   // Connect. Stop before the client processes ServerHello.
   raw_transport->BlockReadResult();
@@ -4615,9 +4733,11 @@ TEST_F(SSLClientSocketTest, HandshakeFailureNoClientCerts) {
 // common. See https://crbug.com/646567.
 TEST_F(SSLClientSocketTest, LateHandshakeFailureMissingClientCerts) {
   // Request a client certificate.
-  SpawnedTestServer::SSLOptions ssl_options;
-  ssl_options.request_client_certificate = true;
-  ASSERT_TRUE(StartTestServer(ssl_options));
+  SSLServerConfig server_config;
+  server_config.version_max = SSL_PROTOCOL_VERSION_TLS1_2;
+  server_config.client_cert_type = SSLServerConfig::OPTIONAL_CLIENT_CERT;
+  ASSERT_TRUE(
+      StartEmbeddedTestServer(EmbeddedTestServer::CERT_OK, server_config));
 
   TestCompletionCallback callback;
   std::unique_ptr<StreamSocket> real_transport(
@@ -4629,11 +4749,9 @@ TEST_F(SSLClientSocketTest, LateHandshakeFailureMissingClientCerts) {
   ASSERT_THAT(rv, IsOk());
 
   // Send no client certificate.
-  context_->SetClientCertificate(spawned_test_server()->host_port_pair(),
-                                 nullptr, nullptr);
+  context_->SetClientCertificate(host_port_pair(), nullptr, nullptr);
   std::unique_ptr<SSLClientSocket> sock(CreateSSLClientSocket(
-      std::move(transport), spawned_test_server()->host_port_pair(),
-      SSLConfig()));
+      std::move(transport), host_port_pair(), SSLConfig()));
 
   // Connect. Stop before the client processes ServerHello.
   raw_transport->BlockReadResult();
@@ -4665,9 +4783,11 @@ TEST_F(SSLClientSocketTest, LateHandshakeFailureMissingClientCerts) {
 // assumed servers will send a more appropriate alert in this case.
 TEST_F(SSLClientSocketTest, LateHandshakeFailureSendClientCerts) {
   // Request a client certificate.
-  SpawnedTestServer::SSLOptions ssl_options;
-  ssl_options.request_client_certificate = true;
-  ASSERT_TRUE(StartTestServer(ssl_options));
+  SSLServerConfig server_config;
+  server_config.version_max = SSL_PROTOCOL_VERSION_TLS1_2;
+  server_config.client_cert_type = SSLServerConfig::OPTIONAL_CLIENT_CERT;
+  ASSERT_TRUE(
+      StartEmbeddedTestServer(EmbeddedTestServer::CERT_OK, server_config));
 
   TestCompletionCallback callback;
   std::unique_ptr<StreamSocket> real_transport(
@@ -4681,12 +4801,10 @@ TEST_F(SSLClientSocketTest, LateHandshakeFailureSendClientCerts) {
   // Send a client certificate.
   base::FilePath certs_dir = GetTestCertsDirectory();
   context_->SetClientCertificate(
-      spawned_test_server()->host_port_pair(),
-      ImportCertFromFile(certs_dir, "client_1.pem"),
+      host_port_pair(), ImportCertFromFile(certs_dir, "client_1.pem"),
       key_util::LoadPrivateKeyOpenSSL(certs_dir.AppendASCII("client_1.key")));
   std::unique_ptr<SSLClientSocket> sock(CreateSSLClientSocket(
-      std::move(transport), spawned_test_server()->host_port_pair(),
-      SSLConfig()));
+      std::move(transport), host_port_pair(), SSLConfig()));
 
   // Connect. Stop before the client processes ServerHello.
   raw_transport->BlockReadResult();
@@ -4717,7 +4835,11 @@ TEST_F(SSLClientSocketTest, LateHandshakeFailureSendClientCerts) {
 // received on a connection not requesting client certificates. This is an
 // incorrect use of the alert but is common. See https://crbug.com/630883.
 TEST_F(SSLClientSocketTest, AccessDeniedNoClientCerts) {
-  ASSERT_TRUE(StartTestServer(SpawnedTestServer::SSLOptions()));
+  // Request a client certificate.
+  SSLServerConfig server_config;
+  server_config.version_max = SSL_PROTOCOL_VERSION_TLS1_2;
+  ASSERT_TRUE(
+      StartEmbeddedTestServer(EmbeddedTestServer::CERT_OK, server_config));
 
   TestCompletionCallback callback;
   std::unique_ptr<StreamSocket> real_transport(
@@ -4729,8 +4851,7 @@ TEST_F(SSLClientSocketTest, AccessDeniedNoClientCerts) {
   ASSERT_THAT(rv, IsOk());
 
   std::unique_ptr<SSLClientSocket> sock(CreateSSLClientSocket(
-      std::move(transport), spawned_test_server()->host_port_pair(),
-      SSLConfig()));
+      std::move(transport), host_port_pair(), SSLConfig()));
 
   // Connect. Stop before the client processes ServerHello.
   raw_transport->BlockReadResult();
@@ -4761,9 +4882,11 @@ TEST_F(SSLClientSocketTest, AccessDeniedNoClientCerts) {
 // received on a connection requesting client certificates.
 TEST_F(SSLClientSocketTest, AccessDeniedClientCerts) {
   // Request a client certificate.
-  SpawnedTestServer::SSLOptions ssl_options;
-  ssl_options.request_client_certificate = true;
-  ASSERT_TRUE(StartTestServer(ssl_options));
+  SSLServerConfig server_config;
+  server_config.version_max = SSL_PROTOCOL_VERSION_TLS1_2;
+  server_config.client_cert_type = SSLServerConfig::OPTIONAL_CLIENT_CERT;
+  ASSERT_TRUE(
+      StartEmbeddedTestServer(EmbeddedTestServer::CERT_OK, server_config));
 
   TestCompletionCallback callback;
   std::unique_ptr<StreamSocket> real_transport(
@@ -4777,12 +4900,10 @@ TEST_F(SSLClientSocketTest, AccessDeniedClientCerts) {
   // Send a client certificate.
   base::FilePath certs_dir = GetTestCertsDirectory();
   context_->SetClientCertificate(
-      spawned_test_server()->host_port_pair(),
-      ImportCertFromFile(certs_dir, "client_1.pem"),
+      host_port_pair(), ImportCertFromFile(certs_dir, "client_1.pem"),
       key_util::LoadPrivateKeyOpenSSL(certs_dir.AppendASCII("client_1.key")));
   std::unique_ptr<SSLClientSocket> sock(CreateSSLClientSocket(
-      std::move(transport), spawned_test_server()->host_port_pair(),
-      SSLConfig()));
+      std::move(transport), host_port_pair(), SSLConfig()));
 
   // Connect. Stop before the client processes ServerHello.
   raw_transport->BlockReadResult();
@@ -5125,7 +5246,8 @@ TEST_F(SSLClientSocketZeroRTTTest, ZeroRTTParallelReadConfirm) {
 
 // Basic test for dumping memory stats.
 TEST_P(SSLClientSocketReadTest, DumpMemoryStats) {
-  ASSERT_TRUE(StartTestServer(SpawnedTestServer::SSLOptions()));
+  ASSERT_TRUE(
+      StartEmbeddedTestServer(EmbeddedTestServer::CERT_OK, GetServerConfig()));
 
   // This test compares the memory usage when there is and isn't a pending read
   // on the socket, so disable the post-handshake peek.
@@ -5161,6 +5283,10 @@ TEST_P(SSLClientSocketReadTest, DumpMemoryStats) {
   }
   EXPECT_EQ(1u, stats2.cert_count);
   EXPECT_LT(0u, stats2.cert_size);
+
+  // Drop the socket. It has a pending read with a reference to |read_callback|,
+  // so the socket must be dropped before the test returns.
+  sock_ = nullptr;
 }
 
 TEST_P(SSLClientSocketReadTest, IdleAfterRead) {
@@ -5198,7 +5324,7 @@ TEST_P(SSLClientSocketReadTest, IdleAfterRead) {
       crypto::RSAPrivateKey::CreateFromKey(pkey.get());
   ASSERT_TRUE(key);
   std::unique_ptr<SSLServerContext> server_context =
-      CreateSSLServerContext(cert.get(), *key.get(), SSLServerConfig());
+      CreateSSLServerContext(cert.get(), *key.get(), GetServerConfig());
 
   // Complete the SSL handshake on both sides.
   std::unique_ptr<SSLClientSocket> client(CreateSSLClientSocket(
@@ -5339,9 +5465,10 @@ TEST_F(SSLClientSocketTest, SSLOverSSLBadCertificate) {
 }
 
 TEST_F(SSLClientSocketTest, Tag) {
-  ASSERT_TRUE(StartTestServer(SpawnedTestServer::SSLOptions()));
+  ASSERT_TRUE(
+      StartEmbeddedTestServer(EmbeddedTestServer::CERT_OK, SSLServerConfig()));
 
-  TestNetLog log;
+  RecordingTestNetLog log;
   std::unique_ptr<StreamSocket> transport(
       new TCPClientSocket(addr(), nullptr, &log, NetLogSource()));
 
@@ -5350,9 +5477,9 @@ TEST_F(SSLClientSocketTest, Tag) {
 
   // |sock| takes ownership of |tagging_sock|, but keep a
   // non-owning pointer to it.
-  std::unique_ptr<SSLClientSocket> sock(CreateSSLClientSocket(
-      std::unique_ptr<StreamSocket>(tagging_sock),
-      spawned_test_server()->host_port_pair(), SSLConfig()));
+  std::unique_ptr<SSLClientSocket> sock(
+      CreateSSLClientSocket(std::unique_ptr<StreamSocket>(tagging_sock),
+                            host_port_pair(), SSLConfig()));
 
   EXPECT_EQ(tagging_sock->tag(), SocketTag());
 #if defined(OS_ANDROID)
@@ -5362,54 +5489,68 @@ TEST_F(SSLClientSocketTest, Tag) {
 #endif  // OS_ANDROID
 }
 
-// Test downgrade enforcement behaves as expected.
-TEST_F(SSLClientSocketTest, TLS13DowngradeEnforced) {
-  for (auto tls_max_version :
-       {SpawnedTestServer::SSLOptions::TLS_MAX_VERSION_TLS1_0,
-        SpawnedTestServer::SSLOptions::TLS_MAX_VERSION_TLS1_1,
-        SpawnedTestServer::SSLOptions::TLS_MAX_VERSION_TLS1_2}) {
-    for (bool downgrade : {false, true}) {
-      SCOPED_TRACE(downgrade);
-      SCOPED_TRACE(tls_max_version);
-      SpawnedTestServer::SSLOptions ssl_options;
-      ssl_options.simulate_tls13_downgrade = downgrade;
-      ssl_options.tls_max_version = tls_max_version;
-      ASSERT_TRUE(StartTestServer(ssl_options));
-      scoped_refptr<X509Certificate> server_cert =
-          spawned_test_server()->GetCertificate();
-
-      for (bool enable_for_local_anchors : {false, true}) {
-        SCOPED_TRACE(enable_for_local_anchors);
-        SSLContextConfig config;
-        config.version_max = SSL_PROTOCOL_VERSION_TLS1_3;
-        config.tls13_hardening_for_local_anchors_enabled =
-            enable_for_local_anchors;
-        ssl_config_service_->UpdateSSLConfigAndNotify(config);
-
-        for (bool known_root : {false, true}) {
-          SCOPED_TRACE(known_root);
-          CertVerifyResult verify_result;
-          verify_result.is_issued_by_known_root = known_root;
-          verify_result.verified_cert = server_cert;
-          cert_verifier_->ClearRules();
-          cert_verifier_->AddResultForCert(server_cert.get(), verify_result,
-                                           OK);
-
-          bool should_enforce = known_root || enable_for_local_anchors;
-
-          ssl_client_session_cache_->Flush();
-          int rv;
-          ASSERT_TRUE(CreateAndConnectSSLClientSocket(SSLConfig(), &rv));
-          if (should_enforce && downgrade) {
-            EXPECT_THAT(rv, IsError(ERR_TLS13_DOWNGRADE_DETECTED));
-            EXPECT_FALSE(sock_->IsConnected());
-          } else {
-            EXPECT_THAT(rv, IsOk());
-            EXPECT_TRUE(sock_->IsConnected());
-          }
-        }
-      }
-    }
+class TLS13DowngradeTest
+    : public SSLClientSocketTest,
+      public ::testing::WithParamInterface<
+          std::tuple<SpawnedTestServer::SSLOptions::TLSMaxVersion,
+                     /* simulate_tls13_downgrade */ bool,
+                     /* enable_for_local_anchors */ bool,
+                     /* known_root */ bool>> {
+ public:
+  TLS13DowngradeTest() {}
+  ~TLS13DowngradeTest() {}
+
+  SpawnedTestServer::SSLOptions::TLSMaxVersion tls_max_version() const {
+    return std::get<0>(GetParam());
+  }
+
+  bool simulate_tls13_downgrade() const { return std::get<1>(GetParam()); }
+  bool enable_for_local_anchors() const { return std::get<2>(GetParam()); }
+  bool known_root() const { return std::get<3>(GetParam()); }
+};
+
+INSTANTIATE_TEST_SUITE_P(
+    /* no prefix */,
+    TLS13DowngradeTest,
+    ::testing::Combine(
+        ::testing::Values(
+            SpawnedTestServer::SSLOptions::TLS_MAX_VERSION_TLS1_0,
+            SpawnedTestServer::SSLOptions::TLS_MAX_VERSION_TLS1_1,
+            SpawnedTestServer::SSLOptions::TLS_MAX_VERSION_TLS1_2),
+        ::testing::Values(false, true),
+        ::testing::Values(false, true),
+        ::testing::Values(false, true)));
+
+TEST_P(TLS13DowngradeTest, DowngradeEnforced) {
+  SpawnedTestServer::SSLOptions ssl_options;
+  ssl_options.simulate_tls13_downgrade = simulate_tls13_downgrade();
+  ssl_options.tls_max_version = tls_max_version();
+  ASSERT_TRUE(StartTestServer(ssl_options));
+  scoped_refptr<X509Certificate> server_cert =
+      spawned_test_server()->GetCertificate();
+
+  SSLContextConfig config;
+  config.version_max = SSL_PROTOCOL_VERSION_TLS1_3;
+  config.tls13_hardening_for_local_anchors_enabled = enable_for_local_anchors();
+  ssl_config_service_->UpdateSSLConfigAndNotify(config);
+
+  CertVerifyResult verify_result;
+  verify_result.is_issued_by_known_root = known_root();
+  verify_result.verified_cert = server_cert;
+  cert_verifier_->ClearRules();
+  cert_verifier_->AddResultForCert(server_cert.get(), verify_result, OK);
+
+  bool should_enforce = known_root() || enable_for_local_anchors();
+
+  ssl_client_session_cache_->Flush();
+  int rv;
+  ASSERT_TRUE(CreateAndConnectSSLClientSocket(SSLConfig(), &rv));
+  if (should_enforce && simulate_tls13_downgrade()) {
+    EXPECT_THAT(rv, IsError(ERR_TLS13_DOWNGRADE_DETECTED));
+    EXPECT_FALSE(sock_->IsConnected());
+  } else {
+    EXPECT_THAT(rv, IsOk());
+    EXPECT_TRUE(sock_->IsConnected());
   }
 }
 
diff --git a/chromium/net/socket/ssl_connect_job_unittest.cc b/chromium/net/socket/ssl_connect_job_unittest.cc
index a1d33ed48c2..33ac9352ec7 100644
--- a/chromium/net/socket/ssl_connect_job_unittest.cc
+++ b/chromium/net/socket/ssl_connect_job_unittest.cc
@@ -32,6 +32,7 @@
 #include "net/log/net_log_source.h"
 #include "net/log/net_log_with_source.h"
 #include "net/proxy_resolution/proxy_resolution_service.h"
+#include "net/quic/quic_context.h"
 #include "net/socket/connect_job_test_util.h"
 #include "net/socket/connection_attempts.h"
 #include "net/socket/next_proto.h"
@@ -83,16 +84,19 @@ class SSLConnectJobTest : public WithTaskEnvironment, public testing::Test {
         session_(CreateNetworkSession()),
         direct_transport_socket_params_(
             new TransportSocketParams(HostPortPair("host", 443),
+                                      NetworkIsolationKey(),
                                       false /* disable_secure_dns */,
                                       OnHostResolutionCallback())),
         proxy_transport_socket_params_(
             new TransportSocketParams(HostPortPair("proxy", 443),
+                                      NetworkIsolationKey(),
                                       false /* disable_secure_dns */,
                                       OnHostResolutionCallback())),
         socks_socket_params_(
             new SOCKSSocketParams(proxy_transport_socket_params_,
                                   true,
                                   HostPortPair("sockshost", 443),
+                                  NetworkIsolationKey(),
                                   TRAFFIC_ANNOTATION_FOR_TESTS)),
         http_proxy_socket_params_(
             new HttpProxySocketParams(proxy_transport_socket_params_,
@@ -130,7 +134,8 @@ class SSLConnectJobTest : public WithTaskEnvironment, public testing::Test {
     const base::string16 kFoo(base::ASCIIToUTF16("foo"));
     const base::string16 kBar(base::ASCIIToUTF16("bar"));
     session_->http_auth_cache()->Add(
-        GURL("http://proxy:443/"), "MyRealm1", HttpAuth::AUTH_SCHEME_BASIC,
+        GURL("http://proxy:443/"), HttpAuth::AUTH_PROXY, "MyRealm1",
+        HttpAuth::AUTH_SCHEME_BASIC, NetworkIsolationKey(),
         "Basic realm=MyRealm1", AuthCredentials(kFoo, kBar), "/");
   }
 
@@ -147,6 +152,7 @@ class SSLConnectJobTest : public WithTaskEnvironment, public testing::Test {
     session_context.http_auth_handler_factory =
         http_auth_handler_factory_.get();
     session_context.http_server_properties = &http_server_properties_;
+    session_context.quic_context = &quic_context_;
     return new HttpNetworkSession(HttpNetworkSession::Params(),
                                   session_context);
   }
@@ -162,6 +168,7 @@ class SSLConnectJobTest : public WithTaskEnvironment, public testing::Test {
   const std::unique_ptr<SSLConfigService> ssl_config_service_;
   const std::unique_ptr<HttpAuthHandlerFactory> http_auth_handler_factory_;
   HttpServerProperties http_server_properties_;
+  QuicContext quic_context_;
   const std::unique_ptr<HttpNetworkSession> session_;
 
   scoped_refptr<TransportSocketParams> direct_transport_socket_params_;
@@ -415,9 +422,9 @@ TEST_F(SSLConnectJobTest, DisableSecureDns) {
   for (bool disable_secure_dns : {false, true}) {
     TestConnectJobDelegate test_delegate;
     direct_transport_socket_params_ =
-        base::MakeRefCounted<TransportSocketParams>(HostPortPair("host", 443),
-                                                    disable_secure_dns,
-                                                    OnHostResolutionCallback());
+        base::MakeRefCounted<TransportSocketParams>(
+            HostPortPair("host", 443), NetworkIsolationKey(),
+            disable_secure_dns, OnHostResolutionCallback());
     auto common_connect_job_params = session_->CreateCommonConnectJobParams();
     std::unique_ptr<ConnectJob> ssl_connect_job =
         std::make_unique<SSLConnectJob>(DEFAULT_PRIORITY, SocketTag(),
diff --git a/chromium/net/socket/ssl_server_socket_impl.cc b/chromium/net/socket/ssl_server_socket_impl.cc
index f518c97a8b2..4f099dacf54 100644
--- a/chromium/net/socket/ssl_server_socket_impl.cc
+++ b/chromium/net/socket/ssl_server_socket_impl.cc
@@ -955,9 +955,9 @@ void SSLServerContextImpl::Init() {
 
   if (ssl_server_config_.client_cert_type !=
           SSLServerConfig::ClientCertType::NO_CLIENT_CERT &&
-      !ssl_server_config_.cert_authorities_.empty()) {
+      !ssl_server_config_.cert_authorities.empty()) {
     bssl::UniquePtr<STACK_OF(CRYPTO_BUFFER)> stack(sk_CRYPTO_BUFFER_new_null());
-    for (const auto& authority : ssl_server_config_.cert_authorities_) {
+    for (const auto& authority : ssl_server_config_.cert_authorities) {
       sk_CRYPTO_BUFFER_push(stack.get(),
                             x509_util::CreateCryptoBuffer(authority).release());
     }
diff --git a/chromium/net/socket/ssl_server_socket_unittest.cc b/chromium/net/socket/ssl_server_socket_unittest.cc
index e98796fed54..7d303e5b26d 100644
--- a/chromium/net/socket/ssl_server_socket_unittest.cc
+++ b/chromium/net/socket/ssl_server_socket_unittest.cc
@@ -453,7 +453,7 @@ class SSLServerSocketTest : public PlatformTest, public WithTaskEnvironment {
     static const uint8_t kClientCertCAName[] = {
         0x30, 0x0f, 0x31, 0x0d, 0x30, 0x0b, 0x06, 0x03, 0x55,
         0x04, 0x03, 0x0c, 0x04, 0x42, 0x20, 0x43, 0x41};
-    server_ssl_config_.cert_authorities_.push_back(std::string(
+    server_ssl_config_.cert_authorities.push_back(std::string(
         std::begin(kClientCertCAName), std::end(kClientCertCAName)));
 
     scoped_refptr<X509Certificate> expected_client_cert(
diff --git a/chromium/net/socket/tcp_client_socket_unittest.cc b/chromium/net/socket/tcp_client_socket_unittest.cc
index 0c41330cbd8..a1947d93673 100644
--- a/chromium/net/socket/tcp_client_socket_unittest.cc
+++ b/chromium/net/socket/tcp_client_socket_unittest.cc
@@ -604,14 +604,7 @@ TEST_F(TCPClientSocketTest, SuspendDuringRead) {
               IsError(ERR_NETWORK_IO_SUSPENDED));
 }
 
-// TODO(https://crbug.com/1005042): close(socket_fd_) hangs on Fuchsia in this
-// test.
-#if defined(OS_FUCHSIA)
-#define MAYBE_SuspendDuringWrite DISABLED_SuspendDuringWrite
-#else
-#define MAYBE_SuspendDuringWrite SuspendDuringWrite
-#endif
-TEST_F(TCPClientSocketTest, MAYBE_SuspendDuringWrite) {
+TEST_F(TCPClientSocketTest, SuspendDuringWrite) {
   std::unique_ptr<StreamSocket> accepted_socket;
   std::unique_ptr<TCPClientSocket> client_socket;
   CreateConnectedSockets(&accepted_socket, &client_socket);
diff --git a/chromium/net/socket/transport_client_socket_pool_unittest.cc b/chromium/net/socket/transport_client_socket_pool_unittest.cc
index 507ac4a8035..b6aa9004c4a 100644
--- a/chromium/net/socket/transport_client_socket_pool_unittest.cc
+++ b/chromium/net/socket/transport_client_socket_pool_unittest.cc
@@ -52,6 +52,8 @@
 #include "net/traffic_annotation/network_traffic_annotation_test_helper.h"
 #include "testing/gmock/include/gmock/gmock.h"
 #include "testing/gtest/include/gtest/gtest.h"
+#include "url/gurl.h"
+#include "url/origin.h"
 
 using net::test::IsError;
 using net::test::IsOk;
@@ -179,7 +181,7 @@ class TransportClientSocketPoolTest : public ::testing::Test,
   size_t completion_count() const { return test_base_.completion_count(); }
 
   bool connect_backup_jobs_enabled_;
-  TestNetLog net_log_;
+  RecordingTestNetLog net_log_;
 
   // |group_id_| and |params_| correspond to the same group.
   const ClientSocketPool::GroupId group_id_;
@@ -1610,6 +1612,284 @@ TEST_F(TransportClientSocketPoolTest, HttpTunnelSetupRedirect) {
   }
 }
 
+TEST_F(TransportClientSocketPoolTest, NetworkIsolationKey) {
+  const auto kOrigin = url::Origin::Create(GURL("https://foo.test/"));
+  const NetworkIsolationKey kNetworkIsolationKey(kOrigin, kOrigin);
+  const char kHost[] = "bar.test";
+
+  base::test::ScopedFeatureList scoped_feature_list;
+  scoped_feature_list.InitWithFeatures(
+      // enabled_features
+      {features::kPartitionConnectionsByNetworkIsolationKey,
+       features::kSplitHostCacheByNetworkIsolationKey},
+      // disabled_features
+      {});
+
+  session_deps_.host_resolver->set_ondemand_mode(true);
+
+  TransportClientSocketPool::GroupId group_id(
+      HostPortPair(kHost, 80), ClientSocketPool::SocketType::kHttp,
+      PrivacyMode::PRIVACY_MODE_DISABLED, kNetworkIsolationKey,
+      false /* disable_secure_dns */);
+  ClientSocketHandle handle;
+  TestCompletionCallback callback;
+  EXPECT_THAT(
+      handle.Init(group_id,
+                  base::MakeRefCounted<ClientSocketPool::SocketParams>(
+                      nullptr /* ssl_config_for_origin */,
+                      nullptr /* ssl_config_for_proxy */),
+                  TRAFFIC_ANNOTATION_FOR_TESTS, LOW, SocketTag(),
+                  ClientSocketPool::RespectLimits::ENABLED, callback.callback(),
+                  ClientSocketPool::ProxyAuthCallback(), pool_.get(),
+                  NetLogWithSource()),
+      IsError(ERR_IO_PENDING));
+
+  ASSERT_EQ(1u, session_deps_.host_resolver->last_id());
+  EXPECT_EQ(kHost, session_deps_.host_resolver->request_host(1));
+  EXPECT_EQ(kNetworkIsolationKey,
+            session_deps_.host_resolver->request_network_isolation_key(1));
+}
+
+TEST_F(TransportClientSocketPoolTest, NetworkIsolationKeySsl) {
+  const auto kOrigin = url::Origin::Create(GURL("https://foo.test/"));
+  const NetworkIsolationKey kNetworkIsolationKey(kOrigin, kOrigin);
+  const char kHost[] = "bar.test";
+
+  base::test::ScopedFeatureList scoped_feature_list;
+  scoped_feature_list.InitWithFeatures(
+      // enabled_features
+      {features::kPartitionConnectionsByNetworkIsolationKey,
+       features::kSplitHostCacheByNetworkIsolationKey},
+      // disabled_features
+      {});
+
+  session_deps_.host_resolver->set_ondemand_mode(true);
+
+  TransportClientSocketPool::GroupId group_id(
+      HostPortPair(kHost, 443), ClientSocketPool::SocketType::kSsl,
+      PrivacyMode::PRIVACY_MODE_DISABLED, kNetworkIsolationKey,
+      false /* disable_secure_dns */);
+  ClientSocketHandle handle;
+  TestCompletionCallback callback;
+  EXPECT_THAT(
+      handle.Init(group_id,
+                  base::MakeRefCounted<ClientSocketPool::SocketParams>(
+                      std::make_unique<SSLConfig>() /* ssl_config_for_origin */,
+                      nullptr /* ssl_config_for_proxy */),
+                  TRAFFIC_ANNOTATION_FOR_TESTS, LOW, SocketTag(),
+                  ClientSocketPool::RespectLimits::ENABLED, callback.callback(),
+                  ClientSocketPool::ProxyAuthCallback(), pool_.get(),
+                  NetLogWithSource()),
+      IsError(ERR_IO_PENDING));
+
+  ASSERT_EQ(1u, session_deps_.host_resolver->last_id());
+  EXPECT_EQ(kHost, session_deps_.host_resolver->request_host(1));
+  EXPECT_EQ(kNetworkIsolationKey,
+            session_deps_.host_resolver->request_network_isolation_key(1));
+}
+
+// Test that, in the case of an HTTP proxy, the NetworkIsolationKey is not used.
+TEST_F(TransportClientSocketPoolTest, NetworkIsolationKeyHttpProxy) {
+  const auto kOrigin = url::Origin::Create(GURL("https://foo.test/"));
+  const NetworkIsolationKey kNetworkIsolationKey(kOrigin, kOrigin);
+  const char kHost[] = "bar.test";
+  const ProxyServer kProxyServer = ProxyServer::FromURI(
+      "http://proxy.test", ProxyServer::SCHEME_HTTP /* default_scheme */);
+
+  base::test::ScopedFeatureList scoped_feature_list;
+  scoped_feature_list.InitWithFeatures(
+      // enabled_features
+      {features::kPartitionConnectionsByNetworkIsolationKey,
+       features::kSplitHostCacheByNetworkIsolationKey},
+      // disabled_features
+      {});
+
+  session_deps_.host_resolver->set_ondemand_mode(true);
+
+  TransportClientSocketPool proxy_pool(
+      kMaxSockets, kMaxSocketsPerGroup, kUnusedIdleSocketTimeout, kProxyServer,
+      false /* is_for_websockets */, tagging_common_connect_job_params_.get());
+
+  TransportClientSocketPool::GroupId group_id(
+      HostPortPair(kHost, 80), ClientSocketPool::SocketType::kHttp,
+      PrivacyMode::PRIVACY_MODE_DISABLED, kNetworkIsolationKey,
+      false /* disable_secure_dns */);
+  ClientSocketHandle handle;
+  TestCompletionCallback callback;
+  EXPECT_THAT(
+      handle.Init(group_id,
+                  base::MakeRefCounted<ClientSocketPool::SocketParams>(
+                      nullptr /* ssl_config_for_origin */,
+                      nullptr /* ssl_config_for_proxy */),
+                  TRAFFIC_ANNOTATION_FOR_TESTS, LOW, SocketTag(),
+                  ClientSocketPool::RespectLimits::ENABLED, callback.callback(),
+                  ClientSocketPool::ProxyAuthCallback(), &proxy_pool,
+                  NetLogWithSource()),
+      IsError(ERR_IO_PENDING));
+
+  ASSERT_EQ(1u, session_deps_.host_resolver->last_id());
+  EXPECT_EQ(kProxyServer.host_port_pair().host(),
+            session_deps_.host_resolver->request_host(1));
+  EXPECT_EQ(NetworkIsolationKey(),
+            session_deps_.host_resolver->request_network_isolation_key(1));
+}
+
+// Test that, in the case of an HTTPS proxy, the NetworkIsolationKey is not
+// used.
+TEST_F(TransportClientSocketPoolTest, NetworkIsolationKeyHttpsProxy) {
+  const auto kOrigin = url::Origin::Create(GURL("https://foo.test/"));
+  const NetworkIsolationKey kNetworkIsolationKey(kOrigin, kOrigin);
+  const char kHost[] = "bar.test";
+  const ProxyServer kProxyServer = ProxyServer::FromURI(
+      "https://proxy.test", ProxyServer::SCHEME_HTTP /* default_scheme */);
+
+  base::test::ScopedFeatureList scoped_feature_list;
+  scoped_feature_list.InitWithFeatures(
+      // enabled_features
+      {features::kPartitionConnectionsByNetworkIsolationKey,
+       features::kSplitHostCacheByNetworkIsolationKey},
+      // disabled_features
+      {});
+
+  session_deps_.host_resolver->set_ondemand_mode(true);
+
+  TransportClientSocketPool proxy_pool(
+      kMaxSockets, kMaxSocketsPerGroup, kUnusedIdleSocketTimeout, kProxyServer,
+      false /* is_for_websockets */, tagging_common_connect_job_params_.get());
+
+  TransportClientSocketPool::GroupId group_id(
+      HostPortPair(kHost, 80), ClientSocketPool::SocketType::kHttp,
+      PrivacyMode::PRIVACY_MODE_DISABLED, kNetworkIsolationKey,
+      false /* disable_secure_dns */);
+  ClientSocketHandle handle;
+  TestCompletionCallback callback;
+  EXPECT_THAT(
+      handle.Init(group_id,
+                  base::MakeRefCounted<ClientSocketPool::SocketParams>(
+                      nullptr /* ssl_config_for_origin */,
+                      std::make_unique<SSLConfig>() /* ssl_config_for_proxy */),
+                  TRAFFIC_ANNOTATION_FOR_TESTS, LOW, SocketTag(),
+                  ClientSocketPool::RespectLimits::ENABLED, callback.callback(),
+                  ClientSocketPool::ProxyAuthCallback(), &proxy_pool,
+                  NetLogWithSource()),
+      IsError(ERR_IO_PENDING));
+
+  ASSERT_EQ(1u, session_deps_.host_resolver->last_id());
+  EXPECT_EQ(kProxyServer.host_port_pair().host(),
+            session_deps_.host_resolver->request_host(1));
+  EXPECT_EQ(NetworkIsolationKey(),
+            session_deps_.host_resolver->request_network_isolation_key(1));
+}
+
+// Test that, in the case of a SOCKS5 proxy, the NetworkIsolationKey is only
+// used for the destination DNS lookup, not the proxy DNS lookup.
+TEST_F(TransportClientSocketPoolTest, NetworkIsolationKeySocks4Proxy) {
+  const auto kOrigin = url::Origin::Create(GURL("https://foo.test/"));
+  const NetworkIsolationKey kNetworkIsolationKey(kOrigin, kOrigin);
+  const char kHost[] = "bar.test";
+  const ProxyServer kProxyServer = ProxyServer::FromURI(
+      "socks4://proxy.test", ProxyServer::SCHEME_HTTP /* default_scheme */);
+
+  base::test::ScopedFeatureList scoped_feature_list;
+  scoped_feature_list.InitWithFeatures(
+      // enabled_features
+      {features::kPartitionConnectionsByNetworkIsolationKey,
+       features::kSplitHostCacheByNetworkIsolationKey},
+      // disabled_features
+      {});
+
+  session_deps_.host_resolver->set_ondemand_mode(true);
+
+  // Test will establish a connection, but never use it to transfer data, since
+  // it stalls at the second DNS lookup.
+  StaticSocketDataProvider data;
+  data.set_connect_data(MockConnect(SYNCHRONOUS, OK));
+  tagging_client_socket_factory_.AddSocketDataProvider(&data);
+
+  TransportClientSocketPool proxy_pool(
+      kMaxSockets, kMaxSocketsPerGroup, kUnusedIdleSocketTimeout, kProxyServer,
+      false /* is_for_websockets */, tagging_common_connect_job_params_.get());
+
+  TransportClientSocketPool::GroupId group_id(
+      HostPortPair(kHost, 80), ClientSocketPool::SocketType::kHttp,
+      PrivacyMode::PRIVACY_MODE_DISABLED, kNetworkIsolationKey,
+      false /* disable_secure_dns */);
+  ClientSocketHandle handle;
+  TestCompletionCallback callback;
+  EXPECT_THAT(
+      handle.Init(group_id,
+                  base::MakeRefCounted<ClientSocketPool::SocketParams>(
+                      nullptr /* ssl_config_for_origin */,
+                      nullptr /* ssl_config_for_proxy */),
+                  TRAFFIC_ANNOTATION_FOR_TESTS, LOW, SocketTag(),
+                  ClientSocketPool::RespectLimits::ENABLED, callback.callback(),
+                  ClientSocketPool::ProxyAuthCallback(), &proxy_pool,
+                  NetLogWithSource()),
+      IsError(ERR_IO_PENDING));
+
+  // First lookup is for the proxy's hostname, and should not use the NIK.
+  ASSERT_EQ(1u, session_deps_.host_resolver->last_id());
+  EXPECT_EQ(kProxyServer.host_port_pair().host(),
+            session_deps_.host_resolver->request_host(1));
+  EXPECT_EQ(NetworkIsolationKey(),
+            session_deps_.host_resolver->request_network_isolation_key(1));
+
+  // First lookup completes, starting the second one. The second lookup is for
+  // the destination's hostname, and should use the NIK.
+  session_deps_.host_resolver->ResolveOnlyRequestNow();
+  ASSERT_EQ(2u, session_deps_.host_resolver->last_id());
+  EXPECT_EQ(kHost, session_deps_.host_resolver->request_host(2));
+  EXPECT_EQ(kNetworkIsolationKey,
+            session_deps_.host_resolver->request_network_isolation_key(2));
+}
+
+// Test that, in the case of a SOCKS5 proxy, the NetworkIsolationKey is not
+// used.
+TEST_F(TransportClientSocketPoolTest, NetworkIsolationKeySocks5Proxy) {
+  const auto kOrigin = url::Origin::Create(GURL("https://foo.test/"));
+  const NetworkIsolationKey kNetworkIsolationKey(kOrigin, kOrigin);
+  const char kHost[] = "bar.test";
+  const ProxyServer kProxyServer = ProxyServer::FromURI(
+      "socks5://proxy.test", ProxyServer::SCHEME_HTTP /* default_scheme */);
+
+  base::test::ScopedFeatureList scoped_feature_list;
+  scoped_feature_list.InitWithFeatures(
+      // enabled_features
+      {features::kPartitionConnectionsByNetworkIsolationKey,
+       features::kSplitHostCacheByNetworkIsolationKey},
+      // disabled_features
+      {});
+
+  session_deps_.host_resolver->set_ondemand_mode(true);
+
+  TransportClientSocketPool proxy_pool(
+      kMaxSockets, kMaxSocketsPerGroup, kUnusedIdleSocketTimeout, kProxyServer,
+      false /* is_for_websockets */, tagging_common_connect_job_params_.get());
+
+  TransportClientSocketPool::GroupId group_id(
+      HostPortPair(kHost, 80), ClientSocketPool::SocketType::kHttp,
+      PrivacyMode::PRIVACY_MODE_DISABLED, kNetworkIsolationKey,
+      false /* disable_secure_dns */);
+  ClientSocketHandle handle;
+  TestCompletionCallback callback;
+  EXPECT_THAT(
+      handle.Init(group_id,
+                  base::MakeRefCounted<ClientSocketPool::SocketParams>(
+                      nullptr /* ssl_config_for_origin */,
+                      nullptr /* ssl_config_for_proxy */),
+                  TRAFFIC_ANNOTATION_FOR_TESTS, LOW, SocketTag(),
+                  ClientSocketPool::RespectLimits::ENABLED, callback.callback(),
+                  ClientSocketPool::ProxyAuthCallback(), &proxy_pool,
+                  NetLogWithSource()),
+      IsError(ERR_IO_PENDING));
+
+  ASSERT_EQ(1u, session_deps_.host_resolver->last_id());
+  EXPECT_EQ(kProxyServer.host_port_pair().host(),
+            session_deps_.host_resolver->request_host(1));
+  EXPECT_EQ(NetworkIsolationKey(),
+            session_deps_.host_resolver->request_network_isolation_key(1));
+}
+
 // Test that SocketTag passed into TransportClientSocketPool is applied to
 // returned sockets.
 #if defined(OS_ANDROID)
diff --git a/chromium/net/socket/transport_client_socket_unittest.cc b/chromium/net/socket/transport_client_socket_unittest.cc
index 2dc4cc4f39d..b7cf052f072 100644
--- a/chromium/net/socket/transport_client_socket_unittest.cc
+++ b/chromium/net/socket/transport_client_socket_unittest.cc
@@ -91,7 +91,7 @@ class TransportClientSocketTest
  protected:
   base::RunLoop connect_loop_;
   uint16_t listen_port_;
-  TestNetLog net_log_;
+  RecordingTestNetLog net_log_;
   ClientSocketFactory* const socket_factory_;
   std::unique_ptr<StreamSocket> sock_;
   std::unique_ptr<StreamSocket> connected_sock_;
diff --git a/chromium/net/socket/transport_connect_job.cc b/chromium/net/socket/transport_connect_job.cc
index 4a734a79954..23575474807 100644
--- a/chromium/net/socket/transport_connect_job.cc
+++ b/chromium/net/socket/transport_connect_job.cc
@@ -47,9 +47,11 @@ bool AddressListOnlyContainsIPv6(const AddressList& list) {
 
 TransportSocketParams::TransportSocketParams(
     const HostPortPair& host_port_pair,
+    const NetworkIsolationKey& network_isolation_key,
     bool disable_secure_dns,
     const OnHostResolutionCallback& host_resolution_callback)
     : destination_(host_port_pair),
+      network_isolation_key_(network_isolation_key),
       disable_secure_dns_(disable_secure_dns),
       host_resolution_callback_(host_resolution_callback) {}
 
@@ -263,8 +265,9 @@ int TransportConnectJob::DoResolveHost() {
   parameters.initial_priority = priority();
   if (params_->disable_secure_dns())
     parameters.secure_dns_mode_override = DnsConfig::SecureDnsMode::OFF;
-  request_ = host_resolver()->CreateRequest(params_->destination(), net_log(),
-                                            parameters);
+  request_ = host_resolver()->CreateRequest(params_->destination(),
+                                            params_->network_isolation_key(),
+                                            net_log(), parameters);
 
   return request_->Start(base::BindOnce(&TransportConnectJob::OnIOComplete,
                                         base::Unretained(this)));
diff --git a/chromium/net/socket/transport_connect_job.h b/chromium/net/socket/transport_connect_job.h
index 0d0292996e7..ad4804ee2f0 100644
--- a/chromium/net/socket/transport_connect_job.h
+++ b/chromium/net/socket/transport_connect_job.h
@@ -16,6 +16,7 @@
 #include "base/timer/timer.h"
 #include "net/base/host_port_pair.h"
 #include "net/base/net_export.h"
+#include "net/base/network_isolation_key.h"
 #include "net/dns/host_resolver.h"
 #include "net/socket/connect_job.h"
 #include "net/socket/connection_attempts.h"
@@ -30,14 +31,19 @@ class NET_EXPORT_PRIVATE TransportSocketParams
     : public base::RefCounted<TransportSocketParams> {
  public:
   // |host_resolution_callback| will be invoked after the the hostname is
-  // resolved.  If |host_resolution_callback| does not return OK, then the
+  // resolved. |network_isolation_key| is passed to the HostResolver to prevent
+  // cross-NIK leaks. If |host_resolution_callback| does not return OK, then the
   // connection will be aborted with that value.
   TransportSocketParams(
       const HostPortPair& host_port_pair,
+      const NetworkIsolationKey& network_isolation_key,
       bool disable_secure_dns,
       const OnHostResolutionCallback& host_resolution_callback);
 
   const HostPortPair& destination() const { return destination_; }
+  const NetworkIsolationKey& network_isolation_key() const {
+    return network_isolation_key_;
+  }
   bool disable_secure_dns() const { return disable_secure_dns_; }
   const OnHostResolutionCallback& host_resolution_callback() const {
     return host_resolution_callback_;
@@ -48,6 +54,7 @@ class NET_EXPORT_PRIVATE TransportSocketParams
   ~TransportSocketParams();
 
   const HostPortPair destination_;
+  const NetworkIsolationKey network_isolation_key_;
   const bool disable_secure_dns_;
   const OnHostResolutionCallback host_resolution_callback_;
 
diff --git a/chromium/net/socket/transport_connect_job_unittest.cc b/chromium/net/socket/transport_connect_job_unittest.cc
index 59a90e83340..3f5800717a6 100644
--- a/chromium/net/socket/transport_connect_job_unittest.cc
+++ b/chromium/net/socket/transport_connect_job_unittest.cc
@@ -56,12 +56,12 @@ class TransportConnectJobTest : public WithTaskEnvironment,
 
   static scoped_refptr<TransportSocketParams> DefaultParams() {
     return base::MakeRefCounted<TransportSocketParams>(
-        HostPortPair(kHostName, 80), false /* disable_secure_dns */,
-        OnHostResolutionCallback());
+        HostPortPair(kHostName, 80), NetworkIsolationKey(),
+        false /* disable_secure_dns */, OnHostResolutionCallback());
   }
 
  protected:
-  TestNetLog net_log_;
+  RecordingTestNetLog net_log_;
   MockHostResolver host_resolver_;
   MockTransportClientSocketFactory client_socket_factory_;
   const CommonConnectJobParams common_connect_job_params_;
@@ -262,9 +262,9 @@ TEST_F(TransportConnectJobTest, DisableSecureDns) {
     TestConnectJobDelegate test_delegate;
     TransportConnectJob transport_connect_job(
         DEFAULT_PRIORITY, SocketTag(), &common_connect_job_params_,
-        base::MakeRefCounted<TransportSocketParams>(HostPortPair(kHostName, 80),
-                                                    disable_secure_dns,
-                                                    OnHostResolutionCallback()),
+        base::MakeRefCounted<TransportSocketParams>(
+            HostPortPair(kHostName, 80), NetworkIsolationKey(),
+            disable_secure_dns, OnHostResolutionCallback()),
         &test_delegate, nullptr /* net_log */);
     test_delegate.StartJobExpectingResult(&transport_connect_job, OK,
                                           false /* expect_sync_result */);
diff --git a/chromium/net/socket/udp_socket_posix.cc b/chromium/net/socket/udp_socket_posix.cc
index abe242cd6db..572472a6993 100644
--- a/chromium/net/socket/udp_socket_posix.cc
+++ b/chromium/net/socket/udp_socket_posix.cc
@@ -295,11 +295,11 @@ void UDPSocketPosix::Close() {
     return;
 
   // Zero out any pending read/write callback state.
-  read_buf_ = NULL;
+  read_buf_.reset();
   read_buf_len_ = 0;
   read_callback_.Reset();
   recv_from_address_ = NULL;
-  write_buf_ = NULL;
+  write_buf_.reset();
   write_buf_len_ = 0;
   write_callback_.Reset();
   send_to_address_.reset();
@@ -739,7 +739,7 @@ void UDPSocketPosix::DidCompleteRead() {
   int result =
       InternalRecvFrom(read_buf_.get(), read_buf_len_, recv_from_address_);
   if (result != ERR_IO_PENDING) {
-    read_buf_ = NULL;
+    read_buf_.reset();
     read_buf_len_ = 0;
     recv_from_address_ = NULL;
     bool ok = read_socket_watcher_.StopWatchingFileDescriptor();
@@ -776,7 +776,7 @@ void UDPSocketPosix::DidCompleteWrite() {
       InternalSendTo(write_buf_.get(), write_buf_len_, send_to_address_.get());
 
   if (result != ERR_IO_PENDING) {
-    write_buf_ = NULL;
+    write_buf_.reset();
     write_buf_len_ = 0;
     send_to_address_.reset();
     write_socket_watcher_.StopWatchingFileDescriptor();
diff --git a/chromium/net/socket/udp_socket_posix_unittest.cc b/chromium/net/socket/udp_socket_posix_unittest.cc
index 3baf54bb471..730d966ad40 100644
--- a/chromium/net/socket/udp_socket_posix_unittest.cc
+++ b/chromium/net/socket/udp_socket_posix_unittest.cc
@@ -218,7 +218,7 @@ class UDPSocketPosixTest : public TestWithTaskEnvironment {
         .WillOnce(Return(kNumMsgs));
   }
 
-  TestNetLog client_log_;
+  RecordingTestNetLog client_log_;
   MockUDPSocketPosix socket_;
   DatagramBuffers buffers_;
   bool callback_fired_;
diff --git a/chromium/net/socket/udp_socket_unittest.cc b/chromium/net/socket/udp_socket_unittest.cc
index ea1ce207719..18eb55670ca 100644
--- a/chromium/net/socket/udp_socket_unittest.cc
+++ b/chromium/net/socket/udp_socket_unittest.cc
@@ -161,7 +161,7 @@ void UDPSocketTest::ConnectTest(bool use_nonblocking_io) {
 
   // Setup the server to listen.
   IPEndPoint server_address(IPAddress::IPv4Localhost(), 0 /* port */);
-  TestNetLog server_log;
+  RecordingTestNetLog server_log;
   std::unique_ptr<UDPServerSocket> server(
       new UDPServerSocket(&server_log, NetLogSource()));
   if (use_nonblocking_io)
@@ -172,7 +172,7 @@ void UDPSocketTest::ConnectTest(bool use_nonblocking_io) {
   ASSERT_THAT(server->GetLocalAddress(&server_address), IsOk());
 
   // Setup the client.
-  TestNetLog client_log;
+  RecordingTestNetLog client_log;
   auto client = std::make_unique<UDPClientSocket>(DatagramSocket::DEFAULT_BIND,
                                                   &client_log, NetLogSource());
   if (use_nonblocking_io)
@@ -325,7 +325,7 @@ TEST_F(UDPSocketTest, MAYBE_LocalBroadcast) {
   IPEndPoint listen_address;
   ASSERT_TRUE(CreateUDPAddress("0.0.0.0", 0 /* port */, &listen_address));
 
-  TestNetLog server1_log, server2_log;
+  RecordingTestNetLog server1_log, server2_log;
   std::unique_ptr<UDPServerSocket> server1(
       new UDPServerSocket(&server1_log, NetLogSource()));
   std::unique_ptr<UDPServerSocket> server2(
diff --git a/chromium/net/socket/websocket_transport_client_socket_pool_unittest.cc b/chromium/net/socket/websocket_transport_client_socket_pool_unittest.cc
index fc2c62e11b4..b71c082590d 100644
--- a/chromium/net/socket/websocket_transport_client_socket_pool_unittest.cc
+++ b/chromium/net/socket/websocket_transport_client_socket_pool_unittest.cc
@@ -15,8 +15,10 @@
 #include "base/single_thread_task_runner.h"
 #include "base/stl_util.h"
 #include "base/strings/stringprintf.h"
+#include "base/test/scoped_feature_list.h"
 #include "base/threading/thread_task_runner_handle.h"
 #include "base/time/time.h"
+#include "net/base/features.h"
 #include "net/base/ip_endpoint.h"
 #include "net/base/load_timing_info.h"
 #include "net/base/load_timing_info_test_util.h"
@@ -39,6 +41,8 @@
 #include "net/test/test_with_task_environment.h"
 #include "testing/gmock/include/gmock/gmock.h"
 #include "testing/gtest/include/gtest/gtest.h"
+#include "url/gurl.h"
+#include "url/origin.h"
 
 using net::test::IsError;
 using net::test::IsOk;
@@ -129,7 +133,7 @@ class WebSocketTransportClientSocketPoolTest : public TestWithTaskEnvironment {
   }
   size_t completion_count() const { return test_base_.completion_count(); }
 
-  TestNetLog net_log_;
+  RecordingTestNetLog net_log_;
   // |group_id_| and |params_| correspond to the same socket parameters.
   const ClientSocketPool::GroupId group_id_;
   scoped_refptr<ClientSocketPool::SocketParams> params_;
@@ -1125,6 +1129,40 @@ TEST_F(WebSocketTransportClientSocketPoolTest, EndpointLockIsOnlyReleasedOnce) {
             request(2)->handle()->GetLoadState());
 }
 
+// Make sure that WebSocket requests use the correct NetworkIsolationKey.
+TEST_F(WebSocketTransportClientSocketPoolTest, NetworkIsolationKey) {
+  const auto kOrigin = url::Origin::Create(GURL("https://foo.test/"));
+  const NetworkIsolationKey kNetworkIsolationKey(kOrigin, kOrigin);
+
+  base::test::ScopedFeatureList scoped_feature_list;
+  scoped_feature_list.InitWithFeatures(
+      // enabled_features
+      {features::kPartitionConnectionsByNetworkIsolationKey,
+       features::kSplitHostCacheByNetworkIsolationKey},
+      // disabled_features
+      {});
+
+  host_resolver_->set_ondemand_mode(true);
+
+  TestCompletionCallback callback;
+  ClientSocketHandle handle;
+  ClientSocketPool::GroupId group_id(
+      HostPortPair("www.google.com", 80), ClientSocketPool::SocketType::kHttp,
+      PrivacyMode::PRIVACY_MODE_DISABLED, kNetworkIsolationKey,
+      false /* disable_secure_dns */);
+  EXPECT_THAT(
+      handle.Init(group_id, params_, base::nullopt /* proxy_annotation_tag */,
+                  kDefaultPriority, SocketTag(),
+                  ClientSocketPool::RespectLimits::ENABLED, callback.callback(),
+                  ClientSocketPool::ProxyAuthCallback(), &pool_,
+                  NetLogWithSource()),
+      IsError(ERR_IO_PENDING));
+
+  ASSERT_EQ(1u, host_resolver_->last_id());
+  EXPECT_EQ(kNetworkIsolationKey,
+            host_resolver_->request_network_isolation_key(1));
+}
+
 }  // namespace
 
 }  // namespace net
diff --git a/chromium/net/socket/websocket_transport_connect_job.cc b/chromium/net/socket/websocket_transport_connect_job.cc
index 926cf670ecb..c96d542e8c9 100644
--- a/chromium/net/socket/websocket_transport_connect_job.cc
+++ b/chromium/net/socket/websocket_transport_connect_job.cc
@@ -110,8 +110,9 @@ int WebSocketTransportConnectJob::DoResolveHost() {
   HostResolver::ResolveHostParameters parameters;
   parameters.initial_priority = priority();
   DCHECK(!params_->disable_secure_dns());
-  request_ = host_resolver()->CreateRequest(params_->destination(), net_log(),
-                                            parameters);
+  request_ = host_resolver()->CreateRequest(params_->destination(),
+                                            params_->network_isolation_key(),
+                                            net_log(), parameters);
 
   return request_->Start(base::BindOnce(
       &WebSocketTransportConnectJob::OnIOComplete, base::Unretained(this)));
diff --git a/chromium/net/spdy/bidirectional_stream_spdy_impl.cc b/chromium/net/spdy/bidirectional_stream_spdy_impl.cc
index 4e6b93282bf..ba029b04faa 100644
--- a/chromium/net/spdy/bidirectional_stream_spdy_impl.cc
+++ b/chromium/net/spdy/bidirectional_stream_spdy_impl.cc
@@ -282,6 +282,10 @@ void BidirectionalStreamSpdyImpl::OnClose(int status) {
     OnDataSent();
 }
 
+bool BidirectionalStreamSpdyImpl::CanGreaseFrameType() const {
+  return false;
+}
+
 NetLogSource BidirectionalStreamSpdyImpl::source_dependency() const {
   return source_dependency_;
 }
diff --git a/chromium/net/spdy/bidirectional_stream_spdy_impl.h b/chromium/net/spdy/bidirectional_stream_spdy_impl.h
index 954a678252a..8ee9a67528b 100644
--- a/chromium/net/spdy/bidirectional_stream_spdy_impl.h
+++ b/chromium/net/spdy/bidirectional_stream_spdy_impl.h
@@ -72,6 +72,7 @@ class NET_EXPORT_PRIVATE BidirectionalStreamSpdyImpl
   void OnDataSent() override;
   void OnTrailers(const spdy::SpdyHeaderBlock& trailers) override;
   void OnClose(int status) override;
+  bool CanGreaseFrameType() const override;
   NetLogSource source_dependency() const override;
 
  private:
diff --git a/chromium/net/spdy/bidirectional_stream_spdy_impl_unittest.cc b/chromium/net/spdy/bidirectional_stream_spdy_impl_unittest.cc
index bddadca34c7..95fbca97059 100644
--- a/chromium/net/spdy/bidirectional_stream_spdy_impl_unittest.cc
+++ b/chromium/net/spdy/bidirectional_stream_spdy_impl_unittest.cc
@@ -278,7 +278,7 @@ class BidirectionalStreamSpdyImplTest : public testing::TestWithParam<bool>,
     session_ = CreateSpdySession(http_session_.get(), key_, net_log_.bound());
   }
 
-  BoundTestNetLog net_log_;
+  RecordingBoundTestNetLog net_log_;
   SpdyTestUtil spdy_util_;
   SpdySessionDependencies session_deps_;
   const GURL default_url_;
diff --git a/chromium/net/spdy/header_coalescer_test.cc b/chromium/net/spdy/header_coalescer_test.cc
index b6aa1b5acf9..30a44e3d7f7 100644
--- a/chromium/net/spdy/header_coalescer_test.cc
+++ b/chromium/net/spdy/header_coalescer_test.cc
@@ -42,7 +42,7 @@ class HeaderCoalescerTest : public ::testing::Test {
   }
 
  protected:
-  BoundTestNetLog net_log_;
+  RecordingBoundTestNetLog net_log_;
   HeaderCoalescer header_coalescer_;
 };
 
diff --git a/chromium/net/spdy/platform/impl/spdy_ptr_util_impl.h b/chromium/net/spdy/platform/impl/spdy_ptr_util_impl.h
index 8d80fd70128..8c186b83e7c 100644
--- a/chromium/net/spdy/platform/impl/spdy_ptr_util_impl.h
+++ b/chromium/net/spdy/platform/impl/spdy_ptr_util_impl.h
@@ -12,11 +12,6 @@
 
 namespace spdy {
 
-template <typename T, typename... Args>
-std::unique_ptr<T> SpdyMakeUniqueImpl(Args&&... args) {
-  return std::make_unique<T>(std::forward<Args>(args)...);
-}
-
 template <typename T>
 std::unique_ptr<T> SpdyWrapUniqueImpl(T* ptr) {
   return base::WrapUnique<T>(ptr);
diff --git a/chromium/net/spdy/platform/impl/spdy_string_utils_impl.h b/chromium/net/spdy/platform/impl/spdy_string_utils_impl.h
index f9cbf6f6e9e..a6218097039 100644
--- a/chromium/net/spdy/platform/impl/spdy_string_utils_impl.h
+++ b/chromium/net/spdy/platform/impl/spdy_string_utils_impl.h
@@ -35,7 +35,10 @@ inline char SpdyHexDigitToIntImpl(char c) {
 }
 
 inline std::string SpdyHexDecodeImpl(SpdyStringPiece data) {
-  return net::HexDecode(data);
+  std::string result;
+  if (!base::HexStringToString(data, &result))
+    result.clear();
+  return result;
 }
 
 NET_EXPORT_PRIVATE bool SpdyHexDecodeToUInt32Impl(SpdyStringPiece data,
diff --git a/chromium/net/spdy/server_push_delegate.h b/chromium/net/spdy/server_push_delegate.h
index ed2d4f2351b..6f95735c312 100644
--- a/chromium/net/spdy/server_push_delegate.h
+++ b/chromium/net/spdy/server_push_delegate.h
@@ -27,6 +27,9 @@ class NET_EXPORT_PRIVATE ServerPushDelegate {
 
     // Gets the URL of the pushed request.
     virtual const GURL& GetURL() const = 0;
+
+    // Gets the network isolation key for the pushed request.
+    virtual NetworkIsolationKey GetNetworkIsolationKey() const = 0;
   };
 
   virtual ~ServerPushDelegate() {}
diff --git a/chromium/net/spdy/spdy_http_stream.cc b/chromium/net/spdy/spdy_http_stream.cc
index 0d644da0bc8..85e4e32f95d 100644
--- a/chromium/net/spdy/spdy_http_stream.cc
+++ b/chromium/net/spdy/spdy_http_stream.cc
@@ -259,17 +259,29 @@ bool SpdyHttpStream::GetLoadTimingInfo(LoadTimingInfo* load_timing_info) const {
     if (!closed_stream_has_load_timing_info_)
       return false;
     *load_timing_info = closed_stream_load_timing_info_;
-    return true;
+  } else {
+    // If |stream_| has yet to be created, or does not yet have an ID, fail.
+    // The reused flag can only be correctly set once a stream has an ID.
+    // Streams get their IDs once the request has been successfully sent, so
+    // this does not behave that differently from other stream types.
+    if (!stream_ || stream_->stream_id() == 0)
+      return false;
+
+    if (!stream_->GetLoadTimingInfo(load_timing_info))
+      return false;
   }
 
-  // If |stream_| has yet to be created, or does not yet have an ID, fail.
-  // The reused flag can only be correctly set once a stream has an ID.  Streams
-  // get their IDs once the request has been successfully sent, so this does not
-  // behave that differently from other stream types.
-  if (!stream_ || stream_->stream_id() == 0)
-    return false;
+  // If the request waited for handshake confirmation, shift |ssl_end| to
+  // include that time.
+  if (!load_timing_info->connect_timing.ssl_end.is_null() &&
+      !stream_request_.confirm_handshake_end().is_null()) {
+    load_timing_info->connect_timing.ssl_end =
+        stream_request_.confirm_handshake_end();
+    load_timing_info->connect_timing.connect_end =
+        stream_request_.confirm_handshake_end();
+  }
 
-  return stream_->GetLoadTimingInfo(load_timing_info);
+  return true;
 }
 
 int SpdyHttpStream::SendRequest(const HttpRequestHeaders& request_headers,
@@ -340,9 +352,11 @@ int SpdyHttpStream::SendRequest(const HttpRequestHeaders& request_headers,
         return SpdyHeaderBlockNetLogParams(&headers, capture_mode);
       });
   DispatchRequestHeadersCallback(headers);
+
+  bool will_send_data = HasUploadData() | spdy_session_->GreasedFramesEnabled();
   result = stream_->SendRequestHeaders(
       std::move(headers),
-      HasUploadData() ? MORE_DATA_TO_SEND : NO_MORE_DATA_TO_SEND);
+      will_send_data ? MORE_DATA_TO_SEND : NO_MORE_DATA_TO_SEND);
 
   if (result == ERR_IO_PENDING) {
     CHECK(request_callback_.is_null());
@@ -363,6 +377,8 @@ void SpdyHttpStream::Cancel() {
 void SpdyHttpStream::OnHeadersSent() {
   if (HasUploadData()) {
     ReadAndSendRequestBodyData();
+  } else if (spdy_session_->GreasedFramesEnabled()) {
+    SendEmptyBody();
   } else {
     MaybePostRequestCallback(OK);
   }
@@ -436,8 +452,12 @@ void SpdyHttpStream::OnDataReceived(std::unique_ptr<SpdyBuffer> buffer) {
 }
 
 void SpdyHttpStream::OnDataSent() {
-  request_body_buf_size_ = 0;
-  ReadAndSendRequestBodyData();
+  if (HasUploadData()) {
+    request_body_buf_size_ = 0;
+    ReadAndSendRequestBodyData();
+  } else {
+    CHECK(spdy_session_->GreasedFramesEnabled());
+  }
 }
 
 // TODO(xunjieli): Maybe do something with the trailers. crbug.com/422958.
@@ -480,6 +500,10 @@ void SpdyHttpStream::OnClose(int status) {
   }
 }
 
+bool SpdyHttpStream::CanGreaseFrameType() const {
+  return true;
+}
+
 NetLogSource SpdyHttpStream::source_dependency() const {
   return source_dependency_;
 }
@@ -527,6 +551,14 @@ void SpdyHttpStream::ReadAndSendRequestBodyData() {
     OnRequestBodyReadCompleted(rv);
 }
 
+void SpdyHttpStream::SendEmptyBody() {
+  CHECK(!HasUploadData());
+  CHECK(spdy_session_->GreasedFramesEnabled());
+
+  auto buffer = base::MakeRefCounted<IOBuffer>(/* buffer_size = */ 0);
+  stream_->SendData(buffer.get(), /* length = */ 0, NO_MORE_DATA_TO_SEND);
+}
+
 void SpdyHttpStream::InitializeStreamHelper() {
   stream_->SetDelegate(this);
   was_alpn_negotiated_ = stream_->WasAlpnNegotiated();
diff --git a/chromium/net/spdy/spdy_http_stream.h b/chromium/net/spdy/spdy_http_stream.h
index fc38beacdc2..3986e004a88 100644
--- a/chromium/net/spdy/spdy_http_stream.h
+++ b/chromium/net/spdy/spdy_http_stream.h
@@ -93,6 +93,7 @@ class NET_EXPORT_PRIVATE SpdyHttpStream : public SpdyStream::Delegate,
   void OnDataSent() override;
   void OnTrailers(const spdy::SpdyHeaderBlock& trailers) override;
   void OnClose(int status) override;
+  bool CanGreaseFrameType() const override;
   NetLogSource source_dependency() const override;
 
  private:
@@ -114,6 +115,12 @@ class NET_EXPORT_PRIVATE SpdyHttpStream : public SpdyStream::Delegate,
   // when HasUploadData() is true.
   void ReadAndSendRequestBodyData();
 
+  // Send an empty body.  Must only be called if there is no upload data and
+  // sending greased HTTP/2 frames is enabled.  This allows SpdyStream to
+  // prepend a greased HTTP/2 frame to the empty DATA frame that closes the
+  // stream.
+  void SendEmptyBody();
+
   // Called when data has just been read from the request body stream;
   // does the actual sending of data.
   void OnRequestBodyReadCompleted(int status);
diff --git a/chromium/net/spdy/spdy_http_stream_unittest.cc b/chromium/net/spdy/spdy_http_stream_unittest.cc
index ac44b862eed..085940ee069 100644
--- a/chromium/net/spdy/spdy_http_stream_unittest.cc
+++ b/chromium/net/spdy/spdy_http_stream_unittest.cc
@@ -165,7 +165,7 @@ class SpdyHttpStreamTest : public TestWithTaskEnvironment {
   }
 
   SpdyTestUtil spdy_util_;
-  TestNetLog net_log_;
+  RecordingTestNetLog net_log_;
   SpdySessionDependencies session_deps_;
   const GURL url_;
   const HostPortPair host_port_pair_;
diff --git a/chromium/net/spdy/spdy_network_transaction_unittest.cc b/chromium/net/spdy/spdy_network_transaction_unittest.cc
index efbeb0427f9..9da9f83dfaa 100644
--- a/chromium/net/spdy/spdy_network_transaction_unittest.cc
+++ b/chromium/net/spdy/spdy_network_transaction_unittest.cc
@@ -87,7 +87,9 @@ const char kPushedUrl[] = "https://www.example.org/foo.dat";
 class SpdyNetworkTransactionTest : public TestWithTaskEnvironment {
  protected:
   SpdyNetworkTransactionTest()
-      : default_url_(kDefaultUrl),
+      : TestWithTaskEnvironment(
+            base::test::TaskEnvironment::TimeSource::MOCK_TIME),
+        default_url_(kDefaultUrl),
         host_port_pair_(HostPortPair::FromURL(default_url_)) {}
 
   ~SpdyNetworkTransactionTest() override {
@@ -561,6 +563,11 @@ class SpdyNetworkTransactionTest : public TestWithTaskEnvironment {
     return session->stream_hi_water_mark_;
   }
 
+  base::RepeatingClosure FastForwardByCallback(base::TimeDelta delta) {
+    return base::BindRepeating(&SpdyNetworkTransactionTest::FastForwardBy,
+                               base::Unretained(this), delta);
+  }
+
   const GURL default_url_;
   const HostPortPair host_port_pair_;
   HttpRequestInfo request_;
@@ -2777,6 +2784,8 @@ TEST_F(SpdyNetworkTransactionTest, ServerPushDisabled) {
   initial_settings[spdy::SETTINGS_ENABLE_PUSH] = 0;
   initial_settings[spdy::SETTINGS_MAX_CONCURRENT_STREAMS] =
       kSpdyMaxConcurrentPushedStreams;
+  initial_settings[spdy::SETTINGS_MAX_HEADER_LIST_SIZE] =
+      kSpdyMaxHeaderListSize;
   spdy::SpdySerializedFrame initial_settings_frame(
       spdy_util_.ConstructSpdySettings(initial_settings));
 
@@ -4690,7 +4699,7 @@ TEST_F(SpdyNetworkTransactionTest, NetLog) {
       MockRead(ASYNC, 0, 3)  // EOF
   };
 
-  BoundTestNetLog log;
+  RecordingBoundTestNetLog log;
 
   SequencedSocketData data(reads, writes);
   request_.extra_headers.SetHeader("User-Agent", "Chrome");
@@ -6318,7 +6327,7 @@ class SpdyNetworkTransactionPushHeaderTest
   }
 };
 
-INSTANTIATE_TEST_SUITE_P(,
+INSTANTIATE_TEST_SUITE_P(All,
                          SpdyNetworkTransactionPushHeaderTest,
                          ::testing::ValuesIn(push_header_test_cases));
 
@@ -6525,7 +6534,7 @@ class SpdyNetworkTransactionPushUrlTest
   }
 };
 
-INSTANTIATE_TEST_SUITE_P(,
+INSTANTIATE_TEST_SUITE_P(All,
                          SpdyNetworkTransactionPushUrlTest,
                          ::testing::ValuesIn(push_url_test_cases));
 
@@ -7142,6 +7151,8 @@ TEST_F(SpdyNetworkTransactionTest, WindowUpdateSent) {
       kSpdyMaxConcurrentPushedStreams;
   initial_settings[spdy::SETTINGS_INITIAL_WINDOW_SIZE] =
       stream_max_recv_window_size;
+  initial_settings[spdy::SETTINGS_MAX_HEADER_LIST_SIZE] =
+      kSpdyMaxHeaderListSize;
   spdy::SpdySerializedFrame initial_settings_frame(
       spdy_util_.ConstructSpdySettings(initial_settings));
 
@@ -9591,6 +9602,7 @@ TEST_F(SpdyNetworkTransactionTest,
 #endif  // BUILDFLAG(ENABLE_WEBSOCKETS)
 
 TEST_F(SpdyNetworkTransactionTest, ZeroRTTDoesntConfirm) {
+  static const base::TimeDelta kDelay = base::TimeDelta::FromMilliseconds(10);
   spdy::SpdySerializedFrame req(
       spdy_util_.ConstructSpdyGet(nullptr, 0, 1, LOWEST));
   MockWrite writes[] = {CreateMockWrite(req, 0)};
@@ -9609,14 +9621,26 @@ TEST_F(SpdyNetworkTransactionTest, ZeroRTTDoesntConfirm) {
   NormalSpdyTransactionHelper helper(request_, DEFAULT_PRIORITY, log_,
                                      std::move(session_deps));
   auto ssl_provider = std::make_unique<SSLSocketDataProvider>(ASYNC, OK);
+  ssl_provider->connect_callback = FastForwardByCallback(kDelay);
   // Configure |ssl_provider| to fail if ConfirmHandshake is called. The request
   // should still succeed.
   ssl_provider->confirm = MockConfirm(SYNCHRONOUS, ERR_SSL_PROTOCOL_ERROR);
+  ssl_provider->confirm_callback = FastForwardByCallback(kDelay);
+  base::TimeTicks start_time = base::TimeTicks::Now();
   helper.RunToCompletionWithSSLData(&data, std::move(ssl_provider));
   TransactionHelperResult out = helper.output();
   EXPECT_THAT(out.rv, IsOk());
   EXPECT_EQ("HTTP/1.1 200", out.status_line);
   EXPECT_EQ("hello!", out.response_data);
+
+  // The handshake time should include the time it took to run Connect(), but
+  // not ConfirmHandshake().
+  LoadTimingInfo load_timing_info;
+  EXPECT_TRUE(helper.trans()->GetLoadTimingInfo(&load_timing_info));
+  EXPECT_EQ(load_timing_info.connect_timing.connect_start, start_time);
+  EXPECT_EQ(load_timing_info.connect_timing.ssl_start, start_time);
+  EXPECT_EQ(load_timing_info.connect_timing.ssl_end, start_time + kDelay);
+  EXPECT_EQ(load_timing_info.connect_timing.connect_end, start_time + kDelay);
 }
 
 // Run multiple concurrent streams that don't require handshake confirmation.
@@ -9949,6 +9973,7 @@ TEST_F(SpdyNetworkTransactionTest, ZeroRTTNoConfirmConfirmStreams) {
 }
 
 TEST_F(SpdyNetworkTransactionTest, ZeroRTTSyncConfirmSyncWrite) {
+  static const base::TimeDelta kDelay = base::TimeDelta::FromMilliseconds(10);
   spdy::SpdySerializedFrame req(spdy_util_.ConstructSpdyPost(
       kDefaultUrl, 1, kUploadDataSize, LOWEST, nullptr, 0));
   spdy::SpdySerializedFrame body(spdy_util_.ConstructSpdyDataFrame(1, true));
@@ -9970,12 +9995,26 @@ TEST_F(SpdyNetworkTransactionTest, ZeroRTTSyncConfirmSyncWrite) {
   NormalSpdyTransactionHelper helper(request_, DEFAULT_PRIORITY, log_,
                                      std::move(session_deps));
   auto ssl_provider = std::make_unique<SSLSocketDataProvider>(ASYNC, OK);
+  ssl_provider->connect_callback = FastForwardByCallback(kDelay);
   ssl_provider->confirm = MockConfirm(SYNCHRONOUS, OK);
+  ssl_provider->confirm_callback = FastForwardByCallback(kDelay);
+  base::TimeTicks start_time = base::TimeTicks::Now();
   helper.RunToCompletionWithSSLData(&data, std::move(ssl_provider));
   TransactionHelperResult out = helper.output();
   EXPECT_THAT(out.rv, IsOk());
   EXPECT_EQ("HTTP/1.1 200", out.status_line);
   EXPECT_EQ("hello!", out.response_data);
+
+  // The handshake time should include the time it took to run Connect(), but
+  // not ConfirmHandshake(). If ConfirmHandshake() returns synchronously, we
+  // assume the connection did not negotiate 0-RTT or the handshake was already
+  // confirmed.
+  LoadTimingInfo load_timing_info;
+  EXPECT_TRUE(helper.trans()->GetLoadTimingInfo(&load_timing_info));
+  EXPECT_EQ(load_timing_info.connect_timing.connect_start, start_time);
+  EXPECT_EQ(load_timing_info.connect_timing.ssl_start, start_time);
+  EXPECT_EQ(load_timing_info.connect_timing.ssl_end, start_time + kDelay);
+  EXPECT_EQ(load_timing_info.connect_timing.connect_end, start_time + kDelay);
 }
 
 TEST_F(SpdyNetworkTransactionTest, ZeroRTTSyncConfirmAsyncWrite) {
@@ -10009,6 +10048,7 @@ TEST_F(SpdyNetworkTransactionTest, ZeroRTTSyncConfirmAsyncWrite) {
 }
 
 TEST_F(SpdyNetworkTransactionTest, ZeroRTTAsyncConfirmSyncWrite) {
+  static const base::TimeDelta kDelay = base::TimeDelta::FromMilliseconds(10);
   spdy::SpdySerializedFrame req(spdy_util_.ConstructSpdyPost(
       kDefaultUrl, 1, kUploadDataSize, LOWEST, nullptr, 0));
   spdy::SpdySerializedFrame body(spdy_util_.ConstructSpdyDataFrame(1, true));
@@ -10030,12 +10070,25 @@ TEST_F(SpdyNetworkTransactionTest, ZeroRTTAsyncConfirmSyncWrite) {
   NormalSpdyTransactionHelper helper(request_, DEFAULT_PRIORITY, log_,
                                      std::move(session_deps));
   auto ssl_provider = std::make_unique<SSLSocketDataProvider>(ASYNC, OK);
+  ssl_provider->connect_callback = FastForwardByCallback(kDelay);
   ssl_provider->confirm = MockConfirm(ASYNC, OK);
+  ssl_provider->confirm_callback = FastForwardByCallback(kDelay);
+  base::TimeTicks start_time = base::TimeTicks::Now();
   helper.RunToCompletionWithSSLData(&data, std::move(ssl_provider));
   TransactionHelperResult out = helper.output();
   EXPECT_THAT(out.rv, IsOk());
   EXPECT_EQ("HTTP/1.1 200", out.status_line);
   EXPECT_EQ("hello!", out.response_data);
+
+  // The handshake time should include the time it took to run Connect() and
+  // ConfirmHandshake().
+  LoadTimingInfo load_timing_info;
+  EXPECT_TRUE(helper.trans()->GetLoadTimingInfo(&load_timing_info));
+  EXPECT_EQ(load_timing_info.connect_timing.connect_start, start_time);
+  EXPECT_EQ(load_timing_info.connect_timing.ssl_start, start_time);
+  EXPECT_EQ(load_timing_info.connect_timing.ssl_end, start_time + 2 * kDelay);
+  EXPECT_EQ(load_timing_info.connect_timing.connect_end,
+            start_time + 2 * kDelay);
 }
 
 TEST_F(SpdyNetworkTransactionTest, ZeroRTTAsyncConfirmAsyncWrite) {
@@ -10126,4 +10179,196 @@ TEST_F(SpdyNetworkTransactionTest, ZeroRTTConfirmErrorAsync) {
   EXPECT_THAT(out.rv, IsError(ERR_SSL_PROTOCOL_ERROR));
 }
 
+TEST_F(SpdyNetworkTransactionTest, GreaseFrameTypeWithGetRequest) {
+  auto session_deps = std::make_unique<SpdySessionDependencies>();
+
+  const uint8_t type = 0x0b;
+  const uint8_t flags = 0xcc;
+  const std::string payload("foo");
+  session_deps->greased_http2_frame =
+      base::Optional<net::SpdySessionPool::GreasedHttp2Frame>(
+          {type, flags, payload});
+
+  NormalSpdyTransactionHelper helper(request_, DEFAULT_PRIORITY, log_,
+                                     std::move(session_deps));
+
+  spdy::SpdyHeaderBlock headers(
+      spdy_util_.ConstructGetHeaderBlock(kDefaultUrl));
+  spdy::SpdySerializedFrame req(
+      spdy_util_.ConstructSpdyHeaders(1, std::move(headers), DEFAULT_PRIORITY,
+                                      /* fin = */ false));
+
+  const char kRawFrameData[] = {
+      0x00, 0x00, 0x03,        // length
+      0x0b,                    // type
+      0xcc,                    // flags
+      0x00, 0x00, 0x00, 0x01,  // stream ID
+      'f',  'o',  'o'          // payload
+  };
+  spdy::SpdySerializedFrame grease(const_cast<char*>(kRawFrameData),
+                                   base::size(kRawFrameData),
+                                   /* owns_buffer = */ false);
+  spdy::SpdySerializedFrame empty_body(
+      spdy_util_.ConstructSpdyDataFrame(1, "", true));
+
+  MockWrite writes[] = {CreateMockWrite(req, 0), CreateMockWrite(grease, 1),
+                        CreateMockWrite(empty_body, 2)};
+
+  spdy::SpdySerializedFrame resp(
+      spdy_util_.ConstructSpdyGetReply(nullptr, 0, 1));
+  spdy::SpdySerializedFrame response_body(
+      spdy_util_.ConstructSpdyDataFrame(1, true));
+
+  MockRead reads[] = {CreateMockRead(resp, 3), CreateMockRead(response_body, 4),
+                      MockRead(ASYNC, 0, 5)};
+
+  SequencedSocketData data(reads, writes);
+  helper.RunPreTestSetup();
+  helper.AddData(&data);
+
+  TestCompletionCallback callback;
+  int rv = helper.trans()->Start(&request_, callback.callback(), log_);
+  EXPECT_THAT(callback.GetResult(rv), IsOk());
+
+  base::RunLoop().RunUntilIdle();
+
+  helper.VerifyDataConsumed();
+}
+
+TEST_F(SpdyNetworkTransactionTest, GreaseFrameTypeWithPostRequest) {
+  UsePostRequest();
+
+  auto session_deps = std::make_unique<SpdySessionDependencies>();
+
+  const uint8_t type = 0x0b;
+  const uint8_t flags = 0xcc;
+  const std::string payload("foo");
+  session_deps->greased_http2_frame =
+      base::Optional<net::SpdySessionPool::GreasedHttp2Frame>(
+          {type, flags, payload});
+
+  NormalSpdyTransactionHelper helper(request_, DEFAULT_PRIORITY, log_,
+                                     std::move(session_deps));
+
+  spdy::SpdySerializedFrame req(spdy_util_.ConstructSpdyPost(
+      kDefaultUrl, 1, kUploadDataSize, LOWEST, nullptr, 0));
+
+  const char kRawFrameData[] = {
+      0x00, 0x00, 0x03,        // length
+      0x0b,                    // type
+      0xcc,                    // flags
+      0x00, 0x00, 0x00, 0x01,  // stream ID
+      'f',  'o',  'o'          // payload
+  };
+  spdy::SpdySerializedFrame grease(const_cast<char*>(kRawFrameData),
+                                   base::size(kRawFrameData),
+                                   /* owns_buffer = */ false);
+  spdy::SpdySerializedFrame request_body(
+      spdy_util_.ConstructSpdyDataFrame(1, true));
+
+  MockWrite writes[] = {CreateMockWrite(req, 0), CreateMockWrite(grease, 1),
+                        CreateMockWrite(request_body, 2)};
+
+  spdy::SpdySerializedFrame resp(
+      spdy_util_.ConstructSpdyGetReply(nullptr, 0, 1));
+  spdy::SpdySerializedFrame response_body(
+      spdy_util_.ConstructSpdyDataFrame(1, true));
+
+  MockRead reads[] = {CreateMockRead(resp, 3), CreateMockRead(response_body, 4),
+                      MockRead(ASYNC, 0, 5)};
+
+  SequencedSocketData data(reads, writes);
+  helper.RunPreTestSetup();
+  helper.AddData(&data);
+
+  TestCompletionCallback callback;
+  int rv = helper.trans()->Start(&request_, callback.callback(), log_);
+  EXPECT_THAT(callback.GetResult(rv), IsOk());
+
+  base::RunLoop().RunUntilIdle();
+
+  helper.VerifyDataConsumed();
+}
+
+// According to https://httpwg.org/specs/rfc7540.html#CONNECT, "frame types
+// other than DATA or stream management frames (RST_STREAM, WINDOW_UPDATE, and
+// PRIORITY) MUST NOT be sent on a connected stream".
+TEST_F(SpdyNetworkTransactionTest, DoNotGreaseFrameTypeWithConnect) {
+  auto session_deps = std::make_unique<SpdySessionDependencies>(
+      ProxyResolutionService::CreateFixedFromPacResult(
+          "HTTPS myproxy:70", TRAFFIC_ANNOTATION_FOR_TESTS));
+
+  const uint8_t type = 0x0b;
+  const uint8_t flags = 0xcc;
+  const std::string payload("foo");
+  session_deps->greased_http2_frame =
+      base::Optional<net::SpdySessionPool::GreasedHttp2Frame>(
+          {type, flags, payload});
+
+  NormalSpdyTransactionHelper helper(request_, DEFAULT_PRIORITY, log_,
+                                     std::move(session_deps));
+
+  // CONNECT to proxy.
+  spdy::SpdySerializedFrame connect_req(spdy_util_.ConstructSpdyConnect(
+      nullptr, 0, 1, HttpProxyConnectJob::kH2QuicTunnelPriority,
+      HostPortPair("www.example.org", 443)));
+  spdy::SpdySerializedFrame connect_response(
+      spdy_util_.ConstructSpdyGetReply(nullptr, 0, 1));
+
+  // Tunneled transaction wrapped in DATA frames.
+  const char req[] =
+      "GET / HTTP/1.1\r\n"
+      "Host: www.example.org\r\n"
+      "Connection: keep-alive\r\n\r\n";
+  spdy::SpdySerializedFrame tunneled_req(
+      spdy_util_.ConstructSpdyDataFrame(1, req, false));
+
+  const char resp[] =
+      "HTTP/1.1 200 OK\r\n"
+      "Content-Length: 5\r\n\r\n"
+      "hello";
+  spdy::SpdySerializedFrame tunneled_response(
+      spdy_util_.ConstructSpdyDataFrame(1, resp, false));
+
+  MockWrite writes[] = {CreateMockWrite(connect_req, 0),
+                        CreateMockWrite(tunneled_req, 2)};
+
+  MockRead reads[] = {CreateMockRead(connect_response, 1),
+                      CreateMockRead(tunneled_response, 3),
+                      MockRead(ASYNC, 0, 4)};
+
+  SequencedSocketData data0(reads, writes);
+
+  // HTTP/2 connection to proxy.
+  auto ssl_provider0 = std::make_unique<SSLSocketDataProvider>(ASYNC, OK);
+  ssl_provider0->next_proto = kProtoHTTP2;
+  helper.AddDataWithSSLSocketDataProvider(&data0, std::move(ssl_provider0));
+
+  // HTTP/1.1 to destination.
+  SSLSocketDataProvider ssl_provider1(ASYNC, OK);
+  ssl_provider1.next_proto = kProtoHTTP11;
+  helper.session_deps()->socket_factory->AddSSLSocketDataProvider(
+      &ssl_provider1);
+
+  helper.RunPreTestSetup();
+  helper.StartDefaultTest();
+  helper.FinishDefaultTestWithoutVerification();
+  helper.VerifyDataConsumed();
+
+  const HttpResponseInfo* response = helper.trans()->GetResponseInfo();
+  ASSERT_TRUE(response);
+  ASSERT_TRUE(response->headers);
+  EXPECT_EQ("HTTP/1.1 200 OK", response->headers->GetStatusLine());
+  EXPECT_FALSE(response->was_fetched_via_spdy);
+  EXPECT_EQ(HttpResponseInfo::CONNECTION_INFO_HTTP1_1,
+            response->connection_info);
+  EXPECT_TRUE(response->was_alpn_negotiated);
+  EXPECT_TRUE(request_.url.SchemeIs("https"));
+  EXPECT_EQ("127.0.0.1", response->remote_endpoint.ToStringWithoutPort());
+  EXPECT_EQ(70, response->remote_endpoint.port());
+  std::string response_data;
+  ASSERT_THAT(ReadTransaction(helper.trans(), &response_data), IsOk());
+  EXPECT_EQ("hello", response_data);
+}
+
 }  // namespace net
diff --git a/chromium/net/spdy/spdy_proxy_client_socket.cc b/chromium/net/spdy/spdy_proxy_client_socket.cc
index c5c41ad2490..2156b4b2a8a 100644
--- a/chromium/net/spdy/spdy_proxy_client_socket.cc
+++ b/chromium/net/spdy/spdy_proxy_client_socket.cc
@@ -521,6 +521,10 @@ void SpdyProxyClientSocket::OnClose(int status)  {
     std::move(write_callback).Run(ERR_CONNECTION_CLOSED);
 }
 
+bool SpdyProxyClientSocket::CanGreaseFrameType() const {
+  return false;
+}
+
 NetLogSource SpdyProxyClientSocket::source_dependency() const {
   return source_dependency_;
 }
diff --git a/chromium/net/spdy/spdy_proxy_client_socket.h b/chromium/net/spdy/spdy_proxy_client_socket.h
index eb47162cf2e..744a2b8f0d2 100644
--- a/chromium/net/spdy/spdy_proxy_client_socket.h
+++ b/chromium/net/spdy/spdy_proxy_client_socket.h
@@ -103,6 +103,7 @@ class NET_EXPORT_PRIVATE SpdyProxyClientSocket : public ProxyClientSocket,
   void OnDataSent() override;
   void OnTrailers(const spdy::SpdyHeaderBlock& trailers) override;
   void OnClose(int status) override;
+  bool CanGreaseFrameType() const override;
   NetLogSource source_dependency() const override;
 
  private:
diff --git a/chromium/net/spdy/spdy_proxy_client_socket_unittest.cc b/chromium/net/spdy/spdy_proxy_client_socket_unittest.cc
index 837256a9598..988f0f4ea89 100644
--- a/chromium/net/spdy/spdy_proxy_client_socket_unittest.cc
+++ b/chromium/net/spdy/spdy_proxy_client_socket_unittest.cc
@@ -17,7 +17,6 @@
 #include "net/base/test_completion_callback.h"
 #include "net/base/winsock_init.h"
 #include "net/dns/mock_host_resolver.h"
-#include "net/http/http_auth_preferences.h"
 #include "net/http/http_proxy_connect_job.h"
 #include "net/http/http_response_headers.h"
 #include "net/http/http_response_info.h"
@@ -93,8 +92,8 @@ base::WeakPtr<SpdySession> CreateSpdyProxySession(
       NetLogWithSource()));
 
   auto transport_params = base::MakeRefCounted<TransportSocketParams>(
-      key.host_port_pair(), false /* disable_secure_dns */,
-      OnHostResolutionCallback());
+      key.host_port_pair(), NetworkIsolationKey(),
+      false /* disable_secure_dns */, OnHostResolutionCallback());
 
   SSLConfig ssl_config;
   auto ssl_params = base::MakeRefCounted<SSLSocketParams>(
@@ -158,12 +157,10 @@ class SpdyProxyClientSocketTest : public PlatformTest,
   void AddAuthToCache() {
     const base::string16 kFoo(base::ASCIIToUTF16("foo"));
     const base::string16 kBar(base::ASCIIToUTF16("bar"));
-    session_->http_auth_cache()->Add(GURL(kProxyUrl),
-                                     "MyRealm1",
-                                     HttpAuth::AUTH_SCHEME_BASIC,
-                                     "Basic realm=MyRealm1",
-                                     AuthCredentials(kFoo, kBar),
-                                     "/");
+    session_->http_auth_cache()->Add(
+        GURL(kProxyUrl), HttpAuth::AUTH_PROXY, "MyRealm1",
+        HttpAuth::AUTH_SCHEME_BASIC, NetworkIsolationKey(),
+        "Basic realm=MyRealm1", AuthCredentials(kFoo, kBar), "/");
   }
 
   void ResumeAndRun() {
@@ -180,7 +177,7 @@ class SpdyProxyClientSocketTest : public PlatformTest,
   // Whether to use net::Socket::ReadIfReady() instead of net::Socket::Read().
   bool use_read_if_ready() const { return GetParam(); }
 
-  BoundTestNetLog net_log_;
+  RecordingBoundTestNetLog net_log_;
   SpdyTestUtil spdy_util_;
   std::unique_ptr<SpdyProxyClientSocket> sock_;
   TestCompletionCallback read_callback_;
@@ -271,9 +268,8 @@ void SpdyProxyClientSocketTest::Initialize(base::span<const MockRead> reads,
       spdy_stream, user_agent_, endpoint_host_port_pair_, net_log_.bound(),
       new HttpAuthController(
           HttpAuth::AUTH_PROXY, GURL("https://" + proxy_host_port_.ToString()),
-          session_->http_auth_cache(), session_->http_auth_handler_factory(),
-          session_->host_resolver(),
-          HttpAuthPreferences::ALLOW_DEFAULT_CREDENTIALS));
+          NetworkIsolationKey(), session_->http_auth_cache(),
+          session_->http_auth_handler_factory(), session_->host_resolver()));
 }
 
 scoped_refptr<IOBufferWithSize> SpdyProxyClientSocketTest::CreateBuffer(
diff --git a/chromium/net/spdy/spdy_session.cc b/chromium/net/spdy/spdy_session.cc
index fc2cb7cd24e..4716724c7b4 100644
--- a/chromium/net/spdy/spdy_session.cc
+++ b/chromium/net/spdy/spdy_session.cc
@@ -100,9 +100,6 @@ const uint32_t kDefaultInitialEnablePush = 1;
 const uint32_t kDefaultInitialInitialWindowSize = 65535;
 const uint32_t kDefaultInitialMaxFrameSize = 16384;
 
-// The maximum size of header list that the server is allowed to send.
-const uint32_t kSpdyMaxHeaderListSize = 256 * 1024;
-
 // Values of Vary response header on pushed streams.  This is logged to
 // Net.PushedStreamVaryResponseHeader, entries must not be changed.
 enum PushedStreamVaryResponseHeaderValues {
@@ -474,6 +471,13 @@ class SpdyServerPushHelper : public ServerPushDelegate::ServerPushHelper {
 
   const GURL& GetURL() const override { return request_url_; }
 
+  NetworkIsolationKey GetNetworkIsolationKey() const override {
+    if (session_) {
+      return session_->spdy_session_key().network_isolation_key();
+    }
+    return NetworkIsolationKey();
+  }
+
  private:
   base::WeakPtr<SpdySession> session_;
   const GURL request_url_;
@@ -651,33 +655,44 @@ int SpdyStreamRequest::StartRequest(
   type_ = type;
   session_ = session;
   url_ = SimplifyUrlForRequest(url);
-  can_send_early_ = can_send_early;
   priority_ = priority;
   socket_tag_ = socket_tag;
   net_log_ = net_log;
   callback_ = std::move(callback);
   traffic_annotation_ = MutableNetworkTrafficAnnotationTag(traffic_annotation);
 
-  next_state_ = STATE_WAIT_FOR_CONFIRMATION;
-  int rv = DoLoop(OK);
-  if (rv != OK)
+  // If early data is not allowed, confirm the handshake first.
+  int rv = OK;
+  if (!can_send_early) {
+    rv = session_->ConfirmHandshake(
+        base::BindOnce(&SpdyStreamRequest::OnConfirmHandshakeComplete,
+                       weak_ptr_factory_.GetWeakPtr()));
+  }
+  if (rv != OK) {
+    // If rv is ERR_IO_PENDING, OnConfirmHandshakeComplete() will call
+    // TryCreateStream() later.
     return rv;
+  }
 
   base::WeakPtr<SpdyStream> stream;
   rv = session->TryCreateStream(weak_ptr_factory_.GetWeakPtr(), &stream);
-  if (rv != OK)
+  if (rv != OK) {
+    // If rv is ERR_IO_PENDING, the SpdySession will call
+    // OnRequestCompleteSuccess() or OnRequestCompleteFailure() later.
     return rv;
+  }
 
   Reset();
   stream_ = stream;
-  return rv;
+  return OK;
 }
 
 void SpdyStreamRequest::CancelRequest() {
   if (session_)
     session_->CancelStreamRequest(weak_ptr_factory_.GetWeakPtr());
   Reset();
-  // Do this to cancel any pending CompleteStreamRequest() tasks.
+  // Do this to cancel any pending CompleteStreamRequest() and
+  // OnConfirmHandshakeComplete() tasks.
   weak_ptr_factory_.InvalidateWeakPtrs();
 }
 
@@ -732,74 +747,33 @@ void SpdyStreamRequest::Reset() {
   session_.reset();
   stream_.reset();
   url_ = GURL();
-  can_send_early_ = false;
   priority_ = MINIMUM_PRIORITY;
   socket_tag_ = SocketTag();
   net_log_ = NetLogWithSource();
   callback_.Reset();
   traffic_annotation_.reset();
-  next_state_ = STATE_NONE;
 }
 
-void SpdyStreamRequest::OnIOComplete(int rv) {
+void SpdyStreamRequest::OnConfirmHandshakeComplete(int rv) {
+  DCHECK_NE(ERR_IO_PENDING, rv);
   if (rv != OK) {
     OnRequestCompleteFailure(rv);
-  } else {
-    DoLoop(rv);
-  }
-}
-
-int SpdyStreamRequest::DoLoop(int rv) {
-  do {
-    State state = next_state_;
-    next_state_ = STATE_NONE;
-    switch (state) {
-      case STATE_WAIT_FOR_CONFIRMATION:
-        CHECK_EQ(OK, rv);
-        return DoWaitForConfirmation();
-        break;
-      case STATE_REQUEST_STREAM:
-        CHECK_EQ(OK, rv);
-        return DoRequestStream(rv);
-        break;
-      default:
-        NOTREACHED() << "next_state_: " << next_state_;
-        break;
-    }
-  } while (next_state_ != STATE_NONE && next_state_ && rv != ERR_IO_PENDING);
-  return rv;
-}
-
-int SpdyStreamRequest::DoWaitForConfirmation() {
-  if (can_send_early_) {
-    next_state_ = STATE_NONE;
-    return OK;
+    return;
   }
 
-  int rv = session_->ConfirmHandshake(base::BindOnce(
-      &SpdyStreamRequest::OnIOComplete, weak_ptr_factory_.GetWeakPtr()));
-  // If ConfirmHandshake returned synchronously, exit the state machine early
-  // so StartRequest can call TryCreateStream synchronously. Otherwise,
-  // TryCreateStream will be called asynchronously as part of the confirmation
-  // state machine.
-  next_state_ = rv == ERR_IO_PENDING ? STATE_REQUEST_STREAM : STATE_NONE;
-  return rv;
-}
-
-int SpdyStreamRequest::DoRequestStream(int rv) {
-  DCHECK_NE(ERR_IO_PENDING, rv);
-  next_state_ = STATE_NONE;
-  if (rv < 0)
-    return rv;
+  // ConfirmHandshake() completed asynchronously. Record the time so the caller
+  // can adjust LoadTimingInfo.
+  confirm_handshake_end_ = base::TimeTicks::Now();
 
   base::WeakPtr<SpdyStream> stream;
   rv = session_->TryCreateStream(weak_ptr_factory_.GetWeakPtr(), &stream);
   if (rv == OK) {
     OnRequestCompleteSuccess(stream);
   } else if (rv != ERR_IO_PENDING) {
+    // If rv is ERR_IO_PENDING, the SpdySession will call
+    // OnRequestCompleteSuccess() or OnRequestCompleteFailure() later.
     OnRequestCompleteFailure(rv);
   }
-  return rv;
 }
 
 // static
@@ -1078,6 +1052,22 @@ void SpdySession::EnqueueStreamWrite(
                stream->traffic_annotation());
 }
 
+bool SpdySession::GreasedFramesEnabled() const {
+  return greased_http2_frame_.has_value();
+}
+
+void SpdySession::EnqueueGreasedFrame(const base::WeakPtr<SpdyStream>& stream) {
+  if (availability_state_ == STATE_DRAINING)
+    return;
+
+  EnqueueWrite(
+      stream->priority(),
+      static_cast<spdy::SpdyFrameType>(greased_http2_frame_.value().type),
+      std::make_unique<GreasedBufferProducer>(
+          stream, &greased_http2_frame_.value(), buffered_spdy_framer_.get()),
+      stream, stream->traffic_annotation());
+}
+
 int SpdySession::ConfirmHandshake(CompletionOnceCallback callback) {
   int rv = ERR_IO_PENDING;
   if (!in_confirm_handshake_) {
@@ -1648,11 +1638,9 @@ void SpdySession::InitializeInternal(SpdySessionPool* pool) {
   session_send_window_size_ = kDefaultInitialWindowSize;
   session_recv_window_size_ = kDefaultInitialWindowSize;
 
-  auto it = initial_settings_.find(spdy::SETTINGS_MAX_HEADER_LIST_SIZE);
-  uint32_t spdy_max_header_list_size =
-      (it == initial_settings_.end()) ? kSpdyMaxHeaderListSize : it->second;
   buffered_spdy_framer_ = std::make_unique<BufferedSpdyFramer>(
-      spdy_max_header_list_size, net_log_, time_func_);
+      initial_settings_.find(spdy::SETTINGS_MAX_HEADER_LIST_SIZE)->second,
+      net_log_, time_func_);
   buffered_spdy_framer_->set_visitor(this);
   buffered_spdy_framer_->set_debug_visitor(this);
   buffered_spdy_framer_->UpdateHeaderDecoderTableSize(max_header_table_size_);
@@ -2382,7 +2370,7 @@ int SpdySession::DoWrite() {
         // We've exhausted the stream ID space, and no new streams may be
         // created after this one.
         MakeUnavailable();
-        StartGoingAway(kLastStreamId, ERR_ABORTED);
+        StartGoingAway(kLastStreamId, ERR_HTTP2_PROTOCOL_ERROR);
       }
     }
 
@@ -2733,6 +2721,15 @@ void SpdySession::EnqueueSessionWrite(
                std::make_unique<SimpleBufferProducer>(std::move(buffer)),
                base::WeakPtr<SpdyStream>(),
                kSpdySessionCommandsTrafficAnnotation);
+  if (greased_http2_frame_ && frame_type == spdy::SpdyFrameType::SETTINGS) {
+    EnqueueWrite(
+        priority,
+        static_cast<spdy::SpdyFrameType>(greased_http2_frame_.value().type),
+        std::make_unique<GreasedBufferProducer>(base::WeakPtr<SpdyStream>(),
+                                                &greased_http2_frame_.value(),
+                                                buffered_spdy_framer_.get()),
+        base::WeakPtr<SpdyStream>(), kSpdySessionCommandsTrafficAnnotation);
+  }
 }
 
 void SpdySession::EnqueueWrite(
@@ -2746,15 +2743,6 @@ void SpdySession::EnqueueWrite(
 
   write_queue_.Enqueue(priority, frame_type, std::move(producer), stream,
                        traffic_annotation);
-  if (greased_http2_frame_ && (frame_type == spdy::SpdyFrameType::SETTINGS ||
-                               frame_type == spdy::SpdyFrameType::HEADERS)) {
-    write_queue_.Enqueue(
-        priority,
-        static_cast<spdy::SpdyFrameType>(greased_http2_frame_.value().type),
-        std::make_unique<GreasedBufferProducer>(
-            stream, &greased_http2_frame_.value(), buffered_spdy_framer_.get()),
-        stream, traffic_annotation);
-  }
   MaybePostWriteLoop();
 }
 
diff --git a/chromium/net/spdy/spdy_session.h b/chromium/net/spdy/spdy_session.h
index a93faf5ffda..6e9ed3fea10 100644
--- a/chromium/net/spdy/spdy_session.h
+++ b/chromium/net/spdy/spdy_session.h
@@ -199,6 +199,12 @@ class NET_EXPORT_PRIVATE SpdyStreamRequest {
   // Calls CancelRequest().
   ~SpdyStreamRequest();
 
+  // Returns the time when ConfirmHandshake() completed, if this request had to
+  // wait for ConfirmHandshake().
+  base::TimeTicks confirm_handshake_end() const {
+    return confirm_handshake_end_;
+  }
+
   // Starts the request to create a stream. If OK is returned, then
   // ReleaseStream() may be called. If ERR_IO_PENDING is returned,
   // then when the stream is created, |callback| will be called, at
@@ -248,16 +254,7 @@ class NET_EXPORT_PRIVATE SpdyStreamRequest {
  private:
   friend class SpdySession;
 
-  enum State {
-    STATE_NONE,
-    STATE_WAIT_FOR_CONFIRMATION,
-    STATE_REQUEST_STREAM,
-  };
-
-  void OnIOComplete(int rv);
-  int DoLoop(int rv);
-  int DoWaitForConfirmation();
-  int DoRequestStream(int rv);
+  void OnConfirmHandshakeComplete(int rv);
 
   // Called by |session_| when the stream attempt has finished
   // successfully.
@@ -280,13 +277,12 @@ class NET_EXPORT_PRIVATE SpdyStreamRequest {
   base::WeakPtr<SpdySession> session_;
   base::WeakPtr<SpdyStream> stream_;
   GURL url_;
-  bool can_send_early_;
   RequestPriority priority_;
   SocketTag socket_tag_;
   NetLogWithSource net_log_;
   CompletionOnceCallback callback_;
   MutableNetworkTrafficAnnotationTag traffic_annotation_;
-  State next_state_;
+  base::TimeTicks confirm_handshake_end_;
 
   base::WeakPtrFactory<SpdyStreamRequest> weak_ptr_factory_{this};
 
@@ -404,6 +400,14 @@ class NET_EXPORT SpdySession : public BufferedSpdyFramerVisitorInterface,
                           spdy::SpdyFrameType frame_type,
                           std::unique_ptr<SpdyBufferProducer> producer);
 
+  // Returns true if this session is configured to send greased HTTP/2 frames.
+  // For more details on greased frames, see
+  // https://tools.ietf.org/html/draft-bishop-httpbis-grease-00.
+  bool GreasedFramesEnabled() const;
+
+  // Send greased frame, that is, a frame of reserved type.
+  void EnqueueGreasedFrame(const base::WeakPtr<SpdyStream>& stream);
+
   // Runs the handshake to completion to confirm the handshake with the server.
   // If ERR_IO_PENDING is returned, then when the handshake is confirmed,
   // |callback| will be called.
diff --git a/chromium/net/spdy/spdy_session_fuzzer.cc b/chromium/net/spdy/spdy_session_fuzzer.cc
index 550c88dc9b2..a3ccf8f6e93 100644
--- a/chromium/net/spdy/spdy_session_fuzzer.cc
+++ b/chromium/net/spdy/spdy_session_fuzzer.cc
@@ -39,8 +39,8 @@ class FuzzerDelegate : public net::SpdyStream::Delegate {
   void OnDataReceived(std::unique_ptr<net::SpdyBuffer> buffer) override {}
   void OnDataSent() override {}
   void OnTrailers(const spdy::SpdyHeaderBlock& trailers) override {}
-
   void OnClose(int status) override { done_closure_.Run(); }
+  bool CanGreaseFrameType() const override { return false; }
 
   net::NetLogSource source_dependency() const override {
     return net::NetLogSource();
@@ -102,7 +102,7 @@ FuzzedSocketFactoryWithMockSSLData::CreateSSLClientSocket(
 //
 // |data| is used to create a FuzzedServerSocket.
 extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
-  net::BoundTestNetLog bound_test_net_log;
+  net::RecordingBoundTestNetLog bound_test_net_log;
   FuzzedDataProvider data_provider(data, size);
   net::FuzzedSocketFactoryWithMockSSLData socket_factory(&data_provider);
   socket_factory.set_fuzz_connect_result(false);
diff --git a/chromium/net/spdy/spdy_session_pool_unittest.cc b/chromium/net/spdy/spdy_session_pool_unittest.cc
index d478557f70a..b670818d41e 100644
--- a/chromium/net/spdy/spdy_session_pool_unittest.cc
+++ b/chromium/net/spdy/spdy_session_pool_unittest.cc
@@ -191,6 +191,8 @@ class SessionOpeningDelegate : public SpdyStream::Delegate {
     ignore_result(CreateFakeSpdySession(spdy_session_pool_, key_));
   }
 
+  bool CanGreaseFrameType() const override { return false; }
+
   NetLogSource source_dependency() const override { return NetLogSource(); }
 
  private:
@@ -706,7 +708,7 @@ TEST_F(SpdySessionPoolTest, IPPoolingNetLog) {
       http_session_.get(), test_hosts[0].key, NetLogWithSource());
 
   // The second host should pool to the existing connection.
-  BoundTestNetLog net_log;
+  RecordingBoundTestNetLog net_log;
   base::HistogramTester histogram_tester;
   EXPECT_TRUE(TryCreateAliasedSpdySession(spdy_session_pool_, test_hosts[1].key,
                                           test_hosts[1].iplist));
@@ -1169,7 +1171,7 @@ TEST_F(SpdySessionPoolTest, IPConnectionPoolingWithWebSockets) {
 
   // SpdySession does not support Websocket before SETTINGS frame is read.
   EXPECT_FALSE(session->support_websocket());
-  BoundTestNetLog net_log;
+  RecordingBoundTestNetLog net_log;
   // TryCreateAliasedSpdySession should not find |session| for either
   // SpdySessionKeys if |is_websocket| argument is set.
   EXPECT_FALSE(TryCreateAliasedSpdySession(
diff --git a/chromium/net/spdy/spdy_session_test_util.cc b/chromium/net/spdy/spdy_session_test_util.cc
index 603750b67fa..717924236da 100644
--- a/chromium/net/spdy/spdy_session_test_util.cc
+++ b/chromium/net/spdy/spdy_session_test_util.cc
@@ -22,8 +22,8 @@ SpdySessionTestTaskObserver::~SpdySessionTestTaskObserver() {
 }
 
 void SpdySessionTestTaskObserver::WillProcessTask(
-    const base::PendingTask& pending_task) {
-}
+    const base::PendingTask& pending_task,
+    bool was_blocked_or_low_priority) {}
 
 void SpdySessionTestTaskObserver::DidProcessTask(
     const base::PendingTask& pending_task) {
diff --git a/chromium/net/spdy/spdy_session_test_util.h b/chromium/net/spdy/spdy_session_test_util.h
index 2bdec6d1288..4b24e29d3c8 100644
--- a/chromium/net/spdy/spdy_session_test_util.h
+++ b/chromium/net/spdy/spdy_session_test_util.h
@@ -30,7 +30,8 @@ class SpdySessionTestTaskObserver : public base::TaskObserver {
   ~SpdySessionTestTaskObserver() override;
 
   // Implements TaskObserver.
-  void WillProcessTask(const base::PendingTask& pending_task) override;
+  void WillProcessTask(const base::PendingTask& pending_task,
+                       bool was_blocked_or_low_priority) override;
   void DidProcessTask(const base::PendingTask& pending_task) override;
 
   // Returns the number of tasks posted by the given function and file.
diff --git a/chromium/net/spdy/spdy_session_unittest.cc b/chromium/net/spdy/spdy_session_unittest.cc
index fc085590509..f481bea0efc 100644
--- a/chromium/net/spdy/spdy_session_unittest.cc
+++ b/chromium/net/spdy/spdy_session_unittest.cc
@@ -363,7 +363,7 @@ class SpdySessionTest : public PlatformTest, public WithTaskEnvironment {
                url, session_.get()) != kNoPushedStreamFound;
   }
 
-  BoundTestNetLog log_;
+  RecordingBoundTestNetLog log_;
 
   // Original socket limits.  Some tests set these.  Safest to always restore
   // them once each test has been run.
@@ -1351,8 +1351,8 @@ TEST_F(SpdySessionTest, StreamIdSpaceExhausted) {
 
   // Session is going away. Created and stalled streams were aborted.
   EXPECT_TRUE(session_->IsGoingAway());
-  EXPECT_THAT(delegate3.WaitForClose(), IsError(ERR_ABORTED));
-  EXPECT_THAT(callback4.WaitForResult(), IsError(ERR_ABORTED));
+  EXPECT_THAT(delegate3.WaitForClose(), IsError(ERR_HTTP2_PROTOCOL_ERROR));
+  EXPECT_THAT(callback4.WaitForResult(), IsError(ERR_HTTP2_PROTOCOL_ERROR));
   EXPECT_EQ(0u, num_created_streams());
   EXPECT_EQ(0u, pending_create_stream_queue_size(MEDIUM));
 
@@ -6004,7 +6004,7 @@ TEST_F(SpdySessionTest, EnableWebSocketThenDisableIsProtocolError) {
   EXPECT_FALSE(session_);
 }
 
-TEST_F(SpdySessionTest, GreaseFrameType) {
+TEST_F(SpdySessionTest, GreaseFrameTypeAfterSettings) {
   const uint8_t type = 0x0b;
   const uint8_t flags = 0xcc;
   const std::string payload("foo");
@@ -6023,6 +6023,8 @@ TEST_F(SpdySessionTest, GreaseFrameType) {
   expected_settings[spdy::SETTINGS_HEADER_TABLE_SIZE] = kSpdyMaxHeaderTableSize;
   expected_settings[spdy::SETTINGS_MAX_CONCURRENT_STREAMS] =
       kSpdyMaxConcurrentPushedStreams;
+  expected_settings[spdy::SETTINGS_MAX_HEADER_LIST_SIZE] =
+      kSpdyMaxHeaderListSize;
   spdy::SpdySerializedFrame settings_frame(
       spdy_util_.ConstructSpdySettings(expected_settings));
 
@@ -6030,64 +6032,31 @@ TEST_F(SpdySessionTest, GreaseFrameType) {
       CombineFrames({&preface, &settings_frame});
 
   // Greased frame sent on stream 0 after initial SETTINGS frame.
-  const char kRawFrameData0[] = {
+  const char kRawFrameData[] = {
       0x00, 0x00, 0x03,        // length
       0x0b,                    // type
       0xcc,                    // flags
       0x00, 0x00, 0x00, 0x00,  // stream ID
       'f',  'o',  'o'          // payload
   };
-  spdy::SpdySerializedFrame grease0(const_cast<char*>(kRawFrameData0),
-                                    base::size(kRawFrameData0),
-                                    /* owns_buffer = */ false);
-  spdy::SpdySerializedFrame req(
-      spdy_util_.ConstructSpdyGet(nullptr, 0, 1, DEFAULT_PRIORITY));
-
-  // Greased frame sent on stream 1 after request.
-  const char kRawFrameData1[] = {
-      0x00, 0x00, 0x03,        // length
-      0x0b,                    // type
-      0xcc,                    // flags
-      0x00, 0x00, 0x00, 0x01,  // stream ID
-      'f',  'o',  'o'          // payload
-  };
-  spdy::SpdySerializedFrame grease1(const_cast<char*>(kRawFrameData1),
-                                    base::size(kRawFrameData1),
-                                    /* owns_buffer = */ false);
+  spdy::SpdySerializedFrame grease(const_cast<char*>(kRawFrameData),
+                                   base::size(kRawFrameData),
+                                   /* owns_buffer = */ false);
 
   MockWrite writes[] = {CreateMockWrite(combined_frame, 0),
-                        CreateMockWrite(grease0, 1), CreateMockWrite(req, 2),
-                        CreateMockWrite(grease1, 3)};
-
-  spdy::SpdySerializedFrame resp(
-      spdy_util_.ConstructSpdyGetReply(nullptr, 0, 1));
-  spdy::SpdySerializedFrame body(spdy_util_.ConstructSpdyDataFrame(1, true));
+                        CreateMockWrite(grease, 1)};
 
-  MockRead reads[] = {CreateMockRead(resp, 4), CreateMockRead(body, 5),
-                      MockRead(ASYNC, 0, 6)};
+  MockRead reads[] = {MockRead(ASYNC, 0, 2)};
 
   SequencedSocketData data(reads, writes);
   session_deps_.socket_factory->AddSocketDataProvider(&data);
   AddSSLSocketData();
-
   CreateNetworkSession();
 
   SpdySessionPoolPeer pool_peer(spdy_session_pool_);
   pool_peer.SetEnableSendingInitialData(true);
 
   CreateSpdySession();
-
-  base::WeakPtr<SpdyStream> stream = CreateStreamSynchronously(
-      SPDY_REQUEST_RESPONSE_STREAM, session_, test_url_, DEFAULT_PRIORITY,
-      NetLogWithSource());
-  test::StreamDelegateDoNothing delegate(stream);
-  stream->SetDelegate(&delegate);
-
-  stream->SendRequestHeaders(spdy_util_.ConstructGetHeaderBlock(kDefaultUrl),
-                             NO_MORE_DATA_TO_SEND);
-
-  EXPECT_THAT(delegate.WaitForClose(), IsOk());
-
   base::RunLoop().RunUntilIdle();
 
   EXPECT_TRUE(data.AllWriteDataConsumed());
@@ -6201,6 +6170,8 @@ TEST_F(SendInitialSettingsOnNewSpdySessionTest, Empty) {
   expected_settings[spdy::SETTINGS_HEADER_TABLE_SIZE] = kSpdyMaxHeaderTableSize;
   expected_settings[spdy::SETTINGS_MAX_CONCURRENT_STREAMS] =
       kSpdyMaxConcurrentPushedStreams;
+  expected_settings[spdy::SETTINGS_MAX_HEADER_LIST_SIZE] =
+      kSpdyMaxHeaderListSize;
   RunInitialSettingsTest(expected_settings);
 }
 
@@ -6216,6 +6187,8 @@ TEST_F(SendInitialSettingsOnNewSpdySessionTest, ProtocolDefault) {
   spdy::SettingsMap expected_settings;
   expected_settings[spdy::SETTINGS_MAX_CONCURRENT_STREAMS] =
       kSpdyMaxConcurrentPushedStreams;
+  expected_settings[spdy::SETTINGS_MAX_HEADER_LIST_SIZE] =
+      kSpdyMaxHeaderListSize;
   RunInitialSettingsTest(expected_settings);
 }
 
@@ -6247,6 +6220,8 @@ TEST_F(SendInitialSettingsOnNewSpdySessionTest, UnknownSettings) {
   expected_settings[spdy::SETTINGS_HEADER_TABLE_SIZE] = kSpdyMaxHeaderTableSize;
   expected_settings[spdy::SETTINGS_MAX_CONCURRENT_STREAMS] =
       kSpdyMaxConcurrentPushedStreams;
+  expected_settings[spdy::SETTINGS_MAX_HEADER_LIST_SIZE] =
+      kSpdyMaxHeaderListSize;
   expected_settings[7] = 1234;
   expected_settings[25] = 5678;
   RunInitialSettingsTest(expected_settings);
diff --git a/chromium/net/spdy/spdy_stream.cc b/chromium/net/spdy/spdy_stream.cc
index 8df8a74d6fb..73f264f1004 100644
--- a/chromium/net/spdy/spdy_stream.cc
+++ b/chromium/net/spdy/spdy_stream.cc
@@ -867,6 +867,11 @@ void SpdyStream::QueueNextDataFrame() {
         &SpdyStream::OnWriteBufferConsumed, GetWeakPtr(), payload_size));
   }
 
+  if (session_->GreasedFramesEnabled() && delegate_ &&
+      delegate_->CanGreaseFrameType()) {
+    session_->EnqueueGreasedFrame(GetWeakPtr());
+  }
+
   session_->EnqueueStreamWrite(
       GetWeakPtr(), spdy::SpdyFrameType::DATA,
       std::make_unique<SimpleBufferProducer>(std::move(data_buffer)));
diff --git a/chromium/net/spdy/spdy_stream.h b/chromium/net/spdy/spdy_stream.h
index efdc0d9b022..e9245b01b6f 100644
--- a/chromium/net/spdy/spdy_stream.h
+++ b/chromium/net/spdy/spdy_stream.h
@@ -107,6 +107,10 @@ class NET_EXPORT_PRIVATE SpdyStream {
     // handle it gracefully.
     virtual void OnClose(int status) = 0;
 
+    // Returns whether it is allowed to send greased (reserved type) frames on
+    // the HTTP/2 stream.
+    virtual bool CanGreaseFrameType() const = 0;
+
     virtual NetLogSource source_dependency() const = 0;
 
    protected:
diff --git a/chromium/net/spdy/spdy_stream_test_util.cc b/chromium/net/spdy/spdy_stream_test_util.cc
index 92b78082f8b..8307e999c69 100644
--- a/chromium/net/spdy/spdy_stream_test_util.cc
+++ b/chromium/net/spdy/spdy_stream_test_util.cc
@@ -40,6 +40,10 @@ void ClosingDelegate::OnClose(int status) {
   // The |stream_| may still be alive (if it is our delegate).
 }
 
+bool ClosingDelegate::CanGreaseFrameType() const {
+  return false;
+}
+
 NetLogSource ClosingDelegate::source_dependency() const {
   return NetLogSource();
 }
@@ -83,6 +87,10 @@ void StreamDelegateBase::OnClose(int status) {
   callback_.callback().Run(status);
 }
 
+bool StreamDelegateBase::CanGreaseFrameType() const {
+  return false;
+}
+
 NetLogSource StreamDelegateBase::source_dependency() const {
   return NetLogSource();
 }
diff --git a/chromium/net/spdy/spdy_stream_test_util.h b/chromium/net/spdy/spdy_stream_test_util.h
index f593f95899c..cb1dd50875d 100644
--- a/chromium/net/spdy/spdy_stream_test_util.h
+++ b/chromium/net/spdy/spdy_stream_test_util.h
@@ -37,6 +37,7 @@ class ClosingDelegate : public SpdyStream::Delegate {
   void OnDataSent() override;
   void OnTrailers(const spdy::SpdyHeaderBlock& trailers) override;
   void OnClose(int status) override;
+  bool CanGreaseFrameType() const override;
   NetLogSource source_dependency() const override;
 
   // Returns whether or not the stream is closed.
@@ -61,6 +62,7 @@ class StreamDelegateBase : public SpdyStream::Delegate {
   void OnDataSent() override;
   void OnTrailers(const spdy::SpdyHeaderBlock& trailers) override;
   void OnClose(int status) override;
+  bool CanGreaseFrameType() const override;
   NetLogSource source_dependency() const override;
 
   // Waits for the stream to be closed and returns the status passed
diff --git a/chromium/net/spdy/spdy_stream_unittest.cc b/chromium/net/spdy/spdy_stream_unittest.cc
index e2620f00a13..4f6c5ff5919 100644
--- a/chromium/net/spdy/spdy_stream_unittest.cc
+++ b/chromium/net/spdy/spdy_stream_unittest.cc
@@ -415,7 +415,7 @@ TEST_F(SpdyStreamTest, StreamError) {
 
   AddReadEOF();
 
-  BoundTestNetLog log;
+  RecordingBoundTestNetLog log;
 
   SequencedSocketData data(GetReads(), GetWrites());
   MockConnect connect_data(SYNCHRONOUS, OK);
@@ -1254,7 +1254,7 @@ TEST_F(SpdyStreamTest, IncreaseSendWindowSizeOverflow) {
 
   AddReadEOF();
 
-  BoundTestNetLog log;
+  RecordingBoundTestNetLog log;
 
   SequencedSocketData data(GetReads(), GetWrites());
   MockConnect connect_data(SYNCHRONOUS, OK);
diff --git a/chromium/net/spdy/spdy_test_util_common.cc b/chromium/net/spdy/spdy_test_util_common.cc
index 379530cc115..c30243ac161 100644
--- a/chromium/net/spdy/spdy_test_util_common.cc
+++ b/chromium/net/spdy/spdy_test_util_common.cc
@@ -26,6 +26,7 @@
 #include "net/http/http_network_transaction.h"
 #include "net/http/http_proxy_connect_job.h"
 #include "net/log/net_log_with_source.h"
+#include "net/quic/quic_context.h"
 #include "net/socket/client_socket_handle.h"
 #include "net/socket/next_proto.h"
 #include "net/socket/socket_tag.h"
@@ -331,6 +332,7 @@ SpdySessionDependencies::SpdySessionDependencies(
       socket_factory(std::make_unique<MockClientSocketFactory>()),
       http_auth_handler_factory(HttpAuthHandlerFactory::CreateDefault()),
       http_server_properties(std::make_unique<HttpServerProperties>()),
+      quic_context(std::make_unique<QuicContext>()),
       enable_ip_pooling(true),
       enable_ping(false),
       enable_user_alternate_protocol_ports(false),
@@ -344,8 +346,7 @@ SpdySessionDependencies::SpdySessionDependencies(
       net_log(nullptr),
       disable_idle_sockets_close_on_memory_pressure(false),
       enable_early_data(false),
-      allow_default_credentials(
-          HttpAuthPreferences::ALLOW_DEFAULT_CREDENTIALS) {
+      key_auth_cache_server_entries_by_network_isolation_key(false) {
   http2_settings[spdy::SETTINGS_INITIAL_WINDOW_SIZE] =
       kDefaultInitialWindowSize;
 }
@@ -399,7 +400,8 @@ HttpNetworkSession::Params SpdySessionDependencies::CreateSessionParams(
   params.disable_idle_sockets_close_on_memory_pressure =
       session_deps->disable_idle_sockets_close_on_memory_pressure;
   params.enable_early_data = session_deps->enable_early_data;
-  params.allow_default_credentials = session_deps->allow_default_credentials;
+  params.key_auth_cache_server_entries_by_network_isolation_key =
+      session_deps->key_auth_cache_server_entries_by_network_isolation_key;
   return params;
 }
 
@@ -422,6 +424,7 @@ HttpNetworkSession::Context SpdySessionDependencies::CreateSessionContext(
   context.http_auth_handler_factory =
       session_deps->http_auth_handler_factory.get();
   context.http_server_properties = session_deps->http_server_properties.get();
+  context.quic_context = session_deps->quic_context.get();
   context.net_log = session_deps->net_log;
 #if BUILDFLAG(ENABLE_REPORTING)
   context.reporting_service = session_deps->reporting_service.get();
@@ -444,6 +447,7 @@ SpdyURLRequestContext::SpdyURLRequestContext() : storage_(this) {
   storage_.set_http_auth_handler_factory(
       HttpAuthHandlerFactory::CreateDefault());
   storage_.set_http_server_properties(std::make_unique<HttpServerProperties>());
+  storage_.set_quic_context(std::make_unique<QuicContext>());
   storage_.set_job_factory(std::make_unique<URLRequestJobFactoryImpl>());
   HttpNetworkSession::Params session_params;
   session_params.enable_spdy_ping_based_connection_checking = false;
@@ -459,6 +463,7 @@ SpdyURLRequestContext::SpdyURLRequestContext() : storage_(this) {
   session_context.ssl_config_service = ssl_config_service();
   session_context.http_auth_handler_factory = http_auth_handler_factory();
   session_context.http_server_properties = http_server_properties();
+  session_context.quic_context = quic_context();
   storage_.set_http_network_session(
       std::make_unique<HttpNetworkSession>(session_params, session_context));
   SpdySessionPoolPeer pool_peer(
diff --git a/chromium/net/spdy/spdy_test_util_common.h b/chromium/net/spdy/spdy_test_util_common.h
index 304584b301e..a9c7b0e3c9b 100644
--- a/chromium/net/spdy/spdy_test_util_common.h
+++ b/chromium/net/spdy/spdy_test_util_common.h
@@ -25,7 +25,6 @@
 #include "net/cert/cert_verifier.h"
 #include "net/dns/mock_host_resolver.h"
 #include "net/http/http_auth_handler_factory.h"
-#include "net/http/http_auth_preferences.h"
 #include "net/http/http_network_session.h"
 #include "net/http/http_response_info.h"
 #include "net/http/http_server_properties.h"
@@ -54,6 +53,7 @@ class CTPolicyEnforcer;
 class HashValue;
 class HostPortPair;
 class HostResolver;
+class QuicContext;
 class HttpUserAgentSettings;
 class NetLogWithSource;
 class SpdySessionKey;
@@ -218,6 +218,7 @@ struct SpdySessionDependencies {
   std::unique_ptr<MockClientSocketFactory> socket_factory;
   std::unique_ptr<HttpAuthHandlerFactory> http_auth_handler_factory;
   std::unique_ptr<HttpServerProperties> http_server_properties;
+  std::unique_ptr<QuicContext> quic_context;
 #if BUILDFLAG(ENABLE_REPORTING)
   std::unique_ptr<ReportingService> reporting_service;
   std::unique_ptr<NetworkErrorLoggingService> network_error_logging_service;
@@ -237,7 +238,7 @@ struct SpdySessionDependencies {
   NetLog* net_log;
   bool disable_idle_sockets_close_on_memory_pressure;
   bool enable_early_data;
-  HttpAuthPreferences::DefaultCredentials allow_default_credentials;
+  bool key_auth_cache_server_entries_by_network_isolation_key;
 };
 
 class SpdyURLRequestContext : public URLRequestContext {
diff --git a/chromium/net/ssl/client_cert_store_nss_unittest.cc b/chromium/net/ssl/client_cert_store_nss_unittest.cc
index 964b9fbe809..52536a9cf9c 100644
--- a/chromium/net/ssl/client_cert_store_nss_unittest.cc
+++ b/chromium/net/ssl/client_cert_store_nss_unittest.cc
@@ -18,7 +18,7 @@
 #include "base/test/task_environment.h"
 #include "crypto/nss_util.h"
 #include "crypto/scoped_test_nss_db.h"
-#include "net/cert/pem_tokenizer.h"
+#include "net/cert/pem.h"
 #include "net/cert/x509_certificate.h"
 #include "net/cert/x509_util_nss.h"
 #include "net/ssl/client_cert_identity_test_util.h"
diff --git a/chromium/net/ssl/client_cert_store_unittest-inl.h b/chromium/net/ssl/client_cert_store_unittest-inl.h
index ea2a7205755..83ce480c790 100644
--- a/chromium/net/ssl/client_cert_store_unittest-inl.h
+++ b/chromium/net/ssl/client_cert_store_unittest-inl.h
@@ -12,7 +12,7 @@
 #include "base/files/file_path.h"
 #include "base/files/file_util.h"
 #include "base/memory/ref_counted.h"
-#include "net/cert/pem_tokenizer.h"
+#include "net/cert/pem.h"
 #include "net/cert/x509_util.h"
 #include "net/ssl/ssl_cert_request_info.h"
 #include "net/test/cert_test_util.h"
diff --git a/chromium/net/ssl/ssl_handshake_details.h b/chromium/net/ssl/ssl_handshake_details.h
index a9a024f40a8..f34f429f71e 100644
--- a/chromium/net/ssl/ssl_handshake_details.h
+++ b/chromium/net/ssl/ssl_handshake_details.h
@@ -15,13 +15,19 @@ enum class SSLHandshakeDetails {
   kTLS12Resume = 1,
   // TLS 1.2 full handshake with False Start (1-RTT)
   kTLS12FalseStart = 2,
-  // TLS 1.3 full handshake (1-RTT, usually)
-  kTLS13Full = 3,
-  // TLS 1.3 resumption handshake (1-RTT, usually)
-  kTLS13Resume = 4,
+  // 3 was previously used for TLS 1.3 full handshakes with or without HRR.
+  // 4 was previously used for TLS 1.3 resumptions with or without HRR.
   // TLS 1.3 0-RTT handshake (0-RTT)
   kTLS13Early = 5,
-  kMaxValue = kTLS13Early,
+  // TLS 1.3 full handshake without HelloRetryRequest (1-RTT)
+  kTLS13Full = 6,
+  // TLS 1.3 resumption handshake without HelloRetryRequest (1-RTT)
+  kTLS13Resume = 7,
+  // TLS 1.3 full handshake with HelloRetryRequest (2-RTT)
+  kTLS13FullWithHelloRetryRequest = 8,
+  // TLS 1.3 resumption handshake with HelloRetryRequest (2-RTT)
+  kTLS13ResumeWithHelloRetryRequest = 9,
+  kMaxValue = kTLS13ResumeWithHelloRetryRequest,
 };
 
 }  // namespace net
diff --git a/chromium/net/ssl/ssl_info.cc b/chromium/net/ssl/ssl_info.cc
index 4c074fb4b13..0ca220aee65 100644
--- a/chromium/net/ssl/ssl_info.cc
+++ b/chromium/net/ssl/ssl_info.cc
@@ -20,10 +20,6 @@ void SSLInfo::Reset() {
   *this = SSLInfo();
 }
 
-void SSLInfo::SetCertError(int error) {
-  cert_status |= MapNetErrorToCertStatus(error);
-}
-
 void SSLInfo::UpdateCertificateTransparencyInfo(
     const ct::CTVerifyResult& ct_verify_result) {
   signed_certificate_timestamps.insert(signed_certificate_timestamps.end(),
diff --git a/chromium/net/ssl/ssl_info.h b/chromium/net/ssl/ssl_info.h
index f68ece8d7f3..b8fe946de96 100644
--- a/chromium/net/ssl/ssl_info.h
+++ b/chromium/net/ssl/ssl_info.h
@@ -45,9 +45,6 @@ class NET_EXPORT SSLInfo {
 
   bool is_valid() const { return cert.get() != nullptr; }
 
-  // Adds the specified |error| to the cert status.
-  void SetCertError(int error);
-
   // Adds the SignedCertificateTimestamps and policy compliance details
   // from ct_verify_result to |signed_certificate_timestamps| and
   // |ct_policy_compliance_details|. SCTs are held in three separate
diff --git a/chromium/net/ssl/ssl_platform_key_android_unittest.cc b/chromium/net/ssl/ssl_platform_key_android_unittest.cc
index 2991098a29d..745a63c69a3 100644
--- a/chromium/net/ssl/ssl_platform_key_android_unittest.cc
+++ b/chromium/net/ssl/ssl_platform_key_android_unittest.cc
@@ -100,7 +100,7 @@ TEST_P(SSLPlatformKeyAndroidTest, Matches) {
   TestSSLPrivateKeyMatches(key.get(), key_bytes);
 }
 
-INSTANTIATE_TEST_SUITE_P(,
+INSTANTIATE_TEST_SUITE_P(All,
                          SSLPlatformKeyAndroidTest,
                          testing::ValuesIn(kTestKeys),
                          TestKeyToString);
diff --git a/chromium/net/ssl/ssl_platform_key_mac_unittest.cc b/chromium/net/ssl/ssl_platform_key_mac_unittest.cc
index 26c03d1bd93..a479e269235 100644
--- a/chromium/net/ssl/ssl_platform_key_mac_unittest.cc
+++ b/chromium/net/ssl/ssl_platform_key_mac_unittest.cc
@@ -84,7 +84,7 @@ TEST_P(SSLPlatformKeyMacTest, KeyMatches) {
   TestSSLPrivateKeyMatches(key.get(), pkcs8);
 }
 
-INSTANTIATE_TEST_SUITE_P(,
+INSTANTIATE_TEST_SUITE_P(All,
                          SSLPlatformKeyMacTest,
                          testing::ValuesIn(kTestKeys),
                          TestKeyToString);
diff --git a/chromium/net/ssl/ssl_platform_key_nss_unittest.cc b/chromium/net/ssl/ssl_platform_key_nss_unittest.cc
index 4198579ffd1..d0fc8aec640 100644
--- a/chromium/net/ssl/ssl_platform_key_nss_unittest.cc
+++ b/chromium/net/ssl/ssl_platform_key_nss_unittest.cc
@@ -4,19 +4,11 @@
 
 #include "net/ssl/ssl_platform_key_nss.h"
 
-#include <keyhi.h>
-#include <pk11pub.h>
-#include <stdint.h>
-#include <string.h>
-
-#include <memory>
 #include <string>
-#include <vector>
 
 #include "base/files/file_path.h"
 #include "base/files/file_util.h"
 #include "base/memory/ref_counted.h"
-#include "crypto/ec_private_key.h"
 #include "crypto/nss_crypto_module_delegate.h"
 #include "crypto/scoped_nss_types.h"
 #include "crypto/scoped_test_nss_db.h"
@@ -27,12 +19,7 @@
 #include "net/test/test_data_directory.h"
 #include "net/test/test_with_task_environment.h"
 #include "testing/gtest/include/gtest/gtest.h"
-#include "third_party/boringssl/src/include/openssl/bytestring.h"
-#include "third_party/boringssl/src/include/openssl/ec.h"
-#include "third_party/boringssl/src/include/openssl/ec_key.h"
 #include "third_party/boringssl/src/include/openssl/evp.h"
-#include "third_party/boringssl/src/include/openssl/mem.h"
-#include "third_party/boringssl/src/include/openssl/ssl.h"
 
 namespace net {
 
@@ -71,62 +58,12 @@ TEST_P(SSLPlatformKeyNSSTest, KeyMatches) {
 
   // Import the key into a test NSS database.
   crypto::ScopedTestNSSDB test_db;
-  scoped_refptr<X509Certificate> cert;
   ScopedCERTCertificate nss_cert;
-  if (test_key.type == EVP_PKEY_EC) {
-    // NSS cannot import unencrypted ECDSA keys, so we encrypt it with an empty
-    // password and import manually.
-    std::vector<uint8_t> pkcs8_vector(pkcs8.begin(), pkcs8.end());
-    std::unique_ptr<crypto::ECPrivateKey> ec_private_key =
-        crypto::ECPrivateKey::CreateFromPrivateKeyInfo(pkcs8_vector);
-    ASSERT_TRUE(ec_private_key);
-    std::vector<uint8_t> encrypted;
-    ASSERT_TRUE(ec_private_key->ExportEncryptedPrivateKey(&encrypted));
-
-    SECItem encrypted_item = {siBuffer, encrypted.data(),
-                              static_cast<unsigned>(encrypted.size())};
-    SECKEYEncryptedPrivateKeyInfo epki;
-    memset(&epki, 0, sizeof(epki));
-    crypto::ScopedPLArenaPool arena(PORT_NewArena(DER_DEFAULT_CHUNKSIZE));
-    ASSERT_EQ(SECSuccess,
-              SEC_QuickDERDecodeItem(
-                  arena.get(), &epki,
-                  SEC_ASN1_GET(SECKEY_EncryptedPrivateKeyInfoTemplate),
-                  &encrypted_item));
-
-    // NSS uses the serialized public key in X9.62 form as the "public value"
-    // for key ID purposes.
-    bssl::ScopedCBB cbb;
-    ASSERT_TRUE(CBB_init(cbb.get(), 0));
-    EC_KEY* ec_key = EVP_PKEY_get0_EC_KEY(ec_private_key->key());
-    ASSERT_TRUE(EC_POINT_point2cbb(cbb.get(), EC_KEY_get0_group(ec_key),
-                                   EC_KEY_get0_public_key(ec_key),
-                                   POINT_CONVERSION_UNCOMPRESSED, nullptr));
-    uint8_t* public_value;
-    size_t public_value_len;
-    ASSERT_TRUE(CBB_finish(cbb.get(), &public_value, &public_value_len));
-    bssl::UniquePtr<uint8_t> scoped_public_value(public_value);
-    SECItem public_item = {siBuffer, public_value,
-                           static_cast<unsigned>(public_value_len)};
-
-    SECItem password_item = {siBuffer, nullptr, 0};
-    ASSERT_EQ(SECSuccess,
-              PK11_ImportEncryptedPrivateKeyInfo(
-                  test_db.slot(), &epki, &password_item, nullptr /* nickname */,
-                  &public_item, PR_TRUE /* permanent */, PR_TRUE /* private */,
-                  ecKey, KU_DIGITAL_SIGNATURE, nullptr /* wincx */));
-
-    cert = ImportCertFromFile(GetTestCertsDirectory(), test_key.cert_file);
-    ASSERT_TRUE(cert);
-    nss_cert = ImportClientCertToSlot(cert, test_db.slot());
-    ASSERT_TRUE(nss_cert);
-  } else {
-    cert = ImportClientCertAndKeyFromFile(GetTestCertsDirectory(),
-                                          test_key.cert_file, test_key.key_file,
-                                          test_db.slot(), &nss_cert);
-    ASSERT_TRUE(cert);
-    ASSERT_TRUE(nss_cert);
-  }
+  scoped_refptr<X509Certificate> cert = ImportClientCertAndKeyFromFile(
+      GetTestCertsDirectory(), test_key.cert_file, test_key.key_file,
+      test_db.slot(), &nss_cert);
+  ASSERT_TRUE(cert);
+  ASSERT_TRUE(nss_cert);
 
   // Look up the key.
   scoped_refptr<SSLPrivateKey> key =
@@ -141,7 +78,7 @@ TEST_P(SSLPlatformKeyNSSTest, KeyMatches) {
   TestSSLPrivateKeyMatches(key.get(), pkcs8);
 }
 
-INSTANTIATE_TEST_SUITE_P(,
+INSTANTIATE_TEST_SUITE_P(All,
                          SSLPlatformKeyNSSTest,
                          testing::ValuesIn(kTestKeys),
                          TestKeyToString);
diff --git a/chromium/net/ssl/ssl_platform_key_win_unittest.cc b/chromium/net/ssl/ssl_platform_key_win_unittest.cc
index bcebd20e96e..083bb905e54 100644
--- a/chromium/net/ssl/ssl_platform_key_win_unittest.cc
+++ b/chromium/net/ssl/ssl_platform_key_win_unittest.cc
@@ -268,7 +268,7 @@ TEST_P(SSLPlatformKeyCNGTest, KeyMatches) {
   TestSSLPrivateKeyMatches(key.get(), pkcs8);
 }
 
-INSTANTIATE_TEST_SUITE_P(,
+INSTANTIATE_TEST_SUITE_P(All,
                          SSLPlatformKeyCNGTest,
                          testing::ValuesIn(kTestKeys),
                          TestKeyToString);
diff --git a/chromium/net/ssl/ssl_server_config.h b/chromium/net/ssl/ssl_server_config.h
index 01bd03908c1..bf3b79b1f2e 100644
--- a/chromium/net/ssl/ssl_server_config.h
+++ b/chromium/net/ssl/ssl_server_config.h
@@ -73,7 +73,7 @@ struct NET_EXPORT SSLServerConfig {
   // List of DER-encoded X.509 DistinguishedName of certificate authorities
   // to be included in the CertificateRequest handshake message,
   // if client certificates are required.
-  std::vector<std::string> cert_authorities_;
+  std::vector<std::string> cert_authorities;
 
   // Provides the ClientCertVerifier that is to be used to verify
   // client certificates during the handshake.
diff --git a/chromium/net/test/android/javatests/src/org/chromium/net/test/EmbeddedTestServer.java b/chromium/net/test/android/javatests/src/org/chromium/net/test/EmbeddedTestServer.java
index 815524c97c3..22a7a11f065 100644
--- a/chromium/net/test/android/javatests/src/org/chromium/net/test/EmbeddedTestServer.java
+++ b/chromium/net/test/android/javatests/src/org/chromium/net/test/EmbeddedTestServer.java
@@ -39,7 +39,7 @@ import javax.annotation.concurrent.GuardedBy;
  * Note that this runs net::test_server::EmbeddedTestServer in a service in a separate APK.
  */
 public class EmbeddedTestServer {
-    private static final String TAG = "cr_TestServer";
+    private static final String TAG = "TestServer";
 
     private static final String EMBEDDED_TEST_SERVER_SERVICE =
             "org.chromium.net.test.EMBEDDED_TEST_SERVER_SERVICE";
diff --git a/chromium/net/test/android/javatests/src/org/chromium/net/test/EmbeddedTestServerImpl.java b/chromium/net/test/android/javatests/src/org/chromium/net/test/EmbeddedTestServerImpl.java
index 6fabece2e1f..513766ff75c 100644
--- a/chromium/net/test/android/javatests/src/org/chromium/net/test/EmbeddedTestServerImpl.java
+++ b/chromium/net/test/android/javatests/src/org/chromium/net/test/EmbeddedTestServerImpl.java
@@ -30,7 +30,7 @@ import java.util.concurrent.atomic.AtomicInteger;
  */
 @JNINamespace("net::test_server")
 public class EmbeddedTestServerImpl extends IEmbeddedTestServerImpl.Stub {
-    private static final String TAG = "cr_TestServer";
+    private static final String TAG = "TestServer";
 
     private static AtomicInteger sCount = new AtomicInteger();
 
diff --git a/chromium/net/test/android/javatests/src/org/chromium/net/test/util/WebServer.java b/chromium/net/test/android/javatests/src/org/chromium/net/test/util/WebServer.java
index 2ed62905f14..f3829e4c8a0 100644
--- a/chromium/net/test/android/javatests/src/org/chromium/net/test/util/WebServer.java
+++ b/chromium/net/test/android/javatests/src/org/chromium/net/test/util/WebServer.java
@@ -181,8 +181,18 @@ public class WebServer {
             return matchingHeaders;
         }
 
+        private static boolean hasChunkedTransferEncoding(HTTPRequest req) {
+            List<String> transferEncodings = req.headerValues("Transfer-Encoding");
+            for (String encoding : transferEncodings) {
+                if (encoding.equals("chunked")) {
+                    return true;
+                }
+            }
+            return false;
+        }
+
         /** Parses an HTTP request from an input stream. */
-        static public HTTPRequest parse(InputStream stream) throws InvalidRequest, IOException {
+        public static HTTPRequest parse(InputStream stream) throws InvalidRequest, IOException {
             boolean firstLine = true;
             HTTPRequest req = new HTTPRequest();
             ArrayList<HTTPHeader> mHeaders = new ArrayList<HTTPHeader>();
@@ -250,7 +260,7 @@ public class WebServer {
                     offset += bytesRead;
                 }
                 req.mBody = content;
-            } else {
+            } else if (hasChunkedTransferEncoding(req)) {
                 ByteArrayOutputStream mBody = new ByteArrayOutputStream();
                 byte[] buffer = new byte[1000];
                 int bytesRead;
diff --git a/chromium/net/test/cert_builder.cc b/chromium/net/test/cert_builder.cc
index 74c0bea66f4..827bfe3e4c1 100644
--- a/chromium/net/test/cert_builder.cc
+++ b/chromium/net/test/cert_builder.cc
@@ -29,8 +29,8 @@ std::string MakeRandomHexString(size_t num_bytes) {
   std::vector<char> rand_bytes;
   rand_bytes.resize(num_bytes);
 
-  base::RandBytes(&rand_bytes[0], rand_bytes.size());
-  return base::HexEncode(&rand_bytes[0], rand_bytes.size());
+  base::RandBytes(rand_bytes.data(), rand_bytes.size());
+  return base::HexEncode(rand_bytes.data(), rand_bytes.size());
 }
 
 std::string Sha256WithRSAEncryption() {
diff --git a/chromium/net/test/cert_test_util.h b/chromium/net/test/cert_test_util.h
index d6870ed6be4..9085fded217 100644
--- a/chromium/net/test/cert_test_util.h
+++ b/chromium/net/test/cert_test_util.h
@@ -6,6 +6,7 @@
 #define NET_TEST_CERT_TEST_UTIL_H_
 
 #include <string>
+#include <vector>
 
 #include "base/memory/ref_counted.h"
 #include "net/cert/x509_cert_types.h"
diff --git a/chromium/net/test/cert_test_util_nss.cc b/chromium/net/test/cert_test_util_nss.cc
index b7197d1affd..2b55ebc979c 100644
--- a/chromium/net/test/cert_test_util_nss.cc
+++ b/chromium/net/test/cert_test_util_nss.cc
@@ -6,14 +6,23 @@
 
 #include <pk11pub.h>
 #include <secmodt.h>
+#include <string.h>
+
+#include <memory>
 
 #include "base/files/file_path.h"
 #include "base/files/file_util.h"
+#include "crypto/ec_private_key.h"
 #include "crypto/nss_key_util.h"
 #include "crypto/nss_util.h"
 #include "crypto/scoped_nss_types.h"
 #include "net/cert/cert_type.h"
 #include "net/cert/x509_util_nss.h"
+#include "third_party/boringssl/src/include/openssl/bytestring.h"
+#include "third_party/boringssl/src/include/openssl/ec.h"
+#include "third_party/boringssl/src/include/openssl/ec_key.h"
+#include "third_party/boringssl/src/include/openssl/evp.h"
+#include "third_party/boringssl/src/include/openssl/mem.h"
 
 namespace net {
 
@@ -28,10 +37,74 @@ bool ImportSensitiveKeyFromFile(const base::FilePath& dir,
     return false;
   }
 
-  const uint8_t* key_pkcs8_begin =
-      reinterpret_cast<const uint8_t*>(key_pkcs8.data());
-  std::vector<uint8_t> key_vector(key_pkcs8_begin,
-                                  key_pkcs8_begin + key_pkcs8.length());
+  std::vector<uint8_t> key_vector(key_pkcs8.begin(), key_pkcs8.end());
+
+  // Prior to NSS 3.30, NSS cannot import unencrypted ECDSA private keys. Detect
+  // such keys and encrypt with an empty password before importing. Once our
+  // minimum version is raised to NSS 3.30, this logic can be removed. See
+  // https://bugzilla.mozilla.org/show_bug.cgi?id=1295121
+  CBS cbs;
+  CBS_init(&cbs, key_vector.data(), key_vector.size());
+  bssl::UniquePtr<EVP_PKEY> evp_pkey(EVP_parse_private_key(&cbs));
+  if (!evp_pkey) {
+    LOG(ERROR) << "Could not parse private key from file " << key_path.value();
+    return false;
+  }
+  if (EVP_PKEY_id(evp_pkey.get()) == EVP_PKEY_EC) {
+    std::unique_ptr<crypto::ECPrivateKey> ec_private_key =
+        crypto::ECPrivateKey::CreateFromPrivateKeyInfo(key_vector);
+    std::vector<uint8_t> encrypted;
+    if (!ec_private_key ||
+        !ec_private_key->ExportEncryptedPrivateKey(&encrypted)) {
+      LOG(ERROR) << "Error importing private key from file "
+                 << key_path.value();
+      return false;
+    }
+
+    SECItem encrypted_item = {siBuffer, encrypted.data(),
+                              static_cast<unsigned>(encrypted.size())};
+    SECKEYEncryptedPrivateKeyInfo epki;
+    memset(&epki, 0, sizeof(epki));
+    crypto::ScopedPLArenaPool arena(PORT_NewArena(DER_DEFAULT_CHUNKSIZE));
+    if (SEC_QuickDERDecodeItem(
+            arena.get(), &epki,
+            SEC_ASN1_GET(SECKEY_EncryptedPrivateKeyInfoTemplate),
+            &encrypted_item) != SECSuccess) {
+      LOG(ERROR) << "Error importing private key from file "
+                 << key_path.value();
+      return false;
+    }
+
+    // NSS uses the serialized public key in X9.62 form as the "public value"
+    // for key ID purposes.
+    EC_KEY* ec_key = EVP_PKEY_get0_EC_KEY(ec_private_key->key());
+    bssl::ScopedCBB cbb;
+    uint8_t* public_value;
+    size_t public_value_len;
+    if (!CBB_init(cbb.get(), 0) ||
+        !EC_POINT_point2cbb(cbb.get(), EC_KEY_get0_group(ec_key),
+                            EC_KEY_get0_public_key(ec_key),
+                            POINT_CONVERSION_UNCOMPRESSED, nullptr) ||
+        !CBB_finish(cbb.get(), &public_value, &public_value_len)) {
+      LOG(ERROR) << "Error importing private key from file "
+                 << key_path.value();
+      return false;
+    }
+    bssl::UniquePtr<uint8_t> scoped_public_value(public_value);
+    SECItem public_item = {siBuffer, public_value,
+                           static_cast<unsigned>(public_value_len)};
+
+    SECItem password_item = {siBuffer, nullptr, 0};
+    if (PK11_ImportEncryptedPrivateKeyInfo(
+            slot, &epki, &password_item, nullptr /* nickname */, &public_item,
+            PR_TRUE /* permanent */, PR_TRUE /* private */, ecKey,
+            KU_DIGITAL_SIGNATURE, nullptr /* wincx */) != SECSuccess) {
+      LOG(ERROR) << "Error importing private key from file "
+                 << key_path.value();
+      return false;
+    }
+    return true;
+  }
 
   crypto::ScopedSECKEYPrivateKey private_key(
       crypto::ImportNSSKeyFromPrivateKeyInfo(slot, key_vector,
@@ -75,19 +148,19 @@ scoped_refptr<X509Certificate> ImportClientCertAndKeyFromFile(
     ScopedCERTCertificate* nss_cert) {
   if (!ImportSensitiveKeyFromFile(dir, key_filename, slot)) {
     LOG(ERROR) << "Could not import private key from file " << key_filename;
-    return NULL;
+    return nullptr;
   }
 
   scoped_refptr<X509Certificate> cert(ImportCertFromFile(dir, cert_filename));
 
   if (!cert.get()) {
     LOG(ERROR) << "Failed to parse cert from file " << cert_filename;
-    return NULL;
+    return nullptr;
   }
 
   *nss_cert = ImportClientCertToSlot(cert, slot);
   if (!*nss_cert)
-    return NULL;
+    return nullptr;
 
   // |cert| continues to point to the original X509Certificate before the
   // import to |slot|. However this should not make a difference as NSS handles
diff --git a/chromium/net/test/ct_test_util.cc b/chromium/net/test/ct_test_util.cc
index 28f6ca3aa0f..d01b59ca19a 100644
--- a/chromium/net/test/ct_test_util.cc
+++ b/chromium/net/test/ct_test_util.cc
@@ -13,6 +13,7 @@
 #include "base/strings/string_piece.h"
 #include "base/strings/string_util.h"
 #include "base/strings/stringprintf.h"
+#include "net/base/hex_utils.h"
 #include "net/cert/ct_serialization.h"
 #include "net/cert/ct_verify_result.h"
 #include "net/cert/merkle_tree_leaf.h"
@@ -25,14 +26,6 @@ namespace ct {
 
 namespace {
 
-std::string HexToBytes(const char* hex_data) {
-  std::vector<uint8_t> output;
-  std::string result;
-  if (base::HexStringToBytes(hex_data, &output))
-    result.assign(reinterpret_cast<const char*>(&output[0]), output.size());
-  return result;
-}
-
 // The following test vectors are from
 // http://code.google.com/p/certificate-transparency
 
@@ -171,48 +164,57 @@ const char kSampleSTHTreeHeadSignature[] =
     "d3";
 size_t kSampleSTHTreeSize = 21u;
 
+std::string HexDecode(base::StringPiece input) {
+  std::string result;
+  if (!base::HexStringToString(input, &result))
+    result.clear();
+  return result;
+}
+
 }  // namespace
 
 void GetX509CertSignedEntry(SignedEntryData* entry) {
   entry->type = ct::SignedEntryData::LOG_ENTRY_TYPE_X509;
-  entry->leaf_certificate = HexToBytes(kDefaultDerCert);
+  entry->leaf_certificate = HexDecode(kDefaultDerCert);
 }
 
 void GetX509CertTreeLeaf(MerkleTreeLeaf* tree_leaf) {
   tree_leaf->timestamp = base::Time::FromJsTime(kTestTimestamp);
   GetX509CertSignedEntry(&tree_leaf->signed_entry);
-  tree_leaf->extensions = HexToBytes(kDefaultExtensions);
+  tree_leaf->extensions = HexDecode(kDefaultExtensions);
 }
 
-std::string GetDerEncodedX509Cert() { return HexToBytes(kDefaultDerCert); }
+std::string GetDerEncodedX509Cert() {
+  return HexDecode(kDefaultDerCert);
+}
 
 void GetPrecertSignedEntry(SignedEntryData* entry) {
   entry->type = ct::SignedEntryData::LOG_ENTRY_TYPE_PRECERT;
-  std::string issuer_hash(HexToBytes(kDefaultIssuerKeyHash));
+  std::string issuer_hash(HexDecode(kDefaultIssuerKeyHash));
   memcpy(entry->issuer_key_hash.data, issuer_hash.data(), issuer_hash.size());
-  entry->tbs_certificate = HexToBytes(kDefaultDerTbsCert);
+  entry->tbs_certificate = HexDecode(kDefaultDerTbsCert);
 }
 
 void GetPrecertTreeLeaf(MerkleTreeLeaf* tree_leaf) {
   tree_leaf->timestamp = base::Time::FromJsTime(kTestTimestamp);
   GetPrecertSignedEntry(&tree_leaf->signed_entry);
-  tree_leaf->extensions = HexToBytes(kDefaultExtensions);
+  tree_leaf->extensions = HexDecode(kDefaultExtensions);
 }
 
 std::string GetTestDigitallySigned() {
-  return HexToBytes(kTestDigitallySigned);
+  return HexDecode(kTestDigitallySigned);
 }
 
 std::string GetTestSignedCertificateTimestamp() {
-  return HexToBytes(kTestSignedCertificateTimestamp);
+  return HexDecode(kTestSignedCertificateTimestamp);
 }
 
 std::string GetTestPublicKey() {
-  return HexToBytes(kEcP256PublicKey);
+  return HexDecode(kEcP256PublicKey);
 }
 
 std::string GetTestPublicKeyId() {
-  return HexToBytes(kTestKeyId);
+  return HexDecode(kTestKeyId);
 }
 
 void GetX509CertSCT(scoped_refptr<SignedCertificateTimestamp>* sct_ref) {
@@ -220,7 +222,7 @@ void GetX509CertSCT(scoped_refptr<SignedCertificateTimestamp>* sct_ref) {
   *sct_ref = new SignedCertificateTimestamp();
   SignedCertificateTimestamp *const sct(sct_ref->get());
   sct->version = ct::SignedCertificateTimestamp::V1;
-  sct->log_id = HexToBytes(kTestKeyId);
+  sct->log_id = HexDecode(kTestKeyId);
   // Time the log issued a SCT for this certificate, which is
   // Fri Apr  5 10:04:16.089 2013
   sct->timestamp = base::Time::UnixEpoch() +
@@ -229,7 +231,7 @@ void GetX509CertSCT(scoped_refptr<SignedCertificateTimestamp>* sct_ref) {
 
   sct->signature.hash_algorithm = ct::DigitallySigned::HASH_ALGO_SHA256;
   sct->signature.signature_algorithm = ct::DigitallySigned::SIG_ALGO_ECDSA;
-  sct->signature.signature_data = HexToBytes(kTestSCTSignatureData);
+  sct->signature.signature_data = HexDecode(kTestSCTSignatureData);
 }
 
 void GetPrecertSCT(scoped_refptr<SignedCertificateTimestamp>* sct_ref) {
@@ -237,7 +239,7 @@ void GetPrecertSCT(scoped_refptr<SignedCertificateTimestamp>* sct_ref) {
   *sct_ref = new SignedCertificateTimestamp();
   SignedCertificateTimestamp *const sct(sct_ref->get());
   sct->version = ct::SignedCertificateTimestamp::V1;
-  sct->log_id = HexToBytes(kTestKeyId);
+  sct->log_id = HexDecode(kTestKeyId);
   // Time the log issued a SCT for this Precertificate, which is
   // Fri Apr  5 10:04:16.275 2013
   sct->timestamp = base::Time::UnixEpoch() +
@@ -246,27 +248,27 @@ void GetPrecertSCT(scoped_refptr<SignedCertificateTimestamp>* sct_ref) {
 
   sct->signature.hash_algorithm = ct::DigitallySigned::HASH_ALGO_SHA256;
   sct->signature.signature_algorithm = ct::DigitallySigned::SIG_ALGO_ECDSA;
-  sct->signature.signature_data = HexToBytes(kTestSCTPrecertSignatureData);
+  sct->signature.signature_data = HexDecode(kTestSCTPrecertSignatureData);
 }
 
 std::string GetDefaultIssuerKeyHash() {
-  return HexToBytes(kDefaultIssuerKeyHash);
+  return HexDecode(kDefaultIssuerKeyHash);
 }
 
 std::string GetDerEncodedFakeOCSPResponse() {
-return HexToBytes(kFakeOCSPResponse);
+  return HexDecode(kFakeOCSPResponse);
 }
 
 std::string GetFakeOCSPExtensionValue() {
-  return HexToBytes(kFakeOCSPExtensionValue);
+  return HexDecode(kFakeOCSPExtensionValue);
 }
 
 std::string GetDerEncodedFakeOCSPResponseCert() {
-  return HexToBytes(kFakeOCSPResponseCert);
+  return HexDecode(kFakeOCSPResponseCert);
 }
 
 std::string GetDerEncodedFakeOCSPResponseIssuerCert() {
-  return HexToBytes(kFakeOCSPResponseIssuerCert);
+  return HexDecode(kFakeOCSPResponseIssuerCert);
 }
 
 // A sample, valid STH
@@ -287,12 +289,12 @@ bool GetSampleEmptySignedTreeHead(SignedTreeHead* sth) {
   sth->timestamp = base::Time::UnixEpoch() +
                    base::TimeDelta::FromMilliseconds(INT64_C(1450443594920));
   sth->tree_size = 0;
-  std::string empty_root_hash = HexToBytes(
+  std::string empty_root_hash = HexDecode(
       "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855");
   memcpy(sth->sha256_root_hash, empty_root_hash.c_str(), kSthRootHashLength);
   sth->log_id = GetTestPublicKeyId();
 
-  std::string tree_head_signature = HexToBytes(
+  std::string tree_head_signature = HexDecode(
       "040300463044022046c26401de9416403da54762dc1f1687c38eafd791b15e484ab4c5f7"
       "f52721fe02201bf537a3bbea47109fc76c2273fe0f3349f493a07de9335c266330105fb0"
       "2a4a");
@@ -308,7 +310,7 @@ bool GetBadEmptySignedTreeHead(SignedTreeHead* sth) {
   memset(sth->sha256_root_hash, 'f', kSthRootHashLength);
   sth->log_id = GetTestPublicKeyId();
 
-  std::string tree_head_signature = HexToBytes(
+  std::string tree_head_signature = HexDecode(
       "04030046304402207cab04c62dee5d1cbc95fec30cd8417313f71587b75f133ad2e6f324"
       "74f164d702205e2f3a9bce46f87d7e20e951a4e955da3cb502f8717a22fabd7c5d7e1bef"
       "46ea");
@@ -317,15 +319,15 @@ bool GetBadEmptySignedTreeHead(SignedTreeHead* sth) {
 }
 
 std::string GetSampleSTHSHA256RootHash() {
-  return HexToBytes(kSampleSTHSHA256RootHash);
+  return HexDecode(kSampleSTHSHA256RootHash);
 }
 
 std::string GetSampleSTHTreeHeadSignature() {
-  return HexToBytes(kSampleSTHTreeHeadSignature);
+  return HexDecode(kSampleSTHTreeHeadSignature);
 }
 
 bool GetSampleSTHTreeHeadDecodedSignature(DigitallySigned* signature) {
-  std::string tree_head_signature = HexToBytes(kSampleSTHTreeHeadSignature);
+  std::string tree_head_signature = HexDecode(kSampleSTHTreeHeadSignature);
   base::StringPiece sp(tree_head_signature);
   return DecodeDigitallySigned(&sp, signature) && sp.empty();
 }
diff --git a/chromium/net/test/embedded_test_server/controllable_http_response.cc b/chromium/net/test/embedded_test_server/controllable_http_response.cc
index e7470f2bf71..f393163dcb8 100644
--- a/chromium/net/test/embedded_test_server/controllable_http_response.cc
+++ b/chromium/net/test/embedded_test_server/controllable_http_response.cc
@@ -26,12 +26,12 @@ class ControllableHttpResponse::Interceptor : public HttpResponse {
 
  private:
   void SendResponse(const SendBytesCallback& send,
-                    const SendCompleteCallback& done) override {
+                    SendCompleteCallback done) override {
     controller_task_runner_->PostTask(
         FROM_HERE,
         base::BindOnce(&ControllableHttpResponse::OnRequest, controller_,
-                       base::ThreadTaskRunnerHandle::Get(), send, done,
-                       std::move(http_request_)));
+                       base::ThreadTaskRunnerHandle::Get(), send,
+                       std::move(done), std::move(http_request_)));
   }
 
   base::WeakPtr<ControllableHttpResponse> controller_;
@@ -96,7 +96,7 @@ void ControllableHttpResponse::Done() {
   DCHECK_EQ(State::READY_TO_SEND_DATA, state_) << "Done() called without any "
                                                   "opened connection. Did you "
                                                   "call WaitForRequest()?";
-  embedded_test_server_task_runner_->PostTask(FROM_HERE, done_);
+  embedded_test_server_task_runner_->PostTask(FROM_HERE, std::move(done_));
   state_ = State::DONE;
 }
 
@@ -104,14 +104,14 @@ void ControllableHttpResponse::OnRequest(
     scoped_refptr<base::SingleThreadTaskRunner>
         embedded_test_server_task_runner,
     const SendBytesCallback& send,
-    const SendCompleteCallback& done,
+    SendCompleteCallback done,
     std::unique_ptr<HttpRequest> http_request) {
   DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
   DCHECK(!embedded_test_server_task_runner_)
       << "A ControllableHttpResponse can only handle one request at a time";
   embedded_test_server_task_runner_ = embedded_test_server_task_runner;
   send_ = send;
-  done_ = done;
+  done_ = std::move(done);
   http_request_ = std::move(http_request);
   loop_.Quit();
 }
diff --git a/chromium/net/test/embedded_test_server/controllable_http_response.h b/chromium/net/test/embedded_test_server/controllable_http_response.h
index 22406a70056..41fa34a8687 100644
--- a/chromium/net/test/embedded_test_server/controllable_http_response.h
+++ b/chromium/net/test/embedded_test_server/controllable_http_response.h
@@ -68,7 +68,7 @@ class ControllableHttpResponse {
   void OnRequest(scoped_refptr<base::SingleThreadTaskRunner>
                      embedded_test_server_task_runner,
                  const SendBytesCallback& send,
-                 const SendCompleteCallback& done,
+                 SendCompleteCallback done,
                  std::unique_ptr<HttpRequest> http_request);
 
   static std::unique_ptr<HttpResponse> RequestHandler(
diff --git a/chromium/net/test/embedded_test_server/default_handlers.cc b/chromium/net/test/embedded_test_server/default_handlers.cc
index 5c635872997..bab85b4a6d3 100644
--- a/chromium/net/test/embedded_test_server/default_handlers.cc
+++ b/chromium/net/test/embedded_test_server/default_handlers.cc
@@ -102,6 +102,7 @@ std::unique_ptr<HttpResponse> HandleEchoHeader(const std::string& url,
   http_response->AddCustomHeader("Vary", vary);
   http_response->set_content(content);
   http_response->set_content_type("text/plain");
+  http_response->AddCustomHeader("Access-Control-Allow-Origin", "*");
   http_response->AddCustomHeader("Cache-Control", cache_control);
   return http_response;
 }
@@ -315,6 +316,25 @@ std::unique_ptr<HttpResponse> HandleSetHeader(const HttpRequest& request) {
   return http_response;
 }
 
+// /iframe?URL
+// Returns a page that iframes the specified URL.
+std::unique_ptr<HttpResponse> HandleIframe(const HttpRequest& request) {
+  GURL request_url = request.GetURL();
+
+  auto http_response = std::make_unique<BasicHttpResponse>();
+  http_response->set_content_type("text/html");
+
+  GURL iframe_url("about:blank");
+  if (request_url.has_query()) {
+    iframe_url = GURL(UnescapeBinaryURLComponent(request_url.query()));
+  }
+
+  http_response->set_content(
+      base::StringPrintf("<html><body><iframe src=\"%s\"></body></html>",
+                         iframe_url.spec().c_str()));
+  return http_response;
+}
+
 // /nocontent
 // Returns a NO_CONTENT response.
 std::unique_ptr<HttpResponse> HandleNoContent(const HttpRequest& request) {
@@ -659,7 +679,7 @@ class HungHttpResponse : public HttpResponse {
   HungHttpResponse() = default;
 
   void SendResponse(const SendBytesCallback& send,
-                    const SendCompleteCallback& done) override {}
+                    SendCompleteCallback done) override {}
 
  private:
   DISALLOW_COPY_AND_ASSIGN(HungHttpResponse);
@@ -677,7 +697,7 @@ class HungAfterHeadersHttpResponse : public HttpResponse {
   HungAfterHeadersHttpResponse() = default;
 
   void SendResponse(const SendBytesCallback& send,
-                    const SendCompleteCallback& done) override {
+                    SendCompleteCallback done) override {
     send.Run("HTTP/1.1 OK\r\n\r\n", base::DoNothing());
   }
 
@@ -694,28 +714,27 @@ std::unique_ptr<HttpResponse> HandleHungAfterHeadersResponse(
 
 // /exabyte_response
 // A HttpResponse that is almost never ending (with an Exabyte content-length).
-class ExabyteResponse : public net::test_server::BasicHttpResponse {
+class ExabyteResponse : public BasicHttpResponse {
  public:
   ExabyteResponse() {}
 
-  void SendResponse(
-      const net::test_server::SendBytesCallback& send,
-      const net::test_server::SendCompleteCallback& done) override {
+  void SendResponse(const SendBytesCallback& send,
+                    SendCompleteCallback done) override {
     // Use 10^18 bytes (exabyte) as the content length so that the client will
     // be expecting data.
     send.Run("HTTP/1.1 200 OK\r\nContent-Length:1000000000000000000\r\n\r\n",
-             base::BindRepeating(&ExabyteResponse::SendExabyte, send));
+             base::BindOnce(&ExabyteResponse::SendExabyte, send));
   }
 
  private:
   // Keeps sending the word "echo" over and over again. It can go further to
   // limit the response to exactly an exabyte, but it shouldn't be necessary
   // for the purpose of testing.
-  static void SendExabyte(const net::test_server::SendBytesCallback& send) {
+  static void SendExabyte(const SendBytesCallback& send) {
     base::ThreadTaskRunnerHandle::Get()->PostTask(
-        FROM_HERE, base::BindOnce(send, "echo",
-                                  base::BindRepeating(
-                                      &ExabyteResponse::SendExabyte, send)));
+        FROM_HERE,
+        base::BindOnce(send, "echo",
+                       base::BindOnce(&ExabyteResponse::SendExabyte, send)));
   }
 
   DISALLOW_COPY_AND_ASSIGN(ExabyteResponse);
@@ -723,8 +742,8 @@ class ExabyteResponse : public net::test_server::BasicHttpResponse {
 
 // /exabyte_response
 // Almost never ending response.
-std::unique_ptr<net::test_server::HttpResponse> HandleExabyteResponse(
-    const net::test_server::HttpRequest& request) {
+std::unique_ptr<HttpResponse> HandleExabyteResponse(
+    const HttpRequest& request) {
   return std::make_unique<ExabyteResponse>();
 }
 
@@ -799,6 +818,7 @@ void RegisterDefaultHandlers(EmbeddedTestServer* server) {
       PREFIXED_HANDLER("/expect-and-set-cookie", &HandleExpectAndSetCookie));
   server->RegisterDefaultHandler(
       PREFIXED_HANDLER("/set-header", &HandleSetHeader));
+  server->RegisterDefaultHandler(PREFIXED_HANDLER("/iframe", &HandleIframe));
   server->RegisterDefaultHandler(
       PREFIXED_HANDLER("/nocontent", &HandleNoContent));
   server->RegisterDefaultHandler(
diff --git a/chromium/net/test/embedded_test_server/embedded_test_server.cc b/chromium/net/test/embedded_test_server/embedded_test_server.cc
index 1c548b1628d..6415f1a44dd 100644
--- a/chromium/net/test/embedded_test_server/embedded_test_server.cc
+++ b/chromium/net/test/embedded_test_server/embedded_test_server.cc
@@ -25,7 +25,7 @@
 #include "net/base/ip_endpoint.h"
 #include "net/base/net_errors.h"
 #include "net/base/port_util.h"
-#include "net/cert/pem_tokenizer.h"
+#include "net/cert/pem.h"
 #include "net/cert/test_root_certs.h"
 #include "net/log/net_log_source.h"
 #include "net/socket/ssl_server_socket.h"
@@ -87,6 +87,12 @@ void EmbeddedTestServer::SetConnectionListener(
   connection_listener_ = listener;
 }
 
+EmbeddedTestServerHandle EmbeddedTestServer::StartAndReturnHandle(int port) {
+  if (!Start(port))
+    return EmbeddedTestServerHandle();
+  return EmbeddedTestServerHandle(this);
+}
+
 bool EmbeddedTestServer::Start(int port) {
   bool success = InitializeAndListen(port);
   if (!success)
@@ -166,6 +172,7 @@ void EmbeddedTestServer::InitializeSSLServerContext() {
 
   std::unique_ptr<crypto::RSAPrivateKey> server_key(
       crypto::RSAPrivateKey::CreateFromPrivateKeyInfo(key_vector));
+  CHECK(server_key);
   context_ =
       CreateSSLServerContext(GetCertificate().get(), *server_key, ssl_config_);
 }
@@ -243,9 +250,10 @@ void EmbeddedTestServer::HandleRequest(HttpConnection* connection,
   }
 
   response->SendResponse(
-      base::Bind(&HttpConnection::SendResponseBytes, connection->GetWeakPtr()),
-      base::Bind(&EmbeddedTestServer::DidClose, weak_factory_.GetWeakPtr(),
-                 connection));
+      base::BindRepeating(&HttpConnection::SendResponseBytes,
+                          connection->GetWeakPtr()),
+      base::BindOnce(&EmbeddedTestServer::DidClose, weak_factory_.GetWeakPtr(),
+                     connection));
 }
 
 GURL EmbeddedTestServer::GetURL(const std::string& relative_url) const {
@@ -310,12 +318,20 @@ std::string EmbeddedTestServer::GetCertificateName() const {
       return "localhost_cert.pem";
     case CERT_EXPIRED:
       return "expired_cert.pem";
+    case CERT_CHAIN_WRONG_ROOT:
+      // This chain uses its own dedicated test root certificate to avoid
+      // side-effects that may affect testing.
+      return "redundant-server-chain.pem";
     case CERT_COMMON_NAME_ONLY:
       return "common_name_only.pem";
     case CERT_SHA1_LEAF:
       return "sha1_leaf.pem";
     case CERT_OK_BY_INTERMEDIATE:
       return "ok_cert_by_intermediate.pem";
+    case CERT_BAD_VALIDITY:
+      return "bad_validity.pem";
+    case CERT_TEST_NAMES:
+      return "test_names.pem";
   }
 
   return "ok_cert.pem";
@@ -521,5 +537,27 @@ bool EmbeddedTestServer::PostTaskToIOThreadAndWait(
   return true;
 }
 
+EmbeddedTestServerHandle::EmbeddedTestServerHandle(
+    EmbeddedTestServerHandle&& other) {
+  operator=(std::move(other));
+}
+
+EmbeddedTestServerHandle& EmbeddedTestServerHandle::operator=(
+    EmbeddedTestServerHandle&& other) {
+  EmbeddedTestServerHandle temporary;
+  std::swap(other.test_server_, temporary.test_server_);
+  std::swap(temporary.test_server_, test_server_);
+  return *this;
+}
+
+EmbeddedTestServerHandle::EmbeddedTestServerHandle(
+    EmbeddedTestServer* test_server)
+    : test_server_(test_server) {}
+
+EmbeddedTestServerHandle::~EmbeddedTestServerHandle() {
+  if (test_server_)
+    EXPECT_TRUE(test_server_->ShutdownAndWaitUntilComplete());
+}
+
 }  // namespace test_server
 }  // namespace net
diff --git a/chromium/net/test/embedded_test_server/embedded_test_server.h b/chromium/net/test/embedded_test_server/embedded_test_server.h
index cb41613711f..c01fd40fa8a 100644
--- a/chromium/net/test/embedded_test_server/embedded_test_server.h
+++ b/chromium/net/test/embedded_test_server/embedded_test_server.h
@@ -38,6 +38,7 @@ class TCPServerSocket;
 namespace test_server {
 
 class EmbeddedTestServerConnectionListener;
+class EmbeddedTestServerHandle;
 class HttpConnection;
 class HttpResponse;
 struct HttpRequest;
@@ -53,7 +54,7 @@ struct HttpRequest;
 //   test_server_ = std::make_unique<EmbeddedTestServer>();
 //   test_server_->RegisterRequestHandler(
 //       base::Bind(&FooTest::HandleRequest, base::Unretained(this)));
-//   ASSERT_TRUE(test_server_.Start());
+//   ASSERT_TRUE((test_server_handle_ = test_server_.StartAndReturnHandle()));
 // }
 //
 // std::unique_ptr<HttpResponse> HandleRequest(const HttpRequest& request) {
@@ -100,6 +101,12 @@ class EmbeddedTestServer {
     CERT_MISMATCHED_NAME,
     CERT_EXPIRED,
 
+    // Cross-signed certificate to test PKIX path building. Contains an
+    // intermediate cross-signed by an unknown root, while the client (via
+    // TestRootStore) is expected to have a self-signed version of the
+    // intermediate.
+    CERT_CHAIN_WRONG_ROOT,
+
     // Causes the testserver to use a hostname that is a domain
     // instead of an IP.
     CERT_COMMON_NAME_IS_DOMAIN,
@@ -113,6 +120,15 @@ class EmbeddedTestServer {
 
     // A certificate that is signed by an intermediate certificate.
     CERT_OK_BY_INTERMEDIATE,
+
+    // A certificate with invalid notBefore and notAfter times. Windows'
+    // certificate library will not parse this certificate.
+    CERT_BAD_VALIDITY,
+
+    // A certificate that covers a number of test names. See [test_names] in
+    // net/data/ssl/scripts/ee.cnf. More may be added by editing this list and
+    // and rerunning net/data/ssl/scripts/generate-test-certs.sh.
+    CERT_TEST_NAMES,
   };
 
   typedef base::RepeatingCallback<std::unique_ptr<HttpResponse>(
@@ -147,7 +163,12 @@ class EmbeddedTestServer {
   // Initializes and waits until the server is ready to accept requests.
   // This is the equivalent of calling InitializeAndListen() followed by
   // StartAcceptingConnections().
-  // Returns whether a listening socket has been successfully created.
+  // Returns a "handle" which will ShutdownAndWaitUntilComplete() when
+  // destroyed, or null if the listening socket could not be created.
+  EmbeddedTestServerHandle StartAndReturnHandle(int port = 0)
+      WARN_UNUSED_RESULT;
+
+  // Deprecated equivalent of StartAndReturnHandle().
   bool Start(int port = 0) WARN_UNUSED_RESULT;
 
   // Starts listening for incoming connections but will not yet accept them.
@@ -324,6 +345,23 @@ class EmbeddedTestServer {
   DISALLOW_COPY_AND_ASSIGN(EmbeddedTestServer);
 };
 
+class EmbeddedTestServerHandle {
+ public:
+  EmbeddedTestServerHandle() = default;
+  EmbeddedTestServerHandle(EmbeddedTestServerHandle&& other);
+  EmbeddedTestServerHandle& operator=(EmbeddedTestServerHandle&& other);
+
+  ~EmbeddedTestServerHandle();
+
+  explicit operator bool() const { return test_server_; }
+
+ private:
+  friend class EmbeddedTestServer;
+
+  explicit EmbeddedTestServerHandle(EmbeddedTestServer* test_server);
+  EmbeddedTestServer* test_server_ = nullptr;
+};
+
 }  // namespace test_server
 
 // TODO(svaldez): Refactor EmbeddedTestServer to be in the net namespace.
diff --git a/chromium/net/test/embedded_test_server/embedded_test_server_unittest.cc b/chromium/net/test/embedded_test_server/embedded_test_server_unittest.cc
index a79865933c7..da1d148e775 100644
--- a/chromium/net/test/embedded_test_server/embedded_test_server_unittest.cc
+++ b/chromium/net/test/embedded_test_server/embedded_test_server_unittest.cc
@@ -313,7 +313,7 @@ TEST_P(EmbeddedTestServerTest, DefaultNotFoundResponse) {
 TEST_P(EmbeddedTestServerTest, ConnectionListenerAccept) {
   ASSERT_TRUE(server_->Start());
 
-  TestNetLog net_log;
+  RecordingTestNetLog net_log;
   net::AddressList address_list;
   EXPECT_TRUE(server_->GetAddressList(&address_list));
 
@@ -416,7 +416,7 @@ class InfiniteResponse : public BasicHttpResponse {
   InfiniteResponse() {}
 
   void SendResponse(const SendBytesCallback& send,
-                    const SendCompleteCallback& done) override {
+                    SendCompleteCallback done) override {
     send.Run(ToResponseString(),
              base::Bind(&InfiniteResponse::SendInfinite,
                         weak_ptr_factory_.GetWeakPtr(), send));
diff --git a/chromium/net/test/embedded_test_server/http_connection.cc b/chromium/net/test/embedded_test_server/http_connection.cc
index d979963749f..5077814c8d2 100644
--- a/chromium/net/test/embedded_test_server/http_connection.cc
+++ b/chromium/net/test/embedded_test_server/http_connection.cc
@@ -7,6 +7,7 @@
 #include <utility>
 
 #include "base/bind.h"
+#include "base/callback_helpers.h"
 #include "net/base/net_errors.h"
 #include "net/socket/stream_socket.h"
 #include "net/traffic_annotation/network_traffic_annotation_test_helper.h"
@@ -25,16 +26,16 @@ HttpConnection::~HttpConnection() {
 }
 
 void HttpConnection::SendResponseBytes(const std::string& response_string,
-                                       const SendCompleteCallback& callback) {
+                                       SendCompleteCallback callback) {
   if (response_string.length() > 0) {
     scoped_refptr<DrainableIOBuffer> write_buf =
         base::MakeRefCounted<DrainableIOBuffer>(
             base::MakeRefCounted<StringIOBuffer>(response_string),
             response_string.length());
 
-    SendInternal(callback, write_buf);
+    SendInternal(std::move(callback), write_buf);
   } else {
-    callback.Run();
+    std::move(callback).Run();
   }
 }
 
@@ -51,14 +52,16 @@ bool HttpConnection::ConsumeData(int size) {
   return false;
 }
 
-void HttpConnection::SendInternal(const base::Closure& callback,
+void HttpConnection::SendInternal(base::OnceClosure callback,
                                   scoped_refptr<DrainableIOBuffer> buf) {
+  base::RepeatingClosure repeating_callback =
+      base::AdaptCallbackForRepeating(std::move(callback));
   while (buf->BytesRemaining() > 0) {
-    int rv =
-        socket_->Write(buf.get(), buf->BytesRemaining(),
-                       base::BindOnce(&HttpConnection::OnSendInternalDone,
-                                      base::Unretained(this), callback, buf),
-                       TRAFFIC_ANNOTATION_FOR_TESTS);
+    int rv = socket_->Write(
+        buf.get(), buf->BytesRemaining(),
+        base::BindOnce(&HttpConnection::OnSendInternalDone,
+                       base::Unretained(this), repeating_callback, buf),
+        TRAFFIC_ANNOTATION_FOR_TESTS);
     if (rv == ERR_IO_PENDING)
       return;
 
@@ -69,18 +72,18 @@ void HttpConnection::SendInternal(const base::Closure& callback,
 
   // The HttpConnection will be deleted by the callback since we only need to
   // serve a single request.
-  callback.Run();
+  repeating_callback.Run();
 }
 
-void HttpConnection::OnSendInternalDone(const base::Closure& callback,
+void HttpConnection::OnSendInternalDone(base::OnceClosure callback,
                                         scoped_refptr<DrainableIOBuffer> buf,
                                         int rv) {
   if (rv < 0) {
-    callback.Run();
+    std::move(callback).Run();
     return;
   }
   buf->DidConsume(rv);
-  SendInternal(callback, buf);
+  SendInternal(std::move(callback), buf);
 }
 
 base::WeakPtr<HttpConnection> HttpConnection::GetWeakPtr() {
diff --git a/chromium/net/test/embedded_test_server/http_connection.h b/chromium/net/test/embedded_test_server/http_connection.h
index 041cea53028..6c9dcfa77a7 100644
--- a/chromium/net/test/embedded_test_server/http_connection.h
+++ b/chromium/net/test/embedded_test_server/http_connection.h
@@ -27,8 +27,8 @@ class HttpConnection;
 
 // Calblack called when a request is parsed. Response should be sent
 // using HttpConnection::SendResponse() on the |connection| argument.
-typedef base::Callback<void(HttpConnection* connection,
-                            std::unique_ptr<HttpRequest> request)>
+typedef base::RepeatingCallback<void(HttpConnection* connection,
+                                     std::unique_ptr<HttpRequest> request)>
     HandleRequestCallback;
 
 // Wraps the connection socket. Accepts incoming data and sends responses.
@@ -41,7 +41,7 @@ class HttpConnection {
 
   // Sends the |response_string| to the client and calls |callback| once done.
   void SendResponseBytes(const std::string& response_string,
-                         const SendCompleteCallback& callback);
+                         SendCompleteCallback callback);
 
   // Accepts raw chunk of data from the client. Internally, passes it to the
   // HttpRequestParser class. If a request is parsed, then |callback_| is
@@ -53,9 +53,9 @@ class HttpConnection {
  private:
   friend class EmbeddedTestServer;
 
-  void SendInternal(const base::Closure& callback,
+  void SendInternal(base::OnceClosure callback,
                     scoped_refptr<DrainableIOBuffer> buffer);
-  void OnSendInternalDone(const base::Closure& callback,
+  void OnSendInternalDone(base::OnceClosure callback,
                           scoped_refptr<DrainableIOBuffer> buffer,
                           int rv);
 
diff --git a/chromium/net/test/embedded_test_server/http_response.cc b/chromium/net/test/embedded_test_server/http_response.cc
index cc5e99b826a..adf79c5bf1c 100644
--- a/chromium/net/test/embedded_test_server/http_response.cc
+++ b/chromium/net/test/embedded_test_server/http_response.cc
@@ -4,6 +4,8 @@
 
 #include "net/test/embedded_test_server/http_response.h"
 
+#include <utility>
+
 #include "base/bind.h"
 #include "base/format_macros.h"
 #include "base/logging.h"
@@ -24,7 +26,7 @@ RawHttpResponse::RawHttpResponse(const std::string& headers,
 RawHttpResponse::~RawHttpResponse() = default;
 
 void RawHttpResponse::SendResponse(const SendBytesCallback& send,
-                                   const SendCompleteCallback& done) {
+                                   SendCompleteCallback done) {
   std::string response;
   if (!headers_.empty()) {
     response = headers_;
@@ -38,7 +40,7 @@ void RawHttpResponse::SendResponse(const SendBytesCallback& send,
   } else {
     response = contents_;
   }
-  send.Run(response, done);
+  send.Run(response, std::move(done));
 }
 
 void RawHttpResponse::AddHeader(const std::string& key_value_pair) {
@@ -83,8 +85,8 @@ std::string BasicHttpResponse::ToResponseString() const {
 }
 
 void BasicHttpResponse::SendResponse(const SendBytesCallback& send,
-                                     const SendCompleteCallback& done) {
-  send.Run(ToResponseString(), done);
+                                     SendCompleteCallback done) {
+  send.Run(ToResponseString(), std::move(done));
 }
 
 DelayedHttpResponse::DelayedHttpResponse(const base::TimeDelta delay)
@@ -93,13 +95,14 @@ DelayedHttpResponse::DelayedHttpResponse(const base::TimeDelta delay)
 DelayedHttpResponse::~DelayedHttpResponse() = default;
 
 void DelayedHttpResponse::SendResponse(const SendBytesCallback& send,
-                                       const SendCompleteCallback& done) {
+                                       SendCompleteCallback done) {
   base::SequencedTaskRunnerHandle::Get()->PostDelayedTask(
-      FROM_HERE, base::BindOnce(send, ToResponseString(), done), delay_);
+      FROM_HERE, base::BindOnce(send, ToResponseString(), std::move(done)),
+      delay_);
 }
 
 void HungResponse::SendResponse(const SendBytesCallback& send,
-                                const SendCompleteCallback& done) {}
+                                SendCompleteCallback done) {}
 
 }  // namespace test_server
 }  // namespace net
diff --git a/chromium/net/test/embedded_test_server/http_response.h b/chromium/net/test/embedded_test_server/http_response.h
index d78dda259c0..e7366f74661 100644
--- a/chromium/net/test/embedded_test_server/http_response.h
+++ b/chromium/net/test/embedded_test_server/http_response.h
@@ -18,14 +18,14 @@ namespace net {
 namespace test_server {
 
 // Callback called when the response is done being sent.
-using SendCompleteCallback = base::Callback<void(void)>;
+using SendCompleteCallback = base::OnceClosure;
 
 // Callback called when the response is ready to be sent that takes the
 // |response| that is being sent along with the callback |write_done| that is
 // called when the response has been fully written.
 using SendBytesCallback =
-    base::Callback<void(const std::string& response,
-                        const SendCompleteCallback& write_done)>;
+    base::RepeatingCallback<void(const std::string& response,
+                                 SendCompleteCallback write_done)>;
 
 // Interface for HTTP response implementations.
 class HttpResponse{
@@ -36,7 +36,7 @@ class HttpResponse{
   // |write_done| when complete. When the entire response has been sent,
   // |done| must be called.
   virtual void SendResponse(const SendBytesCallback& send,
-                            const SendCompleteCallback& done) = 0;
+                            SendCompleteCallback done) = 0;
 };
 
 // This class is used to handle basic HTTP responses with commonly used
@@ -69,7 +69,7 @@ class BasicHttpResponse : public HttpResponse {
   std::string ToResponseString() const;
 
   void SendResponse(const SendBytesCallback& send,
-                    const SendCompleteCallback& done) override;
+                    SendCompleteCallback done) override;
 
  private:
   HttpStatusCode code_;
@@ -87,7 +87,7 @@ class DelayedHttpResponse : public BasicHttpResponse {
 
   // Issues a delayed send to the to the task runner.
   void SendResponse(const SendBytesCallback& send,
-                    const SendCompleteCallback& done) override;
+                    SendCompleteCallback done) override;
 
  private:
   // The delay time for the response.
@@ -102,7 +102,7 @@ class RawHttpResponse : public HttpResponse {
   ~RawHttpResponse() override;
 
   void SendResponse(const SendBytesCallback& send,
-                    const SendCompleteCallback& done) override;
+                    SendCompleteCallback done) override;
 
   void AddHeader(const std::string& key_value_pair);
 
@@ -121,7 +121,7 @@ class HungResponse : public HttpResponse {
   ~HungResponse() override {}
 
   void SendResponse(const SendBytesCallback& send,
-                    const SendCompleteCallback& done) override;
+                    SendCompleteCallback done) override;
 
  private:
   DISALLOW_COPY_AND_ASSIGN(HungResponse);
diff --git a/chromium/net/test/embedded_test_server/request_handler_util.cc b/chromium/net/test/embedded_test_server/request_handler_util.cc
index 6a28316e83b..91d4275f94b 100644
--- a/chromium/net/test/embedded_test_server/request_handler_util.cc
+++ b/chromium/net/test/embedded_test_server/request_handler_util.cc
@@ -52,10 +52,14 @@ std::string GetContentType(const base::FilePath& path) {
     return "application/json";
   if (path.MatchesExtension(FILE_PATH_LITERAL(".pdf")))
     return "application/pdf";
+  if (path.MatchesExtension(FILE_PATH_LITERAL(".svg")))
+    return "image/svg+xml";
   if (path.MatchesExtension(FILE_PATH_LITERAL(".txt")))
     return "text/plain";
   if (path.MatchesExtension(FILE_PATH_LITERAL(".wav")))
     return "audio/wav";
+  if (path.MatchesExtension(FILE_PATH_LITERAL(".webp")))
+    return "image/webp";
   if (path.MatchesExtension(FILE_PATH_LITERAL(".xml")))
     return "text/xml";
   if (path.MatchesExtension(FILE_PATH_LITERAL(".mhtml")))
diff --git a/chromium/net/test/python_utils_unittest.cc b/chromium/net/test/python_utils_unittest.cc
index cdc02907b02..6a957246c5f 100644
--- a/chromium/net/test/python_utils_unittest.cc
+++ b/chromium/net/test/python_utils_unittest.cc
@@ -39,7 +39,7 @@ TEST(PythonUtils, PythonRunTime) {
   // we want.
   cmd_line.AppendArg("-c");
   std::string input("PythonUtilsTest");
-  std::string python_cmd = base::StringPrintf("print '%s';", input.c_str());
+  std::string python_cmd = base::StringPrintf("print('%s');", input.c_str());
   cmd_line.AppendArg(python_cmd);
   std::string output;
   EXPECT_TRUE(base::GetAppOutput(cmd_line, &output));
diff --git a/chromium/net/test/spawned_test_server/local_test_server_posix.cc b/chromium/net/test/spawned_test_server/local_test_server_posix.cc
index 8c0b2a81b50..19a50a8ea23 100644
--- a/chromium/net/test/spawned_test_server/local_test_server_posix.cc
+++ b/chromium/net/test/spawned_test_server/local_test_server_posix.cc
@@ -19,7 +19,6 @@
 #include "base/process/process_iterator.h"
 #include "base/strings/string_number_conversions.h"
 #include "base/strings/string_util.h"
-#include "base/test/test_timeouts.h"
 #include "net/test/python_utils.h"
 
 namespace {
@@ -59,13 +58,9 @@ class OrphanedTestServerFilter : public base::ProcessFilter {
 
 // Given a file descriptor, reads into |buffer| until |bytes_max|
 // bytes has been read or an error has been encountered.  Returns true
-// if the read was successful.  |remaining_time| is used as a timeout.
-bool ReadData(int fd,
-              ssize_t bytes_max,
-              uint8_t* buffer,
-              base::TimeDelta* remaining_time) {
+// if the read was successful.
+bool ReadData(int fd, ssize_t bytes_max, uint8_t* buffer) {
   ssize_t bytes_read = 0;
-  base::TimeTicks previous_time = base::TimeTicks::Now();
   while (bytes_read < bytes_max) {
     struct pollfd poll_fds[1];
 
@@ -73,8 +68,8 @@ bool ReadData(int fd,
     poll_fds[0].events = POLLIN | POLLPRI;
     poll_fds[0].revents = 0;
 
-    int rv = HANDLE_EINTR(poll(poll_fds, 1,
-                               remaining_time->InMilliseconds()));
+    // Each test itself has its own timeout, so no need to use one here.
+    int rv = HANDLE_EINTR(poll(poll_fds, 1, -1));
     if (rv == 0) {
       LOG(ERROR) << "poll() timed out; bytes_read=" << bytes_read;
       return false;
@@ -84,12 +79,6 @@ bool ReadData(int fd,
       return false;
     }
 
-    base::TimeTicks current_time = base::TimeTicks::Now();
-    base::TimeDelta elapsed_time_cycle = current_time - previous_time;
-    DCHECK_GE(elapsed_time_cycle.InMilliseconds(), 0);
-    *remaining_time -= elapsed_time_cycle;
-    previous_time = current_time;
-
     ssize_t num_bytes = HANDLE_EINTR(read(fd, buffer + bytes_read,
                                           bytes_max - bytes_read));
     if (num_bytes <= 0)
@@ -163,18 +152,15 @@ bool LocalTestServer::LaunchPython(
 bool LocalTestServer::WaitToStart() {
   base::ScopedFD our_fd(child_fd_.release());
 
-  base::TimeDelta remaining_time = TestTimeouts::action_timeout();
-
   uint32_t server_data_len = 0;
   if (!ReadData(our_fd.get(), sizeof(server_data_len),
-                reinterpret_cast<uint8_t*>(&server_data_len),
-                &remaining_time)) {
+                reinterpret_cast<uint8_t*>(&server_data_len))) {
     LOG(ERROR) << "Could not read server_data_len";
     return false;
   }
   std::string server_data(server_data_len, '\0');
   if (!ReadData(our_fd.get(), server_data_len,
-                reinterpret_cast<uint8_t*>(&server_data[0]), &remaining_time)) {
+                reinterpret_cast<uint8_t*>(&server_data[0]))) {
     LOG(ERROR) << "Could not read server_data (" << server_data_len
                << " bytes)";
     return false;
diff --git a/chromium/net/test/spawned_test_server/local_test_server_win.cc b/chromium/net/test/spawned_test_server/local_test_server_win.cc
index e5c1fa60b11..085a3f8cd59 100644
--- a/chromium/net/test/spawned_test_server/local_test_server_win.cc
+++ b/chromium/net/test/spawned_test_server/local_test_server_win.cc
@@ -13,32 +13,14 @@
 #include "base/files/file_path.h"
 #include "base/path_service.h"
 #include "base/process/launch.h"
-#include "base/single_thread_task_runner.h"
 #include "base/strings/string_number_conversions.h"
 #include "base/strings/string_util.h"
 #include "base/strings/utf_string_conversions.h"
-#include "base/test/test_timeouts.h"
-#include "base/threading/thread.h"
-#include "base/threading/thread_restrictions.h"
 #include "base/win/scoped_handle.h"
 #include "net/test/python_utils.h"
 
 namespace {
 
-// Writes |size| bytes to |handle| and sets |*unblocked| to true.
-// Used as a crude timeout mechanism by ReadData().
-void UnblockPipe(HANDLE handle, DWORD size, bool* unblocked) {
-  std::string unblock_data(size, '\0');
-  // Unblock the ReadFile in LocalTestServer::WaitToStart by writing to the
-  // pipe. Make sure the call succeeded, otherwise we are very likely to hang.
-  DWORD bytes_written = 0;
-  LOG(WARNING) << "Timeout reached; unblocking pipe by writing "
-               << size << " bytes";
-  CHECK(WriteFile(handle, unblock_data.data(), size, &bytes_written, nullptr));
-  CHECK_EQ(size, bytes_written);
-  *unblocked = true;
-}
-
 // Given a file handle, reads into |buffer| until |bytes_max| bytes
 // has been read or an error has been encountered.  Returns
 // true if the read was successful.
@@ -46,16 +28,6 @@ bool ReadData(HANDLE read_fd,
               HANDLE write_fd,
               DWORD bytes_max,
               uint8_t* buffer) {
-  base::Thread thread("test_server_watcher");
-  if (!thread.Start())
-    return false;
-
-  // Prepare a timeout in case the server fails to start.
-  bool unblocked = false;
-  thread.task_runner()->PostDelayedTask(
-      FROM_HERE, base::BindOnce(UnblockPipe, write_fd, bytes_max, &unblocked),
-      TestTimeouts::action_max_timeout());
-
   DWORD bytes_read = 0;
   while (bytes_read < bytes_max) {
     DWORD num_bytes;
@@ -71,15 +43,6 @@ bool ReadData(HANDLE read_fd,
     bytes_read += num_bytes;
   }
 
-  base::ScopedAllowBaseSyncPrimitivesForTesting allow_thread_join;
-  thread.Stop();
-
-  // If the timeout kicked in, abort.
-  if (unblocked) {
-    LOG(ERROR) << "Timeout exceeded for ReadData";
-    return false;
-  }
-
   return true;
 }
 
diff --git a/chromium/net/test/spawned_test_server/remote_test_server_spawner_request.cc b/chromium/net/test/spawned_test_server/remote_test_server_spawner_request.cc
index 91aacd5038c..5cc61bdd24c 100644
--- a/chromium/net/test/spawned_test_server/remote_test_server_spawner_request.cc
+++ b/chromium/net/test/spawned_test_server/remote_test_server_spawner_request.cc
@@ -12,10 +12,7 @@
 #include "base/macros.h"
 #include "base/single_thread_task_runner.h"
 #include "base/synchronization/waitable_event.h"
-#include "base/test/test_timeouts.h"
 #include "base/threading/thread_task_runner_handle.h"
-#include "base/time/time.h"
-#include "base/timer/timer.h"
 #include "build/build_config.h"
 #include "net/base/elements_upload_data_stream.h"
 #include "net/base/io_buffer.h"
@@ -50,7 +47,6 @@ class RemoteTestServerSpawnerRequest::Core : public URLRequest::Delegate {
 
   void ReadResponse();
   void OnCommandCompleted(int net_error);
-  void OnTimeout();
 
   // Request results.
   int result_code_ = 0;
@@ -64,8 +60,6 @@ class RemoteTestServerSpawnerRequest::Core : public URLRequest::Delegate {
 
   scoped_refptr<IOBuffer> read_buffer_;
 
-  std::unique_ptr<base::OneShotTimer> timeout_timer_;
-
   THREAD_CHECKER(thread_checker_);
 
   DISALLOW_COPY_AND_ASSIGN(Core);
@@ -102,10 +96,6 @@ void RemoteTestServerSpawnerRequest::Core::SendRequest(
                                           /*override=*/true);
   }
 
-  timeout_timer_ = std::make_unique<base::OneShotTimer>();
-  timeout_timer_->Start(FROM_HERE, TestTimeouts::action_max_timeout(),
-                        base::Bind(&Core::OnTimeout, base::Unretained(this)));
-
   request_->Start();
 }
 
@@ -124,13 +114,6 @@ bool RemoteTestServerSpawnerRequest::Core::WaitForCompletion(
   return result_code_ == OK;
 }
 
-void RemoteTestServerSpawnerRequest::Core::OnTimeout() {
-  DCHECK_CALLED_ON_VALID_THREAD(thread_checker_);
-
-  int result = request_->CancelWithError(ERR_TIMED_OUT);
-  OnCommandCompleted(result);
-}
-
 void RemoteTestServerSpawnerRequest::Core::OnCommandCompleted(int net_error) {
   DCHECK_CALLED_ON_VALID_THREAD(thread_checker_);
   DCHECK_NE(ERR_IO_PENDING, net_error);
@@ -152,7 +135,6 @@ void RemoteTestServerSpawnerRequest::Core::OnCommandCompleted(int net_error) {
 
   request_.reset();
   context_.reset();
-  timeout_timer_.reset();
 
   event_.Signal();
 }
diff --git a/chromium/net/test/url_request/url_request_test_job_backed_by_file_unittest.cc b/chromium/net/test/url_request/url_request_test_job_backed_by_file_unittest.cc
index db0d808625a..2f18b2014d7 100644
--- a/chromium/net/test/url_request/url_request_test_job_backed_by_file_unittest.cc
+++ b/chromium/net/test/url_request/url_request_test_job_backed_by_file_unittest.cc
@@ -204,6 +204,7 @@ class URLRequestTestJobBackedByFileEventsTest : public TestWithTaskEnvironment {
                           bool* done_reading,
                           std::string* observed_content);
 
+  base::ScopedTempDir directory_;
   TestURLRequestContext context_;
   TestDelegate delegate_;
 };
@@ -214,6 +215,8 @@ URLRequestTestJobBackedByFileEventsTest::
 void URLRequestTestJobBackedByFileEventsTest::TearDown() {
   // Gives a chance to close the opening file.
   base::RunLoop().RunUntilIdle();
+  ASSERT_TRUE(!directory_.IsValid() || directory_.Delete());
+  TestWithTaskEnvironment::TearDown();
 }
 
 void URLRequestTestJobBackedByFileEventsTest::RunSuccessfulRequestWithString(
@@ -228,9 +231,8 @@ void URLRequestTestJobBackedByFileEventsTest::RunSuccessfulRequestWithString(
     const std::string& expected_content,
     const base::FilePath::StringPieceType& file_extension,
     const Range* range) {
-  base::ScopedTempDir directory;
-  ASSERT_TRUE(directory.CreateUniqueTempDir());
-  base::FilePath path = directory.GetPath().Append(FILE_PATH_LITERAL("test"));
+  ASSERT_TRUE(directory_.CreateUniqueTempDir());
+  base::FilePath path = directory_.GetPath().Append(FILE_PATH_LITERAL("test"));
   if (!file_extension.empty())
     path = path.AddExtension(file_extension);
   ASSERT_TRUE(CreateFileWithContent(raw_content, path));
diff --git a/chromium/net/third_party/quiche/src/quic/platform/api/quic_endian.h b/chromium/net/third_party/quiche/src/common/platform/api/quiche_endian.h
index 65edd51690f..f8a9ee68665 100644
--- a/chromium/net/third_party/quiche/src/quic/platform/api/quic_endian.h
+++ b/chromium/net/third_party/quiche/src/common/platform/api/quiche_endian.h
@@ -1,13 +1,14 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
+// Copyright 2019 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
-#ifndef QUICHE_QUIC_PLATFORM_API_QUIC_ENDIAN_H_
-#define QUICHE_QUIC_PLATFORM_API_QUIC_ENDIAN_H_
+#ifndef QUICHE_COMMON_PLATFORM_API_QUICHE_ENDIAN_H_
+#define QUICHE_COMMON_PLATFORM_API_QUICHE_ENDIAN_H_
 
-#include "net/quic/platform/impl/quic_endian_impl.h"
+#include "net/third_party/quiche/src/common/platform/api/quiche_export.h"
+#include "net/quiche/common/platform/impl/quiche_endian_impl.h"
 
-namespace quic {
+namespace quiche {
 
 enum Endianness {
   NETWORK_BYTE_ORDER,  // big endian
@@ -17,38 +18,38 @@ enum Endianness {
 // Provide utility functions that convert from/to network order (big endian)
 // to/from host order (can be either little or big endian depending on the
 // platform).
-class QuicEndian {
+class QUICHE_EXPORT_PRIVATE QuicheEndian {
  public:
   // Convert |x| from host order (can be either little or big endian depending
   // on the platform) to network order (big endian).
   static uint16_t HostToNet16(uint16_t x) {
-    return QuicEndianImpl::HostToNet16(x);
+    return QuicheEndianImpl::HostToNet16(x);
   }
   static uint32_t HostToNet32(uint32_t x) {
-    return QuicEndianImpl::HostToNet32(x);
+    return QuicheEndianImpl::HostToNet32(x);
   }
   static uint64_t HostToNet64(uint64_t x) {
-    return QuicEndianImpl::HostToNet64(x);
+    return QuicheEndianImpl::HostToNet64(x);
   }
 
   // Convert |x| from network order (big endian) to host order (can be either
   // little or big endian depending on the platform).
   static uint16_t NetToHost16(uint16_t x) {
-    return QuicEndianImpl::NetToHost16(x);
+    return QuicheEndianImpl::NetToHost16(x);
   }
   static uint32_t NetToHost32(uint32_t x) {
-    return QuicEndianImpl::NetToHost32(x);
+    return QuicheEndianImpl::NetToHost32(x);
   }
   static uint64_t NetToHost64(uint64_t x) {
-    return QuicEndianImpl::NetToHost64(x);
+    return QuicheEndianImpl::NetToHost64(x);
   }
 
   // Returns true if current host order is little endian.
   static bool HostIsLittleEndian() {
-    return QuicEndianImpl::HostIsLittleEndian();
+    return QuicheEndianImpl::HostIsLittleEndian();
   }
 };
 
-}  // namespace quic
+}  // namespace quiche
 
-#endif  // QUICHE_QUIC_PLATFORM_API_QUIC_ENDIAN_H_
+#endif  // QUICHE_COMMON_PLATFORM_API_QUICHE_ENDIAN_H_
diff --git a/chromium/net/third_party/quiche/src/common/platform/api/quiche_endian_test.cc b/chromium/net/third_party/quiche/src/common/platform/api/quiche_endian_test.cc
new file mode 100644
index 00000000000..98e16febd2f
--- /dev/null
+++ b/chromium/net/third_party/quiche/src/common/platform/api/quiche_endian_test.cc
@@ -0,0 +1,59 @@
+// Copyright 2017 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "net/third_party/quiche/src/common/platform/api/quiche_endian.h"
+#include "net/third_party/quiche/src/common/platform/api/quiche_test.h"
+
+namespace quiche {
+namespace test {
+namespace {
+
+const uint16_t k16BitTestData = 0xaabb;
+const uint16_t k16BitSwappedTestData = 0xbbaa;
+const uint32_t k32BitTestData = 0xaabbccdd;
+const uint32_t k32BitSwappedTestData = 0xddccbbaa;
+const uint64_t k64BitTestData = 0xaabbccdd44332211;
+const uint64_t k64BitSwappedTestData = 0x11223344ddccbbaa;
+
+class QuicheEndianTest : public QuicheTest {};
+
+TEST_F(QuicheEndianTest, HostToNet) {
+  if (quiche::QuicheEndian::HostIsLittleEndian()) {
+    EXPECT_EQ(k16BitSwappedTestData,
+              quiche::QuicheEndian::HostToNet16(k16BitTestData));
+    EXPECT_EQ(k32BitSwappedTestData,
+              quiche::QuicheEndian::HostToNet32(k32BitTestData));
+    EXPECT_EQ(k64BitSwappedTestData,
+              quiche::QuicheEndian::HostToNet64(k64BitTestData));
+  } else {
+    EXPECT_EQ(k16BitTestData,
+              quiche::QuicheEndian::HostToNet16(k16BitTestData));
+    EXPECT_EQ(k32BitTestData,
+              quiche::QuicheEndian::HostToNet32(k32BitTestData));
+    EXPECT_EQ(k64BitTestData,
+              quiche::QuicheEndian::HostToNet64(k64BitTestData));
+  }
+}
+
+TEST_F(QuicheEndianTest, NetToHost) {
+  if (quiche::QuicheEndian::HostIsLittleEndian()) {
+    EXPECT_EQ(k16BitTestData,
+              quiche::QuicheEndian::NetToHost16(k16BitSwappedTestData));
+    EXPECT_EQ(k32BitTestData,
+              quiche::QuicheEndian::NetToHost32(k32BitSwappedTestData));
+    EXPECT_EQ(k64BitTestData,
+              quiche::QuicheEndian::NetToHost64(k64BitSwappedTestData));
+  } else {
+    EXPECT_EQ(k16BitSwappedTestData,
+              quiche::QuicheEndian::NetToHost16(k16BitSwappedTestData));
+    EXPECT_EQ(k32BitSwappedTestData,
+              quiche::QuicheEndian::NetToHost32(k32BitSwappedTestData));
+    EXPECT_EQ(k64BitSwappedTestData,
+              quiche::QuicheEndian::NetToHost64(k64BitSwappedTestData));
+  }
+}
+
+}  // namespace
+}  // namespace test
+}  // namespace quiche
diff --git a/chromium/net/third_party/quiche/src/common/platform/api/quiche_export.h b/chromium/net/third_party/quiche/src/common/platform/api/quiche_export.h
new file mode 100644
index 00000000000..22cc1f92dc8
--- /dev/null
+++ b/chromium/net/third_party/quiche/src/common/platform/api/quiche_export.h
@@ -0,0 +1,17 @@
+// Copyright 2019 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef THIRD_PARTY_QUICHE_PLATFORM_API_QUICHE_EXPORT_H_
+#define THIRD_PARTY_QUICHE_PLATFORM_API_QUICHE_EXPORT_H_
+
+#include "net/quiche/common/platform/impl/quiche_export_impl.h"
+
+// quiche_export_impl.h defines the following macros:
+// - QUICHE_EXPORT is not meant to be used.
+// - QUICHE_EXPORT_PRIVATE is meant for QUICHE functionality that is built in
+//   Chromium as part of //net, and not fully contained in headers.
+// - QUICHE_NO_EXPORT is meant for QUICHE functionality that is either fully
+//   defined in a header, or is built in Chromium as part of tests or tools.
+
+#endif  // THIRD_PARTY_QUICHE_PLATFORM_API_QUICHE_EXPORT_H_
diff --git a/chromium/net/third_party/quiche/src/common/platform/api/quiche_ptr_util.h b/chromium/net/third_party/quiche/src/common/platform/api/quiche_ptr_util.h
deleted file mode 100644
index 26b152bd47f..00000000000
--- a/chromium/net/third_party/quiche/src/common/platform/api/quiche_ptr_util.h
+++ /dev/null
@@ -1,21 +0,0 @@
-// Copyright (c) 2019 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef QUICHE_COMMON_PLATFORM_API_QUICHE_PTR_UTIL_H_
-#define QUICHE_COMMON_PLATFORM_API_QUICHE_PTR_UTIL_H_
-
-#include <memory>
-
-#include "net/quiche/common/platform/impl/quiche_ptr_util_impl.h"
-
-namespace quiche {
-
-template <typename T, typename... Args>
-std::unique_ptr<T> QuicheMakeUnique(Args&&... args) {
-  return QuicheMakeUniqueImpl<T>(std::forward<Args>(args)...);
-}
-
-}  // namespace quiche
-
-#endif  // QUICHE_COMMON_PLATFORM_API_QUICHE_PTR_UTIL_H_
diff --git a/chromium/net/third_party/quiche/src/common/simple_linked_hash_map_test.cc b/chromium/net/third_party/quiche/src/common/simple_linked_hash_map_test.cc
index 0ea7d8a015d..cb45a0f2971 100644
--- a/chromium/net/third_party/quiche/src/common/simple_linked_hash_map_test.cc
+++ b/chromium/net/third_party/quiche/src/common/simple_linked_hash_map_test.cc
@@ -9,7 +9,6 @@
 #include <memory>
 #include <utility>
 
-#include "net/third_party/quiche/src/common/platform/api/quiche_ptr_util.h"
 #include "net/third_party/quiche/src/common/platform/api/quiche_test.h"
 
 using testing::Pair;
@@ -23,8 +22,8 @@ namespace test {
 TEST(LinkedHashMapTest, Move) {
   // Use unique_ptr as an example of a non-copyable type.
   SimpleLinkedHashMap<int, std::unique_ptr<int>> m;
-  m[2] = QuicheMakeUnique<int>(12);
-  m[3] = QuicheMakeUnique<int>(13);
+  m[2] = std::make_unique<int>(12);
+  m[3] = std::make_unique<int>(13);
   SimpleLinkedHashMap<int, std::unique_ptr<int>> n = std::move(m);
   EXPECT_THAT(n,
               UnorderedElementsAre(Pair(2, Pointee(12)), Pair(3, Pointee(13))));
diff --git a/chromium/net/third_party/quiche/src/http2/platform/api/http2_ptr_util.h b/chromium/net/third_party/quiche/src/http2/platform/api/http2_ptr_util.h
deleted file mode 100644
index 2530e7ccf58..00000000000
--- a/chromium/net/third_party/quiche/src/http2/platform/api/http2_ptr_util.h
+++ /dev/null
@@ -1,22 +0,0 @@
-// Copyright 2018 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef QUICHE_HTTP2_PLATFORM_API_HTTP2_PTR_UTIL_H_
-#define QUICHE_HTTP2_PLATFORM_API_HTTP2_PTR_UTIL_H_
-
-#include <memory>
-#include <utility>
-
-#include "net/http2/platform/impl/http2_ptr_util_impl.h"
-
-namespace http2 {
-
-template <typename T, typename... Args>
-std::unique_ptr<T> Http2MakeUnique(Args&&... args) {
-  return Http2MakeUniqueImpl<T>(std::forward<Args>(args)...);
-}
-
-}  // namespace http2
-
-#endif  // QUICHE_HTTP2_PLATFORM_API_HTTP2_PTR_UTIL_H_
diff --git a/chromium/net/third_party/quiche/src/quic/core/chlo_extractor.h b/chromium/net/third_party/quiche/src/quic/core/chlo_extractor.h
index 3cf0d24b3b5..89dffe16a24 100644
--- a/chromium/net/third_party/quiche/src/quic/core/chlo_extractor.h
+++ b/chromium/net/third_party/quiche/src/quic/core/chlo_extractor.h
@@ -12,9 +12,9 @@ namespace quic {
 
 // A utility for extracting QUIC Client Hello messages from packets,
 // without needs to spin up a full QuicSession.
-class ChloExtractor {
+class QUIC_NO_EXPORT ChloExtractor {
  public:
-  class Delegate {
+  class QUIC_NO_EXPORT Delegate {
    public:
     virtual ~Delegate() {}
 
diff --git a/chromium/net/third_party/quiche/src/quic/core/congestion_control/bandwidth_sampler.cc b/chromium/net/third_party/quiche/src/quic/core/congestion_control/bandwidth_sampler.cc
index 19158435ac6..cc90cb00539 100644
--- a/chromium/net/third_party/quiche/src/quic/core/congestion_control/bandwidth_sampler.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/congestion_control/bandwidth_sampler.cc
@@ -21,6 +21,7 @@ QuicByteCount MaxAckHeightTracker::Update(QuicBandwidth bandwidth_estimate,
   if (aggregation_epoch_start_time_ == QuicTime::Zero()) {
     aggregation_epoch_bytes_ = bytes_acked;
     aggregation_epoch_start_time_ = ack_time;
+    ++num_ack_aggregation_epochs_;
     return 0;
   }
 
@@ -30,10 +31,13 @@ QuicByteCount MaxAckHeightTracker::Update(QuicBandwidth bandwidth_estimate,
       bandwidth_estimate * (ack_time - aggregation_epoch_start_time_);
   // Reset the current aggregation epoch as soon as the ack arrival rate is less
   // than or equal to the max bandwidth.
-  if (aggregation_epoch_bytes_ <= expected_bytes_acked) {
+  if (aggregation_epoch_bytes_ <=
+      GetQuicFlag(FLAGS_quic_ack_aggregation_bandwidth_threshold) *
+          expected_bytes_acked) {
     // Reset to start measuring a new aggregation epoch.
     aggregation_epoch_bytes_ = bytes_acked;
     aggregation_epoch_start_time_ = ack_time;
+    ++num_ack_aggregation_epochs_;
     return 0;
   }
 
@@ -195,7 +199,7 @@ BandwidthSample BandwidthSampler::OnPacketAcknowledgedInner(
     } else {
       QUIC_CODE_COUNT_N(quic_prev_ack_time_larger_than_current_ack_time, 2, 2);
     }
-    QUIC_LOG_EVERY_N_SEC(ERROR, 5)
+    QUIC_LOG_EVERY_N_SEC(ERROR, 60)
         << "Time of the previously acked packet:"
         << sent_packet.last_acked_packet_ack_time.ToDebuggingValue()
         << " is larger than the ack time of the current packet:"
diff --git a/chromium/net/third_party/quiche/src/quic/core/congestion_control/bandwidth_sampler.h b/chromium/net/third_party/quiche/src/quic/core/congestion_control/bandwidth_sampler.h
index 5bbb6ba7487..51f5e870819 100644
--- a/chromium/net/third_party/quiche/src/quic/core/congestion_control/bandwidth_sampler.h
+++ b/chromium/net/third_party/quiche/src/quic/core/congestion_control/bandwidth_sampler.h
@@ -100,6 +100,10 @@ class QUIC_EXPORT_PRIVATE MaxAckHeightTracker {
     max_ack_height_filter_.Reset(new_height, new_time);
   }
 
+  uint64_t num_ack_aggregation_epochs() const {
+    return num_ack_aggregation_epochs_;
+  }
+
  private:
   // Tracks the maximum number of bytes acked faster than the estimated
   // bandwidth.
@@ -113,6 +117,9 @@ class QUIC_EXPORT_PRIVATE MaxAckHeightTracker {
   // The time this aggregation started and the number of bytes acked during it.
   QuicTime aggregation_epoch_start_time_ = QuicTime::Zero();
   QuicByteCount aggregation_epoch_bytes_ = 0;
+  // The number of ack aggregation epochs ever started, including the ongoing
+  // one. Stats only.
+  uint64_t num_ack_aggregation_epochs_ = 0;
 };
 
 // An interface common to any class that can provide bandwidth samples from the
@@ -273,6 +280,10 @@ class QUIC_EXPORT_PRIVATE BandwidthSampler : public BandwidthSamplerInterface {
 
   QuicByteCount max_ack_height() const { return max_ack_height_tracker_.Get(); }
 
+  uint64_t num_ack_aggregation_epochs() const {
+    return max_ack_height_tracker_.num_ack_aggregation_epochs();
+  }
+
   void SetMaxAckHeightTrackerWindowLength(QuicRoundTripCount length) {
     max_ack_height_tracker_.SetFilterWindowLength(length);
   }
@@ -289,7 +300,7 @@ class QUIC_EXPORT_PRIVATE BandwidthSampler : public BandwidthSamplerInterface {
   // and the state of the connection at the moment the packet was sent,
   // specifically the information about the most recently acknowledged packet at
   // that moment.
-  struct ConnectionStateOnSentPacket {
+  struct QUIC_EXPORT_PRIVATE ConnectionStateOnSentPacket {
     // Time at which the packet is sent.
     QuicTime sent_time;
 
diff --git a/chromium/net/third_party/quiche/src/quic/core/congestion_control/bandwidth_sampler_test.cc b/chromium/net/third_party/quiche/src/quic/core/congestion_control/bandwidth_sampler_test.cc
index 558971aab69..59318a98590 100644
--- a/chromium/net/third_party/quiche/src/quic/core/congestion_control/bandwidth_sampler_test.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/congestion_control/bandwidth_sampler_test.cc
@@ -551,6 +551,7 @@ TEST_F(MaxAckHeightTrackerTest, VeryAggregatedLargeAck) {
 
   AggregationEpisode(bandwidth_ * 20, QuicTime::Delta::FromMilliseconds(6),
                      1200, false);
+  EXPECT_EQ(2u, tracker_.num_ack_aggregation_epochs());
 }
 
 TEST_F(MaxAckHeightTrackerTest, VeryAggregatedSmallAcks) {
@@ -562,6 +563,7 @@ TEST_F(MaxAckHeightTrackerTest, VeryAggregatedSmallAcks) {
 
   AggregationEpisode(bandwidth_ * 20, QuicTime::Delta::FromMilliseconds(6), 300,
                      false);
+  EXPECT_EQ(2u, tracker_.num_ack_aggregation_epochs());
 }
 
 TEST_F(MaxAckHeightTrackerTest, SomewhatAggregatedLargeAck) {
@@ -573,6 +575,7 @@ TEST_F(MaxAckHeightTrackerTest, SomewhatAggregatedLargeAck) {
 
   AggregationEpisode(bandwidth_ * 2, QuicTime::Delta::FromMilliseconds(50),
                      1000, false);
+  EXPECT_EQ(2u, tracker_.num_ack_aggregation_epochs());
 }
 
 TEST_F(MaxAckHeightTrackerTest, SomewhatAggregatedSmallAcks) {
@@ -584,11 +587,13 @@ TEST_F(MaxAckHeightTrackerTest, SomewhatAggregatedSmallAcks) {
 
   AggregationEpisode(bandwidth_ * 2, QuicTime::Delta::FromMilliseconds(50), 100,
                      false);
+  EXPECT_EQ(2u, tracker_.num_ack_aggregation_epochs());
 }
 
 TEST_F(MaxAckHeightTrackerTest, NotAggregated) {
   AggregationEpisode(bandwidth_, QuicTime::Delta::FromMilliseconds(100), 100,
                      true);
+  EXPECT_LT(2u, tracker_.num_ack_aggregation_epochs());
 }
 
 }  // namespace test
diff --git a/chromium/net/third_party/quiche/src/quic/core/congestion_control/bbr2_drain.h b/chromium/net/third_party/quiche/src/quic/core/congestion_control/bbr2_drain.h
index 546962bfc1f..e083aeb655b 100644
--- a/chromium/net/third_party/quiche/src/quic/core/congestion_control/bbr2_drain.h
+++ b/chromium/net/third_party/quiche/src/quic/core/congestion_control/bbr2_drain.h
@@ -18,6 +18,7 @@ class QUIC_EXPORT_PRIVATE Bbr2DrainMode final : public Bbr2ModeBase {
   using Bbr2ModeBase::Bbr2ModeBase;
 
   void Enter(const Bbr2CongestionEvent& congestion_event) override;
+  void Leave(const Bbr2CongestionEvent& /*congestion_event*/) override {}
 
   Bbr2Mode OnCongestionEvent(
       QuicByteCount prior_in_flight,
@@ -32,7 +33,7 @@ class QUIC_EXPORT_PRIVATE Bbr2DrainMode final : public Bbr2ModeBase {
 
   bool IsProbingForBandwidth() const override { return false; }
 
-  struct DebugState {
+  struct QUIC_EXPORT_PRIVATE DebugState {
     QuicByteCount drain_target;
   };
 
diff --git a/chromium/net/third_party/quiche/src/quic/core/congestion_control/bbr2_misc.h b/chromium/net/third_party/quiche/src/quic/core/congestion_control/bbr2_misc.h
index d5b2742ec0d..8f08a58c6fc 100644
--- a/chromium/net/third_party/quiche/src/quic/core/congestion_control/bbr2_misc.h
+++ b/chromium/net/third_party/quiche/src/quic/core/congestion_control/bbr2_misc.h
@@ -331,6 +331,10 @@ class QUIC_EXPORT_PRIVATE Bbr2NetworkModel {
     return bandwidth_sampler_.max_ack_height();
   }
 
+  uint64_t num_ack_aggregation_epochs() const {
+    return bandwidth_sampler_.num_ack_aggregation_epochs();
+  }
+
   bool MaybeExpireMinRtt(const Bbr2CongestionEvent& congestion_event);
 
   QuicBandwidth BandwidthEstimate() const {
@@ -372,7 +376,10 @@ class QUIC_EXPORT_PRIVATE Bbr2NetworkModel {
 
   QuicBandwidth bandwidth_latest() const { return bandwidth_latest_; }
   QuicBandwidth bandwidth_lo() const { return bandwidth_lo_; }
-  void clear_bandwidth_lo() { bandwidth_lo_ = QuicBandwidth::Infinite(); }
+  static QuicBandwidth bandwidth_lo_default() {
+    return QuicBandwidth::Infinite();
+  }
+  void clear_bandwidth_lo() { bandwidth_lo_ = bandwidth_lo_default(); }
 
   QuicByteCount inflight_latest() const { return inflight_latest_; }
   QuicByteCount inflight_lo() const { return inflight_lo_; }
@@ -420,7 +427,7 @@ class QUIC_EXPORT_PRIVATE Bbr2NetworkModel {
   // Max bandwidth in the current round. Updated once per congestion event.
   QuicBandwidth bandwidth_latest_ = QuicBandwidth::Zero();
   // Max bandwidth of recent rounds. Updated once per round.
-  QuicBandwidth bandwidth_lo_ = QuicBandwidth::Infinite();
+  QuicBandwidth bandwidth_lo_ = bandwidth_lo_default();
 
   // Max inflight in the current round. Updated once per congestion event.
   QuicByteCount inflight_latest_ = 0;
@@ -470,7 +477,9 @@ class QUIC_EXPORT_PRIVATE Bbr2ModeBase {
 
   virtual ~Bbr2ModeBase() = default;
 
+  // Called when entering/leaving this mode.
   virtual void Enter(const Bbr2CongestionEvent& congestion_event) = 0;
+  virtual void Leave(const Bbr2CongestionEvent& congestion_event) = 0;
 
   virtual Bbr2Mode OnCongestionEvent(
       QuicByteCount prior_in_flight,
diff --git a/chromium/net/third_party/quiche/src/quic/core/congestion_control/bbr2_probe_bw.cc b/chromium/net/third_party/quiche/src/quic/core/congestion_control/bbr2_probe_bw.cc
index 887d553371f..4487cbf879b 100644
--- a/chromium/net/third_party/quiche/src/quic/core/congestion_control/bbr2_probe_bw.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/congestion_control/bbr2_probe_bw.cc
@@ -48,6 +48,8 @@ Bbr2Mode Bbr2ProbeBwMode::OnCongestionEvent(
     }
   }
 
+  bool switch_to_probe_rtt = false;
+
   if (cycle_.phase == CyclePhase::PROBE_UP) {
     UpdateProbeUp(prior_in_flight, congestion_event);
   } else if (cycle_.phase == CyclePhase::PROBE_DOWN) {
@@ -55,7 +57,7 @@ Bbr2Mode Bbr2ProbeBwMode::OnCongestionEvent(
     // Maybe transition to PROBE_RTT at the end of this cycle.
     if (cycle_.phase != CyclePhase::PROBE_DOWN &&
         model_->MaybeExpireMinRtt(congestion_event)) {
-      return Bbr2Mode::PROBE_RTT;
+      switch_to_probe_rtt = true;
     }
   } else if (cycle_.phase == CyclePhase::PROBE_CRUISE) {
     UpdateProbeCruise(congestion_event);
@@ -63,10 +65,14 @@ Bbr2Mode Bbr2ProbeBwMode::OnCongestionEvent(
     UpdateProbeRefill(congestion_event);
   }
 
-  model_->set_pacing_gain(PacingGainForPhase(cycle_.phase));
-  model_->set_cwnd_gain(Params().probe_bw_cwnd_gain);
+  // Do not need to set the gains if switching to PROBE_RTT, they will be set
+  // when Bbr2ProbeRttMode::Enter is called.
+  if (!switch_to_probe_rtt) {
+    model_->set_pacing_gain(PacingGainForPhase(cycle_.phase));
+    model_->set_cwnd_gain(Params().probe_bw_cwnd_gain);
+  }
 
-  return Bbr2Mode::PROBE_BW;
+  return switch_to_probe_rtt ? Bbr2Mode::PROBE_RTT : Bbr2Mode::PROBE_BW;
 }
 
 Limits<QuicByteCount> Bbr2ProbeBwMode::GetCwndLimits() const {
@@ -194,6 +200,15 @@ bool Bbr2ProbeBwMode::IsTimeToProbeBandwidth(
 // long, as seen in some multi-sender simulator tests.
 bool Bbr2ProbeBwMode::HasStayedLongEnoughInProbeDown(
     const Bbr2CongestionEvent& congestion_event) const {
+  if (exit_probe_down_after_one_rtt_) {
+    QUIC_RELOADABLE_FLAG_COUNT(quic_bbr2_exit_probe_bw_down_after_one_rtt);
+    // Stay in PROBE_DOWN for at most the time of a min rtt, as it is done in
+    // BBRv1. The intention here is to figure out whether the performance
+    // regression in BBRv2 is because it stays in PROBE_DOWN for too long.
+    // TODO(wub): Consider exit after a full round instead, which typically
+    // indicates most(if not all) packets sent during PROBE_UP have been acked.
+    return HasPhaseLasted(model_->MinRtt(), congestion_event);
+  }
   // The amount of time to stay in PROBE_DOWN, as a fraction of probe wait time.
   const double kProbeWaitFraction = 0.2;
   return HasCycleLasted(cycle_.probe_wait_time * kProbeWaitFraction,
@@ -271,9 +286,7 @@ void Bbr2ProbeBwMode::ProbeInflightHighUpward(
     return;
   }
 
-  if (GetQuicReloadableFlag(quic_bbr2_fix_inflight_bounds) &&
-      congestion_event.prior_cwnd < model_->inflight_hi()) {
-    QUIC_RELOADABLE_FLAG_COUNT_N(quic_bbr2_fix_inflight_bounds, 1, 2);
+  if (congestion_event.prior_cwnd < model_->inflight_hi()) {
     QUIC_DVLOG(3)
         << sender_
         << " Raising inflight_hi early return: inflight_hi not fully used.";
@@ -296,7 +309,7 @@ void Bbr2ProbeBwMode::ProbeInflightHighUpward(
                     << ", (new)probe_up_acked:" << cycle_.probe_up_acked;
 
       model_->set_inflight_hi(new_inflight_hi);
-    } else if (GetQuicReloadableFlag(quic_bbr2_fix_inflight_bounds)) {
+    } else {
       QUIC_BUG << "Not growing inflight_hi due to wrap around. Old value:"
                << model_->inflight_hi() << ", new value:" << new_inflight_hi;
     }
@@ -417,10 +430,8 @@ void Bbr2ProbeBwMode::EnterProbeCruise(
                 << congestion_event.event_time - cycle_.phase_start_time
                 << ", or " << cycle_.rounds_in_phase << " rounds.  @ "
                 << congestion_event.event_time;
-  if (GetQuicReloadableFlag(quic_bbr2_fix_inflight_bounds)) {
-    QUIC_RELOADABLE_FLAG_COUNT_N(quic_bbr2_fix_inflight_bounds, 2, 2);
-    model_->cap_inflight_lo(model_->inflight_hi());
-  }
+
+  model_->cap_inflight_lo(model_->inflight_hi());
   cycle_.phase = CyclePhase::PROBE_CRUISE;
   cycle_.rounds_in_phase = 0;
   cycle_.phase_start_time = congestion_event.event_time;
diff --git a/chromium/net/third_party/quiche/src/quic/core/congestion_control/bbr2_probe_bw.h b/chromium/net/third_party/quiche/src/quic/core/congestion_control/bbr2_probe_bw.h
index 407056b5f49..45b5a73835e 100644
--- a/chromium/net/third_party/quiche/src/quic/core/congestion_control/bbr2_probe_bw.h
+++ b/chromium/net/third_party/quiche/src/quic/core/congestion_control/bbr2_probe_bw.h
@@ -11,6 +11,7 @@
 #include "net/third_party/quiche/src/quic/core/quic_time.h"
 #include "net/third_party/quiche/src/quic/core/quic_types.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_export.h"
+#include "net/third_party/quiche/src/quic/platform/api/quic_flags.h"
 
 namespace quic {
 
@@ -20,6 +21,7 @@ class QUIC_EXPORT_PRIVATE Bbr2ProbeBwMode final : public Bbr2ModeBase {
   using Bbr2ModeBase::Bbr2ModeBase;
 
   void Enter(const Bbr2CongestionEvent& congestion_event) override;
+  void Leave(const Bbr2CongestionEvent& /*congestion_event*/) override {}
 
   Bbr2Mode OnCongestionEvent(
       QuicByteCount prior_in_flight,
@@ -42,7 +44,7 @@ class QUIC_EXPORT_PRIVATE Bbr2ProbeBwMode final : public Bbr2ModeBase {
 
   static const char* CyclePhaseToString(CyclePhase phase);
 
-  struct DebugState {
+  struct QUIC_EXPORT_PRIVATE DebugState {
     CyclePhase phase;
     QuicTime cycle_start_time = QuicTime::Zero();
     QuicTime phase_start_time = QuicTime::Zero();
@@ -102,7 +104,7 @@ class QUIC_EXPORT_PRIVATE Bbr2ProbeBwMode final : public Bbr2ModeBase {
   void RaiseInflightHighSlope();
   void ProbeInflightHighUpward(const Bbr2CongestionEvent& congestion_event);
 
-  struct Cycle {
+  struct QUIC_EXPORT_PRIVATE Cycle {
     QuicTime cycle_start_time = QuicTime::Zero();
     CyclePhase phase = CyclePhase::PROBE_NOT_STARTED;
     uint64_t rounds_in_phase = 0;
@@ -120,6 +122,10 @@ class QUIC_EXPORT_PRIVATE Bbr2ProbeBwMode final : public Bbr2ModeBase {
 
   bool last_cycle_probed_too_high_;
   bool last_cycle_stopped_risky_probe_;
+
+  // Latched value of --quic_bbr2_exit_probe_bw_down_after_one_rtt.
+  const bool exit_probe_down_after_one_rtt_ =
+      GetQuicReloadableFlag(quic_bbr2_exit_probe_bw_down_after_one_rtt);
 };
 
 QUIC_EXPORT_PRIVATE std::ostream& operator<<(
diff --git a/chromium/net/third_party/quiche/src/quic/core/congestion_control/bbr2_probe_rtt.cc b/chromium/net/third_party/quiche/src/quic/core/congestion_control/bbr2_probe_rtt.cc
index fe4506b5bc0..f9c77097324 100644
--- a/chromium/net/third_party/quiche/src/quic/core/congestion_control/bbr2_probe_rtt.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/congestion_control/bbr2_probe_rtt.cc
@@ -26,6 +26,12 @@ Bbr2Mode Bbr2ProbeRttMode::OnCongestionEvent(
         congestion_event.bytes_in_flight <=
             sender_->GetMinimumCongestionWindow()) {
       exit_time_ = congestion_event.event_time + Params().probe_rtt_duration;
+      QUIC_DVLOG(2) << sender_ << " PROBE_RTT exit time set to " << exit_time_
+                    << ". bytes_inflight:" << congestion_event.bytes_in_flight
+                    << ", inflight_target:" << InflightTarget()
+                    << ", min_congestion_window:"
+                    << sender_->GetMinimumCongestionWindow() << "  @ "
+                    << congestion_event.event_time;
     }
     return Bbr2Mode::PROBE_RTT;
   }
diff --git a/chromium/net/third_party/quiche/src/quic/core/congestion_control/bbr2_probe_rtt.h b/chromium/net/third_party/quiche/src/quic/core/congestion_control/bbr2_probe_rtt.h
index 811c6467fa0..80a9d93d423 100644
--- a/chromium/net/third_party/quiche/src/quic/core/congestion_control/bbr2_probe_rtt.h
+++ b/chromium/net/third_party/quiche/src/quic/core/congestion_control/bbr2_probe_rtt.h
@@ -18,6 +18,7 @@ class QUIC_EXPORT_PRIVATE Bbr2ProbeRttMode final : public Bbr2ModeBase {
   using Bbr2ModeBase::Bbr2ModeBase;
 
   void Enter(const Bbr2CongestionEvent& congestion_event) override;
+  void Leave(const Bbr2CongestionEvent& /*congestion_event*/) override {}
 
   Bbr2Mode OnCongestionEvent(
       QuicByteCount prior_in_flight,
@@ -30,7 +31,7 @@ class QUIC_EXPORT_PRIVATE Bbr2ProbeRttMode final : public Bbr2ModeBase {
 
   bool IsProbingForBandwidth() const override { return false; }
 
-  struct DebugState {
+  struct QUIC_EXPORT_PRIVATE DebugState {
     QuicByteCount inflight_target;
     QuicTime exit_time = QuicTime::Zero();
   };
diff --git a/chromium/net/third_party/quiche/src/quic/core/congestion_control/bbr2_sender.cc b/chromium/net/third_party/quiche/src/quic/core/congestion_control/bbr2_sender.cc
index 9cd40b93621..31bf29946e5 100644
--- a/chromium/net/third_party/quiche/src/quic/core/congestion_control/bbr2_sender.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/congestion_control/bbr2_sender.cc
@@ -57,11 +57,12 @@ Bbr2Sender::Bbr2Sender(QuicTime now,
                        QuicPacketCount initial_cwnd_in_packets,
                        QuicPacketCount max_cwnd_in_packets,
                        QuicRandom* random,
-                       QuicConnectionStats* /*stats*/)
+                       QuicConnectionStats* stats)
     : mode_(Bbr2Mode::STARTUP),
       rtt_stats_(rtt_stats),
       unacked_packets_(unacked_packets),
       random_(random),
+      connection_stats_(stats),
       params_(kDefaultMinimumCongestionWindow,
               max_cwnd_in_packets * kDefaultTCPMSS),
       model_(&params_,
@@ -75,7 +76,7 @@ Bbr2Sender::Bbr2Sender(QuicTime now,
       pacing_rate_(kInitialPacingGain * QuicBandwidth::FromBytesAndTimeDelta(
                                             cwnd_,
                                             rtt_stats->SmoothedOrInitialRtt())),
-      startup_(this, &model_),
+      startup_(this, &model_, now),
       drain_(this, &model_),
       probe_bw_(this, &model_),
       probe_rtt_(this, &model_),
@@ -114,10 +115,8 @@ const Limits<QuicByteCount>& Bbr2Sender::cwnd_limits() const {
   return params_.cwnd_limits;
 }
 
-void Bbr2Sender::AdjustNetworkParameters(QuicBandwidth bandwidth,
-                                         QuicTime::Delta rtt,
-                                         bool allow_cwnd_to_decrease) {
-  model_.UpdateNetworkParameters(bandwidth, rtt);
+void Bbr2Sender::AdjustNetworkParameters(const NetworkParams& params) {
+  model_.UpdateNetworkParameters(params.bandwidth, params.rtt);
 
   if (mode_ == Bbr2Mode::STARTUP) {
     const QuicByteCount prior_cwnd = cwnd_;
@@ -127,7 +126,7 @@ void Bbr2Sender::AdjustNetworkParameters(QuicBandwidth bandwidth,
     // we are reducing the number of updates needed to arrive at the target.
     cwnd_ = model_.BDP(model_.BandwidthEstimate());
     UpdateCongestionWindow(0);
-    if (!allow_cwnd_to_decrease) {
+    if (!params.allow_cwnd_to_decrease) {
       cwnd_ = std::max(cwnd_, prior_cwnd);
     }
   }
@@ -170,6 +169,7 @@ void Bbr2Sender::OnCongestionEvent(bool /*rtt_updated*/,
 
     QUIC_DVLOG(2) << this << " Mode change:  " << mode_ << " ==> " << next_mode
                   << "  @ " << event_time;
+    BBR2_MODE_DISPATCH(Leave(congestion_event));
     mode_ = next_mode;
     BBR2_MODE_DISPATCH(Enter(congestion_event));
     --mode_changes_allowed;
@@ -311,6 +311,10 @@ void Bbr2Sender::OnApplicationLimited(QuicByteCount bytes_in_flight) {
                 << ", CWND: " << GetCongestionWindow();
 }
 
+void Bbr2Sender::PopulateConnectionStats(QuicConnectionStats* stats) const {
+  stats->num_ack_aggregation_epochs = model_.num_ack_aggregation_epochs();
+}
+
 bool Bbr2Sender::ShouldSendProbingPacket() const {
   // TODO(wub): Implement ShouldSendProbingPacket properly.
   if (!BBR2_MODE_DISPATCH(IsProbingForBandwidth())) {
@@ -363,6 +367,9 @@ Bbr2Sender::DebugState Bbr2Sender::ExportDebugState() const {
   s.bandwidth_hi = model_.MaxBandwidth();
   s.bandwidth_lo = model_.bandwidth_lo();
   s.bandwidth_est = BandwidthEstimate();
+  s.inflight_hi = model_.inflight_hi();
+  s.inflight_lo = model_.inflight_lo();
+  s.max_ack_height = model_.MaxAckHeight();
   s.min_rtt = model_.MinRtt();
   s.min_rtt_timestamp = model_.MinRttTimestamp();
   s.congestion_window = cwnd_;
diff --git a/chromium/net/third_party/quiche/src/quic/core/congestion_control/bbr2_sender.h b/chromium/net/third_party/quiche/src/quic/core/congestion_control/bbr2_sender.h
index b58dd93e271..4cfd34c74c7 100644
--- a/chromium/net/third_party/quiche/src/quic/core/congestion_control/bbr2_sender.h
+++ b/chromium/net/third_party/quiche/src/quic/core/congestion_control/bbr2_sender.h
@@ -30,7 +30,7 @@ class QUIC_EXPORT_PRIVATE Bbr2Sender final : public SendAlgorithmInterface {
              QuicPacketCount initial_cwnd_in_packets,
              QuicPacketCount max_cwnd_in_packets,
              QuicRandom* random,
-             QuicConnectionStats* /*stats*/);
+             QuicConnectionStats* stats);
 
   ~Bbr2Sender() override = default;
 
@@ -47,9 +47,7 @@ class QUIC_EXPORT_PRIVATE Bbr2Sender final : public SendAlgorithmInterface {
   void SetFromConfig(const QuicConfig& config,
                      Perspective perspective) override;
 
-  void AdjustNetworkParameters(QuicBandwidth bandwidth,
-                               QuicTime::Delta rtt,
-                               bool allow_cwnd_to_decrease) override;
+  void AdjustNetworkParameters(const NetworkParams& params) override;
 
   void SetInitialCongestionWindowInPackets(
       QuicPacketCount congestion_window) override;
@@ -89,6 +87,8 @@ class QUIC_EXPORT_PRIVATE Bbr2Sender final : public SendAlgorithmInterface {
   std::string GetDebugState() const override;
 
   void OnApplicationLimited(QuicByteCount bytes_in_flight) override;
+
+  void PopulateConnectionStats(QuicConnectionStats* stats) const override;
   // End implementation of SendAlgorithmInterface.
 
   const Bbr2Params& Params() const { return params_; }
@@ -97,7 +97,7 @@ class QUIC_EXPORT_PRIVATE Bbr2Sender final : public SendAlgorithmInterface {
     return cwnd_limits().Min();
   }
 
-  struct DebugState {
+  struct QUIC_EXPORT_PRIVATE DebugState {
     Bbr2Mode mode;
 
     // Shared states.
@@ -105,6 +105,9 @@ class QUIC_EXPORT_PRIVATE Bbr2Sender final : public SendAlgorithmInterface {
     QuicBandwidth bandwidth_hi = QuicBandwidth::Zero();
     QuicBandwidth bandwidth_lo = QuicBandwidth::Zero();
     QuicBandwidth bandwidth_est = QuicBandwidth::Zero();
+    QuicByteCount inflight_hi;
+    QuicByteCount inflight_lo;
+    QuicByteCount max_ack_height;
     QuicTime::Delta min_rtt = QuicTime::Delta::Zero();
     QuicTime min_rtt_timestamp = QuicTime::Zero();
     QuicByteCount congestion_window;
@@ -156,6 +159,7 @@ class QUIC_EXPORT_PRIVATE Bbr2Sender final : public SendAlgorithmInterface {
   const RttStats* const rtt_stats_;
   const QuicUnackedPacketMap* const unacked_packets_;
   QuicRandom* random_;
+  QuicConnectionStats* connection_stats_;
 
   const Bbr2Params params_;
 
diff --git a/chromium/net/third_party/quiche/src/quic/core/congestion_control/bbr2_simulator_test.cc b/chromium/net/third_party/quiche/src/quic/core/congestion_control/bbr2_simulator_test.cc
index 71f3048198a..005e11deae7 100644
--- a/chromium/net/third_party/quiche/src/quic/core/congestion_control/bbr2_simulator_test.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/congestion_control/bbr2_simulator_test.cc
@@ -24,6 +24,10 @@
 #include "net/third_party/quiche/src/quic/test_tools/simulator/switch.h"
 #include "net/third_party/quiche/src/quic/test_tools/simulator/traffic_policer.h"
 
+using testing::AllOf;
+using testing::Ge;
+using testing::Le;
+
 namespace quic {
 
 using CyclePhase = Bbr2ProbeBwMode::CyclePhase;
@@ -135,9 +139,13 @@ class Bbr2DefaultTopologyTest : public Bbr2SimulatorTest {
   ~Bbr2DefaultTopologyTest() {
     const auto* test_info =
         ::testing::UnitTest::GetInstance()->current_test_info();
+    const Bbr2Sender::DebugState& debug_state = sender_->ExportDebugState();
     QUIC_LOG(INFO) << "Bbr2DefaultTopologyTest." << test_info->name()
                    << " completed at simulated time: "
-                   << SimulatedNow().ToDebuggingValue() / 1e6 << " sec.";
+                   << SimulatedNow().ToDebuggingValue() / 1e6
+                   << " sec. packet loss:"
+                   << sender_loss_rate_in_packets() * 100
+                   << "%, bw_hi:" << debug_state.bandwidth_hi;
   }
 
   Bbr2Sender* SetupBbr2Sender(simulator::QuicEndpoint* endpoint) {
@@ -147,8 +155,9 @@ class Bbr2DefaultTopologyTest : public Bbr2SimulatorTest {
         endpoint->connection()->sent_packet_manager().GetRttStats(),
         QuicSentPacketManagerPeer::GetUnackedPacketMap(
             QuicConnectionPeer::GetSentPacketManager(endpoint->connection())),
-        kDefaultInitialCwndPackets, kDefaultMaxCongestionWindowPackets,
-        &random_, QuicConnectionPeer::GetStats(endpoint->connection()));
+        kDefaultInitialCwndPackets,
+        GetQuicFlag(FLAGS_quic_max_congestion_window), &random_,
+        QuicConnectionPeer::GetStats(endpoint->connection()));
     QuicConnectionPeer::SetSendAlgorithm(endpoint->connection(), sender);
     endpoint->RecordTrace();
     return sender;
@@ -413,7 +422,7 @@ TEST_F(Bbr2DefaultTopologyTest, SimpleTransferAckDecimation) {
 }
 
 // Test Bbr2's reaction to a 100x bandwidth decrease during a transfer.
-TEST_F(Bbr2DefaultTopologyTest, BandwidthDecrease) {
+TEST_F(Bbr2DefaultTopologyTest, QUIC_SLOW_TEST(BandwidthDecrease)) {
   DefaultTopologyParams params;
   params.local_link.bandwidth = QuicBandwidth::FromKBitsPerSecond(15000);
   params.test_link.bandwidth = QuicBandwidth::FromKBitsPerSecond(10000);
@@ -442,7 +451,7 @@ TEST_F(Bbr2DefaultTopologyTest, BandwidthDecrease) {
 }
 
 // Test Bbr2's reaction to a 100x bandwidth increase during a transfer.
-TEST_F(Bbr2DefaultTopologyTest, BandwidthIncrease) {
+TEST_F(Bbr2DefaultTopologyTest, QUIC_SLOW_TEST(BandwidthIncrease)) {
   DefaultTopologyParams params;
   params.local_link.bandwidth = QuicBandwidth::FromKBitsPerSecond(15000);
   params.test_link.bandwidth = QuicBandwidth::FromKBitsPerSecond(100);
@@ -668,7 +677,26 @@ TEST_F(Bbr2DefaultTopologyTest, SenderPoliced) {
   EXPECT_TRUE(Bbr2ModeIsOneOf({Bbr2Mode::PROBE_BW, Bbr2Mode::PROBE_RTT}));
   // TODO(wub): Fix (long-term) bandwidth overestimation in policer mode, then
   // reduce the loss rate upper bound.
-  EXPECT_LE(sender_loss_rate_in_packets(), 0.15);
+  EXPECT_LE(sender_loss_rate_in_packets(), 0.30);
+}
+
+// TODO(wub): Add other slowstart stats to BBRv2.
+TEST_F(Bbr2DefaultTopologyTest, StartupStats) {
+  DefaultTopologyParams params;
+  CreateNetwork(params);
+
+  DriveOutOfStartup(params);
+  ASSERT_FALSE(sender_->InSlowStart());
+
+  const QuicConnectionStats& stats = sender_connection_stats();
+  EXPECT_EQ(1u, stats.slowstart_count);
+  EXPECT_FALSE(stats.slowstart_duration.IsRunning());
+  EXPECT_THAT(stats.slowstart_duration.GetTotalElapsedTime(),
+              AllOf(Ge(QuicTime::Delta::FromMilliseconds(500)),
+                    Le(QuicTime::Delta::FromMilliseconds(1500))));
+  EXPECT_EQ(stats.slowstart_duration.GetTotalElapsedTime(),
+            QuicConnectionPeer::GetSentPacketManager(sender_connection())
+                ->GetSlowStartDuration());
 }
 
 // All Bbr2MultiSenderTests uses the following network topology:
@@ -741,7 +769,7 @@ class Bbr2MultiSenderTest : public Bbr2SimulatorTest {
  protected:
   Bbr2MultiSenderTest() {
     uint64_t first_connection_id = 42;
-    std::vector<simulator::QuicEndpoint*> receiver_endpoint_pointers;
+    std::vector<simulator::QuicEndpointBase*> receiver_endpoint_pointers;
     for (size_t i = 0; i < MultiSenderTopologyParams::kNumLocalLinks; ++i) {
       std::string sender_name = QuicStrCat("Sender", i + 1);
       std::string receiver_name = QuicStrCat("Receiver", i + 1);
@@ -770,7 +798,17 @@ class Bbr2MultiSenderTest : public Bbr2SimulatorTest {
         ::testing::UnitTest::GetInstance()->current_test_info();
     QUIC_LOG(INFO) << "Bbr2MultiSenderTest." << test_info->name()
                    << " completed at simulated time: "
-                   << SimulatedNow().ToDebuggingValue() / 1e6 << " sec.";
+                   << SimulatedNow().ToDebuggingValue() / 1e6
+                   << " sec. Per sender stats:";
+    for (size_t i = 0; i < sender_endpoints_.size(); ++i) {
+      QUIC_LOG(INFO) << "sender[" << i << "]: "
+                     << sender_connection(i)
+                            ->sent_packet_manager()
+                            .GetSendAlgorithm()
+                            ->GetCongestionControlType()
+                     << ", packet_loss:"
+                     << 100.0 * sender_loss_rate_in_packets(i) << "%";
+    }
   }
 
   Bbr2Sender* SetupBbr2Sender(simulator::QuicEndpoint* endpoint) {
@@ -780,8 +818,9 @@ class Bbr2MultiSenderTest : public Bbr2SimulatorTest {
         endpoint->connection()->sent_packet_manager().GetRttStats(),
         QuicSentPacketManagerPeer::GetUnackedPacketMap(
             QuicConnectionPeer::GetSentPacketManager(endpoint->connection())),
-        kDefaultInitialCwndPackets, kDefaultMaxCongestionWindowPackets,
-        &random_, QuicConnectionPeer::GetStats(endpoint->connection()));
+        kDefaultInitialCwndPackets,
+        GetQuicFlag(FLAGS_quic_max_congestion_window), &random_,
+        QuicConnectionPeer::GetStats(endpoint->connection()));
     QuicConnectionPeer::SetSendAlgorithm(endpoint->connection(), sender);
     endpoint->RecordTrace();
     return sender;
@@ -794,8 +833,9 @@ class Bbr2MultiSenderTest : public Bbr2SimulatorTest {
         endpoint->connection()->sent_packet_manager().GetRttStats(),
         QuicSentPacketManagerPeer::GetUnackedPacketMap(
             QuicConnectionPeer::GetSentPacketManager(endpoint->connection())),
-        kDefaultInitialCwndPackets, kDefaultMaxCongestionWindowPackets,
-        &random_, QuicConnectionPeer::GetStats(endpoint->connection()));
+        kDefaultInitialCwndPackets,
+        GetQuicFlag(FLAGS_quic_max_congestion_window), &random_,
+        QuicConnectionPeer::GetStats(endpoint->connection()));
     QuicConnectionPeer::SetSendAlgorithm(endpoint->connection(), sender);
     endpoint->RecordTrace();
     return sender;
@@ -808,7 +848,8 @@ class Bbr2MultiSenderTest : public Bbr2SimulatorTest {
     TcpCubicSenderBytes* sender = new TcpCubicSenderBytes(
         endpoint->connection()->clock(),
         endpoint->connection()->sent_packet_manager().GetRttStats(), reno,
-        kDefaultInitialCwndPackets, kDefaultMaxCongestionWindowPackets,
+        kDefaultInitialCwndPackets,
+        GetQuicFlag(FLAGS_quic_max_congestion_window),
         QuicConnectionPeer::GetStats(endpoint->connection()));
     QuicConnectionPeer::SetSendAlgorithm(endpoint->connection(), sender);
     endpoint->RecordTrace();
@@ -834,6 +875,19 @@ class Bbr2MultiSenderTest : public Bbr2SimulatorTest {
 
   QuicTime SimulatedNow() const { return simulator_.GetClock()->Now(); }
 
+  QuicConnection* sender_connection(size_t which) {
+    return sender_endpoints_[which]->connection();
+  }
+
+  const QuicConnectionStats& sender_connection_stats(size_t which) {
+    return sender_connection(which)->GetStats();
+  }
+
+  float sender_loss_rate_in_packets(size_t which) {
+    return static_cast<float>(sender_connection_stats(which).packets_lost) /
+           sender_connection_stats(which).packets_sent;
+  }
+
   simulator::Simulator simulator_;
   std::vector<std::unique_ptr<simulator::QuicEndpoint>> sender_endpoints_;
   std::vector<std::unique_ptr<simulator::QuicEndpoint>> receiver_endpoints_;
@@ -876,7 +930,7 @@ TEST_F(Bbr2MultiSenderTest, Bbr2VsBbr2) {
   ASSERT_TRUE(simulator_result);
 }
 
-TEST_F(Bbr2MultiSenderTest, MultipleBbr2s) {
+TEST_F(Bbr2MultiSenderTest, QUIC_SLOW_TEST(MultipleBbr2s)) {
   const int kTotalNumSenders = 6;
   for (int i = 1; i < kTotalNumSenders; ++i) {
     SetupBbr2Sender(sender_endpoints_[i].get());
@@ -992,7 +1046,7 @@ TEST_F(Bbr2MultiSenderTest, Bbr2VsBbr1) {
   ASSERT_TRUE(simulator_result);
 }
 
-TEST_F(Bbr2MultiSenderTest, Bbr2VsReno) {
+TEST_F(Bbr2MultiSenderTest, QUIC_SLOW_TEST(Bbr2VsReno)) {
   SetupTcpSender(sender_endpoints_[1].get(), /*reno=*/true);
 
   MultiSenderTopologyParams params;
@@ -1023,7 +1077,7 @@ TEST_F(Bbr2MultiSenderTest, Bbr2VsReno) {
   ASSERT_TRUE(simulator_result);
 }
 
-TEST_F(Bbr2MultiSenderTest, Bbr2VsCubic) {
+TEST_F(Bbr2MultiSenderTest, QUIC_SLOW_TEST(Bbr2VsCubic)) {
   SetupTcpSender(sender_endpoints_[1].get(), /*reno=*/false);
 
   MultiSenderTopologyParams params;
diff --git a/chromium/net/third_party/quiche/src/quic/core/congestion_control/bbr2_startup.cc b/chromium/net/third_party/quiche/src/quic/core/congestion_control/bbr2_startup.cc
index 5ff10503025..187b349b327 100644
--- a/chromium/net/third_party/quiche/src/quic/core/congestion_control/bbr2_startup.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/congestion_control/bbr2_startup.cc
@@ -12,17 +12,30 @@
 namespace quic {
 
 Bbr2StartupMode::Bbr2StartupMode(const Bbr2Sender* sender,
-                                 Bbr2NetworkModel* model)
+                                 Bbr2NetworkModel* model,
+                                 QuicTime now)
     : Bbr2ModeBase(sender, model),
       full_bandwidth_reached_(false),
       full_bandwidth_baseline_(QuicBandwidth::Zero()),
       rounds_without_bandwidth_growth_(0),
-      loss_events_in_round_(0) {}
+      loss_events_in_round_(0) {
+  // Clear some startup stats if |sender_->connection_stats_| has been used by
+  // another sender, which happens e.g. when QuicConnection switch send
+  // algorithms.
+  sender_->connection_stats_->slowstart_count = 1;
+  sender_->connection_stats_->slowstart_duration = QuicTimeAccumulator();
+  sender_->connection_stats_->slowstart_duration.Start(now);
+}
 
 void Bbr2StartupMode::Enter(const Bbr2CongestionEvent& /*congestion_event*/) {
   QUIC_BUG << "Bbr2StartupMode::Enter should not be called";
 }
 
+void Bbr2StartupMode::Leave(const Bbr2CongestionEvent& congestion_event) {
+  sender_->connection_stats_->slowstart_duration.Stop(
+      congestion_event.event_time);
+}
+
 Bbr2Mode Bbr2StartupMode::OnCongestionEvent(
     QuicByteCount /*prior_in_flight*/,
     QuicTime /*event_time*/,
diff --git a/chromium/net/third_party/quiche/src/quic/core/congestion_control/bbr2_startup.h b/chromium/net/third_party/quiche/src/quic/core/congestion_control/bbr2_startup.h
index df3f9a747c7..80539d9a108 100644
--- a/chromium/net/third_party/quiche/src/quic/core/congestion_control/bbr2_startup.h
+++ b/chromium/net/third_party/quiche/src/quic/core/congestion_control/bbr2_startup.h
@@ -16,9 +16,12 @@ namespace quic {
 class Bbr2Sender;
 class QUIC_EXPORT_PRIVATE Bbr2StartupMode final : public Bbr2ModeBase {
  public:
-  Bbr2StartupMode(const Bbr2Sender* sender, Bbr2NetworkModel* model);
+  Bbr2StartupMode(const Bbr2Sender* sender,
+                  Bbr2NetworkModel* model,
+                  QuicTime now);
 
   void Enter(const Bbr2CongestionEvent& congestion_event) override;
+  void Leave(const Bbr2CongestionEvent& congestion_event) override;
 
   Bbr2Mode OnCongestionEvent(
       QuicByteCount prior_in_flight,
@@ -35,7 +38,7 @@ class QUIC_EXPORT_PRIVATE Bbr2StartupMode final : public Bbr2ModeBase {
 
   bool FullBandwidthReached() const { return full_bandwidth_reached_; }
 
-  struct DebugState {
+  struct QUIC_EXPORT_PRIVATE DebugState {
     bool full_bandwidth_reached;
     QuicBandwidth full_bandwidth_baseline = QuicBandwidth::Zero();
     QuicRoundTripCount round_trips_without_bandwidth_growth;
diff --git a/chromium/net/third_party/quiche/src/quic/core/congestion_control/bbr_sender.cc b/chromium/net/third_party/quiche/src/quic/core/congestion_control/bbr_sender.cc
index b0fd50d4c8b..0096ca5b095 100644
--- a/chromium/net/third_party/quiche/src/quic/core/congestion_control/bbr_sender.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/congestion_control/bbr_sender.cc
@@ -11,6 +11,7 @@
 #include "net/third_party/quiche/src/quic/core/congestion_control/rtt_stats.h"
 #include "net/third_party/quiche/src/quic/core/crypto/crypto_protocol.h"
 #include "net/third_party/quiche/src/quic/core/quic_time.h"
+#include "net/third_party/quiche/src/quic/core/quic_time_accumulator.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_bug_tracker.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_fallthrough.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_flag_utils.h"
@@ -136,8 +137,10 @@ BbrSender::BbrSender(QuicTime now,
       app_limited_since_last_probe_rtt_(false),
       min_rtt_since_last_probe_rtt_(QuicTime::Delta::Infinite()) {
   if (stats_) {
+    // Clear some startup stats if |stats_| has been used by another sender,
+    // which happens e.g. when QuicConnection switch send algorithms.
     stats_->slowstart_count = 0;
-    stats_->slowstart_start_time = QuicTime::Zero();
+    stats_->slowstart_duration = QuicTimeAccumulator();
   }
   EnterStartupMode(now);
 }
@@ -324,27 +327,31 @@ void BbrSender::SetFromConfig(const QuicConfig& config,
   }
 }
 
-void BbrSender::AdjustNetworkParameters(QuicBandwidth bandwidth,
-                                        QuicTime::Delta rtt,
-                                        bool allow_cwnd_to_decrease) {
-  if (!bandwidth.IsZero()) {
+void BbrSender::AdjustNetworkParameters(const NetworkParams& params) {
+  const QuicBandwidth& bandwidth = params.bandwidth;
+  const QuicTime::Delta& rtt = params.rtt;
+
+  if (GetQuicReloadableFlag(quic_bbr_donot_inject_bandwidth)) {
+    QUIC_RELOADABLE_FLAG_COUNT(quic_bbr_donot_inject_bandwidth);
+  } else if (!bandwidth.IsZero()) {
     max_bandwidth_.Update(bandwidth, round_trip_count_);
   }
   if (!rtt.IsZero() && (min_rtt_ > rtt || min_rtt_.IsZero())) {
     min_rtt_ = rtt;
   }
-  if (GetQuicReloadableFlag(quic_fix_bbr_cwnd_in_bandwidth_resumption) &&
-      mode_ == STARTUP) {
+
+  if (params.quic_fix_bbr_cwnd_in_bandwidth_resumption && mode_ == STARTUP) {
     if (bandwidth.IsZero()) {
       // Ignore bad bandwidth samples.
-      QUIC_RELOADABLE_FLAG_COUNT_N(quic_fix_bbr_cwnd_in_bandwidth_resumption, 3,
-                                   3);
       return;
     }
-    const QuicByteCount new_cwnd =
-        std::max(kMinInitialCongestionWindow * kDefaultTCPMSS,
-                 std::min(kMaxInitialCongestionWindow * kDefaultTCPMSS,
-                          bandwidth * rtt_stats_->SmoothedOrInitialRtt()));
+    const QuicByteCount new_cwnd = std::max(
+        kMinInitialCongestionWindow * kDefaultTCPMSS,
+        std::min(
+            kMaxInitialCongestionWindow * kDefaultTCPMSS,
+            bandwidth * (GetQuicReloadableFlag(quic_bbr_donot_inject_bandwidth)
+                             ? GetMinRtt()
+                             : rtt_stats_->SmoothedOrInitialRtt())));
     if (!rtt_stats_->smoothed_rtt().IsZero()) {
       QUIC_CODE_COUNT(quic_smoothed_rtt_available);
     } else if (rtt_stats_->initial_rtt() !=
@@ -353,14 +360,7 @@ void BbrSender::AdjustNetworkParameters(QuicBandwidth bandwidth,
     } else {
       QUIC_CODE_COUNT(quic_default_initial_rtt);
     }
-    if (new_cwnd > congestion_window_) {
-      QUIC_RELOADABLE_FLAG_COUNT_N(quic_fix_bbr_cwnd_in_bandwidth_resumption, 1,
-                                   3);
-    } else {
-      QUIC_RELOADABLE_FLAG_COUNT_N(quic_fix_bbr_cwnd_in_bandwidth_resumption, 2,
-                                   3);
-    }
-    if (new_cwnd < congestion_window_ && !allow_cwnd_to_decrease) {
+    if (new_cwnd < congestion_window_ && !params.allow_cwnd_to_decrease) {
       // Only decrease cwnd if allow_cwnd_to_decrease is true.
       return;
     }
@@ -372,6 +372,12 @@ void BbrSender::AdjustNetworkParameters(QuicBandwidth bandwidth,
       set_high_cwnd_gain(kDerivedHighCWNDGain);
     }
     congestion_window_ = new_cwnd;
+    if (params.quic_bbr_fix_pacing_rate) {
+      // Pace at the rate of new_cwnd / RTT.
+      QuicBandwidth new_pacing_rate =
+          QuicBandwidth::FromBytesAndTimeDelta(congestion_window_, GetMinRtt());
+      pacing_rate_ = std::max(pacing_rate_, new_pacing_rate);
+    }
   }
 }
 
@@ -462,8 +468,7 @@ QuicByteCount BbrSender::ProbeRttCongestionWindow() const {
 void BbrSender::EnterStartupMode(QuicTime now) {
   if (stats_) {
     ++stats_->slowstart_count;
-    DCHECK_EQ(stats_->slowstart_start_time, QuicTime::Zero()) << mode_;
-    stats_->slowstart_start_time = now;
+    stats_->slowstart_duration.Start(now);
   }
   mode_ = STARTUP;
   pacing_gain_ = high_gain_;
@@ -668,12 +673,7 @@ void BbrSender::MaybeExitStartupOrDrain(QuicTime now) {
 void BbrSender::OnExitStartup(QuicTime now) {
   DCHECK_EQ(mode_, STARTUP);
   if (stats_) {
-    DCHECK_NE(stats_->slowstart_start_time, QuicTime::Zero());
-    if (now > stats_->slowstart_start_time) {
-      stats_->slowstart_duration =
-          now - stats_->slowstart_start_time + stats_->slowstart_duration;
-    }
-    stats_->slowstart_start_time = QuicTime::Zero();
+    stats_->slowstart_duration.Stop(now);
   }
 }
 
@@ -877,6 +877,7 @@ void BbrSender::CalculateRecoveryWindow(QuicByteCount bytes_acked,
   recovery_window_ = std::max(
       recovery_window_, unacked_packets_->bytes_in_flight() + bytes_acked);
   if (GetQuicReloadableFlag(quic_bbr_one_mss_conservation)) {
+    QUIC_RELOADABLE_FLAG_COUNT(quic_bbr_one_mss_conservation);
     recovery_window_ =
         std::max(recovery_window_,
                  unacked_packets_->bytes_in_flight() + kMaxSegmentSize);
@@ -904,6 +905,10 @@ void BbrSender::OnApplicationLimited(QuicByteCount bytes_in_flight) {
                 << last_sent_packet_ << ", CWND: " << GetCongestionWindow();
 }
 
+void BbrSender::PopulateConnectionStats(QuicConnectionStats* stats) const {
+  stats->num_ack_aggregation_epochs = sampler_.num_ack_aggregation_epochs();
+}
+
 BbrSender::DebugState BbrSender::ExportDebugState() const {
   return DebugState(*this);
 }
diff --git a/chromium/net/third_party/quiche/src/quic/core/congestion_control/bbr_sender.h b/chromium/net/third_party/quiche/src/quic/core/congestion_control/bbr_sender.h
index 8321b8c9e27..dc512cf59be 100644
--- a/chromium/net/third_party/quiche/src/quic/core/congestion_control/bbr_sender.h
+++ b/chromium/net/third_party/quiche/src/quic/core/congestion_control/bbr_sender.h
@@ -62,7 +62,7 @@ class QUIC_EXPORT_PRIVATE BbrSender : public SendAlgorithmInterface {
 
   // Debug state can be exported in order to troubleshoot potential congestion
   // control issues.
-  struct DebugState {
+  struct QUIC_EXPORT_PRIVATE DebugState {
     explicit DebugState(const BbrSender& sender);
     DebugState(const DebugState& state);
 
@@ -105,9 +105,7 @@ class QUIC_EXPORT_PRIVATE BbrSender : public SendAlgorithmInterface {
   void SetFromConfig(const QuicConfig& config,
                      Perspective perspective) override;
 
-  void AdjustNetworkParameters(QuicBandwidth bandwidth,
-                               QuicTime::Delta rtt,
-                               bool allow_cwnd_to_decrease) override;
+  void AdjustNetworkParameters(const NetworkParams& params) override;
   void SetInitialCongestionWindowInPackets(
       QuicPacketCount congestion_window) override;
   void OnCongestionEvent(bool rtt_updated,
@@ -130,6 +128,7 @@ class QUIC_EXPORT_PRIVATE BbrSender : public SendAlgorithmInterface {
   CongestionControlType GetCongestionControlType() const override;
   std::string GetDebugState() const override;
   void OnApplicationLimited(QuicByteCount bytes_in_flight) override;
+  void PopulateConnectionStats(QuicConnectionStats* stats) const override;
   // End implementation of SendAlgorithmInterface.
 
   // Gets the number of RTTs BBR remains in STARTUP phase.
diff --git a/chromium/net/third_party/quiche/src/quic/core/congestion_control/bbr_sender_test.cc b/chromium/net/third_party/quiche/src/quic/core/congestion_control/bbr_sender_test.cc
index 8ecab8736ae..6acfe80519a 100644
--- a/chromium/net/third_party/quiche/src/quic/core/congestion_control/bbr_sender_test.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/congestion_control/bbr_sender_test.cc
@@ -135,8 +135,9 @@ class BbrSenderTest : public QuicTest {
         endpoint->connection()->clock()->Now(), rtt_stats,
         QuicSentPacketManagerPeer::GetUnackedPacketMap(
             QuicConnectionPeer::GetSentPacketManager(endpoint->connection())),
-        kInitialCongestionWindowPackets, kDefaultMaxCongestionWindowPackets,
-        &random_, QuicConnectionPeer::GetStats(endpoint->connection()));
+        kInitialCongestionWindowPackets,
+        GetQuicFlag(FLAGS_quic_max_congestion_window), &random_,
+        QuicConnectionPeer::GetStats(endpoint->connection()));
     QuicConnectionPeer::SetSendAlgorithm(endpoint->connection(), sender);
     endpoint->RecordTrace();
     return sender;
@@ -379,8 +380,9 @@ TEST_F(BbrSenderTest, SimpleTransferAckDecimation) {
       bbr_sender_.connection()->clock()->Now(), rtt_stats_,
       QuicSentPacketManagerPeer::GetUnackedPacketMap(
           QuicConnectionPeer::GetSentPacketManager(bbr_sender_.connection())),
-      kInitialCongestionWindowPackets, kDefaultMaxCongestionWindowPackets,
-      &random_, QuicConnectionPeer::GetStats(bbr_sender_.connection()));
+      kInitialCongestionWindowPackets,
+      GetQuicFlag(FLAGS_quic_max_congestion_window), &random_,
+      QuicConnectionPeer::GetStats(bbr_sender_.connection()));
   QuicConnectionPeer::SetSendAlgorithm(bbr_sender_.connection(), sender_);
   // Enable Ack Decimation on the receiver.
   QuicConnectionPeer::SetAckMode(receiver_.connection(),
@@ -1247,10 +1249,18 @@ TEST_F(BbrSenderTest, SimpleCompetition) {
 TEST_F(BbrSenderTest, ResumeConnectionState) {
   CreateDefaultSetup();
 
-  bbr_sender_.connection()->AdjustNetworkParameters(kTestLinkBandwidth,
-                                                    kTestRtt, false);
-  EXPECT_EQ(kTestLinkBandwidth, sender_->ExportDebugState().max_bandwidth);
-  EXPECT_EQ(kTestLinkBandwidth, sender_->BandwidthEstimate());
+  bbr_sender_.connection()->AdjustNetworkParameters(
+      SendAlgorithmInterface::NetworkParams(kTestLinkBandwidth, kTestRtt,
+                                            false));
+  if (!GetQuicReloadableFlag(quic_bbr_donot_inject_bandwidth)) {
+    EXPECT_EQ(kTestLinkBandwidth, sender_->ExportDebugState().max_bandwidth);
+    EXPECT_EQ(kTestLinkBandwidth, sender_->BandwidthEstimate());
+  }
+  EXPECT_EQ(kTestLinkBandwidth * kTestRtt,
+            sender_->ExportDebugState().congestion_window);
+  if (GetQuicReloadableFlag(quic_bbr_fix_pacing_rate)) {
+    EXPECT_EQ(kTestLinkBandwidth, sender_->PacingRate(/*bytes_in_flight=*/0));
+  }
   EXPECT_APPROX_EQ(kTestRtt, sender_->ExportDebugState().min_rtt, 0.01f);
 
   DriveOutOfStartup();
@@ -1299,14 +1309,88 @@ TEST_F(BbrSenderTest, StartupStats) {
   EXPECT_THAT(stats.slowstart_bytes_sent, AllOf(Ge(100000u), Le(1000000u)));
   EXPECT_LE(stats.slowstart_packets_lost, 10u);
   EXPECT_LE(stats.slowstart_bytes_lost, 10000u);
-  EXPECT_THAT(stats.slowstart_duration,
+  EXPECT_FALSE(stats.slowstart_duration.IsRunning());
+  EXPECT_THAT(stats.slowstart_duration.GetTotalElapsedTime(),
               AllOf(Ge(QuicTime::Delta::FromMilliseconds(500)),
                     Le(QuicTime::Delta::FromMilliseconds(1500))));
-  EXPECT_EQ(QuicTime::Zero(), stats.slowstart_start_time);
-  EXPECT_EQ(stats.slowstart_duration,
+  EXPECT_EQ(stats.slowstart_duration.GetTotalElapsedTime(),
             QuicConnectionPeer::GetSentPacketManager(bbr_sender_.connection())
                 ->GetSlowStartDuration());
 }
 
+// Regression test for b/143540157.
+TEST_F(BbrSenderTest, RecalculatePacingRateOnCwndChange1RTT) {
+  CreateDefaultSetup();
+
+  bbr_sender_.AddBytesToTransfer(1 * 1024 * 1024);
+  // Wait until an ACK comes back.
+  const QuicTime::Delta timeout = QuicTime::Delta::FromSeconds(5);
+  bool simulator_result = simulator_.RunUntilOrTimeout(
+      [this]() { return !sender_->ExportDebugState().min_rtt.IsZero(); },
+      timeout);
+  ASSERT_TRUE(simulator_result);
+  const QuicByteCount previous_cwnd =
+      sender_->ExportDebugState().congestion_window;
+
+  // Bootstrap cwnd.
+  bbr_sender_.connection()->AdjustNetworkParameters(
+      SendAlgorithmInterface::NetworkParams(kTestLinkBandwidth,
+                                            QuicTime::Delta::Zero(), false));
+  if (!GetQuicReloadableFlag(quic_bbr_donot_inject_bandwidth)) {
+    EXPECT_EQ(kTestLinkBandwidth, sender_->ExportDebugState().max_bandwidth);
+    EXPECT_EQ(kTestLinkBandwidth, sender_->BandwidthEstimate());
+  }
+  EXPECT_LT(previous_cwnd, sender_->ExportDebugState().congestion_window);
+
+  if (GetQuicReloadableFlag(quic_bbr_fix_pacing_rate)) {
+    // Verify pacing rate is re-calculated based on the new cwnd and min_rtt.
+    EXPECT_APPROX_EQ(QuicBandwidth::FromBytesAndTimeDelta(
+                         sender_->ExportDebugState().congestion_window,
+                         sender_->ExportDebugState().min_rtt),
+                     sender_->PacingRate(/*bytes_in_flight=*/0), 0.01f);
+  } else {
+    // Pacing rate is still based on initial cwnd.
+    EXPECT_APPROX_EQ(QuicBandwidth::FromBytesAndTimeDelta(
+                         kInitialCongestionWindowPackets * kDefaultTCPMSS,
+                         sender_->ExportDebugState().min_rtt),
+                     sender_->PacingRate(/*bytes_in_flight=*/0), 0.01f);
+  }
+}
+
+TEST_F(BbrSenderTest, RecalculatePacingRateOnCwndChange0RTT) {
+  CreateDefaultSetup();
+  // Initial RTT is available.
+  const_cast<RttStats*>(rtt_stats_)->set_initial_rtt(kTestRtt);
+
+  // Bootstrap cwnd.
+  bbr_sender_.connection()->AdjustNetworkParameters(
+      SendAlgorithmInterface::NetworkParams(kTestLinkBandwidth,
+                                            QuicTime::Delta::Zero(), false));
+  if (!GetQuicReloadableFlag(quic_bbr_donot_inject_bandwidth)) {
+    EXPECT_EQ(kTestLinkBandwidth, sender_->ExportDebugState().max_bandwidth);
+    EXPECT_EQ(kTestLinkBandwidth, sender_->BandwidthEstimate());
+  }
+  EXPECT_LT(kInitialCongestionWindowPackets * kDefaultTCPMSS,
+            sender_->ExportDebugState().congestion_window);
+  // No Rtt sample is available.
+  EXPECT_TRUE(sender_->ExportDebugState().min_rtt.IsZero());
+
+  if (GetQuicReloadableFlag(quic_bbr_fix_pacing_rate)) {
+    // Verify pacing rate is re-calculated based on the new cwnd and initial
+    // RTT.
+    EXPECT_APPROX_EQ(QuicBandwidth::FromBytesAndTimeDelta(
+                         sender_->ExportDebugState().congestion_window,
+                         rtt_stats_->initial_rtt()),
+                     sender_->PacingRate(/*bytes_in_flight=*/0), 0.01f);
+  } else {
+    // Pacing rate is still based on initial cwnd.
+    EXPECT_APPROX_EQ(
+        2.885f * QuicBandwidth::FromBytesAndTimeDelta(
+                     kInitialCongestionWindowPackets * kDefaultTCPMSS,
+                     rtt_stats_->initial_rtt()),
+        sender_->PacingRate(/*bytes_in_flight=*/0), 0.01f);
+  }
+}
+
 }  // namespace test
 }  // namespace quic
diff --git a/chromium/net/third_party/quiche/src/quic/core/congestion_control/general_loss_algorithm.cc b/chromium/net/third_party/quiche/src/quic/core/congestion_control/general_loss_algorithm.cc
index 3502031a7c7..8798322eb76 100644
--- a/chromium/net/third_party/quiche/src/quic/core/congestion_control/general_loss_algorithm.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/congestion_control/general_loss_algorithm.cc
@@ -32,6 +32,7 @@ GeneralLossAlgorithm::GeneralLossAlgorithm(LossDetectionType loss_type)
     : loss_detection_timeout_(QuicTime::Zero()),
       reordering_threshold_(kNumberOfNacksBeforeRetransmission),
       use_adaptive_reordering_threshold_(false),
+      use_adaptive_time_threshold_(false),
       least_in_flight_(1),
       packet_number_space_(NUM_PACKET_NUMBER_SPACES) {
   SetLossDetectionType(loss_type);
@@ -39,7 +40,6 @@ GeneralLossAlgorithm::GeneralLossAlgorithm(LossDetectionType loss_type)
 
 void GeneralLossAlgorithm::SetLossDetectionType(LossDetectionType loss_type) {
   loss_detection_timeout_ = QuicTime::Zero();
-  largest_sent_on_spurious_retransmit_.Clear();
   loss_type_ = loss_type;
   if (loss_type == kAdaptiveTime) {
     reordering_shift_ = kDefaultAdaptiveLossDelayShift;
@@ -185,43 +185,14 @@ QuicTime GeneralLossAlgorithm::GetLossTimeout() const {
   return loss_detection_timeout_;
 }
 
-void GeneralLossAlgorithm::SpuriousRetransmitDetected(
-    const QuicUnackedPacketMap& unacked_packets,
-    QuicTime time,
-    const RttStats& rtt_stats,
-    QuicPacketNumber spurious_retransmission) {
-  if (loss_type_ != kAdaptiveTime || reordering_shift_ == 0) {
-    return;
-  }
-  // Calculate the extra time needed so this wouldn't have been declared lost.
-  // Extra time needed is based on how long it's been since the spurious
-  // retransmission was sent, because the SRTT and latest RTT may have changed.
-  QuicTime::Delta extra_time_needed =
-      time -
-      unacked_packets.GetTransmissionInfo(spurious_retransmission).sent_time;
-  // Increase the reordering fraction until enough time would be allowed.
-  QuicTime::Delta max_rtt =
-      std::max(rtt_stats.previous_srtt(), rtt_stats.latest_rtt());
-
-  if (largest_sent_on_spurious_retransmit_.IsInitialized() &&
-      spurious_retransmission <= largest_sent_on_spurious_retransmit_) {
-    return;
-  }
-  largest_sent_on_spurious_retransmit_ = unacked_packets.largest_sent_packet();
-  QuicTime::Delta proposed_extra_time(QuicTime::Delta::Zero());
-  do {
-    proposed_extra_time = max_rtt >> reordering_shift_;
-    --reordering_shift_;
-  } while (proposed_extra_time < extra_time_needed && reordering_shift_ > 0);
-}
-
 void GeneralLossAlgorithm::SpuriousLossDetected(
     const QuicUnackedPacketMap& unacked_packets,
     const RttStats& rtt_stats,
     QuicTime ack_receive_time,
     QuicPacketNumber packet_number,
     QuicPacketNumber previous_largest_acked) {
-  if (loss_type_ == kAdaptiveTime && reordering_shift_ > 0) {
+  if ((loss_type_ == kAdaptiveTime || use_adaptive_time_threshold_) &&
+      reordering_shift_ > 0) {
     // Increase reordering fraction such that the packet would not have been
     // declared lost.
     QuicTime::Delta time_needed =
diff --git a/chromium/net/third_party/quiche/src/quic/core/congestion_control/general_loss_algorithm.h b/chromium/net/third_party/quiche/src/quic/core/congestion_control/general_loss_algorithm.h
index c9da8370e20..fb85523c63e 100644
--- a/chromium/net/third_party/quiche/src/quic/core/congestion_control/general_loss_algorithm.h
+++ b/chromium/net/third_party/quiche/src/quic/core/congestion_control/general_loss_algorithm.h
@@ -47,13 +47,6 @@ class QUIC_EXPORT_PRIVATE GeneralLossAlgorithm : public LossDetectionInterface {
   // Returns a non-zero value when the early retransmit timer is active.
   QuicTime GetLossTimeout() const override;
 
-  // Increases the loss detection threshold for time loss detection.
-  void SpuriousRetransmitDetected(
-      const QuicUnackedPacketMap& unacked_packets,
-      QuicTime time,
-      const RttStats& rtt_stats,
-      QuicPacketNumber spurious_retransmission) override;
-
   // Called to increases time and/or packet threshold.
   void SpuriousLossDetected(const QuicUnackedPacketMap& unacked_packets,
                             const RttStats& rtt_stats,
@@ -77,11 +70,14 @@ class QUIC_EXPORT_PRIVATE GeneralLossAlgorithm : public LossDetectionInterface {
     use_adaptive_reordering_threshold_ = true;
   }
 
+  bool use_adaptive_time_threshold() const {
+    return use_adaptive_time_threshold_;
+  }
+
+  void enable_adaptive_time_threshold() { use_adaptive_time_threshold_ = true; }
+
  private:
   QuicTime loss_detection_timeout_;
-  // Largest sent packet when a spurious retransmit is detected.
-  // Prevents increasing the reordering threshold multiple times per epoch.
-  QuicPacketNumber largest_sent_on_spurious_retransmit_;
   LossDetectionType loss_type_;
   // Fraction of a max(SRTT, latest_rtt) to permit reordering before declaring
   // loss.  Fraction calculated by shifting max(SRTT, latest_rtt) to the right
@@ -91,6 +87,8 @@ class QUIC_EXPORT_PRIVATE GeneralLossAlgorithm : public LossDetectionInterface {
   QuicPacketCount reordering_threshold_;
   // If true, uses adaptive reordering threshold for loss detection.
   bool use_adaptive_reordering_threshold_;
+  // If true, uses adaptive time threshold for time based loss detection.
+  bool use_adaptive_time_threshold_;
   // The largest newly acked from the previous call to DetectLosses.
   QuicPacketNumber largest_previously_acked_;
   // The least in flight packet. Loss detection should start from this. Please
diff --git a/chromium/net/third_party/quiche/src/quic/core/congestion_control/general_loss_algorithm_test.cc b/chromium/net/third_party/quiche/src/quic/core/congestion_control/general_loss_algorithm_test.cc
index dba6d5b5484..aaf9c7c32bc 100644
--- a/chromium/net/third_party/quiche/src/quic/core/congestion_control/general_loss_algorithm_test.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/congestion_control/general_loss_algorithm_test.cc
@@ -41,16 +41,16 @@ class GeneralLossAlgorithmTest : public QuicTest {
                             PACKET_1BYTE_PACKET_NUMBER, nullptr, kDefaultLength,
                             false, false);
     packet.retransmittable_frames.push_back(QuicFrame(frame));
-    unacked_packets_.AddSentPacket(&packet, QuicPacketNumber(),
-                                   NOT_RETRANSMISSION, clock_.Now(), true);
+    unacked_packets_.AddSentPacket(&packet, NOT_RETRANSMISSION, clock_.Now(),
+                                   true);
   }
 
   void SendAckPacket(uint64_t packet_number) {
     SerializedPacket packet(QuicPacketNumber(packet_number),
                             PACKET_1BYTE_PACKET_NUMBER, nullptr, kDefaultLength,
                             true, false);
-    unacked_packets_.AddSentPacket(&packet, QuicPacketNumber(),
-                                   NOT_RETRANSMISSION, clock_.Now(), false);
+    unacked_packets_.AddSentPacket(&packet, NOT_RETRANSMISSION, clock_.Now(),
+                                   false);
   }
 
   void VerifyLosses(uint64_t largest_newly_acked,
@@ -514,21 +514,51 @@ TEST_F(GeneralLossAlgorithmTest, IncreaseThresholdUponSpuriousLoss) {
   // Advance the time 1/4 RTT and indicate the loss was spurious.
   // The new threshold should be 1/2 RTT.
   clock_.AdvanceTime(rtt_stats_.smoothed_rtt() * (1.0f / 4));
-  if (GetQuicReloadableFlag(quic_detect_spurious_loss)) {
-    loss_algorithm_.SpuriousLossDetected(unacked_packets_, rtt_stats_,
-                                         clock_.Now(), QuicPacketNumber(1),
-                                         QuicPacketNumber(2));
-    EXPECT_EQ(1, loss_algorithm_.reordering_shift());
-    return;
-  }
-  loss_algorithm_.SpuriousRetransmitDetected(unacked_packets_, clock_.Now(),
-                                             rtt_stats_, QuicPacketNumber(11));
+  loss_algorithm_.SpuriousLossDetected(unacked_packets_, rtt_stats_,
+                                       clock_.Now(), QuicPacketNumber(1),
+                                       QuicPacketNumber(2));
   EXPECT_EQ(1, loss_algorithm_.reordering_shift());
+}
+
+TEST_F(GeneralLossAlgorithmTest, IncreaseTimeThresholdUponSpuriousLoss) {
+  loss_algorithm_.SetLossDetectionType(kIetfLossDetection);
+  loss_algorithm_.enable_adaptive_time_threshold();
+  loss_algorithm_.set_reordering_shift(kDefaultLossDelayShift);
+  EXPECT_EQ(kDefaultLossDelayShift, loss_algorithm_.reordering_shift());
+  EXPECT_TRUE(loss_algorithm_.use_adaptive_time_threshold());
+  const size_t kNumSentPackets = 10;
+  // Transmit 2 packets at 1/10th an RTT interval.
+  for (size_t i = 1; i <= kNumSentPackets; ++i) {
+    SendDataPacket(i);
+    clock_.AdvanceTime(0.1 * rtt_stats_.smoothed_rtt());
+  }
+  EXPECT_EQ(QuicTime::Zero() + rtt_stats_.smoothed_rtt(), clock_.Now());
+  AckedPacketVector packets_acked;
+  // Expect the timer to not be set.
+  EXPECT_EQ(QuicTime::Zero(), loss_algorithm_.GetLossTimeout());
+  // Packet 1 should not be lost until 1/4 RTTs pass.
+  unacked_packets_.RemoveFromInFlight(QuicPacketNumber(2));
+  packets_acked.push_back(AckedPacket(
+      QuicPacketNumber(2), kMaxOutgoingPacketSize, QuicTime::Zero()));
+  VerifyLosses(2, packets_acked, std::vector<uint64_t>{});
+  packets_acked.clear();
+  // Expect the timer to be set to 1/4 RTT's in the future.
+  EXPECT_EQ(rtt_stats_.smoothed_rtt() * (1.0f / 4),
+            loss_algorithm_.GetLossTimeout() - clock_.Now());
+  VerifyLosses(2, packets_acked, std::vector<uint64_t>{});
+  clock_.AdvanceTime(rtt_stats_.smoothed_rtt() * (1.0f / 4));
+  VerifyLosses(2, packets_acked, {1});
+  EXPECT_EQ(QuicTime::Zero(), loss_algorithm_.GetLossTimeout());
+  // Retransmit packet 1 as 11 and 2 as 12.
+  SendDataPacket(11);
+  SendDataPacket(12);
 
-  // Detect another spurious retransmit and ensure the threshold doesn't
-  // increase again.
-  loss_algorithm_.SpuriousRetransmitDetected(unacked_packets_, clock_.Now(),
-                                             rtt_stats_, QuicPacketNumber(12));
+  // Advance the time 1/4 RTT and indicate the loss was spurious.
+  // The new threshold should be 1/2 RTT.
+  clock_.AdvanceTime(rtt_stats_.smoothed_rtt() * (1.0f / 4));
+  loss_algorithm_.SpuriousLossDetected(unacked_packets_, rtt_stats_,
+                                       clock_.Now(), QuicPacketNumber(1),
+                                       QuicPacketNumber(2));
   EXPECT_EQ(1, loss_algorithm_.reordering_shift());
 }
 
diff --git a/chromium/net/third_party/quiche/src/quic/core/congestion_control/loss_detection_interface.h b/chromium/net/third_party/quiche/src/quic/core/congestion_control/loss_detection_interface.h
index f6867853dab..af9c1962656 100644
--- a/chromium/net/third_party/quiche/src/quic/core/congestion_control/loss_detection_interface.h
+++ b/chromium/net/third_party/quiche/src/quic/core/congestion_control/loss_detection_interface.h
@@ -35,16 +35,6 @@ class QUIC_EXPORT_PRIVATE LossDetectionInterface {
   // Returns QuicTime::Zero if no alarm needs to be set.
   virtual QuicTime GetLossTimeout() const = 0;
 
-  // Called when a |spurious_retransmission| is detected.  The original
-  // transmission must have been caused by DetectLosses.
-  // TODO(fayang): Remove this method when deprecating
-  // quic_detect_spurious_loss.
-  virtual void SpuriousRetransmitDetected(
-      const QuicUnackedPacketMap& unacked_packets,
-      QuicTime time,
-      const RttStats& rtt_stats,
-      QuicPacketNumber spurious_retransmission) = 0;
-
   // Called when |packet_number| was detected lost but gets acked later.
   virtual void SpuriousLossDetected(
       const QuicUnackedPacketMap& unacked_packets,
diff --git a/chromium/net/third_party/quiche/src/quic/core/congestion_control/rtt_stats.h b/chromium/net/third_party/quiche/src/quic/core/congestion_control/rtt_stats.h
index 997faa402e8..1c0466a424f 100644
--- a/chromium/net/third_party/quiche/src/quic/core/congestion_control/rtt_stats.h
+++ b/chromium/net/third_party/quiche/src/quic/core/congestion_control/rtt_stats.h
@@ -73,11 +73,6 @@ class QUIC_EXPORT_PRIVATE RttStats {
 
   QuicTime::Delta mean_deviation() const { return mean_deviation_; }
 
-  QuicTime::Delta max_ack_delay() const {
-    DCHECK(!GetQuicReloadableFlag(quic_sent_packet_manager_cleanup));
-    return max_ack_delay_;
-  }
-
   QuicTime last_update_time() const { return last_update_time_; }
 
   bool ignore_max_ack_delay() const { return ignore_max_ack_delay_; }
diff --git a/chromium/net/third_party/quiche/src/quic/core/congestion_control/rtt_stats_test.cc b/chromium/net/third_party/quiche/src/quic/core/congestion_control/rtt_stats_test.cc
index 4d259d3b248..be5f4d679f0 100644
--- a/chromium/net/third_party/quiche/src/quic/core/congestion_control/rtt_stats_test.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/congestion_control/rtt_stats_test.cc
@@ -35,28 +35,17 @@ TEST_F(RttStatsTest, SmoothedRtt) {
                        QuicTime::Zero());
   EXPECT_EQ(QuicTime::Delta::FromMilliseconds(300), rtt_stats_.latest_rtt());
   EXPECT_EQ(QuicTime::Delta::FromMilliseconds(300), rtt_stats_.smoothed_rtt());
-  if (!GetQuicReloadableFlag(quic_sent_packet_manager_cleanup)) {
-    EXPECT_EQ(QuicTime::Delta::Zero(), rtt_stats_.max_ack_delay());
-  }
   // Verify that a plausible ack delay increases the max ack delay.
   rtt_stats_.UpdateRtt(QuicTime::Delta::FromMilliseconds(400),
                        QuicTime::Delta::FromMilliseconds(100),
                        QuicTime::Zero());
   EXPECT_EQ(QuicTime::Delta::FromMilliseconds(300), rtt_stats_.latest_rtt());
   EXPECT_EQ(QuicTime::Delta::FromMilliseconds(300), rtt_stats_.smoothed_rtt());
-  if (!GetQuicReloadableFlag(quic_sent_packet_manager_cleanup)) {
-    EXPECT_EQ(QuicTime::Delta::FromMilliseconds(100),
-              rtt_stats_.max_ack_delay());
-  }
   // Verify that Smoothed RTT includes max ack delay if it's reasonable.
   rtt_stats_.UpdateRtt(QuicTime::Delta::FromMilliseconds(350),
                        QuicTime::Delta::FromMilliseconds(50), QuicTime::Zero());
   EXPECT_EQ(QuicTime::Delta::FromMilliseconds(300), rtt_stats_.latest_rtt());
   EXPECT_EQ(QuicTime::Delta::FromMilliseconds(300), rtt_stats_.smoothed_rtt());
-  if (!GetQuicReloadableFlag(quic_sent_packet_manager_cleanup)) {
-    EXPECT_EQ(QuicTime::Delta::FromMilliseconds(100),
-              rtt_stats_.max_ack_delay());
-  }
   // Verify that large erroneous ack_delay does not change Smoothed RTT.
   rtt_stats_.UpdateRtt(QuicTime::Delta::FromMilliseconds(200),
                        QuicTime::Delta::FromMilliseconds(300),
@@ -64,10 +53,6 @@ TEST_F(RttStatsTest, SmoothedRtt) {
   EXPECT_EQ(QuicTime::Delta::FromMilliseconds(200), rtt_stats_.latest_rtt());
   EXPECT_EQ(QuicTime::Delta::FromMicroseconds(287500),
             rtt_stats_.smoothed_rtt());
-  if (!GetQuicReloadableFlag(quic_sent_packet_manager_cleanup)) {
-    EXPECT_EQ(QuicTime::Delta::FromMilliseconds(100),
-              rtt_stats_.max_ack_delay());
-  }
 }
 
 TEST_F(RttStatsTest, SmoothedRttIgnoreAckDelay) {
@@ -78,18 +63,12 @@ TEST_F(RttStatsTest, SmoothedRttIgnoreAckDelay) {
                        QuicTime::Zero());
   EXPECT_EQ(QuicTime::Delta::FromMilliseconds(300), rtt_stats_.latest_rtt());
   EXPECT_EQ(QuicTime::Delta::FromMilliseconds(300), rtt_stats_.smoothed_rtt());
-  if (!GetQuicReloadableFlag(quic_sent_packet_manager_cleanup)) {
-    EXPECT_EQ(QuicTime::Delta::Zero(), rtt_stats_.max_ack_delay());
-  }
   // Verify that a plausible ack delay increases the max ack delay.
   rtt_stats_.UpdateRtt(QuicTime::Delta::FromMilliseconds(300),
                        QuicTime::Delta::FromMilliseconds(100),
                        QuicTime::Zero());
   EXPECT_EQ(QuicTime::Delta::FromMilliseconds(300), rtt_stats_.latest_rtt());
   EXPECT_EQ(QuicTime::Delta::FromMilliseconds(300), rtt_stats_.smoothed_rtt());
-  if (!GetQuicReloadableFlag(quic_sent_packet_manager_cleanup)) {
-    EXPECT_EQ(QuicTime::Delta::Zero(), rtt_stats_.max_ack_delay());
-  }
   // Verify that Smoothed RTT includes max ack delay if it's reasonable.
   rtt_stats_.UpdateRtt(QuicTime::Delta::FromMilliseconds(300),
                        QuicTime::Delta::FromMilliseconds(50), QuicTime::Zero());
@@ -102,9 +81,6 @@ TEST_F(RttStatsTest, SmoothedRttIgnoreAckDelay) {
   EXPECT_EQ(QuicTime::Delta::FromMilliseconds(200), rtt_stats_.latest_rtt());
   EXPECT_EQ(QuicTime::Delta::FromMicroseconds(287500),
             rtt_stats_.smoothed_rtt());
-  if (!GetQuicReloadableFlag(quic_sent_packet_manager_cleanup)) {
-    EXPECT_EQ(QuicTime::Delta::Zero(), rtt_stats_.max_ack_delay());
-  }
 }
 
 // Ensure that the potential rounding artifacts in EWMA calculation do not cause
@@ -225,9 +201,6 @@ TEST_F(RttStatsTest, ResetAfterConnectionMigrations) {
   EXPECT_EQ(QuicTime::Delta::FromMilliseconds(200), rtt_stats_.latest_rtt());
   EXPECT_EQ(QuicTime::Delta::FromMilliseconds(200), rtt_stats_.smoothed_rtt());
   EXPECT_EQ(QuicTime::Delta::FromMilliseconds(200), rtt_stats_.min_rtt());
-  if (!GetQuicReloadableFlag(quic_sent_packet_manager_cleanup)) {
-    EXPECT_EQ(QuicTime::Delta::FromMilliseconds(0), rtt_stats_.max_ack_delay());
-  }
 
   rtt_stats_.UpdateRtt(QuicTime::Delta::FromMilliseconds(300),
                        QuicTime::Delta::FromMilliseconds(100),
@@ -235,19 +208,12 @@ TEST_F(RttStatsTest, ResetAfterConnectionMigrations) {
   EXPECT_EQ(QuicTime::Delta::FromMilliseconds(200), rtt_stats_.latest_rtt());
   EXPECT_EQ(QuicTime::Delta::FromMilliseconds(200), rtt_stats_.smoothed_rtt());
   EXPECT_EQ(QuicTime::Delta::FromMilliseconds(200), rtt_stats_.min_rtt());
-  if (!GetQuicReloadableFlag(quic_sent_packet_manager_cleanup)) {
-    EXPECT_EQ(QuicTime::Delta::FromMilliseconds(100),
-              rtt_stats_.max_ack_delay());
-  }
 
   // Reset rtt stats on connection migrations.
   rtt_stats_.OnConnectionMigration();
   EXPECT_EQ(QuicTime::Delta::Zero(), rtt_stats_.latest_rtt());
   EXPECT_EQ(QuicTime::Delta::Zero(), rtt_stats_.smoothed_rtt());
   EXPECT_EQ(QuicTime::Delta::Zero(), rtt_stats_.min_rtt());
-  if (!GetQuicReloadableFlag(quic_sent_packet_manager_cleanup)) {
-    EXPECT_EQ(QuicTime::Delta::Zero(), rtt_stats_.max_ack_delay());
-  }
 }
 
 }  // namespace test
diff --git a/chromium/net/third_party/quiche/src/quic/core/congestion_control/send_algorithm_interface.cc b/chromium/net/third_party/quiche/src/quic/core/congestion_control/send_algorithm_interface.cc
index b641eb4bb3d..83529c6e76c 100644
--- a/chromium/net/third_party/quiche/src/quic/core/congestion_control/send_algorithm_interface.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/congestion_control/send_algorithm_interface.cc
@@ -27,7 +27,8 @@ SendAlgorithmInterface* SendAlgorithmInterface::Create(
     QuicRandom* random,
     QuicConnectionStats* stats,
     QuicPacketCount initial_congestion_window) {
-  QuicPacketCount max_congestion_window = kDefaultMaxCongestionWindowPackets;
+  QuicPacketCount max_congestion_window =
+      GetQuicFlag(FLAGS_quic_max_congestion_window);
   switch (congestion_control_type) {
     case kGoogCC:  // GoogCC is not supported by quic/core, fall back to BBR.
     case kBBR:
diff --git a/chromium/net/third_party/quiche/src/quic/core/congestion_control/send_algorithm_interface.h b/chromium/net/third_party/quiche/src/quic/core/congestion_control/send_algorithm_interface.h
index dab8fc294a7..628e0d62e0c 100644
--- a/chromium/net/third_party/quiche/src/quic/core/congestion_control/send_algorithm_interface.h
+++ b/chromium/net/third_party/quiche/src/quic/core/congestion_control/send_algorithm_interface.h
@@ -29,10 +29,42 @@ typedef uint64_t QuicRoundTripCount;
 class CachedNetworkParameters;
 class RttStats;
 
-const QuicPacketCount kDefaultMaxCongestionWindowPackets = 2000;
-
 class QUIC_EXPORT_PRIVATE SendAlgorithmInterface {
  public:
+  // Network Params for AdjustNetworkParameters.
+  struct QUIC_NO_EXPORT NetworkParams {
+    NetworkParams()
+        : NetworkParams(QuicBandwidth::Zero(), QuicTime::Delta::Zero(), false) {
+    }
+    NetworkParams(const QuicBandwidth& bandwidth,
+                  const QuicTime::Delta& rtt,
+                  bool allow_cwnd_to_decrease)
+        : bandwidth(bandwidth),
+          rtt(rtt),
+          allow_cwnd_to_decrease(allow_cwnd_to_decrease),
+          quic_fix_bbr_cwnd_in_bandwidth_resumption(
+              GetQuicReloadableFlag(quic_fix_bbr_cwnd_in_bandwidth_resumption)),
+          quic_bbr_fix_pacing_rate(
+              GetQuicReloadableFlag(quic_bbr_fix_pacing_rate)) {}
+
+    bool operator==(const NetworkParams& other) const {
+      return bandwidth == other.bandwidth && rtt == other.rtt &&
+             allow_cwnd_to_decrease == other.allow_cwnd_to_decrease &&
+             quic_fix_bbr_cwnd_in_bandwidth_resumption ==
+                 other.quic_fix_bbr_cwnd_in_bandwidth_resumption &&
+             quic_bbr_fix_pacing_rate == other.quic_bbr_fix_pacing_rate;
+    }
+
+    QuicBandwidth bandwidth;
+    QuicTime::Delta rtt;
+    bool allow_cwnd_to_decrease;
+    // Code changes that are controlled by flags.
+    // TODO(b/131899599): Remove when impact of fix is measured.
+    bool quic_fix_bbr_cwnd_in_bandwidth_resumption;
+    // TODO(b/143540157): Remove when impact of fix is measured.
+    bool quic_bbr_fix_pacing_rate;
+  };
+
   static SendAlgorithmInterface* Create(
       const QuicClock* clock,
       const RttStats* rtt_stats,
@@ -117,9 +149,7 @@ class QUIC_EXPORT_PRIVATE SendAlgorithmInterface {
   // Notifies the congestion control algorithm of an external network
   // measurement or prediction.  Either |bandwidth| or |rtt| may be zero if no
   // sample is available.
-  virtual void AdjustNetworkParameters(QuicBandwidth bandwidth,
-                                       QuicTime::Delta rtt,
-                                       bool allow_cwnd_to_decrease) = 0;
+  virtual void AdjustNetworkParameters(const NetworkParams& params) = 0;
 
   // Retrieves debugging information about the current state of the
   // send algorithm.
@@ -138,6 +168,9 @@ class QUIC_EXPORT_PRIVATE SendAlgorithmInterface {
   // such cases, it should use the internal state it uses for congestion control
   // for that.
   virtual void OnApplicationLimited(QuicByteCount bytes_in_flight) = 0;
+
+  // Called before connection close to collect stats.
+  virtual void PopulateConnectionStats(QuicConnectionStats* stats) const = 0;
 };
 
 }  // namespace quic
diff --git a/chromium/net/third_party/quiche/src/quic/core/congestion_control/tcp_cubic_sender_bytes.cc b/chromium/net/third_party/quiche/src/quic/core/congestion_control/tcp_cubic_sender_bytes.cc
index 28f284e4ce0..cf400e5a1cc 100644
--- a/chromium/net/third_party/quiche/src/quic/core/congestion_control/tcp_cubic_sender_bytes.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/congestion_control/tcp_cubic_sender_bytes.cc
@@ -105,15 +105,11 @@ void TcpCubicSenderBytes::SetFromConfig(const QuicConfig& config,
   }
 }
 
-void TcpCubicSenderBytes::AdjustNetworkParameters(
-    QuicBandwidth bandwidth,
-    QuicTime::Delta rtt,
-    bool /*allow_cwnd_to_decrease*/) {
-  if (bandwidth.IsZero() || rtt.IsZero()) {
+void TcpCubicSenderBytes::AdjustNetworkParameters(const NetworkParams& params) {
+  if (params.bandwidth.IsZero() || params.rtt.IsZero()) {
     return;
   }
-
-  SetCongestionWindowFromBandwidthAndRtt(bandwidth, rtt);
+  SetCongestionWindowFromBandwidthAndRtt(params.bandwidth, params.rtt);
 }
 
 float TcpCubicSenderBytes::RenoBeta() const {
diff --git a/chromium/net/third_party/quiche/src/quic/core/congestion_control/tcp_cubic_sender_bytes.h b/chromium/net/third_party/quiche/src/quic/core/congestion_control/tcp_cubic_sender_bytes.h
index 50f7981b81e..9144b8a5913 100644
--- a/chromium/net/third_party/quiche/src/quic/core/congestion_control/tcp_cubic_sender_bytes.h
+++ b/chromium/net/third_party/quiche/src/quic/core/congestion_control/tcp_cubic_sender_bytes.h
@@ -46,9 +46,7 @@ class QUIC_EXPORT_PRIVATE TcpCubicSenderBytes : public SendAlgorithmInterface {
   // Start implementation of SendAlgorithmInterface.
   void SetFromConfig(const QuicConfig& config,
                      Perspective perspective) override;
-  void AdjustNetworkParameters(QuicBandwidth bandwidth,
-                               QuicTime::Delta rtt,
-                               bool allow_cwnd_to_decrease) override;
+  void AdjustNetworkParameters(const NetworkParams& params) override;
   void SetNumEmulatedConnections(int num_connections);
   void SetInitialCongestionWindowInPackets(
       QuicPacketCount congestion_window) override;
@@ -75,6 +73,7 @@ class QUIC_EXPORT_PRIVATE TcpCubicSenderBytes : public SendAlgorithmInterface {
   bool ShouldSendProbingPacket() const override;
   std::string GetDebugState() const override;
   void OnApplicationLimited(QuicByteCount bytes_in_flight) override;
+  void PopulateConnectionStats(QuicConnectionStats* /*stats*/) const override {}
   // End implementation of SendAlgorithmInterface.
 
   QuicByteCount min_congestion_window() const { return min_congestion_window_; }
diff --git a/chromium/net/third_party/quiche/src/quic/core/congestion_control/tcp_cubic_sender_bytes_test.cc b/chromium/net/third_party/quiche/src/quic/core/congestion_control/tcp_cubic_sender_bytes_test.cc
index 4c51742cd3e..04c0e8a41ec 100644
--- a/chromium/net/third_party/quiche/src/quic/core/congestion_control/tcp_cubic_sender_bytes_test.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/congestion_control/tcp_cubic_sender_bytes_test.cc
@@ -677,20 +677,29 @@ TEST_F(TcpCubicSenderBytesTest, BandwidthResumption) {
   const QuicBandwidth kBandwidthEstimate =
       QuicBandwidth::FromBytesPerSecond(kNumberOfPackets * kDefaultTCPMSS);
   const QuicTime::Delta kRttEstimate = QuicTime::Delta::FromSeconds(1);
-  sender_->AdjustNetworkParameters(kBandwidthEstimate, kRttEstimate, false);
+
+  SendAlgorithmInterface::NetworkParams network_param;
+  network_param.bandwidth = kBandwidthEstimate;
+  network_param.rtt = kRttEstimate;
+  sender_->AdjustNetworkParameters(network_param);
   EXPECT_EQ(kNumberOfPackets * kDefaultTCPMSS, sender_->GetCongestionWindow());
 
   // Resume with an illegal value of 0 and verify the server ignores it.
-  sender_->AdjustNetworkParameters(QuicBandwidth::Zero(), kRttEstimate, false);
+  SendAlgorithmInterface::NetworkParams network_param_no_bandwidth;
+  network_param_no_bandwidth.bandwidth = QuicBandwidth::Zero();
+  network_param_no_bandwidth.rtt = kRttEstimate;
+  sender_->AdjustNetworkParameters(network_param_no_bandwidth);
   EXPECT_EQ(kNumberOfPackets * kDefaultTCPMSS, sender_->GetCongestionWindow());
 
   // Resumed CWND is limited to be in a sensible range.
   const QuicBandwidth kUnreasonableBandwidth =
-      QuicBandwidth::FromBytesPerSecond((kMaxCongestionWindowPackets + 1) *
+      QuicBandwidth::FromBytesPerSecond((kMaxResumptionCongestionWindow + 1) *
                                         kDefaultTCPMSS);
-  sender_->AdjustNetworkParameters(kUnreasonableBandwidth,
-                                   QuicTime::Delta::FromSeconds(1), false);
-  EXPECT_EQ(kMaxCongestionWindowPackets * kDefaultTCPMSS,
+  SendAlgorithmInterface::NetworkParams network_param_large_bandwidth;
+  network_param_large_bandwidth.bandwidth = kUnreasonableBandwidth;
+  network_param_large_bandwidth.rtt = QuicTime::Delta::FromSeconds(1);
+  sender_->AdjustNetworkParameters(network_param_large_bandwidth);
+  EXPECT_EQ(kMaxResumptionCongestionWindow * kDefaultTCPMSS,
             sender_->GetCongestionWindow());
 }
 
@@ -781,14 +790,16 @@ TEST_F(TcpCubicSenderBytesTest, DefaultMaxCwnd) {
 
   AckedPacketVector acked_packets;
   LostPacketVector missing_packets;
-  for (uint64_t i = 1; i < kDefaultMaxCongestionWindowPackets; ++i) {
+  QuicPacketCount max_congestion_window =
+      GetQuicFlag(FLAGS_quic_max_congestion_window);
+  for (uint64_t i = 1; i < max_congestion_window; ++i) {
     acked_packets.clear();
     acked_packets.push_back(
         AckedPacket(QuicPacketNumber(i), 1350, QuicTime::Zero()));
     sender->OnCongestionEvent(true, sender->GetCongestionWindow(), clock_.Now(),
                               acked_packets, missing_packets);
   }
-  EXPECT_EQ(kDefaultMaxCongestionWindowPackets,
+  EXPECT_EQ(max_congestion_window,
             sender->GetCongestionWindow() / kDefaultTCPMSS);
 }
 
diff --git a/chromium/net/third_party/quiche/src/quic/core/congestion_control/uber_loss_algorithm.cc b/chromium/net/third_party/quiche/src/quic/core/congestion_control/uber_loss_algorithm.cc
index 3b669e23e25..4e7f07b3b10 100644
--- a/chromium/net/third_party/quiche/src/quic/core/congestion_control/uber_loss_algorithm.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/congestion_control/uber_loss_algorithm.cc
@@ -70,17 +70,6 @@ QuicTime UberLossAlgorithm::GetLossTimeout() const {
   return loss_timeout;
 }
 
-void UberLossAlgorithm::SpuriousRetransmitDetected(
-    const QuicUnackedPacketMap& unacked_packets,
-    QuicTime time,
-    const RttStats& rtt_stats,
-    QuicPacketNumber spurious_retransmission) {
-  general_loss_algorithms_[unacked_packets.GetPacketNumberSpace(
-                               spurious_retransmission)]
-      .SpuriousRetransmitDetected(unacked_packets, time, rtt_stats,
-                                  spurious_retransmission);
-}
-
 void UberLossAlgorithm::SpuriousLossDetected(
     const QuicUnackedPacketMap& unacked_packets,
     const RttStats& rtt_stats,
@@ -104,4 +93,10 @@ void UberLossAlgorithm::EnableAdaptiveReorderingThreshold() {
   }
 }
 
+void UberLossAlgorithm::EnableAdaptiveTimeThreshold() {
+  for (int8_t i = INITIAL_DATA; i < NUM_PACKET_NUMBER_SPACES; ++i) {
+    general_loss_algorithms_[i].enable_adaptive_time_threshold();
+  }
+}
+
 }  // namespace quic
diff --git a/chromium/net/third_party/quiche/src/quic/core/congestion_control/uber_loss_algorithm.h b/chromium/net/third_party/quiche/src/quic/core/congestion_control/uber_loss_algorithm.h
index 0d2b788ea96..f922bba1abf 100644
--- a/chromium/net/third_party/quiche/src/quic/core/congestion_control/uber_loss_algorithm.h
+++ b/chromium/net/third_party/quiche/src/quic/core/congestion_control/uber_loss_algorithm.h
@@ -41,13 +41,6 @@ class QUIC_EXPORT_PRIVATE UberLossAlgorithm : public LossDetectionInterface {
   // Returns the earliest time the early retransmit timer should be active.
   QuicTime GetLossTimeout() const override;
 
-  // Increases the loss detection threshold for time loss detection.
-  void SpuriousRetransmitDetected(
-      const QuicUnackedPacketMap& unacked_packets,
-      QuicTime time,
-      const RttStats& rtt_stats,
-      QuicPacketNumber spurious_retransmission) override;
-
   // Called to increases time or packet threshold.
   void SpuriousLossDetected(const QuicUnackedPacketMap& unacked_packets,
                             const RttStats& rtt_stats,
@@ -61,6 +54,9 @@ class QUIC_EXPORT_PRIVATE UberLossAlgorithm : public LossDetectionInterface {
   // Enable adaptive reordering threshold of all packet number spaces.
   void EnableAdaptiveReorderingThreshold();
 
+  // Enable adaptive time threshold of all packet number spaces.
+  void EnableAdaptiveTimeThreshold();
+
  private:
   friend class test::QuicSentPacketManagerPeer;
 
diff --git a/chromium/net/third_party/quiche/src/quic/core/congestion_control/uber_loss_algorithm_test.cc b/chromium/net/third_party/quiche/src/quic/core/congestion_control/uber_loss_algorithm_test.cc
index 8d69c136c0a..79d0ff76867 100644
--- a/chromium/net/third_party/quiche/src/quic/core/congestion_control/uber_loss_algorithm_test.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/congestion_control/uber_loss_algorithm_test.cc
@@ -48,8 +48,8 @@ class UberLossAlgorithmTest : public QuicTest {
                             false, false);
     packet.encryption_level = encryption_level;
     packet.retransmittable_frames.push_back(QuicFrame(frame));
-    unacked_packets_->AddSentPacket(&packet, QuicPacketNumber(),
-                                    NOT_RETRANSMISSION, clock_.Now(), true);
+    unacked_packets_->AddSentPacket(&packet, NOT_RETRANSMISSION, clock_.Now(),
+                                    true);
   }
 
   void AckPackets(const std::vector<uint64_t>& packets_acked) {
diff --git a/chromium/net/third_party/quiche/src/quic/core/congestion_control/windowed_filter.h b/chromium/net/third_party/quiche/src/quic/core/congestion_control/windowed_filter.h
index 8729895d9e0..4176d730536 100644
--- a/chromium/net/third_party/quiche/src/quic/core/congestion_control/windowed_filter.h
+++ b/chromium/net/third_party/quiche/src/quic/core/congestion_control/windowed_filter.h
@@ -38,14 +38,14 @@ namespace quic {
 // Compares two values and returns true if the first is less than or equal
 // to the second.
 template <class T>
-struct MinFilter {
+struct QUIC_EXPORT_PRIVATE MinFilter {
   bool operator()(const T& lhs, const T& rhs) const { return lhs <= rhs; }
 };
 
 // Compares two values and returns true if the first is greater than or equal
 // to the second.
 template <class T>
-struct MaxFilter {
+struct QUIC_EXPORT_PRIVATE MaxFilter {
   bool operator()(const T& lhs, const T& rhs) const { return lhs >= rhs; }
 };
 
@@ -63,7 +63,7 @@ struct MaxFilter {
 //    two timestamps.  Has to be the type of (a - b) if both |a| and |b| are
 //    of type TimeT.
 template <class T, class Compare, typename TimeT, typename TimeDeltaT>
-class WindowedFilter {
+class QUIC_EXPORT_PRIVATE WindowedFilter {
  public:
   // |window_length| is the period after which a best estimate expires.
   // |zero_value| is used as the uninitialized value for objects of T.
@@ -143,7 +143,7 @@ class WindowedFilter {
   T GetThirdBest() const { return estimates_[2].sample; }
 
  private:
-  struct Sample {
+  struct QUIC_EXPORT_PRIVATE Sample {
     T sample;
     TimeT time;
     Sample(T init_sample, TimeT init_time)
diff --git a/chromium/net/third_party/quiche/src/quic/core/crypto/aead_base_encrypter.cc b/chromium/net/third_party/quiche/src/quic/core/crypto/aead_base_encrypter.cc
index 405292ea083..a3173f54456 100644
--- a/chromium/net/third_party/quiche/src/quic/core/crypto/aead_base_encrypter.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/crypto/aead_base_encrypter.cc
@@ -168,7 +168,7 @@ size_t AeadBaseEncrypter::GetIVSize() const {
 }
 
 size_t AeadBaseEncrypter::GetMaxPlaintextSize(size_t ciphertext_size) const {
-  return ciphertext_size - auth_tag_size_;
+  return ciphertext_size - std::min(ciphertext_size, auth_tag_size_);
 }
 
 size_t AeadBaseEncrypter::GetCiphertextSize(size_t plaintext_size) const {
diff --git a/chromium/net/third_party/quiche/src/quic/core/crypto/aes_128_gcm_12_decrypter_test.cc b/chromium/net/third_party/quiche/src/quic/core/crypto/aes_128_gcm_12_decrypter_test.cc
index dd8a680ec32..9ce4bda19ba 100644
--- a/chromium/net/third_party/quiche/src/quic/core/crypto/aes_128_gcm_12_decrypter_test.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/crypto/aes_128_gcm_12_decrypter_test.cc
@@ -269,7 +269,7 @@ TEST_F(Aes128Gcm12DecrypterTest, Decrypt) {
                            // handle an AAD that is set to nullptr, as opposed
                            // to a zero-length, non-nullptr pointer.
                            aad.length() ? aad : QuicStringPiece(), ciphertext));
-      if (!decrypted.get()) {
+      if (!decrypted) {
         EXPECT_FALSE(has_pt);
         continue;
       }
diff --git a/chromium/net/third_party/quiche/src/quic/core/crypto/aes_128_gcm_12_encrypter_test.cc b/chromium/net/third_party/quiche/src/quic/core/crypto/aes_128_gcm_12_encrypter_test.cc
index 5ccc44da3c6..d529d5d60d4 100644
--- a/chromium/net/third_party/quiche/src/quic/core/crypto/aes_128_gcm_12_encrypter_test.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/crypto/aes_128_gcm_12_encrypter_test.cc
@@ -228,6 +228,7 @@ TEST_F(Aes128Gcm12EncrypterTest, GetMaxPlaintextSize) {
   EXPECT_EQ(1000u, encrypter.GetMaxPlaintextSize(1012));
   EXPECT_EQ(100u, encrypter.GetMaxPlaintextSize(112));
   EXPECT_EQ(10u, encrypter.GetMaxPlaintextSize(22));
+  EXPECT_EQ(0u, encrypter.GetMaxPlaintextSize(11));
 }
 
 TEST_F(Aes128Gcm12EncrypterTest, GetCiphertextSize) {
diff --git a/chromium/net/third_party/quiche/src/quic/core/crypto/aes_128_gcm_decrypter_test.cc b/chromium/net/third_party/quiche/src/quic/core/crypto/aes_128_gcm_decrypter_test.cc
index 54793f8c6e2..579f76d498d 100644
--- a/chromium/net/third_party/quiche/src/quic/core/crypto/aes_128_gcm_decrypter_test.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/crypto/aes_128_gcm_decrypter_test.cc
@@ -258,7 +258,7 @@ TEST_F(Aes128GcmDecrypterTest, Decrypt) {
                            // handle an AAD that is set to nullptr, as opposed
                            // to a zero-length, non-nullptr pointer.
                            aad.length() ? aad : QuicStringPiece(), ciphertext));
-      if (!decrypted.get()) {
+      if (!decrypted) {
         EXPECT_FALSE(has_pt);
         continue;
       }
diff --git a/chromium/net/third_party/quiche/src/quic/core/crypto/aes_256_gcm_decrypter_test.cc b/chromium/net/third_party/quiche/src/quic/core/crypto/aes_256_gcm_decrypter_test.cc
index 73a3b3deec4..b3d61c7798f 100644
--- a/chromium/net/third_party/quiche/src/quic/core/crypto/aes_256_gcm_decrypter_test.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/crypto/aes_256_gcm_decrypter_test.cc
@@ -262,7 +262,7 @@ TEST_F(Aes256GcmDecrypterTest, Decrypt) {
                            // handle an AAD that is set to nullptr, as opposed
                            // to a zero-length, non-nullptr pointer.
                            aad.length() ? aad : QuicStringPiece(), ciphertext));
-      if (!decrypted.get()) {
+      if (!decrypted) {
         EXPECT_FALSE(has_pt);
         continue;
       }
diff --git a/chromium/net/third_party/quiche/src/quic/core/crypto/chacha20_poly1305_decrypter_test.cc b/chromium/net/third_party/quiche/src/quic/core/crypto/chacha20_poly1305_decrypter_test.cc
index a9c4999683b..930af24a3b3 100644
--- a/chromium/net/third_party/quiche/src/quic/core/crypto/chacha20_poly1305_decrypter_test.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/crypto/chacha20_poly1305_decrypter_test.cc
@@ -159,7 +159,7 @@ TEST_F(ChaCha20Poly1305DecrypterTest, Decrypt) {
         // is set to nullptr, as opposed to a zero-length, non-nullptr pointer.
         QuicStringPiece(aad.length() ? aad.data() : nullptr, aad.length()),
         ct));
-    if (!decrypted.get()) {
+    if (!decrypted) {
       EXPECT_FALSE(has_pt);
       continue;
     }
diff --git a/chromium/net/third_party/quiche/src/quic/core/crypto/chacha20_poly1305_tls_decrypter_test.cc b/chromium/net/third_party/quiche/src/quic/core/crypto/chacha20_poly1305_tls_decrypter_test.cc
index ce4dea9f385..90052d60520 100644
--- a/chromium/net/third_party/quiche/src/quic/core/crypto/chacha20_poly1305_tls_decrypter_test.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/crypto/chacha20_poly1305_tls_decrypter_test.cc
@@ -154,7 +154,7 @@ TEST_F(ChaCha20Poly1305TlsDecrypterTest, Decrypt) {
         // is set to nullptr, as opposed to a zero-length, non-nullptr pointer.
         QuicStringPiece(aad.length() ? aad.data() : nullptr, aad.length()),
         ct));
-    if (!decrypted.get()) {
+    if (!decrypted) {
       EXPECT_FALSE(has_pt);
       continue;
     }
diff --git a/chromium/net/third_party/quiche/src/quic/core/crypto/chacha_base_decrypter.cc b/chromium/net/third_party/quiche/src/quic/core/crypto/chacha_base_decrypter.cc
index eb1e95fb98c..c67fd89d4ef 100644
--- a/chromium/net/third_party/quiche/src/quic/core/crypto/chacha_base_decrypter.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/crypto/chacha_base_decrypter.cc
@@ -10,6 +10,7 @@
 #include "net/third_party/quiche/src/quic/core/quic_data_reader.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_arraysize.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_bug_tracker.h"
+#include "net/third_party/quiche/src/common/platform/api/quiche_endian.h"
 
 namespace quic {
 
@@ -30,7 +31,7 @@ std::string ChaChaBaseDecrypter::GenerateHeaderProtectionMask(
   }
   const uint8_t* nonce = reinterpret_cast<const uint8_t*>(sample.data()) + 4;
   uint32_t counter;
-  QuicDataReader(sample.data(), 4, Endianness::HOST_BYTE_ORDER)
+  QuicDataReader(sample.data(), 4, quiche::HOST_BYTE_ORDER)
       .ReadUInt32(&counter);
   const uint8_t zeroes[] = {0, 0, 0, 0, 0};
   std::string out(QUIC_ARRAYSIZE(zeroes), 0);
diff --git a/chromium/net/third_party/quiche/src/quic/core/crypto/chacha_base_encrypter.cc b/chromium/net/third_party/quiche/src/quic/core/crypto/chacha_base_encrypter.cc
index 04d902f4b4c..9c465a944c9 100644
--- a/chromium/net/third_party/quiche/src/quic/core/crypto/chacha_base_encrypter.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/crypto/chacha_base_encrypter.cc
@@ -8,6 +8,7 @@
 #include "net/third_party/quiche/src/quic/core/quic_data_reader.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_arraysize.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_bug_tracker.h"
+#include "net/third_party/quiche/src/common/platform/api/quiche_endian.h"
 
 namespace quic {
 
@@ -27,7 +28,7 @@ std::string ChaChaBaseEncrypter::GenerateHeaderProtectionMask(
   }
   const uint8_t* nonce = reinterpret_cast<const uint8_t*>(sample.data()) + 4;
   uint32_t counter;
-  QuicDataReader(sample.data(), 4, Endianness::HOST_BYTE_ORDER)
+  QuicDataReader(sample.data(), 4, quiche::HOST_BYTE_ORDER)
       .ReadUInt32(&counter);
   const uint8_t zeroes[] = {0, 0, 0, 0, 0};
   std::string out(QUIC_ARRAYSIZE(zeroes), 0);
diff --git a/chromium/net/third_party/quiche/src/quic/core/crypto/crypto_framer.cc b/chromium/net/third_party/quiche/src/quic/core/crypto/crypto_framer.cc
index 6feaa8a0e9d..c3dd2aa142b 100644
--- a/chromium/net/third_party/quiche/src/quic/core/crypto/crypto_framer.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/crypto/crypto_framer.cc
@@ -15,6 +15,7 @@
 #include "net/third_party/quiche/src/quic/platform/api/quic_logging.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_str_cat.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_string_piece.h"
+#include "net/third_party/quiche/src/common/platform/api/quiche_endian.h"
 
 namespace quic {
 
@@ -117,7 +118,8 @@ bool CryptoFramer::HasTag(QuicTag tag) const {
 }
 
 void CryptoFramer::ForceHandshake() {
-  QuicDataReader reader(buffer_.data(), buffer_.length(), HOST_BYTE_ORDER);
+  QuicDataReader reader(buffer_.data(), buffer_.length(),
+                        quiche::HOST_BYTE_ORDER);
   for (const std::pair<QuicTag, size_t>& item : tags_and_lengths_) {
     QuicStringPiece value;
     if (reader.BytesRemaining() < item.second) {
@@ -156,7 +158,7 @@ std::unique_ptr<QuicData> CryptoFramer::ConstructHandshakeMessage(
   }
 
   std::unique_ptr<char[]> buffer(new char[len]);
-  QuicDataWriter writer(len, buffer.get(), HOST_BYTE_ORDER);
+  QuicDataWriter writer(len, buffer.get(), quiche::HOST_BYTE_ORDER);
   if (!writer.WriteTag(message.tag())) {
     DCHECK(false) << "Failed to write message tag.";
     return nullptr;
@@ -244,7 +246,8 @@ void CryptoFramer::Clear() {
 QuicErrorCode CryptoFramer::Process(QuicStringPiece input) {
   // Add this data to the buffer.
   buffer_.append(input.data(), input.length());
-  QuicDataReader reader(buffer_.data(), buffer_.length(), HOST_BYTE_ORDER);
+  QuicDataReader reader(buffer_.data(), buffer_.length(),
+                        quiche::HOST_BYTE_ORDER);
 
   switch (state_) {
     case STATE_READING_TAG:
diff --git a/chromium/net/third_party/quiche/src/quic/core/crypto/crypto_handshake_message.cc b/chromium/net/third_party/quiche/src/quic/core/crypto/crypto_handshake_message.cc
index 022a86b9227..56f0bd62a1f 100644
--- a/chromium/net/third_party/quiche/src/quic/core/crypto/crypto_handshake_message.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/crypto/crypto_handshake_message.cc
@@ -12,10 +12,10 @@
 #include "net/third_party/quiche/src/quic/core/crypto/crypto_utils.h"
 #include "net/third_party/quiche/src/quic/core/quic_socket_address_coder.h"
 #include "net/third_party/quiche/src/quic/core/quic_utils.h"
-#include "net/third_party/quiche/src/quic/platform/api/quic_endian.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_map_util.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_str_cat.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_text_utils.h"
+#include "net/third_party/quiche/src/common/platform/api/quiche_endian.h"
 
 namespace quic {
 
@@ -57,7 +57,7 @@ void CryptoHandshakeMessage::Clear() {
 }
 
 const QuicData& CryptoHandshakeMessage::GetSerialized() const {
-  if (!serialized_.get()) {
+  if (!serialized_) {
     serialized_ = CryptoFramer::ConstructHandshakeMessage(*this);
   }
   return *serialized_;
@@ -73,14 +73,15 @@ void CryptoHandshakeMessage::SetVersionVector(
   QuicVersionLabelVector version_labels;
   for (ParsedQuicVersion version : versions) {
     version_labels.push_back(
-        QuicEndian::HostToNet32(CreateQuicVersionLabel(version)));
+        quiche::QuicheEndian::HostToNet32(CreateQuicVersionLabel(version)));
   }
   SetVector(tag, version_labels);
 }
 
 void CryptoHandshakeMessage::SetVersion(QuicTag tag,
                                         ParsedQuicVersion version) {
-  SetValue(tag, QuicEndian::HostToNet32(CreateQuicVersionLabel(version)));
+  SetValue(tag,
+           quiche::QuicheEndian::HostToNet32(CreateQuicVersionLabel(version)));
 }
 
 void CryptoHandshakeMessage::SetStringPiece(QuicTag tag,
@@ -128,7 +129,7 @@ QuicErrorCode CryptoHandshakeMessage::GetVersionLabelList(
   }
 
   for (size_t i = 0; i < out->size(); ++i) {
-    (*out)[i] = QuicEndian::HostToNet32((*out)[i]);
+    (*out)[i] = quiche::QuicheEndian::HostToNet32((*out)[i]);
   }
 
   return QUIC_NO_ERROR;
@@ -142,7 +143,7 @@ QuicErrorCode CryptoHandshakeMessage::GetVersionLabel(
     return error;
   }
 
-  *out = QuicEndian::HostToNet32(*out);
+  *out = quiche::QuicheEndian::HostToNet32(*out);
   return QUIC_NO_ERROR;
 }
 
diff --git a/chromium/net/third_party/quiche/src/quic/core/crypto/crypto_handshake_message_test.cc b/chromium/net/third_party/quiche/src/quic/core/crypto/crypto_handshake_message_test.cc
index f595581601f..b6dfdd4cdaa 100644
--- a/chromium/net/third_party/quiche/src/quic/core/crypto/crypto_handshake_message_test.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/crypto/crypto_handshake_message_test.cc
@@ -6,8 +6,8 @@
 
 #include "net/third_party/quiche/src/quic/core/crypto/crypto_handshake.h"
 #include "net/third_party/quiche/src/quic/core/crypto/crypto_protocol.h"
-#include "net/third_party/quiche/src/quic/platform/api/quic_endian.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_test.h"
+#include "net/third_party/quiche/src/common/platform/api/quiche_endian.h"
 
 namespace quic {
 namespace test {
diff --git a/chromium/net/third_party/quiche/src/quic/core/crypto/crypto_message_printer_bin.cc b/chromium/net/third_party/quiche/src/quic/core/crypto/crypto_message_printer_bin.cc
index ecbcab82e53..67cd531dd72 100644
--- a/chromium/net/third_party/quiche/src/quic/core/crypto/crypto_message_printer_bin.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/crypto/crypto_message_printer_bin.cc
@@ -14,7 +14,6 @@
 #include "net/third_party/quiche/src/quic/core/quic_utils.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_text_utils.h"
 
-using quic::Perspective;
 using std::cerr;
 using std::cout;
 using std::endl;
diff --git a/chromium/net/third_party/quiche/src/quic/core/crypto/crypto_protocol.h b/chromium/net/third_party/quiche/src/quic/core/crypto/crypto_protocol.h
index 4d5a890bba2..9707fb5b0ca 100644
--- a/chromium/net/third_party/quiche/src/quic/core/crypto/crypto_protocol.h
+++ b/chromium/net/third_party/quiche/src/quic/core/crypto/crypto_protocol.h
@@ -176,6 +176,11 @@ const QuicTag kILD3 = TAG('I', 'L', 'D', '3');   // IETF style loss detection
                                                  // with 1/4 RTT time threshold
                                                  // and adaptive packet
                                                  // threshold
+const QuicTag kILD4 = TAG('I', 'L', 'D', '4');   // IETF style loss detection
+                                                 // with both adaptive time
+                                                 // threshold (default 1/4 RTT)
+                                                 // and adaptive packet
+                                                 // threshold
 // TODO(fayang): Remove this connection option when QUIC_VERSION_35, is removed
 // Since MAX_HEADER_LIST_SIZE settings frame is supported instead.
 const QuicTag kSMHL = TAG('S', 'M', 'H', 'L');   // Support MAX_HEADER_LIST_SIZE
@@ -194,6 +199,16 @@ const QuicTag k8PTO = TAG('8', 'P', 'T', 'O');   // Closes connection on 8
                                                  // consecutive PTOs.
 const QuicTag kPTOS = TAG('P', 'T', 'O', 'S');   // Skip packet number before
                                                  // sending the last PTO.
+const QuicTag kPTOA = TAG('P', 'T', 'O', 'A');   // Do not add max ack delay
+                                                 // when computing PTO timeout
+                                                 // if an immediate ACK is
+                                                 // expected.
+const QuicTag kPEB1 = TAG('P', 'E', 'B', '1');   // Start exponential backoff
+                                                 // since 1st PTO.
+const QuicTag kPEB2 = TAG('P', 'E', 'B', '2');   // Start exponential backoff
+                                                 // since 2nd PTO.
+const QuicTag kPVS1 = TAG('P', 'V', 'S', '1');   // Use 2 * rttvar when
+                                                 // calculating PTO timeout.
 
 // Optional support of truncated Connection IDs.  If sent by a peer, the value
 // is the minimum number of bytes allowed for the connection ID sent to the
@@ -217,6 +232,12 @@ const QuicTag kBWS2 = TAG('B', 'W', 'S', '2');  // Server bw resumption v2.
 const QuicTag kBWS3 = TAG('B', 'W', 'S', '3');  // QUIC Initial CWND - Control.
 const QuicTag kBWS4 = TAG('B', 'W', 'S', '4');  // QUIC Initial CWND - Enabled.
 const QuicTag kBWS5 = TAG('B', 'W', 'S', '5');  // QUIC Initial CWND up and down
+const QuicTag kBWS6 = TAG('B', 'W', 'S', '6');  // QUIC Initial CWND - Enabled
+                                                // with 0.5 * default
+                                                // multiplier.
+const QuicTag kBWS7 = TAG('B', 'W', 'S', '7');  // QUIC Initial CWND - Enabled
+                                                // with 0.75 * default
+                                                // multiplier.
 
 // Enable path MTU discovery experiment.
 const QuicTag kMTUH = TAG('M', 'T', 'U', 'H');  // High-target MTU discovery.
diff --git a/chromium/net/third_party/quiche/src/quic/core/crypto/crypto_server_test.cc b/chromium/net/third_party/quiche/src/quic/core/crypto/crypto_server_test.cc
index b869f8bdeea..2db49d22a42 100644
--- a/chromium/net/third_party/quiche/src/quic/core/crypto/crypto_server_test.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/crypto/crypto_server_test.cc
@@ -22,7 +22,6 @@
 #include "net/third_party/quiche/src/quic/core/quic_socket_address_coder.h"
 #include "net/third_party/quiche/src/quic/core/quic_utils.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_arraysize.h"
-#include "net/third_party/quiche/src/quic/platform/api/quic_endian.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_flags.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_string_piece.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_test.h"
@@ -33,6 +32,7 @@
 #include "net/third_party/quiche/src/quic/test_tools/mock_random.h"
 #include "net/third_party/quiche/src/quic/test_tools/quic_crypto_server_config_peer.h"
 #include "net/third_party/quiche/src/quic/test_tools/quic_test_utils.h"
+#include "net/third_party/quiche/src/common/platform/api/quiche_endian.h"
 
 namespace quic {
 namespace test {
@@ -125,7 +125,7 @@ class CryptoServerTest : public QuicTestWithParam<TestParams> {
         config_.GenerateConfig(rand_, &clock_, config_options_);
     primary_config.set_primary_time(clock_.WallNow().ToUNIXSeconds());
     std::unique_ptr<CryptoHandshakeMessage> msg(
-        config_.AddConfig(std::move(primary_config), clock_.WallNow()));
+        config_.AddConfig(primary_config, clock_.WallNow()));
 
     QuicStringPiece orbit;
     CHECK(msg->GetStringPiece(kORBT, &orbit));
diff --git a/chromium/net/third_party/quiche/src/quic/core/crypto/crypto_utils.cc b/chromium/net/third_party/quiche/src/quic/core/crypto/crypto_utils.cc
index 59cc9673653..037990ae797 100644
--- a/chromium/net/third_party/quiche/src/quic/core/crypto/crypto_utils.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/crypto/crypto_utils.cc
@@ -30,6 +30,7 @@
 #include "net/third_party/quiche/src/quic/platform/api/quic_bug_tracker.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_logging.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_str_cat.h"
+#include "net/third_party/quiche/src/common/platform/api/quiche_endian.h"
 
 namespace quic {
 
@@ -109,8 +110,8 @@ void CryptoUtils::SetKeyAndIV(const EVP_MD* prf,
 
 namespace {
 
-static_assert(kQuicIetfDraftVersion == 23, "Salts do not match draft version");
-// Salt from https://tools.ietf.org/html/draft-ietf-quic-tls-23#section-5.2
+static_assert(kQuicIetfDraftVersion == 24, "Salts do not match draft version");
+// Salt from https://tools.ietf.org/html/draft-ietf-quic-tls-24#section-5.2
 const uint8_t kDraft23InitialSalt[] = {0xc3, 0xee, 0xf7, 0x12, 0xc7, 0x2e, 0xbb,
                                        0x5a, 0x11, 0xa7, 0xd2, 0x43, 0x2b, 0xb4,
                                        0x63, 0x65, 0xbe, 0xf9, 0xf5, 0x02};
@@ -141,7 +142,7 @@ const uint8_t kQ099Salt[] = {0xc0, 0xa2, 0xee, 0x20, 0xc7, 0xe1, 0x83,
 
 const uint8_t* InitialSaltForVersion(const ParsedQuicVersion& version,
                                      size_t* out_len) {
-  static_assert(QUIC_ARRAYSIZE(kSupportedTransportVersions) == 8u,
+  static_assert(QUIC_ARRAYSIZE(kSupportedTransportVersions) == 6u,
                 "Supported versions out of sync with initial encryption salts");
   switch (version.handshake_protocol) {
     case PROTOCOL_QUIC_CRYPTO:
@@ -299,7 +300,7 @@ bool CryptoUtils::DeriveKeys(const ParsedQuicVersion& version,
 
     psk_premaster_secret = std::make_unique<char[]>(psk_premaster_secret_size);
     QuicDataWriter writer(psk_premaster_secret_size, psk_premaster_secret.get(),
-                          HOST_BYTE_ORDER);
+                          quiche::HOST_BYTE_ORDER);
 
     if (!writer.WriteStringPiece(label) || !writer.WriteUInt8(0) ||
         !writer.WriteStringPiece(pre_shared_key) ||
diff --git a/chromium/net/third_party/quiche/src/quic/core/crypto/crypto_utils.h b/chromium/net/third_party/quiche/src/quic/core/crypto/crypto_utils.h
index cb02dd79542..da746e3d63c 100644
--- a/chromium/net/third_party/quiche/src/quic/core/crypto/crypto_utils.h
+++ b/chromium/net/third_party/quiche/src/quic/core/crypto/crypto_utils.h
@@ -32,7 +32,7 @@ class QUIC_EXPORT_PRIVATE CryptoUtils {
   // Diversification is a utility class that's used to act like a union type.
   // Values can be created by calling the functions like |NoDiversification|,
   // below.
-  class Diversification {
+  class QUIC_EXPORT_PRIVATE Diversification {
    public:
     enum Mode {
       NEVER,  // Key diversification will never be used. Forward secure
diff --git a/chromium/net/third_party/quiche/src/quic/core/crypto/key_exchange.h b/chromium/net/third_party/quiche/src/quic/core/crypto/key_exchange.h
index c695523ef32..127dc62ea14 100644
--- a/chromium/net/third_party/quiche/src/quic/core/crypto/key_exchange.h
+++ b/chromium/net/third_party/quiche/src/quic/core/crypto/key_exchange.h
@@ -25,7 +25,7 @@ class QUIC_EXPORT_PRIVATE AsynchronousKeyExchange {
 
   // Callback base class for receiving the results of an async call to
   // CalculateSharedKeys.
-  class Callback {
+  class QUIC_EXPORT_PRIVATE Callback {
    public:
     Callback() = default;
     virtual ~Callback() = default;
diff --git a/chromium/net/third_party/quiche/src/quic/core/crypto/null_decrypter.cc b/chromium/net/third_party/quiche/src/quic/core/crypto/null_decrypter.cc
index af0a8868cb5..51d8b11695b 100644
--- a/chromium/net/third_party/quiche/src/quic/core/crypto/null_decrypter.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/crypto/null_decrypter.cc
@@ -10,6 +10,7 @@
 #include "net/third_party/quiche/src/quic/core/quic_utils.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_bug_tracker.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_uint128.h"
+#include "net/third_party/quiche/src/common/platform/api/quiche_endian.h"
 
 namespace quic {
 
@@ -50,7 +51,7 @@ bool NullDecrypter::DecryptPacket(uint64_t /*packet_number*/,
                                   size_t* output_length,
                                   size_t max_output_length) {
   QuicDataReader reader(ciphertext.data(), ciphertext.length(),
-                        HOST_BYTE_ORDER);
+                        quiche::HOST_BYTE_ORDER);
   QuicUint128 hash;
 
   if (!ReadHash(&reader, &hash)) {
diff --git a/chromium/net/third_party/quiche/src/quic/core/crypto/null_encrypter.cc b/chromium/net/third_party/quiche/src/quic/core/crypto/null_encrypter.cc
index 4ad9b2ad382..1fe0fdfc8bf 100644
--- a/chromium/net/third_party/quiche/src/quic/core/crypto/null_encrypter.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/crypto/null_encrypter.cc
@@ -75,7 +75,7 @@ size_t NullEncrypter::GetIVSize() const {
 }
 
 size_t NullEncrypter::GetMaxPlaintextSize(size_t ciphertext_size) const {
-  return ciphertext_size - GetHashLength();
+  return ciphertext_size - std::min(ciphertext_size, GetHashLength());
 }
 
 size_t NullEncrypter::GetCiphertextSize(size_t plaintext_size) const {
diff --git a/chromium/net/third_party/quiche/src/quic/core/crypto/null_encrypter_test.cc b/chromium/net/third_party/quiche/src/quic/core/crypto/null_encrypter_test.cc
index fd95cc6fb76..c6a89efbf29 100644
--- a/chromium/net/third_party/quiche/src/quic/core/crypto/null_encrypter_test.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/crypto/null_encrypter_test.cc
@@ -87,6 +87,7 @@ TEST_F(NullEncrypterTest, GetMaxPlaintextSize) {
   EXPECT_EQ(1000u, encrypter.GetMaxPlaintextSize(1012));
   EXPECT_EQ(100u, encrypter.GetMaxPlaintextSize(112));
   EXPECT_EQ(10u, encrypter.GetMaxPlaintextSize(22));
+  EXPECT_EQ(0u, encrypter.GetMaxPlaintextSize(11));
 }
 
 TEST_F(NullEncrypterTest, GetCiphertextSize) {
diff --git a/chromium/net/third_party/quiche/src/quic/core/crypto/proof_source.h b/chromium/net/third_party/quiche/src/quic/core/crypto/proof_source.h
index fd890987d5d..f774efc3f22 100644
--- a/chromium/net/third_party/quiche/src/quic/core/crypto/proof_source.h
+++ b/chromium/net/third_party/quiche/src/quic/core/crypto/proof_source.h
@@ -37,13 +37,13 @@ class QUIC_EXPORT_PRIVATE ProofSource {
 
   // Details is an abstract class which acts as a container for any
   // implementation-specific details that a ProofSource wants to return.
-  class Details {
+  class QUIC_EXPORT_PRIVATE Details {
    public:
     virtual ~Details() {}
   };
 
   // Callback base class for receiving the results of an async call to GetProof.
-  class Callback {
+  class QUIC_EXPORT_PRIVATE Callback {
    public:
     Callback() {}
     virtual ~Callback() {}
@@ -74,7 +74,7 @@ class QUIC_EXPORT_PRIVATE ProofSource {
   };
 
   // Base class for signalling the completion of a call to ComputeTlsSignature.
-  class SignatureCallback {
+  class QUIC_EXPORT_PRIVATE SignatureCallback {
    public:
     SignatureCallback() {}
     virtual ~SignatureCallback() = default;
diff --git a/chromium/net/third_party/quiche/src/quic/core/crypto/quic_compressed_certs_cache.h b/chromium/net/third_party/quiche/src/quic/core/crypto/quic_compressed_certs_cache.h
index 20031874c83..586ea88f676 100644
--- a/chromium/net/third_party/quiche/src/quic/core/crypto/quic_compressed_certs_cache.h
+++ b/chromium/net/third_party/quiche/src/quic/core/crypto/quic_compressed_certs_cache.h
@@ -52,7 +52,7 @@ class QUIC_EXPORT_PRIVATE QuicCompressedCertsCache {
   // A wrapper of the tuple:
   //   |chain, client_common_set_hashes, client_cached_cert_hashes|
   // to identify uncompressed representation of certs.
-  struct UncompressedCerts {
+  struct QUIC_EXPORT_PRIVATE UncompressedCerts {
     UncompressedCerts();
     UncompressedCerts(
         const QuicReferenceCountedPointer<ProofSource::Chain>& chain,
@@ -68,7 +68,7 @@ class QUIC_EXPORT_PRIVATE QuicCompressedCertsCache {
   // Certs stored by QuicCompressedCertsCache where uncompressed certs data is
   // used to identify the uncompressed representation of certs and
   // |compressed_cert| is the cached compressed representation.
-  class CachedCerts {
+  class QUIC_EXPORT_PRIVATE CachedCerts {
    public:
     CachedCerts();
     CachedCerts(const UncompressedCerts& uncompressed_certs,
diff --git a/chromium/net/third_party/quiche/src/quic/core/crypto/quic_crypto_client_config.cc b/chromium/net/third_party/quiche/src/quic/core/crypto/quic_crypto_client_config.cc
index 75b2e6a2884..d674126b6df 100644
--- a/chromium/net/third_party/quiche/src/quic/core/crypto/quic_crypto_client_config.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/crypto/quic_crypto_client_config.cc
@@ -28,7 +28,6 @@
 #include "net/third_party/quiche/src/quic/platform/api/quic_arraysize.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_bug_tracker.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_client_stats.h"
-#include "net/third_party/quiche/src/quic/platform/api/quic_endian.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_hostname_utils.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_logging.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_map_util.h"
@@ -61,7 +60,13 @@ void RecordDiskCacheServerConfigState(
 
 QuicCryptoClientConfig::QuicCryptoClientConfig(
     std::unique_ptr<ProofVerifier> proof_verifier)
+    : QuicCryptoClientConfig(std::move(proof_verifier), nullptr) {}
+
+QuicCryptoClientConfig::QuicCryptoClientConfig(
+    std::unique_ptr<ProofVerifier> proof_verifier,
+    std::unique_ptr<SessionCache> session_cache)
     : proof_verifier_(std::move(proof_verifier)),
+      session_cache_(std::move(session_cache)),
       ssl_ctx_(TlsClientConnection::CreateSslCtx()) {
   DCHECK(proof_verifier_.get());
   SetDefaults();
@@ -120,7 +125,7 @@ QuicCryptoClientConfig::CachedState::GetServerConfig() const {
     return nullptr;
   }
 
-  if (!scfg_.get()) {
+  if (!scfg_) {
     scfg_ = CryptoFramer::ParseMessage(server_config_);
     DCHECK(scfg_.get());
   }
@@ -850,6 +855,10 @@ ProofVerifier* QuicCryptoClientConfig::proof_verifier() const {
   return proof_verifier_.get();
 }
 
+SessionCache* QuicCryptoClientConfig::session_cache() const {
+  return session_cache_.get();
+}
+
 SSL_CTX* QuicCryptoClientConfig::ssl_ctx() const {
   return ssl_ctx_.get();
 }
diff --git a/chromium/net/third_party/quiche/src/quic/core/crypto/quic_crypto_client_config.h b/chromium/net/third_party/quiche/src/quic/core/crypto/quic_crypto_client_config.h
index 838b2eef010..a3e1bcd18b2 100644
--- a/chromium/net/third_party/quiche/src/quic/core/crypto/quic_crypto_client_config.h
+++ b/chromium/net/third_party/quiche/src/quic/core/crypto/quic_crypto_client_config.h
@@ -12,8 +12,10 @@
 #include <vector>
 
 #include "third_party/boringssl/src/include/openssl/base.h"
+#include "third_party/boringssl/src/include/openssl/ssl.h"
 #include "net/third_party/quiche/src/quic/core/crypto/crypto_handshake.h"
 #include "net/third_party/quiche/src/quic/core/crypto/crypto_protocol.h"
+#include "net/third_party/quiche/src/quic/core/crypto/transport_parameters.h"
 #include "net/third_party/quiche/src/quic/core/quic_packets.h"
 #include "net/third_party/quiche/src/quic/core/quic_server_id.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_export.h"
@@ -27,6 +29,53 @@ class ProofVerifier;
 class ProofVerifyDetails;
 class QuicRandom;
 
+// QuicResumptionState stores the state a client needs for performing connection
+// resumption.
+struct QUIC_EXPORT_PRIVATE QuicResumptionState {
+  // |tls_session| holds the cryptographic state necessary for a resumption. It
+  // includes the ALPN negotiated on the connection where the ticket was
+  // received.
+  bssl::UniquePtr<SSL_SESSION> tls_session;
+
+  // If the application using QUIC doesn't support 0-RTT handshakes or the
+  // client didn't receive a 0-RTT capable session ticket from the server,
+  // |transport_params| will be null. Otherwise, it will contain the transport
+  // parameters received from the server on the original connection.
+  std::unique_ptr<TransportParameters> transport_params;
+
+  // If |transport_params| is null, then |application_state| is ignored and
+  // should be empty. |application_state| contains serialized state that the
+  // client received from the server at the application layer that the client
+  // needs to remember when performing a 0-RTT handshake.
+  std::vector<uint8_t> application_state;
+};
+
+// SessionCache is an interface for managing storing and retrieving
+// QuicResumptionState structs.
+class QUIC_EXPORT_PRIVATE SessionCache {
+ public:
+  virtual ~SessionCache() {}
+
+  // Inserts |state| into the cache, keyed by |server_id|. Insert is called
+  // after a session ticket is received. If the session ticket is valid for
+  // 0-RTT, there may be a delay between its receipt and the call to Insert
+  // while waiting for application state for |state|.
+  //
+  // Insert may be called multiple times per connection. SessionCache
+  // implementations should support storing multiple entries per server ID.
+  virtual void Insert(const QuicServerId& server_id,
+                      std::unique_ptr<QuicResumptionState> state) = 0;
+
+  // Lookup is called once at the beginning of each TLS handshake to potentially
+  // provide the saved state both for the TLS handshake and for sending 0-RTT
+  // data (if supported). Lookup may return a nullptr. Implementations should
+  // delete cache entries after returning them in Lookup so that session tickets
+  // are used only once.
+  virtual std::unique_ptr<QuicResumptionState> Lookup(
+      const QuicServerId& server_id,
+      const SSL_CTX* ctx) = 0;
+};
+
 // QuicCryptoClientConfig contains crypto-related configuration settings for a
 // client. Note that this object isn't thread-safe. It's designed to be used on
 // a single thread at a time.
@@ -195,7 +244,7 @@ class QUIC_EXPORT_PRIVATE QuicCryptoClientConfig : public QuicCryptoConfig {
   };
 
   // Used to filter server ids for partial config deletion.
-  class ServerIdFilter {
+  class QUIC_EXPORT_PRIVATE ServerIdFilter {
    public:
     virtual ~ServerIdFilter() {}
 
@@ -203,8 +252,11 @@ class QUIC_EXPORT_PRIVATE QuicCryptoClientConfig : public QuicCryptoConfig {
     virtual bool Matches(const QuicServerId& server_id) const = 0;
   };
 
+  // DEPRECATED: Use the constructor below instead.
   explicit QuicCryptoClientConfig(
       std::unique_ptr<ProofVerifier> proof_verifier);
+  QuicCryptoClientConfig(std::unique_ptr<ProofVerifier> proof_verifier,
+                         std::unique_ptr<SessionCache> session_cache);
   QuicCryptoClientConfig(const QuicCryptoClientConfig&) = delete;
   QuicCryptoClientConfig& operator=(const QuicCryptoClientConfig&) = delete;
   ~QuicCryptoClientConfig();
@@ -309,7 +361,7 @@ class QUIC_EXPORT_PRIVATE QuicCryptoClientConfig : public QuicCryptoConfig {
       std::string* error_details);
 
   ProofVerifier* proof_verifier() const;
-
+  SessionCache* session_cache() const;
   SSL_CTX* ssl_ctx() const;
 
   // Initialize the CachedState from |canonical_crypto_config| for the
@@ -388,6 +440,7 @@ class QUIC_EXPORT_PRIVATE QuicCryptoClientConfig : public QuicCryptoConfig {
   std::vector<std::string> canonical_suffixes_;
 
   std::unique_ptr<ProofVerifier> proof_verifier_;
+  std::unique_ptr<SessionCache> session_cache_;
   bssl::UniquePtr<SSL_CTX> ssl_ctx_;
 
   // The |user_agent_id_| passed in QUIC's CHLO message.
diff --git a/chromium/net/third_party/quiche/src/quic/core/crypto/quic_crypto_client_config_test.cc b/chromium/net/third_party/quiche/src/quic/core/crypto/quic_crypto_client_config_test.cc
index 683180bf030..8b5f116d107 100644
--- a/chromium/net/third_party/quiche/src/quic/core/crypto/quic_crypto_client_config_test.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/crypto/quic_crypto_client_config_test.cc
@@ -10,7 +10,6 @@
 #include "net/third_party/quiche/src/quic/core/quic_server_id.h"
 #include "net/third_party/quiche/src/quic/core/quic_types.h"
 #include "net/third_party/quiche/src/quic/core/quic_utils.h"
-#include "net/third_party/quiche/src/quic/platform/api/quic_endian.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_test.h"
 #include "net/third_party/quiche/src/quic/test_tools/crypto_test_utils.h"
 #include "net/third_party/quiche/src/quic/test_tools/mock_random.h"
@@ -115,11 +114,9 @@ TEST_F(QuicCryptoClientConfigTest, CachedState_ServerDesignatedConnectionId) {
 TEST_F(QuicCryptoClientConfigTest, CachedState_ServerIdConsumedBeforeSet) {
   QuicCryptoClientConfig::CachedState state;
   EXPECT_FALSE(state.has_server_designated_connection_id());
-#if GTEST_HAS_DEATH_TEST && !defined(NDEBUG)
-  EXPECT_DEBUG_DEATH(state.GetNextServerDesignatedConnectionId(),
-                     "Attempting to consume a connection id "
-                     "that was never designated.");
-#endif  // GTEST_HAS_DEATH_TEST && !defined(NDEBUG)
+  EXPECT_QUIC_DEBUG_DEATH(state.GetNextServerDesignatedConnectionId(),
+                          "Attempting to consume a connection id "
+                          "that was never designated.");
 }
 
 TEST_F(QuicCryptoClientConfigTest, CachedState_ServerNonce) {
@@ -156,11 +153,9 @@ TEST_F(QuicCryptoClientConfigTest, CachedState_ServerNonce) {
 TEST_F(QuicCryptoClientConfigTest, CachedState_ServerNonceConsumedBeforeSet) {
   QuicCryptoClientConfig::CachedState state;
   EXPECT_FALSE(state.has_server_nonce());
-#if GTEST_HAS_DEATH_TEST && !defined(NDEBUG)
-  EXPECT_DEBUG_DEATH(state.GetNextServerNonce(),
-                     "Attempting to consume a server nonce "
-                     "that was never designated.");
-#endif  // GTEST_HAS_DEATH_TEST && !defined(NDEBUG)
+  EXPECT_QUIC_DEBUG_DEATH(state.GetNextServerNonce(),
+                          "Attempting to consume a server nonce "
+                          "that was never designated.");
 }
 
 TEST_F(QuicCryptoClientConfigTest, CachedState_InitializeFrom) {
diff --git a/chromium/net/third_party/quiche/src/quic/core/crypto/quic_crypto_server_config.cc b/chromium/net/third_party/quiche/src/quic/core/crypto/quic_crypto_server_config.cc
index c211cdb3345..d5689862fcf 100644
--- a/chromium/net/third_party/quiche/src/quic/core/crypto/quic_crypto_server_config.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/crypto/quic_crypto_server_config.cc
@@ -38,7 +38,6 @@
 #include "net/third_party/quiche/src/quic/platform/api/quic_bug_tracker.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_cert_utils.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_clock.h"
-#include "net/third_party/quiche/src/quic/platform/api/quic_endian.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_fallthrough.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_flag_utils.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_flags.h"
@@ -385,14 +384,14 @@ std::unique_ptr<CryptoHandshakeMessage> QuicCryptoServerConfig::AddConfig(
   std::unique_ptr<CryptoHandshakeMessage> msg =
       CryptoFramer::ParseMessage(protobuf.config());
 
-  if (!msg.get()) {
+  if (!msg) {
     QUIC_LOG(WARNING) << "Failed to parse server config message";
     return nullptr;
   }
 
   QuicReferenceCountedPointer<Config> config =
       ParseConfigProtobuf(protobuf, /* is_fallback = */ false);
-  if (!config.get()) {
+  if (!config) {
     QUIC_LOG(WARNING) << "Failed to parse server config message";
     return nullptr;
   }
@@ -896,7 +895,7 @@ void QuicCryptoServerConfig::ProcessClientHelloAfterCalculateSharedKeys(
     }
     std::unique_ptr<CryptoHandshakeMessage> cetv(CryptoFramer::ParseMessage(
         QuicStringPiece(plaintext, plaintext_length)));
-    if (!cetv.get()) {
+    if (!cetv) {
       context->Fail(QUIC_INVALID_CRYPTO_MESSAGE_PARAMETER, "CETV parse error");
       return;
     }
@@ -1281,7 +1280,6 @@ void QuicCryptoServerConfig::EvaluateClientHello(
   // Server nonce is optional, and used for key derivation if present.
   client_hello.GetStringPiece(kServerNonceTag, &info->server_nonce);
 
-  QUIC_DVLOG(1) << "No 0-RTT replay protection in QUIC_VERSION_33 and higher.";
   // If the server nonce is empty and we're requiring handshake confirmation
   // for DoS reasons then we must reject the CHLO.
   if (GetQuicReloadableFlag(quic_require_handshake_confirmation) &&
diff --git a/chromium/net/third_party/quiche/src/quic/core/crypto/quic_crypto_server_config.h b/chromium/net/third_party/quiche/src/quic/core/crypto/quic_crypto_server_config.h
index 3fb424d4022..809ebaec575 100644
--- a/chromium/net/third_party/quiche/src/quic/core/crypto/quic_crypto_server_config.h
+++ b/chromium/net/third_party/quiche/src/quic/core/crypto/quic_crypto_server_config.h
@@ -41,7 +41,7 @@ struct QuicSignedServerConfig;
 
 // ClientHelloInfo contains information about a client hello message that is
 // only kept for as long as it's being processed.
-struct ClientHelloInfo {
+struct QUIC_EXPORT_PRIVATE ClientHelloInfo {
   ClientHelloInfo(const QuicIpAddress& in_client_ip, QuicWallTime in_now);
   ClientHelloInfo(const ClientHelloInfo& other);
   ~ClientHelloInfo();
@@ -68,7 +68,7 @@ class QuicCryptoServerConfigPeer;
 }  // namespace test
 
 // Hook that allows application code to subscribe to primary config changes.
-class PrimaryConfigChangedCallback {
+class QUIC_EXPORT_PRIVATE PrimaryConfigChangedCallback {
  public:
   PrimaryConfigChangedCallback();
   PrimaryConfigChangedCallback(const PrimaryConfigChangedCallback&) = delete;
@@ -128,7 +128,7 @@ class QUIC_EXPORT_PRIVATE ProcessClientHelloResultCallback {
 
 // Callback used to receive the results of a call to
 // BuildServerConfigUpdateMessage.
-class BuildServerConfigUpdateMessageResultCallback {
+class QUIC_EXPORT_PRIVATE BuildServerConfigUpdateMessageResultCallback {
  public:
   BuildServerConfigUpdateMessageResultCallback() = default;
   virtual ~BuildServerConfigUpdateMessageResultCallback() {}
@@ -141,7 +141,7 @@ class BuildServerConfigUpdateMessageResultCallback {
 
 // Object that is interested in built rejections (which include REJ, SREJ and
 // cheap SREJ).
-class RejectionObserver {
+class QUIC_EXPORT_PRIVATE RejectionObserver {
  public:
   RejectionObserver() = default;
   virtual ~RejectionObserver() {}
@@ -511,7 +511,7 @@ class QUIC_EXPORT_PRIVATE QuicCryptoServerConfig {
       QUIC_SHARED_LOCKS_REQUIRED(configs_lock_);
 
   // A snapshot of the configs associated with an in-progress handshake.
-  struct Configs {
+  struct QUIC_EXPORT_PRIVATE Configs {
     QuicReferenceCountedPointer<Config> requested;
     QuicReferenceCountedPointer<Config> primary;
     QuicReferenceCountedPointer<Config> fallback;
@@ -552,7 +552,7 @@ class QUIC_EXPORT_PRIVATE QuicCryptoServerConfig {
 
   // Convenience class which carries the arguments passed to
   // |ProcessClientHellp| along.
-  class ProcessClientHelloContext {
+  class QUIC_EXPORT_PRIVATE ProcessClientHelloContext {
    public:
     ProcessClientHelloContext(
         QuicReferenceCountedPointer<ValidateClientHelloResultCallback::Result>
diff --git a/chromium/net/third_party/quiche/src/quic/core/crypto/quic_crypto_server_config_test.cc b/chromium/net/third_party/quiche/src/quic/core/crypto/quic_crypto_server_config_test.cc
index bc9b2efe200..8f9e4ba776a 100644
--- a/chromium/net/third_party/quiche/src/quic/core/crypto/quic_crypto_server_config_test.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/crypto/quic_crypto_server_config_test.cc
@@ -18,6 +18,7 @@
 #include "net/third_party/quiche/src/quic/core/quic_time.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_socket_address.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_test.h"
+#include "net/third_party/quiche/src/quic/platform/api/quic_text_utils.h"
 #include "net/third_party/quiche/src/quic/test_tools/crypto_test_utils.h"
 #include "net/third_party/quiche/src/quic/test_tools/mock_clock.h"
 #include "net/third_party/quiche/src/quic/test_tools/quic_crypto_server_config_peer.h"
@@ -351,7 +352,7 @@ class CryptoServerConfigsTest : public QuicTest {
           QuicCryptoServerConfig::GenerateConfig(rand_, &clock_, options);
       protobuf.set_primary_time(primary_time);
       protobuf.set_priority(priority);
-      if (std::string(server_config_id).find("INVALID") == 0) {
+      if (QuicTextUtils::StartsWith(std::string(server_config_id), "INVALID")) {
         protobuf.clear_key();
         has_invalid = true;
       }
diff --git a/chromium/net/third_party/quiche/src/quic/core/crypto/quic_hkdf.h b/chromium/net/third_party/quiche/src/quic/core/crypto/quic_hkdf.h
index 09006eef4db..94d45bc91a6 100644
--- a/chromium/net/third_party/quiche/src/quic/core/crypto/quic_hkdf.h
+++ b/chromium/net/third_party/quiche/src/quic/core/crypto/quic_hkdf.h
@@ -15,7 +15,7 @@ namespace quic {
 // QuicHKDF implements the key derivation function specified in RFC 5869
 // (using SHA-256) and outputs key material, as needed by QUIC.
 // See https://tools.ietf.org/html/rfc5869 for details.
-class QUIC_EXPORT QuicHKDF {
+class QUIC_EXPORT_PRIVATE QuicHKDF {
  public:
   // |secret|: the input shared secret (or, from RFC 5869, the IKM).
   // |salt|: an (optional) public salt / non-secret random value. While
diff --git a/chromium/net/third_party/quiche/src/quic/core/crypto/tls_client_connection.cc b/chromium/net/third_party/quiche/src/quic/core/crypto/tls_client_connection.cc
index f28af660e90..7d112245b3c 100644
--- a/chromium/net/third_party/quiche/src/quic/core/crypto/tls_client_connection.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/crypto/tls_client_connection.cc
@@ -14,11 +14,14 @@ TlsClientConnection::TlsClientConnection(SSL_CTX* ssl_ctx, Delegate* delegate)
 bssl::UniquePtr<SSL_CTX> TlsClientConnection::CreateSslCtx() {
   bssl::UniquePtr<SSL_CTX> ssl_ctx = TlsConnection::CreateSslCtx();
   // Configure certificate verification.
-  // TODO(nharper): This only verifies certs on initial connection, not on
-  // resumption. Chromium has this callback be a no-op and verifies the
-  // certificate after the connection is complete. We need to re-verify on
-  // resumption in case of expiration or revocation/distrust.
   SSL_CTX_set_custom_verify(ssl_ctx.get(), SSL_VERIFY_PEER, &VerifyCallback);
+  int reverify_on_resume_enabled = 1;
+  SSL_CTX_set_reverify_on_resume(ssl_ctx.get(), reverify_on_resume_enabled);
+
+  // Configure session caching.
+  SSL_CTX_set_session_cache_mode(
+      ssl_ctx.get(), SSL_SESS_CACHE_CLIENT | SSL_SESS_CACHE_NO_INTERNAL);
+  SSL_CTX_sess_set_new_cb(ssl_ctx.get(), NewSessionCallback);
   return ssl_ctx;
 }
 
@@ -30,4 +33,11 @@ enum ssl_verify_result_t TlsClientConnection::VerifyCallback(
       ->delegate_->VerifyCert(out_alert);
 }
 
+// static
+int TlsClientConnection::NewSessionCallback(SSL* ssl, SSL_SESSION* session) {
+  static_cast<TlsClientConnection*>(ConnectionFromSsl(ssl))
+      ->delegate_->InsertSession(bssl::UniquePtr<SSL_SESSION>(session));
+  return 1;
+}
+
 }  // namespace quic
diff --git a/chromium/net/third_party/quiche/src/quic/core/crypto/tls_client_connection.h b/chromium/net/third_party/quiche/src/quic/core/crypto/tls_client_connection.h
index a9212ff2a72..035f420a835 100644
--- a/chromium/net/third_party/quiche/src/quic/core/crypto/tls_client_connection.h
+++ b/chromium/net/third_party/quiche/src/quic/core/crypto/tls_client_connection.h
@@ -15,7 +15,7 @@ class QUIC_EXPORT_PRIVATE TlsClientConnection : public TlsConnection {
  public:
   // A TlsClientConnection::Delegate implements the client-specific methods that
   // are set as callbacks for an SSL object.
-  class Delegate {
+  class QUIC_EXPORT_PRIVATE Delegate {
    public:
     virtual ~Delegate() {}
 
@@ -26,6 +26,9 @@ class QUIC_EXPORT_PRIVATE TlsClientConnection : public TlsConnection {
     // or ssl_verify_retry if verification is happening asynchronously.
     virtual enum ssl_verify_result_t VerifyCert(uint8_t* out_alert) = 0;
 
+    // Called when a NewSessionTicket is received from the server.
+    virtual void InsertSession(bssl::UniquePtr<SSL_SESSION> session) = 0;
+
     // Provides the delegate for callbacks that are shared between client and
     // server.
     virtual TlsConnection::Delegate* ConnectionDelegate() = 0;
@@ -43,6 +46,10 @@ class QUIC_EXPORT_PRIVATE TlsClientConnection : public TlsConnection {
   // implementation is delegated to Delegate::VerifyCert.
   static enum ssl_verify_result_t VerifyCallback(SSL* ssl, uint8_t* out_alert);
 
+  // Registered as the callback for SSL_CTX_sess_set_new_cb, which calls
+  // Delegate::InsertSession.
+  static int NewSessionCallback(SSL* ssl, SSL_SESSION* session);
+
   Delegate* delegate_;
 };
 
diff --git a/chromium/net/third_party/quiche/src/quic/core/crypto/tls_connection.h b/chromium/net/third_party/quiche/src/quic/core/crypto/tls_connection.h
index 4774ba6924d..fd4f64b1978 100644
--- a/chromium/net/third_party/quiche/src/quic/core/crypto/tls_connection.h
+++ b/chromium/net/third_party/quiche/src/quic/core/crypto/tls_connection.h
@@ -26,7 +26,7 @@ class QUIC_EXPORT_PRIVATE TlsConnection {
  public:
   // A TlsConnection::Delegate implements the methods that are set as callbacks
   // of TlsConnection.
-  class Delegate {
+  class QUIC_EXPORT_PRIVATE Delegate {
    public:
     virtual ~Delegate() {}
 
diff --git a/chromium/net/third_party/quiche/src/quic/core/crypto/tls_server_connection.cc b/chromium/net/third_party/quiche/src/quic/core/crypto/tls_server_connection.cc
index 927c75af318..f539a089d2c 100644
--- a/chromium/net/third_party/quiche/src/quic/core/crypto/tls_server_connection.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/crypto/tls_server_connection.cc
@@ -16,6 +16,7 @@ bssl::UniquePtr<SSL_CTX> TlsServerConnection::CreateSslCtx() {
   SSL_CTX_set_tlsext_servername_callback(ssl_ctx.get(),
                                          &SelectCertificateCallback);
   SSL_CTX_set_alpn_select_cb(ssl_ctx.get(), &SelectAlpnCallback, nullptr);
+  SSL_CTX_set_options(ssl_ctx.get(), SSL_OP_NO_TICKET);
   return ssl_ctx;
 }
 
diff --git a/chromium/net/third_party/quiche/src/quic/core/crypto/tls_server_connection.h b/chromium/net/third_party/quiche/src/quic/core/crypto/tls_server_connection.h
index 0e78d1bf015..96d71e2bef1 100644
--- a/chromium/net/third_party/quiche/src/quic/core/crypto/tls_server_connection.h
+++ b/chromium/net/third_party/quiche/src/quic/core/crypto/tls_server_connection.h
@@ -15,7 +15,7 @@ class QUIC_EXPORT_PRIVATE TlsServerConnection : public TlsConnection {
  public:
   // A TlsServerConnection::Delegate implement the server-specific methods that
   // are set as callbacks for an SSL object.
-  class Delegate {
+  class QUIC_EXPORT_PRIVATE Delegate {
    public:
     virtual ~Delegate() {}
 
diff --git a/chromium/net/third_party/quiche/src/quic/core/crypto/transport_parameters.cc b/chromium/net/third_party/quiche/src/quic/core/crypto/transport_parameters.cc
index ce6cc2005c3..a870017b0b3 100644
--- a/chromium/net/third_party/quiche/src/quic/core/crypto/transport_parameters.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/crypto/transport_parameters.cc
@@ -44,6 +44,8 @@ enum TransportParameters::TransportParameterId : uint16_t {
   kPreferredAddress = 0xd,
   kActiveConnectionIdLimit = 0xe,
 
+  kMaxDatagramFrameSize = 0x20,
+
   kGoogleQuicParam = 18257,  // Used for non-standard Google-specific params.
   kGoogleQuicVersion =
       18258,  // Used to transmit version and supported_versions.
@@ -95,6 +97,8 @@ std::string TransportParameterIdToString(
       return "preferred_address";
     case TransportParameters::kActiveConnectionIdLimit:
       return "active_connection_id_limit";
+    case TransportParameters::kMaxDatagramFrameSize:
+      return "max_datagram_frame_size";
     case TransportParameters::kGoogleQuicParam:
       return "google";
     case TransportParameters::kGoogleQuicVersion:
@@ -279,6 +283,7 @@ std::string TransportParameters::ToString() const {
           preferred_address->ToString();
   }
   rv += active_connection_id_limit.ToString(/*for_use_in_list=*/true);
+  rv += max_datagram_frame_size.ToString(/*for_use_in_list=*/true);
   if (google_quic_params) {
     rv += " " + TransportParameterIdToString(kGoogleQuicParam);
   }
@@ -313,7 +318,8 @@ TransportParameters::TransportParameters()
                     0,
                     kMaxMaxAckDelayTransportParam),
       disable_migration(false),
-      active_connection_id_limit(kActiveConnectionIdLimit)
+      active_connection_id_limit(kActiveConnectionIdLimit),
+      max_datagram_frame_size(kMaxDatagramFrameSize)
 // Important note: any new transport parameters must be added
 // to TransportParameters::AreValid, SerializeTransportParameters and
 // ParseTransportParameters.
@@ -354,15 +360,15 @@ bool TransportParameters::AreValid() const {
     QUIC_BUG << "Preferred address family failure";
     return false;
   }
-  const bool ok = idle_timeout_milliseconds.IsValid() &&
-                  max_packet_size.IsValid() && initial_max_data.IsValid() &&
-                  initial_max_stream_data_bidi_local.IsValid() &&
-                  initial_max_stream_data_bidi_remote.IsValid() &&
-                  initial_max_stream_data_uni.IsValid() &&
-                  initial_max_streams_bidi.IsValid() &&
-                  initial_max_streams_uni.IsValid() &&
-                  ack_delay_exponent.IsValid() && max_ack_delay.IsValid() &&
-                  active_connection_id_limit.IsValid();
+  const bool ok =
+      idle_timeout_milliseconds.IsValid() && max_packet_size.IsValid() &&
+      initial_max_data.IsValid() &&
+      initial_max_stream_data_bidi_local.IsValid() &&
+      initial_max_stream_data_bidi_remote.IsValid() &&
+      initial_max_stream_data_uni.IsValid() &&
+      initial_max_streams_bidi.IsValid() && initial_max_streams_uni.IsValid() &&
+      ack_delay_exponent.IsValid() && max_ack_delay.IsValid() &&
+      active_connection_id_limit.IsValid() && max_datagram_frame_size.IsValid();
   if (!ok) {
     QUIC_DLOG(ERROR) << "Invalid transport parameters " << *this;
   }
@@ -445,7 +451,8 @@ bool SerializeTransportParameters(ParsedQuicVersion /*version*/,
       !in.initial_max_streams_uni.WriteToCbb(&params) ||
       !in.ack_delay_exponent.WriteToCbb(&params) ||
       !in.max_ack_delay.WriteToCbb(&params) ||
-      !in.active_connection_id_limit.WriteToCbb(&params)) {
+      !in.active_connection_id_limit.WriteToCbb(&params) ||
+      !in.max_datagram_frame_size.WriteToCbb(&params)) {
     QUIC_BUG << "Failed to write integers for " << in;
     return false;
   }
@@ -734,6 +741,9 @@ bool ParseTransportParameters(ParsedQuicVersion version,
       case TransportParameters::kActiveConnectionIdLimit:
         parse_success = out->active_connection_id_limit.ReadFromCbs(&value);
         break;
+      case TransportParameters::kMaxDatagramFrameSize:
+        parse_success = out->max_datagram_frame_size.ReadFromCbs(&value);
+        break;
       case TransportParameters::kGoogleQuicParam: {
         if (out->google_quic_params) {
           QUIC_DLOG(ERROR) << "Received a second Google parameter";
diff --git a/chromium/net/third_party/quiche/src/quic/core/crypto/transport_parameters.h b/chromium/net/third_party/quiche/src/quic/core/crypto/transport_parameters.h
index 22dc252405c..c5ec1a4f71b 100644
--- a/chromium/net/third_party/quiche/src/quic/core/crypto/transport_parameters.h
+++ b/chromium/net/third_party/quiche/src/quic/core/crypto/transport_parameters.h
@@ -168,6 +168,10 @@ struct QUIC_EXPORT_PRIVATE TransportParameters {
   // to store.
   IntegerParameter active_connection_id_limit;
 
+  // Indicates support for the DATAGRAM frame and the maximum frame size that
+  // the sender accepts. See draft-pauly-quic-datagram.
+  IntegerParameter max_datagram_frame_size;
+
   // Transport parameters used by Google QUIC but not IETF QUIC. This is
   // serialized into a TransportParameter struct with a TransportParameterId of
   // kGoogleQuicParamId.
diff --git a/chromium/net/third_party/quiche/src/quic/core/crypto/transport_parameters_test.cc b/chromium/net/third_party/quiche/src/quic/core/crypto/transport_parameters_test.cc
index 90afe221bd7..61a6e0d4d6b 100644
--- a/chromium/net/third_party/quiche/src/quic/core/crypto/transport_parameters_test.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/crypto/transport_parameters_test.cc
@@ -24,14 +24,10 @@ using testing::UnorderedElementsAre;
 const ParsedQuicVersion kVersion(PROTOCOL_TLS1_3, QUIC_VERSION_99);
 const QuicVersionLabel kFakeVersionLabel = 0x01234567;
 const QuicVersionLabel kFakeVersionLabel2 = 0x89ABCDEF;
-const QuicConnectionId kFakeOriginalConnectionId = TestConnectionId(0x1337);
 const uint64_t kFakeIdleTimeoutMilliseconds = 12012;
 const uint8_t kFakeStatelessResetTokenData[16] = {
     0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
     0x98, 0x99, 0x9A, 0x9B, 0x9C, 0x9D, 0x9E, 0x9F};
-const std::vector<uint8_t> kFakeStatelessResetToken(
-    kFakeStatelessResetTokenData,
-    kFakeStatelessResetTokenData + sizeof(kFakeStatelessResetTokenData));
 const uint64_t kFakeMaxPacketSize = 9001;
 const uint64_t kFakeInitialMaxData = 101;
 const uint64_t kFakeInitialMaxStreamDataBidiLocal = 2001;
@@ -43,14 +39,10 @@ const uint64_t kFakeAckDelayExponent = 10;
 const uint64_t kFakeMaxAckDelay = 51;
 const bool kFakeDisableMigration = true;
 const uint64_t kFakeActiveConnectionIdLimit = 52;
-const QuicConnectionId kFakePreferredConnectionId = TestConnectionId(0xBEEF);
 const uint8_t kFakePreferredStatelessResetTokenData[16] = {
     0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
     0x88, 0x89, 0x8A, 0x8B, 0x8C, 0x8D, 0x8E, 0x8F};
-const std::vector<uint8_t> kFakePreferredStatelessResetToken(
-    kFakePreferredStatelessResetTokenData,
-    kFakePreferredStatelessResetTokenData +
-        sizeof(kFakeStatelessResetTokenData));
+
 const auto kCustomParameter1 =
     static_cast<TransportParameters::TransportParameterId>(0xffcd);
 const char* kCustomParameter1Value = "foo";
@@ -58,6 +50,27 @@ const auto kCustomParameter2 =
     static_cast<TransportParameters::TransportParameterId>(0xff34);
 const char* kCustomParameter2Value = "bar";
 
+QuicConnectionId CreateFakeOriginalConnectionId() {
+  return TestConnectionId(0x1337);
+}
+
+QuicConnectionId CreateFakePreferredConnectionId() {
+  return TestConnectionId(0xBEEF);
+}
+
+std::vector<uint8_t> CreateFakeStatelessResetToken() {
+  return std::vector<uint8_t>(
+      kFakeStatelessResetTokenData,
+      kFakeStatelessResetTokenData + sizeof(kFakeStatelessResetTokenData));
+}
+
+std::vector<uint8_t> CreateFakePreferredStatelessResetToken() {
+  return std::vector<uint8_t>(
+      kFakePreferredStatelessResetTokenData,
+      kFakePreferredStatelessResetTokenData +
+          sizeof(kFakePreferredStatelessResetTokenData));
+}
+
 QuicSocketAddress CreateFakeV4SocketAddress() {
   QuicIpAddress ipv4_address;
   if (!ipv4_address.FromString("65.66.67.68")) {  // 0x41, 0x42, 0x43, 0x44
@@ -81,8 +94,9 @@ CreateFakePreferredAddress() {
   TransportParameters::PreferredAddress preferred_address;
   preferred_address.ipv4_socket_address = CreateFakeV4SocketAddress();
   preferred_address.ipv6_socket_address = CreateFakeV6SocketAddress();
-  preferred_address.connection_id = kFakePreferredConnectionId;
-  preferred_address.stateless_reset_token = kFakePreferredStatelessResetToken;
+  preferred_address.connection_id = CreateFakePreferredConnectionId();
+  preferred_address.stateless_reset_token =
+      CreateFakePreferredStatelessResetToken();
   return std::make_unique<TransportParameters::PreferredAddress>(
       preferred_address);
 }
@@ -158,9 +172,9 @@ TEST_F(TransportParametersTest, RoundTripServer) {
   orig_params.version = kFakeVersionLabel;
   orig_params.supported_versions.push_back(kFakeVersionLabel);
   orig_params.supported_versions.push_back(kFakeVersionLabel2);
-  orig_params.original_connection_id = kFakeOriginalConnectionId;
+  orig_params.original_connection_id = CreateFakeOriginalConnectionId();
   orig_params.idle_timeout_milliseconds.set_value(kFakeIdleTimeoutMilliseconds);
-  orig_params.stateless_reset_token = kFakeStatelessResetToken;
+  orig_params.stateless_reset_token = CreateFakeStatelessResetToken();
   orig_params.max_packet_size.set_value(kFakeMaxPacketSize);
   orig_params.initial_max_data.set_value(kFakeInitialMaxData);
   orig_params.initial_max_stream_data_bidi_local.set_value(
@@ -191,10 +205,11 @@ TEST_F(TransportParametersTest, RoundTripServer) {
   EXPECT_EQ(2u, new_params.supported_versions.size());
   EXPECT_EQ(kFakeVersionLabel, new_params.supported_versions[0]);
   EXPECT_EQ(kFakeVersionLabel2, new_params.supported_versions[1]);
-  EXPECT_EQ(kFakeOriginalConnectionId, new_params.original_connection_id);
+  EXPECT_EQ(CreateFakeOriginalConnectionId(),
+            new_params.original_connection_id);
   EXPECT_EQ(kFakeIdleTimeoutMilliseconds,
             new_params.idle_timeout_milliseconds.value());
-  EXPECT_EQ(kFakeStatelessResetToken, new_params.stateless_reset_token);
+  EXPECT_EQ(CreateFakeStatelessResetToken(), new_params.stateless_reset_token);
   EXPECT_EQ(kFakeMaxPacketSize, new_params.max_packet_size.value());
   EXPECT_EQ(kFakeInitialMaxData, new_params.initial_max_data.value());
   EXPECT_EQ(kFakeInitialMaxStreamDataBidiLocal,
@@ -215,9 +230,9 @@ TEST_F(TransportParametersTest, RoundTripServer) {
             new_params.preferred_address->ipv4_socket_address);
   EXPECT_EQ(CreateFakeV6SocketAddress(),
             new_params.preferred_address->ipv6_socket_address);
-  EXPECT_EQ(kFakePreferredConnectionId,
+  EXPECT_EQ(CreateFakePreferredConnectionId(),
             new_params.preferred_address->connection_id);
-  EXPECT_EQ(kFakePreferredStatelessResetToken,
+  EXPECT_EQ(CreateFakePreferredStatelessResetToken(),
             new_params.preferred_address->stateless_reset_token);
   EXPECT_EQ(kFakeActiveConnectionIdLimit,
             new_params.active_connection_id_limit.value());
@@ -272,7 +287,7 @@ TEST_F(TransportParametersTest, NoClientParamsWithStatelessResetToken) {
   orig_params.perspective = Perspective::IS_CLIENT;
   orig_params.version = kFakeVersionLabel;
   orig_params.idle_timeout_milliseconds.set_value(kFakeIdleTimeoutMilliseconds);
-  orig_params.stateless_reset_token = kFakeStatelessResetToken;
+  orig_params.stateless_reset_token = CreateFakeStatelessResetToken();
   orig_params.max_packet_size.set_value(kFakeMaxPacketSize);
 
   std::vector<uint8_t> out;
@@ -543,10 +558,11 @@ TEST_F(TransportParametersTest, ParseServerParams) {
   EXPECT_EQ(2u, new_params.supported_versions.size());
   EXPECT_EQ(kFakeVersionLabel, new_params.supported_versions[0]);
   EXPECT_EQ(kFakeVersionLabel2, new_params.supported_versions[1]);
-  EXPECT_EQ(kFakeOriginalConnectionId, new_params.original_connection_id);
+  EXPECT_EQ(CreateFakeOriginalConnectionId(),
+            new_params.original_connection_id);
   EXPECT_EQ(kFakeIdleTimeoutMilliseconds,
             new_params.idle_timeout_milliseconds.value());
-  EXPECT_EQ(kFakeStatelessResetToken, new_params.stateless_reset_token);
+  EXPECT_EQ(CreateFakeStatelessResetToken(), new_params.stateless_reset_token);
   EXPECT_EQ(kFakeMaxPacketSize, new_params.max_packet_size.value());
   EXPECT_EQ(kFakeInitialMaxData, new_params.initial_max_data.value());
   EXPECT_EQ(kFakeInitialMaxStreamDataBidiLocal,
@@ -567,9 +583,9 @@ TEST_F(TransportParametersTest, ParseServerParams) {
             new_params.preferred_address->ipv4_socket_address);
   EXPECT_EQ(CreateFakeV6SocketAddress(),
             new_params.preferred_address->ipv6_socket_address);
-  EXPECT_EQ(kFakePreferredConnectionId,
+  EXPECT_EQ(CreateFakePreferredConnectionId(),
             new_params.preferred_address->connection_id);
-  EXPECT_EQ(kFakePreferredStatelessResetToken,
+  EXPECT_EQ(CreateFakePreferredStatelessResetToken(),
             new_params.preferred_address->stateless_reset_token);
   EXPECT_EQ(kFakeActiveConnectionIdLimit,
             new_params.active_connection_id_limit.value());
diff --git a/chromium/net/third_party/quiche/src/quic/core/frames/quic_ack_frame.cc b/chromium/net/third_party/quiche/src/quic/core/frames/quic_ack_frame.cc
index 389f1c04a0a..2946c01af8b 100644
--- a/chromium/net/third_party/quiche/src/quic/core/frames/quic_ack_frame.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/frames/quic_ack_frame.cc
@@ -15,13 +15,6 @@ namespace {
 
 const QuicPacketCount kMaxPrintRange = 128;
 
-uint64_t PacketNumberIntervalLength(
-    const QuicInterval<QuicPacketNumber>& interval) {
-  if (interval.Empty()) {
-    return 0u;
-  }
-  return interval.max() - interval.min();
-}
 }  // namespace
 
 bool IsAwaitingPacket(const QuicAckFrame& ack_frame,
@@ -86,77 +79,8 @@ void PacketNumberQueue::Add(QuicPacketNumber packet_number) {
   if (!packet_number.IsInitialized()) {
     return;
   }
-  // Check if the deque is empty
-  if (packet_number_deque_.empty()) {
-    packet_number_deque_.push_front(
-        QuicInterval<QuicPacketNumber>(packet_number, packet_number + 1));
-    return;
-  }
-  QuicInterval<QuicPacketNumber> back = packet_number_deque_.back();
-
-  // Check for the typical case,
-  // when the next packet in order is acked
-  if (back.max() == packet_number) {
-    packet_number_deque_.back().SetMax(packet_number + 1);
-    return;
-  }
-  // Check if the next packet in order is skipped
-  if (back.max() < packet_number) {
-    packet_number_deque_.push_back(
-        QuicInterval<QuicPacketNumber>(packet_number, packet_number + 1));
-    return;
-  }
-
-  QuicInterval<QuicPacketNumber> front = packet_number_deque_.front();
-  // Check if the packet can be  popped on the front
-  if (front.min() > packet_number + 1) {
-    packet_number_deque_.push_front(
-        QuicInterval<QuicPacketNumber>(packet_number, packet_number + 1));
-    return;
-  }
-  if (front.min() == packet_number + 1) {
-    packet_number_deque_.front().SetMin(packet_number);
-    return;
-  }
-
-  int i = packet_number_deque_.size() - 1;
-  // Iterating through the queue backwards
-  // to find a proper place for the packet
-  while (i >= 0) {
-    QuicInterval<QuicPacketNumber> packet_interval = packet_number_deque_[i];
-    DCHECK(packet_interval.min() < packet_interval.max());
-    // Check if the packet is contained in an interval already
-    if (packet_interval.Contains(packet_number)) {
-      return;
-    }
-
-    // Check if the packet can extend an interval.
-    if (packet_interval.max() == packet_number) {
-      packet_number_deque_[i].SetMax(packet_number + 1);
-      return;
-    }
-    // Check if the packet can extend an interval
-    // and merge two intervals if needed.
-    // There is no need to merge an interval in the previous
-    // if statement, as all merges will happen here.
-    if (packet_interval.min() == packet_number + 1) {
-      packet_number_deque_[i].SetMin(packet_number);
-      if (i > 0 && packet_number == packet_number_deque_[i - 1].max()) {
-        packet_number_deque_[i - 1].SetMax(packet_interval.max());
-        packet_number_deque_.erase(packet_number_deque_.begin() + i);
-      }
-      return;
-    }
-
-    // Check if we need to make a new interval for the packet
-    if (packet_interval.max() < packet_number + 1) {
-      packet_number_deque_.insert(
-          packet_number_deque_.begin() + i + 1,
-          QuicInterval<QuicPacketNumber>(packet_number, packet_number + 1));
-      return;
-    }
-    i--;
-  }
+  packet_number_intervals_.AddOptimizedForAppend(packet_number,
+                                                 packet_number + 1);
 }
 
 void PacketNumberQueue::AddRange(QuicPacketNumber lower,
@@ -164,136 +88,81 @@ void PacketNumberQueue::AddRange(QuicPacketNumber lower,
   if (!lower.IsInitialized() || !higher.IsInitialized() || lower >= higher) {
     return;
   }
-  if (packet_number_deque_.empty()) {
-    packet_number_deque_.push_front(
-        QuicInterval<QuicPacketNumber>(lower, higher));
-    return;
-  }
-  QuicInterval<QuicPacketNumber> back = packet_number_deque_.back();
 
-  if (back.max() == lower) {
-    // Check for the typical case,
-    // when the next packet in order is acked
-    packet_number_deque_.back().SetMax(higher);
-    return;
-  }
-  if (back.max() < lower) {
-    // Check if the next packet in order is skipped
-    packet_number_deque_.push_back(
-        QuicInterval<QuicPacketNumber>(lower, higher));
-    return;
-  }
-  QuicInterval<QuicPacketNumber> front = packet_number_deque_.front();
-  // Check if the packets are being added in reverse order
-  if (front.min() == higher) {
-    packet_number_deque_.front().SetMin(lower);
-  } else if (front.min() > higher) {
-    packet_number_deque_.push_front(
-        QuicInterval<QuicPacketNumber>(lower, higher));
-
-  } else {
-    // Ranges must be above or below all existing ranges.
-    QUIC_BUG << "AddRange only supports adding packets above or below the "
-             << "current min:" << Min() << " and max:" << Max()
-             << ", but adding [" << lower << "," << higher << ")";
-  }
+  packet_number_intervals_.AddOptimizedForAppend(lower, higher);
 }
 
 bool PacketNumberQueue::RemoveUpTo(QuicPacketNumber higher) {
   if (!higher.IsInitialized() || Empty()) {
     return false;
   }
-  const QuicPacketNumber old_min = Min();
-  while (!packet_number_deque_.empty()) {
-    QuicInterval<QuicPacketNumber> front = packet_number_deque_.front();
-    if (front.max() < higher) {
-      packet_number_deque_.pop_front();
-    } else if (front.min() < higher && front.max() >= higher) {
-      packet_number_deque_.front().SetMin(higher);
-      if (front.max() == higher) {
-        packet_number_deque_.pop_front();
-      }
-      break;
-    } else {
-      break;
-    }
-  }
-
-  return Empty() || old_min != Min();
+  return packet_number_intervals_.TrimLessThan(higher);
 }
 
 void PacketNumberQueue::RemoveSmallestInterval() {
-  QUIC_BUG_IF(packet_number_deque_.size() < 2)
+  // TODO(wub): Move this QUIC_BUG to upper level.
+  QUIC_BUG_IF(packet_number_intervals_.Size() < 2)
       << (Empty() ? "No intervals to remove."
                   : "Can't remove the last interval.");
-  packet_number_deque_.pop_front();
+  packet_number_intervals_.PopFront();
 }
 
 void PacketNumberQueue::Clear() {
-  packet_number_deque_.clear();
+  packet_number_intervals_.Clear();
 }
 
 bool PacketNumberQueue::Contains(QuicPacketNumber packet_number) const {
-  if (!packet_number.IsInitialized() || packet_number_deque_.empty()) {
-    return false;
-  }
-  if (packet_number_deque_.front().min() > packet_number ||
-      packet_number_deque_.back().max() <= packet_number) {
+  if (!packet_number.IsInitialized()) {
     return false;
   }
-  for (QuicInterval<QuicPacketNumber> interval : packet_number_deque_) {
-    if (interval.Contains(packet_number)) {
-      return true;
-    }
-  }
-  return false;
+  return packet_number_intervals_.Contains(packet_number);
 }
 
 bool PacketNumberQueue::Empty() const {
-  return packet_number_deque_.empty();
+  return packet_number_intervals_.Empty();
 }
 
 QuicPacketNumber PacketNumberQueue::Min() const {
   DCHECK(!Empty());
-  return packet_number_deque_.front().min();
+  return packet_number_intervals_.begin()->min();
 }
 
 QuicPacketNumber PacketNumberQueue::Max() const {
   DCHECK(!Empty());
-  return packet_number_deque_.back().max() - 1;
+  return packet_number_intervals_.rbegin()->max() - 1;
 }
 
 QuicPacketCount PacketNumberQueue::NumPacketsSlow() const {
   QuicPacketCount n_packets = 0;
-  for (QuicInterval<QuicPacketNumber> interval : packet_number_deque_) {
-    n_packets += PacketNumberIntervalLength(interval);
+  for (const auto& interval : packet_number_intervals_) {
+    n_packets += interval.Length();
   }
   return n_packets;
 }
 
 size_t PacketNumberQueue::NumIntervals() const {
-  return packet_number_deque_.size();
+  return packet_number_intervals_.Size();
 }
 
 PacketNumberQueue::const_iterator PacketNumberQueue::begin() const {
-  return packet_number_deque_.begin();
+  return packet_number_intervals_.begin();
 }
 
 PacketNumberQueue::const_iterator PacketNumberQueue::end() const {
-  return packet_number_deque_.end();
+  return packet_number_intervals_.end();
 }
 
 PacketNumberQueue::const_reverse_iterator PacketNumberQueue::rbegin() const {
-  return packet_number_deque_.rbegin();
+  return packet_number_intervals_.rbegin();
 }
 
 PacketNumberQueue::const_reverse_iterator PacketNumberQueue::rend() const {
-  return packet_number_deque_.rend();
+  return packet_number_intervals_.rend();
 }
 
 QuicPacketCount PacketNumberQueue::LastIntervalLength() const {
   DCHECK(!Empty());
-  return PacketNumberIntervalLength(packet_number_deque_.back());
+  return packet_number_intervals_.rbegin()->Length();
 }
 
 // Largest min...max range for packet numbers where we print the numbers
diff --git a/chromium/net/third_party/quiche/src/quic/core/frames/quic_ack_frame.h b/chromium/net/third_party/quiche/src/quic/core/frames/quic_ack_frame.h
index 771d93e3285..9003c76e3d3 100644
--- a/chromium/net/third_party/quiche/src/quic/core/frames/quic_ack_frame.h
+++ b/chromium/net/third_party/quiche/src/quic/core/frames/quic_ack_frame.h
@@ -8,6 +8,7 @@
 #include <ostream>
 
 #include "net/third_party/quiche/src/quic/core/quic_interval.h"
+#include "net/third_party/quiche/src/quic/core/quic_interval_set.h"
 #include "net/third_party/quiche/src/quic/core/quic_types.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_containers.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_export.h"
@@ -28,16 +29,16 @@ class QUIC_EXPORT_PRIVATE PacketNumberQueue {
   PacketNumberQueue& operator=(const PacketNumberQueue& other);
   PacketNumberQueue& operator=(PacketNumberQueue&& other);
 
-  typedef QuicDeque<QuicInterval<QuicPacketNumber>>::const_iterator
-      const_iterator;
-  typedef QuicDeque<QuicInterval<QuicPacketNumber>>::const_reverse_iterator
+  typedef QuicIntervalSet<QuicPacketNumber>::const_iterator const_iterator;
+  typedef QuicIntervalSet<QuicPacketNumber>::const_reverse_iterator
       const_reverse_iterator;
 
   // Adds |packet_number| to the set of packets in the queue.
   void Add(QuicPacketNumber packet_number);
 
-  // Adds packets between [lower, higher) to the set of packets in the queue. It
-  // is undefined behavior to call this with |higher| < |lower|.
+  // Adds packets between [lower, higher) to the set of packets in the queue.
+  // No-op if |higher| < |lower|.
+  // NOTE(wub): Only used in tests as of Nov 2019.
   void AddRange(QuicPacketNumber lower, QuicPacketNumber higher);
 
   // Removes packets with values less than |higher| from the set of packets in
@@ -86,7 +87,7 @@ class QUIC_EXPORT_PRIVATE PacketNumberQueue {
       const PacketNumberQueue& q);
 
  private:
-  QuicDeque<QuicInterval<QuicPacketNumber>> packet_number_deque_;
+  QuicIntervalSet<QuicPacketNumber> packet_number_intervals_;
 };
 
 struct QUIC_EXPORT_PRIVATE QuicAckFrame {
diff --git a/chromium/net/third_party/quiche/src/quic/core/frames/quic_frame.cc b/chromium/net/third_party/quiche/src/quic/core/frames/quic_frame.cc
index 5e85fc0b4e3..e640179c460 100644
--- a/chromium/net/third_party/quiche/src/quic/core/frames/quic_frame.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/frames/quic_frame.cc
@@ -254,6 +254,101 @@ QuicFrame CopyRetransmittableControlFrame(const QuicFrame& frame) {
   return copy;
 }
 
+QuicFrame CopyQuicFrame(QuicBufferAllocator* allocator,
+                        const QuicFrame& frame) {
+  QuicFrame copy;
+  switch (frame.type) {
+    case PADDING_FRAME:
+      copy = QuicFrame(QuicPaddingFrame(frame.padding_frame));
+      break;
+    case RST_STREAM_FRAME:
+      copy = QuicFrame(new QuicRstStreamFrame(*frame.rst_stream_frame));
+      break;
+    case CONNECTION_CLOSE_FRAME:
+      copy = QuicFrame(
+          new QuicConnectionCloseFrame(*frame.connection_close_frame));
+      break;
+    case GOAWAY_FRAME:
+      copy = QuicFrame(new QuicGoAwayFrame(*frame.goaway_frame));
+      break;
+    case WINDOW_UPDATE_FRAME:
+      copy = QuicFrame(new QuicWindowUpdateFrame(*frame.window_update_frame));
+      break;
+    case BLOCKED_FRAME:
+      copy = QuicFrame(new QuicBlockedFrame(*frame.blocked_frame));
+      break;
+    case STOP_WAITING_FRAME:
+      copy = QuicFrame(QuicStopWaitingFrame(frame.stop_waiting_frame));
+      break;
+    case PING_FRAME:
+      copy = QuicFrame(QuicPingFrame(frame.ping_frame.control_frame_id));
+      break;
+    case CRYPTO_FRAME:
+      copy = QuicFrame(new QuicCryptoFrame(*frame.crypto_frame));
+      break;
+    case STREAM_FRAME:
+      copy = QuicFrame(QuicStreamFrame(frame.stream_frame));
+      break;
+    case ACK_FRAME:
+      copy = QuicFrame(new QuicAckFrame(*frame.ack_frame));
+      break;
+    case MTU_DISCOVERY_FRAME:
+      copy = QuicFrame(QuicMtuDiscoveryFrame(frame.mtu_discovery_frame));
+      break;
+    case NEW_CONNECTION_ID_FRAME:
+      copy = QuicFrame(
+          new QuicNewConnectionIdFrame(*frame.new_connection_id_frame));
+      break;
+    case MAX_STREAMS_FRAME:
+      copy = QuicFrame(QuicMaxStreamsFrame(frame.max_streams_frame));
+      break;
+    case STREAMS_BLOCKED_FRAME:
+      copy = QuicFrame(QuicStreamsBlockedFrame(frame.streams_blocked_frame));
+      break;
+    case PATH_RESPONSE_FRAME:
+      copy = QuicFrame(new QuicPathResponseFrame(*frame.path_response_frame));
+      break;
+    case PATH_CHALLENGE_FRAME:
+      copy = QuicFrame(new QuicPathChallengeFrame(*frame.path_challenge_frame));
+      break;
+    case STOP_SENDING_FRAME:
+      copy = QuicFrame(new QuicStopSendingFrame(*frame.stop_sending_frame));
+      break;
+    case MESSAGE_FRAME:
+      copy = QuicFrame(new QuicMessageFrame(frame.message_frame->message_id));
+      copy.message_frame->data = frame.message_frame->data;
+      copy.message_frame->message_length = frame.message_frame->message_length;
+      for (const auto& slice : frame.message_frame->message_data) {
+        QuicMemSlice copy_slice(allocator, slice.length());
+        memcpy(const_cast<char*>(copy_slice.data()), slice.data(),
+               slice.length());
+        copy.message_frame->message_data.push_back(std::move(copy_slice));
+      }
+      break;
+    case NEW_TOKEN_FRAME:
+      copy = QuicFrame(new QuicNewTokenFrame(*frame.new_token_frame));
+      break;
+    case RETIRE_CONNECTION_ID_FRAME:
+      copy = QuicFrame(
+          new QuicRetireConnectionIdFrame(*frame.retire_connection_id_frame));
+      break;
+    default:
+      QUIC_BUG << "Cannot copy frame: " << frame;
+      copy = QuicFrame(QuicPingFrame(kInvalidControlFrameId));
+      break;
+  }
+  return copy;
+}
+
+QuicFrames CopyQuicFrames(QuicBufferAllocator* allocator,
+                          const QuicFrames& frames) {
+  QuicFrames copy;
+  for (const auto& frame : frames) {
+    copy.push_back(CopyQuicFrame(allocator, frame));
+  }
+  return copy;
+}
+
 std::ostream& operator<<(std::ostream& os, const QuicFrame& frame) {
   switch (frame.type) {
     case PADDING_FRAME: {
diff --git a/chromium/net/third_party/quiche/src/quic/core/frames/quic_frame.h b/chromium/net/third_party/quiche/src/quic/core/frames/quic_frame.h
index 1fa9e01af56..226cbfb2d83 100644
--- a/chromium/net/third_party/quiche/src/quic/core/frames/quic_frame.h
+++ b/chromium/net/third_party/quiche/src/quic/core/frames/quic_frame.h
@@ -140,6 +140,14 @@ QUIC_EXPORT_PRIVATE void SetControlFrameId(QuicControlFrameId control_frame_id,
 QUIC_EXPORT_PRIVATE QuicFrame
 CopyRetransmittableControlFrame(const QuicFrame& frame);
 
+// Returns a copy of |frame|.
+QUIC_EXPORT_PRIVATE QuicFrame CopyQuicFrame(QuicBufferAllocator* allocator,
+                                            const QuicFrame& frame);
+
+// Returns a copy of |frames|.
+QUIC_EXPORT_PRIVATE QuicFrames CopyQuicFrames(QuicBufferAllocator* allocator,
+                                              const QuicFrames& frames);
+
 // Human-readable description suitable for logging.
 QUIC_EXPORT_PRIVATE std::string QuicFramesToString(const QuicFrames& frames);
 
diff --git a/chromium/net/third_party/quiche/src/quic/core/frames/quic_frames_test.cc b/chromium/net/third_party/quiche/src/quic/core/frames/quic_frames_test.cc
index 8492a0c5112..1764e170f03 100644
--- a/chromium/net/third_party/quiche/src/quic/core/frames/quic_frames_test.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/frames/quic_frames_test.cc
@@ -204,9 +204,9 @@ TEST_F(QuicFramesTest, WindowUpdateFrameToString) {
   EXPECT_EQ(3u, GetControlFrameId(frame));
   std::ostringstream stream;
   window_update.stream_id = 1;
-  window_update.byte_offset = 2;
+  window_update.max_data = 2;
   stream << window_update;
-  EXPECT_EQ("{ control_frame_id: 3, stream_id: 1, byte_offset: 2 }\n",
+  EXPECT_EQ("{ control_frame_id: 3, stream_id: 1, max_data: 2 }\n",
             stream.str());
   EXPECT_TRUE(IsControlFrame(frame.type));
 }
@@ -376,30 +376,27 @@ TEST_F(QuicFramesTest, AddInterval) {
   EXPECT_EQ(QuicPacketNumber(1u), ack_frame1.packets.Min());
   EXPECT_EQ(QuicPacketNumber(99u), ack_frame1.packets.Max());
 
-  std::vector<QuicInterval<QuicPacketNumber>> expected_intervals;
-  expected_intervals.emplace_back(QuicInterval<QuicPacketNumber>(
-      QuicPacketNumber(1), QuicPacketNumber(10)));
-  expected_intervals.emplace_back(QuicInterval<QuicPacketNumber>(
-      QuicPacketNumber(50), QuicPacketNumber(100)));
+  std::vector<QuicInterval<QuicPacketNumber>> expected_intervals{
+      {QuicPacketNumber(1), QuicPacketNumber(10)},
+      {QuicPacketNumber(50), QuicPacketNumber(100)},
+  };
 
   const std::vector<QuicInterval<QuicPacketNumber>> actual_intervals(
       ack_frame1.packets.begin(), ack_frame1.packets.end());
 
   EXPECT_EQ(expected_intervals, actual_intervals);
 
-  // Ensure adding a range within the existing ranges fails.
-  EXPECT_QUIC_BUG(
-      ack_frame1.packets.AddRange(QuicPacketNumber(20), QuicPacketNumber(30)),
-      "");
+  // Add a range in the middle.
+  ack_frame1.packets.AddRange(QuicPacketNumber(20), QuicPacketNumber(30));
 
   const std::vector<QuicInterval<QuicPacketNumber>> actual_intervals2(
       ack_frame1.packets.begin(), ack_frame1.packets.end());
 
-  std::vector<QuicInterval<QuicPacketNumber>> expected_intervals2;
-  expected_intervals2.emplace_back(QuicInterval<QuicPacketNumber>(
-      QuicPacketNumber(1), QuicPacketNumber(10)));
-  expected_intervals2.emplace_back(QuicInterval<QuicPacketNumber>(
-      QuicPacketNumber(50), QuicPacketNumber(100)));
+  std::vector<QuicInterval<QuicPacketNumber>> expected_intervals2{
+      {QuicPacketNumber(1), QuicPacketNumber(10)},
+      {QuicPacketNumber(20), QuicPacketNumber(30)},
+      {QuicPacketNumber(50), QuicPacketNumber(100)},
+  };
 
   EXPECT_EQ(expected_intervals2.size(), ack_frame1.packets.NumIntervals());
   EXPECT_EQ(expected_intervals2, actual_intervals2);
@@ -415,17 +412,13 @@ TEST_F(QuicFramesTest, AddInterval) {
   const std::vector<QuicInterval<QuicPacketNumber>> actual_intervals8(
       ack_frame2.packets.begin(), ack_frame2.packets.end());
 
-  std::vector<QuicInterval<QuicPacketNumber>> expected_intervals8;
-  expected_intervals8.emplace_back(QuicInterval<QuicPacketNumber>(
-      QuicPacketNumber(10), QuicPacketNumber(15)));
-  expected_intervals8.emplace_back(QuicInterval<QuicPacketNumber>(
-      QuicPacketNumber(20), QuicPacketNumber(25)));
-  expected_intervals8.emplace_back(QuicInterval<QuicPacketNumber>(
-      QuicPacketNumber(40), QuicPacketNumber(45)));
-  expected_intervals8.emplace_back(QuicInterval<QuicPacketNumber>(
-      QuicPacketNumber(60), QuicPacketNumber(65)));
-  expected_intervals8.emplace_back(QuicInterval<QuicPacketNumber>(
-      QuicPacketNumber(80), QuicPacketNumber(85)));
+  std::vector<QuicInterval<QuicPacketNumber>> expected_intervals8{
+      {QuicPacketNumber(10), QuicPacketNumber(15)},
+      {QuicPacketNumber(20), QuicPacketNumber(25)},
+      {QuicPacketNumber(40), QuicPacketNumber(45)},
+      {QuicPacketNumber(60), QuicPacketNumber(65)},
+      {QuicPacketNumber(80), QuicPacketNumber(85)},
+  };
 
   EXPECT_EQ(expected_intervals8, actual_intervals8);
 }
@@ -481,6 +474,104 @@ TEST_F(QuicFramesTest, RemoveSmallestInterval) {
   EXPECT_EQ(QuicPacketNumber(99u), ack_frame1.packets.Max());
 }
 
+TEST_F(QuicFramesTest, CopyQuicFrames) {
+  QuicFrames frames;
+  SimpleBufferAllocator allocator;
+  QuicMemSliceStorage storage(nullptr, 0, nullptr, 0);
+  QuicMessageFrame* message_frame =
+      new QuicMessageFrame(1, MakeSpan(&allocator, "message", &storage));
+  // Construct a frame list.
+  for (uint8_t i = 0; i < NUM_FRAME_TYPES; ++i) {
+    switch (i) {
+      case PADDING_FRAME:
+        frames.push_back(QuicFrame(QuicPaddingFrame(-1)));
+        break;
+      case RST_STREAM_FRAME:
+        frames.push_back(QuicFrame(new QuicRstStreamFrame()));
+        break;
+      case CONNECTION_CLOSE_FRAME:
+        frames.push_back(QuicFrame(new QuicConnectionCloseFrame()));
+        break;
+      case GOAWAY_FRAME:
+        frames.push_back(QuicFrame(new QuicGoAwayFrame()));
+        break;
+      case WINDOW_UPDATE_FRAME:
+        frames.push_back(QuicFrame(new QuicWindowUpdateFrame()));
+        break;
+      case BLOCKED_FRAME:
+        frames.push_back(QuicFrame(new QuicBlockedFrame()));
+        break;
+      case STOP_WAITING_FRAME:
+        frames.push_back(QuicFrame(QuicStopWaitingFrame()));
+        break;
+      case PING_FRAME:
+        frames.push_back(QuicFrame(QuicPingFrame()));
+        break;
+      case CRYPTO_FRAME:
+        frames.push_back(QuicFrame(new QuicCryptoFrame()));
+        break;
+      case STREAM_FRAME:
+        frames.push_back(QuicFrame(QuicStreamFrame()));
+        break;
+      case ACK_FRAME:
+        frames.push_back(QuicFrame(new QuicAckFrame()));
+        break;
+      case MTU_DISCOVERY_FRAME:
+        frames.push_back(QuicFrame(QuicMtuDiscoveryFrame()));
+        break;
+      case NEW_CONNECTION_ID_FRAME:
+        frames.push_back(QuicFrame(new QuicNewConnectionIdFrame()));
+        break;
+      case MAX_STREAMS_FRAME:
+        frames.push_back(QuicFrame(QuicMaxStreamsFrame()));
+        break;
+      case STREAMS_BLOCKED_FRAME:
+        frames.push_back(QuicFrame(QuicStreamsBlockedFrame()));
+        break;
+      case PATH_RESPONSE_FRAME:
+        frames.push_back(QuicFrame(new QuicPathResponseFrame()));
+        break;
+      case PATH_CHALLENGE_FRAME:
+        frames.push_back(QuicFrame(new QuicPathChallengeFrame()));
+        break;
+      case STOP_SENDING_FRAME:
+        frames.push_back(QuicFrame(new QuicStopSendingFrame()));
+        break;
+      case MESSAGE_FRAME:
+        frames.push_back(QuicFrame(message_frame));
+        break;
+      case NEW_TOKEN_FRAME:
+        frames.push_back(QuicFrame(new QuicNewTokenFrame()));
+        break;
+      case RETIRE_CONNECTION_ID_FRAME:
+        frames.push_back(QuicFrame(new QuicRetireConnectionIdFrame()));
+        break;
+      default:
+        ASSERT_TRUE(false)
+            << "Please fix CopyQuicFrames if a new frame type is added.";
+        break;
+    }
+  }
+
+  QuicFrames copy = CopyQuicFrames(&allocator, frames);
+  ASSERT_EQ(NUM_FRAME_TYPES, copy.size());
+  for (uint8_t i = 0; i < NUM_FRAME_TYPES; ++i) {
+    EXPECT_EQ(i, copy[i].type);
+    if (i != MESSAGE_FRAME) {
+      continue;
+    }
+    // Verify message frame is correctly copied.
+    EXPECT_EQ(1u, copy[i].message_frame->message_id);
+    EXPECT_EQ(nullptr, copy[i].message_frame->data);
+    EXPECT_EQ(7u, copy[i].message_frame->message_length);
+    ASSERT_EQ(1u, copy[i].message_frame->message_data.size());
+    EXPECT_EQ(0, memcmp(copy[i].message_frame->message_data[0].data(),
+                        frames[i].message_frame->message_data[0].data(), 7));
+  }
+  DeleteFrames(&frames);
+  DeleteFrames(&copy);
+}
+
 class PacketNumberQueueTest : public QuicTest {};
 
 // Tests that a queue contains the expected data after calls to Add().
diff --git a/chromium/net/third_party/quiche/src/quic/core/frames/quic_stream_frame.cc b/chromium/net/third_party/quiche/src/quic/core/frames/quic_stream_frame.cc
index b9413c7e271..d0e65d20d13 100644
--- a/chromium/net/third_party/quiche/src/quic/core/frames/quic_stream_frame.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/frames/quic_stream_frame.cc
@@ -43,4 +43,14 @@ std::ostream& operator<<(std::ostream& os,
   return os;
 }
 
+bool QuicStreamFrame::operator==(const QuicStreamFrame& rhs) const {
+  return fin == rhs.fin && data_length == rhs.data_length &&
+         stream_id == rhs.stream_id && data_buffer == rhs.data_buffer &&
+         offset == rhs.offset;
+}
+
+bool QuicStreamFrame::operator!=(const QuicStreamFrame& rhs) const {
+  return !(*this == rhs);
+}
+
 }  // namespace quic
diff --git a/chromium/net/third_party/quiche/src/quic/core/frames/quic_stream_frame.h b/chromium/net/third_party/quiche/src/quic/core/frames/quic_stream_frame.h
index 6cd510d41f5..5c5323b2d57 100644
--- a/chromium/net/third_party/quiche/src/quic/core/frames/quic_stream_frame.h
+++ b/chromium/net/third_party/quiche/src/quic/core/frames/quic_stream_frame.h
@@ -31,6 +31,10 @@ struct QUIC_EXPORT_PRIVATE QuicStreamFrame
   friend QUIC_EXPORT_PRIVATE std::ostream& operator<<(std::ostream& os,
                                                       const QuicStreamFrame& s);
 
+  bool operator==(const QuicStreamFrame& rhs) const;
+
+  bool operator!=(const QuicStreamFrame& rhs) const;
+
   bool fin;
   QuicPacketLength data_length;
   QuicStreamId stream_id;
diff --git a/chromium/net/third_party/quiche/src/quic/core/frames/quic_window_update_frame.cc b/chromium/net/third_party/quiche/src/quic/core/frames/quic_window_update_frame.cc
index 07e31687fbd..81ca125b64c 100644
--- a/chromium/net/third_party/quiche/src/quic/core/frames/quic_window_update_frame.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/frames/quic_window_update_frame.cc
@@ -13,16 +13,16 @@ QuicWindowUpdateFrame::QuicWindowUpdateFrame()
 QuicWindowUpdateFrame::QuicWindowUpdateFrame(
     QuicControlFrameId control_frame_id,
     QuicStreamId stream_id,
-    QuicStreamOffset byte_offset)
+    QuicByteCount max_data)
     : control_frame_id(control_frame_id),
       stream_id(stream_id),
-      byte_offset(byte_offset) {}
+      max_data(max_data) {}
 
 std::ostream& operator<<(std::ostream& os,
                          const QuicWindowUpdateFrame& window_update_frame) {
   os << "{ control_frame_id: " << window_update_frame.control_frame_id
      << ", stream_id: " << window_update_frame.stream_id
-     << ", byte_offset: " << window_update_frame.byte_offset << " }\n";
+     << ", max_data: " << window_update_frame.max_data << " }\n";
   return os;
 }
 
diff --git a/chromium/net/third_party/quiche/src/quic/core/frames/quic_window_update_frame.h b/chromium/net/third_party/quiche/src/quic/core/frames/quic_window_update_frame.h
index 73163cecb19..ff4478528dd 100644
--- a/chromium/net/third_party/quiche/src/quic/core/frames/quic_window_update_frame.h
+++ b/chromium/net/third_party/quiche/src/quic/core/frames/quic_window_update_frame.h
@@ -12,15 +12,13 @@
 namespace quic {
 
 // Flow control updates per-stream and at the connection level.
-// Based on SPDY's WINDOW_UPDATE frame, but uses an absolute byte offset rather
-// than a window delta.
-// TODO(rjshade): A possible future optimization is to make stream_id and
-//                byte_offset variable length, similar to stream frames.
+// Based on SPDY's WINDOW_UPDATE frame, but uses an absolute max data bytes
+// rather than a window delta.
 struct QUIC_EXPORT_PRIVATE QuicWindowUpdateFrame {
   QuicWindowUpdateFrame();
   QuicWindowUpdateFrame(QuicControlFrameId control_frame_id,
                         QuicStreamId stream_id,
-                        QuicStreamOffset byte_offset);
+                        QuicByteCount max_data);
 
   friend QUIC_EXPORT_PRIVATE std::ostream& operator<<(
       std::ostream& os,
@@ -34,13 +32,9 @@ struct QUIC_EXPORT_PRIVATE QuicWindowUpdateFrame {
   // connection rather than a specific stream.
   QuicStreamId stream_id;
 
-  // Byte offset in the stream or connection. The receiver of this frame must
-  // not send data which would result in this offset being exceeded.
-  //
-  // TODO(fkastenholz): Rename this to max_data and change the type to
-  // QuicByteCount because the IETF defines this as the "maximum
-  // amount of data that can be sent".
-  QuicStreamOffset byte_offset;
+  // Maximum data allowed in the stream or connection. The receiver of this
+  // frame must not send data which would exceedes this restriction.
+  QuicByteCount max_data;
 };
 
 }  // namespace quic
diff --git a/chromium/net/third_party/quiche/src/quic/core/handshaker_delegate_interface.h b/chromium/net/third_party/quiche/src/quic/core/handshaker_delegate_interface.h
new file mode 100644
index 00000000000..9eae32ab8cf
--- /dev/null
+++ b/chromium/net/third_party/quiche/src/quic/core/handshaker_delegate_interface.h
@@ -0,0 +1,53 @@
+// Copyright (c) 2019 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef QUICHE_QUIC_CORE_HANDSHAKER_DELEGATE_INTERFACE_H_
+#define QUICHE_QUIC_CORE_HANDSHAKER_DELEGATE_INTERFACE_H_
+
+#include "net/third_party/quiche/src/quic/core/quic_types.h"
+
+namespace quic {
+
+class QuicDecrypter;
+class QuicEncrypter;
+
+// Pure virtual class to get notified when particular handshake events occurred.
+class QUIC_EXPORT_PRIVATE HandshakerDelegateInterface {
+ public:
+  virtual ~HandshakerDelegateInterface() {}
+
+  // Called when new keys are available.
+  virtual void OnNewKeysAvailable(EncryptionLevel level,
+                                  std::unique_ptr<QuicDecrypter> decrypter,
+                                  bool set_alternative_decrypter,
+                                  bool latch_once_used,
+                                  std::unique_ptr<QuicEncrypter> encrypter) = 0;
+
+  // Called to set default encryption level to |level|.
+  virtual void SetDefaultEncryptionLevel(EncryptionLevel level) = 0;
+
+  // Called to discard old decryption keys to stop processing packets of
+  // encryption |level|.
+  virtual void DiscardOldDecryptionKey(EncryptionLevel level) = 0;
+
+  // Called to discard old encryption keys (and neuter obsolete data).
+  // TODO(fayang): consider to combine this with DiscardOldDecryptionKey.
+  virtual void DiscardOldEncryptionKey(EncryptionLevel level) = 0;
+
+  // Called to neuter ENCRYPTION_INITIAL data (without discarding initial keys).
+  virtual void NeuterUnencryptedData() = 0;
+
+  // Called to neuter data of HANDSHAKE_DATA packet number space. In QUIC
+  // crypto, this is called 1) when a client switches to forward secure
+  // encryption level and 2) a server successfully processes a forward secure
+  // packet. Temporarily use this method in TLS handshake when both endpoints
+  // switch to forward secure encryption level.
+  // TODO(fayang): use DiscardOldEncryptionKey instead of this method in TLS
+  // handshake when handshake key discarding settles down.
+  virtual void NeuterHandshakeData() = 0;
+};
+
+}  // namespace quic
+
+#endif  // QUICHE_QUIC_CORE_HANDSHAKER_DELEGATE_INTERFACE_H_
diff --git a/chromium/net/third_party/quiche/src/quic/core/http/end_to_end_test.cc b/chromium/net/third_party/quiche/src/quic/core/http/end_to_end_test.cc
index e7d0329b2af..df2b458d588 100644
--- a/chromium/net/third_party/quiche/src/quic/core/http/end_to_end_test.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/http/end_to_end_test.cc
@@ -14,7 +14,6 @@
 #include "net/third_party/quiche/src/quic/core/crypto/null_encrypter.h"
 #include "net/third_party/quiche/src/quic/core/http/http_constants.h"
 #include "net/third_party/quiche/src/quic/core/http/quic_spdy_client_stream.h"
-#include "net/third_party/quiche/src/quic/core/qpack/qpack_encoder_test_utils.h"
 #include "net/third_party/quiche/src/quic/core/quic_data_writer.h"
 #include "net/third_party/quiche/src/quic/core/quic_epoll_connection_helper.h"
 #include "net/third_party/quiche/src/quic/core/quic_error_codes.h"
@@ -42,6 +41,8 @@
 #include "net/third_party/quiche/src/quic/test_tools/crypto_test_utils.h"
 #include "net/third_party/quiche/src/quic/test_tools/packet_dropping_test_writer.h"
 #include "net/third_party/quiche/src/quic/test_tools/packet_reordering_writer.h"
+#include "net/third_party/quiche/src/quic/test_tools/qpack/qpack_encoder_test_utils.h"
+#include "net/third_party/quiche/src/quic/test_tools/qpack/qpack_test_utils.h"
 #include "net/third_party/quiche/src/quic/test_tools/quic_client_peer.h"
 #include "net/third_party/quiche/src/quic/test_tools/quic_config_peer.h"
 #include "net/third_party/quiche/src/quic/test_tools/quic_connection_peer.h"
@@ -66,7 +67,6 @@
 #include "net/third_party/quiche/src/quic/tools/quic_simple_server_stream.h"
 
 using spdy::kV3LowestPriority;
-using spdy::SETTINGS_MAX_HEADER_LIST_SIZE;
 using spdy::SpdyFramer;
 using spdy::SpdyHeaderBlock;
 using spdy::SpdySerializedFrame;
@@ -141,12 +141,12 @@ std::vector<TestParams> GetTestParams(bool use_tls_handshake) {
   ParsedQuicVersionVector all_supported_versions =
       FilterSupportedVersions(AllSupportedVersions());
 
-  // Buckets are separated by versions: versions prior to QUIC_VERSION_47 use
+  // Buckets are separated by versions: versions without crypto frames use
   // STREAM frames for the handshake, and only have QUIC crypto as the handshake
-  // protocol. Version 47 and greater use CRYPTO frames for the handshake, and
-  // must also be split based on the handshake protocol. If the handshake
-  // protocol (QUIC crypto or TLS) changes, the ClientHello/CHLO must be
-  // reconstructed for the correct protocol.
+  // protocol. Versions that use CRYPTO frames for the handshake must also be
+  // split based on the handshake protocol. If the handshake protocol (QUIC
+  // crypto or TLS) changes, the ClientHello/CHLO must be reconstructed for the
+  // correct protocol.
   ParsedQuicVersionVector version_buckets[3];
 
   for (const ParsedQuicVersion& version : all_supported_versions) {
@@ -248,7 +248,6 @@ class EndToEndTest : public QuicTestWithParam<TestParams> {
         support_server_push_(false),
         expected_server_connection_id_length_(kQuicDefaultConnectionIdLength) {
     SetQuicReloadableFlag(quic_supports_tls_handshake, true);
-    SetQuicReloadableFlag(quic_simplify_stop_waiting, true);
     client_supported_versions_ = GetParam().client_supported_versions;
     server_supported_versions_ = GetParam().server_supported_versions;
     negotiated_version_ = GetParam().negotiated_version;
@@ -682,6 +681,21 @@ TEST_P(EndToEndTestWithTls, SimpleRequestResponse) {
   EXPECT_EQ("200", client_->response_headers()->find(":status")->second);
 }
 
+TEST_P(EndToEndTestWithTls, SendAndReceiveCoalescedPackets) {
+  ASSERT_TRUE(Initialize());
+  if (!GetClientConnection()->version().CanSendCoalescedPackets()) {
+    return;
+  }
+  EXPECT_EQ(kFooResponseBody, client_->SendSynchronousRequest("/foo"));
+  EXPECT_EQ("200", client_->response_headers()->find(":status")->second);
+  // Verify client successfully processes coalesced packets.
+  QuicConnectionStats client_stats = GetClientConnection()->GetStats();
+  EXPECT_LT(0u, client_stats.num_coalesced_packets_received);
+  EXPECT_EQ(client_stats.num_coalesced_packets_processed,
+            client_stats.num_coalesced_packets_received);
+  // TODO(fayang): verify server successfully processes coalesced packets.
+}
+
 // Simple transaction, but set a non-default ack delay at the client
 // and ensure it gets to the server.
 TEST_P(EndToEndTest, SimpleRequestResponseWithAckDelayChange) {
@@ -1628,8 +1642,9 @@ TEST_P(EndToEndTest, InvalidStream) {
       session, GetNthServerInitiatedBidirectionalId(0));
 
   client_->SendCustomSynchronousRequest(headers, body);
-  EXPECT_EQ(QUIC_STREAM_CONNECTION_ERROR, client_->stream_error());
-  EXPECT_EQ(QUIC_INVALID_STREAM_ID, client_->connection_error());
+  EXPECT_THAT(client_->stream_error(),
+              IsStreamError(QUIC_STREAM_CONNECTION_ERROR));
+  EXPECT_THAT(client_->connection_error(), IsError(QUIC_INVALID_STREAM_ID));
 }
 
 // Test that if the server will close the connection if the client attempts
@@ -1654,11 +1669,11 @@ TEST_P(EndToEndTest, LargeHeaders) {
                            ->client_session()
                            ->connection()
                            ->transport_version())) {
-    EXPECT_EQ(QUIC_HEADERS_STREAM_DATA_DECOMPRESS_FAILURE,
-              client_->connection_error());
+    EXPECT_THAT(client_->connection_error(),
+                IsError(QUIC_HEADERS_STREAM_DATA_DECOMPRESS_FAILURE));
   } else {
-    EXPECT_EQ(QUIC_HEADERS_TOO_LARGE, client_->stream_error());
-    EXPECT_EQ(QUIC_NO_ERROR, client_->connection_error());
+    EXPECT_THAT(client_->stream_error(), IsStreamError(QUIC_HEADERS_TOO_LARGE));
+    EXPECT_THAT(client_->connection_error(), IsQuicNoError());
   }
 }
 
@@ -1679,8 +1694,8 @@ TEST_P(EndToEndTest, EarlyResponseWithQuicStreamNoError) {
   client_->SendCustomSynchronousRequest(headers, large_body);
   EXPECT_EQ("bad", client_->response_body());
   EXPECT_EQ("500", client_->response_headers()->find(":status")->second);
-  EXPECT_EQ(QUIC_STREAM_NO_ERROR, client_->stream_error());
-  EXPECT_EQ(QUIC_NO_ERROR, client_->connection_error());
+  EXPECT_THAT(client_->stream_error(), IsQuicStreamNoError());
+  EXPECT_THAT(client_->connection_error(), IsQuicNoError());
 }
 
 // TODO(rch): this test seems to cause net_unittests timeouts :|
@@ -1726,11 +1741,13 @@ TEST_P(EndToEndTestWithTls, MaxIncomingDynamicStreamsLimitRespected) {
   ASSERT_TRUE(Initialize());
   if (VersionHasIetfQuicFrames(
           GetParam().negotiated_version.transport_version)) {
-    // Do not run this test for /IETF QUIC. Note that the test needs
-    // to be here, after calling Initialize(), because all tests end up calling
-    // EndToEndTest::TearDown(), which asserts that Initialize has been called
-    // and then proceeds to tear things down -- which fails if they are not
-    // properly set up.
+    // Do not run this test for /IETF QUIC. This test relies on the fact that
+    // Google QUIC allows a small number of additional streams beyond the
+    // negotiated limit, which is not supported in IETF QUIC. Note that the test
+    // needs to be here, after calling Initialize(), because all tests end up
+    // calling EndToEndTest::TearDown(), which asserts that Initialize has been
+    // called and then proceeds to tear things down -- which fails if they are
+    // not properly set up.
     return;
   }
   EXPECT_TRUE(client_->client()->WaitForCryptoHandshakeConfirmed());
@@ -1755,8 +1772,8 @@ TEST_P(EndToEndTestWithTls, MaxIncomingDynamicStreamsLimitRespected) {
   client_->WaitForResponse();
 
   EXPECT_TRUE(client_->connected());
-  EXPECT_EQ(QUIC_REFUSED_STREAM, client_->stream_error());
-  EXPECT_EQ(QUIC_NO_ERROR, client_->connection_error());
+  EXPECT_THAT(client_->stream_error(), IsStreamError(QUIC_REFUSED_STREAM));
+  EXPECT_THAT(client_->connection_error(), IsQuicNoError());
 }
 
 TEST_P(EndToEndTest, SetIndependentMaxIncomingDynamicStreamsLimits) {
@@ -2090,7 +2107,7 @@ TEST_P(EndToEndTestWithTls, StreamCancelErrorTest) {
   }
   // It should be completely fine to RST a stream before any data has been
   // received for that stream.
-  EXPECT_EQ(QUIC_NO_ERROR, client_->connection_error());
+  EXPECT_THAT(client_->connection_error(), IsQuicNoError());
 }
 
 TEST_P(EndToEndTest, ConnectionMigrationClientIPChanged) {
@@ -2604,7 +2621,7 @@ TEST_P(EndToEndTestWithTls, ServerSendPublicReset) {
   // The request should fail.
   EXPECT_EQ("", client_->SendSynchronousRequest("/foo"));
   EXPECT_TRUE(client_->response_headers()->empty());
-  EXPECT_EQ(QUIC_PUBLIC_RESET, client_->connection_error());
+  EXPECT_THAT(client_->connection_error(), IsError(QUIC_PUBLIC_RESET));
 }
 
 // Send a public reset from the server for a different connection ID.
@@ -2650,7 +2667,7 @@ TEST_P(EndToEndTestWithTls, ServerSendPublicResetWithDifferentConnectionId) {
     // ID.
     EXPECT_EQ("", client_->SendSynchronousRequest("/foo"));
     EXPECT_TRUE(client_->response_headers()->empty());
-    EXPECT_EQ(QUIC_PUBLIC_RESET, client_->connection_error());
+    EXPECT_THAT(client_->connection_error(), IsError(QUIC_PUBLIC_RESET));
     return;
   }
   // The connection should be unaffected.
@@ -2745,8 +2762,8 @@ TEST_P(EndToEndTestWithTls, BadPacketHeaderTruncated) {
   server_thread_->Pause();
   QuicDispatcher* dispatcher =
       QuicServerPeer::GetDispatcher(server_thread_->server());
-  EXPECT_EQ(QUIC_INVALID_PACKET_HEADER,
-            QuicDispatcherPeer::GetAndClearLastError(dispatcher));
+  EXPECT_THAT(QuicDispatcherPeer::GetAndClearLastError(dispatcher),
+              IsError(QUIC_INVALID_PACKET_HEADER));
   server_thread_->Resume();
 
   // The connection should not be terminated.
@@ -2796,8 +2813,8 @@ TEST_P(EndToEndTestWithTls, BadPacketHeaderFlags) {
   server_thread_->Pause();
   QuicDispatcher* dispatcher =
       QuicServerPeer::GetDispatcher(server_thread_->server());
-  EXPECT_EQ(QUIC_INVALID_PACKET_HEADER,
-            QuicDispatcherPeer::GetAndClearLastError(dispatcher));
+  EXPECT_THAT(QuicDispatcherPeer::GetAndClearLastError(dispatcher),
+              IsError(QUIC_INVALID_PACKET_HEADER));
   server_thread_->Resume();
 
   // The connection should not be terminated.
@@ -2834,8 +2851,8 @@ TEST_P(EndToEndTestWithTls, BadEncryptedData) {
   server_thread_->Pause();
   QuicDispatcher* dispatcher =
       QuicServerPeer::GetDispatcher(server_thread_->server());
-  EXPECT_EQ(QUIC_NO_ERROR,
-            QuicDispatcherPeer::GetAndClearLastError(dispatcher));
+  EXPECT_THAT(QuicDispatcherPeer::GetAndClearLastError(dispatcher),
+              IsQuicNoError());
   server_thread_->Resume();
 
   // The connection should not be terminated.
@@ -3105,7 +3122,6 @@ TEST_P(EndToEndTestWithTls, Trailers) {
 
   SpdyHeaderBlock headers;
   headers[":status"] = "200";
-  headers[":version"] = "HTTP/1.1";
   headers["content-length"] = QuicTextUtils::Uint64ToString(kBody.size());
 
   SpdyHeaderBlock trailers;
@@ -3159,7 +3175,6 @@ class EndToEndTestServerPush : public EndToEndTest {
               ? large_resource
               : QuicStrCat("This is server push response body for ", url);
       SpdyHeaderBlock response_headers;
-      response_headers[":version"] = "HTTP/1.1";
       response_headers[":status"] = "200";
       response_headers["content-length"] =
           QuicTextUtils::Uint64ToString(body.size());
@@ -3235,6 +3250,7 @@ TEST_P(EndToEndTestServerPush, ServerPush) {
 }
 
 TEST_P(EndToEndTestServerPush, ServerPushUnderLimit) {
+  SetQuicReloadableFlag(quic_send_max_push_id_with_settings, true);
   // Tests that sending a request which has 4 push resources will trigger server
   // to push those 4 resources and client can handle pushed resources and match
   // them with requests later.
@@ -3340,6 +3356,7 @@ TEST_P(EndToEndTestServerPush, ServerPushOverLimitNonBlocking) {
 }
 
 TEST_P(EndToEndTestServerPush, ServerPushOverLimitWithBlocking) {
+  SetQuicReloadableFlag(quic_send_max_push_id_with_settings, true);
   // Tests that when server tries to send more large resources(large enough to
   // be blocked by flow control window or congestion control window) than max
   // open outgoing streams , server can open upto max number of outgoing
@@ -3555,8 +3572,8 @@ TEST_P(EndToEndTest, WayTooLongRequestHeaders) {
 
   client_->SendMessage(headers, "");
   client_->WaitForResponse();
-  EXPECT_EQ(QUIC_HEADERS_STREAM_DATA_DECOMPRESS_FAILURE,
-            client_->connection_error());
+  EXPECT_THAT(client_->connection_error(),
+              IsError(QUIC_HEADERS_STREAM_DATA_DECOMPRESS_FAILURE));
 }
 
 class WindowUpdateObserver : public QuicConnectionDebugVisitor {
@@ -3633,7 +3650,7 @@ TEST_P(EndToEndTest,
 
   client_.reset(CreateQuicClient(client_writer_));
   EXPECT_EQ("", client_->SendSynchronousRequest("/foo"));
-  EXPECT_EQ(QUIC_HANDSHAKE_FAILED, client_->connection_error());
+  EXPECT_THAT(client_->connection_error(), IsError(QUIC_HANDSHAKE_FAILED));
 }
 
 // Regression test for b/116200989.
@@ -3670,7 +3687,7 @@ TEST_P(EndToEndTest,
   // Second, a /big_response request with big response should fail.
   EXPECT_LT(client_->SendSynchronousRequest("/big_response").length(),
             kBigResponseBodySize);
-  EXPECT_EQ(QUIC_PUBLIC_RESET, client_->connection_error());
+  EXPECT_THAT(client_->connection_error(), IsError(QUIC_PUBLIC_RESET));
 }
 
 // Regression test of b/70782529.
@@ -3742,7 +3759,7 @@ TEST_P(EndToEndTest, QUIC_TEST_DISABLED_IN_CHROME(PreSharedKeyMismatch)) {
   //    return whether it is successful.
   ASSERT_FALSE(Initialize() &&
                client_->client()->WaitForCryptoHandshakeConfirmed());
-  EXPECT_EQ(QUIC_HANDSHAKE_TIMEOUT, client_->connection_error());
+  EXPECT_THAT(client_->connection_error(), IsError(QUIC_HANDSHAKE_TIMEOUT));
 }
 
 // TODO: reenable once we have a way to make this run faster.
@@ -3754,7 +3771,7 @@ TEST_P(EndToEndTest, QUIC_TEST_DISABLED_IN_CHROME(PreSharedKeyNoClient)) {
   pre_shared_key_server_ = "foobar";
   ASSERT_FALSE(Initialize() &&
                client_->client()->WaitForCryptoHandshakeConfirmed());
-  EXPECT_EQ(QUIC_HANDSHAKE_TIMEOUT, client_->connection_error());
+  EXPECT_THAT(client_->connection_error(), IsError(QUIC_HANDSHAKE_TIMEOUT));
 }
 
 // TODO: reenable once we have a way to make this run faster.
@@ -3766,7 +3783,7 @@ TEST_P(EndToEndTest, QUIC_TEST_DISABLED_IN_CHROME(PreSharedKeyNoServer)) {
   pre_shared_key_client_ = "foobar";
   ASSERT_FALSE(Initialize() &&
                client_->client()->WaitForCryptoHandshakeConfirmed());
-  EXPECT_EQ(QUIC_HANDSHAKE_TIMEOUT, client_->connection_error());
+  EXPECT_THAT(client_->connection_error(), IsError(QUIC_HANDSHAKE_TIMEOUT));
 }
 
 TEST_P(EndToEndTest, RequestAndStreamRstInOnePacket) {
@@ -3801,15 +3818,12 @@ TEST_P(EndToEndTest, RequestAndStreamRstInOnePacket) {
   client_->WaitForDelayedAcks();
 
   // The real expectation is the test does not crash or timeout.
-  EXPECT_EQ(QUIC_NO_ERROR, client_->connection_error());
+  EXPECT_THAT(client_->connection_error(), IsQuicNoError());
 }
 
 TEST_P(EndToEndTest, ResetStreamOnTtlExpires) {
   ASSERT_TRUE(Initialize());
   EXPECT_TRUE(client_->client()->WaitForCryptoHandshakeConfirmed());
-  if (!GetClientSession()->session_decides_what_to_write()) {
-    return;
-  }
   SetPacketLossPercentage(30);
 
   QuicSpdyClientStream* stream = client_->GetOrCreateStream();
@@ -3821,7 +3835,7 @@ TEST_P(EndToEndTest, ResetStreamOnTtlExpires) {
   std::string body(1024 * 1024, 'a');
   stream->WriteOrBufferBody(body, true);
   client_->WaitForResponse();
-  EXPECT_EQ(QUIC_STREAM_TTL_EXPIRED, client_->stream_error());
+  EXPECT_THAT(client_->stream_error(), IsStreamError(QUIC_STREAM_TTL_EXPIRED));
 }
 
 TEST_P(EndToEndTest, SendMessages) {
@@ -3888,7 +3902,7 @@ TEST_P(EndToEndTest, SendMessages) {
                         client_session->GetCurrentLargestMessagePayload() + 1),
                     &storage))
                 .status);
-  EXPECT_EQ(QUIC_NO_ERROR, client_->connection_error());
+  EXPECT_THAT(client_->connection_error(), IsQuicNoError());
 }
 
 class EndToEndPacketReorderingTest : public EndToEndTest {
@@ -4037,14 +4051,15 @@ TEST_P(EndToEndTest, SimpleStopSendingTest) {
   client_->WaitForDelayedAcks();
 
   // The real expectation is the test does not crash or timeout.
-  EXPECT_EQ(QUIC_NO_ERROR, client_->connection_error());
+  EXPECT_THAT(client_->connection_error(), IsQuicNoError());
   // And that the stop-sending code is received.
   QuicSimpleClientStream* client_stream =
       static_cast<QuicSimpleClientStream*>(client_->latest_created_stream());
   ASSERT_NE(nullptr, client_stream);
   // Make sure we have the correct stream
   EXPECT_EQ(stream_id, client_stream->id());
-  EXPECT_EQ(kStopSendingTestCode, client_stream->last_stop_sending_code());
+  EXPECT_EQ(kStopSendingTestCode,
+            static_cast<uint16_t>(client_stream->stream_error()));
 }
 
 TEST_P(EndToEndTest, SimpleStopSendingRstStreamTest) {
@@ -4127,7 +4142,7 @@ TEST_P(EndToEndTest, ZeroRttProtectedConnectionClose) {
   EXPECT_EQ("", client_->SendSynchronousRequest("/foo"));
   // Verify ZERO_RTT_PROTECTED connection close is successfully processed by
   // client which switches to FORWARD_SECURE.
-  EXPECT_EQ(QUIC_PACKET_WRITE_ERROR, client_->connection_error());
+  EXPECT_THAT(client_->connection_error(), IsError(QUIC_PACKET_WRITE_ERROR));
 }
 
 class BadShloPacketWriter2 : public QuicPacketWriterWrapper {
@@ -4185,7 +4200,7 @@ TEST_P(EndToEndTest, ForwardSecureConnectionClose) {
   EXPECT_EQ("", client_->SendSynchronousRequest("/foo"));
   // Verify ZERO_RTT_PROTECTED connection close is successfully processed by
   // client.
-  EXPECT_EQ(QUIC_PACKET_WRITE_ERROR, client_->connection_error());
+  EXPECT_THAT(client_->connection_error(), IsError(QUIC_PACKET_WRITE_ERROR));
 }
 
 // Test that the stream id manager closes the connection if a stream
@@ -4215,8 +4230,9 @@ TEST_P(EndToEndTest, TooBigStreamIdClosesConnection) {
   QuicSessionPeer::SetNextOutgoingBidirectionalStreamId(
       session, GetNthClientInitiatedBidirectionalId(max_number_of_streams + 1));
   client_->SendCustomSynchronousRequest(headers, body);
-  EXPECT_EQ(QUIC_STREAM_CONNECTION_ERROR, client_->stream_error());
-  EXPECT_EQ(QUIC_INVALID_STREAM_ID, GetClientSession()->error());
+  EXPECT_THAT(client_->stream_error(),
+              IsStreamError(QUIC_STREAM_CONNECTION_ERROR));
+  EXPECT_THAT(GetClientSession()->error(), IsError(QUIC_INVALID_STREAM_ID));
   EXPECT_EQ(IETF_QUIC_TRANSPORT_CONNECTION_CLOSE,
             GetClientSession()->close_type());
   EXPECT_TRUE(
diff --git a/chromium/net/third_party/quiche/src/quic/core/http/http_decoder_test.cc b/chromium/net/third_party/quiche/src/quic/core/http/http_decoder_test.cc
index 42b4dd2a5ac..751ca5876bb 100644
--- a/chromium/net/third_party/quiche/src/quic/core/http/http_decoder_test.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/http/http_decoder_test.cc
@@ -15,6 +15,7 @@
 #include "net/third_party/quiche/src/quic/platform/api/quic_str_cat.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_test.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_text_utils.h"
+#include "net/third_party/quiche/src/quic/test_tools/quic_test_utils.h"
 
 using ::testing::_;
 using ::testing::Eq;
@@ -133,7 +134,7 @@ class HttpDecoderTest : public QuicTest {
 };
 
 TEST_F(HttpDecoderTest, InitialState) {
-  EXPECT_EQ(QUIC_NO_ERROR, decoder_.error());
+  EXPECT_THAT(decoder_.error(), IsQuicNoError());
   EXPECT_EQ("", decoder_.error_detail());
 }
 
@@ -171,7 +172,7 @@ TEST_F(HttpDecoderTest, UnknownFrame) {
 
       EXPECT_EQ(total_length, decoder_.ProcessInput(input.get(), total_length));
 
-      EXPECT_EQ(QUIC_NO_ERROR, decoder_.error());
+      EXPECT_THAT(decoder_.error(), IsQuicNoError());
       ASSERT_EQ("", decoder_.error_detail());
       EXPECT_EQ(frame_type, current_frame_type());
     }
@@ -189,19 +190,19 @@ TEST_F(HttpDecoderTest, CancelPush) {
   EXPECT_CALL(visitor_, OnCancelPushFrame(CancelPushFrame({1})))
       .WillOnce(Return(false));
   EXPECT_EQ(input.size(), ProcessInputWithGarbageAppended(input));
-  EXPECT_EQ(QUIC_NO_ERROR, decoder_.error());
+  EXPECT_THAT(decoder_.error(), IsQuicNoError());
   EXPECT_EQ("", decoder_.error_detail());
 
   // Process the full frame.
   EXPECT_CALL(visitor_, OnCancelPushFrame(CancelPushFrame({1})));
   EXPECT_EQ(input.size(), ProcessInput(input));
-  EXPECT_EQ(QUIC_NO_ERROR, decoder_.error());
+  EXPECT_THAT(decoder_.error(), IsQuicNoError());
   EXPECT_EQ("", decoder_.error_detail());
 
   // Process the frame incrementally.
   EXPECT_CALL(visitor_, OnCancelPushFrame(CancelPushFrame({1})));
   ProcessInputCharByChar(input);
-  EXPECT_EQ(QUIC_NO_ERROR, decoder_.error());
+  EXPECT_THAT(decoder_.error(), IsQuicNoError());
   EXPECT_EQ("", decoder_.error_detail());
 }
 
@@ -233,7 +234,7 @@ TEST_F(HttpDecoderTest, PushPromiseFrame) {
 
   EXPECT_CALL(visitor_, OnPushPromiseFrameEnd()).WillOnce(Return(false));
   EXPECT_EQ(0u, ProcessInputWithGarbageAppended(""));
-  EXPECT_EQ(QUIC_NO_ERROR, decoder_.error());
+  EXPECT_THAT(decoder_.error(), IsQuicNoError());
   EXPECT_EQ("", decoder_.error_detail());
 
   // Process the full frame.
@@ -242,7 +243,7 @@ TEST_F(HttpDecoderTest, PushPromiseFrame) {
   EXPECT_CALL(visitor_, OnPushPromiseFramePayload(QuicStringPiece("Headers")));
   EXPECT_CALL(visitor_, OnPushPromiseFrameEnd());
   EXPECT_EQ(input.size(), ProcessInput(input));
-  EXPECT_EQ(QUIC_NO_ERROR, decoder_.error());
+  EXPECT_THAT(decoder_.error(), IsQuicNoError());
   EXPECT_EQ("", decoder_.error_detail());
 
   // Process the frame incrementally.
@@ -257,7 +258,7 @@ TEST_F(HttpDecoderTest, PushPromiseFrame) {
   EXPECT_CALL(visitor_, OnPushPromiseFramePayload(QuicStringPiece("s")));
   EXPECT_CALL(visitor_, OnPushPromiseFrameEnd());
   ProcessInputCharByChar(input);
-  EXPECT_EQ(QUIC_NO_ERROR, decoder_.error());
+  EXPECT_THAT(decoder_.error(), IsQuicNoError());
   EXPECT_EQ("", decoder_.error_detail());
 
   // Process push id incrementally and append headers with last byte of push id.
@@ -267,7 +268,7 @@ TEST_F(HttpDecoderTest, PushPromiseFrame) {
   EXPECT_CALL(visitor_, OnPushPromiseFrameEnd());
   ProcessInputCharByChar(input.substr(0, 9));
   EXPECT_EQ(8u, ProcessInput(input.substr(9)));
-  EXPECT_EQ(QUIC_NO_ERROR, decoder_.error());
+  EXPECT_THAT(decoder_.error(), IsQuicNoError());
   EXPECT_EQ("", decoder_.error_detail());
 }
 
@@ -286,7 +287,7 @@ TEST_F(HttpDecoderTest, CorruptPushPromiseFrame) {
 
     decoder.ProcessInput(input.data(), input.size());
 
-    EXPECT_EQ(QUIC_INVALID_FRAME_DATA, decoder.error());
+    EXPECT_THAT(decoder.error(), IsError(QUIC_INVALID_FRAME_DATA));
     EXPECT_EQ("PUSH_PROMISE frame malformed.", decoder.error_detail());
   }
   {
@@ -298,7 +299,7 @@ TEST_F(HttpDecoderTest, CorruptPushPromiseFrame) {
       decoder.ProcessInput(&c, 1);
     }
 
-    EXPECT_EQ(QUIC_INVALID_FRAME_DATA, decoder.error());
+    EXPECT_THAT(decoder.error(), IsError(QUIC_INVALID_FRAME_DATA));
     EXPECT_EQ("PUSH_PROMISE frame malformed.", decoder.error_detail());
   }
 }
@@ -314,19 +315,19 @@ TEST_F(HttpDecoderTest, MaxPushId) {
   EXPECT_CALL(visitor_, OnMaxPushIdFrame(MaxPushIdFrame({1})))
       .WillOnce(Return(false));
   EXPECT_EQ(input.size(), ProcessInputWithGarbageAppended(input));
-  EXPECT_EQ(QUIC_NO_ERROR, decoder_.error());
+  EXPECT_THAT(decoder_.error(), IsQuicNoError());
   EXPECT_EQ("", decoder_.error_detail());
 
   // Process the full frame.
   EXPECT_CALL(visitor_, OnMaxPushIdFrame(MaxPushIdFrame({1})));
   EXPECT_EQ(input.size(), ProcessInput(input));
-  EXPECT_EQ(QUIC_NO_ERROR, decoder_.error());
+  EXPECT_THAT(decoder_.error(), IsQuicNoError());
   EXPECT_EQ("", decoder_.error_detail());
 
   // Process the frame incrementally.
   EXPECT_CALL(visitor_, OnMaxPushIdFrame(MaxPushIdFrame({1})));
   ProcessInputCharByChar(input);
-  EXPECT_EQ(QUIC_NO_ERROR, decoder_.error());
+  EXPECT_THAT(decoder_.error(), IsQuicNoError());
   EXPECT_EQ("", decoder_.error_detail());
 }
 
@@ -341,19 +342,19 @@ TEST_F(HttpDecoderTest, DuplicatePush) {
   EXPECT_CALL(visitor_, OnDuplicatePushFrame(DuplicatePushFrame({1})))
       .WillOnce(Return(false));
   EXPECT_EQ(input.size(), ProcessInputWithGarbageAppended(input));
-  EXPECT_EQ(QUIC_NO_ERROR, decoder_.error());
+  EXPECT_THAT(decoder_.error(), IsQuicNoError());
   EXPECT_EQ("", decoder_.error_detail());
 
   // Process the full frame.
   EXPECT_CALL(visitor_, OnDuplicatePushFrame(DuplicatePushFrame({1})));
   EXPECT_EQ(input.size(), ProcessInput(input));
-  EXPECT_EQ(QUIC_NO_ERROR, decoder_.error());
+  EXPECT_THAT(decoder_.error(), IsQuicNoError());
   EXPECT_EQ("", decoder_.error_detail());
 
   // Process the frame incrementally.
   EXPECT_CALL(visitor_, OnDuplicatePushFrame(DuplicatePushFrame({1})));
   ProcessInputCharByChar(input);
-  EXPECT_EQ(QUIC_NO_ERROR, decoder_.error());
+  EXPECT_THAT(decoder_.error(), IsQuicNoError());
   EXPECT_EQ("", decoder_.error_detail());
 }
 
@@ -386,21 +387,21 @@ TEST_F(HttpDecoderTest, PriorityFrame) {
   EXPECT_CALL(visitor_, OnPriorityFrame(frame)).WillOnce(Return(false));
   processed_bytes = ProcessInputWithGarbageAppended(remaining_input);
   EXPECT_EQ(remaining_input.size(), processed_bytes);
-  EXPECT_EQ(QUIC_NO_ERROR, decoder_.error());
+  EXPECT_THAT(decoder_.error(), IsQuicNoError());
   EXPECT_EQ("", decoder_.error_detail());
 
   // Process the full frame.
   EXPECT_CALL(visitor_, OnPriorityFrameStart(2));
   EXPECT_CALL(visitor_, OnPriorityFrame(frame));
   EXPECT_EQ(input.size(), ProcessInput(input));
-  EXPECT_EQ(QUIC_NO_ERROR, decoder_.error());
+  EXPECT_THAT(decoder_.error(), IsQuicNoError());
   EXPECT_EQ("", decoder_.error_detail());
 
   // Process the frame incrementally.
   EXPECT_CALL(visitor_, OnPriorityFrameStart(2));
   EXPECT_CALL(visitor_, OnPriorityFrame(frame));
   ProcessInputCharByChar(input);
-  EXPECT_EQ(QUIC_NO_ERROR, decoder_.error());
+  EXPECT_THAT(decoder_.error(), IsQuicNoError());
   EXPECT_EQ("", decoder_.error_detail());
 
   std::string input2 = QuicTextUtils::HexDecode(
@@ -417,7 +418,7 @@ TEST_F(HttpDecoderTest, PriorityFrame) {
   EXPECT_CALL(visitor_, OnPriorityFrameStart(2));
   EXPECT_CALL(visitor_, OnPriorityFrame(frame2));
   EXPECT_EQ(input2.size(), ProcessInput(input2));
-  EXPECT_EQ(QUIC_NO_ERROR, decoder_.error());
+  EXPECT_THAT(decoder_.error(), IsQuicNoError());
   EXPECT_EQ("", decoder_.error_detail());
 }
 
@@ -462,7 +463,7 @@ TEST_F(HttpDecoderTest, CorruptPriorityFrame) {
     QuicByteCount processed_bytes =
         decoder.ProcessInput(input.data(), input.size());
     EXPECT_EQ(input.size(), processed_bytes);
-    EXPECT_EQ(QUIC_INVALID_FRAME_DATA, decoder.error());
+    EXPECT_THAT(decoder.error(), IsError(QUIC_INVALID_FRAME_DATA));
     EXPECT_EQ(test_data.error_message, decoder.error_detail());
   }
 }
@@ -495,21 +496,21 @@ TEST_F(HttpDecoderTest, SettingsFrame) {
   EXPECT_CALL(visitor_, OnSettingsFrame(frame)).WillOnce(Return(false));
   processed_bytes = ProcessInputWithGarbageAppended(remaining_input);
   EXPECT_EQ(remaining_input.size(), processed_bytes);
-  EXPECT_EQ(QUIC_NO_ERROR, decoder_.error());
+  EXPECT_THAT(decoder_.error(), IsQuicNoError());
   EXPECT_EQ("", decoder_.error_detail());
 
   // Process the full frame.
   EXPECT_CALL(visitor_, OnSettingsFrameStart(2));
   EXPECT_CALL(visitor_, OnSettingsFrame(frame));
   EXPECT_EQ(input.size(), ProcessInput(input));
-  EXPECT_EQ(QUIC_NO_ERROR, decoder_.error());
+  EXPECT_THAT(decoder_.error(), IsQuicNoError());
   EXPECT_EQ("", decoder_.error_detail());
 
   // Process the frame incrementally.
   EXPECT_CALL(visitor_, OnSettingsFrameStart(2));
   EXPECT_CALL(visitor_, OnSettingsFrame(frame));
   ProcessInputCharByChar(input);
-  EXPECT_EQ(QUIC_NO_ERROR, decoder_.error());
+  EXPECT_THAT(decoder_.error(), IsQuicNoError());
   EXPECT_EQ("", decoder_.error_detail());
 }
 
@@ -543,7 +544,7 @@ TEST_F(HttpDecoderTest, CorruptSettingsFrame) {
     QuicByteCount processed_bytes =
         decoder.ProcessInput(input.data(), input.size());
     EXPECT_EQ(input.size(), processed_bytes);
-    EXPECT_EQ(QUIC_INVALID_FRAME_DATA, decoder.error());
+    EXPECT_THAT(decoder.error(), IsError(QUIC_INVALID_FRAME_DATA));
     EXPECT_EQ(test_data.error_message, decoder.error_detail());
   }
 }
@@ -562,7 +563,7 @@ TEST_F(HttpDecoderTest, DuplicateSettingsIdentifier) {
 
   EXPECT_EQ(input.size(), ProcessInput(input));
 
-  EXPECT_EQ(QUIC_INVALID_FRAME_DATA, decoder_.error());
+  EXPECT_THAT(decoder_.error(), IsError(QUIC_INVALID_FRAME_DATA));
   EXPECT_EQ("Duplicate SETTINGS identifier.", decoder_.error_detail());
 }
 
@@ -587,7 +588,7 @@ TEST_F(HttpDecoderTest, DataFrame) {
 
   EXPECT_CALL(visitor_, OnDataFrameEnd()).WillOnce(Return(false));
   EXPECT_EQ(0u, ProcessInputWithGarbageAppended(""));
-  EXPECT_EQ(QUIC_NO_ERROR, decoder_.error());
+  EXPECT_THAT(decoder_.error(), IsQuicNoError());
   EXPECT_EQ("", decoder_.error_detail());
 
   // Process the full frame.
@@ -595,7 +596,7 @@ TEST_F(HttpDecoderTest, DataFrame) {
   EXPECT_CALL(visitor_, OnDataFramePayload(QuicStringPiece("Data!")));
   EXPECT_CALL(visitor_, OnDataFrameEnd());
   EXPECT_EQ(input.size(), ProcessInput(input));
-  EXPECT_EQ(QUIC_NO_ERROR, decoder_.error());
+  EXPECT_THAT(decoder_.error(), IsQuicNoError());
   EXPECT_EQ("", decoder_.error_detail());
 
   // Process the frame incrementally.
@@ -607,7 +608,7 @@ TEST_F(HttpDecoderTest, DataFrame) {
   EXPECT_CALL(visitor_, OnDataFramePayload(QuicStringPiece("!")));
   EXPECT_CALL(visitor_, OnDataFrameEnd());
   ProcessInputCharByChar(input);
-  EXPECT_EQ(QUIC_NO_ERROR, decoder_.error());
+  EXPECT_THAT(decoder_.error(), IsQuicNoError());
   EXPECT_EQ("", decoder_.error_detail());
 }
 
@@ -615,28 +616,27 @@ TEST_F(HttpDecoderTest, FrameHeaderPartialDelivery) {
   InSequence s;
   // A large input that will occupy more than 1 byte in the length field.
   std::string input(2048, 'x');
-  HttpEncoder encoder;
   std::unique_ptr<char[]> buffer;
   QuicByteCount header_length =
-      encoder.SerializeDataFrameHeader(input.length(), &buffer);
+      HttpEncoder::SerializeDataFrameHeader(input.length(), &buffer);
   std::string header = std::string(buffer.get(), header_length);
   // Partially send only 1 byte of the header to process.
   EXPECT_EQ(1u, decoder_.ProcessInput(header.data(), 1));
-  EXPECT_EQ(QUIC_NO_ERROR, decoder_.error());
+  EXPECT_THAT(decoder_.error(), IsQuicNoError());
   EXPECT_EQ("", decoder_.error_detail());
 
   // Send the rest of the header.
   EXPECT_CALL(visitor_, OnDataFrameStart(3));
   EXPECT_EQ(header_length - 1,
             decoder_.ProcessInput(header.data() + 1, header_length - 1));
-  EXPECT_EQ(QUIC_NO_ERROR, decoder_.error());
+  EXPECT_THAT(decoder_.error(), IsQuicNoError());
   EXPECT_EQ("", decoder_.error_detail());
 
   // Send data.
   EXPECT_CALL(visitor_, OnDataFramePayload(QuicStringPiece(input)));
   EXPECT_CALL(visitor_, OnDataFrameEnd());
   EXPECT_EQ(2048u, decoder_.ProcessInput(input.data(), 2048));
-  EXPECT_EQ(QUIC_NO_ERROR, decoder_.error());
+  EXPECT_THAT(decoder_.error(), IsQuicNoError());
   EXPECT_EQ("", decoder_.error_detail());
 }
 
@@ -662,7 +662,7 @@ TEST_F(HttpDecoderTest, PartialDeliveryOfLargeFrameType) {
     EXPECT_EQ(1u, decoder_.ProcessInput(&c, 1));
   }
 
-  EXPECT_EQ(QUIC_NO_ERROR, decoder_.error());
+  EXPECT_THAT(decoder_.error(), IsQuicNoError());
   EXPECT_EQ("", decoder_.error_detail());
   EXPECT_EQ(frame_type, current_frame_type());
 }
@@ -678,19 +678,19 @@ TEST_F(HttpDecoderTest, GoAway) {
   EXPECT_CALL(visitor_, OnGoAwayFrame(GoAwayFrame({1})))
       .WillOnce(Return(false));
   EXPECT_EQ(input.size(), ProcessInputWithGarbageAppended(input));
-  EXPECT_EQ(QUIC_NO_ERROR, decoder_.error());
+  EXPECT_THAT(decoder_.error(), IsQuicNoError());
   EXPECT_EQ("", decoder_.error_detail());
 
   // Process the full frame.
   EXPECT_CALL(visitor_, OnGoAwayFrame(GoAwayFrame({1})));
   EXPECT_EQ(input.size(), ProcessInput(input));
-  EXPECT_EQ(QUIC_NO_ERROR, decoder_.error());
+  EXPECT_THAT(decoder_.error(), IsQuicNoError());
   EXPECT_EQ("", decoder_.error_detail());
 
   // Process the frame incrementally.
   EXPECT_CALL(visitor_, OnGoAwayFrame(GoAwayFrame({1})));
   ProcessInputCharByChar(input);
-  EXPECT_EQ(QUIC_NO_ERROR, decoder_.error());
+  EXPECT_THAT(decoder_.error(), IsQuicNoError());
   EXPECT_EQ("", decoder_.error_detail());
 }
 
@@ -716,7 +716,7 @@ TEST_F(HttpDecoderTest, HeadersFrame) {
 
   EXPECT_CALL(visitor_, OnHeadersFrameEnd()).WillOnce(Return(false));
   EXPECT_EQ(0u, ProcessInputWithGarbageAppended(""));
-  EXPECT_EQ(QUIC_NO_ERROR, decoder_.error());
+  EXPECT_THAT(decoder_.error(), IsQuicNoError());
   EXPECT_EQ("", decoder_.error_detail());
 
   // Process the full frame.
@@ -724,7 +724,7 @@ TEST_F(HttpDecoderTest, HeadersFrame) {
   EXPECT_CALL(visitor_, OnHeadersFramePayload(QuicStringPiece("Headers")));
   EXPECT_CALL(visitor_, OnHeadersFrameEnd());
   EXPECT_EQ(input.size(), ProcessInput(input));
-  EXPECT_EQ(QUIC_NO_ERROR, decoder_.error());
+  EXPECT_THAT(decoder_.error(), IsQuicNoError());
   EXPECT_EQ("", decoder_.error_detail());
 
   // Process the frame incrementally.
@@ -738,7 +738,7 @@ TEST_F(HttpDecoderTest, HeadersFrame) {
   EXPECT_CALL(visitor_, OnHeadersFramePayload(QuicStringPiece("s")));
   EXPECT_CALL(visitor_, OnHeadersFrameEnd());
   ProcessInputCharByChar(input);
-  EXPECT_EQ(QUIC_NO_ERROR, decoder_.error());
+  EXPECT_THAT(decoder_.error(), IsQuicNoError());
   EXPECT_EQ("", decoder_.error_detail());
 }
 
@@ -754,21 +754,21 @@ TEST_F(HttpDecoderTest, EmptyDataFrame) {
 
   EXPECT_CALL(visitor_, OnDataFrameEnd()).WillOnce(Return(false));
   EXPECT_EQ(0u, ProcessInputWithGarbageAppended(""));
-  EXPECT_EQ(QUIC_NO_ERROR, decoder_.error());
+  EXPECT_THAT(decoder_.error(), IsQuicNoError());
   EXPECT_EQ("", decoder_.error_detail());
 
   // Process the full frame.
   EXPECT_CALL(visitor_, OnDataFrameStart(2));
   EXPECT_CALL(visitor_, OnDataFrameEnd());
   EXPECT_EQ(input.size(), ProcessInput(input));
-  EXPECT_EQ(QUIC_NO_ERROR, decoder_.error());
+  EXPECT_THAT(decoder_.error(), IsQuicNoError());
   EXPECT_EQ("", decoder_.error_detail());
 
   // Process the frame incrementally.
   EXPECT_CALL(visitor_, OnDataFrameStart(2));
   EXPECT_CALL(visitor_, OnDataFrameEnd());
   ProcessInputCharByChar(input);
-  EXPECT_EQ(QUIC_NO_ERROR, decoder_.error());
+  EXPECT_THAT(decoder_.error(), IsQuicNoError());
   EXPECT_EQ("", decoder_.error_detail());
 }
 
@@ -784,21 +784,21 @@ TEST_F(HttpDecoderTest, EmptyHeadersFrame) {
 
   EXPECT_CALL(visitor_, OnHeadersFrameEnd()).WillOnce(Return(false));
   EXPECT_EQ(0u, ProcessInputWithGarbageAppended(""));
-  EXPECT_EQ(QUIC_NO_ERROR, decoder_.error());
+  EXPECT_THAT(decoder_.error(), IsQuicNoError());
   EXPECT_EQ("", decoder_.error_detail());
 
   // Process the full frame.
   EXPECT_CALL(visitor_, OnHeadersFrameStart(2));
   EXPECT_CALL(visitor_, OnHeadersFrameEnd());
   EXPECT_EQ(input.size(), ProcessInput(input));
-  EXPECT_EQ(QUIC_NO_ERROR, decoder_.error());
+  EXPECT_THAT(decoder_.error(), IsQuicNoError());
   EXPECT_EQ("", decoder_.error_detail());
 
   // Process the frame incrementally.
   EXPECT_CALL(visitor_, OnHeadersFrameStart(2));
   EXPECT_CALL(visitor_, OnHeadersFrameEnd());
   ProcessInputCharByChar(input);
-  EXPECT_EQ(QUIC_NO_ERROR, decoder_.error());
+  EXPECT_THAT(decoder_.error(), IsQuicNoError());
   EXPECT_EQ("", decoder_.error_detail());
 }
 
@@ -816,7 +816,7 @@ TEST_F(HttpDecoderTest, PushPromiseFrameNoHeaders) {
 
   EXPECT_CALL(visitor_, OnPushPromiseFrameEnd()).WillOnce(Return(false));
   EXPECT_EQ(0u, ProcessInputWithGarbageAppended(""));
-  EXPECT_EQ(QUIC_NO_ERROR, decoder_.error());
+  EXPECT_THAT(decoder_.error(), IsQuicNoError());
   EXPECT_EQ("", decoder_.error_detail());
 
   // Process the full frame.
@@ -824,7 +824,7 @@ TEST_F(HttpDecoderTest, PushPromiseFrameNoHeaders) {
   EXPECT_CALL(visitor_, OnPushPromiseFramePushId(1, 1));
   EXPECT_CALL(visitor_, OnPushPromiseFrameEnd());
   EXPECT_EQ(input.size(), ProcessInput(input));
-  EXPECT_EQ(QUIC_NO_ERROR, decoder_.error());
+  EXPECT_THAT(decoder_.error(), IsQuicNoError());
   EXPECT_EQ("", decoder_.error_detail());
 
   // Process the frame incrementally.
@@ -832,7 +832,7 @@ TEST_F(HttpDecoderTest, PushPromiseFrameNoHeaders) {
   EXPECT_CALL(visitor_, OnPushPromiseFramePushId(1, 1));
   EXPECT_CALL(visitor_, OnPushPromiseFrameEnd());
   ProcessInputCharByChar(input);
-  EXPECT_EQ(QUIC_NO_ERROR, decoder_.error());
+  EXPECT_THAT(decoder_.error(), IsQuicNoError());
   EXPECT_EQ("", decoder_.error_detail());
 }
 
@@ -844,7 +844,7 @@ TEST_F(HttpDecoderTest, MalformedFrameWithOverlyLargePayload) {
   // Process the full frame.
   EXPECT_CALL(visitor_, OnError(&decoder_));
   EXPECT_EQ(2u, ProcessInput(input));
-  EXPECT_EQ(QUIC_INVALID_FRAME_DATA, decoder_.error());
+  EXPECT_THAT(decoder_.error(), IsError(QUIC_INVALID_FRAME_DATA));
   EXPECT_EQ("Frame is too large", decoder_.error_detail());
 }
 
@@ -859,7 +859,7 @@ TEST_F(HttpDecoderTest, MalformedSettingsFrame) {
   writer.WriteStringPiece("Malformed payload");
   EXPECT_CALL(visitor_, OnError(&decoder_));
   EXPECT_EQ(5u, decoder_.ProcessInput(input, QUIC_ARRAYSIZE(input)));
-  EXPECT_EQ(QUIC_INVALID_FRAME_DATA, decoder_.error());
+  EXPECT_THAT(decoder_.error(), IsError(QUIC_INVALID_FRAME_DATA));
   EXPECT_EQ("Frame is too large", decoder_.error_detail());
 }
 
@@ -891,7 +891,7 @@ TEST_F(HttpDecoderTest, HeadersPausedThenData) {
   processed_bytes = ProcessInput(remaining_input);
   EXPECT_EQ(remaining_input.size(), processed_bytes);
 
-  EXPECT_EQ(QUIC_NO_ERROR, decoder_.error());
+  EXPECT_THAT(decoder_.error(), IsQuicNoError());
   EXPECT_EQ("", decoder_.error_detail());
 }
 
@@ -945,7 +945,7 @@ TEST_F(HttpDecoderTest, CorruptFrame) {
 
       QuicStringPiece input(test_data.input);
       decoder.ProcessInput(input.data(), input.size());
-      EXPECT_EQ(QUIC_INVALID_FRAME_DATA, decoder.error());
+      EXPECT_THAT(decoder.error(), IsError(QUIC_INVALID_FRAME_DATA));
       EXPECT_EQ(test_data.error_message, decoder.error_detail());
     }
     {
@@ -956,7 +956,7 @@ TEST_F(HttpDecoderTest, CorruptFrame) {
       for (auto c : input) {
         decoder.ProcessInput(&c, 1);
       }
-      EXPECT_EQ(QUIC_INVALID_FRAME_DATA, decoder.error());
+      EXPECT_THAT(decoder.error(), IsError(QUIC_INVALID_FRAME_DATA));
       EXPECT_EQ(test_data.error_message, decoder.error_detail());
     }
   }
@@ -969,7 +969,7 @@ TEST_F(HttpDecoderTest, EmptyCancelPushFrame) {
 
   EXPECT_CALL(visitor_, OnError(&decoder_));
   EXPECT_EQ(input.size(), ProcessInput(input));
-  EXPECT_EQ(QUIC_INVALID_FRAME_DATA, decoder_.error());
+  EXPECT_THAT(decoder_.error(), IsError(QUIC_INVALID_FRAME_DATA));
   EXPECT_EQ("Unable to read push_id", decoder_.error_detail());
 }
 
@@ -984,7 +984,7 @@ TEST_F(HttpDecoderTest, EmptySettingsFrame) {
   EXPECT_CALL(visitor_, OnSettingsFrame(empty_frame));
 
   EXPECT_EQ(input.size(), ProcessInput(input));
-  EXPECT_EQ(QUIC_NO_ERROR, decoder_.error());
+  EXPECT_THAT(decoder_.error(), IsQuicNoError());
   EXPECT_EQ("", decoder_.error_detail());
 }
 
@@ -996,7 +996,7 @@ TEST_F(HttpDecoderTest, EmptyPushPromiseFrame) {
 
   EXPECT_CALL(visitor_, OnError(&decoder_));
   EXPECT_EQ(input.size(), ProcessInput(input));
-  EXPECT_EQ(QUIC_INVALID_FRAME_DATA, decoder_.error());
+  EXPECT_THAT(decoder_.error(), IsError(QUIC_INVALID_FRAME_DATA));
   EXPECT_EQ("Corrupt PUSH_PROMISE frame.", decoder_.error_detail());
 }
 
@@ -1007,7 +1007,7 @@ TEST_F(HttpDecoderTest, EmptyGoAwayFrame) {
 
   EXPECT_CALL(visitor_, OnError(&decoder_));
   EXPECT_EQ(input.size(), ProcessInput(input));
-  EXPECT_EQ(QUIC_INVALID_FRAME_DATA, decoder_.error());
+  EXPECT_THAT(decoder_.error(), IsError(QUIC_INVALID_FRAME_DATA));
   EXPECT_EQ("Unable to read GOAWAY stream_id", decoder_.error_detail());
 }
 
@@ -1018,7 +1018,7 @@ TEST_F(HttpDecoderTest, EmptyMaxPushIdFrame) {
 
   EXPECT_CALL(visitor_, OnError(&decoder_));
   EXPECT_EQ(input.size(), ProcessInput(input));
-  EXPECT_EQ(QUIC_INVALID_FRAME_DATA, decoder_.error());
+  EXPECT_THAT(decoder_.error(), IsError(QUIC_INVALID_FRAME_DATA));
   EXPECT_EQ("Unable to read push_id", decoder_.error_detail());
 }
 
@@ -1029,20 +1029,19 @@ TEST_F(HttpDecoderTest, EmptyDuplicatePushFrame) {
 
   EXPECT_CALL(visitor_, OnError(&decoder_));
   EXPECT_EQ(input.size(), ProcessInput(input));
-  EXPECT_EQ(QUIC_INVALID_FRAME_DATA, decoder_.error());
+  EXPECT_THAT(decoder_.error(), IsError(QUIC_INVALID_FRAME_DATA));
   EXPECT_EQ("Unable to read push_id", decoder_.error_detail());
 }
 
 TEST_F(HttpDecoderTest, LargeStreamIdInGoAway) {
-  HttpEncoder encoder;
   GoAwayFrame frame;
   frame.stream_id = 1 << 30;
   std::unique_ptr<char[]> buffer;
-  uint64_t length = encoder.SerializeGoAwayFrame(frame, &buffer);
+  uint64_t length = HttpEncoder::SerializeGoAwayFrame(frame, &buffer);
   EXPECT_CALL(visitor_, OnGoAwayFrame(frame));
   EXPECT_GT(length, 0u);
   EXPECT_EQ(length, decoder_.ProcessInput(buffer.get(), length));
-  EXPECT_EQ(QUIC_NO_ERROR, decoder_.error());
+  EXPECT_THAT(decoder_.error(), IsQuicNoError());
   EXPECT_EQ("", decoder_.error_detail());
 }
 
diff --git a/chromium/net/third_party/quiche/src/quic/core/http/http_encoder.cc b/chromium/net/third_party/quiche/src/quic/core/http/http_encoder.cc
index b97f7f79619..6bb25cf16fe 100644
--- a/chromium/net/third_party/quiche/src/quic/core/http/http_encoder.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/http/http_encoder.cc
@@ -40,12 +40,45 @@ uint8_t SetPriorityFields(uint8_t num,
   }
 }
 
-}  // namespace
+bool WriteFrameHeader(QuicByteCount length,
+                      HttpFrameType type,
+                      QuicDataWriter* writer) {
+  return writer->WriteVarInt62(static_cast<uint64_t>(type)) &&
+         writer->WriteVarInt62(length);
+}
 
-HttpEncoder::HttpEncoder() {}
+QuicByteCount GetTotalLength(QuicByteCount payload_length, HttpFrameType type) {
+  return QuicDataWriter::GetVarInt62Len(payload_length) +
+         QuicDataWriter::GetVarInt62Len(static_cast<uint64_t>(type)) +
+         payload_length;
+}
+
+// Write prioritized element id and element dependency id if needed.
+bool MaybeWriteIds(const PriorityFrame& priority, QuicDataWriter* writer) {
+  if (priority.prioritized_type != ROOT_OF_TREE) {
+    if (!writer->WriteVarInt62(priority.prioritized_element_id)) {
+      return false;
+    }
+  } else {
+    DCHECK_EQ(0u, priority.prioritized_element_id)
+        << "Prioritized element id should be 0 when prioritized type is "
+           "ROOT_OF_TREE";
+  }
+  if (priority.dependency_type != ROOT_OF_TREE) {
+    if (!writer->WriteVarInt62(priority.element_dependency_id)) {
+      return false;
+    }
+  } else {
+    DCHECK_EQ(0u, priority.element_dependency_id)
+        << "Element dependency id should be 0 when dependency type is "
+           "ROOT_OF_TREE";
+  }
+  return true;
+}
 
-HttpEncoder::~HttpEncoder() {}
+}  // namespace
 
+// static
 QuicByteCount HttpEncoder::SerializeDataFrameHeader(
     QuicByteCount payload_length,
     std::unique_ptr<char[]>* output) {
@@ -65,6 +98,7 @@ QuicByteCount HttpEncoder::SerializeDataFrameHeader(
   return 0;
 }
 
+// static
 QuicByteCount HttpEncoder::SerializeHeadersFrameHeader(
     QuicByteCount payload_length,
     std::unique_ptr<char[]>* output) {
@@ -86,6 +120,7 @@ QuicByteCount HttpEncoder::SerializeHeadersFrameHeader(
   return 0;
 }
 
+// static
 QuicByteCount HttpEncoder::SerializePriorityFrame(
     const PriorityFrame& priority,
     std::unique_ptr<char[]>* output) {
@@ -127,6 +162,7 @@ QuicByteCount HttpEncoder::SerializePriorityFrame(
   return 0;
 }
 
+// static
 QuicByteCount HttpEncoder::SerializeCancelPushFrame(
     const CancelPushFrame& cancel_push,
     std::unique_ptr<char[]>* output) {
@@ -147,6 +183,7 @@ QuicByteCount HttpEncoder::SerializeCancelPushFrame(
   return 0;
 }
 
+// static
 QuicByteCount HttpEncoder::SerializeSettingsFrame(
     const SettingsFrame& settings,
     std::unique_ptr<char[]>* output) {
@@ -180,6 +217,7 @@ QuicByteCount HttpEncoder::SerializeSettingsFrame(
   return total_length;
 }
 
+// static
 QuicByteCount HttpEncoder::SerializePushPromiseFrameWithOnlyPushId(
     const PushPromiseFrame& push_promise,
     std::unique_ptr<char[]>* output) {
@@ -205,6 +243,7 @@ QuicByteCount HttpEncoder::SerializePushPromiseFrameWithOnlyPushId(
   return 0;
 }
 
+// static
 QuicByteCount HttpEncoder::SerializeGoAwayFrame(
     const GoAwayFrame& goaway,
     std::unique_ptr<char[]>* output) {
@@ -225,6 +264,7 @@ QuicByteCount HttpEncoder::SerializeGoAwayFrame(
   return 0;
 }
 
+// static
 QuicByteCount HttpEncoder::SerializeMaxPushIdFrame(
     const MaxPushIdFrame& max_push_id,
     std::unique_ptr<char[]>* output) {
@@ -245,6 +285,7 @@ QuicByteCount HttpEncoder::SerializeMaxPushIdFrame(
   return 0;
 }
 
+// static
 QuicByteCount HttpEncoder::SerializeDuplicatePushFrame(
     const DuplicatePushFrame& duplicate_push,
     std::unique_ptr<char[]>* output) {
@@ -266,41 +307,4 @@ QuicByteCount HttpEncoder::SerializeDuplicatePushFrame(
   return 0;
 }
 
-bool HttpEncoder::WriteFrameHeader(QuicByteCount length,
-                                   HttpFrameType type,
-                                   QuicDataWriter* writer) {
-  return writer->WriteVarInt62(static_cast<uint64_t>(type)) &&
-         writer->WriteVarInt62(length);
-}
-
-QuicByteCount HttpEncoder::GetTotalLength(QuicByteCount payload_length,
-                                          HttpFrameType type) {
-  return QuicDataWriter::GetVarInt62Len(payload_length) +
-         QuicDataWriter::GetVarInt62Len(static_cast<uint64_t>(type)) +
-         payload_length;
-}
-
-bool HttpEncoder::MaybeWriteIds(const PriorityFrame& priority,
-                                QuicDataWriter* writer) {
-  if (priority.prioritized_type != ROOT_OF_TREE) {
-    if (!writer->WriteVarInt62(priority.prioritized_element_id)) {
-      return false;
-    }
-  } else {
-    DCHECK_EQ(0u, priority.prioritized_element_id)
-        << "Prioritized element id should be 0 when prioritized type is "
-           "ROOT_OF_TREE";
-  }
-  if (priority.dependency_type != ROOT_OF_TREE) {
-    if (!writer->WriteVarInt62(priority.element_dependency_id)) {
-      return false;
-    }
-  } else {
-    DCHECK_EQ(0u, priority.element_dependency_id)
-        << "Element dependency id should be 0 when dependency type is "
-           "ROOT_OF_TREE";
-  }
-  return true;
-}
-
 }  // namespace quic
diff --git a/chromium/net/third_party/quiche/src/quic/core/http/http_encoder.h b/chromium/net/third_party/quiche/src/quic/core/http/http_encoder.h
index 12c5bab56c2..4420fc65b7b 100644
--- a/chromium/net/third_party/quiche/src/quic/core/http/http_encoder.h
+++ b/chromium/net/third_party/quiche/src/quic/core/http/http_encoder.h
@@ -17,68 +17,59 @@ class QuicDataWriter;
 // session.
 class QUIC_EXPORT_PRIVATE HttpEncoder {
  public:
-  HttpEncoder();
-
-  ~HttpEncoder();
+  HttpEncoder() = delete;
 
   // Serializes a DATA frame header into a new buffer stored in |output|.
   // Returns the length of the buffer on success, or 0 otherwise.
-  QuicByteCount SerializeDataFrameHeader(QuicByteCount payload_length,
-                                         std::unique_ptr<char[]>* output);
+  static QuicByteCount SerializeDataFrameHeader(
+      QuicByteCount payload_length,
+      std::unique_ptr<char[]>* output);
 
   // Serializes a HEADERS frame header into a new buffer stored in |output|.
   // Returns the length of the buffer on success, or 0 otherwise.
-  QuicByteCount SerializeHeadersFrameHeader(QuicByteCount payload_length,
-                                            std::unique_ptr<char[]>* output);
+  static QuicByteCount SerializeHeadersFrameHeader(
+      QuicByteCount payload_length,
+      std::unique_ptr<char[]>* output);
 
   // Serializes a PRIORITY frame into a new buffer stored in |output|.
   // Returns the length of the buffer on success, or 0 otherwise.
-  QuicByteCount SerializePriorityFrame(const PriorityFrame& priority,
-                                       std::unique_ptr<char[]>* output);
+  static QuicByteCount SerializePriorityFrame(const PriorityFrame& priority,
+                                              std::unique_ptr<char[]>* output);
 
   // Serializes a CANCEL_PUSH frame into a new buffer stored in |output|.
   // Returns the length of the buffer on success, or 0 otherwise.
-  QuicByteCount SerializeCancelPushFrame(const CancelPushFrame& cancel_push,
-                                         std::unique_ptr<char[]>* output);
+  static QuicByteCount SerializeCancelPushFrame(
+      const CancelPushFrame& cancel_push,
+      std::unique_ptr<char[]>* output);
 
   // Serializes a SETTINGS frame into a new buffer stored in |output|.
   // Returns the length of the buffer on success, or 0 otherwise.
-  QuicByteCount SerializeSettingsFrame(const SettingsFrame& settings,
-                                       std::unique_ptr<char[]>* output);
+  static QuicByteCount SerializeSettingsFrame(const SettingsFrame& settings,
+                                              std::unique_ptr<char[]>* output);
 
   // Serializes the header and push_id of a PUSH_PROMISE frame into a new buffer
   // stored in |output|. Returns the length of the buffer on success, or 0
   // otherwise.
-  QuicByteCount SerializePushPromiseFrameWithOnlyPushId(
+  static QuicByteCount SerializePushPromiseFrameWithOnlyPushId(
       const PushPromiseFrame& push_promise,
       std::unique_ptr<char[]>* output);
 
   // Serializes a GOAWAY frame into a new buffer stored in |output|.
   // Returns the length of the buffer on success, or 0 otherwise.
-  QuicByteCount SerializeGoAwayFrame(const GoAwayFrame& goaway,
-                                     std::unique_ptr<char[]>* output);
+  static QuicByteCount SerializeGoAwayFrame(const GoAwayFrame& goaway,
+                                            std::unique_ptr<char[]>* output);
 
   // Serializes a MAX_PUSH frame into a new buffer stored in |output|.
   // Returns the length of the buffer on success, or 0 otherwise.
-  QuicByteCount SerializeMaxPushIdFrame(const MaxPushIdFrame& max_push_id,
-                                        std::unique_ptr<char[]>* output);
+  static QuicByteCount SerializeMaxPushIdFrame(
+      const MaxPushIdFrame& max_push_id,
+      std::unique_ptr<char[]>* output);
 
   // Serialize a DUPLICATE_PUSH frame into a new buffer stored in |output|.
   // Returns the length of the buffer on success, or 0 otherwise.
-  QuicByteCount SerializeDuplicatePushFrame(
+  static QuicByteCount SerializeDuplicatePushFrame(
       const DuplicatePushFrame& duplicate_push,
       std::unique_ptr<char[]>* output);
-
- private:
-  bool WriteFrameHeader(QuicByteCount length,
-                        HttpFrameType type,
-                        QuicDataWriter* writer);
-
-  QuicByteCount GetTotalLength(QuicByteCount payload_length,
-                               HttpFrameType type);
-
-  // Write prioritized element id and element dependency id if needed.
-  bool MaybeWriteIds(const PriorityFrame& priority, QuicDataWriter* writer);
 };
 
 }  // namespace quic
diff --git a/chromium/net/third_party/quiche/src/quic/core/http/http_encoder_test.cc b/chromium/net/third_party/quiche/src/quic/core/http/http_encoder_test.cc
index 43ae7cd4a29..2df89bd4ae6 100644
--- a/chromium/net/third_party/quiche/src/quic/core/http/http_encoder_test.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/http/http_encoder_test.cc
@@ -11,16 +11,10 @@
 namespace quic {
 namespace test {
 
-class HttpEncoderTest : public QuicTest {
- public:
-  HttpEncoderTest() {}
-  HttpEncoder encoder_;
-};
-
-TEST_F(HttpEncoderTest, SerializeDataFrameHeader) {
+TEST(HttpEncoderTest, SerializeDataFrameHeader) {
   std::unique_ptr<char[]> buffer;
   uint64_t length =
-      encoder_.SerializeDataFrameHeader(/* payload_length = */ 5, &buffer);
+      HttpEncoder::SerializeDataFrameHeader(/* payload_length = */ 5, &buffer);
   char output[] = {// type (DATA)
                    0x00,
                    // length
@@ -30,10 +24,10 @@ TEST_F(HttpEncoderTest, SerializeDataFrameHeader) {
                                 QUIC_ARRAYSIZE(output));
 }
 
-TEST_F(HttpEncoderTest, SerializeHeadersFrameHeader) {
+TEST(HttpEncoderTest, SerializeHeadersFrameHeader) {
   std::unique_ptr<char[]> buffer;
-  uint64_t length =
-      encoder_.SerializeHeadersFrameHeader(/* payload_length = */ 7, &buffer);
+  uint64_t length = HttpEncoder::SerializeHeadersFrameHeader(
+      /* payload_length = */ 7, &buffer);
   char output[] = {// type (HEADERS)
                    0x01,
                    // length
@@ -43,7 +37,7 @@ TEST_F(HttpEncoderTest, SerializeHeadersFrameHeader) {
                                 QUIC_ARRAYSIZE(output));
 }
 
-TEST_F(HttpEncoderTest, SerializePriorityFrame) {
+TEST(HttpEncoderTest, SerializePriorityFrame) {
   PriorityFrame priority;
   priority.prioritized_type = REQUEST_STREAM;
   priority.dependency_type = REQUEST_STREAM;
@@ -65,7 +59,7 @@ TEST_F(HttpEncoderTest, SerializePriorityFrame) {
                    0xFF};
 
   std::unique_ptr<char[]> buffer;
-  uint64_t length = encoder_.SerializePriorityFrame(priority, &buffer);
+  uint64_t length = HttpEncoder::SerializePriorityFrame(priority, &buffer);
   EXPECT_EQ(QUIC_ARRAYSIZE(output), length);
   CompareCharArraysWithHexError("PRIORITY", buffer.get(), length, output,
                                 QUIC_ARRAYSIZE(output));
@@ -86,7 +80,7 @@ TEST_F(HttpEncoderTest, SerializePriorityFrame) {
                     0x04,
                     // weight
                     0xff};
-  length = encoder_.SerializePriorityFrame(priority2, &buffer);
+  length = HttpEncoder::SerializePriorityFrame(priority2, &buffer);
   EXPECT_EQ(QUIC_ARRAYSIZE(output2), length);
   CompareCharArraysWithHexError("PRIORITY", buffer.get(), length, output2,
                                 QUIC_ARRAYSIZE(output2));
@@ -104,13 +98,13 @@ TEST_F(HttpEncoderTest, SerializePriorityFrame) {
                     0xf8,
                     // weight
                     0xff};
-  length = encoder_.SerializePriorityFrame(priority3, &buffer);
+  length = HttpEncoder::SerializePriorityFrame(priority3, &buffer);
   EXPECT_EQ(QUIC_ARRAYSIZE(output3), length);
   CompareCharArraysWithHexError("PRIORITY", buffer.get(), length, output3,
                                 QUIC_ARRAYSIZE(output3));
 }
 
-TEST_F(HttpEncoderTest, SerializeCancelPushFrame) {
+TEST(HttpEncoderTest, SerializeCancelPushFrame) {
   CancelPushFrame cancel_push;
   cancel_push.push_id = 0x01;
   char output[] = {// type (CANCEL_PUSH)
@@ -120,13 +114,13 @@ TEST_F(HttpEncoderTest, SerializeCancelPushFrame) {
                    // Push Id
                    0x01};
   std::unique_ptr<char[]> buffer;
-  uint64_t length = encoder_.SerializeCancelPushFrame(cancel_push, &buffer);
+  uint64_t length = HttpEncoder::SerializeCancelPushFrame(cancel_push, &buffer);
   EXPECT_EQ(QUIC_ARRAYSIZE(output), length);
   CompareCharArraysWithHexError("CANCEL_PUSH", buffer.get(), length, output,
                                 QUIC_ARRAYSIZE(output));
 }
 
-TEST_F(HttpEncoderTest, SerializeSettingsFrame) {
+TEST(HttpEncoderTest, SerializeSettingsFrame) {
   SettingsFrame settings;
   settings.values[1] = 2;
   settings.values[6] = 5;
@@ -148,13 +142,13 @@ TEST_F(HttpEncoderTest, SerializeSettingsFrame) {
                    // content
                    0x04};
   std::unique_ptr<char[]> buffer;
-  uint64_t length = encoder_.SerializeSettingsFrame(settings, &buffer);
+  uint64_t length = HttpEncoder::SerializeSettingsFrame(settings, &buffer);
   EXPECT_EQ(QUIC_ARRAYSIZE(output), length);
   CompareCharArraysWithHexError("SETTINGS", buffer.get(), length, output,
                                 QUIC_ARRAYSIZE(output));
 }
 
-TEST_F(HttpEncoderTest, SerializePushPromiseFrameWithOnlyPushId) {
+TEST(HttpEncoderTest, SerializePushPromiseFrameWithOnlyPushId) {
   PushPromiseFrame push_promise;
   push_promise.push_id = 0x01;
   push_promise.headers = "Headers";
@@ -165,14 +159,14 @@ TEST_F(HttpEncoderTest, SerializePushPromiseFrameWithOnlyPushId) {
                    // Push Id
                    0x01};
   std::unique_ptr<char[]> buffer;
-  uint64_t length =
-      encoder_.SerializePushPromiseFrameWithOnlyPushId(push_promise, &buffer);
+  uint64_t length = HttpEncoder::SerializePushPromiseFrameWithOnlyPushId(
+      push_promise, &buffer);
   EXPECT_EQ(QUIC_ARRAYSIZE(output), length);
   CompareCharArraysWithHexError("PUSH_PROMISE", buffer.get(), length, output,
                                 QUIC_ARRAYSIZE(output));
 }
 
-TEST_F(HttpEncoderTest, SerializeGoAwayFrame) {
+TEST(HttpEncoderTest, SerializeGoAwayFrame) {
   GoAwayFrame goaway;
   goaway.stream_id = 0x1;
   char output[] = {// type (GOAWAY)
@@ -182,13 +176,13 @@ TEST_F(HttpEncoderTest, SerializeGoAwayFrame) {
                    // StreamId
                    0x01};
   std::unique_ptr<char[]> buffer;
-  uint64_t length = encoder_.SerializeGoAwayFrame(goaway, &buffer);
+  uint64_t length = HttpEncoder::SerializeGoAwayFrame(goaway, &buffer);
   EXPECT_EQ(QUIC_ARRAYSIZE(output), length);
   CompareCharArraysWithHexError("GOAWAY", buffer.get(), length, output,
                                 QUIC_ARRAYSIZE(output));
 }
 
-TEST_F(HttpEncoderTest, SerializeMaxPushIdFrame) {
+TEST(HttpEncoderTest, SerializeMaxPushIdFrame) {
   MaxPushIdFrame max_push_id;
   max_push_id.push_id = 0x1;
   char output[] = {// type (MAX_PUSH_ID)
@@ -198,13 +192,13 @@ TEST_F(HttpEncoderTest, SerializeMaxPushIdFrame) {
                    // Push Id
                    0x01};
   std::unique_ptr<char[]> buffer;
-  uint64_t length = encoder_.SerializeMaxPushIdFrame(max_push_id, &buffer);
+  uint64_t length = HttpEncoder::SerializeMaxPushIdFrame(max_push_id, &buffer);
   EXPECT_EQ(QUIC_ARRAYSIZE(output), length);
   CompareCharArraysWithHexError("MAX_PUSH_ID", buffer.get(), length, output,
                                 QUIC_ARRAYSIZE(output));
 }
 
-TEST_F(HttpEncoderTest, SerializeDuplicatePushFrame) {
+TEST(HttpEncoderTest, SerializeDuplicatePushFrame) {
   DuplicatePushFrame duplicate_push;
   duplicate_push.push_id = 0x1;
   char output[] = {// type (DUPLICATE_PUSH)
@@ -215,7 +209,7 @@ TEST_F(HttpEncoderTest, SerializeDuplicatePushFrame) {
                    0x01};
   std::unique_ptr<char[]> buffer;
   uint64_t length =
-      encoder_.SerializeDuplicatePushFrame(duplicate_push, &buffer);
+      HttpEncoder::SerializeDuplicatePushFrame(duplicate_push, &buffer);
   EXPECT_EQ(QUIC_ARRAYSIZE(output), length);
   CompareCharArraysWithHexError("DUPLICATE_PUSH", buffer.get(), length, output,
                                 QUIC_ARRAYSIZE(output));
diff --git a/chromium/net/third_party/quiche/src/quic/core/http/http_frames.h b/chromium/net/third_party/quiche/src/quic/core/http/http_frames.h
index dde8b1e6f9e..215fa568d29 100644
--- a/chromium/net/third_party/quiche/src/quic/core/http/http_frames.h
+++ b/chromium/net/third_party/quiche/src/quic/core/http/http_frames.h
@@ -34,7 +34,7 @@ enum class HttpFrameType : uint8_t {
 //
 //   DATA frames (type=0x0) convey arbitrary, variable-length sequences of
 //   octets associated with an HTTP request or response payload.
-struct DataFrame {
+struct QUIC_EXPORT_PRIVATE DataFrame {
   QuicStringPiece data;
 };
 
@@ -42,7 +42,7 @@ struct DataFrame {
 //
 //   The HEADERS frame (type=0x1) is used to carry a header block,
 //   compressed using QPACK.
-struct HeadersFrame {
+struct QUIC_EXPORT_PRIVATE HeadersFrame {
   QuicStringPiece headers;
 };
 
@@ -65,7 +65,7 @@ enum PriorityElementType : uint8_t {
   ROOT_OF_TREE = 3
 };
 
-struct PriorityFrame {
+struct QUIC_EXPORT_PRIVATE PriorityFrame {
   PriorityElementType prioritized_type = REQUEST_STREAM;
   PriorityElementType dependency_type = REQUEST_STREAM;
   bool exclusive = false;
@@ -103,7 +103,7 @@ struct PriorityFrame {
 //   server push prior to the push stream being created.
 using PushId = uint64_t;
 
-struct CancelPushFrame {
+struct QUIC_EXPORT_PRIVATE CancelPushFrame {
   PushId push_id;
 
   bool operator==(const CancelPushFrame& rhs) const {
@@ -119,7 +119,7 @@ struct CancelPushFrame {
 
 using SettingsMap = std::map<uint64_t, uint64_t>;
 
-struct SettingsFrame {
+struct QUIC_EXPORT_PRIVATE SettingsFrame {
   SettingsMap values;
 
   bool operator==(const SettingsFrame& rhs) const {
@@ -148,7 +148,7 @@ struct SettingsFrame {
 //
 //   The PUSH_PROMISE frame (type=0x05) is used to carry a request header
 //   set from server to client, as in HTTP/2.
-struct PushPromiseFrame {
+struct QUIC_EXPORT_PRIVATE PushPromiseFrame {
   PushId push_id;
   QuicStringPiece headers;
 
@@ -161,7 +161,7 @@ struct PushPromiseFrame {
 //
 //   The GOAWAY frame (type=0x7) is used to initiate graceful shutdown of
 //   a connection by a server.
-struct GoAwayFrame {
+struct QUIC_EXPORT_PRIVATE GoAwayFrame {
   QuicStreamId stream_id;
 
   bool operator==(const GoAwayFrame& rhs) const {
@@ -173,7 +173,7 @@ struct GoAwayFrame {
 //
 //   The MAX_PUSH_ID frame (type=0xD) is used by clients to control the
 //   number of server pushes that the server can initiate.
-struct MaxPushIdFrame {
+struct QUIC_EXPORT_PRIVATE MaxPushIdFrame {
   PushId push_id;
 
   bool operator==(const MaxPushIdFrame& rhs) const {
@@ -186,7 +186,7 @@ struct MaxPushIdFrame {
 //  The DUPLICATE_PUSH frame (type=0xE) is used by servers to indicate
 //  that an existing pushed resource is related to multiple client
 //  requests.
-struct DuplicatePushFrame {
+struct QUIC_EXPORT_PRIVATE DuplicatePushFrame {
   PushId push_id;
 
   bool operator==(const DuplicatePushFrame& rhs) const {
diff --git a/chromium/net/third_party/quiche/src/quic/core/http/quic_client_promised_info.h b/chromium/net/third_party/quiche/src/quic/core/http/quic_client_promised_info.h
index bf614051fc1..9268940240e 100644
--- a/chromium/net/third_party/quiche/src/quic/core/http/quic_client_promised_info.h
+++ b/chromium/net/third_party/quiche/src/quic/core/http/quic_client_promised_info.h
@@ -84,7 +84,7 @@ class QUIC_EXPORT_PRIVATE QuicClientPromisedInfo
  private:
   friend class test::QuicClientPromisedInfoPeer;
 
-  class CleanupAlarm : public QuicAlarm::Delegate {
+  class QUIC_EXPORT_PRIVATE CleanupAlarm : public QuicAlarm::Delegate {
    public:
     explicit CleanupAlarm(QuicClientPromisedInfo* promised)
         : promised_(promised) {}
diff --git a/chromium/net/third_party/quiche/src/quic/core/http/quic_client_promised_info_test.cc b/chromium/net/third_party/quiche/src/quic/core/http/quic_client_promised_info_test.cc
index e244fcf83c3..27d9fe89630 100644
--- a/chromium/net/third_party/quiche/src/quic/core/http/quic_client_promised_info_test.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/http/quic_client_promised_info_test.cc
@@ -89,7 +89,6 @@ class QuicClientPromisedInfoTest : public QuicTest {
 
     push_promise_[":path"] = "/bar";
     push_promise_[":authority"] = "www.google.com";
-    push_promise_[":version"] = "HTTP/1.1";
     push_promise_[":method"] = "GET";
     push_promise_[":scheme"] = "https";
 
diff --git a/chromium/net/third_party/quiche/src/quic/core/http/quic_client_push_promise_index_test.cc b/chromium/net/third_party/quiche/src/quic/core/http/quic_client_push_promise_index_test.cc
index 933ef6bb808..3ca377eb729 100644
--- a/chromium/net/third_party/quiche/src/quic/core/http/quic_client_push_promise_index_test.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/http/quic_client_push_promise_index_test.cc
@@ -60,7 +60,6 @@ class QuicClientPushPromiseIndexTest : public QuicTest {
                   url_) {
     request_[":path"] = "/bar";
     request_[":authority"] = "www.google.com";
-    request_[":version"] = "HTTP/1.1";
     request_[":method"] = "GET";
     request_[":scheme"] = "https";
     url_ = SpdyServerPushUtils::GetPromisedUrlFromHeaders(request_);
diff --git a/chromium/net/third_party/quiche/src/quic/core/http/quic_header_list.cc b/chromium/net/third_party/quiche/src/quic/core/http/quic_header_list.cc
index f9b730bcb4c..cba3e587ab3 100644
--- a/chromium/net/third_party/quiche/src/quic/core/http/quic_header_list.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/http/quic_header_list.cc
@@ -4,6 +4,7 @@
 
 #include "net/third_party/quiche/src/quic/core/http/quic_header_list.h"
 
+#include <limits>
 #include <string>
 
 #include "net/third_party/quiche/src/quic/core/quic_packets.h"
@@ -13,7 +14,7 @@
 namespace quic {
 
 QuicHeaderList::QuicHeaderList()
-    : max_header_list_size_(kDefaultMaxUncompressedHeaderSize),
+    : max_header_list_size_(std::numeric_limits<size_t>::max()),
       current_header_list_size_(0),
       uncompressed_header_bytes_(0),
       compressed_header_bytes_(0) {}
diff --git a/chromium/net/third_party/quiche/src/quic/core/http/quic_header_list_test.cc b/chromium/net/third_party/quiche/src/quic/core/http/quic_header_list_test.cc
index 67bd35f2644..5ff3c5a6b58 100644
--- a/chromium/net/third_party/quiche/src/quic/core/http/quic_header_list_test.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/http/quic_header_list_test.cc
@@ -37,9 +37,12 @@ TEST_F(QuicHeaderListTest, DebugString) {
 }
 
 TEST_F(QuicHeaderListTest, TooLarge) {
+  const size_t kMaxHeaderListSize = 256;
+
   QuicHeaderList headers;
+  headers.set_max_header_list_size(kMaxHeaderListSize);
   std::string key = "key";
-  std::string value(1 << 18, '1');
+  std::string value(kMaxHeaderListSize, '1');
   // Send a header that exceeds max_header_list_size.
   headers.OnHeader(key, value);
   // Send a second header exceeding max_header_list_size.
@@ -48,8 +51,8 @@ TEST_F(QuicHeaderListTest, TooLarge) {
   EXPECT_LT(headers.DebugString().size(), 2 * value.size());
   size_t total_bytes = 2 * (key.size() + value.size()) + 1;
   headers.OnHeaderBlockEnd(total_bytes, total_bytes);
-  EXPECT_TRUE(headers.empty());
 
+  EXPECT_TRUE(headers.empty());
   EXPECT_EQ("{ }", headers.DebugString());
 }
 
diff --git a/chromium/net/third_party/quiche/src/quic/core/http/quic_headers_stream_test.cc b/chromium/net/third_party/quiche/src/quic/core/http/quic_headers_stream_test.cc
index 079150638f4..4cf11cc2976 100644
--- a/chromium/net/third_party/quiche/src/quic/core/http/quic_headers_stream_test.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/http/quic_headers_stream_test.cc
@@ -25,6 +25,7 @@
 #include "net/third_party/quiche/src/quic/test_tools/quic_spdy_session_peer.h"
 #include "net/third_party/quiche/src/quic/test_tools/quic_stream_peer.h"
 #include "net/third_party/quiche/src/quic/test_tools/quic_test_utils.h"
+#include "net/third_party/quiche/src/common/platform/api/quiche_endian.h"
 #include "net/third_party/quiche/src/spdy/core/http2_frame_decoder_adapter.h"
 #include "net/third_party/quiche/src/spdy/core/spdy_alt_svc_wire_format.h"
 #include "net/third_party/quiche/src/spdy/core/spdy_protocol.h"
@@ -36,7 +37,6 @@ using spdy::SETTINGS_HEADER_TABLE_SIZE;
 using spdy::SETTINGS_INITIAL_WINDOW_SIZE;
 using spdy::SETTINGS_MAX_CONCURRENT_STREAMS;
 using spdy::SETTINGS_MAX_FRAME_SIZE;
-using spdy::SETTINGS_MAX_HEADER_LIST_SIZE;
 using spdy::Spdy3PriorityToHttp2Weight;
 using spdy::SpdyAltSvcWireFormat;
 using spdy::SpdyDataIR;
@@ -200,7 +200,6 @@ class QuicHeadersStreamTest : public QuicTestWithParam<TestParams> {
     QuicSpdySessionPeer::SetMaxInboundHeaderListSize(&session_, 256 * 1024);
     session_.Initialize();
     headers_stream_ = QuicSpdySessionPeer::GetHeadersStream(&session_);
-    headers_[":version"] = "HTTP/1.1";
     headers_[":status"] = "200 Ok";
     headers_["content-length"] = "11";
     framer_ = std::unique_ptr<SpdyFramer>(
@@ -228,7 +227,7 @@ class QuicHeadersStreamTest : public QuicTestWithParam<TestParams> {
 
   QuicConsumedData SaveIov(size_t write_length) {
     char* buf = new char[write_length];
-    QuicDataWriter writer(write_length, buf, NETWORK_BYTE_ORDER);
+    QuicDataWriter writer(write_length, buf, quiche::NETWORK_BYTE_ORDER);
     headers_stream_->WriteStreamData(headers_stream_->stream_bytes_written(),
                                      write_length, &writer);
     saved_data_.append(buf, write_length);
@@ -306,7 +305,7 @@ class QuicHeadersStreamTest : public QuicTestWithParam<TestParams> {
     } else {
       EXPECT_CALL(visitor_,
                   OnHeaders(stream_id, !kHasPriority,
-                            /*priority=*/0,
+                            /*weight=*/0,
                             /*parent_stream_id=*/0,
                             /*exclusive=*/false, fin, kFrameComplete));
     }
@@ -521,13 +520,7 @@ TEST_P(QuicHeadersStreamTest, ProcessPriorityFrame) {
       SpdyPriorityIR priority_frame(stream_id, parent_stream_id, weight, true);
       SpdySerializedFrame frame(framer_->SerializeFrame(priority_frame));
       parent_stream_id = stream_id;
-      if (transport_version() <= QUIC_VERSION_39) {
-        EXPECT_CALL(*connection_,
-                    CloseConnection(QUIC_INVALID_HEADERS_STREAM_DATA,
-                                    "SPDY PRIORITY frame received.", _))
-            .WillRepeatedly(InvokeWithoutArgs(
-                this, &QuicHeadersStreamTest::TearDownLocalConnectionState));
-      } else if (perspective() == Perspective::IS_CLIENT) {
+      if (perspective() == Perspective::IS_CLIENT) {
         EXPECT_CALL(*connection_,
                     CloseConnection(QUIC_INVALID_HEADERS_STREAM_DATA,
                                     "Server must not send PRIORITY frames.", _))
diff --git a/chromium/net/third_party/quiche/src/quic/core/http/quic_receive_control_stream.cc b/chromium/net/third_party/quiche/src/quic/core/http/quic_receive_control_stream.cc
index 4d78106f372..c949fa77c7f 100644
--- a/chromium/net/third_party/quiche/src/quic/core/http/quic_receive_control_stream.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/http/quic_receive_control_stream.cc
@@ -9,6 +9,7 @@
 #include "net/third_party/quiche/src/quic/core/http/http_constants.h"
 #include "net/third_party/quiche/src/quic/core/http/http_decoder.h"
 #include "net/third_party/quiche/src/quic/core/http/quic_spdy_session.h"
+#include "net/third_party/quiche/src/quic/core/quic_types.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_flags.h"
 
 namespace quic {
@@ -65,9 +66,15 @@ class QuicReceiveControlStream::HttpDecoderVisitor
     return false;
   }
 
-  bool OnGoAwayFrame(const GoAwayFrame& /*frame*/) override {
-    CloseConnectionOnWrongFrame("Goaway");
-    return false;
+  bool OnGoAwayFrame(const GoAwayFrame& frame) override {
+    QuicSpdySession* spdy_session =
+        static_cast<QuicSpdySession*>(stream_->session());
+    if (spdy_session->perspective() == Perspective::IS_SERVER) {
+      CloseConnectionOnWrongFrame("Go Away");
+      return false;
+    }
+    spdy_session->OnHttp3GoAway(frame.stream_id);
+    return true;
   }
 
   bool OnSettingsFrameStart(QuicByteCount header_length) override {
diff --git a/chromium/net/third_party/quiche/src/quic/core/http/quic_receive_control_stream_test.cc b/chromium/net/third_party/quiche/src/quic/core/http/quic_receive_control_stream_test.cc
index 73b30b3ff09..8418766a97a 100644
--- a/chromium/net/third_party/quiche/src/quic/core/http/quic_receive_control_stream_test.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/http/quic_receive_control_stream_test.cc
@@ -5,6 +5,7 @@
 #include "net/third_party/quiche/src/quic/core/http/quic_receive_control_stream.h"
 
 #include "net/third_party/quiche/src/quic/core/http/http_constants.h"
+#include "net/third_party/quiche/src/quic/core/quic_types.h"
 #include "net/third_party/quiche/src/quic/core/quic_utils.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_ptr_util.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_text_utils.h"
@@ -17,7 +18,6 @@ namespace test {
 
 namespace {
 using ::testing::_;
-using ::testing::AtLeast;
 using ::testing::StrictMock;
 
 struct TestParams {
@@ -103,18 +103,16 @@ class QuicReceiveControlStreamTest : public QuicTestWithParam<TestParams> {
   Perspective perspective() const { return GetParam().perspective; }
 
   std::string EncodeSettings(const SettingsFrame& settings) {
-    HttpEncoder encoder;
     std::unique_ptr<char[]> buffer;
     QuicByteCount settings_frame_length =
-        encoder.SerializeSettingsFrame(settings, &buffer);
+        HttpEncoder::SerializeSettingsFrame(settings, &buffer);
     return std::string(buffer.get(), settings_frame_length);
   }
 
   std::string PriorityFrame(const PriorityFrame& frame) {
-    HttpEncoder encoder;
     std::unique_ptr<char[]> priority_buffer;
     QuicByteCount priority_frame_length =
-        encoder.SerializePriorityFrame(frame, &priority_buffer);
+        HttpEncoder::SerializePriorityFrame(frame, &priority_buffer);
     return std::string(priority_buffer.get(), priority_frame_length);
   }
 
@@ -214,11 +212,11 @@ TEST_P(QuicReceiveControlStreamTest, ReceiveSettingsFragments) {
 }
 
 TEST_P(QuicReceiveControlStreamTest, ReceiveWrongFrame) {
-  GoAwayFrame goaway;
-  goaway.stream_id = 0x1;
-  HttpEncoder encoder;
+  DuplicatePushFrame dup;
+  dup.push_id = 0x1;
   std::unique_ptr<char[]> buffer;
-  QuicByteCount header_length = encoder.SerializeGoAwayFrame(goaway, &buffer);
+  QuicByteCount header_length =
+      HttpEncoder::SerializeDuplicatePushFrame(dup, &buffer);
   std::string data = std::string(buffer.get(), header_length);
 
   QuicStreamFrame frame(receive_control_stream_->id(), false, 1, data);
@@ -245,14 +243,35 @@ TEST_P(QuicReceiveControlStreamTest, ReceivePriorityFrame) {
   EXPECT_EQ(1u, stream_->precedence().spdy3_priority());
 }
 
+TEST_P(QuicReceiveControlStreamTest, ReceiveGoAwayFrame) {
+  GoAwayFrame goaway;
+  goaway.stream_id = 0x00;
+
+  std::unique_ptr<char[]> buffer;
+  QuicByteCount header_length =
+      HttpEncoder::SerializeGoAwayFrame(goaway, &buffer);
+  std::string data = std::string(buffer.get(), header_length);
+
+  QuicStreamFrame frame(receive_control_stream_->id(), false, 1, data);
+  EXPECT_FALSE(session_.http3_goaway_received());
+
+  if (perspective() == Perspective::IS_SERVER) {
+    EXPECT_CALL(*connection_, CloseConnection(QUIC_HTTP_DECODER_ERROR, _, _));
+  }
+
+  receive_control_stream_->OnStreamFrame(frame);
+  if (perspective() == Perspective::IS_CLIENT) {
+    EXPECT_TRUE(session_.http3_goaway_received());
+  }
+}
+
 TEST_P(QuicReceiveControlStreamTest, PushPromiseOnControlStreamShouldClose) {
   PushPromiseFrame push_promise;
   push_promise.push_id = 0x01;
   push_promise.headers = "Headers";
   std::unique_ptr<char[]> buffer;
-  HttpEncoder encoder;
-  uint64_t length =
-      encoder.SerializePushPromiseFrameWithOnlyPushId(push_promise, &buffer);
+  uint64_t length = HttpEncoder::SerializePushPromiseFrameWithOnlyPushId(
+      push_promise, &buffer);
   QuicStreamFrame frame(receive_control_stream_->id(), false, 1, buffer.get(),
                         length);
   // TODO(lassey) Check for HTTP_WRONG_STREAM error code.
diff --git a/chromium/net/third_party/quiche/src/quic/core/http/quic_send_control_stream.cc b/chromium/net/third_party/quiche/src/quic/core/http/quic_send_control_stream.cc
index da7f79e0f92..ed7cd7ffb40 100644
--- a/chromium/net/third_party/quiche/src/quic/core/http/quic_send_control_stream.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/http/quic_send_control_stream.cc
@@ -3,11 +3,15 @@
 // found in the LICENSE file.
 
 #include "net/third_party/quiche/src/quic/core/http/quic_send_control_stream.h"
+#include <memory>
 
 #include "net/third_party/quiche/src/quic/core/http/http_constants.h"
 #include "net/third_party/quiche/src/quic/core/http/quic_spdy_session.h"
 #include "net/third_party/quiche/src/quic/core/quic_session.h"
+#include "net/third_party/quiche/src/quic/core/quic_types.h"
+#include "net/third_party/quiche/src/quic/core/quic_utils.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_arraysize.h"
+#include "net/third_party/quiche/src/quic/platform/api/quic_string_piece.h"
 
 namespace quic {
 
@@ -55,7 +59,7 @@ void QuicSendControlStream::MaybeSendSettingsFrame() {
 
   std::unique_ptr<char[]> buffer;
   QuicByteCount frame_length =
-      encoder_.SerializeSettingsFrame(settings, &buffer);
+      HttpEncoder::SerializeSettingsFrame(settings, &buffer);
   QUIC_DVLOG(1) << "Control stream " << id() << " is writing settings frame "
                 << settings;
   QuicSpdySession* spdy_session = static_cast<QuicSpdySession*>(session());
@@ -72,7 +76,7 @@ void QuicSendControlStream::WritePriority(const PriorityFrame& priority) {
   MaybeSendSettingsFrame();
   std::unique_ptr<char[]> buffer;
   QuicByteCount frame_length =
-      encoder_.SerializePriorityFrame(priority, &buffer);
+      HttpEncoder::SerializePriorityFrame(priority, &buffer);
   QUIC_DVLOG(1) << "Control Stream " << id() << " is writing " << priority;
   WriteOrBufferData(QuicStringPiece(buffer.get(), frame_length), false,
                     nullptr);
@@ -85,9 +89,29 @@ void QuicSendControlStream::SendMaxPushIdFrame(PushId max_push_id) {
   MaxPushIdFrame frame;
   frame.push_id = max_push_id;
   std::unique_ptr<char[]> buffer;
-  QuicByteCount frame_length = encoder_.SerializeMaxPushIdFrame(frame, &buffer);
+  QuicByteCount frame_length =
+      HttpEncoder::SerializeMaxPushIdFrame(frame, &buffer);
   WriteOrBufferData(QuicStringPiece(buffer.get(), frame_length),
                     /*fin = */ false, nullptr);
 }
 
+void QuicSendControlStream::SendGoAway(QuicStreamId stream_id) {
+  QuicConnection::ScopedPacketFlusher flusher(session()->connection());
+
+  MaybeSendSettingsFrame();
+  GoAwayFrame frame;
+  // If the peer hasn't created any stream yet. Use stream id 0 to indicate no
+  // request is accepted.
+  if (stream_id ==
+      QuicUtils::GetInvalidStreamId(session()->transport_version())) {
+    stream_id = 0;
+  }
+  frame.stream_id = stream_id;
+  std::unique_ptr<char[]> buffer;
+  QuicByteCount frame_length =
+      HttpEncoder::SerializeGoAwayFrame(frame, &buffer);
+  WriteOrBufferData(QuicStringPiece(buffer.get(), frame_length), false,
+                    nullptr);
+}
+
 }  // namespace quic
diff --git a/chromium/net/third_party/quiche/src/quic/core/http/quic_send_control_stream.h b/chromium/net/third_party/quiche/src/quic/core/http/quic_send_control_stream.h
index aa8fff156b3..ac946d35a6f 100644
--- a/chromium/net/third_party/quiche/src/quic/core/http/quic_send_control_stream.h
+++ b/chromium/net/third_party/quiche/src/quic/core/http/quic_send_control_stream.h
@@ -7,6 +7,7 @@
 
 #include "net/third_party/quiche/src/quic/core/http/http_encoder.h"
 #include "net/third_party/quiche/src/quic/core/quic_stream.h"
+#include "net/third_party/quiche/src/quic/core/quic_types.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_export.h"
 
 namespace quic {
@@ -42,12 +43,14 @@ class QUIC_EXPORT_PRIVATE QuicSendControlStream : public QuicStream {
   // Send |Priority| on this stream. It must be sent after settings.
   void WritePriority(const PriorityFrame& priority);
 
+  // Serialize a GOAWAY frame from |stream_id| and send it on this stream.
+  void SendGoAway(QuicStreamId stream_id);
+
   // The send control stream is write unidirectional, so this method should
   // never be called.
   void OnDataAvailable() override { QUIC_NOTREACHED(); }
 
  private:
-  HttpEncoder encoder_;
   // Track if a settings frame is already sent.
   bool settings_sent_;
 
diff --git a/chromium/net/third_party/quiche/src/quic/core/http/quic_send_control_stream_test.cc b/chromium/net/third_party/quiche/src/quic/core/http/quic_send_control_stream_test.cc
index a06a3196880..de2e705e8c6 100644
--- a/chromium/net/third_party/quiche/src/quic/core/http/quic_send_control_stream_test.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/http/quic_send_control_stream_test.cc
@@ -93,7 +93,6 @@ class QuicSendControlStreamTest : public QuicTestWithParam<TestParams> {
   MockAlarmFactory alarm_factory_;
   StrictMock<MockQuicConnection>* connection_;
   StrictMock<MockQuicSpdySession> session_;
-  HttpEncoder encoder_;
   QuicSendControlStream* send_control_stream_;
 };
 
diff --git a/chromium/net/third_party/quiche/src/quic/core/http/quic_server_session_base_test.cc b/chromium/net/third_party/quiche/src/quic/core/http/quic_server_session_base_test.cc
index c7ab6236c29..9e8c749025b 100644
--- a/chromium/net/third_party/quiche/src/quic/core/http/quic_server_session_base_test.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/http/quic_server_session_base_test.cc
@@ -152,9 +152,10 @@ class QuicServerSessionBaseTest : public QuicTestWithParam<ParsedQuicVersion> {
         QuicCryptoServerConfig::ConfigOptions());
     SetQuicReloadableFlag(quic_supports_tls_handshake, true);
     session_->Initialize();
-    QuicSessionPeer::GetMutableCryptoStream(session_.get())
-        ->OnSuccessfulVersionNegotiation(supported_versions.front());
-    visitor_ = QuicConnectionPeer::GetVisitor(connection_);
+    if (!GetQuicReloadableFlag(quic_version_negotiated_by_default_at_server)) {
+      QuicSessionPeer::GetMutableCryptoStream(session_.get())
+          ->OnSuccessfulVersionNegotiation(supported_versions.front());
+    }
     QuicConfigPeer::SetReceivedInitialSessionFlowControlWindow(
         session_->config(), kMinimumFlowControlSendWindow);
     session_->OnConfigNegotiated();
@@ -208,7 +209,6 @@ class QuicServerSessionBaseTest : public QuicTestWithParam<ParsedQuicVersion> {
   QuicMemoryCacheBackend memory_cache_backend_;
   std::unique_ptr<TestServerSession> session_;
   std::unique_ptr<CryptoHandshakeMessage> handshake_message_;
-  QuicConnectionVisitorInterface* visitor_;
 };
 
 // Compares CachedNetworkParameters.
@@ -253,7 +253,7 @@ TEST_P(QuicServerSessionBaseTest, CloseStreamDueToReset) {
                 OnStreamReset(GetNthClientInitiatedBidirectionalId(0),
                               QUIC_RST_ACKNOWLEDGEMENT));
   }
-  visitor_->OnRstStream(rst1);
+  session_->OnRstStream(rst1);
 
   // For version-99 will create and receive a stop-sending, completing
   // the full-close expected by this test.
@@ -263,7 +263,7 @@ TEST_P(QuicServerSessionBaseTest, CloseStreamDueToReset) {
   EXPECT_EQ(0u, session_->GetNumOpenIncomingStreams());
 
   // Send the same two bytes of payload in a new packet.
-  visitor_->OnStreamFrame(data1);
+  session_->OnStreamFrame(data1);
 
   // The stream should not be re-opened.
   EXPECT_EQ(0u, session_->GetNumOpenIncomingStreams());
@@ -284,7 +284,7 @@ TEST_P(QuicServerSessionBaseTest, NeverOpenStreamDueToReset) {
                 OnStreamReset(GetNthClientInitiatedBidirectionalId(0),
                               QUIC_RST_ACKNOWLEDGEMENT));
   }
-  visitor_->OnRstStream(rst1);
+  session_->OnRstStream(rst1);
 
   // For version-99 will create and receive a stop-sending, completing
   // the full-close expected by this test.
@@ -296,7 +296,7 @@ TEST_P(QuicServerSessionBaseTest, NeverOpenStreamDueToReset) {
   // Send two bytes of payload.
   QuicStreamFrame data1(GetNthClientInitiatedBidirectionalId(0), false, 0,
                         QuicStringPiece("HT"));
-  visitor_->OnStreamFrame(data1);
+  session_->OnStreamFrame(data1);
 
   // The stream should never be opened, now that the reset is received.
   EXPECT_EQ(0u, session_->GetNumOpenIncomingStreams());
@@ -309,8 +309,8 @@ TEST_P(QuicServerSessionBaseTest, AcceptClosedStream) {
                          QuicStringPiece("\1\0\0\0\0\0\0\0HT"));
   QuicStreamFrame frame2(GetNthClientInitiatedBidirectionalId(1), false, 0,
                          QuicStringPiece("\2\0\0\0\0\0\0\0HT"));
-  visitor_->OnStreamFrame(frame1);
-  visitor_->OnStreamFrame(frame2);
+  session_->OnStreamFrame(frame1);
+  session_->OnStreamFrame(frame2);
   EXPECT_EQ(2u, session_->GetNumOpenIncomingStreams());
 
   // Send a reset (and expect the peer to send a RST in response).
@@ -326,7 +326,7 @@ TEST_P(QuicServerSessionBaseTest, AcceptClosedStream) {
                 OnStreamReset(GetNthClientInitiatedBidirectionalId(0),
                               QUIC_RST_ACKNOWLEDGEMENT));
   }
-  visitor_->OnRstStream(rst);
+  session_->OnRstStream(rst);
 
   // For version-99 will create and receive a stop-sending, completing
   // the full-close expected by this test.
@@ -340,8 +340,8 @@ TEST_P(QuicServerSessionBaseTest, AcceptClosedStream) {
                          QuicStringPiece("TP"));
   QuicStreamFrame frame4(GetNthClientInitiatedBidirectionalId(1), false, 2,
                          QuicStringPiece("TP"));
-  visitor_->OnStreamFrame(frame3);
-  visitor_->OnStreamFrame(frame4);
+  session_->OnStreamFrame(frame3);
+  session_->OnStreamFrame(frame4);
   // The stream should never be opened, now that the reset is received.
   EXPECT_EQ(1u, session_->GetNumOpenIncomingStreams());
   EXPECT_TRUE(connection_->connected());
@@ -570,8 +570,7 @@ TEST_P(QuicServerSessionBaseTest, BandwidthEstimates) {
   SerializedPacket packet(
       QuicPacketNumber(1) + kMinPacketsBetweenServerConfigUpdates,
       PACKET_4BYTE_PACKET_NUMBER, nullptr, 1000, false, false);
-  sent_packet_manager->OnPacketSent(&packet, QuicPacketNumber(), now,
-                                    NOT_RETRANSMISSION,
+  sent_packet_manager->OnPacketSent(&packet, now, NOT_RETRANSMISSION,
                                     HAS_RETRANSMITTABLE_DATA);
 
   // Verify that the proto has exactly the values we expect.
diff --git a/chromium/net/third_party/quiche/src/quic/core/http/quic_spdy_client_session.cc b/chromium/net/third_party/quiche/src/quic/core/http/quic_spdy_client_session.cc
index c6f99ff9f61..da3336d26a0 100644
--- a/chromium/net/third_party/quiche/src/quic/core/http/quic_spdy_client_session.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/http/quic_spdy_client_session.cc
@@ -53,6 +53,9 @@ bool QuicSpdyClientSession::ShouldCreateOutgoingBidirectionalStream() {
     QUIC_DLOG(INFO) << "Encryption not active so no outgoing stream created.";
     return false;
   }
+  bool goaway_received = VersionUsesHttp3(transport_version())
+                             ? http3_goaway_received()
+                             : QuicSession::goaway_received();
   if (!GetQuicReloadableFlag(quic_use_common_stream_check) &&
       !VersionHasIetfQuicFrames(transport_version())) {
     if (GetNumOpenOutgoingStreams() >=
@@ -61,14 +64,14 @@ bool QuicSpdyClientSession::ShouldCreateOutgoingBidirectionalStream() {
                       << "Already " << GetNumOpenOutgoingStreams() << " open.";
       return false;
     }
-    if (goaway_received() && respect_goaway_) {
+    if (goaway_received && respect_goaway_) {
       QUIC_DLOG(INFO) << "Failed to create a new outgoing stream. "
                       << "Already received goaway.";
       return false;
     }
     return true;
   }
-  if (goaway_received() && respect_goaway_) {
+  if (goaway_received && respect_goaway_) {
     QUIC_DLOG(INFO) << "Failed to create a new outgoing stream. "
                     << "Already received goaway.";
     return false;
@@ -132,7 +135,10 @@ bool QuicSpdyClientSession::ShouldCreateIncomingStream(QuicStreamId id) {
     QUIC_BUG << "ShouldCreateIncomingStream called when disconnected";
     return false;
   }
-  if (goaway_received() && respect_goaway_) {
+  bool goaway_received = quic::VersionUsesHttp3(transport_version())
+                             ? http3_goaway_received()
+                             : QuicSession::goaway_received();
+  if (goaway_received && respect_goaway_) {
     QUIC_DLOG(INFO) << "Failed to create a new outgoing stream. "
                     << "Already received goaway.";
     return false;
diff --git a/chromium/net/third_party/quiche/src/quic/core/http/quic_spdy_client_session.h b/chromium/net/third_party/quiche/src/quic/core/http/quic_spdy_client_session.h
index 3611c69bcf0..b3def0aca29 100644
--- a/chromium/net/third_party/quiche/src/quic/core/http/quic_spdy_client_session.h
+++ b/chromium/net/third_party/quiche/src/quic/core/http/quic_spdy_client_session.h
@@ -20,7 +20,7 @@ namespace quic {
 class QuicConnection;
 class QuicServerId;
 
-class QuicSpdyClientSession : public QuicSpdyClientSessionBase {
+class QUIC_NO_EXPORT QuicSpdyClientSession : public QuicSpdyClientSessionBase {
  public:
   // Takes ownership of |connection|. Caller retains ownership of
   // |promised_by_url|.
diff --git a/chromium/net/third_party/quiche/src/quic/core/http/quic_spdy_client_session_base.cc b/chromium/net/third_party/quiche/src/quic/core/http/quic_spdy_client_session_base.cc
index aef68c8ff8f..7dd2aec34e7 100644
--- a/chromium/net/third_party/quiche/src/quic/core/http/quic_spdy_client_session_base.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/http/quic_spdy_client_session_base.cc
@@ -39,15 +39,6 @@ void QuicSpdyClientSessionBase::OnConfigNegotiated() {
   QuicSpdySession::OnConfigNegotiated();
 }
 
-void QuicSpdyClientSessionBase::OnCryptoHandshakeEvent(
-    CryptoHandshakeEvent event) {
-  QuicSpdySession::OnCryptoHandshakeEvent(event);
-  if (event == HANDSHAKE_CONFIRMED && max_allowed_push_id() > 0 &&
-      VersionUsesHttp3(transport_version())) {
-    SendMaxPushId();
-  }
-}
-
 void QuicSpdyClientSessionBase::OnInitialHeadersComplete(
     QuicStreamId stream_id,
     const SpdyHeaderBlock& response_headers) {
diff --git a/chromium/net/third_party/quiche/src/quic/core/http/quic_spdy_client_session_base.h b/chromium/net/third_party/quiche/src/quic/core/http/quic_spdy_client_session_base.h
index aec5e75947f..3ca3499e8c7 100644
--- a/chromium/net/third_party/quiche/src/quic/core/http/quic_spdy_client_session_base.h
+++ b/chromium/net/third_party/quiche/src/quic/core/http/quic_spdy_client_session_base.h
@@ -50,9 +50,6 @@ class QUIC_EXPORT_PRIVATE QuicSpdyClientSessionBase
 
   void OnConfigNegotiated() override;
 
-  // Override base class to set FEC policy before any data is sent by client.
-  void OnCryptoHandshakeEvent(CryptoHandshakeEvent event) override;
-
   // Called by |headers_stream_| when push promise headers have been
   // completely received.
   void OnPromiseHeaderList(QuicStreamId stream_id,
diff --git a/chromium/net/third_party/quiche/src/quic/core/http/quic_spdy_client_session_test.cc b/chromium/net/third_party/quiche/src/quic/core/http/quic_spdy_client_session_test.cc
index 59634f8ef69..7c4d914da98 100644
--- a/chromium/net/third_party/quiche/src/quic/core/http/quic_spdy_client_session_test.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/http/quic_spdy_client_session_test.cc
@@ -32,6 +32,7 @@
 using spdy::SpdyHeaderBlock;
 using testing::_;
 using testing::AnyNumber;
+using testing::AtLeast;
 using testing::AtMost;
 using testing::Invoke;
 using testing::Truly;
@@ -106,7 +107,6 @@ class QuicSpdyClientSessionTest : public QuicTestWithParam<ParsedQuicVersion> {
     session_->Initialize();
     push_promise_[":path"] = "/bar";
     push_promise_[":authority"] = "www.google.com";
-    push_promise_[":version"] = "HTTP/1.1";
     push_promise_[":method"] = "GET";
     push_promise_[":scheme"] = "https";
     promise_url_ =
@@ -165,9 +165,11 @@ class QuicSpdyClientSessionTest : public QuicTestWithParam<ParsedQuicVersion> {
       config.SetMaxIncomingBidirectionalStreamsToSend(
           server_max_incoming_streams);
     }
+    std::unique_ptr<QuicCryptoServerConfig> crypto_config =
+        crypto_test_utils::CryptoServerConfigForTesting();
     crypto_test_utils::HandshakeWithFakeServer(
-        &config, &helper_, &alarm_factory_, connection_, stream,
-        AlpnForVersion(connection_->version()));
+        &config, crypto_config.get(), &helper_, &alarm_factory_, connection_,
+        stream, AlpnForVersion(connection_->version()));
   }
 
   QuicCryptoClientConfig crypto_config_;
@@ -244,8 +246,6 @@ TEST_P(QuicSpdyClientSessionTest, MaxNumStreamsWithNoFinOrRst) {
     // TODO(nharper): Add support for Transport Parameters in the TLS handshake.
     return;
   }
-  EXPECT_CALL(*connection_, SendControlFrame(_)).Times(AnyNumber());
-  EXPECT_CALL(*connection_, OnStreamReset(_, _)).Times(AnyNumber());
 
   uint32_t kServerMaxIncomingStreams = 1;
   CompleteCryptoHandshake(kServerMaxIncomingStreams);
@@ -276,8 +276,6 @@ TEST_P(QuicSpdyClientSessionTest, MaxNumStreamsWithRst) {
     // TODO(nharper): Add support for Transport Parameters in the TLS handshake.
     return;
   }
-  EXPECT_CALL(*connection_, SendControlFrame(_)).Times(AnyNumber());
-  EXPECT_CALL(*connection_, OnStreamReset(_, _)).Times(AnyNumber());
 
   uint32_t kServerMaxIncomingStreams = 1;
   CompleteCryptoHandshake(kServerMaxIncomingStreams);
@@ -345,7 +343,9 @@ TEST_P(QuicSpdyClientSessionTest, ResetAndTrailers) {
 
   QuicStreamId stream_id = stream->id();
 
-  EXPECT_CALL(*connection_, SendControlFrame(_)).Times(1);
+  EXPECT_CALL(*connection_, SendControlFrame(_))
+      .Times(AtLeast(1))
+      .WillRepeatedly(Invoke(&ClearControlFrame));
   EXPECT_CALL(*connection_, OnStreamReset(_, _)).Times(1);
   session_->SendRstStream(stream_id, QUIC_STREAM_PEER_GOING_AWAY, 0);
 
@@ -395,7 +395,9 @@ TEST_P(QuicSpdyClientSessionTest, ReceivedMalformedTrailersAfterSendingRst) {
   // Send the RST, which results in the stream being closed locally (but some
   // state remains while the client waits for a response from the server).
   QuicStreamId stream_id = stream->id();
-  EXPECT_CALL(*connection_, SendControlFrame(_)).Times(1);
+  EXPECT_CALL(*connection_, SendControlFrame(_))
+      .Times(AtLeast(1))
+      .WillRepeatedly(Invoke(&ClearControlFrame));
   EXPECT_CALL(*connection_, OnStreamReset(_, _)).Times(1);
   session_->SendRstStream(stream_id, QUIC_STREAM_PEER_GOING_AWAY, 0);
 
@@ -532,14 +534,15 @@ TEST_P(QuicSpdyClientSessionTest, InvalidPacketReceived) {
 
 // A packet with invalid framing should cause a connection to be closed.
 TEST_P(QuicSpdyClientSessionTest, InvalidFramedPacketReceived) {
-  if (GetParam().handshake_protocol == PROTOCOL_TLS1_3) {
+  const ParsedQuicVersion version = GetParam();
+  if (version.handshake_protocol == PROTOCOL_TLS1_3) {
     // TODO(nharper, b/112643533): Figure out why this test fails when TLS is
     // enabled and fix it.
     return;
   }
   QuicSocketAddress server_address(TestPeerIPAddress(), kTestPort);
   QuicSocketAddress client_address(TestPeerIPAddress(), kTestPort);
-  if (GetParam().KnowsWhichDecrypterToUse()) {
+  if (version.KnowsWhichDecrypterToUse()) {
     connection_->InstallDecrypter(
         ENCRYPTION_FORWARD_SECURE,
         std::make_unique<NullDecrypter>(Perspective::IS_CLIENT));
@@ -560,10 +563,9 @@ TEST_P(QuicSpdyClientSessionTest, InvalidFramedPacketReceived) {
   QuicConnectionId source_connection_id = EmptyQuicConnectionId();
   QuicFramerPeer::SetLastSerializedServerConnectionId(
       QuicConnectionPeer::GetFramer(connection_), destination_connection_id);
-  ParsedQuicVersionVector versions = {GetParam()};
   bool version_flag = false;
   QuicConnectionIdIncluded scid_included = CONNECTION_ID_ABSENT;
-  if (VersionHasIetfInvariantHeader(GetParam().transport_version)) {
+  if (VersionHasIetfInvariantHeader(version.transport_version)) {
     version_flag = true;
     source_connection_id = destination_connection_id;
     scid_included = CONNECTION_ID_PRESENT;
@@ -571,7 +573,7 @@ TEST_P(QuicSpdyClientSessionTest, InvalidFramedPacketReceived) {
   std::unique_ptr<QuicEncryptedPacket> packet(ConstructMisFramedEncryptedPacket(
       destination_connection_id, source_connection_id, version_flag, false, 100,
       "data", CONNECTION_ID_ABSENT, scid_included, PACKET_4BYTE_PACKET_NUMBER,
-      &versions, Perspective::IS_SERVER));
+      version, Perspective::IS_SERVER));
   std::unique_ptr<QuicReceivedPacket> received(
       ConstructReceivedPacket(*packet, QuicTime::Zero()));
   EXPECT_CALL(*connection_, CloseConnection(_, _, _)).Times(1);
@@ -618,7 +620,6 @@ TEST_P(QuicSpdyClientSessionTest, PushPromiseStreamIdTooHigh) {
   headers.OnHeaderBlockStart();
   headers.OnHeader(":path", "/bar");
   headers.OnHeader(":authority", "www.google.com");
-  headers.OnHeader(":version", "HTTP/1.1");
   headers.OnHeader(":method", "GET");
   headers.OnHeader(":scheme", "https");
   headers.OnHeaderBlockEnd(0, 0);
@@ -924,7 +925,6 @@ TEST_P(QuicSpdyClientSessionTest, TooManyPushPromises) {
     headers.OnHeaderBlockStart();
     headers.OnHeader(":path", QuicStrCat("/", promise_count));
     headers.OnHeader(":authority", "www.google.com");
-    headers.OnHeader(":version", "HTTP/1.1");
     headers.OnHeader(":method", "GET");
     headers.OnHeader(":scheme", "https");
     headers.OnHeaderBlockEnd(0, 0);
diff --git a/chromium/net/third_party/quiche/src/quic/core/http/quic_spdy_client_stream.h b/chromium/net/third_party/quiche/src/quic/core/http/quic_spdy_client_stream.h
index 9c94b700936..5cd27d4a6b8 100644
--- a/chromium/net/third_party/quiche/src/quic/core/http/quic_spdy_client_stream.h
+++ b/chromium/net/third_party/quiche/src/quic/core/http/quic_spdy_client_stream.h
@@ -19,7 +19,7 @@ class QuicSpdyClientSession;
 
 // All this does right now is send an SPDY request, and aggregate the
 // SPDY response.
-class QuicSpdyClientStream : public QuicSpdyStream {
+class QUIC_NO_EXPORT QuicSpdyClientStream : public QuicSpdyStream {
  public:
   QuicSpdyClientStream(QuicStreamId id,
                        QuicSpdyClientSession* session,
diff --git a/chromium/net/third_party/quiche/src/quic/core/http/quic_spdy_client_stream_test.cc b/chromium/net/third_party/quiche/src/quic/core/http/quic_spdy_client_stream_test.cc
index 84a207ad26c..dd1cadebbd8 100644
--- a/chromium/net/third_party/quiche/src/quic/core/http/quic_spdy_client_stream_test.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/http/quic_spdy_client_stream_test.cc
@@ -96,7 +96,6 @@ class QuicSpdyClientStreamTest : public QuicTestWithParam<ParsedQuicVersion> {
   std::unique_ptr<StreamVisitor> stream_visitor_;
   SpdyHeaderBlock headers_;
   std::string body_;
-  HttpEncoder encoder_;
 };
 
 INSTANTIATE_TEST_SUITE_P(Tests,
@@ -113,7 +112,8 @@ TEST_P(QuicSpdyClientStreamTest, TestReceivingIllegalResponseStatusCode) {
   auto headers = AsHeaderList(headers_);
   stream_->OnStreamHeaderList(false, headers.uncompressed_header_bytes(),
                               headers);
-  EXPECT_EQ(QUIC_BAD_APPLICATION_PAYLOAD, stream_->stream_error());
+  EXPECT_THAT(stream_->stream_error(),
+              IsStreamError(QUIC_BAD_APPLICATION_PAYLOAD));
 }
 
 TEST_P(QuicSpdyClientStreamTest, TestFraming) {
@@ -122,7 +122,7 @@ TEST_P(QuicSpdyClientStreamTest, TestFraming) {
                               headers);
   std::unique_ptr<char[]> buffer;
   QuicByteCount header_length =
-      encoder_.SerializeDataFrameHeader(body_.length(), &buffer);
+      HttpEncoder::SerializeDataFrameHeader(body_.length(), &buffer);
   std::string header = std::string(buffer.get(), header_length);
   std::string data = VersionUsesHttp3(connection_->transport_version())
                          ? header + body_
@@ -153,7 +153,7 @@ TEST_P(QuicSpdyClientStreamTest, TestFramingOnePacket) {
                               headers);
   std::unique_ptr<char[]> buffer;
   QuicByteCount header_length =
-      encoder_.SerializeDataFrameHeader(body_.length(), &buffer);
+      HttpEncoder::SerializeDataFrameHeader(body_.length(), &buffer);
   std::string header = std::string(buffer.get(), header_length);
   std::string data = VersionUsesHttp3(connection_->transport_version())
                          ? header + body_
@@ -173,12 +173,12 @@ TEST_P(QuicSpdyClientStreamTest,
   stream_->OnStreamHeaderList(false, headers.uncompressed_header_bytes(),
                               headers);
   // The headers should parse successfully.
-  EXPECT_EQ(QUIC_STREAM_NO_ERROR, stream_->stream_error());
+  EXPECT_THAT(stream_->stream_error(), IsQuicStreamNoError());
   EXPECT_EQ("200", stream_->response_headers().find(":status")->second);
   EXPECT_EQ(200, stream_->response_code());
   std::unique_ptr<char[]> buffer;
   QuicByteCount header_length =
-      encoder_.SerializeDataFrameHeader(large_body.length(), &buffer);
+      HttpEncoder::SerializeDataFrameHeader(large_body.length(), &buffer);
   std::string header = std::string(buffer.get(), header_length);
   std::string data = VersionUsesHttp3(connection_->transport_version())
                          ? header + large_body
@@ -222,7 +222,7 @@ TEST_P(QuicSpdyClientStreamTest, ReceivingTrailers) {
   // received, as well as all data.
   std::unique_ptr<char[]> buffer;
   QuicByteCount header_length =
-      encoder_.SerializeDataFrameHeader(body_.length(), &buffer);
+      HttpEncoder::SerializeDataFrameHeader(body_.length(), &buffer);
   std::string header = std::string(buffer.get(), header_length);
   std::string data = VersionUsesHttp3(connection_->transport_version())
                          ? header + body_
diff --git a/chromium/net/third_party/quiche/src/quic/core/http/quic_spdy_server_stream_base.h b/chromium/net/third_party/quiche/src/quic/core/http/quic_spdy_server_stream_base.h
index ad0d32699f0..b66b459d021 100644
--- a/chromium/net/third_party/quiche/src/quic/core/http/quic_spdy_server_stream_base.h
+++ b/chromium/net/third_party/quiche/src/quic/core/http/quic_spdy_server_stream_base.h
@@ -9,7 +9,7 @@
 
 namespace quic {
 
-class QuicSpdyServerStreamBase : public QuicSpdyStream {
+class QUIC_NO_EXPORT QuicSpdyServerStreamBase : public QuicSpdyStream {
  public:
   QuicSpdyServerStreamBase(QuicStreamId id,
                            QuicSpdySession* session,
diff --git a/chromium/net/third_party/quiche/src/quic/core/http/quic_spdy_server_stream_base_test.cc b/chromium/net/third_party/quiche/src/quic/core/http/quic_spdy_server_stream_base_test.cc
index 1888e033f25..1a8eef2935f 100644
--- a/chromium/net/third_party/quiche/src/quic/core/http/quic_spdy_server_stream_base_test.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/http/quic_spdy_server_stream_base_test.cc
@@ -31,6 +31,7 @@ class QuicSpdyServerStreamBaseTest : public QuicTest {
       : session_(new MockQuicConnection(&helper_,
                                         &alarm_factory_,
                                         Perspective::IS_SERVER)) {
+    session_.Initialize();
     stream_ =
         new TestQuicSpdyServerStream(GetNthClientInitiatedBidirectionalStreamId(
                                          session_.transport_version(), 0),
diff --git a/chromium/net/third_party/quiche/src/quic/core/http/quic_spdy_session.cc b/chromium/net/third_party/quiche/src/quic/core/http/quic_spdy_session.cc
index c876e3d1a93..3a3441bc416 100644
--- a/chromium/net/third_party/quiche/src/quic/core/http/quic_spdy_session.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/http/quic_spdy_session.cc
@@ -11,6 +11,8 @@
 
 #include "net/third_party/quiche/src/quic/core/http/http_constants.h"
 #include "net/third_party/quiche/src/quic/core/http/quic_headers_stream.h"
+#include "net/third_party/quiche/src/quic/core/quic_error_codes.h"
+#include "net/third_party/quiche/src/quic/core/quic_types.h"
 #include "net/third_party/quiche/src/quic/core/quic_utils.h"
 #include "net/third_party/quiche/src/quic/core/quic_versions.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_bug_tracker.h"
@@ -44,7 +46,6 @@ using spdy::SpdyPriorityIR;
 using spdy::SpdyPushPromiseIR;
 using spdy::SpdySerializedFrame;
 using spdy::SpdySettingsId;
-using spdy::SpdySettingsIR;
 using spdy::SpdyStreamId;
 
 namespace quic {
@@ -245,11 +246,6 @@ class QuicSpdySession::SpdyFramerVisitor
                   int weight,
                   bool exclusive) override {
     DCHECK(!VersionUsesHttp3(session_->transport_version()));
-    if (session_->transport_version() <= QUIC_VERSION_39) {
-      CloseConnection("SPDY PRIORITY frame received.",
-                      QUIC_INVALID_HEADERS_STREAM_DATA);
-      return;
-    }
     if (!session_->IsConnected()) {
       return;
     }
@@ -303,7 +299,6 @@ class QuicSpdySession::SpdyFramerVisitor
     }
   }
 
- private:
   QuicSpdySession* session_;
   QuicHeaderList header_list_;
 };
@@ -352,7 +347,10 @@ QuicSpdySession::QuicSpdySession(
       spdy_framer_visitor_(new SpdyFramerVisitor(this)),
       max_allowed_push_id_(0),
       destruction_indicator_(123456789),
-      debug_visitor_(nullptr) {
+      debug_visitor_(nullptr),
+      http3_goaway_received_(false),
+      http3_goaway_sent_(false),
+      http3_max_push_id_sent_(false) {
   h2_deframer_.set_visitor(spdy_framer_visitor_.get());
   h2_deframer_.set_debug_visitor(spdy_framer_visitor_.get());
   spdy_framer_.set_debug_visitor(spdy_framer_visitor_.get());
@@ -416,18 +414,16 @@ void QuicSpdySession::Initialize() {
 void QuicSpdySession::OnDecoderStreamError(QuicStringPiece error_message) {
   DCHECK(VersionUsesHttp3(transport_version()));
 
-  // TODO(b/124216424): Use HTTP_QPACK_DECODER_STREAM_ERROR.
   CloseConnectionWithDetails(
-      QUIC_DECOMPRESSION_FAILURE,
+      QUIC_QPACK_DECODER_STREAM_ERROR,
       QuicStrCat("Decoder stream error: ", error_message));
 }
 
 void QuicSpdySession::OnEncoderStreamError(QuicStringPiece error_message) {
   DCHECK(VersionUsesHttp3(transport_version()));
 
-  // TODO(b/124216424): Use HTTP_QPACK_ENCODER_STREAM_ERROR.
   CloseConnectionWithDetails(
-      QUIC_DECOMPRESSION_FAILURE,
+      QUIC_QPACK_ENCODER_STREAM_ERROR,
       QuicStrCat("Encoder stream error: ", error_message));
 }
 
@@ -520,9 +516,6 @@ size_t QuicSpdySession::WritePriority(QuicStreamId id,
                                       int weight,
                                       bool exclusive) {
   DCHECK(!VersionUsesHttp3(transport_version()));
-  if (transport_version() <= QUIC_VERSION_39) {
-    return 0;
-  }
   SpdyPriorityIR priority_frame(id, parent_stream_id, weight, exclusive);
   SpdySerializedFrame frame(spdy_framer_.SerializeFrame(priority_frame));
   headers_stream()->WriteOrBufferData(
@@ -537,10 +530,29 @@ void QuicSpdySession::WriteH3Priority(const PriorityFrame& priority) {
       << "Server must not send priority";
 
   QuicConnection::ScopedPacketFlusher flusher(connection());
-  SendInitialData();
   send_control_stream_->WritePriority(priority);
 }
 
+void QuicSpdySession::OnHttp3GoAway(QuicStreamId stream_id) {
+  DCHECK_EQ(perspective(), Perspective::IS_CLIENT);
+  if (!QuicUtils::IsBidirectionalStreamId(stream_id) ||
+      IsIncomingStream(stream_id)) {
+    CloseConnectionWithDetails(
+        QUIC_INVALID_STREAM_ID,
+        "GOAWAY's last stream id has to point to a request stream");
+    return;
+  }
+  http3_goaway_received_ = true;
+}
+
+void QuicSpdySession::SendHttp3GoAway() {
+  DCHECK_EQ(perspective(), Perspective::IS_SERVER);
+  DCHECK(VersionUsesHttp3(transport_version()));
+  http3_goaway_sent_ = true;
+  send_control_stream_->SendGoAway(
+      GetLargestPeerCreatedStreamId(/*unidirectional = */ false));
+}
+
 void QuicSpdySession::WritePushPromise(QuicStreamId original_stream_id,
                                        QuicStreamId promised_stream_id,
                                        SpdyHeaderBlock headers) {
@@ -580,27 +592,18 @@ void QuicSpdySession::WritePushPromise(QuicStreamId original_stream_id,
 }
 
 void QuicSpdySession::SendInitialData() {
-  if (VersionUsesHttp3(transport_version())) {
-    QuicConnection::ScopedPacketFlusher flusher(connection());
-    send_control_stream_->MaybeSendSettingsFrame();
-    // TODO(renjietang): Remove this once stream id manager can take dynamically
-    // created HTTP/3 unidirectional streams.
-    qpack_encoder_send_stream_->MaybeSendStreamType();
-    qpack_decoder_send_stream_->MaybeSendStreamType();
+  if (!VersionUsesHttp3(transport_version())) {
     return;
   }
-  if (GetQuicReloadableFlag(quic_do_not_send_settings)) {
-    QUIC_RELOADABLE_FLAG_COUNT(quic_do_not_send_settings);
-    return;
+  QuicConnection::ScopedPacketFlusher flusher(connection());
+  send_control_stream_->MaybeSendSettingsFrame();
+  if (GetQuicReloadableFlag(quic_send_max_push_id_with_settings) &&
+      perspective() == Perspective::IS_CLIENT && !http3_max_push_id_sent_) {
+    SendMaxPushId();
+    http3_max_push_id_sent_ = true;
   }
-
-  SpdySettingsIR settings_frame;
-  settings_frame.AddSetting(SETTINGS_MAX_HEADER_LIST_SIZE,
-                            max_inbound_header_list_size_);
-
-  SpdySerializedFrame frame(spdy_framer_.SerializeFrame(settings_frame));
-  headers_stream()->WriteOrBufferData(
-      QuicStringPiece(frame.data(), frame.size()), false, nullptr);
+  qpack_decoder_send_stream_->MaybeSendStreamType();
+  qpack_encoder_send_stream_->MaybeSendStreamType();
 }
 
 QpackEncoder* QuicSpdySession::qpack_encoder() {
@@ -630,19 +633,20 @@ QuicSpdyStream* QuicSpdySession::GetSpdyDataStream(
 
 void QuicSpdySession::OnCryptoHandshakeEvent(CryptoHandshakeEvent event) {
   QuicSession::OnCryptoHandshakeEvent(event);
-  if (VersionUsesHttp3(transport_version()) ||
-      (event == HANDSHAKE_CONFIRMED && config()->SupportMaxHeaderListSize())) {
-    SendInitialData();
-  }
+  SendInitialData();
+}
+
+void QuicSpdySession::SetDefaultEncryptionLevel(quic::EncryptionLevel level) {
+  QuicSession::SetDefaultEncryptionLevel(level);
+  SendInitialData();
 }
 
 // True if there are open HTTP requests.
 bool QuicSpdySession::ShouldKeepConnectionAlive() const {
-  if (GetQuicReloadableFlag(quic_aggressive_connection_aliveness)) {
-    QUIC_RELOADABLE_FLAG_COUNT(quic_aggressive_connection_aliveness);
-    return GetNumActiveStreams() > 0;
+  if (!VersionUsesHttp3(transport_version())) {
+    DCHECK(pending_streams().empty());
   }
-  return GetNumOpenDynamicStreams() > 0;
+  return GetNumActiveStreams() + pending_streams().size() > 0;
 }
 
 bool QuicSpdySession::UsesPendingStreams() const {
@@ -1035,9 +1039,8 @@ void QuicSpdySession::SetMaxAllowedPushId(QuicStreamId max_allowed_push_id) {
   }
 
   DCHECK(perspective() == Perspective::IS_CLIENT);
-  if (IsHandshakeConfirmed()) {
+  if (IsCryptoHandshakeConfirmed()) {
     SendMaxPushId();
-    send_control_stream_->SendMaxPushIdFrame(max_allowed_push_id_);
   }
 }
 
diff --git a/chromium/net/third_party/quiche/src/quic/core/http/quic_spdy_session.h b/chromium/net/third_party/quiche/src/quic/core/http/quic_spdy_session.h
index 0eb3751e679..575d6641a61 100644
--- a/chromium/net/third_party/quiche/src/quic/core/http/quic_spdy_session.h
+++ b/chromium/net/third_party/quiche/src/quic/core/http/quic_spdy_session.h
@@ -21,7 +21,6 @@
 #include "net/third_party/quiche/src/quic/core/qpack/qpack_encoder_stream_sender.h"
 #include "net/third_party/quiche/src/quic/core/qpack/qpack_receive_stream.h"
 #include "net/third_party/quiche/src/quic/core/qpack/qpack_send_stream.h"
-#include "net/third_party/quiche/src/quic/core/qpack/qpack_utils.h"
 #include "net/third_party/quiche/src/quic/core/quic_session.h"
 #include "net/third_party/quiche/src/quic/core/quic_versions.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_export.h"
@@ -153,6 +152,13 @@ class QUIC_EXPORT_PRIVATE QuicSpdySession
   // Writes a HTTP/3 PRIORITY frame to the peer.
   void WriteH3Priority(const PriorityFrame& priority);
 
+  // Process received HTTP/3 GOAWAY frame. This method should only be called on
+  // the client side.
+  virtual void OnHttp3GoAway(QuicStreamId stream_id);
+
+  // Write the GOAWAY |frame| on control stream.
+  void SendHttp3GoAway();
+
   // Write |headers| for |promised_stream_id| on |original_stream_id| in a
   // PUSH_PROMISE frame to peer.
   virtual void WritePushPromise(QuicStreamId original_stream_id,
@@ -237,6 +243,10 @@ class QUIC_EXPORT_PRIVATE QuicSpdySession
 
   Http3DebugVisitor* debug_visitor() { return debug_visitor_; }
 
+  bool http3_goaway_received() const { return http3_goaway_received_; }
+
+  bool http3_goaway_sent() const { return http3_goaway_sent_; }
+
   // Log header compression ratio histogram.
   // |using_qpack| is true for QPACK, false for HPACK.
   // |is_sent| is true for sent headers, false for received ones.
@@ -255,6 +265,14 @@ class QUIC_EXPORT_PRIVATE QuicSpdySession
                                                  QuicByteCount compressed,
                                                  QuicByteCount uncompressed);
 
+  // True if any dynamic table entries have been referenced from either a sent
+  // or received header block.  Used for stats.
+  bool dynamic_table_entry_referenced() const {
+    return (qpack_encoder_ &&
+            qpack_encoder_->dynamic_table_entry_referenced()) ||
+           (qpack_decoder_ && qpack_decoder_->dynamic_table_entry_referenced());
+  }
+
  protected:
   // Override CreateIncomingStream(), CreateOutgoingBidirectionalStream() and
   // CreateOutgoingUnidirectionalStream() with QuicSpdyStream return type to
@@ -295,6 +313,7 @@ class QUIC_EXPORT_PRIVATE QuicSpdySession
       QuicReferenceCountedPointer<QuicAckListenerInterface> ack_listener);
 
   void OnCryptoHandshakeEvent(CryptoHandshakeEvent event) override;
+  void SetDefaultEncryptionLevel(quic::EncryptionLevel level) override;
 
   bool supports_push_promise() { return supports_push_promise_; }
 
@@ -416,6 +435,14 @@ class QUIC_EXPORT_PRIVATE QuicSpdySession
 
   // Not owned by the session.
   Http3DebugVisitor* debug_visitor_;
+
+  // If the endpoint has received HTTP/3 GOAWAY frame.
+  bool http3_goaway_received_;
+  // If the endpoint has sent HTTP/3 GOAWAY frame.
+  bool http3_goaway_sent_;
+
+  // If the sendpoint has sent the initial HTTP/3 MAX_PUSH_ID frame.
+  bool http3_max_push_id_sent_;
 };
 
 }  // namespace quic
diff --git a/chromium/net/third_party/quiche/src/quic/core/http/quic_spdy_session_test.cc b/chromium/net/third_party/quiche/src/quic/core/http/quic_spdy_session_test.cc
index 85e79a7a987..b37246acd23 100644
--- a/chromium/net/third_party/quiche/src/quic/core/http/quic_spdy_session_test.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/http/quic_spdy_session_test.cc
@@ -13,6 +13,7 @@
 #include "net/third_party/quiche/src/quic/core/crypto/null_encrypter.h"
 #include "net/third_party/quiche/src/quic/core/frames/quic_stream_frame.h"
 #include "net/third_party/quiche/src/quic/core/http/http_constants.h"
+#include "net/third_party/quiche/src/quic/core/http/http_encoder.h"
 #include "net/third_party/quiche/src/quic/core/quic_config.h"
 #include "net/third_party/quiche/src/quic/core/quic_crypto_stream.h"
 #include "net/third_party/quiche/src/quic/core/quic_data_writer.h"
@@ -29,8 +30,9 @@
 #include "net/third_party/quiche/src/quic/platform/api/quic_string_piece.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_test.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_text_utils.h"
-#include "net/third_party/quiche/src/quic/test_tools/qpack_encoder_peer.h"
-#include "net/third_party/quiche/src/quic/test_tools/qpack_header_table_peer.h"
+#include "net/third_party/quiche/src/quic/test_tools/qpack/qpack_encoder_peer.h"
+#include "net/third_party/quiche/src/quic/test_tools/qpack/qpack_header_table_peer.h"
+#include "net/third_party/quiche/src/quic/test_tools/qpack/qpack_test_utils.h"
 #include "net/third_party/quiche/src/quic/test_tools/quic_config_peer.h"
 #include "net/third_party/quiche/src/quic/test_tools/quic_connection_peer.h"
 #include "net/third_party/quiche/src/quic/test_tools/quic_flow_controller_peer.h"
@@ -39,6 +41,7 @@
 #include "net/third_party/quiche/src/quic/test_tools/quic_stream_peer.h"
 #include "net/third_party/quiche/src/quic/test_tools/quic_stream_send_buffer_peer.h"
 #include "net/third_party/quiche/src/quic/test_tools/quic_test_utils.h"
+#include "net/third_party/quiche/src/common/platform/api/quiche_endian.h"
 #include "net/third_party/quiche/src/spdy/core/spdy_framer.h"
 
 using spdy::kV3HighestPriority;
@@ -95,11 +98,16 @@ class TestCryptoStream : public QuicCryptoStream, public QuicCryptoHandshaker {
       error =
           session()->config()->ProcessPeerHello(msg, CLIENT, &error_details);
     }
-    EXPECT_EQ(QUIC_NO_ERROR, error);
+    EXPECT_THAT(error, IsQuicNoError());
     session()->OnConfigNegotiated();
-    session()->connection()->SetDefaultEncryptionLevel(
-        ENCRYPTION_FORWARD_SECURE);
-    session()->OnCryptoHandshakeEvent(QuicSession::HANDSHAKE_CONFIRMED);
+    if (session()->use_handshake_delegate()) {
+      session()->SetDefaultEncryptionLevel(ENCRYPTION_FORWARD_SECURE);
+      session()->DiscardOldEncryptionKey(ENCRYPTION_INITIAL);
+    } else {
+      session()->connection()->SetDefaultEncryptionLevel(
+          ENCRYPTION_FORWARD_SECURE);
+      session()->OnCryptoHandshakeEvent(QuicSession::HANDSHAKE_CONFIRMED);
+    }
   }
 
   // QuicCryptoStream implementation
@@ -114,6 +122,7 @@ class TestCryptoStream : public QuicCryptoStream, public QuicCryptoHandshaker {
   CryptoMessageParser* crypto_message_parser() override {
     return QuicCryptoHandshaker::crypto_message_parser();
   }
+  void OnPacketDecrypted(EncryptionLevel /*level*/) override {}
 
   MOCK_METHOD0(OnCanWrite, void());
 
@@ -296,6 +305,7 @@ class TestSession : public QuicSpdySession {
   }
 
   using QuicSession::closed_streams;
+  using QuicSession::ShouldKeepConnectionAlive;
   using QuicSession::zombie_streams;
   using QuicSpdySession::ProcessPendingStream;
   using QuicSpdySession::UsesPendingStreams;
@@ -350,10 +360,9 @@ class QuicSpdySessionTestBase : public QuicTestWithParam<ParsedQuicVersion> {
 
   void CheckClosedStreams() {
     QuicStreamId first_stream_id = QuicUtils::GetFirstBidirectionalStreamId(
-        connection_->transport_version(), Perspective::IS_CLIENT);
-    if (!QuicVersionUsesCryptoFrames(connection_->transport_version())) {
-      first_stream_id =
-          QuicUtils::GetCryptoStreamId(connection_->transport_version());
+        transport_version(), Perspective::IS_CLIENT);
+    if (!QuicVersionUsesCryptoFrames(transport_version())) {
+      first_stream_id = QuicUtils::GetCryptoStreamId(transport_version());
     }
     for (QuicStreamId i = first_stream_id; i < 100; i++) {
       if (!QuicContainsKey(closed_streams_, i)) {
@@ -388,18 +397,16 @@ class QuicSpdySessionTestBase : public QuicTestWithParam<ParsedQuicVersion> {
   }
 
   QuicStreamId GetNthServerInitiatedBidirectionalId(int n) {
-    return GetNthServerInitiatedBidirectionalStreamId(
-        connection_->transport_version(), n);
+    return GetNthServerInitiatedBidirectionalStreamId(transport_version(), n);
   }
 
   QuicStreamId IdDelta() {
-    return QuicUtils::StreamIdDelta(connection_->transport_version());
+    return QuicUtils::StreamIdDelta(transport_version());
   }
 
   std::string EncodeSettings(const SettingsFrame& settings) {
-    HttpEncoder encoder;
     std::unique_ptr<char[]> buffer;
-    auto header_length = encoder.SerializeSettingsFrame(settings, &buffer);
+    auto header_length = HttpEncoder::SerializeSettingsFrame(settings, &buffer);
     return std::string(buffer.get(), header_length);
   }
 
@@ -456,8 +463,7 @@ TEST_P(QuicSpdySessionTestServer, SelfAddress) {
 }
 
 TEST_P(QuicSpdySessionTestServer, IsCryptoHandshakeConfirmed) {
-  if (!GetQuicReloadableFlag(quic_do_not_send_settings) ||
-      VersionUsesHttp3(transport_version())) {
+  if (VersionUsesHttp3(transport_version())) {
     MockPacketWriter* writer = static_cast<MockPacketWriter*>(
         QuicConnectionPeer::GetWriter(session_.connection()));
     EXPECT_CALL(*writer, WritePacket(_, _, _, _, _))
@@ -473,10 +479,9 @@ TEST_P(QuicSpdySessionTestServer, IsCryptoHandshakeConfirmed) {
 TEST_P(QuicSpdySessionTestServer, IsClosedStreamDefault) {
   // Ensure that no streams are initially closed.
   QuicStreamId first_stream_id = QuicUtils::GetFirstBidirectionalStreamId(
-      connection_->transport_version(), Perspective::IS_CLIENT);
-  if (!QuicVersionUsesCryptoFrames(connection_->transport_version())) {
-    first_stream_id =
-        QuicUtils::GetCryptoStreamId(connection_->transport_version());
+      transport_version(), Perspective::IS_CLIENT);
+  if (!QuicVersionUsesCryptoFrames(transport_version())) {
+    first_stream_id = QuicUtils::GetCryptoStreamId(transport_version());
   }
   for (QuicStreamId i = first_stream_id; i < 100; i++) {
     EXPECT_FALSE(session_.IsClosedStream(i)) << "stream id: " << i;
@@ -850,7 +855,7 @@ TEST_P(QuicSpdySessionTestServer, BufferedHandshake) {
   // This tests prioritization of the crypto stream when flow control limits are
   // reached. When CRYPTO frames are in use, there is no flow control for the
   // crypto handshake, so this test is irrelevant.
-  if (QuicVersionUsesCryptoFrames(connection_->transport_version())) {
+  if (QuicVersionUsesCryptoFrames(transport_version())) {
     return;
   }
   session_.set_writev_consumes_all_data(true);
@@ -867,7 +872,7 @@ TEST_P(QuicSpdySessionTestServer, BufferedHandshake) {
 
   // Blocking (due to buffering of) the Crypto stream is detected.
   session_.MarkConnectionLevelWriteBlocked(
-      QuicUtils::GetCryptoStreamId(connection_->transport_version()));
+      QuicUtils::GetCryptoStreamId(transport_version()));
   EXPECT_TRUE(session_.HasPendingHandshake());
 
   TestStream* stream4 = session_.CreateOutgoingBidirectionalStream();
@@ -940,9 +945,9 @@ TEST_P(QuicSpdySessionTestServer,
 
   // Mark the crypto and headers streams as write blocked, we expect them to be
   // allowed to write later.
-  if (!QuicVersionUsesCryptoFrames(connection_->transport_version())) {
+  if (!QuicVersionUsesCryptoFrames(transport_version())) {
     session_.MarkConnectionLevelWriteBlocked(
-        QuicUtils::GetCryptoStreamId(connection_->transport_version()));
+        QuicUtils::GetCryptoStreamId(transport_version()));
   }
 
   // Create a data stream, and although it is write blocked we never expect it
@@ -953,18 +958,18 @@ TEST_P(QuicSpdySessionTestServer,
 
   // The crypto and headers streams should be called even though we are
   // connection flow control blocked.
-  if (!QuicVersionUsesCryptoFrames(connection_->transport_version())) {
+  if (!QuicVersionUsesCryptoFrames(transport_version())) {
     TestCryptoStream* crypto_stream = session_.GetMutableCryptoStream();
     EXPECT_CALL(*crypto_stream, OnCanWrite());
   }
 
-  if (!VersionUsesHttp3(connection_->transport_version())) {
+  if (!VersionUsesHttp3(transport_version())) {
     TestHeadersStream* headers_stream;
     QuicSpdySessionPeer::SetHeadersStream(&session_, nullptr);
     headers_stream = new TestHeadersStream(&session_);
     QuicSpdySessionPeer::SetHeadersStream(&session_, headers_stream);
     session_.MarkConnectionLevelWriteBlocked(
-        QuicUtils::GetHeadersStreamId(connection_->transport_version()));
+        QuicUtils::GetHeadersStreamId(transport_version()));
     EXPECT_CALL(*headers_stream, OnCanWrite());
   }
 
@@ -978,7 +983,7 @@ TEST_P(QuicSpdySessionTestServer,
 
 TEST_P(QuicSpdySessionTestServer, SendGoAway) {
   if (VersionHasIetfQuicFrames(transport_version())) {
-    // GoAway frames are not in version 99
+    // HTTP/3 GOAWAY has different semantic and thus has its own test.
     return;
   }
   connection_->SetDefaultEncryptionLevel(ENCRYPTION_FORWARD_SECURE);
@@ -1001,10 +1006,24 @@ TEST_P(QuicSpdySessionTestServer, SendGoAway) {
   EXPECT_TRUE(session_.GetOrCreateStream(kTestStreamId));
 }
 
+TEST_P(QuicSpdySessionTestServer, SendHttp3GoAway) {
+  if (!VersionUsesHttp3(transport_version())) {
+    return;
+  }
+  connection_->SetDefaultEncryptionLevel(ENCRYPTION_FORWARD_SECURE);
+
+  session_.SendHttp3GoAway();
+  EXPECT_TRUE(session_.http3_goaway_sent());
+
+  const QuicStreamId kTestStreamId =
+      GetNthClientInitiatedBidirectionalStreamId(transport_version(), 0);
+  EXPECT_CALL(*connection_, OnStreamReset(kTestStreamId, _)).Times(0);
+  EXPECT_TRUE(session_.GetOrCreateStream(kTestStreamId));
+}
+
 TEST_P(QuicSpdySessionTestServer, DoNotSendGoAwayTwice) {
   if (VersionHasIetfQuicFrames(transport_version())) {
-    // TODO(b/118808809): Enable this test for version 99 when GOAWAY is
-    // supported.
+    // HTTP/3 GOAWAY doesn't have such restriction.
     return;
   }
   EXPECT_CALL(*connection_, SendControlFrame(_))
@@ -1016,8 +1035,7 @@ TEST_P(QuicSpdySessionTestServer, DoNotSendGoAwayTwice) {
 
 TEST_P(QuicSpdySessionTestServer, InvalidGoAway) {
   if (VersionHasIetfQuicFrames(transport_version())) {
-    // TODO(b/118808809): Enable this test for version 99 when GOAWAY is
-    // supported.
+    // HTTP/3 GOAWAY has different semantics and thus has its own test.
     return;
   }
   QuicGoAwayFrame go_away(kInvalidControlFrameId, QUIC_PEER_GOING_AWAY,
@@ -1049,8 +1067,7 @@ TEST_P(QuicSpdySessionTestServer, ServerReplyToConnecitivityProbe) {
 }
 
 TEST_P(QuicSpdySessionTestServer, IncreasedTimeoutAfterCryptoHandshake) {
-  if (!GetQuicReloadableFlag(quic_do_not_send_settings) ||
-      VersionUsesHttp3(transport_version())) {
+  if (VersionUsesHttp3(transport_version())) {
     MockPacketWriter* writer = static_cast<MockPacketWriter*>(
         QuicConnectionPeer::GetWriter(session_.connection()));
     EXPECT_CALL(*writer, WritePacket(_, _, _, _, _))
@@ -1115,7 +1132,7 @@ TEST_P(QuicSpdySessionTestServer, OnStreamFrameFinStaticStreamId) {
     QuicStreamFrame data1(id, false, 0, QuicStringPiece(type, 1));
     session_.OnStreamFrame(data1);
   } else {
-    id = QuicUtils::GetHeadersStreamId(connection_->transport_version());
+    id = QuicUtils::GetHeadersStreamId(transport_version());
   }
 
   // Send two bytes of payload.
@@ -1137,7 +1154,7 @@ TEST_P(QuicSpdySessionTestServer, OnRstStreamStaticStreamId) {
     QuicStreamFrame data1(id, false, 0, QuicStringPiece(type, 1));
     session_.OnStreamFrame(data1);
   } else {
-    id = QuicUtils::GetHeadersStreamId(connection_->transport_version());
+    id = QuicUtils::GetHeadersStreamId(transport_version());
   }
 
   // Send two bytes of payload.
@@ -1152,9 +1169,8 @@ TEST_P(QuicSpdySessionTestServer, OnRstStreamStaticStreamId) {
 
 TEST_P(QuicSpdySessionTestServer, OnStreamFrameInvalidStreamId) {
   // Send two bytes of payload.
-  QuicStreamFrame data1(
-      QuicUtils::GetInvalidStreamId(connection_->transport_version()), true, 0,
-      QuicStringPiece("HT"));
+  QuicStreamFrame data1(QuicUtils::GetInvalidStreamId(transport_version()),
+                        true, 0, QuicStringPiece("HT"));
   EXPECT_CALL(*connection_,
               CloseConnection(
                   QUIC_INVALID_STREAM_ID, "Received data for an invalid stream",
@@ -1164,10 +1180,9 @@ TEST_P(QuicSpdySessionTestServer, OnStreamFrameInvalidStreamId) {
 
 TEST_P(QuicSpdySessionTestServer, OnRstStreamInvalidStreamId) {
   // Send two bytes of payload.
-  QuicRstStreamFrame rst1(
-      kInvalidControlFrameId,
-      QuicUtils::GetInvalidStreamId(connection_->transport_version()),
-      QUIC_ERROR_PROCESSING_STREAM, 0);
+  QuicRstStreamFrame rst1(kInvalidControlFrameId,
+                          QuicUtils::GetInvalidStreamId(transport_version()),
+                          QUIC_ERROR_PROCESSING_STREAM, 0);
   EXPECT_CALL(*connection_,
               CloseConnection(
                   QUIC_INVALID_STREAM_ID, "Received data for an invalid stream",
@@ -1213,7 +1228,7 @@ TEST_P(QuicSpdySessionTestServer, HandshakeUnblocksFlowControlBlockedStream) {
 
 TEST_P(QuicSpdySessionTestServer,
        HandshakeUnblocksFlowControlBlockedCryptoStream) {
-  if (QuicVersionUsesCryptoFrames(GetParam().transport_version)) {
+  if (QuicVersionUsesCryptoFrames(transport_version())) {
     // QUIC version 47 onwards uses CRYPTO frames for the handshake, so this
     // test doesn't make sense for those versions.
     return;
@@ -1230,13 +1245,8 @@ TEST_P(QuicSpdySessionTestServer,
   EXPECT_FALSE(headers_stream->flow_controller()->IsBlocked());
   EXPECT_FALSE(session_.IsConnectionFlowControlBlocked());
   EXPECT_FALSE(session_.IsStreamFlowControlBlocked());
-  if (VersionHasIetfQuicFrames(transport_version())) {
-    EXPECT_CALL(*connection_, SendControlFrame(_))
-        .WillOnce(Invoke(&ClearControlFrame));
-  } else {
-    EXPECT_CALL(*connection_, SendControlFrame(_))
-        .WillOnce(Invoke(&ClearControlFrame));
-  }
+  EXPECT_CALL(*connection_, SendControlFrame(_))
+      .WillOnce(Invoke(&ClearControlFrame));
   for (QuicStreamId i = 0;
        !crypto_stream->flow_controller()->IsBlocked() && i < 1000u; i++) {
     EXPECT_FALSE(session_.IsConnectionFlowControlBlocked());
@@ -1247,7 +1257,7 @@ TEST_P(QuicSpdySessionTestServer,
     config.ToHandshakeMessage(&crypto_message, transport_version());
     crypto_stream->SendHandshakeMessage(crypto_message);
     char buf[1000];
-    QuicDataWriter writer(1000, buf, NETWORK_BYTE_ORDER);
+    QuicDataWriter writer(1000, buf, quiche::NETWORK_BYTE_ORDER);
     crypto_stream->WriteStreamData(offset, crypto_message.size(), &writer);
   }
   EXPECT_TRUE(crypto_stream->flow_controller()->IsBlocked());
@@ -1262,8 +1272,7 @@ TEST_P(QuicSpdySessionTestServer,
   CryptoHandshakeMessage msg;
   session_.GetMutableCryptoStream()->OnHandshakeMessage(msg);
   EXPECT_TRUE(QuicSessionPeer::IsStreamWriteBlocked(
-      &session_,
-      QuicUtils::GetCryptoStreamId(connection_->transport_version())));
+      &session_, QuicUtils::GetCryptoStreamId(transport_version())));
   // Stream is now unblocked and will no longer have buffered data.
   EXPECT_FALSE(crypto_stream->flow_controller()->IsBlocked());
   EXPECT_FALSE(session_.IsConnectionFlowControlBlocked());
@@ -1280,7 +1289,7 @@ TEST_P(QuicSpdySessionTestServer,
        HandshakeUnblocksFlowControlBlockedHeadersStream) {
   // This test depends on stream-level flow control for the crypto stream, which
   // doesn't exist when CRYPTO frames are used.
-  if (QuicVersionUsesCryptoFrames(connection_->transport_version())) {
+  if (QuicVersionUsesCryptoFrames(transport_version())) {
     return;
   }
 
@@ -1341,8 +1350,7 @@ TEST_P(QuicSpdySessionTestServer,
   EXPECT_FALSE(session_.IsStreamFlowControlBlocked());
   EXPECT_TRUE(headers_stream->HasBufferedData());
   EXPECT_TRUE(QuicSessionPeer::IsStreamWriteBlocked(
-      &session_,
-      QuicUtils::GetHeadersStreamId(connection_->transport_version())));
+      &session_, QuicUtils::GetHeadersStreamId(transport_version())));
 }
 #endif  // !defined(OS_IOS)
 
@@ -1566,7 +1574,7 @@ TEST_P(QuicSpdySessionTestServer, FlowControlWithInvalidFinalOffset) {
 }
 
 TEST_P(QuicSpdySessionTestServer, WindowUpdateUnblocksHeadersStream) {
-  if (VersionUsesHttp3(GetParam().transport_version)) {
+  if (VersionUsesHttp3(transport_version())) {
     // The test relies on headers stream, which no longer exists in IETF QUIC.
     return;
   }
@@ -1620,8 +1628,7 @@ TEST_P(QuicSpdySessionTestServer,
       GetNthClientInitiatedBidirectionalId(kMaxStreams);
   // Create kMaxStreams data streams, and close them all without receiving a
   // FIN or a RST_STREAM from the client.
-  const QuicStreamId kNextId =
-      QuicUtils::StreamIdDelta(connection_->transport_version());
+  const QuicStreamId kNextId = QuicUtils::StreamIdDelta(transport_version());
   for (QuicStreamId i = kFirstStreamId; i < kFinalStreamId; i += kNextId) {
     QuicStreamFrame data1(i, false, 0, QuicStringPiece("HT"));
     session_.OnStreamFrame(data1);
@@ -1738,6 +1745,21 @@ TEST_P(QuicSpdySessionTestClient, BadStreamFramePendingStream) {
   session_.OnStreamFrame(data1);
 }
 
+TEST_P(QuicSpdySessionTestClient, PendingStreamKeepsConnectionAlive) {
+  if (!VersionUsesHttp3(transport_version())) {
+    return;
+  }
+
+  QuicStreamId stream_id = QuicUtils::GetFirstUnidirectionalStreamId(
+      transport_version(), Perspective::IS_SERVER);
+
+  QuicStreamFrame frame(stream_id, false, 1, "test");
+  EXPECT_FALSE(session_.ShouldKeepConnectionAlive());
+  session_.OnStreamFrame(frame);
+  EXPECT_TRUE(QuicSessionPeer::GetPendingStream(&session_, stream_id));
+  EXPECT_TRUE(session_.ShouldKeepConnectionAlive());
+}
+
 TEST_P(QuicSpdySessionTestClient, AvailableStreamsClient) {
   ASSERT_TRUE(session_.GetOrCreateStream(
                   GetNthServerInitiatedBidirectionalId(2)) != nullptr);
@@ -1838,21 +1860,17 @@ TEST_P(QuicSpdySessionTestClient, WritePriority) {
 
   QuicStreamSendBuffer& send_buffer =
       QuicStreamPeer::SendBuffer(headers_stream);
-  if (transport_version() > QUIC_VERSION_39) {
-    ASSERT_EQ(1u, send_buffer.size());
-
-    SpdyPriorityIR priority_frame(
-        id, parent_stream_id, Spdy3PriorityToHttp2Weight(priority), exclusive);
-    SpdyFramer spdy_framer(SpdyFramer::ENABLE_COMPRESSION);
-    SpdySerializedFrame frame = spdy_framer.SerializeFrame(priority_frame);
-
-    const QuicMemSlice& slice =
-        QuicStreamSendBufferPeer::CurrentWriteSlice(&send_buffer)->slice;
-    EXPECT_EQ(QuicStringPiece(frame.data(), frame.size()),
-              QuicStringPiece(slice.data(), slice.length()));
-  } else {
-    EXPECT_EQ(0u, send_buffer.size());
-  }
+  ASSERT_EQ(1u, send_buffer.size());
+
+  SpdyPriorityIR priority_frame(
+      id, parent_stream_id, Spdy3PriorityToHttp2Weight(priority), exclusive);
+  SpdyFramer spdy_framer(SpdyFramer::ENABLE_COMPRESSION);
+  SpdySerializedFrame frame = spdy_framer.SerializeFrame(priority_frame);
+
+  const QuicMemSlice& slice =
+      QuicStreamSendBufferPeer::CurrentWriteSlice(&send_buffer)->slice;
+  EXPECT_EQ(QuicStringPiece(frame.data(), frame.size()),
+            QuicStringPiece(slice.data(), slice.length()));
 }
 
 TEST_P(QuicSpdySessionTestClient, Http3ServerPush) {
@@ -1936,7 +1954,6 @@ TEST_P(QuicSpdySessionTestServer, ZombieStreams) {
 }
 
 TEST_P(QuicSpdySessionTestServer, OnStreamFrameLost) {
-  QuicConnectionPeer::SetSessionDecidesWhatToWrite(connection_);
   InSequence s;
 
   // Drive congestion control manually.
@@ -1952,16 +1969,15 @@ TEST_P(QuicSpdySessionTestServer, OnStreamFrameLost) {
 
   // Lost data on cryption stream, streams 2 and 4.
   EXPECT_CALL(*stream4, HasPendingRetransmission()).WillOnce(Return(true));
-  if (!QuicVersionUsesCryptoFrames(connection_->transport_version())) {
+  if (!QuicVersionUsesCryptoFrames(transport_version())) {
     EXPECT_CALL(*crypto_stream, HasPendingRetransmission())
         .WillOnce(Return(true));
   }
   EXPECT_CALL(*stream2, HasPendingRetransmission()).WillOnce(Return(true));
   session_.OnFrameLost(QuicFrame(frame3));
-  if (!QuicVersionUsesCryptoFrames(connection_->transport_version())) {
-    QuicStreamFrame frame1(
-        QuicUtils::GetCryptoStreamId(connection_->transport_version()), false,
-        0, 1300);
+  if (!QuicVersionUsesCryptoFrames(transport_version())) {
+    QuicStreamFrame frame1(QuicUtils::GetCryptoStreamId(transport_version()),
+                           false, 0, 1300);
     session_.OnFrameLost(QuicFrame(frame1));
   } else {
     QuicCryptoFrame crypto_frame(ENCRYPTION_INITIAL, 0, 1300);
@@ -1978,7 +1994,7 @@ TEST_P(QuicSpdySessionTestServer, OnStreamFrameLost) {
   // stream go first.
   // Do not check congestion window when crypto stream has lost data.
   EXPECT_CALL(*send_algorithm, CanSend(_)).Times(0);
-  if (!QuicVersionUsesCryptoFrames(connection_->transport_version())) {
+  if (!QuicVersionUsesCryptoFrames(transport_version())) {
     EXPECT_CALL(*crypto_stream, OnCanWrite());
     EXPECT_CALL(*crypto_stream, HasPendingRetransmission())
         .WillOnce(Return(false));
@@ -2010,7 +2026,14 @@ TEST_P(QuicSpdySessionTestServer, OnStreamFrameLost) {
 }
 
 TEST_P(QuicSpdySessionTestServer, DonotRetransmitDataOfClosedStreams) {
-  QuicConnectionPeer::SetSessionDecidesWhatToWrite(connection_);
+  // Resetting a stream will send a QPACK Stream Cancellation instruction on the
+  // decoder stream.  For simplicity, ignore writes on this stream.
+  NoopQpackStreamSenderDelegate qpack_stream_sender_delegate;
+  if (VersionUsesHttp3(transport_version())) {
+    session_.qpack_decoder()->set_qpack_stream_sender_delegate(
+        &qpack_stream_sender_delegate);
+  }
+
   InSequence s;
 
   TestStream* stream2 = session_.CreateOutgoingBidirectionalStream();
@@ -2050,7 +2073,6 @@ TEST_P(QuicSpdySessionTestServer, DonotRetransmitDataOfClosedStreams) {
 }
 
 TEST_P(QuicSpdySessionTestServer, RetransmitFrames) {
-  QuicConnectionPeer::SetSessionDecidesWhatToWrite(connection_);
   MockSendAlgorithm* send_algorithm = new StrictMock<MockSendAlgorithm>;
   QuicConnectionPeer::SetSendAlgorithm(session_.connection(), send_algorithm);
   InSequence s;
@@ -2290,10 +2312,9 @@ TEST_P(QuicSpdySessionTestServer, StreamClosedWhileHeaderDecodingBlocked) {
   // HEADERS frame referencing first dynamic table entry.
   std::string headers_payload = QuicTextUtils::HexDecode("020080");
   std::unique_ptr<char[]> headers_buffer;
-  HttpEncoder encoder;
   QuicByteCount headers_frame_header_length =
-      encoder.SerializeHeadersFrameHeader(headers_payload.length(),
-                                          &headers_buffer);
+      HttpEncoder::SerializeHeadersFrameHeader(headers_payload.length(),
+                                               &headers_buffer);
   QuicStringPiece headers_frame_header(headers_buffer.get(),
                                        headers_frame_header_length);
   std::string headers = QuicStrCat(headers_frame_header, headers_payload);
@@ -2325,10 +2346,9 @@ TEST_P(QuicSpdySessionTestServer, SessionDestroyedWhileHeaderDecodingBlocked) {
   // HEADERS frame referencing first dynamic table entry.
   std::string headers_payload = QuicTextUtils::HexDecode("020080");
   std::unique_ptr<char[]> headers_buffer;
-  HttpEncoder encoder;
   QuicByteCount headers_frame_header_length =
-      encoder.SerializeHeadersFrameHeader(headers_payload.length(),
-                                          &headers_buffer);
+      HttpEncoder::SerializeHeadersFrameHeader(headers_payload.length(),
+                                               &headers_buffer);
   QuicStringPiece headers_frame_header(headers_buffer.get(),
                                        headers_frame_header_length);
   std::string headers = QuicStrCat(headers_frame_header, headers_payload);
@@ -2384,12 +2404,6 @@ TEST_P(QuicSpdySessionTestClient, ResetAfterInvalidIncomingStreamType) {
                                QUIC_STREAM_CANCELLED,
                                /* bytes_written = */ payload.size());
 
-  // This will trigger the sending of two control frames: one RESET_STREAM with
-  // QUIC_RST_ACKNOWLEDGEMENT, and one STOP_SENDING.
-  EXPECT_CALL(*connection_, SendControlFrame(_))
-      .Times(2)
-      .WillRepeatedly(Invoke(&ClearControlFrame));
-  EXPECT_CALL(*connection_, OnStreamReset(stream_id, QUIC_RST_ACKNOWLEDGEMENT));
   session_.OnRstStream(rst_frame);
 
   // The stream is closed.
@@ -2457,12 +2471,6 @@ TEST_P(QuicSpdySessionTestClient, ResetInMiddleOfStreamType) {
                                QUIC_STREAM_CANCELLED,
                                /* bytes_written = */ payload.size());
 
-  // This will trigger the sending of two control frames: one RESET_STREAM with
-  // QUIC_RST_ACKNOWLEDGEMENT, and one STOP_SENDING.
-  EXPECT_CALL(*connection_, SendControlFrame(_))
-      .Times(2)
-      .WillRepeatedly(Invoke(&ClearControlFrame));
-  EXPECT_CALL(*connection_, OnStreamReset(stream_id, QUIC_RST_ACKNOWLEDGEMENT));
   session_.OnRstStream(rst_frame);
 
   // The stream is closed.
@@ -2567,7 +2575,7 @@ TEST_P(QuicSpdySessionTestClient, EncoderStreamError) {
 
   EXPECT_CALL(
       *connection_,
-      CloseConnection(QUIC_DECOMPRESSION_FAILURE,
+      CloseConnection(QUIC_QPACK_ENCODER_STREAM_ERROR,
                       "Encoder stream error: Invalid relative index.", _));
   session_.OnStreamFrame(frame);
 }
@@ -2588,11 +2596,25 @@ TEST_P(QuicSpdySessionTestClient, DecoderStreamError) {
 
   EXPECT_CALL(
       *connection_,
-      CloseConnection(QUIC_DECOMPRESSION_FAILURE,
+      CloseConnection(QUIC_QPACK_DECODER_STREAM_ERROR,
                       "Decoder stream error: Invalid increment value 0.", _));
   session_.OnStreamFrame(frame);
 }
 
+TEST_P(QuicSpdySessionTestClient, InvalidHttp3GoAway) {
+  if (!VersionUsesHttp3(transport_version())) {
+    return;
+  }
+  EXPECT_CALL(
+      *connection_,
+      CloseConnection(
+          QUIC_INVALID_STREAM_ID,
+          "GOAWAY's last stream id has to point to a request stream", _));
+  QuicStreamId stream_id =
+      GetNthServerInitiatedUnidirectionalStreamId(transport_version(), 0);
+  session_.OnHttp3GoAway(stream_id);
+}
+
 }  // namespace
 }  // namespace test
 }  // namespace quic
diff --git a/chromium/net/third_party/quiche/src/quic/core/http/quic_spdy_stream.cc b/chromium/net/third_party/quiche/src/quic/core/http/quic_spdy_stream.cc
index 5dd9f3a832f..f7a13f62254 100644
--- a/chromium/net/third_party/quiche/src/quic/core/http/quic_spdy_stream.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/http/quic_spdy_stream.cc
@@ -193,6 +193,7 @@ QuicSpdyStream::QuicSpdyStream(QuicStreamId id,
       visitor_(nullptr),
       blocked_on_decoding_headers_(false),
       headers_decompressed_(false),
+      header_list_size_limit_exceeded_(false),
       headers_payload_length_(0),
       trailers_payload_length_(0),
       trailers_decompressed_(false),
@@ -227,6 +228,7 @@ QuicSpdyStream::QuicSpdyStream(PendingStream* pending,
       visitor_(nullptr),
       blocked_on_decoding_headers_(false),
       headers_decompressed_(false),
+      header_list_size_limit_exceeded_(false),
       headers_payload_length_(0),
       trailers_payload_length_(0),
       trailers_decompressed_(false),
@@ -297,7 +299,7 @@ void QuicSpdyStream::WriteOrBufferBody(QuicStringPiece data, bool fin) {
   // Write frame header.
   std::unique_ptr<char[]> buffer;
   QuicByteCount header_length =
-      encoder_.SerializeDataFrameHeader(data.length(), &buffer);
+      HttpEncoder::SerializeDataFrameHeader(data.length(), &buffer);
   unacked_frame_headers_offsets_.Add(
       send_buffer().stream_offset(),
       send_buffer().stream_offset() + header_length);
@@ -310,7 +312,7 @@ void QuicSpdyStream::WriteOrBufferBody(QuicStringPiece data, bool fin) {
   // Write body.
   QUIC_DLOG(INFO) << ENDPOINT << "Stream " << id()
                   << " is writing DATA frame payload of length "
-                  << data.length();
+                  << data.length() << " with fin " << fin;
   WriteOrBufferData(data, fin, nullptr);
 }
 
@@ -358,7 +360,7 @@ void QuicSpdyStream::WritePushPromise(const PushPromiseFrame& frame) {
   DCHECK(VersionUsesHttp3(transport_version()));
   std::unique_ptr<char[]> push_promise_frame_with_id;
   const size_t push_promise_frame_length =
-      encoder_.SerializePushPromiseFrameWithOnlyPushId(
+      HttpEncoder::SerializePushPromiseFrameWithOnlyPushId(
           frame, &push_promise_frame_with_id);
 
   unacked_frame_headers_offsets_.Add(send_buffer().stream_offset(),
@@ -401,7 +403,7 @@ QuicConsumedData QuicSpdyStream::WriteBodySlices(QuicMemSliceSpan slices,
 
   std::unique_ptr<char[]> buffer;
   QuicByteCount header_length =
-      encoder_.SerializeDataFrameHeader(slices.total_length(), &buffer);
+      HttpEncoder::SerializeDataFrameHeader(slices.total_length(), &buffer);
   if (!CanWriteNewDataAfterData(header_length)) {
     return {0, false};
   }
@@ -517,13 +519,13 @@ void QuicSpdyStream::OnStreamHeaderList(bool fin,
                                         size_t frame_len,
                                         const QuicHeaderList& header_list) {
   // TODO(b/134706391): remove |fin| argument.
-  // The headers list avoid infinite buffering by clearing the headers list
-  // if the current headers are too large. So if the list is empty here
-  // then the headers list must have been too large, and the stream should
-  // be reset.
-  // TODO(rch): Use an explicit "headers too large" signal. An empty header list
-  // might be acceptable if it corresponds to a trailing header frame.
-  if (header_list.empty()) {
+  // When using Google QUIC, an empty header list indicates that the size limit
+  // has been exceeded.
+  // When using IETF QUIC, there is an explicit signal from
+  // QpackDecodedHeadersAccumulator.
+  if ((VersionUsesHttp3(transport_version()) &&
+       header_list_size_limit_exceeded_) ||
+      (!VersionUsesHttp3(transport_version()) && header_list.empty())) {
     OnHeadersTooLarge();
     if (IsDoneReading()) {
       return;
@@ -537,26 +539,46 @@ void QuicSpdyStream::OnStreamHeaderList(bool fin,
 }
 
 void QuicSpdyStream::OnHeadersDecoded(QuicHeaderList headers) {
-  blocked_on_decoding_headers_ = false;
-  ProcessDecodedHeaders(headers);
-  // Continue decoding HTTP/3 frames.
-  OnDataAvailable();
+  header_list_size_limit_exceeded_ =
+      qpack_decoded_headers_accumulator_->header_list_size_limit_exceeded();
+  qpack_decoded_headers_accumulator_.reset();
+
+  QuicSpdySession::LogHeaderCompressionRatioHistogram(
+      /* using_qpack = */ true,
+      /* is_sent = */ false, headers.compressed_header_bytes(),
+      headers.uncompressed_header_bytes());
+
+  if (spdy_session_->promised_stream_id() ==
+      QuicUtils::GetInvalidStreamId(session()->transport_version())) {
+    const QuicByteCount frame_length = headers_decompressed_
+                                           ? trailers_payload_length_
+                                           : headers_payload_length_;
+    OnStreamHeaderList(/* fin = */ false, frame_length, headers);
+  } else {
+    spdy_session_->OnHeaderList(headers);
+  }
+
+  if (blocked_on_decoding_headers_) {
+    blocked_on_decoding_headers_ = false;
+    // Continue decoding HTTP/3 frames.
+    OnDataAvailable();
+  }
 }
 
-void QuicSpdyStream::OnHeaderDecodingError() {
-  // TODO(b/124216424): Use HTTP_EXCESSIVE_LOAD or
-  // HTTP_QPACK_DECOMPRESSION_FAILED error code as indicated by
-  // |qpack_decoded_headers_accumulator_|.
-  std::string error_message = QuicStrCat(
-      "Error during async decoding of ",
-      headers_decompressed_ ? "trailers" : "headers", " on stream ", id(), ": ",
-      qpack_decoded_headers_accumulator_->error_message());
-  CloseConnectionWithDetails(QUIC_DECOMPRESSION_FAILURE, error_message);
+void QuicSpdyStream::OnHeaderDecodingError(QuicStringPiece error_message) {
+  qpack_decoded_headers_accumulator_.reset();
+
+  std::string connection_close_error_message = QuicStrCat(
+      "Error decoding ", headers_decompressed_ ? "trailers" : "headers",
+      " on stream ", id(), ": ", error_message);
+  CloseConnectionWithDetails(QUIC_QPACK_DECOMPRESSION_FAILED,
+                             connection_close_error_message);
 }
 
 void QuicSpdyStream::OnHeadersTooLarge() {
   if (VersionUsesHttp3(transport_version())) {
-    // TODO(124216424): Use HTTP_EXCESSIVE_LOAD error code.
+    // TODO(b/124216424): Reset stream with H3_REQUEST_CANCELLED (if client)
+    // or with H3_REQUEST_REJECTED (if server).
     std::string error_message =
         QuicStrCat("Too large headers received on stream ", id());
     CloseConnectionWithDetails(QUIC_HEADERS_STREAM_DATA_DECOMPRESS_FAILURE,
@@ -658,9 +680,12 @@ void QuicSpdyStream::OnPriorityFrame(
 
 void QuicSpdyStream::OnStreamReset(const QuicRstStreamFrame& frame) {
   if (frame.error_code != QUIC_STREAM_NO_ERROR) {
+    // TODO(b/145684124) Call QpackDecoder::OnStreamReset().
+
     QuicStream::OnStreamReset(frame);
     return;
   }
+
   QUIC_DVLOG(1) << ENDPOINT
                 << "Received QUIC_STREAM_NO_ERROR, not discarding response";
   set_rst_received(true);
@@ -669,6 +694,12 @@ void QuicSpdyStream::OnStreamReset(const QuicRstStreamFrame& frame) {
   CloseWriteSide();
 }
 
+void QuicSpdyStream::Reset(QuicRstStreamErrorCode error) {
+  // TODO(b/145684124) Call QpackDecoder::OnStreamReset().
+
+  QuicStream::Reset(error);
+}
+
 void QuicSpdyStream::OnDataAvailable() {
   if (!VersionUsesHttp3(transport_version())) {
     // Sequencer must be blocked until headers are consumed.
@@ -899,18 +930,14 @@ bool QuicSpdyStream::OnHeadersFramePayload(QuicStringPiece payload) {
     headers_payload_length_ += payload.length();
   }
 
-  const bool success = qpack_decoded_headers_accumulator_->Decode(payload);
+  qpack_decoded_headers_accumulator_->Decode(payload);
 
-  sequencer()->MarkConsumed(body_manager_.OnNonBody(payload.size()));
-
-  if (!success) {
-    // TODO(124216424): Use HTTP_QPACK_DECOMPRESSION_FAILED error code.
-    std::string error_message =
-        QuicStrCat("Error decompressing header block on stream ", id(), ": ",
-                   qpack_decoded_headers_accumulator_->error_message());
-    CloseConnectionWithDetails(QUIC_DECOMPRESSION_FAILURE, error_message);
+  // |qpack_decoded_headers_accumulator_| is reset if an error is detected.
+  if (!qpack_decoded_headers_accumulator_) {
     return false;
   }
+
+  sequencer()->MarkConsumed(body_manager_.OnNonBody(payload.size()));
   return true;
 }
 
@@ -918,25 +945,15 @@ bool QuicSpdyStream::OnHeadersFrameEnd() {
   DCHECK(VersionUsesHttp3(transport_version()));
   DCHECK(qpack_decoded_headers_accumulator_);
 
-  auto result = qpack_decoded_headers_accumulator_->EndHeaderBlock();
+  qpack_decoded_headers_accumulator_->EndHeaderBlock();
 
-  if (result == QpackDecodedHeadersAccumulator::Status::kError) {
-    // TODO(124216424): Use HTTP_QPACK_DECOMPRESSION_FAILED error code.
-    std::string error_message =
-        QuicStrCat("Error decompressing header block on stream ", id(), ": ",
-                   qpack_decoded_headers_accumulator_->error_message());
-    CloseConnectionWithDetails(QUIC_DECOMPRESSION_FAILURE, error_message);
-    return false;
-  }
-
-  if (result == QpackDecodedHeadersAccumulator::Status::kBlocked) {
+  // If decoding is complete or an error is detected, then
+  // |qpack_decoded_headers_accumulator_| is already reset.
+  if (qpack_decoded_headers_accumulator_) {
     blocked_on_decoding_headers_ = true;
     return false;
   }
 
-  DCHECK(result == QpackDecodedHeadersAccumulator::Status::kSuccess);
-
-  ProcessDecodedHeaders(qpack_decoded_headers_accumulator_->quic_header_list());
   return !sequencer()->IsClosed() && !reading_stopped();
 }
 
@@ -999,24 +1016,6 @@ bool QuicSpdyStream::OnUnknownFrameEnd() {
   return true;
 }
 
-void QuicSpdyStream::ProcessDecodedHeaders(const QuicHeaderList& headers) {
-  QuicSpdySession::LogHeaderCompressionRatioHistogram(
-      /* using_qpack = */ true,
-      /* is_sent = */ false, headers.compressed_header_bytes(),
-      headers.uncompressed_header_bytes());
-
-  if (spdy_session_->promised_stream_id() ==
-      QuicUtils::GetInvalidStreamId(session()->transport_version())) {
-    const QuicByteCount frame_length = headers_decompressed_
-                                           ? trailers_payload_length_
-                                           : headers_payload_length_;
-    OnStreamHeaderList(/* fin = */ false, frame_length, headers);
-  } else {
-    spdy_session_->OnHeaderList(headers);
-  }
-  qpack_decoded_headers_accumulator_.reset();
-}
-
 size_t QuicSpdyStream::WriteHeadersImpl(
     spdy::SpdyHeaderBlock header_block,
     bool fin,
@@ -1044,8 +1043,8 @@ size_t QuicSpdyStream::WriteHeadersImpl(
   // Write HEADERS frame.
   std::unique_ptr<char[]> headers_frame_header;
   const size_t headers_frame_header_length =
-      encoder_.SerializeHeadersFrameHeader(encoded_headers.size(),
-                                           &headers_frame_header);
+      HttpEncoder::SerializeHeadersFrameHeader(encoded_headers.size(),
+                                               &headers_frame_header);
   unacked_frame_headers_offsets_.Add(
       send_buffer().stream_offset(),
       send_buffer().stream_offset() + headers_frame_header_length);
@@ -1059,7 +1058,7 @@ size_t QuicSpdyStream::WriteHeadersImpl(
 
   QUIC_DLOG(INFO) << ENDPOINT << "Stream " << id()
                   << " is writing HEADERS frame payload of length "
-                  << encoded_headers.length();
+                  << encoded_headers.length() << " with fin " << fin;
   WriteOrBufferData(encoded_headers, fin, nullptr);
 
   QuicSpdySession::LogHeaderCompressionRatioHistogram(
diff --git a/chromium/net/third_party/quiche/src/quic/core/http/quic_spdy_stream.h b/chromium/net/third_party/quiche/src/quic/core/http/quic_spdy_stream.h
index 6da102bd56c..8610dbb1f2d 100644
--- a/chromium/net/third_party/quiche/src/quic/core/http/quic_spdy_stream.h
+++ b/chromium/net/third_party/quiche/src/quic/core/http/quic_spdy_stream.h
@@ -102,6 +102,8 @@ class QUIC_EXPORT_PRIVATE QuicSpdyStream
   // QUIC_STREAM_NO_ERROR.
   void OnStreamReset(const QuicRstStreamFrame& frame) override;
 
+  void Reset(QuicRstStreamErrorCode error) override;
+
   // Called by the sequencer when new data is available. Decodes the data and
   // calls OnBodyAvailable() to pass to the upper layer.
   void OnDataAvailable() override;
@@ -211,11 +213,9 @@ class QUIC_EXPORT_PRIVATE QuicSpdyStream
   // will be available.
   bool IsClosed() { return sequencer()->IsClosed(); }
 
-  using QuicStream::CloseWriteSide;
-
   // QpackDecodedHeadersAccumulator::Visitor implementation.
   void OnHeadersDecoded(QuicHeaderList headers) override;
-  void OnHeaderDecodingError() override;
+  void OnHeaderDecodingError(QuicStringPiece error_message) override;
 
  protected:
   // Called when the received headers are too large. By default this will
@@ -267,9 +267,6 @@ class QUIC_EXPORT_PRIVATE QuicSpdyStream
   bool OnUnknownFramePayload(QuicStringPiece payload);
   bool OnUnknownFrameEnd();
 
-  // Called internally when headers are decoded.
-  void ProcessDecodedHeaders(const QuicHeaderList& headers);
-
   // Given the interval marked by [|offset|, |offset| + |data_length|), return
   // the number of frame header bytes contained in it.
   QuicByteCount GetNumFrameHeadersInInterval(QuicStreamOffset offset,
@@ -286,6 +283,9 @@ class QUIC_EXPORT_PRIVATE QuicSpdyStream
   bool blocked_on_decoding_headers_;
   // True if the headers have been completely decompressed.
   bool headers_decompressed_;
+  // True if uncompressed headers or trailers exceed maximum allowed size
+  // advertised to peer via SETTINGS_MAX_HEADER_LIST_SIZE.
+  bool header_list_size_limit_exceeded_;
   // Contains a copy of the decompressed header (name, value) pairs until they
   // are consumed via Readv.
   QuicHeaderList header_list_;
@@ -305,8 +305,6 @@ class QUIC_EXPORT_PRIVATE QuicSpdyStream
   // The parsed trailers received from the peer.
   spdy::SpdyHeaderBlock received_trailers_;
 
-  // Http encoder for writing streams.
-  HttpEncoder encoder_;
   // Headers accumulator for decoding HEADERS frame payload.
   std::unique_ptr<QpackDecodedHeadersAccumulator>
       qpack_decoded_headers_accumulator_;
diff --git a/chromium/net/third_party/quiche/src/quic/core/http/quic_spdy_stream_body_manager.h b/chromium/net/third_party/quiche/src/quic/core/http/quic_spdy_stream_body_manager.h
index 6b2dd62b02d..1942c261188 100644
--- a/chromium/net/third_party/quiche/src/quic/core/http/quic_spdy_stream_body_manager.h
+++ b/chromium/net/third_party/quiche/src/quic/core/http/quic_spdy_stream_body_manager.h
@@ -77,7 +77,7 @@ class QUIC_EXPORT_PRIVATE QuicSpdyStreamBodyManager {
   // A Fragment instance represents a body fragment with a count of bytes
   // received afterwards but before the next body fragment that can be marked
   // consumed as soon as all of the body fragment is read.
-  struct Fragment {
+  struct QUIC_EXPORT_PRIVATE Fragment {
     // |body| must not be empty.
     QuicStringPiece body;
     // Might be zero.
diff --git a/chromium/net/third_party/quiche/src/quic/core/http/quic_spdy_stream_body_manager_test.cc b/chromium/net/third_party/quiche/src/quic/core/http/quic_spdy_stream_body_manager_test.cc
index 3a5b720d277..10b19f1d668 100644
--- a/chromium/net/third_party/quiche/src/quic/core/http/quic_spdy_stream_body_manager_test.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/http/quic_spdy_stream_body_manager_test.cc
@@ -50,29 +50,29 @@ TEST_F(QuicSpdyStreamBodyManagerTest, ConsumeMoreThanAvailable) {
   EXPECT_EQ(0u, bytes_to_consume);
 }
 
-struct {
-  std::vector<QuicByteCount> frame_header_lengths;
-  std::vector<const char*> frame_payloads;
-  std::vector<QuicByteCount> body_bytes_to_read;
-  std::vector<QuicByteCount> expected_return_values;
-} const kOnBodyConsumedTestData[] = {
-    // One frame consumed in one call.
-    {{2}, {"foobar"}, {6}, {6}},
-    // Two frames consumed in one call.
-    {{3, 5}, {"foobar", "baz"}, {9}, {14}},
-    // One frame consumed in two calls.
-    {{2}, {"foobar"}, {4, 2}, {4, 2}},
-    // Two frames consumed in two calls matching frame boundaries.
-    {{3, 5}, {"foobar", "baz"}, {6, 3}, {11, 3}},
-    // Two frames consumed in two calls,
-    // the first call only consuming part of the first frame.
-    {{3, 5}, {"foobar", "baz"}, {5, 4}, {5, 9}},
-    // Two frames consumed in two calls,
-    // the first call consuming the entire first frame and part of the second.
-    {{3, 5}, {"foobar", "baz"}, {7, 2}, {12, 2}},
-};
-
 TEST_F(QuicSpdyStreamBodyManagerTest, OnBodyConsumed) {
+  struct {
+    std::vector<QuicByteCount> frame_header_lengths;
+    std::vector<const char*> frame_payloads;
+    std::vector<QuicByteCount> body_bytes_to_read;
+    std::vector<QuicByteCount> expected_return_values;
+  } const kOnBodyConsumedTestData[] = {
+      // One frame consumed in one call.
+      {{2}, {"foobar"}, {6}, {6}},
+      // Two frames consumed in one call.
+      {{3, 5}, {"foobar", "baz"}, {9}, {14}},
+      // One frame consumed in two calls.
+      {{2}, {"foobar"}, {4, 2}, {4, 2}},
+      // Two frames consumed in two calls matching frame boundaries.
+      {{3, 5}, {"foobar", "baz"}, {6, 3}, {11, 3}},
+      // Two frames consumed in two calls,
+      // the first call only consuming part of the first frame.
+      {{3, 5}, {"foobar", "baz"}, {5, 4}, {5, 9}},
+      // Two frames consumed in two calls,
+      // the first call consuming the entire first frame and part of the second.
+      {{3, 5}, {"foobar", "baz"}, {7, 2}, {12, 2}},
+  };
+
   for (size_t test_case_index = 0;
        test_case_index < QUIC_ARRAYSIZE(kOnBodyConsumedTestData);
        ++test_case_index) {
@@ -105,26 +105,26 @@ TEST_F(QuicSpdyStreamBodyManagerTest, OnBodyConsumed) {
   }
 }
 
-struct {
-  std::vector<QuicByteCount> frame_header_lengths;
-  std::vector<const char*> frame_payloads;
-  size_t iov_len;
-} const kPeekBodyTestData[] = {
-    // No frames, more iovecs than frames.
-    {{}, {}, 1},
-    // One frame, same number of iovecs.
-    {{3}, {"foobar"}, 1},
-    // One frame, more iovecs than frames.
-    {{3}, {"foobar"}, 2},
-    // Two frames, fewer iovecs than frames.
-    {{3, 5}, {"foobar", "baz"}, 1},
-    // Two frames, same number of iovecs.
-    {{3, 5}, {"foobar", "baz"}, 2},
-    // Two frames, more iovecs than frames.
-    {{3, 5}, {"foobar", "baz"}, 3},
-};
-
 TEST_F(QuicSpdyStreamBodyManagerTest, PeekBody) {
+  struct {
+    std::vector<QuicByteCount> frame_header_lengths;
+    std::vector<const char*> frame_payloads;
+    size_t iov_len;
+  } const kPeekBodyTestData[] = {
+      // No frames, more iovecs than frames.
+      {{}, {}, 1},
+      // One frame, same number of iovecs.
+      {{3}, {"foobar"}, 1},
+      // One frame, more iovecs than frames.
+      {{3}, {"foobar"}, 2},
+      // Two frames, fewer iovecs than frames.
+      {{3, 5}, {"foobar", "baz"}, 1},
+      // Two frames, same number of iovecs.
+      {{3, 5}, {"foobar", "baz"}, 2},
+      // Two frames, more iovecs than frames.
+      {{3, 5}, {"foobar", "baz"}, 3},
+  };
+
   for (size_t test_case_index = 0;
        test_case_index < QUIC_ARRAYSIZE(kPeekBodyTestData); ++test_case_index) {
     const std::vector<QuicByteCount>& frame_header_lengths =
@@ -159,62 +159,65 @@ TEST_F(QuicSpdyStreamBodyManagerTest, PeekBody) {
   }
 }
 
-struct {
-  std::vector<QuicByteCount> frame_header_lengths;
-  std::vector<const char*> frame_payloads;
-  std::vector<std::vector<QuicByteCount>> iov_lengths;
-  std::vector<QuicByteCount> expected_total_bytes_read;
-  std::vector<QuicByteCount> expected_return_values;
-} const kReadBodyTestData[] = {
-    // One frame, one read with smaller iovec.
-    {{4}, {"foo"}, {{2}}, {2}, {2}},
-    // One frame, one read with same size iovec.
-    {{4}, {"foo"}, {{3}}, {3}, {3}},
-    // One frame, one read with larger iovec.
-    {{4}, {"foo"}, {{5}}, {3}, {3}},
-    // One frame, one read with two iovecs, smaller total size.
-    {{4}, {"foobar"}, {{2, 3}}, {5}, {5}},
-    // One frame, one read with two iovecs, same total size.
-    {{4}, {"foobar"}, {{2, 4}}, {6}, {6}},
-    // One frame, one read with two iovecs, larger total size in last iovec.
-    {{4}, {"foobar"}, {{2, 6}}, {6}, {6}},
-    // One frame, one read with extra iovecs, body ends at iovec boundary.
-    {{4}, {"foobar"}, {{2, 4, 4, 3}}, {6}, {6}},
-    // One frame, one read with extra iovecs, body ends not at iovec boundary.
-    {{4}, {"foobar"}, {{2, 7, 4, 3}}, {6}, {6}},
-    // One frame, two reads with two iovecs each, smaller total size.
-    {{4}, {"foobarbaz"}, {{2, 1}, {3, 2}}, {3, 5}, {3, 5}},
-    // One frame, two reads with two iovecs each, same total size.
-    {{4}, {"foobarbaz"}, {{2, 1}, {4, 2}}, {3, 6}, {3, 6}},
-    // One frame, two reads with two iovecs each, larger total size.
-    {{4}, {"foobarbaz"}, {{2, 1}, {4, 10}}, {3, 6}, {3, 6}},
-    // Two frames, one read with smaller iovec.
-    {{4, 3}, {"foobar", "baz"}, {{8}}, {8}, {11}},
-    // Two frames, one read with same size iovec.
-    {{4, 3}, {"foobar", "baz"}, {{9}}, {9}, {12}},
-    // Two frames, one read with larger iovec.
-    {{4, 3}, {"foobar", "baz"}, {{10}}, {9}, {12}},
-    // Two frames, one read with two iovecs, smaller total size.
-    {{4, 3}, {"foobar", "baz"}, {{4, 3}}, {7}, {10}},
-    // Two frames, one read with two iovecs, same total size.
-    {{4, 3}, {"foobar", "baz"}, {{4, 5}}, {9}, {12}},
-    // Two frames, one read with two iovecs, larger total size in last iovec.
-    {{4, 3}, {"foobar", "baz"}, {{4, 6}}, {9}, {12}},
-    // Two frames, one read with extra iovecs, body ends at iovec boundary.
-    {{4, 3}, {"foobar", "baz"}, {{4, 6, 4, 3}}, {9}, {12}},
-    // Two frames, one read with extra iovecs, body ends not at iovec boundary.
-    {{4, 3}, {"foobar", "baz"}, {{4, 7, 4, 3}}, {9}, {12}},
-    // Two frames, two reads with two iovecs each, reads end on frame boundary.
-    {{4, 3}, {"foobar", "baz"}, {{2, 4}, {2, 1}}, {6, 3}, {9, 3}},
-    // Three frames, three reads, extra iovecs, no iovec ends on frame boundary.
-    {{4, 3, 6},
-     {"foobar", "bazquux", "qux"},
-     {{4, 3}, {2, 3}, {5, 3}},
-     {7, 5, 4},
-     {10, 5, 10}},
-};
-
 TEST_F(QuicSpdyStreamBodyManagerTest, ReadBody) {
+  struct {
+    std::vector<QuicByteCount> frame_header_lengths;
+    std::vector<const char*> frame_payloads;
+    std::vector<std::vector<QuicByteCount>> iov_lengths;
+    std::vector<QuicByteCount> expected_total_bytes_read;
+    std::vector<QuicByteCount> expected_return_values;
+  } const kReadBodyTestData[] = {
+      // One frame, one read with smaller iovec.
+      {{4}, {"foo"}, {{2}}, {2}, {2}},
+      // One frame, one read with same size iovec.
+      {{4}, {"foo"}, {{3}}, {3}, {3}},
+      // One frame, one read with larger iovec.
+      {{4}, {"foo"}, {{5}}, {3}, {3}},
+      // One frame, one read with two iovecs, smaller total size.
+      {{4}, {"foobar"}, {{2, 3}}, {5}, {5}},
+      // One frame, one read with two iovecs, same total size.
+      {{4}, {"foobar"}, {{2, 4}}, {6}, {6}},
+      // One frame, one read with two iovecs, larger total size in last iovec.
+      {{4}, {"foobar"}, {{2, 6}}, {6}, {6}},
+      // One frame, one read with extra iovecs, body ends at iovec boundary.
+      {{4}, {"foobar"}, {{2, 4, 4, 3}}, {6}, {6}},
+      // One frame, one read with extra iovecs, body ends not at iovec boundary.
+      {{4}, {"foobar"}, {{2, 7, 4, 3}}, {6}, {6}},
+      // One frame, two reads with two iovecs each, smaller total size.
+      {{4}, {"foobarbaz"}, {{2, 1}, {3, 2}}, {3, 5}, {3, 5}},
+      // One frame, two reads with two iovecs each, same total size.
+      {{4}, {"foobarbaz"}, {{2, 1}, {4, 2}}, {3, 6}, {3, 6}},
+      // One frame, two reads with two iovecs each, larger total size.
+      {{4}, {"foobarbaz"}, {{2, 1}, {4, 10}}, {3, 6}, {3, 6}},
+      // Two frames, one read with smaller iovec.
+      {{4, 3}, {"foobar", "baz"}, {{8}}, {8}, {11}},
+      // Two frames, one read with same size iovec.
+      {{4, 3}, {"foobar", "baz"}, {{9}}, {9}, {12}},
+      // Two frames, one read with larger iovec.
+      {{4, 3}, {"foobar", "baz"}, {{10}}, {9}, {12}},
+      // Two frames, one read with two iovecs, smaller total size.
+      {{4, 3}, {"foobar", "baz"}, {{4, 3}}, {7}, {10}},
+      // Two frames, one read with two iovecs, same total size.
+      {{4, 3}, {"foobar", "baz"}, {{4, 5}}, {9}, {12}},
+      // Two frames, one read with two iovecs, larger total size in last iovec.
+      {{4, 3}, {"foobar", "baz"}, {{4, 6}}, {9}, {12}},
+      // Two frames, one read with extra iovecs, body ends at iovec boundary.
+      {{4, 3}, {"foobar", "baz"}, {{4, 6, 4, 3}}, {9}, {12}},
+      // Two frames, one read with extra iovecs, body ends not at iovec
+      // boundary.
+      {{4, 3}, {"foobar", "baz"}, {{4, 7, 4, 3}}, {9}, {12}},
+      // Two frames, two reads with two iovecs each, reads end on frame
+      // boundary.
+      {{4, 3}, {"foobar", "baz"}, {{2, 4}, {2, 1}}, {6, 3}, {9, 3}},
+      // Three frames, three reads, extra iovecs, no iovec ends on frame
+      // boundary.
+      {{4, 3, 6},
+       {"foobar", "bazquux", "qux"},
+       {{4, 3}, {2, 3}, {5, 3}},
+       {7, 5, 4},
+       {10, 5, 10}},
+  };
+
   for (size_t test_case_index = 0;
        test_case_index < QUIC_ARRAYSIZE(kReadBodyTestData); ++test_case_index) {
     const std::vector<QuicByteCount>& frame_header_lengths =
diff --git a/chromium/net/third_party/quiche/src/quic/core/http/quic_spdy_stream_test.cc b/chromium/net/third_party/quiche/src/quic/core/http/quic_spdy_stream_test.cc
index c545265dd77..62ef3b5015a 100644
--- a/chromium/net/third_party/quiche/src/quic/core/http/quic_spdy_stream_test.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/http/quic_spdy_stream_test.cc
@@ -22,6 +22,7 @@
 #include "net/third_party/quiche/src/quic/platform/api/quic_string_piece.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_test.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_text_utils.h"
+#include "net/third_party/quiche/src/quic/test_tools/qpack/qpack_test_utils.h"
 #include "net/third_party/quiche/src/quic/test_tools/quic_config_peer.h"
 #include "net/third_party/quiche/src/quic/test_tools/quic_flow_controller_peer.h"
 #include "net/third_party/quiche/src/quic/test_tools/quic_session_peer.h"
@@ -231,21 +232,31 @@ class QuicSpdyStreamTest : public QuicTestWithParam<ParsedQuicVersion> {
       auto send_control_stream =
           QuicSpdySessionPeer::GetSendControlStream(session_.get());
       // The control stream will write 3 times, including stream type, settings
-      // frame, priority for headers.
+      // frame and max push id, priority for headers.
+      int num_control_stream_writes = 2;
+      if (session_->perspective() == Perspective::IS_CLIENT) {
+        // The control stream also writes the max push id frame.
+        num_control_stream_writes++;
+      }
       EXPECT_CALL(*session_, WritevData(send_control_stream,
                                         send_control_stream->id(), _, _, _))
-          .Times(2);
-      auto qpack_encoder_stream =
-          QuicSpdySessionPeer::GetQpackEncoderSendStream(session_.get());
-      EXPECT_CALL(*session_, WritevData(qpack_encoder_stream,
-                                        qpack_encoder_stream->id(), 1, 0, _));
+          .Times(num_control_stream_writes);
       auto qpack_decoder_stream =
           QuicSpdySessionPeer::GetQpackDecoderSendStream(session_.get());
       EXPECT_CALL(*session_, WritevData(qpack_decoder_stream,
                                         qpack_decoder_stream->id(), 1, 0, _));
+      auto qpack_encoder_stream =
+          QuicSpdySessionPeer::GetQpackEncoderSendStream(session_.get());
+      EXPECT_CALL(*session_, WritevData(qpack_encoder_stream,
+                                        qpack_encoder_stream->id(), 1, 0, _));
+    }
+    if (session_->use_handshake_delegate()) {
+      static_cast<QuicSession*>(session_.get())
+          ->SetDefaultEncryptionLevel(ENCRYPTION_ZERO_RTT);
+    } else {
+      static_cast<QuicSession*>(session_.get())
+          ->OnCryptoHandshakeEvent(QuicSession::ENCRYPTION_ESTABLISHED);
     }
-    static_cast<QuicSession*>(session_.get())
-        ->OnCryptoHandshakeEvent(QuicSession::ENCRYPTION_ESTABLISHED);
   }
 
   QuicHeaderList ProcessHeaders(bool fin, const SpdyHeaderBlock& headers) {
@@ -280,7 +291,8 @@ class QuicSpdyStreamTest : public QuicTestWithParam<ParsedQuicVersion> {
   std::string HeadersFrame(QuicStringPiece payload) {
     std::unique_ptr<char[]> headers_buffer;
     QuicByteCount headers_frame_header_length =
-        encoder_.SerializeHeadersFrameHeader(payload.length(), &headers_buffer);
+        HttpEncoder::SerializeHeadersFrameHeader(payload.length(),
+                                                 &headers_buffer);
     QuicStringPiece headers_frame_header(headers_buffer.get(),
                                          headers_frame_header_length);
     return QuicStrCat(headers_frame_header, payload);
@@ -289,7 +301,7 @@ class QuicSpdyStreamTest : public QuicTestWithParam<ParsedQuicVersion> {
   std::string DataFrame(QuicStringPiece payload) {
     std::unique_ptr<char[]> data_buffer;
     QuicByteCount data_frame_header_length =
-        encoder_.SerializeDataFrameHeader(payload.length(), &data_buffer);
+        HttpEncoder::SerializeDataFrameHeader(payload.length(), &data_buffer);
     QuicStringPiece data_frame_header(data_buffer.get(),
                                       data_frame_header_length);
     return QuicStrCat(data_frame_header, payload);
@@ -323,8 +335,6 @@ class QuicSpdyStreamTest : public QuicTestWithParam<ParsedQuicVersion> {
   TestStream* stream2_;
 
   SpdyHeaderBlock headers_;
-
-  HttpEncoder encoder_;
 };
 
 INSTANTIATE_TEST_SUITE_P(Tests,
@@ -346,29 +356,36 @@ TEST_P(QuicSpdyStreamTest, ProcessHeaderList) {
 TEST_P(QuicSpdyStreamTest, ProcessTooLargeHeaderList) {
   Initialize(kShouldProcessData);
 
-  QuicHeaderList headers;
-  stream_->OnStreamHeadersPriority(
-      spdy::SpdyStreamPrecedence(kV3HighestPriority));
-
-  const bool version_uses_qpack =
-      VersionUsesHttp3(GetParam().transport_version);
+  if (!UsesHttp3()) {
+    QuicHeaderList headers;
+    stream_->OnStreamHeadersPriority(
+        spdy::SpdyStreamPrecedence(kV3HighestPriority));
 
-  if (version_uses_qpack) {
-    EXPECT_CALL(
-        *connection_,
-        CloseConnection(
-            QUIC_HEADERS_STREAM_DATA_DECOMPRESS_FAILURE,
-            MatchesRegex("Too large headers received on stream \\d+"), _));
-  } else {
     EXPECT_CALL(*session_,
                 SendRstStream(stream_->id(), QUIC_HEADERS_TOO_LARGE, 0));
-  }
+    stream_->OnStreamHeaderList(false, 1 << 20, headers);
 
-  stream_->OnStreamHeaderList(false, 1 << 20, headers);
+    EXPECT_THAT(stream_->stream_error(), IsStreamError(QUIC_HEADERS_TOO_LARGE));
 
-  if (!version_uses_qpack) {
-    EXPECT_EQ(QUIC_HEADERS_TOO_LARGE, stream_->stream_error());
+    return;
   }
+
+  // Header list size includes 32 bytes for overhead per header field.
+  session_->set_max_inbound_header_list_size(40);
+  std::string headers =
+      HeadersFrame({std::make_pair("foo", "too long headers")});
+
+  QuicStreamFrame frame(stream_->id(), false, 0, headers);
+
+  EXPECT_CALL(
+      *connection_,
+      CloseConnection(QUIC_HEADERS_STREAM_DATA_DECOMPRESS_FAILURE,
+                      MatchesRegex("Too large headers received on stream \\d+"),
+                      _));
+
+  stream_->OnStreamFrame(frame);
+
+  EXPECT_TRUE(stream_->header_list().empty());
 }
 
 TEST_P(QuicSpdyStreamTest, ProcessHeaderListWithFin) {
@@ -386,7 +403,7 @@ TEST_P(QuicSpdyStreamTest, ProcessHeaderListWithFin) {
   EXPECT_EQ("", stream_->data());
   EXPECT_FALSE(stream_->header_list().empty());
   EXPECT_FALSE(stream_->IsDoneReading());
-  EXPECT_TRUE(stream_->HasFinalReceivedByteOffset());
+  EXPECT_TRUE(stream_->HasReceivedFinalOffset());
 }
 
 // A valid status code should be 3-digit integer. The first digit should be in
@@ -469,7 +486,8 @@ TEST_P(QuicSpdyStreamTest, ProcessWrongFramesOnSpdyStream) {
   GoAwayFrame goaway;
   goaway.stream_id = 0x1;
   std::unique_ptr<char[]> buffer;
-  QuicByteCount header_length = encoder_.SerializeGoAwayFrame(goaway, &buffer);
+  QuicByteCount header_length =
+      HttpEncoder::SerializeGoAwayFrame(goaway, &buffer);
   std::string data = std::string(buffer.get(), header_length);
 
   EXPECT_EQ("", stream_->data());
@@ -763,7 +781,8 @@ TEST_P(QuicSpdyStreamTest, StreamFlowControlNoWindowUpdateIfNotConsumed) {
 
   if (UsesHttp3()) {
     std::unique_ptr<char[]> buffer;
-    header_length = encoder_.SerializeDataFrameHeader(body.length(), &buffer);
+    header_length =
+        HttpEncoder::SerializeDataFrameHeader(body.length(), &buffer);
     std::string header = std::string(buffer.get(), header_length);
     data = header + body;
   } else {
@@ -812,7 +831,8 @@ TEST_P(QuicSpdyStreamTest, StreamFlowControlWindowUpdate) {
 
   if (UsesHttp3()) {
     std::unique_ptr<char[]> buffer;
-    header_length = encoder_.SerializeDataFrameHeader(body.length(), &buffer);
+    header_length =
+        HttpEncoder::SerializeDataFrameHeader(body.length(), &buffer);
     std::string header = std::string(buffer.get(), header_length);
     data = header + body;
   } else {
@@ -882,12 +902,13 @@ TEST_P(QuicSpdyStreamTest, ConnectionFlowControlWindowUpdate) {
   if (UsesHttp3()) {
     body = std::string(kWindow / 4 - 2, 'a');
     std::unique_ptr<char[]> buffer;
-    header_length = encoder_.SerializeDataFrameHeader(body.length(), &buffer);
+    header_length =
+        HttpEncoder::SerializeDataFrameHeader(body.length(), &buffer);
     std::string header = std::string(buffer.get(), header_length);
     data = header + body;
     std::unique_ptr<char[]> buffer2;
     QuicByteCount header_length2 =
-        encoder_.SerializeDataFrameHeader(body2.length(), &buffer2);
+        HttpEncoder::SerializeDataFrameHeader(body2.length(), &buffer2);
     std::string header2 = std::string(buffer2.get(), header_length2);
     data2 = header2 + body2;
   } else {
@@ -1023,7 +1044,7 @@ TEST_P(QuicSpdyStreamTest, ReceivingTrailersViaHeaderList) {
   trailers_block["key2"] = "value2";
   trailers_block["key3"] = "value3";
   SpdyHeaderBlock trailers_block_with_final_offset = trailers_block.Clone();
-  if (!VersionUsesHttp3(GetParam().transport_version)) {
+  if (!UsesHttp3()) {
     // :final-offset pseudo-header is only added if trailers are sent
     // on the headers stream.
     trailers_block_with_final_offset[kFinalOffsetHeaderKey] = "0";
@@ -1051,7 +1072,7 @@ TEST_P(QuicSpdyStreamTest, ReceivingTrailersViaHeaderList) {
 TEST_P(QuicSpdyStreamTest, ReceivingTrailersWithOffset) {
   // kFinalOffsetHeaderKey is not used when HEADERS are sent on the
   // request/response stream.
-  if (VersionUsesHttp3(GetParam().transport_version)) {
+  if (UsesHttp3()) {
     return;
   }
 
@@ -1098,7 +1119,7 @@ TEST_P(QuicSpdyStreamTest, ReceivingTrailersWithOffset) {
 TEST_P(QuicSpdyStreamTest, ReceivingTrailersWithoutOffset) {
   // kFinalOffsetHeaderKey is not used when HEADERS are sent on the
   // request/response stream.
-  if (VersionUsesHttp3(GetParam().transport_version)) {
+  if (UsesHttp3()) {
     return;
   }
 
@@ -1130,7 +1151,7 @@ TEST_P(QuicSpdyStreamTest, ReceivingTrailersWithoutOffset) {
 TEST_P(QuicSpdyStreamTest, ReceivingTrailersWithoutFin) {
   // In IETF QUIC, there is no such thing as FIN flag on HTTP/3 frames like the
   // HEADERS frame.
-  if (VersionUsesHttp3(GetParam().transport_version)) {
+  if (UsesHttp3()) {
     return;
   }
 
@@ -1161,7 +1182,7 @@ TEST_P(QuicSpdyStreamTest, ReceivingTrailersAfterHeadersWithFin) {
   // If HEADERS frames are sent on the request/response stream, then the
   // sequencer will signal an error if any stream data arrives after a FIN,
   // so QuicSpdyStream does not need to.
-  if (VersionUsesHttp3(GetParam().transport_version)) {
+  if (UsesHttp3()) {
     return;
   }
 
@@ -1183,7 +1204,7 @@ TEST_P(QuicSpdyStreamTest, ReceivingTrailersAfterBodyWithFin) {
   // If HEADERS frames are sent on the request/response stream,
   // then the sequencer will block them from reaching QuicSpdyStream
   // after the stream is closed.
-  if (VersionUsesHttp3(GetParam().transport_version)) {
+  if (UsesHttp3()) {
     return;
   }
 
@@ -1233,7 +1254,7 @@ TEST_P(QuicSpdyStreamTest, ClosingStreamWithNoTrailers) {
 TEST_P(QuicSpdyStreamTest, WritingTrailersSendsAFin) {
   Initialize(kShouldProcessData);
 
-  if (VersionUsesHttp3(GetParam().transport_version)) {
+  if (UsesHttp3()) {
     // In this case, TestStream::WriteHeadersImpl() does not prevent writes.
     EXPECT_CALL(*session_, WritevData(stream_, stream_->id(), _, _, _))
         .Times(AtLeast(1));
@@ -1253,9 +1274,10 @@ TEST_P(QuicSpdyStreamTest, WritingTrailersSendsAFin) {
 
 TEST_P(QuicSpdyStreamTest, ClientWritesPriority) {
   SetQuicFlag(FLAGS_quic_allow_http3_priority, true);
+  SetQuicReloadableFlag(quic_send_max_push_id_with_settings, true);
   InitializeWithPerspective(kShouldProcessData, Perspective::IS_CLIENT);
 
-  if (VersionUsesHttp3(GetParam().transport_version)) {
+  if (UsesHttp3()) {
     // In this case, TestStream::WriteHeadersImpl() does not prevent writes.
     // Six writes include priority for headers, headers frame header, headers
     // frame, priority of trailers, trailing headers frame header, and trailers.
@@ -1263,7 +1285,8 @@ TEST_P(QuicSpdyStreamTest, ClientWritesPriority) {
         .Times(4);
     auto send_control_stream =
         QuicSpdySessionPeer::GetSendControlStream(session_.get());
-    // The control stream will write priority for headers.
+    // The control stream will write priority for headers as well as
+    // the settings/max_push_id.
     EXPECT_CALL(*session_, WritevData(send_control_stream,
                                       send_control_stream->id(), _, _, _))
         .Times(1);
@@ -1286,7 +1309,7 @@ TEST_P(QuicSpdyStreamTest, ClientWritesPriority) {
 TEST_P(QuicSpdyStreamTest, WritingTrailersFinalOffset) {
   Initialize(kShouldProcessData);
 
-  if (VersionUsesHttp3(GetParam().transport_version)) {
+  if (UsesHttp3()) {
     // In this case, TestStream::WriteHeadersImpl() does not prevent writes.
     EXPECT_CALL(*session_, WritevData(stream_, stream_->id(), _, _, _))
         .Times(AtLeast(1));
@@ -1302,7 +1325,7 @@ TEST_P(QuicSpdyStreamTest, WritingTrailersFinalOffset) {
   QuicByteCount header_length = 0;
   if (UsesHttp3()) {
     std::unique_ptr<char[]> buf;
-    header_length = encoder_.SerializeDataFrameHeader(body.length(), &buf);
+    header_length = HttpEncoder::SerializeDataFrameHeader(body.length(), &buf);
   }
 
   stream_->WriteOrBufferBody(body, false);
@@ -1315,7 +1338,7 @@ TEST_P(QuicSpdyStreamTest, WritingTrailersFinalOffset) {
   SpdyHeaderBlock expected_trailers(trailers.Clone());
   // :final-offset pseudo-header is only added if trailers are sent
   // on the headers stream.
-  if (!VersionUsesHttp3(GetParam().transport_version)) {
+  if (!UsesHttp3()) {
     expected_trailers[kFinalOffsetHeaderKey] =
         QuicTextUtils::Uint64ToString(body.length() + header_length);
   }
@@ -1357,7 +1380,7 @@ TEST_P(QuicSpdyStreamTest, WritingTrailersWithQueuedBytes) {
   // This test exercises sending trailers on the headers stream while data is
   // still queued on the response/request stream.  In IETF QUIC, data and
   // trailers are sent on the same stream, so this test does not apply.
-  if (VersionUsesHttp3(GetParam().transport_version)) {
+  if (UsesHttp3()) {
     return;
   }
 
@@ -1416,7 +1439,7 @@ TEST_P(QuicSpdyStreamTest, WritingTrailersAfterFIN) {
 
 TEST_P(QuicSpdyStreamTest, HeaderStreamNotiferCorrespondingSpdyStream) {
   // There is no headers stream if QPACK is used.
-  if (VersionUsesHttp3(GetParam().transport_version)) {
+  if (UsesHttp3()) {
     return;
   }
 
@@ -1652,10 +1675,11 @@ TEST_P(QuicSpdyStreamTest, HeadersAckNotReportedWriteOrBufferBody) {
 
   std::unique_ptr<char[]> buffer;
   QuicByteCount header_length =
-      encoder_.SerializeDataFrameHeader(body.length(), &buffer);
+      HttpEncoder::SerializeDataFrameHeader(body.length(), &buffer);
   std::string header = std::string(buffer.get(), header_length);
 
-  header_length = encoder_.SerializeDataFrameHeader(body2.length(), &buffer);
+  header_length =
+      HttpEncoder::SerializeDataFrameHeader(body2.length(), &buffer);
   std::string header2 = std::string(buffer.get(), header_length);
 
   EXPECT_CALL(*mock_ack_listener, OnPacketAcked(body.length(), _));
@@ -1748,7 +1772,7 @@ TEST_P(QuicSpdyStreamTest, HeaderBytesNotReportedOnRetransmission) {
 }
 
 TEST_P(QuicSpdyStreamTest, HeadersFrameOnRequestStream) {
-  if (!VersionUsesHttp3(GetParam().transport_version)) {
+  if (!UsesHttp3()) {
     return;
   }
 
@@ -1776,7 +1800,7 @@ TEST_P(QuicSpdyStreamTest, HeadersFrameOnRequestStream) {
 }
 
 TEST_P(QuicSpdyStreamTest, ProcessBodyAfterTrailers) {
-  if (!VersionUsesHttp3(GetParam().transport_version)) {
+  if (!UsesHttp3()) {
     return;
   }
 
@@ -1820,7 +1844,7 @@ TEST_P(QuicSpdyStreamTest, ProcessBodyAfterTrailers) {
 // normal body. Make sure the http decoder stops processing body after the
 // connection shuts down.
 TEST_P(QuicSpdyStreamTest, MalformedHeadersStopHttpDecoder) {
-  if (!VersionUsesHttp3(GetParam().transport_version)) {
+  if (!UsesHttp3()) {
     return;
   }
 
@@ -1839,11 +1863,10 @@ TEST_P(QuicSpdyStreamTest, MalformedHeadersStopHttpDecoder) {
 
   EXPECT_CALL(
       *connection_,
-      CloseConnection(
-          QUIC_DECOMPRESSION_FAILURE,
-          MatchesRegex("Error decompressing header block on stream \\d+: "
-                       "Incomplete header block."),
-          _))
+      CloseConnection(QUIC_QPACK_DECOMPRESSION_FAILED,
+                      MatchesRegex("Error decoding headers on stream \\d+: "
+                                   "Incomplete header block."),
+                      _))
       .WillOnce(
           (Invoke([this](QuicErrorCode error, const std::string& error_details,
                          ConnectionCloseBehavior connection_close_behavior) {
@@ -1861,8 +1884,50 @@ TEST_P(QuicSpdyStreamTest, MalformedHeadersStopHttpDecoder) {
   stream_->OnStreamFrame(frame);
 }
 
+// Regression test for https://crbug.com/1027895: a HEADERS frame triggers an
+// error in QuicSpdyStream::OnHeadersFramePayload().  This closes the
+// connection, freeing the buffer of QuicStreamSequencer.  Therefore
+// QuicStreamSequencer::MarkConsumed() must not be called from
+// QuicSpdyStream::OnHeadersFramePayload().
+TEST_P(QuicSpdyStreamTest, DoNotMarkConsumedAfterQpackDecodingError) {
+  if (!UsesHttp3()) {
+    return;
+  }
+
+  Initialize(kShouldProcessData);
+  connection_->AdvanceTime(QuicTime::Delta::FromSeconds(1));
+
+  testing::InSequence s;
+  EXPECT_CALL(
+      *connection_,
+      CloseConnection(QUIC_QPACK_DECOMPRESSION_FAILED,
+                      MatchesRegex("Error decoding headers on stream \\d+: "
+                                   "Invalid relative index."),
+                      _))
+      .WillOnce(
+          (Invoke([this](QuicErrorCode error, const std::string& error_details,
+                         ConnectionCloseBehavior connection_close_behavior) {
+            connection_->ReallyCloseConnection(error, error_details,
+                                               connection_close_behavior);
+          })));
+  EXPECT_CALL(*connection_, SendConnectionClosePacket(_, _));
+  EXPECT_CALL(*session_, OnConnectionClosed(_, _))
+      .WillOnce(Invoke([this](const QuicConnectionCloseFrame& frame,
+                              ConnectionCloseSource source) {
+        session_->ReallyOnConnectionClosed(frame, source);
+      }));
+  EXPECT_CALL(*session_, SendRstStream(stream_->id(), _, _));
+  EXPECT_CALL(*session_, SendRstStream(stream2_->id(), _, _));
+
+  // Invalid headers: Required Insert Count is zero, but the header block
+  // contains a dynamic table reference.
+  std::string headers = HeadersFrame(QuicTextUtils::HexDecode("000080"));
+  QuicStreamFrame frame(stream_->id(), false, 0, headers);
+  stream_->OnStreamFrame(frame);
+}
+
 TEST_P(QuicSpdyStreamTest, ImmediateHeaderDecodingWithDynamicTableEntries) {
-  if (!VersionUsesHttp3(GetParam().transport_version)) {
+  if (!UsesHttp3()) {
     return;
   }
 
@@ -1917,7 +1982,7 @@ TEST_P(QuicSpdyStreamTest, ImmediateHeaderDecodingWithDynamicTableEntries) {
 }
 
 TEST_P(QuicSpdyStreamTest, BlockedHeaderDecoding) {
-  if (!VersionUsesHttp3(GetParam().transport_version)) {
+  if (!UsesHttp3()) {
     return;
   }
 
@@ -1974,7 +2039,7 @@ TEST_P(QuicSpdyStreamTest, BlockedHeaderDecoding) {
 }
 
 TEST_P(QuicSpdyStreamTest, AsyncErrorDecodingHeaders) {
-  if (!VersionUsesHttp3(GetParam().transport_version)) {
+  if (!UsesHttp3()) {
     return;
   }
 
@@ -1993,11 +2058,10 @@ TEST_P(QuicSpdyStreamTest, AsyncErrorDecodingHeaders) {
 
   EXPECT_CALL(
       *connection_,
-      CloseConnection(
-          QUIC_DECOMPRESSION_FAILURE,
-          MatchesRegex("Error during async decoding of headers on stream \\d+: "
-                       "Required Insert Count too large."),
-          ConnectionCloseBehavior::SEND_CONNECTION_CLOSE_PACKET));
+      CloseConnection(QUIC_QPACK_DECOMPRESSION_FAILED,
+                      MatchesRegex("Error decoding headers on stream \\d+: "
+                                   "Required Insert Count too large."),
+                      ConnectionCloseBehavior::SEND_CONNECTION_CLOSE_PACKET));
 
   // Deliver two dynamic table entries to decoder
   // to trigger decoding of header block.
@@ -2005,8 +2069,37 @@ TEST_P(QuicSpdyStreamTest, AsyncErrorDecodingHeaders) {
   session_->qpack_decoder()->OnInsertWithoutNameReference("foo", "bar");
 }
 
+// Regression test for https://crbug.com/1024263 and for
+// https://crbug.com/1025209#c11.
+TEST_P(QuicSpdyStreamTest, BlockedHeaderDecodingUnblockedWithBufferedError) {
+  if (!UsesHttp3()) {
+    return;
+  }
+
+  Initialize(kShouldProcessData);
+  session_->qpack_decoder()->OnSetDynamicTableCapacity(1024);
+
+  // Relative index 2 is invalid because it is larger than or equal to the Base.
+  std::string headers = HeadersFrame(QuicTextUtils::HexDecode("020082"));
+  stream_->OnStreamFrame(QuicStreamFrame(stream_->id(), false, 0, headers));
+
+  // Decoding is blocked.
+  EXPECT_FALSE(stream_->headers_decompressed());
+
+  EXPECT_CALL(
+      *connection_,
+      CloseConnection(QUIC_QPACK_DECOMPRESSION_FAILED,
+                      MatchesRegex("Error decoding headers on stream \\d+: "
+                                   "Invalid relative index."),
+                      ConnectionCloseBehavior::SEND_CONNECTION_CLOSE_PACKET));
+
+  // Deliver one dynamic table entry to decoder
+  // to trigger decoding of header block.
+  session_->qpack_decoder()->OnInsertWithoutNameReference("foo", "bar");
+}
+
 TEST_P(QuicSpdyStreamTest, AsyncErrorDecodingTrailers) {
-  if (!VersionUsesHttp3(GetParam().transport_version)) {
+  if (!UsesHttp3()) {
     return;
   }
 
@@ -2053,13 +2146,12 @@ TEST_P(QuicSpdyStreamTest, AsyncErrorDecodingTrailers) {
   // Insert Count value advertised in the header block prefix.
   EXPECT_FALSE(stream_->trailers_decompressed());
 
-  EXPECT_CALL(*connection_,
-              CloseConnection(
-                  QUIC_DECOMPRESSION_FAILURE,
-                  MatchesRegex(
-                      "Error during async decoding of trailers on stream \\d+: "
-                      "Required Insert Count too large."),
-                  ConnectionCloseBehavior::SEND_CONNECTION_CLOSE_PACKET));
+  EXPECT_CALL(
+      *connection_,
+      CloseConnection(QUIC_QPACK_DECOMPRESSION_FAILED,
+                      MatchesRegex("Error decoding trailers on stream \\d+: "
+                                   "Required Insert Count too large."),
+                      ConnectionCloseBehavior::SEND_CONNECTION_CLOSE_PACKET));
 
   // Deliver second dynamic table entry to decoder
   // to trigger decoding of trailing header block.
@@ -2116,7 +2208,7 @@ INSTANTIATE_TEST_SUITE_P(Tests,
 // Test that stream bytes are consumed (by calling
 // sequencer()->MarkConsumed()) incrementally, as soon as possible.
 TEST_P(QuicSpdyStreamIncrementalConsumptionTest, OnlyKnownFrames) {
-  if (!VersionUsesHttp3(GetParam().transport_version)) {
+  if (!UsesHttp3()) {
     return;
   }
 
@@ -2175,7 +2267,7 @@ TEST_P(QuicSpdyStreamIncrementalConsumptionTest, OnlyKnownFrames) {
 }
 
 TEST_P(QuicSpdyStreamIncrementalConsumptionTest, UnknownFramesInterleaved) {
-  if (!VersionUsesHttp3(GetParam().transport_version)) {
+  if (!UsesHttp3()) {
     return;
   }
 
@@ -2268,9 +2360,8 @@ TEST_P(QuicSpdyStreamTest, PushPromiseOnDataStream) {
   push_promise.push_id = 0x01;
   push_promise.headers = headers;
   std::unique_ptr<char[]> buffer;
-  HttpEncoder encoder;
-  uint64_t length =
-      encoder.SerializePushPromiseFrameWithOnlyPushId(push_promise, &buffer);
+  uint64_t length = HttpEncoder::SerializePushPromiseFrameWithOnlyPushId(
+      push_promise, &buffer);
   std::string data = std::string(buffer.get(), length) + headers;
   QuicStreamFrame frame(stream_->id(), false, 0, data);
 
@@ -2282,7 +2373,7 @@ TEST_P(QuicSpdyStreamTest, PushPromiseOnDataStream) {
 
 // Close connection if a DATA frame is received before a HEADERS frame.
 TEST_P(QuicSpdyStreamTest, DataBeforeHeaders) {
-  if (!VersionUsesHttp3(GetParam().transport_version)) {
+  if (!UsesHttp3()) {
     return;
   }
 
@@ -2304,7 +2395,7 @@ TEST_P(QuicSpdyStreamTest, DataBeforeHeaders) {
 
 // Close connection if a HEADERS frame is received after the trailing HEADERS.
 TEST_P(QuicSpdyStreamTest, TrailersAfterTrailers) {
-  if (!VersionUsesHttp3(GetParam().transport_version)) {
+  if (!UsesHttp3()) {
     return;
   }
 
@@ -2357,7 +2448,7 @@ TEST_P(QuicSpdyStreamTest, TrailersAfterTrailers) {
 // Regression test for https://crbug.com/978733.
 // Close connection if a DATA frame is received after the trailing HEADERS.
 TEST_P(QuicSpdyStreamTest, DataAfterTrailers) {
-  if (!VersionUsesHttp3(GetParam().transport_version)) {
+  if (!UsesHttp3()) {
     return;
   }
 
@@ -2407,7 +2498,7 @@ TEST_P(QuicSpdyStreamTest, DataAfterTrailers) {
 // SETTINGS frames are invalid on bidirectional streams.  If one is received,
 // the connection is closed.  No more data should be processed.
 TEST_P(QuicSpdyStreamTest, StopProcessingIfConnectionClosed) {
-  if (!VersionUsesHttp3(GetParam().transport_version)) {
+  if (!UsesHttp3()) {
     return;
   }
 
@@ -2438,6 +2529,45 @@ TEST_P(QuicSpdyStreamTest, StopProcessingIfConnectionClosed) {
   EXPECT_EQ(0u, stream_->sequencer()->NumBytesConsumed());
 }
 
+// Stream Cancellation instruction is sent on QPACK decoder stream
+// when stream is reset.
+// TODO(b/145684124) Re-enable.
+TEST_P(QuicSpdyStreamTest, DISABLED_StreamCancellationWhenStreamReset) {
+  if (!UsesHttp3()) {
+    return;
+  }
+
+  Initialize(kShouldProcessData);
+
+  auto qpack_decoder_stream =
+      QuicSpdySessionPeer::GetQpackDecoderSendStream(session_.get());
+  EXPECT_CALL(*session_, WritevData(qpack_decoder_stream,
+                                    qpack_decoder_stream->id(), 1, 1, _));
+  EXPECT_CALL(*session_,
+              SendRstStream(stream_->id(), QUIC_STREAM_CANCELLED, 0));
+
+  stream_->Reset(QUIC_STREAM_CANCELLED);
+}
+
+// Stream Cancellation instruction is sent on QPACK decoder stream
+// when RESET_STREAM frame is received.
+// TODO(b/145684124) Re-enable.
+TEST_P(QuicSpdyStreamTest, DISABLED_StreamCancellationOnResetReceived) {
+  if (!UsesHttp3()) {
+    return;
+  }
+
+  Initialize(kShouldProcessData);
+
+  auto qpack_decoder_stream =
+      QuicSpdySessionPeer::GetQpackDecoderSendStream(session_.get());
+  EXPECT_CALL(*session_, WritevData(qpack_decoder_stream,
+                                    qpack_decoder_stream->id(), 1, 1, _));
+
+  stream_->OnStreamReset(QuicRstStreamFrame(
+      kInvalidControlFrameId, stream_->id(), QUIC_STREAM_CANCELLED, 0));
+}
+
 }  // namespace
 }  // namespace test
 }  // namespace quic
diff --git a/chromium/net/third_party/quiche/src/quic/core/http/spdy_server_push_utils_test.cc b/chromium/net/third_party/quiche/src/quic/core/http/spdy_server_push_utils_test.cc
index 72d4a25ed13..0f6ec8a6287 100644
--- a/chromium/net/third_party/quiche/src/quic/core/http/spdy_server_push_utils_test.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/http/spdy_server_push_utils_test.cc
@@ -13,8 +13,6 @@
 #include "net/third_party/quiche/src/quic/platform/api/quic_text_utils.h"
 
 using spdy::SpdyHeaderBlock;
-using testing::Pair;
-using testing::UnorderedElementsAre;
 
 namespace quic {
 namespace test {
diff --git a/chromium/net/third_party/quiche/src/quic/core/packet_number_indexed_queue.h b/chromium/net/third_party/quiche/src/quic/core/packet_number_indexed_queue.h
index 695ff7d91ec..470a58c1f11 100644
--- a/chromium/net/third_party/quiche/src/quic/core/packet_number_indexed_queue.h
+++ b/chromium/net/third_party/quiche/src/quic/core/packet_number_indexed_queue.h
@@ -35,7 +35,7 @@ namespace quic {
 // Because of that, it is not a general-purpose container and should not be used
 // as one.
 template <typename T>
-class PacketNumberIndexedQueue {
+class QUIC_NO_EXPORT PacketNumberIndexedQueue {
  public:
   PacketNumberIndexedQueue() : number_of_present_entries_(0) {}
 
@@ -86,7 +86,7 @@ class PacketNumberIndexedQueue {
 
  private:
   // Wrapper around T used to mark whether the entry is actually in the map.
-  struct EntryWrapper : T {
+  struct QUIC_NO_EXPORT EntryWrapper : T {
     bool present;
 
     EntryWrapper() : present(false) {}
diff --git a/chromium/net/third_party/quiche/src/quic/core/qpack/offline/README.md b/chromium/net/third_party/quiche/src/quic/core/qpack/offline/README.md
deleted file mode 100644
index 4f6697c66b5..00000000000
--- a/chromium/net/third_party/quiche/src/quic/core/qpack/offline/README.md
+++ /dev/null
@@ -1,28 +0,0 @@
-# QPACK Offline Interop Testing tools
-
-See
-[QPACK Offline Interop](https://github.com/quicwg/base-drafts/wiki/QPACK-Offline-Interop)
-for description of test data format.
-
-Example usage:
-
-```shell
-$ # Download test data
-$ cd $TEST_DATA
-$ git clone https://github.com/qpackers/qifs.git
-$ TEST_ENCODED_DATA=`pwd`/qifs/encoded/qpack-03
-$ TEST_QIF_DATA=`pwd`/qifs/qifs
-$
-$ # Decode encoded test data in four files and verify that they match
-$ # the original headers in corresponding files
-$ $BIN/qpack_offline_decoder \
->   $TEST_ENCODED_DATA/f5/fb-req.qifencoded.4096.100.0 \
->   $TEST_QIF_DATA/fb-req.qif
->   $TEST_ENCODED_DATA/h2o/fb-req-hq.out.512.0.1 \
->   $TEST_QIF_DATA/fb-req-hq.qif
->   $TEST_ENCODED_DATA/ls-qpack/fb-resp-hq.out.0.0.0 \
->   $TEST_QIF_DATA/fb-resp-hq.qif
->   $TEST_ENCODED_DATA/proxygen/netbsd.qif.proxygen.out.4096.0.0 \
->   $TEST_QIF_DATA/netbsd.qif
-$
-```
diff --git a/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_blocking_manager.cc b/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_blocking_manager.cc
index ffec17280f6..3544f1ca10b 100644
--- a/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_blocking_manager.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_blocking_manager.cc
@@ -24,7 +24,7 @@ bool QpackBlockingManager::OnHeaderAcknowledgement(QuicStreamId stream_id) {
 
   const uint64_t required_index_count = RequiredInsertCount(indices);
   if (known_received_count_ < required_index_count) {
-    IncreaseKnownReceivedCountTo(required_index_count);
+    known_received_count_ = required_index_count;
   }
 
   DecreaseReferenceCounts(indices);
@@ -56,7 +56,7 @@ bool QpackBlockingManager::OnInsertCountIncrement(uint64_t increment) {
     return false;
   }
 
-  IncreaseKnownReceivedCountTo(known_received_count_ + increment);
+  known_received_count_ += increment;
   return true;
 }
 
@@ -68,16 +68,6 @@ void QpackBlockingManager::OnHeaderBlockSent(QuicStreamId stream_id,
   header_blocks_[stream_id].push_back(std::move(indices));
 }
 
-void QpackBlockingManager::OnReferenceSentOnEncoderStream(
-    uint64_t inserted_index,
-    uint64_t referred_index) {
-  auto result = unacked_encoder_stream_references_.insert(
-      {inserted_index, referred_index});
-  // Each dynamic table entry can refer to at most one |referred_index|.
-  DCHECK(result.second);
-  IncreaseReferenceCounts({referred_index});
-}
-
 bool QpackBlockingManager::blocking_allowed_on_stream(
     QuicStreamId stream_id,
     uint64_t maximum_blocked_streams) const {
@@ -141,26 +131,6 @@ uint64_t QpackBlockingManager::RequiredInsertCount(const IndexSet& indices) {
   return *indices.rbegin() + 1;
 }
 
-void QpackBlockingManager::IncreaseKnownReceivedCountTo(
-    uint64_t new_known_received_count) {
-  DCHECK_GT(new_known_received_count, known_received_count_);
-
-  known_received_count_ = new_known_received_count;
-
-  // Remove referred indices with key less than new Known Received Count from
-  // |unacked_encoder_stream_references_| and |entry_reference_counts_|.
-  IndexSet acknowledged_references;
-  auto it = unacked_encoder_stream_references_.begin();
-  while (it != unacked_encoder_stream_references_.end() &&
-         it->first < known_received_count_) {
-    acknowledged_references.insert(it->second);
-    ++it;
-  }
-  unacked_encoder_stream_references_.erase(
-      unacked_encoder_stream_references_.begin(), it);
-  DecreaseReferenceCounts(acknowledged_references);
-}
-
 void QpackBlockingManager::IncreaseReferenceCounts(const IndexSet& indices) {
   for (const uint64_t index : indices) {
     auto it = entry_reference_counts_.lower_bound(index);
diff --git a/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_blocking_manager.h b/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_blocking_manager.h
index 60f7db7060a..6d2df9cfcf8 100644
--- a/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_blocking_manager.h
+++ b/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_blocking_manager.h
@@ -48,12 +48,6 @@ class QUIC_EXPORT_PRIVATE QpackBlockingManager {
   // entries with |indices|.  |indices| must not be empty.
   void OnHeaderBlockSent(QuicStreamId stream_id, IndexSet indices);
 
-  // Called when sending Insert With Name Reference or Duplicate instruction on
-  // encoder stream, inserting entry |inserted_index| referring to
-  // |referred_index|.
-  void OnReferenceSentOnEncoderStream(uint64_t inserted_index,
-                                      uint64_t referred_index);
-
   // Returns true if sending blocking references on stream |stream_id| would not
   // increase the total number of blocked streams above
   // |maximum_blocked_streams|.  Note that if |stream_id| is already blocked
@@ -85,11 +79,6 @@ class QUIC_EXPORT_PRIVATE QpackBlockingManager {
   using HeaderBlocksForStream = std::list<IndexSet>;
   using HeaderBlocks = QuicUnorderedMap<QuicStreamId, HeaderBlocksForStream>;
 
-  // Increases |known_received_count_| to |new_known_received_count|, which must
-  // me larger than |known_received_count_|.  Removes acknowledged references
-  // from |unacked_encoder_stream_references_|.
-  void IncreaseKnownReceivedCountTo(uint64_t new_known_received_count);
-
   // Increase or decrease the reference count for each index in |indices|.
   void IncreaseReferenceCounts(const IndexSet& indices);
   void DecreaseReferenceCounts(const IndexSet& indices);
@@ -98,13 +87,7 @@ class QUIC_EXPORT_PRIVATE QpackBlockingManager {
   // Must not contain a stream id with an empty queue.
   HeaderBlocks header_blocks_;
 
-  // Unacknowledged references on the encoder stream.
-  // The key is the absolute index of the inserted entry,
-  // the mapped value is the absolute index of the entry referred.
-  std::map<uint64_t, uint64_t> unacked_encoder_stream_references_;
-
-  // Number of references in |header_blocks_| and
-  // |unacked_encoder_stream_references_| for each entry index.
+  // Number of references in |header_blocks_| for each entry index.
   std::map<uint64_t, uint64_t> entry_reference_counts_;
 
   uint64_t known_received_count_;
diff --git a/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_blocking_manager_test.cc b/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_blocking_manager_test.cc
index 64bfb97f71d..d92dda549ef 100644
--- a/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_blocking_manager_test.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_blocking_manager_test.cc
@@ -236,88 +236,6 @@ TEST_F(QpackBlockingManagerTest, CancelStream) {
             manager_.smallest_blocking_index());
 }
 
-TEST_F(QpackBlockingManagerTest,
-       ReferenceOnEncoderStreamUnblockedByInsertCountIncrement) {
-  EXPECT_EQ(0u, manager_.known_received_count());
-  EXPECT_EQ(std::numeric_limits<uint64_t>::max(),
-            manager_.smallest_blocking_index());
-
-  // Entry 1 refers to entry 0.
-  manager_.OnReferenceSentOnEncoderStream(1, 0);
-  // Entry 2 also refers to entry 0.
-  manager_.OnReferenceSentOnEncoderStream(2, 0);
-
-  EXPECT_EQ(0u, manager_.known_received_count());
-  EXPECT_EQ(0u, manager_.smallest_blocking_index());
-
-  // Acknowledging entry 1 still leaves one unacknowledged reference to entry 0.
-  EXPECT_TRUE(manager_.OnInsertCountIncrement(2));
-
-  EXPECT_EQ(2u, manager_.known_received_count());
-  EXPECT_EQ(0u, manager_.smallest_blocking_index());
-
-  // Entry 3 also refers to entry 2.
-  manager_.OnReferenceSentOnEncoderStream(3, 2);
-
-  EXPECT_EQ(2u, manager_.known_received_count());
-  EXPECT_EQ(0u, manager_.smallest_blocking_index());
-
-  // Acknowledging entry 2 removes last reference to entry 0.
-  EXPECT_TRUE(manager_.OnInsertCountIncrement(1));
-
-  EXPECT_EQ(3u, manager_.known_received_count());
-  EXPECT_EQ(2u, manager_.smallest_blocking_index());
-
-  // Acknowledging entry 4 (and implicitly 3) removes reference to entry 2.
-  EXPECT_TRUE(manager_.OnInsertCountIncrement(2));
-
-  EXPECT_EQ(5u, manager_.known_received_count());
-  EXPECT_EQ(std::numeric_limits<uint64_t>::max(),
-            manager_.smallest_blocking_index());
-}
-
-TEST_F(QpackBlockingManagerTest,
-       ReferenceOnEncoderStreamUnblockedByHeaderAcknowledgement) {
-  EXPECT_EQ(0u, manager_.known_received_count());
-  EXPECT_EQ(std::numeric_limits<uint64_t>::max(),
-            manager_.smallest_blocking_index());
-
-  // Entry 1 refers to entry 0.
-  manager_.OnReferenceSentOnEncoderStream(1, 0);
-  // Entry 2 also refers to entry 0.
-  manager_.OnReferenceSentOnEncoderStream(2, 0);
-
-  EXPECT_EQ(0u, manager_.known_received_count());
-  EXPECT_EQ(0u, manager_.smallest_blocking_index());
-
-  // Acknowledging a header block with entries up to 1 still leave one
-  // unacknowledged reference to entry 0.
-  manager_.OnHeaderBlockSent(/* stream_id = */ 0, {0, 1});
-  manager_.OnHeaderAcknowledgement(/* stream_id = */ 0);
-
-  EXPECT_EQ(2u, manager_.known_received_count());
-  EXPECT_EQ(0u, manager_.smallest_blocking_index());
-
-  // Entry 3 also refers to entry 2.
-  manager_.OnReferenceSentOnEncoderStream(3, 2);
-
-  // Acknowledging a header block with entries up to 2 removes last reference to
-  // entry 0.
-  manager_.OnHeaderBlockSent(/* stream_id = */ 0, {2, 0, 2});
-  manager_.OnHeaderAcknowledgement(/* stream_id = */ 0);
-
-  EXPECT_EQ(3u, manager_.known_received_count());
-  EXPECT_EQ(2u, manager_.smallest_blocking_index());
-
-  // Acknowledging entry 4 (and implicitly 3) removes reference to entry 2.
-  manager_.OnHeaderBlockSent(/* stream_id = */ 0, {1, 4, 2, 0});
-  manager_.OnHeaderAcknowledgement(/* stream_id = */ 0);
-
-  EXPECT_EQ(5u, manager_.known_received_count());
-  EXPECT_EQ(std::numeric_limits<uint64_t>::max(),
-            manager_.smallest_blocking_index());
-}
-
 TEST_F(QpackBlockingManagerTest, BlockingAllowedOnStream) {
   const QuicStreamId kStreamId1 = 1;
   const QuicStreamId kStreamId2 = 2;
diff --git a/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_decoded_headers_accumulator.cc b/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_decoded_headers_accumulator.cc
index 9cce57365b6..e16aa5a2de7 100644
--- a/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_decoded_headers_accumulator.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_decoded_headers_accumulator.cc
@@ -8,6 +8,12 @@
 
 namespace quic {
 
+namespace {
+
+size_t kHeaderFieldSizeOverhead = 32;
+
+}
+
 QpackDecodedHeadersAccumulator::QpackDecodedHeadersAccumulator(
     QuicStreamId id,
     QpackDecoder* qpack_decoder,
@@ -15,12 +21,13 @@ QpackDecodedHeadersAccumulator::QpackDecodedHeadersAccumulator(
     size_t max_header_list_size)
     : decoder_(qpack_decoder->CreateProgressiveDecoder(id, this)),
       visitor_(visitor),
-      uncompressed_header_bytes_(0),
+      max_header_list_size_(max_header_list_size),
+      uncompressed_header_bytes_including_overhead_(0),
+      uncompressed_header_bytes_without_overhead_(0),
       compressed_header_bytes_(0),
+      header_list_size_limit_exceeded_(false),
       headers_decoded_(false),
-      blocked_(false),
       error_detected_(false) {
-  quic_header_list_.set_max_header_list_size(max_header_list_size);
   quic_header_list_.OnHeaderBlockStart();
 }
 
@@ -28,8 +35,21 @@ void QpackDecodedHeadersAccumulator::OnHeaderDecoded(QuicStringPiece name,
                                                      QuicStringPiece value) {
   DCHECK(!error_detected_);
 
-  uncompressed_header_bytes_ += name.size() + value.size();
-  quic_header_list_.OnHeader(name, value);
+  uncompressed_header_bytes_without_overhead_ += name.size() + value.size();
+
+  if (header_list_size_limit_exceeded_) {
+    return;
+  }
+
+  uncompressed_header_bytes_including_overhead_ +=
+      name.size() + value.size() + kHeaderFieldSizeOverhead;
+
+  if (uncompressed_header_bytes_including_overhead_ > max_header_list_size_) {
+    header_list_size_limit_exceeded_ = true;
+    quic_header_list_.Clear();
+  } else {
+    quic_header_list_.OnHeader(name, value);
+  }
 }
 
 void QpackDecodedHeadersAccumulator::OnDecodingCompleted() {
@@ -37,12 +57,12 @@ void QpackDecodedHeadersAccumulator::OnDecodingCompleted() {
   DCHECK(!error_detected_);
 
   headers_decoded_ = true;
-  quic_header_list_.OnHeaderBlockEnd(uncompressed_header_bytes_,
-                                     compressed_header_bytes_);
 
-  if (blocked_) {
-    visitor_->OnHeadersDecoded(quic_header_list_);
-  }
+  quic_header_list_.OnHeaderBlockEnd(
+      uncompressed_header_bytes_without_overhead_, compressed_header_bytes_);
+
+  // Might destroy |this|.
+  visitor_->OnHeadersDecoded(std::move(quic_header_list_));
 }
 
 void QpackDecodedHeadersAccumulator::OnDecodingErrorDetected(
@@ -51,51 +71,24 @@ void QpackDecodedHeadersAccumulator::OnDecodingErrorDetected(
   DCHECK(!headers_decoded_);
 
   error_detected_ = true;
-  // Copy error message to ensure it remains valid for the lifetime of |this|.
-  error_message_.assign(error_message.data(), error_message.size());
-
-  if (blocked_) {
-    visitor_->OnHeaderDecodingError();
-  }
+  // Might destroy |this|.
+  visitor_->OnHeaderDecodingError(error_message);
 }
 
-bool QpackDecodedHeadersAccumulator::Decode(QuicStringPiece data) {
+void QpackDecodedHeadersAccumulator::Decode(QuicStringPiece data) {
   DCHECK(!error_detected_);
 
   compressed_header_bytes_ += data.size();
+  // Might destroy |this|.
   decoder_->Decode(data);
-
-  return !error_detected_;
 }
 
-QpackDecodedHeadersAccumulator::Status
-QpackDecodedHeadersAccumulator::EndHeaderBlock() {
+void QpackDecodedHeadersAccumulator::EndHeaderBlock() {
   DCHECK(!error_detected_);
   DCHECK(!headers_decoded_);
 
+  // Might destroy |this|.
   decoder_->EndHeaderBlock();
-
-  if (error_detected_) {
-    DCHECK(!headers_decoded_);
-    return Status::kError;
-  }
-
-  if (headers_decoded_) {
-    return Status::kSuccess;
-  }
-
-  blocked_ = true;
-  return Status::kBlocked;
-}
-
-const QuicHeaderList& QpackDecodedHeadersAccumulator::quic_header_list() const {
-  DCHECK(!error_detected_);
-  return quic_header_list_;
-}
-
-QuicStringPiece QpackDecodedHeadersAccumulator::error_message() const {
-  DCHECK(error_detected_);
-  return error_message_;
 }
 
 }  // namespace quic
diff --git a/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_decoded_headers_accumulator.h b/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_decoded_headers_accumulator.h
index c64932214dc..0a2db6a348d 100644
--- a/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_decoded_headers_accumulator.h
+++ b/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_decoded_headers_accumulator.h
@@ -20,32 +20,30 @@ class QpackDecoder;
 
 // A class that creates and owns a QpackProgressiveDecoder instance, accumulates
 // decoded headers in a QuicHeaderList, and keeps track of uncompressed and
-// compressed size so that it can be passed to QuicHeaderList::EndHeaderBlock().
+// compressed size so that it can be passed to
+// QuicHeaderList::OnHeaderBlockEnd().
 class QUIC_EXPORT_PRIVATE QpackDecodedHeadersAccumulator
     : public QpackProgressiveDecoder::HeadersHandlerInterface {
  public:
-  // Return value for EndHeaderBlock().
-  enum class Status {
-    // Headers have been successfully decoded.
-    kSuccess,
-    // An error has occurred.
-    kError,
-    // Decoding is blocked.
-    kBlocked
-  };
-
-  // Visitor interface used for blocked decoding.  Exactly one visitor method
-  // will be called if EndHeaderBlock() returned kBlocked.  No visitor method
-  // will be called if EndHeaderBlock() returned any other value.
-  class Visitor {
+  // Visitor interface to signal success or error.
+  // Exactly one method will be called.
+  // Methods may be called synchronously from Decode() and EndHeaderBlock(),
+  // or asynchronously.
+  // Method implementations are allowed to destroy |this|.
+  class QUIC_EXPORT_PRIVATE Visitor {
    public:
     virtual ~Visitor() = default;
 
-    // Called when headers are successfully decoded.
+    // Called when headers are successfully decoded.  If header list size
+    // exceeds the limit specified via |max_header_list_size| in
+    // QpackDecodedHeadersAccumulator constructor, then |headers| will be empty,
+    // but will still have the correct compressed and uncompressed size
+    // information.  However, header_list_size_limit_exceeded() is recommended
+    // instead of headers.empty() to check whether header size exceeds limit.
     virtual void OnHeadersDecoded(QuicHeaderList headers) = 0;
 
     // Called when an error has occurred.
-    virtual void OnHeaderDecodingError() = 0;
+    virtual void OnHeaderDecodingError(QuicStringPiece error_message) = 0;
   };
 
   QpackDecodedHeadersAccumulator(QuicStreamId id,
@@ -60,42 +58,48 @@ class QUIC_EXPORT_PRIVATE QpackDecodedHeadersAccumulator
   void OnDecodingCompleted() override;
   void OnDecodingErrorDetected(QuicStringPiece error_message) override;
 
-  // Decode payload data.  Returns true on success, false on error.
+  // Decode payload data.
   // Must not be called if an error has been detected.
   // Must not be called after EndHeaderBlock().
-  bool Decode(QuicStringPiece data);
+  void Decode(QuicStringPiece data);
 
   // Signal end of HEADERS frame.
   // Must not be called if an error has been detected.
   // Must not be called more that once.
-  // Returns kSuccess if headers can be readily decoded.
-  // Returns kError if an error occurred.
-  // Returns kBlocked if headers cannot be decoded at the moment, in which case
-  // exactly one Visitor method will be called as soon as sufficient data
-  // is received on the QPACK decoder stream.
-  Status EndHeaderBlock();
-
-  // Returns accumulated header list.
-  const QuicHeaderList& quic_header_list() const;
-
-  // Returns error message.
-  // Must not be called unless an error has been detected.
-  // TODO(b/124216424): Add accessor for error code, return HTTP_EXCESSIVE_LOAD
-  // or HTTP_QPACK_DECOMPRESSION_FAILED.
-  QuicStringPiece error_message() const;
+  void EndHeaderBlock();
+
+  // Returns true if the uncompressed size of the header list, including an
+  // overhead for each header field, exceeds |max_header_list_size| passed in
+  // the constructor.
+  bool header_list_size_limit_exceeded() const {
+    return header_list_size_limit_exceeded_;
+  }
 
  private:
   std::unique_ptr<QpackProgressiveDecoder> decoder_;
   Visitor* visitor_;
+  // Maximum header list size including overhead.
+  size_t max_header_list_size_;
+  // Uncompressed header list size including overhead, for enforcing the limit.
+  size_t uncompressed_header_bytes_including_overhead_;
   QuicHeaderList quic_header_list_;
-  size_t uncompressed_header_bytes_;
+  // Uncompressed header list size with overhead,
+  // for passing in to QuicHeaderList::OnHeaderBlockEnd().
+  size_t uncompressed_header_bytes_without_overhead_;
+  // Compressed header list size
+  // for passing in to QuicHeaderList::OnHeaderBlockEnd().
   size_t compressed_header_bytes_;
-  // Set to true when OnDecodingCompleted() is called.
+
+  // True if the header size limit has been exceeded.
+  // Input data is still fed to QpackProgressiveDecoder.
+  bool header_list_size_limit_exceeded_;
+
+  // The following two members are only used for DCHECKs.
+
+  // True if headers have been completedly and successfully decoded.
   bool headers_decoded_;
-  // Set to true when EndHeaderBlock() returns kBlocked.
-  bool blocked_;
+  // True if an error has been detected during decoding.
   bool error_detected_;
-  std::string error_message_;
 };
 
 }  // namespace quic
diff --git a/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_decoded_headers_accumulator_test.cc b/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_decoded_headers_accumulator_test.cc
index 1d60660e9c4..6616517330f 100644
--- a/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_decoded_headers_accumulator_test.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_decoded_headers_accumulator_test.cc
@@ -7,16 +7,17 @@
 #include <cstring>
 
 #include "net/third_party/quiche/src/quic/core/qpack/qpack_decoder.h"
-#include "net/third_party/quiche/src/quic/core/qpack/qpack_decoder_test_utils.h"
-#include "net/third_party/quiche/src/quic/core/qpack/qpack_test_utils.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_test.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_text_utils.h"
+#include "net/third_party/quiche/src/quic/test_tools/qpack/qpack_decoder_test_utils.h"
+#include "net/third_party/quiche/src/quic/test_tools/qpack/qpack_test_utils.h"
 
+using ::testing::_;
 using ::testing::ElementsAre;
 using ::testing::Eq;
 using ::testing::Pair;
+using ::testing::SaveArg;
 using ::testing::StrictMock;
-using Status = quic::QpackDecodedHeadersAccumulator::Status;
 
 namespace quic {
 namespace test {
@@ -37,15 +38,15 @@ const uint64_t kMaximumBlockedStreams = 1;
 // Header Acknowledgement decoder stream instruction with stream_id = 1.
 const char* const kHeaderAcknowledgement = "\x81";
 
-}  // anonymous namespace
-
-class NoopVisitor : public QpackDecodedHeadersAccumulator::Visitor {
+class MockVisitor : public QpackDecodedHeadersAccumulator::Visitor {
  public:
-  ~NoopVisitor() override = default;
-  void OnHeadersDecoded(QuicHeaderList /* headers */) override {}
-  void OnHeaderDecodingError() override {}
+  ~MockVisitor() override = default;
+  MOCK_METHOD1(OnHeadersDecoded, void(QuicHeaderList headers));
+  MOCK_METHOD1(OnHeaderDecodingError, void(QuicStringPiece error_message));
 };
 
+}  // anonymous namespace
+
 class QpackDecodedHeadersAccumulatorTest : public QuicTest {
  protected:
   QpackDecodedHeadersAccumulatorTest()
@@ -63,91 +64,143 @@ class QpackDecodedHeadersAccumulatorTest : public QuicTest {
   NoopEncoderStreamErrorDelegate encoder_stream_error_delegate_;
   StrictMock<MockQpackStreamSenderDelegate> decoder_stream_sender_delegate_;
   QpackDecoder qpack_decoder_;
-  NoopVisitor visitor_;
+  StrictMock<MockVisitor> visitor_;
   QpackDecodedHeadersAccumulator accumulator_;
 };
 
 // HEADERS frame payload must have a complete Header Block Prefix.
 TEST_F(QpackDecodedHeadersAccumulatorTest, EmptyPayload) {
-  EXPECT_EQ(Status::kError, accumulator_.EndHeaderBlock());
-  EXPECT_EQ("Incomplete header data prefix.", accumulator_.error_message());
+  EXPECT_CALL(visitor_,
+              OnHeaderDecodingError(Eq("Incomplete header data prefix.")));
+  accumulator_.EndHeaderBlock();
 }
 
 // HEADERS frame payload must have a complete Header Block Prefix.
 TEST_F(QpackDecodedHeadersAccumulatorTest, TruncatedHeaderBlockPrefix) {
-  EXPECT_TRUE(accumulator_.Decode(QuicTextUtils::HexDecode("00")));
-  EXPECT_EQ(Status::kError, accumulator_.EndHeaderBlock());
-  EXPECT_EQ("Incomplete header data prefix.", accumulator_.error_message());
+  accumulator_.Decode(QuicTextUtils::HexDecode("00"));
+
+  EXPECT_CALL(visitor_,
+              OnHeaderDecodingError(Eq("Incomplete header data prefix.")));
+  accumulator_.EndHeaderBlock();
 }
 
 TEST_F(QpackDecodedHeadersAccumulatorTest, EmptyHeaderList) {
-  EXPECT_TRUE(accumulator_.Decode(QuicTextUtils::HexDecode("0000")));
-  EXPECT_EQ(Status::kSuccess, accumulator_.EndHeaderBlock());
+  std::string encoded_data(QuicTextUtils::HexDecode("0000"));
+  accumulator_.Decode(encoded_data);
 
-  EXPECT_TRUE(accumulator_.quic_header_list().empty());
+  QuicHeaderList header_list;
+  EXPECT_CALL(visitor_, OnHeadersDecoded(_)).WillOnce(SaveArg<0>(&header_list));
+  accumulator_.EndHeaderBlock();
+  EXPECT_FALSE(accumulator_.header_list_size_limit_exceeded());
+
+  EXPECT_EQ(0u, header_list.uncompressed_header_bytes());
+  EXPECT_EQ(encoded_data.size(), header_list.compressed_header_bytes());
+  EXPECT_TRUE(header_list.empty());
 }
 
 // This payload is the prefix of a valid payload, but EndHeaderBlock() is called
 // before it can be completely decoded.
 TEST_F(QpackDecodedHeadersAccumulatorTest, TruncatedPayload) {
-  EXPECT_TRUE(accumulator_.Decode(QuicTextUtils::HexDecode("00002366")));
-  EXPECT_EQ(Status::kError, accumulator_.EndHeaderBlock());
-  EXPECT_EQ("Incomplete header block.", accumulator_.error_message());
+  accumulator_.Decode(QuicTextUtils::HexDecode("00002366"));
+
+  EXPECT_CALL(visitor_, OnHeaderDecodingError(Eq("Incomplete header block.")));
+  accumulator_.EndHeaderBlock();
 }
 
 // This payload is invalid because it refers to a non-existing static entry.
 TEST_F(QpackDecodedHeadersAccumulatorTest, InvalidPayload) {
-  EXPECT_FALSE(accumulator_.Decode(QuicTextUtils::HexDecode("0000ff23ff24")));
-  EXPECT_EQ("Static table entry not found.", accumulator_.error_message());
+  EXPECT_CALL(visitor_,
+              OnHeaderDecodingError(Eq("Static table entry not found.")));
+  accumulator_.Decode(QuicTextUtils::HexDecode("0000ff23ff24"));
 }
 
 TEST_F(QpackDecodedHeadersAccumulatorTest, Success) {
   std::string encoded_data(QuicTextUtils::HexDecode("000023666f6f03626172"));
-  EXPECT_TRUE(accumulator_.Decode(encoded_data));
-  EXPECT_EQ(Status::kSuccess, accumulator_.EndHeaderBlock());
+  accumulator_.Decode(encoded_data);
 
-  const QuicHeaderList& header_list = accumulator_.quic_header_list();
-  EXPECT_THAT(header_list, ElementsAre(Pair("foo", "bar")));
+  QuicHeaderList header_list;
+  EXPECT_CALL(visitor_, OnHeadersDecoded(_)).WillOnce(SaveArg<0>(&header_list));
+  accumulator_.EndHeaderBlock();
+  EXPECT_FALSE(accumulator_.header_list_size_limit_exceeded());
 
+  EXPECT_THAT(header_list, ElementsAre(Pair("foo", "bar")));
   EXPECT_EQ(strlen("foo") + strlen("bar"),
             header_list.uncompressed_header_bytes());
   EXPECT_EQ(encoded_data.size(), header_list.compressed_header_bytes());
 }
 
-TEST_F(QpackDecodedHeadersAccumulatorTest, ExceedingLimit) {
+// Test that Decode() calls are not ignored after header list limit is exceeded,
+// otherwise decoding could fail with "incomplete header block" error.
+TEST_F(QpackDecodedHeadersAccumulatorTest, ExceedLimitThenSplitInstruction) {
   // Total length of header list exceeds kMaxHeaderListSize.
-  EXPECT_TRUE(accumulator_.Decode(QuicTextUtils::HexDecode(
+  accumulator_.Decode(QuicTextUtils::HexDecode(
       "0000"                                      // header block prefix
       "26666f6f626172"                            // header key: "foobar"
       "7d61616161616161616161616161616161616161"  // header value: 'a' 125 times
       "616161616161616161616161616161616161616161616161616161616161616161616161"
       "616161616161616161616161616161616161616161616161616161616161616161616161"
-      "61616161616161616161616161616161616161616161616161616161616161616161")));
-  EXPECT_EQ(Status::kSuccess, accumulator_.EndHeaderBlock());
+      "61616161616161616161616161616161616161616161616161616161616161616161"
+      "ff"));  // first byte of a two-byte long Indexed Header Field instruction
+  accumulator_.Decode(QuicTextUtils::HexDecode(
+      "0f"  // second byte of a two-byte long Indexed Header Field instruction
+      ));
+
+  EXPECT_CALL(visitor_, OnHeadersDecoded(_));
+  accumulator_.EndHeaderBlock();
+  EXPECT_TRUE(accumulator_.header_list_size_limit_exceeded());
+}
 
-  // QuicHeaderList signals header list over limit by clearing it.
-  EXPECT_TRUE(accumulator_.quic_header_list().empty());
+// Test that header list limit enforcement works with blocked encoding.
+TEST_F(QpackDecodedHeadersAccumulatorTest, ExceedLimitBlocked) {
+  // Total length of header list exceeds kMaxHeaderListSize.
+  accumulator_.Decode(QuicTextUtils::HexDecode(
+      "0200"            // header block prefix
+      "80"              // reference to dynamic table entry not yet received
+      "26666f6f626172"  // header key: "foobar"
+      "7d61616161616161616161616161616161616161"  // header value: 'a' 125 times
+      "616161616161616161616161616161616161616161616161616161616161616161616161"
+      "616161616161616161616161616161616161616161616161616161616161616161616161"
+      "61616161616161616161616161616161616161616161616161616161616161616161"));
+  accumulator_.EndHeaderBlock();
+
+  // Set dynamic table capacity.
+  qpack_decoder_.OnSetDynamicTableCapacity(kMaxDynamicTableCapacity);
+  // Adding dynamic table entry unblocks decoding.
+  EXPECT_CALL(decoder_stream_sender_delegate_,
+              WriteStreamData(Eq(kHeaderAcknowledgement)));
+
+  EXPECT_CALL(visitor_, OnHeadersDecoded(_));
+  qpack_decoder_.OnInsertWithoutNameReference("foo", "bar");
+  EXPECT_TRUE(accumulator_.header_list_size_limit_exceeded());
 }
 
 TEST_F(QpackDecodedHeadersAccumulatorTest, BlockedDecoding) {
   // Reference to dynamic table entry not yet received.
-  EXPECT_TRUE(accumulator_.Decode(QuicTextUtils::HexDecode("020080")));
-  EXPECT_EQ(Status::kBlocked, accumulator_.EndHeaderBlock());
+  std::string encoded_data(QuicTextUtils::HexDecode("020080"));
+  accumulator_.Decode(encoded_data);
+  accumulator_.EndHeaderBlock();
 
   // Set dynamic table capacity.
   qpack_decoder_.OnSetDynamicTableCapacity(kMaxDynamicTableCapacity);
   // Adding dynamic table entry unblocks decoding.
   EXPECT_CALL(decoder_stream_sender_delegate_,
               WriteStreamData(Eq(kHeaderAcknowledgement)));
+
+  QuicHeaderList header_list;
+  EXPECT_CALL(visitor_, OnHeadersDecoded(_)).WillOnce(SaveArg<0>(&header_list));
   qpack_decoder_.OnInsertWithoutNameReference("foo", "bar");
 
-  EXPECT_THAT(accumulator_.quic_header_list(), ElementsAre(Pair("foo", "bar")));
+  EXPECT_FALSE(accumulator_.header_list_size_limit_exceeded());
+  EXPECT_THAT(header_list, ElementsAre(Pair("foo", "bar")));
+  EXPECT_EQ(strlen("foo") + strlen("bar"),
+            header_list.uncompressed_header_bytes());
+  EXPECT_EQ(encoded_data.size(), header_list.compressed_header_bytes());
 }
 
 TEST_F(QpackDecodedHeadersAccumulatorTest,
        BlockedDecodingUnblockedBeforeEndOfHeaderBlock) {
   // Reference to dynamic table entry not yet received.
-  EXPECT_TRUE(accumulator_.Decode(QuicTextUtils::HexDecode("020080")));
+  accumulator_.Decode(QuicTextUtils::HexDecode("020080"));
 
   // Set dynamic table capacity.
   qpack_decoder_.OnSetDynamicTableCapacity(kMaxDynamicTableCapacity);
@@ -157,11 +210,34 @@ TEST_F(QpackDecodedHeadersAccumulatorTest,
   // Rest of header block: same entry again.
   EXPECT_CALL(decoder_stream_sender_delegate_,
               WriteStreamData(Eq(kHeaderAcknowledgement)));
-  EXPECT_TRUE(accumulator_.Decode(QuicTextUtils::HexDecode("80")));
-  EXPECT_EQ(Status::kSuccess, accumulator_.EndHeaderBlock());
+  accumulator_.Decode(QuicTextUtils::HexDecode("80"));
 
-  EXPECT_THAT(accumulator_.quic_header_list(),
-              ElementsAre(Pair("foo", "bar"), Pair("foo", "bar")));
+  QuicHeaderList header_list;
+  EXPECT_CALL(visitor_, OnHeadersDecoded(_)).WillOnce(SaveArg<0>(&header_list));
+  accumulator_.EndHeaderBlock();
+  EXPECT_FALSE(accumulator_.header_list_size_limit_exceeded());
+
+  EXPECT_THAT(header_list, ElementsAre(Pair("foo", "bar"), Pair("foo", "bar")));
+}
+
+// Regression test for https://crbug.com/1024263.
+TEST_F(QpackDecodedHeadersAccumulatorTest,
+       BlockedDecodingUnblockedAndErrorBeforeEndOfHeaderBlock) {
+  // Required Insert Count higher than number of entries causes decoding to be
+  // blocked.
+  accumulator_.Decode(QuicTextUtils::HexDecode("0200"));
+  // Indexed Header Field instruction addressing dynamic table entry with
+  // relative index 0, absolute index 0.
+  accumulator_.Decode(QuicTextUtils::HexDecode("80"));
+  // Relative index larger than or equal to Base is invalid.
+  accumulator_.Decode(QuicTextUtils::HexDecode("81"));
+
+  // Set dynamic table capacity.
+  qpack_decoder_.OnSetDynamicTableCapacity(kMaxDynamicTableCapacity);
+
+  // Adding dynamic table entry unblocks decoding.  Error is detected.
+  EXPECT_CALL(visitor_, OnHeaderDecodingError(Eq("Invalid relative index.")));
+  qpack_decoder_.OnInsertWithoutNameReference("foo", "bar");
 }
 
 }  // namespace test
diff --git a/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_decoder.cc b/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_decoder.cc
index 4f39e3b39b2..3ae6bce6e6b 100644
--- a/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_decoder.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_decoder.cc
@@ -27,10 +27,10 @@ QpackDecoder::QpackDecoder(
 QpackDecoder::~QpackDecoder() {}
 
 void QpackDecoder::OnStreamReset(QuicStreamId stream_id) {
-  // TODO(bnc): SendStreamCancellation should not be called if maximum dynamic
-  // table capacity is zero.
-  decoder_stream_sender_.SendStreamCancellation(stream_id);
-  decoder_stream_sender_.Flush();
+  if (header_table_.maximum_dynamic_table_capacity() > 0) {
+    decoder_stream_sender_.SendStreamCancellation(stream_id);
+    decoder_stream_sender_.Flush();
+  }
 }
 
 bool QpackDecoder::OnStreamBlocked(QuicStreamId stream_id) {
diff --git a/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_decoder.h b/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_decoder.h
index 113c6ea8e4a..4ac1e449bc6 100644
--- a/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_decoder.h
+++ b/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_decoder.h
@@ -95,6 +95,11 @@ class QUIC_EXPORT_PRIVATE QpackDecoder
     return &encoder_stream_receiver_;
   }
 
+  // True if any dynamic table entries have been referenced from a header block.
+  bool dynamic_table_entry_referenced() const {
+    return header_table_.dynamic_table_entry_referenced();
+  }
+
  private:
   EncoderStreamErrorDelegate* const encoder_stream_error_delegate_;
   QpackEncoderStreamReceiver encoder_stream_receiver_;
diff --git a/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_decoder_stream_receiver.cc b/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_decoder_stream_receiver.cc
index 559ce433376..2ba89d48a82 100644
--- a/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_decoder_stream_receiver.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_decoder_stream_receiver.cc
@@ -6,7 +6,7 @@
 
 #include "net/third_party/quiche/src/http2/decoder/decode_buffer.h"
 #include "net/third_party/quiche/src/http2/decoder/decode_status.h"
-#include "net/third_party/quiche/src/quic/core/qpack/qpack_constants.h"
+#include "net/third_party/quiche/src/quic/core/qpack/qpack_instructions.h"
 
 namespace quic {
 
diff --git a/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_decoder_stream_receiver.h b/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_decoder_stream_receiver.h
index 60719399d8b..396c6df8779 100644
--- a/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_decoder_stream_receiver.h
+++ b/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_decoder_stream_receiver.h
@@ -23,7 +23,7 @@ class QUIC_EXPORT_PRIVATE QpackDecoderStreamReceiver
  public:
   // An interface for handling instructions decoded from the decoder stream, see
   // https://quicwg.org/base-drafts/draft-ietf-quic-qpack.html#rfc.section.5.3
-  class Delegate {
+  class QUIC_EXPORT_PRIVATE Delegate {
    public:
     virtual ~Delegate() = default;
 
diff --git a/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_decoder_stream_sender.cc b/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_decoder_stream_sender.cc
index 68e4d67816c..72a446b420a 100644
--- a/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_decoder_stream_sender.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_decoder_stream_sender.cc
@@ -8,7 +8,7 @@
 #include <limits>
 #include <string>
 
-#include "net/third_party/quiche/src/quic/core/qpack/qpack_constants.h"
+#include "net/third_party/quiche/src/quic/core/qpack/qpack_instructions.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_logging.h"
 
 namespace quic {
@@ -16,25 +16,19 @@ namespace quic {
 QpackDecoderStreamSender::QpackDecoderStreamSender() : delegate_(nullptr) {}
 
 void QpackDecoderStreamSender::SendInsertCountIncrement(uint64_t increment) {
-  values_.varint = increment;
-
-  instruction_encoder_.Encode(InsertCountIncrementInstruction(), values_,
-                              &buffer_);
+  instruction_encoder_.Encode(
+      QpackInstructionWithValues::InsertCountIncrement(increment), &buffer_);
 }
 
 void QpackDecoderStreamSender::SendHeaderAcknowledgement(
     QuicStreamId stream_id) {
-  values_.varint = stream_id;
-
-  instruction_encoder_.Encode(HeaderAcknowledgementInstruction(), values_,
-                              &buffer_);
+  instruction_encoder_.Encode(
+      QpackInstructionWithValues::HeaderAcknowledgement(stream_id), &buffer_);
 }
 
 void QpackDecoderStreamSender::SendStreamCancellation(QuicStreamId stream_id) {
-  values_.varint = stream_id;
-
-  instruction_encoder_.Encode(StreamCancellationInstruction(), values_,
-                              &buffer_);
+  instruction_encoder_.Encode(
+      QpackInstructionWithValues::StreamCancellation(stream_id), &buffer_);
 }
 
 void QpackDecoderStreamSender::Flush() {
diff --git a/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_decoder_stream_sender.h b/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_decoder_stream_sender.h
index 93d95d91476..d9033b04dee 100644
--- a/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_decoder_stream_sender.h
+++ b/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_decoder_stream_sender.h
@@ -44,7 +44,6 @@ class QUIC_EXPORT_PRIVATE QpackDecoderStreamSender {
  private:
   QpackStreamSenderDelegate* delegate_;
   QpackInstructionEncoder instruction_encoder_;
-  QpackInstructionEncoder::Values values_;
   std::string buffer_;
 };
 
diff --git a/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_decoder_stream_sender_test.cc b/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_decoder_stream_sender_test.cc
index 6e042590833..e3dc12497e3 100644
--- a/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_decoder_stream_sender_test.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_decoder_stream_sender_test.cc
@@ -4,9 +4,9 @@
 
 #include "net/third_party/quiche/src/quic/core/qpack/qpack_decoder_stream_sender.h"
 
-#include "net/third_party/quiche/src/quic/core/qpack/qpack_test_utils.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_test.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_text_utils.h"
+#include "net/third_party/quiche/src/quic/test_tools/qpack/qpack_test_utils.h"
 
 using ::testing::Eq;
 using ::testing::StrictMock;
diff --git a/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_decoder_test.cc b/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_decoder_test.cc
index d0ff30ff679..1fc5802d83c 100644
--- a/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_decoder_test.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_decoder_test.cc
@@ -6,14 +6,16 @@
 
 #include <algorithm>
 
-#include "net/third_party/quiche/src/quic/core/qpack/qpack_decoder_test_utils.h"
-#include "net/third_party/quiche/src/quic/core/qpack/qpack_test_utils.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_logging.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_test.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_text_utils.h"
+#include "net/third_party/quiche/src/quic/test_tools/qpack/qpack_decoder_test_utils.h"
+#include "net/third_party/quiche/src/quic/test_tools/qpack/qpack_test_utils.h"
 #include "net/third_party/quiche/src/spdy/core/spdy_header_block.h"
 
+using ::testing::_;
 using ::testing::Eq;
+using ::testing::Invoke;
 using ::testing::Mock;
 using ::testing::Sequence;
 using ::testing::StrictMock;
@@ -42,6 +44,15 @@ class QpackDecoderTest : public QuicTestWithParam<FragmentMode> {
 
   ~QpackDecoderTest() override = default;
 
+  void SetUp() override {
+    // Destroy QpackProgressiveDecoder on error to test that it does not crash.
+    // See https://crbug.com/1025209.
+    ON_CALL(handler_, OnDecodingErrorDetected(_))
+        .WillByDefault(Invoke([this](QuicStringPiece /* error_message */) {
+          progressive_decoder_.reset();
+        }));
+  }
+
   void DecodeEncoderStreamData(QuicStringPiece data) {
     qpack_decoder_.encoder_stream_receiver()->Decode(data);
   }
@@ -61,7 +72,7 @@ class QpackDecoderTest : public QuicTestWithParam<FragmentMode> {
   void DecodeData(QuicStringPiece data) {
     auto fragment_size_generator =
         FragmentModeToFragmentSizeGenerator(fragment_mode_);
-    while (!data.empty()) {
+    while (progressive_decoder_ && !data.empty()) {
       size_t fragment_size = std::min(fragment_size_generator(), data.size());
       progressive_decoder_->Decode(data.substr(0, fragment_size));
       data = data.substr(fragment_size);
@@ -70,9 +81,11 @@ class QpackDecoderTest : public QuicTestWithParam<FragmentMode> {
 
   // Signal end of header block to QpackProgressiveDecoder.
   void EndDecoding() {
-    progressive_decoder_->EndHeaderBlock();
-    // |progressive_decoder_| is kept alive so that it can
-    // handle callbacks later in case of blocked decoding.
+    if (progressive_decoder_) {
+      progressive_decoder_->EndHeaderBlock();
+    }
+    // If no error was detected, |*progressive_decoder_| is kept alive so that
+    // it can handle callbacks later in case of blocked decoding.
   }
 
   // Decode an entire header block.
@@ -105,6 +118,18 @@ TEST_P(QpackDecoderTest, NoPrefix) {
   DecodeHeaderBlock(QuicTextUtils::HexDecode("00"));
 }
 
+// Regression test for https://1025209: QpackProgressiveDecoder must not crash
+// in Decode() if it is destroyed by handler_.OnDecodingErrorDetected().
+TEST_P(QpackDecoderTest, InvalidPrefix) {
+  StartDecoding();
+
+  EXPECT_CALL(handler_,
+              OnDecodingErrorDetected(Eq("Encoded integer too large.")));
+
+  // Encoded Required Insert Count in Header Data Prefix is too large.
+  DecodeData(QuicTextUtils::HexDecode("ffffffffffffffffffffffffffff"));
+}
+
 TEST_P(QpackDecoderTest, EmptyHeaderBlock) {
   EXPECT_CALL(handler_, OnDecodingCompleted());
 
@@ -780,16 +805,15 @@ TEST_P(QpackDecoderTest, BlockedDecodingUnblockedBeforeEndOfHeaderBlock) {
                // entry with relative index 0, absolute index 0.
       "d1"));  // Static table entry with index 17.
 
+  // Set dynamic table capacity to 1024.
+  DecodeEncoderStreamData(QuicTextUtils::HexDecode("3fe107"));
+
   // Add literal entry with name "foo" and value "bar".  Decoding is now
   // unblocked because dynamic table Insert Count reached the Required Insert
   // Count of the header block.  |handler_| methods are called immediately for
   // the already consumed part of the header block.
   EXPECT_CALL(handler_, OnHeaderDecoded(Eq("foo"), Eq("bar")));
   EXPECT_CALL(handler_, OnHeaderDecoded(Eq(":method"), Eq("GET")));
-
-  // Set dynamic table capacity to 1024.
-  DecodeEncoderStreamData(QuicTextUtils::HexDecode("3fe107"));
-  // Add literal entry with name "foo" and value "bar".
   DecodeEncoderStreamData(QuicTextUtils::HexDecode("6294e703626172"));
   Mock::VerifyAndClearExpectations(&handler_);
 
@@ -809,6 +833,29 @@ TEST_P(QpackDecoderTest, BlockedDecodingUnblockedBeforeEndOfHeaderBlock) {
   EndDecoding();
 }
 
+// Regression test for https://crbug.com/1024263.
+TEST_P(QpackDecoderTest,
+       BlockedDecodingUnblockedAndErrorBeforeEndOfHeaderBlock) {
+  StartDecoding();
+  DecodeData(QuicTextUtils::HexDecode(
+      "0200"   // Required Insert Count 1 and Delta Base 0.
+               // Base is 1 + 0 = 1.
+      "80"     // Indexed Header Field instruction addressing dynamic table
+               // entry with relative index 0, absolute index 0.
+      "81"));  // Relative index 1 is equal to Base, therefore invalid.
+
+  // Set dynamic table capacity to 1024.
+  DecodeEncoderStreamData(QuicTextUtils::HexDecode("3fe107"));
+
+  // Add literal entry with name "foo" and value "bar".  Decoding is now
+  // unblocked because dynamic table Insert Count reached the Required Insert
+  // Count of the header block.  |handler_| methods are called immediately for
+  // the already consumed part of the header block.
+  EXPECT_CALL(handler_, OnHeaderDecoded(Eq("foo"), Eq("bar")));
+  EXPECT_CALL(handler_, OnDecodingErrorDetected(Eq("Invalid relative index.")));
+  DecodeEncoderStreamData(QuicTextUtils::HexDecode("6294e703626172"));
+}
+
 // Make sure that Required Insert Count is compared to Insert Count,
 // not size of dynamic table.
 TEST_P(QpackDecoderTest, BlockedDecodingAndEvictedEntries) {
diff --git a/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_encoder.cc b/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_encoder.cc
index 319af82115a..59e172ec75a 100644
--- a/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_encoder.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_encoder.cc
@@ -7,7 +7,6 @@
 #include <algorithm>
 #include <utility>
 
-#include "net/third_party/quiche/src/quic/core/qpack/qpack_constants.h"
 #include "net/third_party/quiche/src/quic/core/qpack/qpack_index_conversions.h"
 #include "net/third_party/quiche/src/quic/core/qpack/qpack_instruction_encoder.h"
 #include "net/third_party/quiche/src/quic/core/qpack/qpack_required_insert_count.h"
@@ -42,47 +41,37 @@ QpackEncoder::QpackEncoder(
 QpackEncoder::~QpackEncoder() {}
 
 // static
-QpackEncoder::InstructionWithValues QpackEncoder::EncodeIndexedHeaderField(
+QpackInstructionWithValues QpackEncoder::EncodeIndexedHeaderField(
     bool is_static,
     uint64_t index,
     QpackBlockingManager::IndexSet* referred_indices) {
-  InstructionWithValues instruction{QpackIndexedHeaderFieldInstruction(), {}};
-  instruction.values.s_bit = is_static;
-  instruction.values.varint = index;
   // Add |index| to |*referred_indices| only if entry is in the dynamic table.
   if (!is_static) {
     referred_indices->insert(index);
   }
-  return instruction;
+  return QpackInstructionWithValues::IndexedHeaderField(is_static, index);
 }
 
 // static
-QpackEncoder::InstructionWithValues
+QpackInstructionWithValues
 QpackEncoder::EncodeLiteralHeaderFieldWithNameReference(
     bool is_static,
     uint64_t index,
     QuicStringPiece value,
     QpackBlockingManager::IndexSet* referred_indices) {
-  InstructionWithValues instruction{
-      QpackLiteralHeaderFieldNameReferenceInstruction(), {}};
-  instruction.values.s_bit = is_static;
-  instruction.values.varint = index;
-  instruction.values.value = value;
   // Add |index| to |*referred_indices| only if entry is in the dynamic table.
   if (!is_static) {
     referred_indices->insert(index);
   }
-  return instruction;
+  return QpackInstructionWithValues::LiteralHeaderFieldNameReference(
+      is_static, index, value);
 }
 
 // static
-QpackEncoder::InstructionWithValues QpackEncoder::EncodeLiteralHeaderField(
+QpackInstructionWithValues QpackEncoder::EncodeLiteralHeaderField(
     QuicStringPiece name,
     QuicStringPiece value) {
-  InstructionWithValues instruction{QpackLiteralHeaderFieldInstruction(), {}};
-  instruction.values.name = name;
-  instruction.values.value = value;
-  return instruction;
+  return QpackInstructionWithValues::LiteralHeaderField(name, value);
 }
 
 QpackEncoder::Instructions QpackEncoder::FirstPassEncode(
@@ -142,6 +131,7 @@ QpackEncoder::Instructions QpackEncoder::FirstPassEncode(
             instructions.push_back(
                 EncodeIndexedHeaderField(is_static, index, referred_indices));
             smallest_blocking_index = std::min(smallest_blocking_index, index);
+            header_table_.set_dynamic_table_entry_referenced();
 
             break;
           }
@@ -159,11 +149,10 @@ QpackEncoder::Instructions QpackEncoder::FirstPassEncode(
                 QpackAbsoluteIndexToEncoderStreamRelativeIndex(
                     index, header_table_.inserted_entry_count()));
             auto entry = header_table_.InsertEntry(name, value);
-            blocking_manager_.OnReferenceSentOnEncoderStream(
-                entry->InsertionIndex(), index);
             instructions.push_back(EncodeIndexedHeaderField(
                 is_static, entry->InsertionIndex(), referred_indices));
             smallest_blocking_index = std::min(smallest_blocking_index, index);
+            header_table_.set_dynamic_table_entry_referenced();
 
             break;
           }
@@ -218,11 +207,10 @@ QpackEncoder::Instructions QpackEncoder::FirstPassEncode(
                   index, header_table_.inserted_entry_count()),
               value);
           auto entry = header_table_.InsertEntry(name, value);
-          blocking_manager_.OnReferenceSentOnEncoderStream(
-              entry->InsertionIndex(), index);
           instructions.push_back(EncodeIndexedHeaderField(
               is_static, entry->InsertionIndex(), referred_indices));
           smallest_blocking_index = std::min(smallest_blocking_index, index);
+          header_table_.set_dynamic_table_entry_referenced();
 
           break;
         }
@@ -233,6 +221,7 @@ QpackEncoder::Instructions QpackEncoder::FirstPassEncode(
           instructions.push_back(EncodeLiteralHeaderFieldWithNameReference(
               is_static, index, value, referred_indices));
           smallest_blocking_index = std::min(smallest_blocking_index, index);
+          header_table_.set_dynamic_table_entry_referenced();
 
           break;
         }
@@ -329,29 +318,24 @@ std::string QpackEncoder::SecondPassEncode(
   std::string encoded_headers;
 
   // Header block prefix.
-  QpackInstructionEncoder::Values values;
-  values.varint = QpackEncodeRequiredInsertCount(required_insert_count,
-                                                 header_table_.max_entries());
-  values.varint2 = 0;    // Delta Base.
-  values.s_bit = false;  // Delta Base sign.
-  const uint64_t base = required_insert_count;
+  instruction_encoder.Encode(
+      QpackInstructionWithValues::Prefix(QpackEncodeRequiredInsertCount(
+          required_insert_count, header_table_.max_entries())),
+      &encoded_headers);
 
-  instruction_encoder.Encode(QpackPrefixInstruction(), values,
-                             &encoded_headers);
+  const uint64_t base = required_insert_count;
 
   for (auto& instruction : instructions) {
     // Dynamic table references must be transformed from absolute to relative
     // indices.
-    if ((instruction.instruction == QpackIndexedHeaderFieldInstruction() ||
-         instruction.instruction ==
+    if ((instruction.instruction() == QpackIndexedHeaderFieldInstruction() ||
+         instruction.instruction() ==
              QpackLiteralHeaderFieldNameReferenceInstruction()) &&
-        !instruction.values.s_bit) {
-      instruction.values.varint =
-          QpackAbsoluteIndexToRequestStreamRelativeIndex(
-              instruction.values.varint, base);
+        !instruction.s_bit()) {
+      instruction.set_varint(QpackAbsoluteIndexToRequestStreamRelativeIndex(
+          instruction.varint(), base));
     }
-    instruction_encoder.Encode(instruction.instruction, instruction.values,
-                               &encoded_headers);
+    instruction_encoder.Encode(instruction, &encoded_headers);
   }
 
   return encoded_headers;
diff --git a/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_encoder.h b/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_encoder.h
index 1ed56a82e11..e635e3bf04b 100644
--- a/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_encoder.h
+++ b/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_encoder.h
@@ -14,6 +14,7 @@
 #include "net/third_party/quiche/src/quic/core/qpack/qpack_decoder_stream_receiver.h"
 #include "net/third_party/quiche/src/quic/core/qpack/qpack_encoder_stream_sender.h"
 #include "net/third_party/quiche/src/quic/core/qpack/qpack_header_table.h"
+#include "net/third_party/quiche/src/quic/core/qpack/qpack_instructions.h"
 #include "net/third_party/quiche/src/quic/core/quic_types.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_export.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_exported_stats.h"
@@ -87,39 +88,35 @@ class QUIC_EXPORT_PRIVATE QpackEncoder
     return &decoder_stream_receiver_;
   }
 
+  // True if any dynamic table entries have been referenced from a header block.
+  bool dynamic_table_entry_referenced() const {
+    return header_table_.dynamic_table_entry_referenced();
+  }
+
  private:
   friend class test::QpackEncoderPeer;
 
-  // TODO(bnc): Consider moving this class to QpackInstructionEncoder or
-  // qpack_constants, adding factory methods, one for each instruction, and
-  // changing QpackInstructionEncoder::Encoder() to take an
-  // InstructionWithValues struct instead of separate |instruction| and |values|
-  // arguments.
-  struct InstructionWithValues {
-    // |instruction| is not owned.
-    const QpackInstruction* instruction;
-    QpackInstructionEncoder::Values values;
-  };
-  using Instructions = std::vector<InstructionWithValues>;
+  using Instructions = std::vector<QpackInstructionWithValues>;
 
   // Generate indexed header field instruction
   // and optionally update |*referred_indices|.
-  static InstructionWithValues EncodeIndexedHeaderField(
+  static QpackInstructionWithValues EncodeIndexedHeaderField(
       bool is_static,
       uint64_t index,
       QpackBlockingManager::IndexSet* referred_indices);
 
   // Generate literal header field with name reference instruction
   // and optionally update |*referred_indices|.
-  static InstructionWithValues EncodeLiteralHeaderFieldWithNameReference(
+  static QpackInstructionWithValues EncodeLiteralHeaderFieldWithNameReference(
       bool is_static,
       uint64_t index,
       QuicStringPiece value,
       QpackBlockingManager::IndexSet* referred_indices);
 
   // Generate literal header field instruction.
-  static InstructionWithValues EncodeLiteralHeaderField(QuicStringPiece name,
-                                                        QuicStringPiece value);
+  static QpackInstructionWithValues EncodeLiteralHeaderField(
+      QuicStringPiece name,
+      QuicStringPiece value);
 
   // Performs first pass of two-pass encoding: represent each header field in
   // |*header_list| as a reference to an existing entry, the name of an existing
diff --git a/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_encoder_stream_receiver.cc b/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_encoder_stream_receiver.cc
index 3f8ef08a7ee..c46cc3c0f41 100644
--- a/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_encoder_stream_receiver.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_encoder_stream_receiver.cc
@@ -6,7 +6,7 @@
 
 #include "net/third_party/quiche/src/http2/decoder/decode_buffer.h"
 #include "net/third_party/quiche/src/http2/decoder/decode_status.h"
-#include "net/third_party/quiche/src/quic/core/qpack/qpack_constants.h"
+#include "net/third_party/quiche/src/quic/core/qpack/qpack_instructions.h"
 
 namespace quic {
 
diff --git a/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_encoder_stream_receiver.h b/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_encoder_stream_receiver.h
index 8da3147d1ea..b393b546b60 100644
--- a/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_encoder_stream_receiver.h
+++ b/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_encoder_stream_receiver.h
@@ -22,7 +22,7 @@ class QUIC_EXPORT_PRIVATE QpackEncoderStreamReceiver
  public:
   // An interface for handling instructions decoded from the encoder stream, see
   // https://quicwg.org/base-drafts/draft-ietf-quic-qpack.html#rfc.section.5.2
-  class Delegate {
+  class QUIC_EXPORT_PRIVATE Delegate {
    public:
     virtual ~Delegate() = default;
 
diff --git a/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_encoder_stream_sender.cc b/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_encoder_stream_sender.cc
index 4a7f12cd3a3..5182864ce6d 100644
--- a/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_encoder_stream_sender.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_encoder_stream_sender.cc
@@ -8,7 +8,7 @@
 #include <limits>
 #include <string>
 
-#include "net/third_party/quiche/src/quic/core/qpack/qpack_constants.h"
+#include "net/third_party/quiche/src/quic/core/qpack/qpack_instructions.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_logging.h"
 
 namespace quic {
@@ -19,35 +19,28 @@ void QpackEncoderStreamSender::SendInsertWithNameReference(
     bool is_static,
     uint64_t name_index,
     QuicStringPiece value) {
-  values_.s_bit = is_static;
-  values_.varint = name_index;
-  values_.value = value;
-
-  instruction_encoder_.Encode(InsertWithNameReferenceInstruction(), values_,
-                              &buffer_);
+  instruction_encoder_.Encode(
+      QpackInstructionWithValues::InsertWithNameReference(is_static, name_index,
+                                                          value),
+      &buffer_);
 }
 
 void QpackEncoderStreamSender::SendInsertWithoutNameReference(
     QuicStringPiece name,
     QuicStringPiece value) {
-  values_.name = name;
-  values_.value = value;
-
-  instruction_encoder_.Encode(InsertWithoutNameReferenceInstruction(), values_,
-                              &buffer_);
+  instruction_encoder_.Encode(
+      QpackInstructionWithValues::InsertWithoutNameReference(name, value),
+      &buffer_);
 }
 
 void QpackEncoderStreamSender::SendDuplicate(uint64_t index) {
-  values_.varint = index;
-
-  instruction_encoder_.Encode(DuplicateInstruction(), values_, &buffer_);
+  instruction_encoder_.Encode(QpackInstructionWithValues::Duplicate(index),
+                              &buffer_);
 }
 
 void QpackEncoderStreamSender::SendSetDynamicTableCapacity(uint64_t capacity) {
-  values_.varint = capacity;
-
-  instruction_encoder_.Encode(SetDynamicTableCapacityInstruction(), values_,
-                              &buffer_);
+  instruction_encoder_.Encode(
+      QpackInstructionWithValues::SetDynamicTableCapacity(capacity), &buffer_);
 }
 
 QuicByteCount QpackEncoderStreamSender::Flush() {
diff --git a/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_encoder_stream_sender.h b/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_encoder_stream_sender.h
index efbfbc632d5..de9e8f14839 100644
--- a/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_encoder_stream_sender.h
+++ b/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_encoder_stream_sender.h
@@ -50,7 +50,6 @@ class QUIC_EXPORT_PRIVATE QpackEncoderStreamSender {
  private:
   QpackStreamSenderDelegate* delegate_;
   QpackInstructionEncoder instruction_encoder_;
-  QpackInstructionEncoder::Values values_;
   std::string buffer_;
 };
 
diff --git a/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_encoder_stream_sender_test.cc b/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_encoder_stream_sender_test.cc
index 80a6ed3c06f..0a42df220cb 100644
--- a/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_encoder_stream_sender_test.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_encoder_stream_sender_test.cc
@@ -4,9 +4,9 @@
 
 #include "net/third_party/quiche/src/quic/core/qpack/qpack_encoder_stream_sender.h"
 
-#include "net/third_party/quiche/src/quic/core/qpack/qpack_test_utils.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_test.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_text_utils.h"
+#include "net/third_party/quiche/src/quic/test_tools/qpack/qpack_test_utils.h"
 
 using ::testing::Eq;
 using ::testing::StrictMock;
diff --git a/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_encoder_test.cc b/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_encoder_test.cc
index 6f2efe3aecc..6b92e4bfc95 100644
--- a/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_encoder_test.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_encoder_test.cc
@@ -7,13 +7,12 @@
 #include <limits>
 #include <string>
 
-#include "net/third_party/quiche/src/quic/core/qpack/qpack_encoder_test_utils.h"
-#include "net/third_party/quiche/src/quic/core/qpack/qpack_test_utils.h"
-#include "net/third_party/quiche/src/quic/core/qpack/qpack_utils.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_test.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_text_utils.h"
-#include "net/third_party/quiche/src/quic/test_tools/qpack_encoder_peer.h"
-#include "net/third_party/quiche/src/quic/test_tools/qpack_header_table_peer.h"
+#include "net/third_party/quiche/src/quic/test_tools/qpack/qpack_encoder_peer.h"
+#include "net/third_party/quiche/src/quic/test_tools/qpack/qpack_encoder_test_utils.h"
+#include "net/third_party/quiche/src/quic/test_tools/qpack/qpack_header_table_peer.h"
+#include "net/third_party/quiche/src/quic/test_tools/qpack/qpack_test_utils.h"
 
 using ::testing::_;
 using ::testing::Eq;
diff --git a/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_header_table.cc b/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_header_table.cc
index ff9be9a79fd..4cafa196815 100644
--- a/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_header_table.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_header_table.cc
@@ -17,7 +17,8 @@ QpackHeaderTable::QpackHeaderTable()
       dynamic_table_capacity_(0),
       maximum_dynamic_table_capacity_(0),
       max_entries_(0),
-      dropped_entry_count_(0) {}
+      dropped_entry_count_(0),
+      dynamic_table_entry_referenced_(false) {}
 
 QpackHeaderTable::~QpackHeaderTable() {
   for (auto& entry : observers_) {
diff --git a/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_header_table.h b/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_header_table.h
index 78d85f6ae29..dd5ca3ba3e5 100644
--- a/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_header_table.h
+++ b/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_header_table.h
@@ -40,7 +40,7 @@ class QUIC_EXPORT_PRIVATE QpackHeaderTable {
   enum class MatchType { kNameAndValue, kName, kNoMatch };
 
   // Observer interface for dynamic table insertion.
-  class Observer {
+  class QUIC_EXPORT_PRIVATE Observer {
    public:
     virtual ~Observer() = default;
 
@@ -98,6 +98,11 @@ class QUIC_EXPORT_PRIVATE QpackHeaderTable {
   // This method must only be called at most once.
   void SetMaximumDynamicTableCapacity(uint64_t maximum_dynamic_table_capacity);
 
+  // Get |maximum_dynamic_table_capacity_|.
+  uint64_t maximum_dynamic_table_capacity() const {
+    return maximum_dynamic_table_capacity_;
+  }
+
   // Register an observer to be notified when inserted_entry_count() reaches
   // |required_insert_count|.  After the notification, |observer| automatically
   // gets unregistered.  Each observer must only be registered at most once.
@@ -130,6 +135,13 @@ class QUIC_EXPORT_PRIVATE QpackHeaderTable {
   // The returned index might not be the index of a valid entry.
   uint64_t draining_index(float draining_fraction) const;
 
+  void set_dynamic_table_entry_referenced() {
+    dynamic_table_entry_referenced_ = true;
+  }
+  bool dynamic_table_entry_referenced() const {
+    return dynamic_table_entry_referenced_;
+  }
+
  private:
   friend class test::QpackHeaderTablePeer;
 
@@ -192,6 +204,10 @@ class QUIC_EXPORT_PRIVATE QpackHeaderTable {
 
   // Observers waiting to be notified, sorted by required insert count.
   std::multimap<uint64_t, Observer*> observers_;
+
+  // True if any dynamic table entries have been referenced from a header block.
+  // Set directly by the encoder or decoder.  Used for stats.
+  bool dynamic_table_entry_referenced_;
 };
 
 }  // namespace quic
diff --git a/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_instruction_decoder.cc b/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_instruction_decoder.cc
index 187894d374e..fede8e307df 100644
--- a/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_instruction_decoder.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_instruction_decoder.cc
@@ -32,44 +32,48 @@ QpackInstructionDecoder::QpackInstructionDecoder(const QpackLanguage* language,
       error_detected_(false),
       state_(State::kStartInstruction) {}
 
-void QpackInstructionDecoder::Decode(QuicStringPiece data) {
+bool QpackInstructionDecoder::Decode(QuicStringPiece data) {
   DCHECK(!data.empty());
   DCHECK(!error_detected_);
 
   while (true) {
+    bool success = true;
     size_t bytes_consumed = 0;
 
     switch (state_) {
       case State::kStartInstruction:
-        DoStartInstruction(data);
+        success = DoStartInstruction(data);
         break;
       case State::kStartField:
-        DoStartField();
+        success = DoStartField();
         break;
       case State::kReadBit:
-        DoReadBit(data);
+        success = DoReadBit(data);
         break;
       case State::kVarintStart:
-        bytes_consumed = DoVarintStart(data);
+        success = DoVarintStart(data, &bytes_consumed);
         break;
       case State::kVarintResume:
-        bytes_consumed = DoVarintResume(data);
+        success = DoVarintResume(data, &bytes_consumed);
         break;
       case State::kVarintDone:
-        DoVarintDone();
+        success = DoVarintDone();
         break;
       case State::kReadString:
-        bytes_consumed = DoReadString(data);
+        success = DoReadString(data, &bytes_consumed);
         break;
       case State::kReadStringDone:
-        DoReadStringDone();
+        success = DoReadStringDone();
         break;
     }
 
-    if (error_detected_) {
-      return;
+    if (!success) {
+      return false;
     }
 
+    // |success| must be false if an error is detected.
+    DCHECK(!error_detected_);
+
     DCHECK_LE(bytes_consumed, data.size());
 
     data = QuicStringPiece(data.data() + bytes_consumed,
@@ -78,35 +82,37 @@ void QpackInstructionDecoder::Decode(QuicStringPiece data) {
     // Stop processing if no more data but next state would require it.
     if (data.empty() && (state_ != State::kStartField) &&
         (state_ != State::kVarintDone) && (state_ != State::kReadStringDone)) {
-      return;
+      return true;
     }
   }
+
+  return true;
 }
 
 bool QpackInstructionDecoder::AtInstructionBoundary() const {
   return state_ == State::kStartInstruction;
 }
 
-void QpackInstructionDecoder::DoStartInstruction(QuicStringPiece data) {
+bool QpackInstructionDecoder::DoStartInstruction(QuicStringPiece data) {
   DCHECK(!data.empty());
 
   instruction_ = LookupOpcode(data[0]);
   field_ = instruction_->fields.begin();
 
   state_ = State::kStartField;
+  return true;
 }
 
-void QpackInstructionDecoder::DoStartField() {
+bool QpackInstructionDecoder::DoStartField() {
   if (field_ == instruction_->fields.end()) {
     // Completed decoding this instruction.
 
     if (!delegate_->OnInstructionDecoded(instruction_)) {
-      error_detected_ = true;
-      return;
+      return false;
     }
 
     state_ = State::kStartInstruction;
-    return;
+    return true;
   }
 
   switch (field_->type) {
@@ -114,15 +120,18 @@ void QpackInstructionDecoder::DoStartField() {
     case QpackInstructionFieldType::kName:
     case QpackInstructionFieldType::kValue:
       state_ = State::kReadBit;
-      return;
+      return true;
     case QpackInstructionFieldType::kVarint:
     case QpackInstructionFieldType::kVarint2:
       state_ = State::kVarintStart;
-      return;
+      return true;
+    default:
+      QUIC_BUG << "Invalid field type.";
+      return false;
   }
 }
 
-void QpackInstructionDecoder::DoReadBit(QuicStringPiece data) {
+bool QpackInstructionDecoder::DoReadBit(QuicStringPiece data) {
   DCHECK(!data.empty());
 
   switch (field_->type) {
@@ -133,7 +142,7 @@ void QpackInstructionDecoder::DoReadBit(QuicStringPiece data) {
       ++field_;
       state_ = State::kStartField;
 
-      return;
+      return true;
     }
     case QpackInstructionFieldType::kName:
     case QpackInstructionFieldType::kValue: {
@@ -144,14 +153,16 @@ void QpackInstructionDecoder::DoReadBit(QuicStringPiece data) {
 
       state_ = State::kVarintStart;
 
-      return;
+      return true;
     }
     default:
-      DCHECK(false);
+      QUIC_BUG << "Invalid field type.";
+      return false;
   }
 }
 
-size_t QpackInstructionDecoder::DoVarintStart(QuicStringPiece data) {
+bool QpackInstructionDecoder::DoVarintStart(QuicStringPiece data,
+                                            size_t* bytes_consumed) {
   DCHECK(!data.empty());
   DCHECK(field_->type == QpackInstructionFieldType::kVarint ||
          field_->type == QpackInstructionFieldType::kVarint2 ||
@@ -162,24 +173,25 @@ size_t QpackInstructionDecoder::DoVarintStart(QuicStringPiece data) {
   http2::DecodeStatus status =
       varint_decoder_.Start(data[0], field_->param, &buffer);
 
-  size_t bytes_consumed = 1 + buffer.Offset();
+  *bytes_consumed = 1 + buffer.Offset();
   switch (status) {
     case http2::DecodeStatus::kDecodeDone:
       state_ = State::kVarintDone;
-      return bytes_consumed;
+      return true;
     case http2::DecodeStatus::kDecodeInProgress:
       state_ = State::kVarintResume;
-      return bytes_consumed;
+      return true;
     case http2::DecodeStatus::kDecodeError:
       OnError("Encoded integer too large.");
-      return bytes_consumed;
+      return false;
     default:
       QUIC_BUG << "Unknown decode status " << status;
-      return bytes_consumed;
+      return false;
   }
 }
 
-size_t QpackInstructionDecoder::DoVarintResume(QuicStringPiece data) {
+bool QpackInstructionDecoder::DoVarintResume(QuicStringPiece data,
+                                             size_t* bytes_consumed) {
   DCHECK(!data.empty());
   DCHECK(field_->type == QpackInstructionFieldType::kVarint ||
          field_->type == QpackInstructionFieldType::kVarint2 ||
@@ -189,25 +201,25 @@ size_t QpackInstructionDecoder::DoVarintResume(QuicStringPiece data) {
   http2::DecodeBuffer buffer(data);
   http2::DecodeStatus status = varint_decoder_.Resume(&buffer);
 
-  size_t bytes_consumed = buffer.Offset();
+  *bytes_consumed = buffer.Offset();
   switch (status) {
     case http2::DecodeStatus::kDecodeDone:
       state_ = State::kVarintDone;
-      return bytes_consumed;
+      return true;
     case http2::DecodeStatus::kDecodeInProgress:
-      DCHECK_EQ(bytes_consumed, data.size());
+      DCHECK_EQ(*bytes_consumed, data.size());
       DCHECK(buffer.Empty());
-      return bytes_consumed;
+      return true;
     case http2::DecodeStatus::kDecodeError:
       OnError("Encoded integer too large.");
-      return bytes_consumed;
+      return false;
     default:
       QUIC_BUG << "Unknown decode status " << status;
-      return bytes_consumed;
+      return false;
   }
 }
 
-void QpackInstructionDecoder::DoVarintDone() {
+bool QpackInstructionDecoder::DoVarintDone() {
   DCHECK(field_->type == QpackInstructionFieldType::kVarint ||
          field_->type == QpackInstructionFieldType::kVarint2 ||
          field_->type == QpackInstructionFieldType::kName ||
@@ -218,7 +230,7 @@ void QpackInstructionDecoder::DoVarintDone() {
 
     ++field_;
     state_ = State::kStartField;
-    return;
+    return true;
   }
 
   if (field_->type == QpackInstructionFieldType::kVarint2) {
@@ -226,13 +238,13 @@ void QpackInstructionDecoder::DoVarintDone() {
 
     ++field_;
     state_ = State::kStartField;
-    return;
+    return true;
   }
 
   string_length_ = varint_decoder_.value();
   if (string_length_ > kStringLiteralLengthLimit) {
     OnError("String literal too long.");
-    return;
+    return false;
   }
 
   std::string* const string =
@@ -242,15 +254,17 @@ void QpackInstructionDecoder::DoVarintDone() {
   if (string_length_ == 0) {
     ++field_;
     state_ = State::kStartField;
-    return;
+    return true;
   }
 
   string->reserve(string_length_);
 
   state_ = State::kReadString;
+  return true;
 }
 
-size_t QpackInstructionDecoder::DoReadString(QuicStringPiece data) {
+bool QpackInstructionDecoder::DoReadString(QuicStringPiece data,
+                                           size_t* bytes_consumed) {
   DCHECK(!data.empty());
   DCHECK(field_->type == QpackInstructionFieldType::kName ||
          field_->type == QpackInstructionFieldType::kValue);
@@ -259,18 +273,17 @@ size_t QpackInstructionDecoder::DoReadString(QuicStringPiece data) {
       (field_->type == QpackInstructionFieldType::kName) ? &name_ : &value_;
   DCHECK_LT(string->size(), string_length_);
 
-  size_t bytes_consumed =
-      std::min(string_length_ - string->size(), data.size());
-  string->append(data.data(), bytes_consumed);
+  *bytes_consumed = std::min(string_length_ - string->size(), data.size());
+  string->append(data.data(), *bytes_consumed);
 
   DCHECK_LE(string->size(), string_length_);
   if (string->size() == string_length_) {
     state_ = State::kReadStringDone;
   }
-  return bytes_consumed;
+  return true;
 }
 
-void QpackInstructionDecoder::DoReadStringDone() {
+bool QpackInstructionDecoder::DoReadStringDone() {
   DCHECK(field_->type == QpackInstructionFieldType::kName ||
          field_->type == QpackInstructionFieldType::kValue);
 
@@ -285,13 +298,14 @@ void QpackInstructionDecoder::DoReadStringDone() {
     huffman_decoder_.Decode(*string, &decoded_value);
     if (!huffman_decoder_.InputProperlyTerminated()) {
       OnError("Error in Huffman-encoded string.");
-      return;
+      return false;
     }
     *string = std::move(decoded_value);
   }
 
   ++field_;
   state_ = State::kStartField;
+  return true;
 }
 
 const QpackInstruction* QpackInstructionDecoder::LookupOpcode(
diff --git a/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_instruction_decoder.h b/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_instruction_decoder.h
index f478c249b07..4c217731a92 100644
--- a/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_instruction_decoder.h
+++ b/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_instruction_decoder.h
@@ -11,7 +11,7 @@
 
 #include "net/third_party/quiche/src/http2/hpack/huffman/hpack_huffman_decoder.h"
 #include "net/third_party/quiche/src/http2/hpack/varint/hpack_varint_decoder.h"
-#include "net/third_party/quiche/src/quic/core/qpack/qpack_constants.h"
+#include "net/third_party/quiche/src/quic/core/qpack/qpack_instructions.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_export.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_string_piece.h"
 
@@ -33,11 +33,15 @@ class QUIC_EXPORT_PRIVATE QpackInstructionDecoder {
     // Returns true if decoded fields are valid.
     // Returns false otherwise, in which case QpackInstructionDecoder stops
     // decoding: Delegate methods will not be called, and Decode() must not be
-    // called.
+    // called.  Implementations are allowed to destroy the
+    // QpackInstructionDecoder instance synchronously if OnInstructionDecoded()
+    // returns false.
     virtual bool OnInstructionDecoded(const QpackInstruction* instruction) = 0;
 
     // Called by QpackInstructionDecoder if an error has occurred.
     // No more data is processed afterwards.
+    // Implementations are allowed to destroy the QpackInstructionDecoder
+    // instance synchronously.
     virtual void OnError(QuicStringPiece error_message) = 0;
   };
 
@@ -48,8 +52,9 @@ class QUIC_EXPORT_PRIVATE QpackInstructionDecoder {
   QpackInstructionDecoder& operator=(const QpackInstructionDecoder&) = delete;
 
   // Provide a data fragment to decode.  Must not be called after an error has
-  // occurred.  Must not be called with empty |data|.
-  void Decode(QuicStringPiece data);
+  // occurred.  Must not be called with empty |data|.  Return true on success,
+  // false on error (in which case Delegate::OnError() is called synchronously).
+  bool Decode(QuicStringPiece data);
 
   // Returns true if no decoding has taken place yet or if the last instruction
   // has been entirely parsed.
@@ -84,18 +89,19 @@ class QUIC_EXPORT_PRIVATE QpackInstructionDecoder {
     kReadStringDone
   };
 
-  // One method for each state.  Some take input data and return the number of
-  // octets processed.  Some take input data but do have void return type
-  // because they not consume any bytes.  Some do not take any arguments because
-  // they only change internal state.
-  void DoStartInstruction(QuicStringPiece data);
-  void DoStartField();
-  void DoReadBit(QuicStringPiece data);
-  size_t DoVarintStart(QuicStringPiece data);
-  size_t DoVarintResume(QuicStringPiece data);
-  void DoVarintDone();
-  size_t DoReadString(QuicStringPiece data);
-  void DoReadStringDone();
+  // One method for each state.  They each return true on success, false on
+  // error (in which case |this| might already be destroyed).  Some take input
+  // data and set |*bytes_consumed| to the number of octets processed.  Some
+  // take input data but do not consume any bytes.  Some do not take any
+  // arguments because they only change internal state.
+  bool DoStartInstruction(QuicStringPiece data);
+  bool DoStartField();
+  bool DoReadBit(QuicStringPiece data);
+  bool DoVarintStart(QuicStringPiece data, size_t* bytes_consumed);
+  bool DoVarintResume(QuicStringPiece data, size_t* bytes_consumed);
+  bool DoVarintDone();
+  bool DoReadString(QuicStringPiece data, size_t* bytes_consumed);
+  bool DoReadStringDone();
 
   // Identify instruction based on opcode encoded in |byte|.
   // Returns a pointer to an element of |*language_|.
@@ -127,8 +133,8 @@ class QUIC_EXPORT_PRIVATE QpackInstructionDecoder {
   // Decoder instance for decoding Huffman encoded strings.
   http2::HpackHuffmanDecoder huffman_decoder_;
 
-  // True if a decoding error has been detected either by
-  // QpackInstructionDecoder or by Delegate.
+  // True if a decoding error has been detected by QpackInstructionDecoder.
+  // Only used in DCHECKs.
   bool error_detected_;
 
   // Decoding state.
diff --git a/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_instruction_decoder_test.cc b/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_instruction_decoder_test.cc
index 2d57f5c5320..c066827d295 100644
--- a/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_instruction_decoder_test.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_instruction_decoder_test.cc
@@ -6,15 +6,16 @@
 
 #include <algorithm>
 
-#include "net/third_party/quiche/src/quic/core/qpack/qpack_constants.h"
-#include "net/third_party/quiche/src/quic/core/qpack/qpack_test_utils.h"
+#include "net/third_party/quiche/src/quic/core/qpack/qpack_instructions.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_logging.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_test.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_text_utils.h"
+#include "net/third_party/quiche/src/quic/test_tools/qpack/qpack_test_utils.h"
 
 using ::testing::_;
 using ::testing::Eq;
 using ::testing::Expectation;
+using ::testing::Invoke;
 using ::testing::Return;
 using ::testing::StrictMock;
 using ::testing::Values;
@@ -64,36 +65,52 @@ class MockDelegate : public QpackInstructionDecoder::Delegate {
 };
 
 class QpackInstructionDecoderTest : public QuicTestWithParam<FragmentMode> {
- public:
+ protected:
   QpackInstructionDecoderTest()
-      : decoder_(TestLanguage(), &delegate_), fragment_mode_(GetParam()) {}
+      : decoder_(std::make_unique<QpackInstructionDecoder>(TestLanguage(),
+                                                           &delegate_)),
+        fragment_mode_(GetParam()) {}
   ~QpackInstructionDecoderTest() override = default;
 
- protected:
+  void SetUp() override {
+    // Destroy QpackInstructionDecoder on error to test that it does not crash.
+    // See https://crbug.com/1025209.
+    ON_CALL(delegate_, OnError(_))
+        .WillByDefault(Invoke(
+            [this](QuicStringPiece /* error_message */) { decoder_.reset(); }));
+  }
+
   // Decode one full instruction with fragment sizes dictated by
   // |fragment_mode_|.
-  // Verifies that AtInstructionBoundary() returns true before and after the
+  // Assumes that |data| is a single complete instruction, and accordingly
+  // verifies that AtInstructionBoundary() returns true before and after the
   // instruction, and returns false while decoding is in progress.
+  // Assumes that delegate methods destroy |decoder_| if they return false.
   void DecodeInstruction(QuicStringPiece data) {
-    EXPECT_TRUE(decoder_.AtInstructionBoundary());
+    EXPECT_TRUE(decoder_->AtInstructionBoundary());
 
     FragmentSizeGenerator fragment_size_generator =
         FragmentModeToFragmentSizeGenerator(fragment_mode_);
 
     while (!data.empty()) {
       size_t fragment_size = std::min(fragment_size_generator(), data.size());
-      decoder_.Decode(data.substr(0, fragment_size));
+      bool success = decoder_->Decode(data.substr(0, fragment_size));
+      if (!decoder_) {
+        EXPECT_FALSE(success);
+        return;
+      }
+      EXPECT_TRUE(success);
       data = data.substr(fragment_size);
       if (!data.empty()) {
-        EXPECT_FALSE(decoder_.AtInstructionBoundary());
+        EXPECT_FALSE(decoder_->AtInstructionBoundary());
       }
     }
 
-    EXPECT_TRUE(decoder_.AtInstructionBoundary());
+    EXPECT_TRUE(decoder_->AtInstructionBoundary());
   }
 
   StrictMock<MockDelegate> delegate_;
-  QpackInstructionDecoder decoder_;
+  std::unique_ptr<QpackInstructionDecoder> decoder_;
 
  private:
   const FragmentMode fragment_mode_;
@@ -108,60 +125,82 @@ TEST_P(QpackInstructionDecoderTest, SBitAndVarint2) {
   EXPECT_CALL(delegate_, OnInstructionDecoded(TestInstruction1()));
   DecodeInstruction(QuicTextUtils::HexDecode("7f01ff65"));
 
-  EXPECT_TRUE(decoder_.s_bit());
-  EXPECT_EQ(64u, decoder_.varint());
-  EXPECT_EQ(356u, decoder_.varint2());
+  EXPECT_TRUE(decoder_->s_bit());
+  EXPECT_EQ(64u, decoder_->varint());
+  EXPECT_EQ(356u, decoder_->varint2());
 
   EXPECT_CALL(delegate_, OnInstructionDecoded(TestInstruction1()));
   DecodeInstruction(QuicTextUtils::HexDecode("05c8"));
 
-  EXPECT_FALSE(decoder_.s_bit());
-  EXPECT_EQ(5u, decoder_.varint());
-  EXPECT_EQ(200u, decoder_.varint2());
+  EXPECT_FALSE(decoder_->s_bit());
+  EXPECT_EQ(5u, decoder_->varint());
+  EXPECT_EQ(200u, decoder_->varint2());
 }
 
 TEST_P(QpackInstructionDecoderTest, NameAndValue) {
   EXPECT_CALL(delegate_, OnInstructionDecoded(TestInstruction2()));
   DecodeInstruction(QuicTextUtils::HexDecode("83666f6f03626172"));
 
-  EXPECT_EQ("foo", decoder_.name());
-  EXPECT_EQ("bar", decoder_.value());
+  EXPECT_EQ("foo", decoder_->name());
+  EXPECT_EQ("bar", decoder_->value());
 
   EXPECT_CALL(delegate_, OnInstructionDecoded(TestInstruction2()));
   DecodeInstruction(QuicTextUtils::HexDecode("8000"));
 
-  EXPECT_EQ("", decoder_.name());
-  EXPECT_EQ("", decoder_.value());
+  EXPECT_EQ("", decoder_->name());
+  EXPECT_EQ("", decoder_->value());
 
   EXPECT_CALL(delegate_, OnInstructionDecoded(TestInstruction2()));
   DecodeInstruction(QuicTextUtils::HexDecode("c294e7838c767f"));
 
-  EXPECT_EQ("foo", decoder_.name());
-  EXPECT_EQ("bar", decoder_.value());
+  EXPECT_EQ("foo", decoder_->name());
+  EXPECT_EQ("bar", decoder_->value());
 }
 
 TEST_P(QpackInstructionDecoderTest, InvalidHuffmanEncoding) {
   EXPECT_CALL(delegate_, OnError(Eq("Error in Huffman-encoded string.")));
-  decoder_.Decode(QuicTextUtils::HexDecode("c1ff"));
+  DecodeInstruction(QuicTextUtils::HexDecode("c1ff"));
 }
 
 TEST_P(QpackInstructionDecoderTest, InvalidVarintEncoding) {
   EXPECT_CALL(delegate_, OnError(Eq("Encoded integer too large.")));
-  decoder_.Decode(QuicTextUtils::HexDecode("ffffffffffffffffffffff"));
+  DecodeInstruction(QuicTextUtils::HexDecode("ffffffffffffffffffffff"));
 }
 
 TEST_P(QpackInstructionDecoderTest, DelegateSignalsError) {
   // First instruction is valid.
   Expectation first_call =
       EXPECT_CALL(delegate_, OnInstructionDecoded(TestInstruction1()))
-          .WillOnce(Return(true));
+          .WillOnce(Invoke(
+              [this](const QpackInstruction * /* instruction */) -> bool {
+                EXPECT_EQ(1u, decoder_->varint());
+                return true;
+              }));
+
   // Second instruction is invalid.  Decoding must halt.
   EXPECT_CALL(delegate_, OnInstructionDecoded(TestInstruction1()))
       .After(first_call)
-      .WillOnce(Return(false));
-  decoder_.Decode(QuicTextUtils::HexDecode("01000200030004000500"));
+      .WillOnce(
+          Invoke([this](const QpackInstruction * /* instruction */) -> bool {
+            EXPECT_EQ(2u, decoder_->varint());
+            return false;
+          }));
+
+  EXPECT_FALSE(
+      decoder_->Decode(QuicTextUtils::HexDecode("01000200030004000500")));
+}
 
-  EXPECT_EQ(2u, decoder_.varint());
+// QpackInstructionDecoder must not crash if it is destroyed from a
+// Delegate::OnInstructionDecoded() call as long as it returns false.
+TEST_P(QpackInstructionDecoderTest, DelegateSignalsErrorAndDestroysDecoder) {
+  EXPECT_CALL(delegate_, OnInstructionDecoded(TestInstruction1()))
+      .WillOnce(
+          Invoke([this](const QpackInstruction * /* instruction */) -> bool {
+            EXPECT_EQ(1u, decoder_->varint());
+            decoder_.reset();
+            return false;
+          }));
+  DecodeInstruction(QuicTextUtils::HexDecode("0100"));
 }
 
 }  // namespace
diff --git a/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_instruction_encoder.cc b/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_instruction_encoder.cc
index 5845a748ffc..a87489d9e67 100644
--- a/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_instruction_encoder.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_instruction_encoder.cc
@@ -16,13 +16,13 @@ namespace quic {
 QpackInstructionEncoder::QpackInstructionEncoder()
     : byte_(0), state_(State::kOpcode), instruction_(nullptr) {}
 
-void QpackInstructionEncoder::Encode(const QpackInstruction* instruction,
-                                     const Values& values,
-                                     std::string* output) {
-  DCHECK(instruction);
+void QpackInstructionEncoder::Encode(
+    const QpackInstructionWithValues& instruction_with_values,
+    std::string* output) {
+  DCHECK(instruction_with_values.instruction());
 
   state_ = State::kOpcode;
-  instruction_ = instruction;
+  instruction_ = instruction_with_values.instruction();
   field_ = instruction_->fields.begin();
 
   // Field list must not be empty.
@@ -37,13 +37,15 @@ void QpackInstructionEncoder::Encode(const QpackInstruction* instruction,
         DoStartField();
         break;
       case State::kSbit:
-        DoSBit(values.s_bit);
+        DoSBit(instruction_with_values.s_bit());
         break;
       case State::kVarintEncode:
-        DoVarintEncode(values.varint, values.varint2, output);
+        DoVarintEncode(instruction_with_values.varint(),
+                       instruction_with_values.varint2(), output);
         break;
       case State::kStartString:
-        DoStartString(values.name, values.value);
+        DoStartString(instruction_with_values.name(),
+                      instruction_with_values.value());
         break;
       case State::kWriteString:
         DoWriteString(output);
diff --git a/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_instruction_encoder.h b/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_instruction_encoder.h
index 1ca52e667ec..04b2888172e 100644
--- a/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_instruction_encoder.h
+++ b/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_instruction_encoder.h
@@ -8,7 +8,7 @@
 #include <cstdint>
 #include <string>
 
-#include "net/third_party/quiche/src/quic/core/qpack/qpack_constants.h"
+#include "net/third_party/quiche/src/quic/core/qpack/qpack_instructions.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_export.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_string_piece.h"
 
@@ -19,23 +19,12 @@ namespace quic {
 // fields that follow each instruction.
 class QUIC_EXPORT_PRIVATE QpackInstructionEncoder {
  public:
-  // Storage for field values to be encoded.
-  // The encoded instruction determines which values are actually used.
-  struct Values {
-    bool s_bit;
-    uint64_t varint;
-    uint64_t varint2;
-    QuicStringPiece name;
-    QuicStringPiece value;
-  };
-
   QpackInstructionEncoder();
   QpackInstructionEncoder(const QpackInstructionEncoder&) = delete;
   QpackInstructionEncoder& operator=(const QpackInstructionEncoder&) = delete;
 
   // Append encoded instruction to |output|.
-  void Encode(const QpackInstruction* instruction,
-              const Values& values,
+  void Encode(const QpackInstructionWithValues& instruction_with_values,
               std::string* output);
 
  private:
diff --git a/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_instruction_encoder_test.cc b/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_instruction_encoder_test.cc
index 0d172cd6847..79dfe2af379 100644
--- a/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_instruction_encoder_test.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_instruction_encoder_test.cc
@@ -8,10 +8,44 @@
 #include "net/third_party/quiche/src/quic/platform/api/quic_test.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_text_utils.h"
 
-using ::testing::Values;
-
 namespace quic {
 namespace test {
+
+class QpackInstructionWithValuesPeer {
+ public:
+  static QpackInstructionWithValues CreateQpackInstructionWithValues(
+      const QpackInstruction* instruction) {
+    QpackInstructionWithValues instruction_with_values;
+    instruction_with_values.instruction_ = instruction;
+    return instruction_with_values;
+  }
+
+  static void set_s_bit(QpackInstructionWithValues* instruction_with_values,
+                        bool s_bit) {
+    instruction_with_values->s_bit_ = s_bit;
+  }
+
+  static void set_varint(QpackInstructionWithValues* instruction_with_values,
+                         uint64_t varint) {
+    instruction_with_values->varint_ = varint;
+  }
+
+  static void set_varint2(QpackInstructionWithValues* instruction_with_values,
+                          uint64_t varint2) {
+    instruction_with_values->varint2_ = varint2;
+  }
+
+  static void set_name(QpackInstructionWithValues* instruction_with_values,
+                       QuicStringPiece name) {
+    instruction_with_values->name_ = name;
+  }
+
+  static void set_value(QpackInstructionWithValues* instruction_with_values,
+                        QuicStringPiece value) {
+    instruction_with_values->value_ = value;
+  }
+};
+
 namespace {
 
 class QpackInstructionEncoderTest : public QuicTest {
@@ -20,9 +54,9 @@ class QpackInstructionEncoderTest : public QuicTest {
   ~QpackInstructionEncoderTest() override = default;
 
   // Append encoded |instruction| to |output_|.
-  void EncodeInstruction(const QpackInstruction* instruction,
-                         const QpackInstructionEncoder::Values& values) {
-    encoder_.Encode(instruction, values, &output_);
+  void EncodeInstruction(
+      const QpackInstructionWithValues& instruction_with_values) {
+    encoder_.Encode(instruction_with_values, &output_);
   }
 
   // Compare substring appended to |output_| since last EncodedSegmentMatches()
@@ -44,13 +78,15 @@ TEST_F(QpackInstructionEncoderTest, Varint) {
   const QpackInstruction instruction{QpackInstructionOpcode{0x00, 0x80},
                                      {{QpackInstructionFieldType::kVarint, 7}}};
 
-  QpackInstructionEncoder::Values values;
-  values.varint = 5;
-  EncodeInstruction(&instruction, values);
+  auto instruction_with_values =
+      QpackInstructionWithValuesPeer::CreateQpackInstructionWithValues(
+          &instruction);
+  QpackInstructionWithValuesPeer::set_varint(&instruction_with_values, 5);
+  EncodeInstruction(instruction_with_values);
   EXPECT_TRUE(EncodedSegmentMatches("05"));
 
-  values.varint = 127;
-  EncodeInstruction(&instruction, values);
+  QpackInstructionWithValuesPeer::set_varint(&instruction_with_values, 127);
+  EncodeInstruction(instruction_with_values);
   EXPECT_TRUE(EncodedSegmentMatches("7f00"));
 }
 
@@ -61,17 +97,19 @@ TEST_F(QpackInstructionEncoderTest, SBitAndTwoVarint2) {
        {QpackInstructionFieldType::kVarint, 5},
        {QpackInstructionFieldType::kVarint2, 8}}};
 
-  QpackInstructionEncoder::Values values;
-  values.s_bit = true;
-  values.varint = 5;
-  values.varint2 = 200;
-  EncodeInstruction(&instruction, values);
+  auto instruction_with_values =
+      QpackInstructionWithValuesPeer::CreateQpackInstructionWithValues(
+          &instruction);
+  QpackInstructionWithValuesPeer::set_s_bit(&instruction_with_values, true);
+  QpackInstructionWithValuesPeer::set_varint(&instruction_with_values, 5);
+  QpackInstructionWithValuesPeer::set_varint2(&instruction_with_values, 200);
+  EncodeInstruction(instruction_with_values);
   EXPECT_TRUE(EncodedSegmentMatches("a5c8"));
 
-  values.s_bit = false;
-  values.varint = 31;
-  values.varint2 = 356;
-  EncodeInstruction(&instruction, values);
+  QpackInstructionWithValuesPeer::set_s_bit(&instruction_with_values, false);
+  QpackInstructionWithValuesPeer::set_varint(&instruction_with_values, 31);
+  QpackInstructionWithValuesPeer::set_varint2(&instruction_with_values, 356);
+  EncodeInstruction(instruction_with_values);
   EXPECT_TRUE(EncodedSegmentMatches("9f00ff65"));
 }
 
@@ -81,17 +119,19 @@ TEST_F(QpackInstructionEncoderTest, SBitAndVarintAndValue) {
                                       {QpackInstructionFieldType::kVarint, 5},
                                       {QpackInstructionFieldType::kValue, 7}}};
 
-  QpackInstructionEncoder::Values values;
-  values.s_bit = true;
-  values.varint = 100;
-  values.value = "foo";
-  EncodeInstruction(&instruction, values);
+  auto instruction_with_values =
+      QpackInstructionWithValuesPeer::CreateQpackInstructionWithValues(
+          &instruction);
+  QpackInstructionWithValuesPeer::set_s_bit(&instruction_with_values, true);
+  QpackInstructionWithValuesPeer::set_varint(&instruction_with_values, 100);
+  QpackInstructionWithValuesPeer::set_value(&instruction_with_values, "foo");
+  EncodeInstruction(instruction_with_values);
   EXPECT_TRUE(EncodedSegmentMatches("ff458294e7"));
 
-  values.s_bit = false;
-  values.varint = 3;
-  values.value = "bar";
-  EncodeInstruction(&instruction, values);
+  QpackInstructionWithValuesPeer::set_s_bit(&instruction_with_values, false);
+  QpackInstructionWithValuesPeer::set_varint(&instruction_with_values, 3);
+  QpackInstructionWithValuesPeer::set_value(&instruction_with_values, "bar");
+  EncodeInstruction(instruction_with_values);
   EXPECT_TRUE(EncodedSegmentMatches("c303626172"));
 }
 
@@ -99,17 +139,19 @@ TEST_F(QpackInstructionEncoderTest, Name) {
   const QpackInstruction instruction{QpackInstructionOpcode{0xe0, 0xe0},
                                      {{QpackInstructionFieldType::kName, 4}}};
 
-  QpackInstructionEncoder::Values values;
-  values.name = "";
-  EncodeInstruction(&instruction, values);
+  auto instruction_with_values =
+      QpackInstructionWithValuesPeer::CreateQpackInstructionWithValues(
+          &instruction);
+  QpackInstructionWithValuesPeer::set_name(&instruction_with_values, "");
+  EncodeInstruction(instruction_with_values);
   EXPECT_TRUE(EncodedSegmentMatches("e0"));
 
-  values.name = "foo";
-  EncodeInstruction(&instruction, values);
+  QpackInstructionWithValuesPeer::set_name(&instruction_with_values, "foo");
+  EncodeInstruction(instruction_with_values);
   EXPECT_TRUE(EncodedSegmentMatches("f294e7"));
 
-  values.name = "bar";
-  EncodeInstruction(&instruction, values);
+  QpackInstructionWithValuesPeer::set_name(&instruction_with_values, "bar");
+  EncodeInstruction(instruction_with_values);
   EXPECT_TRUE(EncodedSegmentMatches("e3626172"));
 }
 
@@ -117,17 +159,19 @@ TEST_F(QpackInstructionEncoderTest, Value) {
   const QpackInstruction instruction{QpackInstructionOpcode{0xf0, 0xf0},
                                      {{QpackInstructionFieldType::kValue, 3}}};
 
-  QpackInstructionEncoder::Values values;
-  values.value = "";
-  EncodeInstruction(&instruction, values);
+  auto instruction_with_values =
+      QpackInstructionWithValuesPeer::CreateQpackInstructionWithValues(
+          &instruction);
+  QpackInstructionWithValuesPeer::set_value(&instruction_with_values, "");
+  EncodeInstruction(instruction_with_values);
   EXPECT_TRUE(EncodedSegmentMatches("f0"));
 
-  values.value = "foo";
-  EncodeInstruction(&instruction, values);
+  QpackInstructionWithValuesPeer::set_value(&instruction_with_values, "foo");
+  EncodeInstruction(instruction_with_values);
   EXPECT_TRUE(EncodedSegmentMatches("fa94e7"));
 
-  values.value = "bar";
-  EncodeInstruction(&instruction, values);
+  QpackInstructionWithValuesPeer::set_value(&instruction_with_values, "bar");
+  EncodeInstruction(instruction_with_values);
   EXPECT_TRUE(EncodedSegmentMatches("f3626172"));
 }
 
@@ -137,17 +181,19 @@ TEST_F(QpackInstructionEncoderTest, SBitAndNameAndValue) {
                                       {QpackInstructionFieldType::kName, 2},
                                       {QpackInstructionFieldType::kValue, 7}}};
 
-  QpackInstructionEncoder::Values values;
-  values.s_bit = false;
-  values.name = "";
-  values.value = "";
-  EncodeInstruction(&instruction, values);
+  auto instruction_with_values =
+      QpackInstructionWithValuesPeer::CreateQpackInstructionWithValues(
+          &instruction);
+  QpackInstructionWithValuesPeer::set_s_bit(&instruction_with_values, false);
+  QpackInstructionWithValuesPeer::set_name(&instruction_with_values, "");
+  QpackInstructionWithValuesPeer::set_value(&instruction_with_values, "");
+  EncodeInstruction(instruction_with_values);
   EXPECT_TRUE(EncodedSegmentMatches("f000"));
 
-  values.s_bit = true;
-  values.name = "foo";
-  values.value = "bar";
-  EncodeInstruction(&instruction, values);
+  QpackInstructionWithValuesPeer::set_s_bit(&instruction_with_values, true);
+  QpackInstructionWithValuesPeer::set_name(&instruction_with_values, "foo");
+  QpackInstructionWithValuesPeer::set_value(&instruction_with_values, "bar");
+  EncodeInstruction(instruction_with_values);
   EXPECT_TRUE(EncodedSegmentMatches("fe94e703626172"));
 }
 
diff --git a/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_constants.cc b/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_instructions.cc
index 6644918b34a..a6a7529bf09 100644
--- a/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_constants.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_instructions.cc
@@ -2,7 +2,7 @@
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
-#include "net/third_party/quiche/src/quic/core/qpack/qpack_constants.h"
+#include "net/third_party/quiche/src/quic/core/qpack/qpack_instructions.h"
 
 #include <limits>
 
@@ -199,4 +199,133 @@ const QpackLanguage* QpackRequestStreamLanguage() {
   return language;
 }
 
+// static
+QpackInstructionWithValues QpackInstructionWithValues::InsertWithNameReference(
+    bool is_static,
+    uint64_t name_index,
+    QuicStringPiece value) {
+  QpackInstructionWithValues instruction_with_values;
+  instruction_with_values.instruction_ = InsertWithNameReferenceInstruction();
+  instruction_with_values.s_bit_ = is_static;
+  instruction_with_values.varint_ = name_index;
+  instruction_with_values.value_ = value;
+
+  return instruction_with_values;
+}
+
+// static
+QpackInstructionWithValues
+QpackInstructionWithValues::InsertWithoutNameReference(QuicStringPiece name,
+                                                       QuicStringPiece value) {
+  QpackInstructionWithValues instruction_with_values;
+  instruction_with_values.instruction_ =
+      InsertWithoutNameReferenceInstruction();
+  instruction_with_values.name_ = name;
+  instruction_with_values.value_ = value;
+
+  return instruction_with_values;
+}
+
+// static
+QpackInstructionWithValues QpackInstructionWithValues::Duplicate(
+    uint64_t index) {
+  QpackInstructionWithValues instruction_with_values;
+  instruction_with_values.instruction_ = DuplicateInstruction();
+  instruction_with_values.varint_ = index;
+
+  return instruction_with_values;
+}
+
+// static
+QpackInstructionWithValues QpackInstructionWithValues::SetDynamicTableCapacity(
+    uint64_t capacity) {
+  QpackInstructionWithValues instruction_with_values;
+  instruction_with_values.instruction_ = SetDynamicTableCapacityInstruction();
+  instruction_with_values.varint_ = capacity;
+
+  return instruction_with_values;
+}
+
+// static
+QpackInstructionWithValues QpackInstructionWithValues::InsertCountIncrement(
+    uint64_t increment) {
+  QpackInstructionWithValues instruction_with_values;
+  instruction_with_values.instruction_ = InsertCountIncrementInstruction();
+  instruction_with_values.varint_ = increment;
+
+  return instruction_with_values;
+}
+
+// static
+QpackInstructionWithValues QpackInstructionWithValues::HeaderAcknowledgement(
+    uint64_t stream_id) {
+  QpackInstructionWithValues instruction_with_values;
+  instruction_with_values.instruction_ = HeaderAcknowledgementInstruction();
+  instruction_with_values.varint_ = stream_id;
+
+  return instruction_with_values;
+}
+
+// static
+QpackInstructionWithValues QpackInstructionWithValues::StreamCancellation(
+    uint64_t stream_id) {
+  QpackInstructionWithValues instruction_with_values;
+  instruction_with_values.instruction_ = StreamCancellationInstruction();
+  instruction_with_values.varint_ = stream_id;
+
+  return instruction_with_values;
+}
+
+// static
+QpackInstructionWithValues QpackInstructionWithValues::Prefix(
+    uint64_t required_insert_count) {
+  QpackInstructionWithValues instruction_with_values;
+  instruction_with_values.instruction_ = QpackPrefixInstruction();
+  instruction_with_values.varint_ = required_insert_count;
+  instruction_with_values.varint2_ = 0;    // Delta Base.
+  instruction_with_values.s_bit_ = false;  // Delta Base sign.
+
+  return instruction_with_values;
+}
+
+// static
+QpackInstructionWithValues QpackInstructionWithValues::IndexedHeaderField(
+    bool is_static,
+    uint64_t index) {
+  QpackInstructionWithValues instruction_with_values;
+  instruction_with_values.instruction_ = QpackIndexedHeaderFieldInstruction();
+  instruction_with_values.s_bit_ = is_static;
+  instruction_with_values.varint_ = index;
+
+  return instruction_with_values;
+}
+
+// static
+QpackInstructionWithValues
+QpackInstructionWithValues::LiteralHeaderFieldNameReference(
+    bool is_static,
+    uint64_t index,
+    QuicStringPiece value) {
+  QpackInstructionWithValues instruction_with_values;
+  instruction_with_values.instruction_ =
+      QpackLiteralHeaderFieldNameReferenceInstruction();
+  instruction_with_values.s_bit_ = is_static;
+  instruction_with_values.varint_ = index;
+  instruction_with_values.value_ = value;
+
+  return instruction_with_values;
+}
+
+// static
+QpackInstructionWithValues QpackInstructionWithValues::LiteralHeaderField(
+    QuicStringPiece name,
+    QuicStringPiece value) {
+  QpackInstructionWithValues instruction_with_values;
+  instruction_with_values.instruction_ = QpackLiteralHeaderFieldInstruction();
+  instruction_with_values.name_ = name;
+  instruction_with_values.value_ = value;
+
+  return instruction_with_values;
+}
+
 }  // namespace quic
diff --git a/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_constants.h b/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_instructions.h
index 35e4d560bef..0ff18bff254 100644
--- a/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_constants.h
+++ b/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_instructions.h
@@ -2,8 +2,8 @@
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
-#ifndef QUICHE_QUIC_CORE_QPACK_QPACK_CONSTANTS_H_
-#define QUICHE_QUIC_CORE_QPACK_QPACK_CONSTANTS_H_
+#ifndef QUICHE_QUIC_CORE_QPACK_QPACK_INSTRUCTIONS_H_
+#define QUICHE_QUIC_CORE_QPACK_QPACK_INSTRUCTIONS_H_
 
 #include <cstdint>
 #include <string>
@@ -11,9 +11,14 @@
 #include <vector>
 
 #include "net/third_party/quiche/src/quic/platform/api/quic_export.h"
+#include "net/third_party/quiche/src/quic/platform/api/quic_string_piece.h"
 
 namespace quic {
 
+namespace test {
+class QpackInstructionWithValuesPeer;
+}  // namespace test
+
 // Each instruction is identified with an opcode in the first byte.
 // |mask| determines which bits are part of the opcode.
 // |value| is the value of these bits.  (Other bits in value must be zero.)
@@ -137,6 +142,66 @@ const QpackInstruction* QpackLiteralHeaderFieldInstruction();
 // Request and push stream language.
 const QpackLanguage* QpackRequestStreamLanguage();
 
+// Storage for instruction and field values to be encoded.
+// This class can only be instantiated using factory methods that take exactly
+// the arguments that the corresponding instruction needs.
+class QUIC_EXPORT_PRIVATE QpackInstructionWithValues {
+ public:
+  // 5.2 Encoder stream instructions
+  static QpackInstructionWithValues InsertWithNameReference(
+      bool is_static,
+      uint64_t name_index,
+      QuicStringPiece value);
+  static QpackInstructionWithValues InsertWithoutNameReference(
+      QuicStringPiece name,
+      QuicStringPiece value);
+  static QpackInstructionWithValues Duplicate(uint64_t index);
+  static QpackInstructionWithValues SetDynamicTableCapacity(uint64_t capacity);
+
+  // 5.3 Decoder stream instructions
+  static QpackInstructionWithValues InsertCountIncrement(uint64_t increment);
+  static QpackInstructionWithValues HeaderAcknowledgement(uint64_t stream_id);
+  static QpackInstructionWithValues StreamCancellation(uint64_t stream_id);
+
+  // 5.4.1. Header data prefix.  Delta Base is hardcoded to be zero.
+  static QpackInstructionWithValues Prefix(uint64_t required_insert_count);
+
+  // 5.4.2. Request and push stream instructions
+  static QpackInstructionWithValues IndexedHeaderField(bool is_static,
+                                                       uint64_t index);
+  static QpackInstructionWithValues LiteralHeaderFieldNameReference(
+      bool is_static,
+      uint64_t index,
+      QuicStringPiece value);
+  static QpackInstructionWithValues LiteralHeaderField(QuicStringPiece name,
+                                                       QuicStringPiece value);
+
+  const QpackInstruction* instruction() const { return instruction_; }
+  bool s_bit() const { return s_bit_; }
+  uint64_t varint() const { return varint_; }
+  uint64_t varint2() const { return varint2_; }
+  QuicStringPiece name() const { return name_; }
+  QuicStringPiece value() const { return value_; }
+
+  // Used by QpackEncoder, because in the first pass it stores absolute indices,
+  // which are converted into relative indices in the second pass after base is
+  // determined.
+  void set_varint(uint64_t varint) { varint_ = varint; }
+
+ private:
+  friend test::QpackInstructionWithValuesPeer;
+
+  QpackInstructionWithValues() = default;
+
+  // |*instruction| is not owned.
+  const QpackInstruction* instruction_;
+  bool s_bit_;
+  uint64_t varint_;
+  uint64_t varint2_;
+  QuicStringPiece name_;
+  QuicStringPiece value_;
+};
+
 }  // namespace quic
 
-#endif  // QUICHE_QUIC_CORE_QPACK_QPACK_CONSTANTS_H_
+#endif  // QUICHE_QUIC_CORE_QPACK_QPACK_INSTRUCTIONS_H_
diff --git a/chromium/net/third_party/quiche/src/quic/core/qpack/offline/qpack_offline_decoder_bin.cc b/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_offline_decoder_bin.cc
index d72b0003da4..327816e8cb2 100644
--- a/chromium/net/third_party/quiche/src/quic/core/qpack/offline/qpack_offline_decoder_bin.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_offline_decoder_bin.cc
@@ -2,14 +2,13 @@
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
-#include "net/third_party/quiche/src/quic/core/qpack/offline/qpack_offline_decoder.h"
-
 #include <cstddef>
 #include <iostream>
 
 #include "net/third_party/quiche/src/quic/platform/api/quic_flags.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_logging.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_string_piece.h"
+#include "net/third_party/quiche/src/quic/test_tools/qpack/qpack_offline_decoder.h"
 
 int main(int argc, char* argv[]) {
   const char* usage =
diff --git a/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_progressive_decoder.cc b/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_progressive_decoder.cc
index 3c0b0f546fa..c9e19d2d013 100644
--- a/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_progressive_decoder.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_progressive_decoder.cc
@@ -8,8 +8,8 @@
 #include <limits>
 #include <utility>
 
-#include "net/third_party/quiche/src/quic/core/qpack/qpack_constants.h"
 #include "net/third_party/quiche/src/quic/core/qpack/qpack_index_conversions.h"
+#include "net/third_party/quiche/src/quic/core/qpack/qpack_instructions.h"
 #include "net/third_party/quiche/src/quic/core/qpack/qpack_required_insert_count.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_logging.h"
 
@@ -57,11 +57,13 @@ void QpackProgressiveDecoder::Decode(QuicStringPiece data) {
   while (!prefix_decoded_) {
     DCHECK(!blocked_);
 
-    prefix_decoder_->Decode(data.substr(0, 1));
-    if (error_detected_) {
+    if (!prefix_decoder_->Decode(data.substr(0, 1))) {
       return;
     }
 
+    // |prefix_decoder_->Decode()| must return false if an error is detected.
+    DCHECK(!error_detected_);
+
     data = data.substr(1);
     if (data.empty()) {
       return;
@@ -115,20 +117,28 @@ void QpackProgressiveDecoder::OnError(QuicStringPiece error_message) {
   DCHECK(!error_detected_);
 
   error_detected_ = true;
+  // Might destroy |this|.
   handler_->OnDecodingErrorDetected(error_message);
 }
 
 void QpackProgressiveDecoder::OnInsertCountReachedThreshold() {
   DCHECK(blocked_);
 
+  // Clear |blocked_| before calling instruction_decoder_.Decode() below,
+  // because that might destroy |this| and ~QpackProgressiveDecoder() needs to
+  // know not to call UnregisterObserver().
+  blocked_ = false;
+  enforcer_->OnStreamUnblocked(stream_id_);
+
   if (!buffer_.empty()) {
-    instruction_decoder_.Decode(buffer_);
+    std::string buffer(std::move(buffer_));
     buffer_.clear();
+    if (!instruction_decoder_.Decode(buffer)) {
+      // |this| might be destroyed.
+      return;
+    }
   }
 
-  blocked_ = false;
-  enforcer_->OnStreamUnblocked(stream_id_);
-
   if (!decoding_) {
     FinishDecoding();
   }
@@ -163,6 +173,7 @@ bool QpackProgressiveDecoder::DoIndexedHeaderFieldInstruction() {
       return false;
     }
 
+    header_table_->set_dynamic_table_entry_referenced();
     handler_->OnHeaderDecoded(entry->name(), entry->value());
     return true;
   }
@@ -202,6 +213,7 @@ bool QpackProgressiveDecoder::DoIndexedHeaderFieldPostBaseInstruction() {
     return false;
   }
 
+  header_table_->set_dynamic_table_entry_referenced();
   handler_->OnHeaderDecoded(entry->name(), entry->value());
   return true;
 }
@@ -231,6 +243,7 @@ bool QpackProgressiveDecoder::DoLiteralHeaderFieldNameReferenceInstruction() {
       return false;
     }
 
+    header_table_->set_dynamic_table_entry_referenced();
     handler_->OnHeaderDecoded(entry->name(), instruction_decoder_.value());
     return true;
   }
@@ -270,6 +283,7 @@ bool QpackProgressiveDecoder::DoLiteralHeaderFieldPostBaseInstruction() {
     return false;
   }
 
+  header_table_->set_dynamic_table_entry_referenced();
   handler_->OnHeaderDecoded(entry->name(), instruction_decoder_.value());
   return true;
 }
diff --git a/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_progressive_decoder.h b/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_progressive_decoder.h
index 2f306c8e19c..6599c1a3ff8 100644
--- a/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_progressive_decoder.h
+++ b/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_progressive_decoder.h
@@ -44,7 +44,8 @@ class QUIC_EXPORT_PRIVATE QpackProgressiveDecoder
     virtual void OnDecodingCompleted() = 0;
 
     // Called when a decoding error has occurred.  No other methods will be
-    // called afterwards.
+    // called afterwards.  Implementations are allowed to destroy
+    // the QpackProgressiveDecoder instance synchronously.
     virtual void OnDecodingErrorDetected(QuicStringPiece error_message) = 0;
   };
 
diff --git a/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_round_trip_test.cc b/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_round_trip_test.cc
index 567676c75d2..f0dc797fa3b 100644
--- a/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_round_trip_test.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_round_trip_test.cc
@@ -5,15 +5,13 @@
 #include <string>
 #include <tuple>
 
-#include "net/third_party/quiche/src/quic/core/qpack/qpack_decoder_test_utils.h"
-#include "net/third_party/quiche/src/quic/core/qpack/qpack_encoder_test_utils.h"
-#include "net/third_party/quiche/src/quic/core/qpack/qpack_test_utils.h"
-#include "net/third_party/quiche/src/quic/core/qpack/qpack_utils.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_string_piece.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_test.h"
+#include "net/third_party/quiche/src/quic/test_tools/qpack/qpack_decoder_test_utils.h"
+#include "net/third_party/quiche/src/quic/test_tools/qpack/qpack_encoder_test_utils.h"
+#include "net/third_party/quiche/src/quic/test_tools/qpack/qpack_test_utils.h"
 #include "net/third_party/quiche/src/spdy/core/spdy_header_block.h"
 
-using ::testing::Combine;
 using ::testing::Values;
 
 namespace quic {
diff --git a/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_utils.h b/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_utils.h
deleted file mode 100644
index 1b63422d4ac..00000000000
--- a/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_utils.h
+++ /dev/null
@@ -1,23 +0,0 @@
-// Copyright (c) 2019 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef QUICHE_QUIC_CORE_QPACK_QPACK_UTILS_H_
-#define QUICHE_QUIC_CORE_QPACK_QPACK_UTILS_H_
-
-#include "net/third_party/quiche/src/quic/core/qpack/qpack_stream_sender_delegate.h"
-
-namespace quic {
-// TODO(renjietang): Move this class to qpack_test_utils.h once it is not needed
-// in QuicSpdySession.
-class QUIC_EXPORT_PRIVATE NoopQpackStreamSenderDelegate
-    : public QpackStreamSenderDelegate {
- public:
-  ~NoopQpackStreamSenderDelegate() override = default;
-
-  void WriteStreamData(QuicStringPiece /*data*/) override {}
-};
-
-}  // namespace quic
-
-#endif  // QUICHE_QUIC_CORE_QPACK_QPACK_UTILS_H_
diff --git a/chromium/net/third_party/quiche/src/quic/core/qpack/value_splitting_header_list_test.cc b/chromium/net/third_party/quiche/src/quic/core/qpack/value_splitting_header_list_test.cc
index 03a5eb03def..bab52386512 100644
--- a/chromium/net/third_party/quiche/src/quic/core/qpack/value_splitting_header_list_test.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/qpack/value_splitting_header_list_test.cc
@@ -60,10 +60,16 @@ TEST(ValueSplittingHeaderListTest, Comparison) {
         EXPECT_FALSE(it1 == it2);
         EXPECT_TRUE(it1 != it2);
       }
-      ++it2;
+      if (j < kEnd - 1) {
+        ASSERT_NE(it2, headers.end());
+        ++it2;
+      }
     }
 
-    ++it1;
+    if (i < kEnd - 1) {
+      ASSERT_NE(it1, headers.end());
+      ++it1;
+    }
   }
 }
 
@@ -75,37 +81,37 @@ TEST(ValueSplittingHeaderListTest, Empty) {
   EXPECT_EQ(headers.begin(), headers.end());
 }
 
-struct {
-  const char* name;
-  QuicStringPiece value;
-  std::vector<const char*> expected_values;
-} kTestData[]{
-    // Empty value.
-    {"foo", "", {""}},
-    // Trivial case.
-    {"foo", "bar", {"bar"}},
-    // Simple split.
-    {"foo", {"bar\0baz", 7}, {"bar", "baz"}},
-    {"cookie", "foo;bar", {"foo", "bar"}},
-    {"cookie", "foo; bar", {"foo", "bar"}},
-    // Empty fragments with \0 separator.
-    {"foo", {"\0", 1}, {"", ""}},
-    {"bar", {"foo\0", 4}, {"foo", ""}},
-    {"baz", {"\0bar", 4}, {"", "bar"}},
-    {"qux", {"\0foobar\0", 8}, {"", "foobar", ""}},
-    // Empty fragments with ";" separator.
-    {"cookie", ";", {"", ""}},
-    {"cookie", "foo;", {"foo", ""}},
-    {"cookie", ";bar", {"", "bar"}},
-    {"cookie", ";foobar;", {"", "foobar", ""}},
-    // Empty fragments with "; " separator.
-    {"cookie", "; ", {"", ""}},
-    {"cookie", "foo; ", {"foo", ""}},
-    {"cookie", "; bar", {"", "bar"}},
-    {"cookie", "; foobar; ", {"", "foobar", ""}},
-};
-
 TEST(ValueSplittingHeaderListTest, Split) {
+  struct {
+    const char* name;
+    QuicStringPiece value;
+    std::vector<const char*> expected_values;
+  } kTestData[]{
+      // Empty value.
+      {"foo", "", {""}},
+      // Trivial case.
+      {"foo", "bar", {"bar"}},
+      // Simple split.
+      {"foo", {"bar\0baz", 7}, {"bar", "baz"}},
+      {"cookie", "foo;bar", {"foo", "bar"}},
+      {"cookie", "foo; bar", {"foo", "bar"}},
+      // Empty fragments with \0 separator.
+      {"foo", {"\0", 1}, {"", ""}},
+      {"bar", {"foo\0", 4}, {"foo", ""}},
+      {"baz", {"\0bar", 4}, {"", "bar"}},
+      {"qux", {"\0foobar\0", 8}, {"", "foobar", ""}},
+      // Empty fragments with ";" separator.
+      {"cookie", ";", {"", ""}},
+      {"cookie", "foo;", {"foo", ""}},
+      {"cookie", ";bar", {"", "bar"}},
+      {"cookie", ";foobar;", {"", "foobar", ""}},
+      // Empty fragments with "; " separator.
+      {"cookie", "; ", {"", ""}},
+      {"cookie", "foo; ", {"foo", ""}},
+      {"cookie", "; bar", {"", "bar"}},
+      {"cookie", "; foobar; ", {"", "foobar", ""}},
+  };
+
   for (size_t i = 0; i < QUIC_ARRAYSIZE(kTestData); ++i) {
     spdy::SpdyHeaderBlock block;
     block[kTestData[i].name] = kTestData[i].value;
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_arena_scoped_ptr.h b/chromium/net/third_party/quiche/src/quic/core/quic_arena_scoped_ptr.h
index 7c20fc7af4c..92da3dbc9de 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_arena_scoped_ptr.h
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_arena_scoped_ptr.h
@@ -14,12 +14,13 @@
 #include <cstdint>  // for uintptr_t
 
 #include "net/third_party/quiche/src/quic/platform/api/quic_aligned.h"
+#include "net/third_party/quiche/src/quic/platform/api/quic_export.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_logging.h"
 
 namespace quic {
 
 template <typename T>
-class QuicArenaScopedPtr {
+class QUIC_NO_EXPORT QuicArenaScopedPtr {
   static_assert(QUIC_ALIGN_OF(T*) > 1,
                 "QuicArenaScopedPtr can only store objects that are aligned to "
                 "greater than 1 byte.");
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_circular_deque.h b/chromium/net/third_party/quiche/src/quic/core/quic_circular_deque.h
new file mode 100644
index 00000000000..39eed8e6768
--- /dev/null
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_circular_deque.h
@@ -0,0 +1,744 @@
+// Copyright (c) 2019 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef QUICHE_QUIC_CORE_QUIC_CIRCULAR_DEQUE_H_
+#define QUICHE_QUIC_CORE_QUIC_CIRCULAR_DEQUE_H_
+
+#include <algorithm>
+#include <cstddef>
+#include <iterator>
+#include <memory>
+#include <ostream>
+#include <type_traits>
+
+#include "net/third_party/quiche/src/quic/platform/api/quic_export.h"
+#include "net/third_party/quiche/src/quic/platform/api/quic_logging.h"
+
+namespace quic {
+
+// QuicCircularDeque is a STL-style container that is similar to std deque in
+// API and std::vector in capacity management. The goal is to optimize a common
+// QUIC use case where we keep adding new elements to the end and removing old
+// elements from the beginning, under such scenarios, if the container's size()
+// remain relatively stable, QuicCircularDeque requires little to no memory
+// allocations or deallocations.
+//
+// The implementation, as the name suggests, uses a flat circular buffer to hold
+// all elements. At any point in time, either
+// a) All elements are placed in a contiguous portion of this buffer, like a
+//    c-array, or
+// b) Elements are phycially divided into two parts: the first part occupies the
+//    end of the buffer and the second part occupies the beginning of the
+//    buffer.
+//
+// Currently, elements can only be pushed or poped from either ends, it can't be
+// inserted or erased in the middle.
+//
+// TODO(wub): Make memory grow/shrink strategies customizable.
+template <typename T,
+          size_t MinCapacityIncrement = 3,
+          typename Allocator = std::allocator<T>>
+class QUIC_NO_EXPORT QuicCircularDeque {
+  using AllocatorTraits = std::allocator_traits<Allocator>;
+
+  // Pointee is either T or const T.
+  template <typename Pointee>
+  class QUIC_NO_EXPORT basic_iterator {
+    using size_type = typename AllocatorTraits::size_type;
+
+   public:
+    using iterator_category = std::random_access_iterator_tag;
+    using value_type = typename AllocatorTraits::value_type;
+    using difference_type = typename AllocatorTraits::difference_type;
+    using pointer = Pointee*;
+    using reference = Pointee&;
+
+    basic_iterator() = default;
+
+    // A copy constructor if Pointee is T.
+    // A conversion from iterator to const_iterator if Pointee is const T.
+    basic_iterator(
+        const basic_iterator<value_type>& it)  // NOLINT(runtime/explicit)
+        : deque_(it.deque_), index_(it.index_) {}
+
+    reference operator*() const { return *deque_->index_to_address(index_); }
+    pointer operator->() const { return deque_->index_to_address(index_); }
+    reference operator[](difference_type i) { return *(*this + i); }
+
+    basic_iterator& operator++() {
+      Increment();
+      return *this;
+    }
+
+    basic_iterator operator++(int) {
+      basic_iterator result = *this;
+      Increment();
+      return result;
+    }
+
+    basic_iterator operator--() {
+      Decrement();
+      return *this;
+    }
+
+    basic_iterator operator--(int) {
+      basic_iterator result = *this;
+      Decrement();
+      return result;
+    }
+
+    friend basic_iterator operator+(const basic_iterator& it,
+                                    difference_type delta) {
+      basic_iterator result = it;
+      result.IncrementBy(delta);
+      return result;
+    }
+
+    basic_iterator& operator+=(difference_type delta) {
+      IncrementBy(delta);
+      return *this;
+    }
+
+    friend basic_iterator operator-(const basic_iterator& it,
+                                    difference_type delta) {
+      basic_iterator result = it;
+      result.IncrementBy(-delta);
+      return result;
+    }
+
+    basic_iterator& operator-=(difference_type delta) {
+      IncrementBy(-delta);
+      return *this;
+    }
+
+    friend difference_type operator-(const basic_iterator& lhs,
+                                     const basic_iterator& rhs) {
+      return lhs.ExternalPosition() - rhs.ExternalPosition();
+    }
+
+    friend bool operator==(const basic_iterator& lhs,
+                           const basic_iterator& rhs) {
+      return lhs.index_ == rhs.index_;
+    }
+
+    friend bool operator!=(const basic_iterator& lhs,
+                           const basic_iterator& rhs) {
+      return !(lhs == rhs);
+    }
+
+    friend bool operator<(const basic_iterator& lhs,
+                          const basic_iterator& rhs) {
+      return lhs.ExternalPosition() < rhs.ExternalPosition();
+    }
+
+    friend bool operator<=(const basic_iterator& lhs,
+                           const basic_iterator& rhs) {
+      return !(lhs > rhs);
+    }
+
+    friend bool operator>(const basic_iterator& lhs,
+                          const basic_iterator& rhs) {
+      return lhs.ExternalPosition() > rhs.ExternalPosition();
+    }
+
+    friend bool operator>=(const basic_iterator& lhs,
+                           const basic_iterator& rhs) {
+      return !(lhs < rhs);
+    }
+
+   private:
+    basic_iterator(const QuicCircularDeque* deque, size_type index)
+        : deque_(deque), index_(index) {}
+
+    void Increment() {
+      DCHECK_LE(ExternalPosition() + 1, deque_->size());
+      index_ = deque_->index_next(index_);
+    }
+
+    void Decrement() {
+      DCHECK_GE(ExternalPosition(), 1u);
+      index_ = deque_->index_prev(index_);
+    }
+
+    void IncrementBy(difference_type delta) {
+      if (delta >= 0) {
+        // After increment we are before or at end().
+        DCHECK_LE(static_cast<size_type>(ExternalPosition() + delta),
+                  deque_->size());
+      } else {
+        // After decrement we are after or at begin().
+        DCHECK_GE(ExternalPosition(), static_cast<size_type>(-delta));
+      }
+      index_ = deque_->index_increment_by(index_, delta);
+    }
+
+    size_type ExternalPosition() const {
+      if (index_ >= deque_->begin_) {
+        return index_ - deque_->begin_;
+      }
+      return index_ + deque_->data_capacity() - deque_->begin_;
+    }
+
+    friend class QuicCircularDeque;
+    const QuicCircularDeque* deque_ = nullptr;
+    size_type index_ = 0;
+  };
+
+ public:
+  using allocator_type = typename AllocatorTraits::allocator_type;
+  using value_type = typename AllocatorTraits::value_type;
+  using size_type = typename AllocatorTraits::size_type;
+  using difference_type = typename AllocatorTraits::difference_type;
+  using reference = value_type&;
+  using const_reference = const value_type&;
+  using pointer = typename AllocatorTraits::pointer;
+  using const_pointer = typename AllocatorTraits::const_pointer;
+  using iterator = basic_iterator<T>;
+  using const_iterator = basic_iterator<const T>;
+  using reverse_iterator = std::reverse_iterator<iterator>;
+  using const_reverse_iterator = std::reverse_iterator<const_iterator>;
+
+  QuicCircularDeque() : QuicCircularDeque(allocator_type()) {}
+  explicit QuicCircularDeque(const allocator_type& alloc)
+      : allocator_and_data_(alloc) {}
+
+  QuicCircularDeque(size_type count,
+                    const T& value,
+                    const Allocator& alloc = allocator_type())
+      : allocator_and_data_(alloc) {
+    resize(count, value);
+  }
+
+  explicit QuicCircularDeque(size_type count,
+                             const Allocator& alloc = allocator_type())
+      : allocator_and_data_(alloc) {
+    resize(count);
+  }
+
+  template <
+      class InputIt,
+      typename = std::enable_if_t<std::is_base_of<
+          std::input_iterator_tag,
+          typename std::iterator_traits<InputIt>::iterator_category>::value>>
+  QuicCircularDeque(InputIt first,
+                    InputIt last,
+                    const Allocator& alloc = allocator_type())
+      : allocator_and_data_(alloc) {
+    AssignRange(first, last);
+  }
+
+  QuicCircularDeque(const QuicCircularDeque& other)
+      : QuicCircularDeque(
+            other,
+            AllocatorTraits::select_on_container_copy_construction(
+                other.allocator_and_data_.allocator())) {}
+
+  QuicCircularDeque(const QuicCircularDeque& other, const allocator_type& alloc)
+      : allocator_and_data_(alloc) {
+    assign(other.begin(), other.end());
+  }
+
+  QuicCircularDeque(QuicCircularDeque&& other)
+      : begin_(other.begin_),
+        end_(other.end_),
+        allocator_and_data_(std::move(other.allocator_and_data_)) {
+    other.begin_ = other.end_ = 0;
+    other.allocator_and_data_.data = nullptr;
+    other.allocator_and_data_.data_capacity = 0;
+  }
+
+  QuicCircularDeque(QuicCircularDeque&& other, const allocator_type& alloc)
+      : allocator_and_data_(alloc) {
+    MoveRetainAllocator(std::move(other));
+  }
+
+  QuicCircularDeque(std::initializer_list<T> init,
+                    const allocator_type& alloc = allocator_type())
+      : QuicCircularDeque(init.begin(), init.end(), alloc) {}
+
+  QuicCircularDeque& operator=(const QuicCircularDeque& other) {
+    if (this == &other) {
+      return *this;
+    }
+    if (AllocatorTraits::propagate_on_container_copy_assignment::value &&
+        (allocator_and_data_.allocator() !=
+         other.allocator_and_data_.allocator())) {
+      // Destroy all current elements and blocks with the current allocator,
+      // before switching this to use the allocator propagated from "other".
+      DestroyAndDeallocateAll();
+      begin_ = end_ = 0;
+      allocator_and_data_ =
+          AllocatorAndData(other.allocator_and_data_.allocator());
+    }
+    assign(other.begin(), other.end());
+    return *this;
+  }
+
+  QuicCircularDeque& operator=(QuicCircularDeque&& other) {
+    if (this == &other) {
+      return *this;
+    }
+    if (AllocatorTraits::propagate_on_container_move_assignment::value) {
+      // Take over the storage of "other", along with its allocator.
+      this->~QuicCircularDeque();
+      new (this) QuicCircularDeque(std::move(other));
+    } else {
+      MoveRetainAllocator(std::move(other));
+    }
+    return *this;
+  }
+
+  ~QuicCircularDeque() { DestroyAndDeallocateAll(); }
+
+  void assign(size_type count, const T& value) {
+    ClearRetainCapacity();
+    reserve(count);
+    for (size_t i = 0; i < count; ++i) {
+      emplace_back(value);
+    }
+  }
+
+  template <
+      class InputIt,
+      typename = std::enable_if_t<std::is_base_of<
+          std::input_iterator_tag,
+          typename std::iterator_traits<InputIt>::iterator_category>::value>>
+  void assign(InputIt first, InputIt last) {
+    AssignRange(first, last);
+  }
+
+  void assign(std::initializer_list<T> ilist) {
+    assign(ilist.begin(), ilist.end());
+  }
+
+  reference at(size_type pos) {
+    DCHECK(pos < size()) << "pos:" << pos << ", size():" << size();
+    size_type index = begin_ + pos;
+    if (index < data_capacity()) {
+      return *index_to_address(index);
+    }
+    return *index_to_address(index - data_capacity());
+  }
+
+  const_reference at(size_type pos) const {
+    return const_cast<QuicCircularDeque*>(this)->at(pos);
+  }
+
+  reference operator[](size_type pos) { return at(pos); }
+
+  const_reference operator[](size_type pos) const { return at(pos); }
+
+  reference front() {
+    DCHECK(!empty());
+    return *index_to_address(begin_);
+  }
+
+  const_reference front() const {
+    return const_cast<QuicCircularDeque*>(this)->front();
+  }
+
+  reference back() {
+    DCHECK(!empty());
+    return *(index_to_address(end_ == 0 ? data_capacity() - 1 : end_ - 1));
+  }
+
+  const_reference back() const {
+    return const_cast<QuicCircularDeque*>(this)->back();
+  }
+
+  iterator begin() { return iterator(this, begin_); }
+  const_iterator begin() const { return const_iterator(this, begin_); }
+  const_iterator cbegin() const { return const_iterator(this, begin_); }
+
+  iterator end() { return iterator(this, end_); }
+  const_iterator end() const { return const_iterator(this, end_); }
+  const_iterator cend() const { return const_iterator(this, end_); }
+
+  reverse_iterator rbegin() { return reverse_iterator(end()); }
+  const_reverse_iterator rbegin() const {
+    return const_reverse_iterator(end());
+  }
+  const_reverse_iterator crbegin() const { return rbegin(); }
+
+  reverse_iterator rend() { return reverse_iterator(begin()); }
+  const_reverse_iterator rend() const {
+    return const_reverse_iterator(begin());
+  }
+  const_reverse_iterator crend() const { return rend(); }
+
+  size_type capacity() const {
+    return data_capacity() == 0 ? 0 : data_capacity() - 1;
+  }
+
+  void reserve(size_type new_cap) {
+    if (new_cap > capacity()) {
+      Relocate(new_cap);
+    }
+  }
+
+  // Remove all elements. Leave capacity unchanged.
+  void clear() { ClearRetainCapacity(); }
+
+  bool empty() const { return begin_ == end_; }
+
+  size_type size() const {
+    if (begin_ <= end_) {
+      return end_ - begin_;
+    }
+    return data_capacity() + end_ - begin_;
+  }
+
+  void resize(size_type count) { ResizeInternal(count); }
+
+  void resize(size_type count, const value_type& value) {
+    ResizeInternal(count, value);
+  }
+
+  void push_front(const T& value) { emplace_front(value); }
+  void push_front(T&& value) { emplace_front(std::move(value)); }
+
+  template <class... Args>
+  reference emplace_front(Args&&... args) {
+    MaybeExpandCapacity(1);
+    begin_ = index_prev(begin_);
+    new (index_to_address(begin_)) T(std::forward<Args>(args)...);
+    return front();
+  }
+
+  void push_back(const T& value) { emplace_back(value); }
+  void push_back(T&& value) { emplace_back(std::move(value)); }
+
+  template <class... Args>
+  reference emplace_back(Args&&... args) {
+    MaybeExpandCapacity(1);
+    new (index_to_address(end_)) T(std::forward<Args>(args)...);
+    end_ = index_next(end_);
+    return back();
+  }
+
+  void pop_front() {
+    DCHECK(!empty());
+    DestroyByIndex(begin_);
+    begin_ = index_next(begin_);
+    MaybeShrinkCapacity();
+  }
+
+  size_type pop_front_n(size_type count) {
+    size_type num_elements_to_pop = std::min(count, size());
+    size_type new_begin = index_increment_by(begin_, num_elements_to_pop);
+    DestroyRange(begin_, new_begin);
+    begin_ = new_begin;
+    MaybeShrinkCapacity();
+    return num_elements_to_pop;
+  }
+
+  void pop_back() {
+    DCHECK(!empty());
+    end_ = index_prev(end_);
+    DestroyByIndex(end_);
+    MaybeShrinkCapacity();
+  }
+
+  size_type pop_back_n(size_type count) {
+    size_type num_elements_to_pop = std::min(count, size());
+    size_type new_end = index_increment_by(end_, -num_elements_to_pop);
+    DestroyRange(new_end, end_);
+    end_ = new_end;
+    MaybeShrinkCapacity();
+    return num_elements_to_pop;
+  }
+
+  void swap(QuicCircularDeque& other) {
+    using std::swap;
+    swap(begin_, other.begin_);
+    swap(end_, other.end_);
+
+    if (AllocatorTraits::propagate_on_container_swap::value) {
+      swap(allocator_and_data_, other.allocator_and_data_);
+    } else {
+      // When propagate_on_container_swap is false, it is undefined behavior, by
+      // c++ standard, to swap between two AllocatorAwareContainer(s) with
+      // unequal allocators.
+      DCHECK(get_allocator() == other.get_allocator())
+          << "Undefined swap behavior";
+      swap(allocator_and_data_.data, other.allocator_and_data_.data);
+      swap(allocator_and_data_.data_capacity,
+           other.allocator_and_data_.data_capacity);
+    }
+  }
+
+  friend void swap(QuicCircularDeque& lhs, QuicCircularDeque& rhs) {
+    lhs.swap(rhs);
+  }
+
+  allocator_type get_allocator() const {
+    return allocator_and_data_.allocator();
+  }
+
+  friend bool operator==(const QuicCircularDeque& lhs,
+                         const QuicCircularDeque& rhs) {
+    return std::equal(lhs.begin(), lhs.end(), rhs.begin(), rhs.end());
+  }
+
+  friend bool operator!=(const QuicCircularDeque& lhs,
+                         const QuicCircularDeque& rhs) {
+    return !(lhs == rhs);
+  }
+
+  friend QUIC_NO_EXPORT std::ostream& operator<<(std::ostream& os,
+                                                 const QuicCircularDeque& dq) {
+    os << "{";
+    for (size_type pos = 0; pos != dq.size(); ++pos) {
+      if (pos != 0) {
+        os << ",";
+      }
+      os << " " << dq[pos];
+    }
+    os << " }";
+    return os;
+  }
+
+ private:
+  void MoveRetainAllocator(QuicCircularDeque&& other) {
+    if (get_allocator() == other.get_allocator()) {
+      // Take over the storage of "other", with which we share an allocator.
+      DestroyAndDeallocateAll();
+
+      begin_ = other.begin_;
+      end_ = other.end_;
+      allocator_and_data_.data = other.allocator_and_data_.data;
+      allocator_and_data_.data_capacity =
+          other.allocator_and_data_.data_capacity;
+
+      other.begin_ = other.end_ = 0;
+      other.allocator_and_data_.data = nullptr;
+      other.allocator_and_data_.data_capacity = 0;
+    } else {
+      // We cannot take over of the storage from "other", since it has a
+      // different allocator; we're stuck move-assigning elements individually.
+      ClearRetainCapacity();
+      for (auto& elem : other) {
+        push_back(std::move(elem));
+      }
+      other.clear();
+    }
+  }
+
+  template <
+      typename InputIt,
+      typename = std::enable_if_t<std::is_base_of<
+          std::input_iterator_tag,
+          typename std::iterator_traits<InputIt>::iterator_category>::value>>
+  void AssignRange(InputIt first, InputIt last) {
+    ClearRetainCapacity();
+    if (std::is_base_of<
+            std::random_access_iterator_tag,
+            typename std::iterator_traits<InputIt>::iterator_category>::value) {
+      reserve(std::distance(first, last));
+    }
+    for (; first != last; ++first) {
+      emplace_back(*first);
+    }
+  }
+
+  // WARNING: begin_, end_ and allocator_and_data_ are not modified.
+  void DestroyAndDeallocateAll() {
+    DestroyRange(begin_, end_);
+
+    if (data_capacity() > 0) {
+      DCHECK_NE(nullptr, allocator_and_data_.data);
+      AllocatorTraits::deallocate(allocator_and_data_.allocator(),
+                                  allocator_and_data_.data, data_capacity());
+    }
+  }
+
+  void ClearRetainCapacity() {
+    DestroyRange(begin_, end_);
+    begin_ = end_ = 0;
+  }
+
+  void MaybeShrinkCapacity() {
+    // TODO(wub): Implement a storage policy that actually shrinks.
+  }
+
+  void MaybeExpandCapacity(size_t num_additional_elements) {
+    size_t new_size = size() + num_additional_elements;
+    if (capacity() >= new_size) {
+      return;
+    }
+
+    // The minimum amount of additional capacity to grow.
+    size_t min_additional_capacity =
+        std::max(MinCapacityIncrement, capacity() / 4);
+    size_t new_capacity =
+        std::max(new_size, capacity() + min_additional_capacity);
+
+    Relocate(new_capacity);
+  }
+
+  void Relocate(size_t new_capacity) {
+    const size_t num_elements = size();
+    DCHECK_GT(new_capacity, num_elements)
+        << "new_capacity:" << new_capacity << ", num_elements:" << num_elements;
+
+    size_t new_data_capacity = new_capacity + 1;
+    pointer new_data = AllocatorTraits::allocate(
+        allocator_and_data_.allocator(), new_data_capacity);
+
+    if (begin_ <= end_) {
+      // Not wrapped.
+      RelocateUnwrappedRange(begin_, end_, new_data);
+    } else {
+      // Wrapped.
+      const size_t num_elements_before_wrap = data_capacity() - begin_;
+      RelocateUnwrappedRange(begin_, data_capacity(), new_data);
+      RelocateUnwrappedRange(0, end_, new_data + num_elements_before_wrap);
+    }
+
+    if (data_capacity()) {
+      AllocatorTraits::deallocate(allocator_and_data_.allocator(),
+                                  allocator_and_data_.data, data_capacity());
+    }
+
+    allocator_and_data_.data = new_data;
+    allocator_and_data_.data_capacity = new_data_capacity;
+    begin_ = 0;
+    end_ = num_elements;
+  }
+
+  template <typename T_ = T>
+  typename std::enable_if<std::is_trivially_copyable<T_>::value, void>::type
+  RelocateUnwrappedRange(size_type begin, size_type end, pointer dest) const {
+    DCHECK_LE(begin, end) << "begin:" << begin << ", end:" << end;
+    memcpy(dest, index_to_address(begin), sizeof(T) * (end - begin));
+    DestroyRange(begin, end);
+  }
+
+  template <typename T_ = T>
+  typename std::enable_if<!std::is_trivially_copyable<T_>::value &&
+                              std::is_move_constructible<T_>::value,
+                          void>::type
+  RelocateUnwrappedRange(size_type begin, size_type end, pointer dest) const {
+    DCHECK_LE(begin, end) << "begin:" << begin << ", end:" << end;
+    pointer src = index_to_address(begin);
+    pointer src_end = index_to_address(end);
+    while (src != src_end) {
+      new (dest) T(std::move(*src));
+      DestroyByAddress(src);
+      ++dest;
+      ++src;
+    }
+  }
+
+  template <typename T_ = T>
+  typename std::enable_if<!std::is_trivially_copyable<T_>::value &&
+                              !std::is_move_constructible<T_>::value,
+                          void>::type
+  RelocateUnwrappedRange(size_type begin, size_type end, pointer dest) const {
+    DCHECK_LE(begin, end) << "begin:" << begin << ", end:" << end;
+    pointer src = index_to_address(begin);
+    pointer src_end = index_to_address(end);
+    while (src != src_end) {
+      new (dest) T(*src);
+      DestroyByAddress(src);
+      ++dest;
+      ++src;
+    }
+  }
+
+  template <class... U>
+  void ResizeInternal(size_type count, U&&... u) {
+    if (count > size()) {
+      // Expanding.
+      MaybeExpandCapacity(count - size());
+      while (size() < count) {
+        emplace_back(std::forward<U>(u)...);
+      }
+    } else {
+      // Most likely shrinking. No-op if count == size().
+      size_type new_end = (begin_ + count) % data_capacity();
+      DestroyRange(new_end, end_);
+      end_ = new_end;
+
+      MaybeShrinkCapacity();
+    }
+  }
+
+  void DestroyRange(size_type begin, size_type end) const {
+    if (std::is_trivially_destructible<T>::value) {
+      return;
+    }
+    if (end >= begin) {
+      DestroyUnwrappedRange(begin, end);
+    } else {
+      DestroyUnwrappedRange(begin, data_capacity());
+      DestroyUnwrappedRange(0, end);
+    }
+  }
+
+  // Should only be called from DestroyRange.
+  void DestroyUnwrappedRange(size_type begin, size_type end) const {
+    DCHECK_LE(begin, end) << "begin:" << begin << ", end:" << end;
+    for (; begin != end; ++begin) {
+      DestroyByIndex(begin);
+    }
+  }
+
+  void DestroyByIndex(size_type index) const {
+    DestroyByAddress(index_to_address(index));
+  }
+
+  void DestroyByAddress(pointer address) const {
+    if (std::is_trivially_destructible<T>::value) {
+      return;
+    }
+    address->~T();
+  }
+
+  size_type data_capacity() const { return allocator_and_data_.data_capacity; }
+
+  pointer index_to_address(size_type index) const {
+    return allocator_and_data_.data + index;
+  }
+
+  size_type index_prev(size_type index) const {
+    return index == 0 ? data_capacity() - 1 : index - 1;
+  }
+
+  size_type index_next(size_type index) const {
+    return index == data_capacity() - 1 ? 0 : index + 1;
+  }
+
+  size_type index_increment_by(size_type index, difference_type delta) const {
+    if (delta == 0) {
+      return index;
+    }
+
+    DCHECK_LT(static_cast<size_type>(std::abs(delta)), data_capacity());
+    return (index + data_capacity() + delta) % data_capacity();
+  }
+
+  // Empty base-class optimization: bundle storage for our allocator together
+  // with the fields we had to store anyway, via inheriting from the allocator,
+  // so this allocator instance doesn't consume any storage when its type has no
+  // data members.
+  struct AllocatorAndData : private allocator_type {
+    explicit AllocatorAndData(const allocator_type& alloc)
+        : allocator_type(alloc) {}
+
+    const allocator_type& allocator() const { return *this; }
+    allocator_type& allocator() { return *this; }
+
+    pointer data = nullptr;
+    size_type data_capacity = 0;
+  };
+
+  size_type begin_ = 0;
+  size_type end_ = 0;
+  AllocatorAndData allocator_and_data_;
+};
+
+}  // namespace quic
+
+#endif  // QUICHE_QUIC_CORE_QUIC_CIRCULAR_DEQUE_H_
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_circular_deque_test.cc b/chromium/net/third_party/quiche/src/quic/core/quic_circular_deque_test.cc
new file mode 100644
index 00000000000..c1658985a48
--- /dev/null
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_circular_deque_test.cc
@@ -0,0 +1,790 @@
+// Copyright (c) 2019 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "net/third_party/quiche/src/quic/core/quic_circular_deque.h"
+
+#include <cstddef>
+#include <cstdint>
+#include <memory>
+#include <type_traits>
+
+#include "net/third_party/quiche/src/quic/platform/api/quic_logging.h"
+#include "net/third_party/quiche/src/quic/platform/api/quic_test.h"
+
+using testing::ElementsAre;
+
+namespace quic {
+namespace test {
+
+template <typename T, template <typename> class BaseAllocator = std::allocator>
+class CountingAllocator : public BaseAllocator<T> {
+  typedef BaseAllocator<T> BaseType;
+
+ public:
+  using propagate_on_container_copy_assignment = std::true_type;
+  using propagate_on_container_move_assignment = std::true_type;
+  using propagate_on_container_swap = std::true_type;
+
+  T* allocate(std::size_t n) {
+    ++shared_counts_->allocate_count;
+    return BaseType::allocate(n);
+  }
+
+  void deallocate(T* ptr, std::size_t n) {
+    ++shared_counts_->deallocate_count;
+    return BaseType::deallocate(ptr, n);
+  }
+
+  size_t allocate_count() const { return shared_counts_->allocate_count; }
+
+  size_t deallocate_count() const { return shared_counts_->deallocate_count; }
+
+  friend bool operator==(const CountingAllocator& lhs,
+                         const CountingAllocator& rhs) {
+    return lhs.shared_counts_ == rhs.shared_counts_;
+  }
+
+  friend bool operator!=(const CountingAllocator& lhs,
+                         const CountingAllocator& rhs) {
+    return !(lhs == rhs);
+  }
+
+ private:
+  struct Counts {
+    size_t allocate_count = 0;
+    size_t deallocate_count = 0;
+  };
+
+  std::shared_ptr<Counts> shared_counts_ = std::make_shared<Counts>();
+};
+
+template <typename T,
+          typename propagate_on_copy_assignment,
+          typename propagate_on_move_assignment,
+          typename propagate_on_swap,
+          bool equality_result,
+          template <typename> class BaseAllocator = std::allocator>
+struct ConfigurableAllocator : public BaseAllocator<T> {
+  using propagate_on_container_copy_assignment = propagate_on_copy_assignment;
+  using propagate_on_container_move_assignment = propagate_on_move_assignment;
+  using propagate_on_container_swap = propagate_on_swap;
+
+  friend bool operator==(const ConfigurableAllocator& /*lhs*/,
+                         const ConfigurableAllocator& /*rhs*/) {
+    return equality_result;
+  }
+
+  friend bool operator!=(const ConfigurableAllocator& lhs,
+                         const ConfigurableAllocator& rhs) {
+    return !(lhs == rhs);
+  }
+};
+
+// [1, 2, 3, 4] ==> [4, 1, 2, 3]
+template <typename Deque>
+void ShiftRight(Deque* dq, bool emplace) {
+  auto back = *(&dq->back());
+  dq->pop_back();
+  if (emplace) {
+    dq->emplace_front(back);
+  } else {
+    dq->push_front(back);
+  }
+}
+
+// [1, 2, 3, 4] ==> [2, 3, 4, 1]
+template <typename Deque>
+void ShiftLeft(Deque* dq, bool emplace) {
+  auto front = *(&dq->front());
+  dq->pop_front();
+  if (emplace) {
+    dq->emplace_back(front);
+  } else {
+    dq->push_back(front);
+  }
+}
+
+TEST(QuicCircularDeque, Empty) {
+  QuicCircularDeque<int> dq;
+  EXPECT_TRUE(dq.empty());
+  EXPECT_EQ(0u, dq.size());
+  dq.clear();
+  dq.push_back(10);
+  EXPECT_FALSE(dq.empty());
+  EXPECT_EQ(1u, dq.size());
+  EXPECT_EQ(10, dq.front());
+  EXPECT_EQ(10, dq.back());
+  dq.pop_front();
+  EXPECT_TRUE(dq.empty());
+  EXPECT_EQ(0u, dq.size());
+
+  EXPECT_QUIC_DEBUG_DEATH(dq.front(), "");
+  EXPECT_QUIC_DEBUG_DEATH(dq.back(), "");
+  EXPECT_QUIC_DEBUG_DEATH(dq.at(0), "");
+  EXPECT_QUIC_DEBUG_DEATH(dq[0], "");
+}
+
+TEST(QuicCircularDeque, Constructor) {
+  QuicCircularDeque<int> dq;
+  EXPECT_TRUE(dq.empty());
+
+  std::allocator<int> alloc;
+  QuicCircularDeque<int> dq1(alloc);
+  EXPECT_TRUE(dq1.empty());
+
+  QuicCircularDeque<int> dq2(8, 100, alloc);
+  EXPECT_THAT(dq2, ElementsAre(100, 100, 100, 100, 100, 100, 100, 100));
+
+  QuicCircularDeque<int> dq3(5, alloc);
+  EXPECT_THAT(dq3, ElementsAre(0, 0, 0, 0, 0));
+
+  QuicCircularDeque<int> dq4_rand_iter(dq3.begin(), dq3.end(), alloc);
+  EXPECT_THAT(dq4_rand_iter, ElementsAre(0, 0, 0, 0, 0));
+  EXPECT_EQ(dq4_rand_iter, dq3);
+
+  std::list<int> dq4_src = {4, 4, 4, 4};
+  QuicCircularDeque<int> dq4_bidi_iter(dq4_src.begin(), dq4_src.end());
+  EXPECT_THAT(dq4_bidi_iter, ElementsAre(4, 4, 4, 4));
+
+  QuicCircularDeque<int> dq5(dq4_bidi_iter);
+  EXPECT_THAT(dq5, ElementsAre(4, 4, 4, 4));
+  EXPECT_EQ(dq5, dq4_bidi_iter);
+
+  QuicCircularDeque<int> dq6(dq5, alloc);
+  EXPECT_THAT(dq6, ElementsAre(4, 4, 4, 4));
+  EXPECT_EQ(dq6, dq5);
+
+  QuicCircularDeque<int> dq7(std::move(*&dq6));
+  EXPECT_THAT(dq7, ElementsAre(4, 4, 4, 4));
+  EXPECT_TRUE(dq6.empty());
+
+  QuicCircularDeque<int> dq8_equal_allocator(std::move(*&dq7), alloc);
+  EXPECT_THAT(dq8_equal_allocator, ElementsAre(4, 4, 4, 4));
+  EXPECT_TRUE(dq7.empty());
+
+  QuicCircularDeque<int, 3, CountingAllocator<int>> dq8_temp = {5, 6, 7, 8, 9};
+  QuicCircularDeque<int, 3, CountingAllocator<int>> dq8_unequal_allocator(
+      std::move(*&dq8_temp), CountingAllocator<int>());
+  EXPECT_THAT(dq8_unequal_allocator, ElementsAre(5, 6, 7, 8, 9));
+  EXPECT_TRUE(dq8_temp.empty());
+
+  QuicCircularDeque<int> dq9({3, 4, 5, 6, 7}, alloc);
+  EXPECT_THAT(dq9, ElementsAre(3, 4, 5, 6, 7));
+}
+
+TEST(QuicCircularDeque, Assign) {
+  // assign()
+  QuicCircularDeque<int, 3, CountingAllocator<int>> dq;
+  dq.assign(7, 1);
+  EXPECT_THAT(dq, ElementsAre(1, 1, 1, 1, 1, 1, 1));
+  EXPECT_EQ(1u, dq.get_allocator().allocate_count());
+
+  QuicCircularDeque<int, 3, CountingAllocator<int>> dq2;
+  dq2.assign(dq.begin(), dq.end());
+  EXPECT_THAT(dq2, ElementsAre(1, 1, 1, 1, 1, 1, 1));
+  EXPECT_EQ(1u, dq2.get_allocator().allocate_count());
+  EXPECT_TRUE(std::equal(dq.begin(), dq.end(), dq2.begin(), dq2.end()));
+
+  dq2.assign({2, 2, 2, 2, 2, 2});
+  EXPECT_THAT(dq2, ElementsAre(2, 2, 2, 2, 2, 2));
+
+  // Assign from a non random access iterator.
+  std::list<int> dq3_src = {3, 3, 3, 3, 3};
+  QuicCircularDeque<int, 3, CountingAllocator<int>> dq3;
+  dq3.assign(dq3_src.begin(), dq3_src.end());
+  EXPECT_THAT(dq3, ElementsAre(3, 3, 3, 3, 3));
+  EXPECT_LT(1u, dq3.get_allocator().allocate_count());
+
+  // Copy assignment
+  dq3 = *&dq3;
+  EXPECT_THAT(dq3, ElementsAre(3, 3, 3, 3, 3));
+
+  QuicCircularDeque<
+      int, 3,
+      ConfigurableAllocator<int,
+                            /*propagate_on_copy_assignment=*/std::true_type,
+                            /*propagate_on_move_assignment=*/std::true_type,
+                            /*propagate_on_swap=*/std::true_type,
+                            /*equality_result=*/false>>
+      dq4, dq5;
+  dq4.assign(dq3.begin(), dq3.end());
+  dq5 = dq4;
+  EXPECT_THAT(dq5, ElementsAre(3, 3, 3, 3, 3));
+
+  QuicCircularDeque<
+      int, 3,
+      ConfigurableAllocator<int,
+                            /*propagate_on_copy_assignment=*/std::false_type,
+                            /*propagate_on_move_assignment=*/std::true_type,
+                            /*propagate_on_swap=*/std::true_type,
+                            /*equality_result=*/true>>
+      dq6, dq7;
+  dq6.assign(dq3.begin(), dq3.end());
+  dq7 = dq6;
+  EXPECT_THAT(dq7, ElementsAre(3, 3, 3, 3, 3));
+
+  // Move assignment
+  dq3 = std::move(*&dq3);
+  EXPECT_THAT(dq3, ElementsAre(3, 3, 3, 3, 3));
+
+  ASSERT_TRUE(decltype(
+      dq3.get_allocator())::propagate_on_container_move_assignment::value);
+  decltype(dq3) dq8;
+  dq8 = std::move(*&dq3);
+  EXPECT_THAT(dq8, ElementsAre(3, 3, 3, 3, 3));
+  EXPECT_TRUE(dq3.empty());
+
+  QuicCircularDeque<
+      int, 3,
+      ConfigurableAllocator<int,
+                            /*propagate_on_copy_assignment=*/std::true_type,
+                            /*propagate_on_move_assignment=*/std::false_type,
+                            /*propagate_on_swap=*/std::true_type,
+                            /*equality_result=*/true>>
+      dq9, dq10;
+  dq9.assign(dq8.begin(), dq8.end());
+  dq10.assign(dq2.begin(), dq2.end());
+  dq9 = std::move(*&dq10);
+  EXPECT_THAT(dq9, ElementsAre(2, 2, 2, 2, 2, 2));
+  EXPECT_TRUE(dq10.empty());
+
+  QuicCircularDeque<
+      int, 3,
+      ConfigurableAllocator<int,
+                            /*propagate_on_copy_assignment=*/std::true_type,
+                            /*propagate_on_move_assignment=*/std::false_type,
+                            /*propagate_on_swap=*/std::true_type,
+                            /*equality_result=*/false>>
+      dq11, dq12;
+  dq11.assign(dq8.begin(), dq8.end());
+  dq12.assign(dq2.begin(), dq2.end());
+  dq11 = std::move(*&dq12);
+  EXPECT_THAT(dq11, ElementsAre(2, 2, 2, 2, 2, 2));
+  EXPECT_TRUE(dq12.empty());
+}
+
+TEST(QuicCircularDeque, Access) {
+  // at()
+  // operator[]
+  // front()
+  // back()
+
+  QuicCircularDeque<int, 3, CountingAllocator<int>> dq;
+  dq.push_back(10);
+  EXPECT_EQ(dq.front(), 10);
+  EXPECT_EQ(dq.back(), 10);
+  EXPECT_EQ(dq.at(0), 10);
+  EXPECT_EQ(dq[0], 10);
+  dq.front() = 12;
+  EXPECT_EQ(dq.front(), 12);
+  EXPECT_EQ(dq.back(), 12);
+  EXPECT_EQ(dq.at(0), 12);
+  EXPECT_EQ(dq[0], 12);
+
+  const auto& dqref = dq;
+  EXPECT_EQ(dqref.front(), 12);
+  EXPECT_EQ(dqref.back(), 12);
+  EXPECT_EQ(dqref.at(0), 12);
+  EXPECT_EQ(dqref[0], 12);
+
+  dq.pop_front();
+  EXPECT_TRUE(dqref.empty());
+
+  // Push to capacity.
+  dq.push_back(15);
+  dq.push_front(5);
+  dq.push_back(25);
+  EXPECT_EQ(dq.size(), dq.capacity());
+  EXPECT_THAT(dq, ElementsAre(5, 15, 25));
+  EXPECT_LT(&dq.front(), &dq.back());
+  EXPECT_EQ(dq.front(), 5);
+  EXPECT_EQ(dq.back(), 25);
+  EXPECT_EQ(dq.at(0), 5);
+  EXPECT_EQ(dq.at(1), 15);
+  EXPECT_EQ(dq.at(2), 25);
+  EXPECT_EQ(dq[0], 5);
+  EXPECT_EQ(dq[1], 15);
+  EXPECT_EQ(dq[2], 25);
+
+  // Shift right such that begin=1 and end=0. Data is still not wrapped.
+  dq.pop_front();
+  dq.push_back(35);
+  EXPECT_THAT(dq, ElementsAre(15, 25, 35));
+  EXPECT_LT(&dq.front(), &dq.back());
+  EXPECT_EQ(dq.front(), 15);
+  EXPECT_EQ(dq.back(), 35);
+  EXPECT_EQ(dq.at(0), 15);
+  EXPECT_EQ(dq.at(1), 25);
+  EXPECT_EQ(dq.at(2), 35);
+  EXPECT_EQ(dq[0], 15);
+  EXPECT_EQ(dq[1], 25);
+  EXPECT_EQ(dq[2], 35);
+
+  // Shift right such that data is wrapped.
+  dq.pop_front();
+  dq.push_back(45);
+  EXPECT_THAT(dq, ElementsAre(25, 35, 45));
+  EXPECT_GT(&dq.front(), &dq.back());
+  EXPECT_EQ(dq.front(), 25);
+  EXPECT_EQ(dq.back(), 45);
+  EXPECT_EQ(dq.at(0), 25);
+  EXPECT_EQ(dq.at(1), 35);
+  EXPECT_EQ(dq.at(2), 45);
+  EXPECT_EQ(dq[0], 25);
+  EXPECT_EQ(dq[1], 35);
+  EXPECT_EQ(dq[2], 45);
+
+  // Shift right again, data is still wrapped.
+  dq.pop_front();
+  dq.push_back(55);
+  EXPECT_THAT(dq, ElementsAre(35, 45, 55));
+  EXPECT_GT(&dq.front(), &dq.back());
+  EXPECT_EQ(dq.front(), 35);
+  EXPECT_EQ(dq.back(), 55);
+  EXPECT_EQ(dq.at(0), 35);
+  EXPECT_EQ(dq.at(1), 45);
+  EXPECT_EQ(dq.at(2), 55);
+  EXPECT_EQ(dq[0], 35);
+  EXPECT_EQ(dq[1], 45);
+  EXPECT_EQ(dq[2], 55);
+
+  // Shift right one last time. begin returns to 0. Data is no longer wrapped.
+  dq.pop_front();
+  dq.push_back(65);
+  EXPECT_THAT(dq, ElementsAre(45, 55, 65));
+  EXPECT_LT(&dq.front(), &dq.back());
+  EXPECT_EQ(dq.front(), 45);
+  EXPECT_EQ(dq.back(), 65);
+  EXPECT_EQ(dq.at(0), 45);
+  EXPECT_EQ(dq.at(1), 55);
+  EXPECT_EQ(dq.at(2), 65);
+  EXPECT_EQ(dq[0], 45);
+  EXPECT_EQ(dq[1], 55);
+  EXPECT_EQ(dq[2], 65);
+
+  EXPECT_EQ(1u, dq.get_allocator().allocate_count());
+}
+
+TEST(QuicCircularDeque, Iterate) {
+  QuicCircularDeque<int> dq;
+  EXPECT_EQ(dq.begin(), dq.end());
+  EXPECT_EQ(dq.cbegin(), dq.cend());
+  EXPECT_EQ(dq.rbegin(), dq.rend());
+  EXPECT_EQ(dq.crbegin(), dq.crend());
+
+  dq.emplace_back(2);
+  QuicCircularDeque<int>::const_iterator citer = dq.begin();
+  EXPECT_NE(citer, dq.end());
+  EXPECT_EQ(*citer, 2);
+  ++citer;
+  EXPECT_EQ(citer, dq.end());
+
+  EXPECT_EQ(*dq.begin(), 2);
+  EXPECT_EQ(*dq.cbegin(), 2);
+  EXPECT_EQ(*dq.rbegin(), 2);
+  EXPECT_EQ(*dq.crbegin(), 2);
+
+  dq.emplace_front(1);
+  QuicCircularDeque<int>::const_reverse_iterator criter = dq.rbegin();
+  EXPECT_NE(criter, dq.rend());
+  EXPECT_EQ(*criter, 2);
+  ++criter;
+  EXPECT_NE(criter, dq.rend());
+  EXPECT_EQ(*criter, 1);
+  ++criter;
+  EXPECT_EQ(criter, dq.rend());
+
+  EXPECT_EQ(*dq.begin(), 1);
+  EXPECT_EQ(*dq.cbegin(), 1);
+  EXPECT_EQ(*dq.rbegin(), 2);
+  EXPECT_EQ(*dq.crbegin(), 2);
+
+  dq.push_back(3);
+
+  // Forward iterate.
+  int expected_value = 1;
+  for (QuicCircularDeque<int>::iterator it = dq.begin(); it != dq.end(); ++it) {
+    EXPECT_EQ(expected_value++, *it);
+  }
+
+  expected_value = 1;
+  for (QuicCircularDeque<int>::const_iterator it = dq.cbegin(); it != dq.cend();
+       ++it) {
+    EXPECT_EQ(expected_value++, *it);
+  }
+
+  // Reverse iterate.
+  expected_value = 3;
+  for (QuicCircularDeque<int>::reverse_iterator it = dq.rbegin();
+       it != dq.rend(); ++it) {
+    EXPECT_EQ(expected_value--, *it);
+  }
+
+  expected_value = 3;
+  for (QuicCircularDeque<int>::const_reverse_iterator it = dq.crbegin();
+       it != dq.crend(); ++it) {
+    EXPECT_EQ(expected_value--, *it);
+  }
+}
+
+TEST(QuicCircularDeque, Iterator) {
+  // Default constructed iterators of the same type compare equal.
+  EXPECT_EQ(QuicCircularDeque<int>::iterator(),
+            QuicCircularDeque<int>::iterator());
+  EXPECT_EQ(QuicCircularDeque<int>::const_iterator(),
+            QuicCircularDeque<int>::const_iterator());
+  EXPECT_EQ(QuicCircularDeque<int>::reverse_iterator(),
+            QuicCircularDeque<int>::reverse_iterator());
+  EXPECT_EQ(QuicCircularDeque<int>::const_reverse_iterator(),
+            QuicCircularDeque<int>::const_reverse_iterator());
+
+  QuicCircularDeque<QuicCircularDeque<int>, 3> dqdq = {
+      {1, 2}, {10, 20, 30}, {100, 200, 300, 400}};
+
+  // iter points to {1, 2}
+  decltype(dqdq)::iterator iter = dqdq.begin();
+  EXPECT_EQ(iter->size(), 2u);
+  EXPECT_THAT(*iter, ElementsAre(1, 2));
+
+  // citer points to {10, 20, 30}
+  decltype(dqdq)::const_iterator citer = dqdq.cbegin() + 1;
+  EXPECT_NE(*iter, *citer);
+  EXPECT_EQ(citer->size(), 3u);
+  int x = 10;
+  for (auto it = citer->begin(); it != citer->end(); ++it) {
+    EXPECT_EQ(*it, x);
+    x += 10;
+  }
+
+  EXPECT_LT(iter, citer);
+  EXPECT_LE(iter, iter);
+  EXPECT_GT(citer, iter);
+  EXPECT_GE(citer, citer);
+
+  // iter points to {100, 200, 300, 400}
+  iter += 2;
+  EXPECT_NE(*iter, *citer);
+  EXPECT_EQ(iter->size(), 4u);
+  for (int i = 1; i <= 4; ++i) {
+    EXPECT_EQ(iter->begin()[i - 1], i * 100);
+  }
+
+  EXPECT_LT(citer, iter);
+  EXPECT_LE(iter, iter);
+  EXPECT_GT(iter, citer);
+  EXPECT_GE(citer, citer);
+
+  // iter points to {10, 20, 30}. (same as citer)
+  iter -= 1;
+  EXPECT_EQ(*iter, *citer);
+  EXPECT_EQ(iter->size(), 3u);
+  x = 10;
+  for (auto it = iter->begin(); it != iter->end();) {
+    EXPECT_EQ(*(it++), x);
+    x += 10;
+  }
+  x = 30;
+  for (auto it = iter->begin() + 2; it != iter->begin();) {
+    EXPECT_EQ(*(it--), x);
+    x -= 10;
+  }
+}
+
+TEST(QuicCircularDeque, Resize) {
+  QuicCircularDeque<int, 3, CountingAllocator<int>> dq;
+  dq.resize(8);
+  EXPECT_THAT(dq, ElementsAre(0, 0, 0, 0, 0, 0, 0, 0));
+  EXPECT_EQ(1u, dq.get_allocator().allocate_count());
+
+  dq.resize(10, 5);
+  EXPECT_THAT(dq, ElementsAre(0, 0, 0, 0, 0, 0, 0, 0, 5, 5));
+
+  QuicCircularDeque<int, 3, CountingAllocator<int>> dq2 = dq;
+
+  for (size_t new_size = dq.size(); new_size != 0; --new_size) {
+    dq.resize(new_size);
+    EXPECT_TRUE(
+        std::equal(dq.begin(), dq.end(), dq2.begin(), dq2.begin() + new_size));
+  }
+
+  dq.resize(0);
+  EXPECT_TRUE(dq.empty());
+
+  // Resize when data is wrapped.
+  ASSERT_EQ(dq2.size(), dq2.capacity());
+  while (dq2.size() < dq2.capacity()) {
+    dq2.push_back(5);
+  }
+
+  // Shift left once such that data is wrapped.
+  ASSERT_LT(&dq2.front(), &dq2.back());
+  dq2.pop_back();
+  dq2.push_front(-5);
+  ASSERT_GT(&dq2.front(), &dq2.back());
+
+  EXPECT_EQ(-5, dq2.front());
+  EXPECT_EQ(5, dq2.back());
+  dq2.resize(dq2.size() + 1, 10);
+
+  // Data should be unwrapped after the resize.
+  ASSERT_LT(&dq2.front(), &dq2.back());
+  EXPECT_EQ(-5, dq2.front());
+  EXPECT_EQ(10, dq2.back());
+  EXPECT_EQ(5, *(dq2.rbegin() + 1));
+}
+
+namespace {
+class Foo {
+ public:
+  Foo() : Foo(0xF00) {}
+
+  explicit Foo(int i) : i_(new int(i)) {}
+
+  ~Foo() {
+    if (i_ != nullptr) {
+      delete i_;
+      // Do not set i_ to nullptr such that if the container calls destructor
+      // multiple times, asan can detect it.
+    }
+  }
+
+  Foo(const Foo& other) : i_(new int(*other.i_)) {}
+
+  Foo(Foo&& other) = delete;
+
+  void Set(int i) { *i_ = i; }
+
+  int i() const { return *i_; }
+
+  friend bool operator==(const Foo& lhs, const Foo& rhs) {
+    return lhs.i() == rhs.i();
+  }
+
+  friend std::ostream& operator<<(std::ostream& os, const Foo& foo) {
+    return os << "Foo(" << foo.i() << ")";
+  }
+
+ private:
+  // By pointing i_ to a dynamically allocated integer, a memory leak will be
+  // reported if the container forget to properly destruct this object.
+  int* i_ = nullptr;
+};
+}  // namespace
+
+TEST(QuicCircularDeque, RelocateNonTriviallyCopyable) {
+  // When relocating non-trivially-copyable objects:
+  // - Move constructor is preferred, if available.
+  // - Copy constructor is used otherwise.
+
+  {
+    // Move construct in Relocate.
+    typedef std::unique_ptr<Foo> MoveConstructible;
+    ASSERT_FALSE(std::is_trivially_copyable<MoveConstructible>::value);
+    ASSERT_TRUE(std::is_move_constructible<MoveConstructible>::value);
+    QuicCircularDeque<MoveConstructible, 3,
+                      CountingAllocator<MoveConstructible>>
+        dq1;
+    dq1.resize(3);
+    EXPECT_EQ(dq1.size(), dq1.capacity());
+    EXPECT_EQ(1u, dq1.get_allocator().allocate_count());
+
+    dq1.emplace_back(new Foo(0xF1));  // Cause existing elements to relocate.
+    EXPECT_EQ(4u, dq1.size());
+    EXPECT_EQ(2u, dq1.get_allocator().allocate_count());
+    EXPECT_EQ(dq1[0], nullptr);
+    EXPECT_EQ(dq1[1], nullptr);
+    EXPECT_EQ(dq1[2], nullptr);
+    EXPECT_EQ(dq1[3]->i(), 0xF1);
+  }
+
+  {
+    // Copy construct in Relocate.
+    typedef Foo NonMoveConstructible;
+    ASSERT_FALSE(std::is_trivially_copyable<NonMoveConstructible>::value);
+    ASSERT_FALSE(std::is_move_constructible<NonMoveConstructible>::value);
+    QuicCircularDeque<NonMoveConstructible, 3,
+                      CountingAllocator<NonMoveConstructible>>
+        dq2;
+    dq2.resize(3);
+    EXPECT_EQ(dq2.size(), dq2.capacity());
+    EXPECT_EQ(1u, dq2.get_allocator().allocate_count());
+
+    dq2.emplace_back(0xF1);  // Cause existing elements to relocate.
+    EXPECT_EQ(4u, dq2.size());
+    EXPECT_EQ(2u, dq2.get_allocator().allocate_count());
+    EXPECT_EQ(dq2[0].i(), 0xF00);
+    EXPECT_EQ(dq2[1].i(), 0xF00);
+    EXPECT_EQ(dq2[2].i(), 0xF00);
+    EXPECT_EQ(dq2[3].i(), 0xF1);
+  }
+}
+
+TEST(QuicCircularDeque, PushPop) {
+  // (push|pop|emplace)_(back|front)
+
+  {
+    QuicCircularDeque<Foo, 4, CountingAllocator<Foo>> dq(4);
+    for (size_t i = 0; i < dq.size(); ++i) {
+      dq[i].Set(i + 1);
+    }
+    QUIC_LOG(INFO) << "dq initialized to " << dq;
+    EXPECT_THAT(dq, ElementsAre(Foo(1), Foo(2), Foo(3), Foo(4)));
+
+    ShiftLeft(&dq, false);
+    QUIC_LOG(INFO) << "shift left once : " << dq;
+    EXPECT_THAT(dq, ElementsAre(Foo(2), Foo(3), Foo(4), Foo(1)));
+
+    ShiftLeft(&dq, true);
+    QUIC_LOG(INFO) << "shift left twice: " << dq;
+    EXPECT_THAT(dq, ElementsAre(Foo(3), Foo(4), Foo(1), Foo(2)));
+    ASSERT_GT(&dq.front(), &dq.back());
+    // dq destructs with wrapped data.
+  }
+
+  {
+    QuicCircularDeque<Foo, 4, CountingAllocator<Foo>> dq1(4);
+    for (size_t i = 0; i < dq1.size(); ++i) {
+      dq1[i].Set(i + 1);
+    }
+    QUIC_LOG(INFO) << "dq1 initialized to " << dq1;
+    EXPECT_THAT(dq1, ElementsAre(Foo(1), Foo(2), Foo(3), Foo(4)));
+
+    ShiftRight(&dq1, false);
+    QUIC_LOG(INFO) << "shift right once : " << dq1;
+    EXPECT_THAT(dq1, ElementsAre(Foo(4), Foo(1), Foo(2), Foo(3)));
+
+    ShiftRight(&dq1, true);
+    QUIC_LOG(INFO) << "shift right twice: " << dq1;
+    EXPECT_THAT(dq1, ElementsAre(Foo(3), Foo(4), Foo(1), Foo(2)));
+    ASSERT_GT(&dq1.front(), &dq1.back());
+    // dq1 destructs with wrapped data.
+  }
+
+  {  // Pop n elements from front.
+    QuicCircularDeque<Foo, 4, CountingAllocator<Foo>> dq2(5);
+    for (size_t i = 0; i < dq2.size(); ++i) {
+      dq2[i].Set(i + 1);
+    }
+    EXPECT_THAT(dq2, ElementsAre(Foo(1), Foo(2), Foo(3), Foo(4), Foo(5)));
+
+    EXPECT_EQ(2u, dq2.pop_front_n(2));
+    EXPECT_THAT(dq2, ElementsAre(Foo(3), Foo(4), Foo(5)));
+
+    EXPECT_EQ(3u, dq2.pop_front_n(100));
+    EXPECT_TRUE(dq2.empty());
+  }
+
+  {  // Pop n elements from back.
+    QuicCircularDeque<Foo, 4, CountingAllocator<Foo>> dq3(6);
+    for (size_t i = 0; i < dq3.size(); ++i) {
+      dq3[i].Set(i + 1);
+    }
+    EXPECT_THAT(dq3,
+                ElementsAre(Foo(1), Foo(2), Foo(3), Foo(4), Foo(5), Foo(6)));
+
+    ShiftRight(&dq3, true);
+    ShiftRight(&dq3, true);
+    ShiftRight(&dq3, true);
+    EXPECT_THAT(dq3,
+                ElementsAre(Foo(4), Foo(5), Foo(6), Foo(1), Foo(2), Foo(3)));
+
+    EXPECT_EQ(2u, dq3.pop_back_n(2));
+    EXPECT_THAT(dq3, ElementsAre(Foo(4), Foo(5), Foo(6), Foo(1)));
+
+    EXPECT_EQ(2u, dq3.pop_back_n(2));
+    EXPECT_THAT(dq3, ElementsAre(Foo(4), Foo(5)));
+  }
+}
+
+TEST(QuicCircularDeque, Allocation) {
+  CountingAllocator<int> alloc;
+
+  {
+    QuicCircularDeque<int, 3, CountingAllocator<int>> dq(alloc);
+    EXPECT_EQ(alloc, dq.get_allocator());
+    EXPECT_EQ(0u, dq.size());
+    EXPECT_EQ(0u, dq.capacity());
+    EXPECT_EQ(0u, alloc.allocate_count());
+    EXPECT_EQ(0u, alloc.deallocate_count());
+
+    for (int i = 1; i <= 18; ++i) {
+      SCOPED_TRACE(testing::Message()
+                   << "i=" << i << ", capacity_b4_push=" << dq.capacity());
+      dq.push_back(i);
+      EXPECT_EQ(i, static_cast<int>(dq.size()));
+
+      const size_t capacity = 3 + (i - 1) / 3 * 3;
+      EXPECT_EQ(capacity, dq.capacity());
+      EXPECT_EQ(capacity / 3, alloc.allocate_count());
+      EXPECT_EQ(capacity / 3 - 1, alloc.deallocate_count());
+    }
+
+    dq.push_back(19);
+    EXPECT_EQ(22u, dq.capacity());  // 18 + 18 / 4
+    EXPECT_EQ(7u, alloc.allocate_count());
+    EXPECT_EQ(6u, alloc.deallocate_count());
+  }
+
+  EXPECT_EQ(7u, alloc.deallocate_count());
+}
+
+}  // namespace test
+}  // namespace quic
+
+// Use a non-quic namespace to make sure swap can be used via ADL.
+namespace {
+
+template <typename T>
+using SwappableAllocator = quic::test::ConfigurableAllocator<
+    T,
+    /*propagate_on_copy_assignment=*/std::true_type,
+    /*propagate_on_move_assignment=*/std::true_type,
+    /*propagate_on_swap=*/std::true_type,
+    /*equality_result=*/true>;
+
+template <typename T>
+using UnswappableEqualAllocator = quic::test::ConfigurableAllocator<
+    T,
+    /*propagate_on_copy_assignment=*/std::true_type,
+    /*propagate_on_move_assignment=*/std::true_type,
+    /*propagate_on_swap=*/std::false_type,
+    /*equality_result=*/true>;
+
+template <typename T>
+using UnswappableUnequalAllocator = quic::test::ConfigurableAllocator<
+    T,
+    /*propagate_on_copy_assignment=*/std::true_type,
+    /*propagate_on_move_assignment=*/std::true_type,
+    /*propagate_on_swap=*/std::false_type,
+    /*equality_result=*/false>;
+
+TEST(QuicCircularDeque, Swap) {
+  using std::swap;
+
+  quic::QuicCircularDeque<int64_t, 3, SwappableAllocator<int64_t>> dq1, dq2;
+  dq1.push_back(10);
+  dq1.push_back(11);
+  dq2.push_back(20);
+  swap(dq1, dq2);
+  EXPECT_THAT(dq1, ElementsAre(20));
+  EXPECT_THAT(dq2, ElementsAre(10, 11));
+
+  quic::QuicCircularDeque<char, 3, UnswappableEqualAllocator<char>> dq3, dq4;
+  dq3 = {1, 2, 3, 4, 5};
+  dq4 = {6, 7, 8, 9, 0};
+  swap(dq3, dq4);
+  EXPECT_THAT(dq3, ElementsAre(6, 7, 8, 9, 0));
+  EXPECT_THAT(dq4, ElementsAre(1, 2, 3, 4, 5));
+
+  quic::QuicCircularDeque<int, 3, UnswappableUnequalAllocator<int>> dq5, dq6;
+  dq6.push_front(4);
+
+  // Using UnswappableUnequalAllocator is ok as long as swap is not called.
+  dq5.assign(dq6.begin(), dq6.end());
+  EXPECT_THAT(dq5, ElementsAre(4));
+
+  // Undefined behavior to swap between two containers with unequal allocators.
+  EXPECT_QUIC_DEBUG_DEATH(swap(dq5, dq6), "Undefined swap behavior");
+}
+}  // namespace
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_coalesced_packet.cc b/chromium/net/third_party/quiche/src/quic/core/quic_coalesced_packet.cc
new file mode 100644
index 00000000000..3dd9b24a4a4
--- /dev/null
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_coalesced_packet.cc
@@ -0,0 +1,119 @@
+// Copyright (c) 2019 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "net/third_party/quiche/src/quic/core/quic_coalesced_packet.h"
+
+#include "net/third_party/quiche/src/quic/platform/api/quic_bug_tracker.h"
+#include "net/third_party/quiche/src/quic/platform/api/quic_ptr_util.h"
+
+namespace quic {
+
+QuicCoalescedPacket::QuicCoalescedPacket()
+    : length_(0), max_packet_length_(0) {}
+
+QuicCoalescedPacket::~QuicCoalescedPacket() {
+  Clear();
+}
+
+bool QuicCoalescedPacket::MaybeCoalescePacket(
+    const SerializedPacket& packet,
+    const QuicSocketAddress& self_address,
+    const QuicSocketAddress& peer_address,
+    QuicBufferAllocator* allocator,
+    QuicPacketLength current_max_packet_length) {
+  if (packet.encrypted_length == 0) {
+    QUIC_BUG << "Trying to coalesce an empty packet";
+    return true;
+  }
+  if (length_ == 0) {
+#ifndef NDEBUG
+    for (const auto& buffer : encrypted_buffers_) {
+      DCHECK(buffer.empty());
+    }
+#endif
+    DCHECK(initial_packet_ == nullptr);
+    // This is the first packet, set max_packet_length and self/peer
+    // addresses.
+    max_packet_length_ = current_max_packet_length;
+    self_address_ = self_address;
+    peer_address_ = peer_address;
+  } else {
+    if (self_address_ != self_address || peer_address_ != peer_address) {
+      // Do not coalesce packet with different self/peer addresses.
+      QUIC_DLOG(INFO)
+          << "Cannot coalesce packet because self/peer address changed";
+      return false;
+    }
+    if (max_packet_length_ != current_max_packet_length) {
+      QUIC_BUG << "Max packet length changes in the middle of the write path";
+      return false;
+    }
+    if (!encrypted_buffers_[packet.encryption_level].empty() ||
+        (packet.encryption_level == ENCRYPTION_INITIAL &&
+         initial_packet_ != nullptr)) {
+      // Do not coalesce packets of the same encryption level.
+      return false;
+    }
+  }
+
+  if (length_ + packet.encrypted_length > max_packet_length_) {
+    // Packet does not fit.
+    return false;
+  }
+  QUIC_DVLOG(1) << "Successfully coalesced packet: encryption_level: "
+                << EncryptionLevelToString(packet.encryption_level)
+                << ", encrypted_length: " << packet.encrypted_length
+                << ", current length: " << length_
+                << ", max_packet_length: " << max_packet_length_;
+  if (length_ > 0) {
+    QUIC_CODE_COUNT(QUIC_SUCCESSFULLY_COALESCED_MULTIPLE_PACKETS);
+  }
+  length_ += packet.encrypted_length;
+  if (packet.encryption_level == ENCRYPTION_INITIAL) {
+    // Save a copy of ENCRYPTION_INITIAL packet (excluding encrypted buffer, as
+    // the packet will be re-serialized later).
+    initial_packet_ = QuicWrapUnique<SerializedPacket>(
+        CopySerializedPacket(packet, allocator, /*copy_buffer=*/false));
+    return true;
+  }
+  // Copy encrypted buffer of packets with other encryption levels.
+  encrypted_buffers_[packet.encryption_level] =
+      std::string(packet.encrypted_buffer, packet.encrypted_length);
+  return true;
+}
+
+void QuicCoalescedPacket::Clear() {
+  self_address_ = QuicSocketAddress();
+  peer_address_ = QuicSocketAddress();
+  length_ = 0;
+  max_packet_length_ = 0;
+  for (auto& packet : encrypted_buffers_) {
+    packet.clear();
+  }
+  if (initial_packet_ != nullptr) {
+    ClearSerializedPacket(initial_packet_.get());
+  }
+  initial_packet_ = nullptr;
+}
+
+bool QuicCoalescedPacket::CopyEncryptedBuffers(char* buffer,
+                                               size_t buffer_len,
+                                               size_t* length_copied) const {
+  *length_copied = 0;
+  for (const auto& packet : encrypted_buffers_) {
+    if (packet.empty()) {
+      continue;
+    }
+    if (packet.length() > buffer_len) {
+      return false;
+    }
+    memcpy(buffer, packet.data(), packet.length());
+    buffer += packet.length();
+    buffer_len -= packet.length();
+    *length_copied += packet.length();
+  }
+  return true;
+}
+
+}  // namespace quic
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_coalesced_packet.h b/chromium/net/third_party/quiche/src/quic/core/quic_coalesced_packet.h
new file mode 100644
index 00000000000..f03f87544b9
--- /dev/null
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_coalesced_packet.h
@@ -0,0 +1,72 @@
+// Copyright (c) 2019 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef QUICHE_QUIC_CORE_QUIC_COALESCED_PACKET_H_
+#define QUICHE_QUIC_CORE_QUIC_COALESCED_PACKET_H_
+
+#include "net/third_party/quiche/src/quic/core/quic_packets.h"
+
+namespace quic {
+
+// QuicCoalescedPacket is used to buffer multiple packets which can be coalesced
+// into the same UDP datagram.
+class QUIC_EXPORT_PRIVATE QuicCoalescedPacket {
+ public:
+  QuicCoalescedPacket();
+  ~QuicCoalescedPacket();
+
+  // Returns true if |packet| is successfully coalesced with existing packets.
+  // Returns false otherwise.
+  bool MaybeCoalescePacket(const SerializedPacket& packet,
+                           const QuicSocketAddress& self_address,
+                           const QuicSocketAddress& peer_address,
+                           QuicBufferAllocator* allocator,
+                           QuicPacketLength current_max_packet_length);
+
+  // Clears this coalesced packet.
+  void Clear();
+
+  // Copies encrypted_buffers_ to |buffer| and sets |length_copied| to the
+  // copied amount. Returns false if copy fails (i.e., |buffer_len| is not
+  // enough).
+  bool CopyEncryptedBuffers(char* buffer,
+                            size_t buffer_len,
+                            size_t* length_copied) const;
+
+  const SerializedPacket* initial_packet() const {
+    return initial_packet_.get();
+  }
+
+  const QuicSocketAddress& self_address() const { return self_address_; }
+
+  const QuicSocketAddress& peer_address() const { return peer_address_; }
+
+  QuicPacketLength length() const { return length_; }
+
+  QuicPacketLength max_packet_length() const { return max_packet_length_; }
+
+ private:
+  // self/peer addresses are set when trying to coalesce the first packet.
+  // Packets with different self/peer addresses cannot be coalesced.
+  QuicSocketAddress self_address_;
+  QuicSocketAddress peer_address_;
+  // Length of this coalesced packet.
+  QuicPacketLength length_;
+  // Max packet length. Do not try to coalesce packet when max packet length
+  // changes (e.g., with MTU discovery).
+  QuicPacketLength max_packet_length_;
+  // Copies of packets' encrypted buffers according to different encryption
+  // levels.
+  std::string encrypted_buffers_[NUM_ENCRYPTION_LEVELS];
+
+  // A copy of ENCRYPTION_INITIAL packet if this coalesced packet contains one.
+  // Null otherwise. Please note, the encrypted_buffer field is not copied. The
+  // frames are copied to allow it be re-serialized when this coalesced packet
+  // gets sent.
+  std::unique_ptr<SerializedPacket> initial_packet_;
+};
+
+}  // namespace quic
+
+#endif  // QUICHE_QUIC_CORE_QUIC_COALESCED_PACKET_H_
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_coalesced_packet_test.cc b/chromium/net/third_party/quiche/src/quic/core/quic_coalesced_packet_test.cc
new file mode 100644
index 00000000000..8213480bf91
--- /dev/null
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_coalesced_packet_test.cc
@@ -0,0 +1,114 @@
+// Copyright (c) 2019 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "net/third_party/quiche/src/quic/core/quic_coalesced_packet.h"
+
+#include "net/third_party/quiche/src/quic/platform/api/quic_expect_bug.h"
+#include "net/third_party/quiche/src/quic/platform/api/quic_test.h"
+#include "net/third_party/quiche/src/quic/test_tools/quic_test_utils.h"
+
+namespace quic {
+namespace test {
+namespace {
+
+TEST(QuicCoalescedPacketTest, MaybeCoalescePacket) {
+  QuicCoalescedPacket coalesced;
+  SimpleBufferAllocator allocator;
+  EXPECT_EQ(0u, coalesced.length());
+  char buffer[1000];
+  QuicSocketAddress self_address(QuicIpAddress::Loopback4(), 1);
+  QuicSocketAddress peer_address(QuicIpAddress::Loopback4(), 2);
+  SerializedPacket packet1(QuicPacketNumber(1), PACKET_4BYTE_PACKET_NUMBER,
+                           buffer, 500, false, false);
+  QuicAckFrame ack_frame(InitAckFrame(1));
+  packet1.nonretransmittable_frames.push_back(QuicFrame(&ack_frame));
+  packet1.retransmittable_frames.push_back(
+      QuicFrame(QuicStreamFrame(1, true, 0, 100)));
+  ASSERT_TRUE(coalesced.MaybeCoalescePacket(packet1, self_address, peer_address,
+                                            &allocator, 1500));
+  EXPECT_EQ(1500u, coalesced.max_packet_length());
+  EXPECT_EQ(500u, coalesced.length());
+
+  // Cannot coalesce packet of the same encryption level.
+  SerializedPacket packet2(QuicPacketNumber(2), PACKET_4BYTE_PACKET_NUMBER,
+                           buffer, 500, false, false);
+  EXPECT_FALSE(coalesced.MaybeCoalescePacket(packet2, self_address,
+                                             peer_address, &allocator, 1500));
+
+  SerializedPacket packet3(QuicPacketNumber(3), PACKET_4BYTE_PACKET_NUMBER,
+                           buffer, 500, false, false);
+  packet3.nonretransmittable_frames.push_back(QuicFrame(QuicPaddingFrame(100)));
+  packet3.encryption_level = ENCRYPTION_ZERO_RTT;
+  ASSERT_TRUE(coalesced.MaybeCoalescePacket(packet3, self_address, peer_address,
+                                            &allocator, 1500));
+  EXPECT_EQ(1500u, coalesced.max_packet_length());
+  EXPECT_EQ(1000u, coalesced.length());
+
+  SerializedPacket packet4(QuicPacketNumber(4), PACKET_4BYTE_PACKET_NUMBER,
+                           buffer, 500, false, false);
+  packet4.encryption_level = ENCRYPTION_FORWARD_SECURE;
+  // Cannot coalesce packet of changed self/peer address.
+  EXPECT_FALSE(coalesced.MaybeCoalescePacket(
+      packet4, QuicSocketAddress(QuicIpAddress::Loopback4(), 3), peer_address,
+      &allocator, 1500));
+
+  // Packet does not fit.
+  SerializedPacket packet5(QuicPacketNumber(5), PACKET_4BYTE_PACKET_NUMBER,
+                           buffer, 501, false, false);
+  packet5.encryption_level = ENCRYPTION_FORWARD_SECURE;
+  EXPECT_FALSE(coalesced.MaybeCoalescePacket(packet5, self_address,
+                                             peer_address, &allocator, 1500));
+  EXPECT_EQ(1500u, coalesced.max_packet_length());
+  EXPECT_EQ(1000u, coalesced.length());
+
+  // Max packet number length changed.
+  SerializedPacket packet6(QuicPacketNumber(6), PACKET_4BYTE_PACKET_NUMBER,
+                           buffer, 100, false, false);
+  packet6.encryption_level = ENCRYPTION_FORWARD_SECURE;
+  EXPECT_QUIC_BUG(coalesced.MaybeCoalescePacket(packet6, self_address,
+                                                peer_address, &allocator, 1000),
+                  "Max packet length changes in the middle of the write path");
+  EXPECT_EQ(1500u, coalesced.max_packet_length());
+  EXPECT_EQ(1000u, coalesced.length());
+}
+
+TEST(QuicCoalescedPacketTest, CopyEncryptedBuffers) {
+  QuicCoalescedPacket coalesced;
+  SimpleBufferAllocator allocator;
+  QuicSocketAddress self_address(QuicIpAddress::Loopback4(), 1);
+  QuicSocketAddress peer_address(QuicIpAddress::Loopback4(), 2);
+  std::string buffer(500, 'a');
+  std::string buffer2(500, 'b');
+  SerializedPacket packet1(QuicPacketNumber(1), PACKET_4BYTE_PACKET_NUMBER,
+                           buffer.data(), 500,
+                           /*has_ack=*/false, /*has_stop_waiting=*/false);
+  packet1.encryption_level = ENCRYPTION_ZERO_RTT;
+  SerializedPacket packet2(QuicPacketNumber(2), PACKET_4BYTE_PACKET_NUMBER,
+                           buffer2.data(), 500,
+                           /*has_ack=*/false, /*has_stop_waiting=*/false);
+  packet2.encryption_level = ENCRYPTION_FORWARD_SECURE;
+
+  ASSERT_TRUE(coalesced.MaybeCoalescePacket(packet1, self_address, peer_address,
+                                            &allocator, 1500));
+  ASSERT_TRUE(coalesced.MaybeCoalescePacket(packet2, self_address, peer_address,
+                                            &allocator, 1500));
+  EXPECT_EQ(1000u, coalesced.length());
+
+  char copy_buffer[1000];
+  size_t length_copied = 0;
+  EXPECT_FALSE(
+      coalesced.CopyEncryptedBuffers(copy_buffer, 900, &length_copied));
+  ASSERT_TRUE(
+      coalesced.CopyEncryptedBuffers(copy_buffer, 1000, &length_copied));
+  EXPECT_EQ(1000u, length_copied);
+  char expected[1000];
+  memset(expected, 'a', 500);
+  memset(expected + 500, 'b', 500);
+  test::CompareCharArraysWithHexError("copied buffers", copy_buffer,
+                                      length_copied, expected, 1000);
+}
+
+}  // namespace
+}  // namespace test
+}  // namespace quic
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_config.cc b/chromium/net/third_party/quiche/src/quic/core/quic_config.cc
index a3840ec8e9b..3d8fe3fa318 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_config.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_config.cc
@@ -420,7 +420,9 @@ QuicConfig::QuicConfig()
       stateless_reset_token_(kSRST, PRESENCE_OPTIONAL),
       max_incoming_unidirectional_streams_(kMIUS, PRESENCE_OPTIONAL),
       max_ack_delay_ms_(kMAD, PRESENCE_OPTIONAL),
-      ack_delay_exponent_(kADE, PRESENCE_OPTIONAL) {
+      ack_delay_exponent_(kADE, PRESENCE_OPTIONAL),
+      max_packet_size_(0, PRESENCE_OPTIONAL),
+      max_datagram_frame_size_(0, PRESENCE_OPTIONAL) {
   SetDefaults();
 }
 
@@ -579,6 +581,39 @@ uint32_t QuicConfig::ReceivedAckDelayExponent() const {
   return ack_delay_exponent_.GetReceivedValue();
 }
 
+void QuicConfig::SetMaxPacketSizeToSend(uint32_t max_packet_size) {
+  max_packet_size_.SetSendValue(max_packet_size);
+}
+
+uint32_t QuicConfig::GetMaxPacketSizeToSend() const {
+  return max_packet_size_.GetSendValue();
+}
+
+bool QuicConfig::HasReceivedMaxPacketSize() const {
+  return max_packet_size_.HasReceivedValue();
+}
+
+uint32_t QuicConfig::ReceivedMaxPacketSize() const {
+  return max_packet_size_.GetReceivedValue();
+}
+
+void QuicConfig::SetMaxDatagramFrameSizeToSend(
+    uint32_t max_datagram_frame_size) {
+  max_datagram_frame_size_.SetSendValue(max_datagram_frame_size);
+}
+
+uint32_t QuicConfig::GetMaxDatagramFrameSizeToSend() const {
+  return max_datagram_frame_size_.GetSendValue();
+}
+
+bool QuicConfig::HasReceivedMaxDatagramFrameSize() const {
+  return max_datagram_frame_size_.HasReceivedValue();
+}
+
+uint32_t QuicConfig::ReceivedMaxDatagramFrameSize() const {
+  return max_datagram_frame_size_.GetReceivedValue();
+}
+
 bool QuicConfig::HasSetBytesForConnectionIdToSend() const {
   return bytes_for_connection_id_.HasSendValue();
 }
@@ -806,6 +841,8 @@ void QuicConfig::SetDefaults() {
   SetMaxAckDelayToSendMs(kDefaultDelayedAckTimeMs);
   SetSupportMaxHeaderListSize();
   SetAckDelayExponentToSend(kDefaultAckDelayExponent);
+  SetMaxPacketSizeToSend(kMaxIncomingPacketSize);
+  SetMaxDatagramFrameSizeToSend(kMaxAcceptedDatagramFrameSize);
 }
 
 void QuicConfig::ToHandshakeMessage(
@@ -921,7 +958,8 @@ bool QuicConfig::FillTransportParameters(TransportParameters* params) const {
             sizeof(stateless_reset_token));
   }
 
-  params->max_packet_size.set_value(kMaxIncomingPacketSize);
+  params->max_packet_size.set_value(GetMaxPacketSizeToSend());
+  params->max_datagram_frame_size.set_value(GetMaxDatagramFrameSizeToSend());
   params->initial_max_data.set_value(
       GetInitialSessionFlowControlWindowToSend());
   // The max stream data bidirectional transport parameters can be either local
@@ -1008,10 +1046,19 @@ QuicErrorCode QuicConfig::ProcessTransportParameters(
     stateless_reset_token_.SetReceivedValue(stateless_reset_token);
   }
 
-  if (params.max_packet_size.value() < kMaxOutgoingPacketSize) {
+  if (params.max_packet_size.IsValid()) {
+    max_packet_size_.SetReceivedValue(params.max_packet_size.value());
+    if (ReceivedMaxPacketSize() < kMaxOutgoingPacketSize) {
+      // TODO(dschinazi) act on this.
+      QUIC_DLOG(ERROR) << "Ignoring peer's requested max packet size of "
+                       << ReceivedMaxPacketSize();
+    }
+  }
+
+  if (params.max_datagram_frame_size.IsValid()) {
+    max_datagram_frame_size_.SetReceivedValue(
+        params.max_datagram_frame_size.value());
     // TODO(dschinazi) act on this.
-    QUIC_DLOG(ERROR) << "Ignoring peer's requested max packet size of "
-                     << params.max_packet_size.value();
   }
 
   initial_session_flow_control_window_bytes_.SetReceivedValue(
@@ -1048,8 +1095,9 @@ QuicErrorCode QuicConfig::ProcessTransportParameters(
   if (params.ack_delay_exponent.IsValid()) {
     ack_delay_exponent_.SetReceivedValue(params.ack_delay_exponent.value());
   }
-  connection_migration_disabled_.SetReceivedValue(
-      params.disable_migration ? 1u : 0u);
+  if (params.disable_migration) {
+    connection_migration_disabled_.SetReceivedValue(1u);
+  }
 
   if (params.preferred_address != nullptr) {
     if (params.preferred_address->ipv6_socket_address.port() != 0) {
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_config.h b/chromium/net/third_party/quiche/src/quic/core/quic_config.h
index ecece2ae49f..de78d40144a 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_config.h
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_config.h
@@ -456,6 +456,18 @@ class QUIC_EXPORT_PRIVATE QuicConfig {
   bool HasReceivedAckDelayExponent() const;
   uint32_t ReceivedAckDelayExponent() const;
 
+  // IETF QUIC max_packet_size transport parameter.
+  void SetMaxPacketSizeToSend(uint32_t max_packet_size);
+  uint32_t GetMaxPacketSizeToSend() const;
+  bool HasReceivedMaxPacketSize() const;
+  uint32_t ReceivedMaxPacketSize() const;
+
+  // IETF QUIC max_datagram_frame_size transport parameter.
+  void SetMaxDatagramFrameSizeToSend(uint32_t max_datagram_frame_size);
+  uint32_t GetMaxDatagramFrameSizeToSend() const;
+  bool HasReceivedMaxDatagramFrameSize() const;
+  uint32_t ReceivedMaxDatagramFrameSize() const;
+
   bool negotiated() const;
 
   void SetCreateSessionTagIndicators(QuicTagVector tags);
@@ -573,6 +585,12 @@ class QUIC_EXPORT_PRIVATE QuicConfig {
   // to serialize frames and this node uses to deserialize them.
   QuicFixedUint32 ack_delay_exponent_;
 
+  // max_packet_size IETF QUIC transport parameter.
+  QuicFixedUint32 max_packet_size_;
+
+  // max_datagram_frame_size IETF QUIC transport parameter.
+  QuicFixedUint32 max_datagram_frame_size_;
+
   // Custom transport parameters that can be sent and received in the TLS
   // handshake.
   TransportParameters::ParameterMap custom_transport_parameters_to_send_;
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_config_test.cc b/chromium/net/third_party/quiche/src/quic/core/quic_config_test.cc
index e0eb304a945..69ce78de0fd 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_config_test.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_config_test.cc
@@ -21,6 +21,9 @@ namespace quic {
 namespace test {
 namespace {
 
+const uint32_t kMaxPacketSizeForTest = 1234;
+const uint32_t kMaxDatagramFrameSizeForTest = 1333;
+
 class QuicConfigTest : public QuicTestWithParam<QuicTransportVersion> {
  protected:
   QuicConfig config_;
@@ -47,6 +50,8 @@ TEST_P(QuicConfigTest, SetDefaults) {
   EXPECT_FALSE(
       config_.HasReceivedInitialMaxStreamDataBytesOutgoingBidirectional());
   EXPECT_FALSE(config_.HasReceivedInitialMaxStreamDataBytesUnidirectional());
+  EXPECT_EQ(kMaxIncomingPacketSize, config_.GetMaxPacketSizeToSend());
+  EXPECT_FALSE(config_.HasReceivedMaxPacketSize());
 }
 
 TEST_P(QuicConfigTest, AutoSetIetfFlowControl) {
@@ -91,15 +96,15 @@ TEST_P(QuicConfigTest, ToHandshakeMessage) {
 
   uint32_t value;
   QuicErrorCode error = msg.GetUint32(kICSL, &value);
-  EXPECT_EQ(QUIC_NO_ERROR, error);
+  EXPECT_THAT(error, IsQuicNoError());
   EXPECT_EQ(5u, value);
 
   error = msg.GetUint32(kSFCW, &value);
-  EXPECT_EQ(QUIC_NO_ERROR, error);
+  EXPECT_THAT(error, IsQuicNoError());
   EXPECT_EQ(kInitialStreamFlowControlWindowForTest, value);
 
   error = msg.GetUint32(kCFCW, &value);
-  EXPECT_EQ(QUIC_NO_ERROR, error);
+  EXPECT_THAT(error, IsQuicNoError());
   EXPECT_EQ(kInitialSessionFlowControlWindowForTest, value);
 }
 
@@ -137,7 +142,7 @@ TEST_P(QuicConfigTest, ProcessClientHello) {
   EXPECT_FALSE(
       config_.SetInitialReceivedConnectionOptions(initial_received_options))
       << "You cannot set initial options after the hello.";
-  EXPECT_EQ(QUIC_NO_ERROR, error);
+  EXPECT_THAT(error, IsQuicNoError());
   EXPECT_TRUE(config_.negotiated());
   EXPECT_EQ(QuicTime::Delta::FromSeconds(kMaximumIdleTimeoutSecs),
             config_.IdleNetworkTimeout());
@@ -191,7 +196,7 @@ TEST_P(QuicConfigTest, ProcessServerHello) {
   std::string error_details;
   const QuicErrorCode error =
       config_.ProcessPeerHello(msg, SERVER, &error_details);
-  EXPECT_EQ(QUIC_NO_ERROR, error);
+  EXPECT_THAT(error, IsQuicNoError());
   EXPECT_TRUE(config_.negotiated());
   EXPECT_EQ(QuicTime::Delta::FromSeconds(kMaximumIdleTimeoutSecs / 2),
             config_.IdleNetworkTimeout());
@@ -231,7 +236,7 @@ TEST_P(QuicConfigTest, MissingOptionalValuesInCHLO) {
   std::string error_details;
   const QuicErrorCode error =
       config_.ProcessPeerHello(msg, CLIENT, &error_details);
-  EXPECT_EQ(QUIC_NO_ERROR, error);
+  EXPECT_THAT(error, IsQuicNoError());
   EXPECT_TRUE(config_.negotiated());
 }
 
@@ -246,7 +251,7 @@ TEST_P(QuicConfigTest, MissingOptionalValuesInSHLO) {
   std::string error_details;
   const QuicErrorCode error =
       config_.ProcessPeerHello(msg, SERVER, &error_details);
-  EXPECT_EQ(QUIC_NO_ERROR, error);
+  EXPECT_THAT(error, IsQuicNoError());
   EXPECT_TRUE(config_.negotiated());
 }
 
@@ -256,7 +261,7 @@ TEST_P(QuicConfigTest, MissingValueInCHLO) {
   std::string error_details;
   const QuicErrorCode error =
       config_.ProcessPeerHello(msg, CLIENT, &error_details);
-  EXPECT_EQ(QUIC_CRYPTO_MESSAGE_PARAMETER_NOT_FOUND, error);
+  EXPECT_THAT(error, IsError(QUIC_CRYPTO_MESSAGE_PARAMETER_NOT_FOUND));
 }
 
 TEST_P(QuicConfigTest, MissingValueInSHLO) {
@@ -265,7 +270,7 @@ TEST_P(QuicConfigTest, MissingValueInSHLO) {
   std::string error_details;
   const QuicErrorCode error =
       config_.ProcessPeerHello(msg, SERVER, &error_details);
-  EXPECT_EQ(QUIC_CRYPTO_MESSAGE_PARAMETER_NOT_FOUND, error);
+  EXPECT_THAT(error, IsError(QUIC_CRYPTO_MESSAGE_PARAMETER_NOT_FOUND));
 }
 
 TEST_P(QuicConfigTest, OutOfBoundSHLO) {
@@ -279,7 +284,7 @@ TEST_P(QuicConfigTest, OutOfBoundSHLO) {
   std::string error_details;
   const QuicErrorCode error =
       config_.ProcessPeerHello(msg, SERVER, &error_details);
-  EXPECT_EQ(QUIC_INVALID_NEGOTIATED_VALUE, error);
+  EXPECT_THAT(error, IsError(QUIC_INVALID_NEGOTIATED_VALUE));
 }
 
 TEST_P(QuicConfigTest, InvalidFlowControlWindow) {
@@ -309,7 +314,7 @@ TEST_P(QuicConfigTest, HasClientSentConnectionOption) {
   std::string error_details;
   const QuicErrorCode error =
       config_.ProcessPeerHello(msg, CLIENT, &error_details);
-  EXPECT_EQ(QUIC_NO_ERROR, error);
+  EXPECT_THAT(error, IsQuicNoError());
   EXPECT_TRUE(config_.negotiated());
 
   EXPECT_TRUE(config_.HasReceivedConnectionOptions());
@@ -330,7 +335,7 @@ TEST_P(QuicConfigTest, DontSendClientConnectionOptions) {
   std::string error_details;
   const QuicErrorCode error =
       config_.ProcessPeerHello(msg, CLIENT, &error_details);
-  EXPECT_EQ(QUIC_NO_ERROR, error);
+  EXPECT_THAT(error, IsQuicNoError());
   EXPECT_TRUE(config_.negotiated());
 
   EXPECT_FALSE(config_.HasReceivedConnectionOptions());
@@ -357,7 +362,7 @@ TEST_P(QuicConfigTest, HasClientRequestedIndependentOption) {
   std::string error_details;
   const QuicErrorCode error =
       config_.ProcessPeerHello(msg, CLIENT, &error_details);
-  EXPECT_EQ(QUIC_NO_ERROR, error);
+  EXPECT_THAT(error, IsQuicNoError());
   EXPECT_TRUE(config_.negotiated());
 
   EXPECT_TRUE(config_.HasReceivedConnectionOptions());
@@ -377,8 +382,9 @@ TEST_P(QuicConfigTest, IncomingLargeIdleTimeoutTransportParameter) {
   params.idle_timeout_milliseconds.set_value(120000);
 
   std::string error_details = "foobar";
-  EXPECT_EQ(QUIC_NO_ERROR,
-            config_.ProcessTransportParameters(params, SERVER, &error_details));
+  EXPECT_THAT(
+      config_.ProcessTransportParameters(params, SERVER, &error_details),
+      IsQuicNoError());
   EXPECT_EQ("", error_details);
   EXPECT_EQ(quic::QuicTime::Delta::FromSeconds(60),
             config_.IdleNetworkTimeout());
@@ -391,6 +397,8 @@ TEST_P(QuicConfigTest, FillTransportParams) {
       3 * kMinimumFlowControlSendWindow);
   config_.SetInitialMaxStreamDataBytesUnidirectionalToSend(
       4 * kMinimumFlowControlSendWindow);
+  config_.SetMaxPacketSizeToSend(kMaxPacketSizeForTest);
+  config_.SetMaxDatagramFrameSizeToSend(kMaxDatagramFrameSizeForTest);
 
   TransportParameters params;
   config_.FillTransportParameters(&params);
@@ -404,6 +412,10 @@ TEST_P(QuicConfigTest, FillTransportParams) {
 
   EXPECT_EQ(static_cast<uint64_t>(kMaximumIdleTimeoutSecs * 1000),
             params.idle_timeout_milliseconds.value());
+
+  EXPECT_EQ(kMaxPacketSizeForTest, params.max_packet_size.value());
+  EXPECT_EQ(kMaxDatagramFrameSizeForTest,
+            params.max_datagram_frame_size.value());
 }
 
 TEST_P(QuicConfigTest, ProcessTransportParametersServer) {
@@ -415,10 +427,13 @@ TEST_P(QuicConfigTest, ProcessTransportParametersServer) {
       3 * kMinimumFlowControlSendWindow);
   params.initial_max_stream_data_uni.set_value(4 *
                                                kMinimumFlowControlSendWindow);
+  params.max_packet_size.set_value(kMaxPacketSizeForTest);
+  params.max_datagram_frame_size.set_value(kMaxDatagramFrameSizeForTest);
 
   std::string error_details;
-  EXPECT_EQ(QUIC_NO_ERROR,
-            config_.ProcessTransportParameters(params, SERVER, &error_details));
+  EXPECT_THAT(
+      config_.ProcessTransportParameters(params, SERVER, &error_details),
+      IsQuicNoError());
 
   ASSERT_TRUE(
       config_.HasReceivedInitialMaxStreamDataBytesIncomingBidirectional());
@@ -433,6 +448,25 @@ TEST_P(QuicConfigTest, ProcessTransportParametersServer) {
   ASSERT_TRUE(config_.HasReceivedInitialMaxStreamDataBytesUnidirectional());
   EXPECT_EQ(4 * kMinimumFlowControlSendWindow,
             config_.ReceivedInitialMaxStreamDataBytesUnidirectional());
+
+  ASSERT_TRUE(config_.HasReceivedMaxPacketSize());
+  EXPECT_EQ(kMaxPacketSizeForTest, config_.ReceivedMaxPacketSize());
+
+  ASSERT_TRUE(config_.HasReceivedMaxDatagramFrameSize());
+  EXPECT_EQ(kMaxDatagramFrameSizeForTest,
+            config_.ReceivedMaxDatagramFrameSize());
+
+  EXPECT_FALSE(config_.DisableConnectionMigration());
+}
+
+TEST_P(QuicConfigTest, DisableMigrationTransportParameter) {
+  TransportParameters params;
+  params.disable_migration = true;
+  std::string error_details;
+  EXPECT_THAT(
+      config_.ProcessTransportParameters(params, SERVER, &error_details),
+      IsQuicNoError());
+  EXPECT_TRUE(config_.DisableConnectionMigration());
 }
 
 }  // namespace
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_connection.cc b/chromium/net/third_party/quiche/src/quic/core/quic_connection.cc
index cb2409592a0..9349bf234fd 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_connection.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_connection.cc
@@ -24,8 +24,6 @@
 #include "net/third_party/quiche/src/quic/core/quic_config.h"
 #include "net/third_party/quiche/src/quic/core/quic_connection_id.h"
 #include "net/third_party/quiche/src/quic/core/quic_error_codes.h"
-#include "net/third_party/quiche/src/quic/core/quic_packet_generator.h"
-#include "net/third_party/quiche/src/quic/core/quic_pending_retransmission.h"
 #include "net/third_party/quiche/src/quic/core/quic_types.h"
 #include "net/third_party/quiche/src/quic/core/quic_utils.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_bug_tracker.h"
@@ -180,6 +178,17 @@ class ProcessUndecryptablePacketsAlarmDelegate : public QuicAlarm::Delegate {
   QuicConnection* connection_;
 };
 
+// When the clearer goes out of scope, the coalesced packet gets cleared.
+class ScopedCoalescedPacketClearer {
+ public:
+  explicit ScopedCoalescedPacketClearer(QuicCoalescedPacket* coalesced)
+      : coalesced_(coalesced) {}
+  ~ScopedCoalescedPacketClearer() { coalesced_->Clear(); }
+
+ private:
+  QuicCoalescedPacket* coalesced_;  // Unowned.
+};
+
 // Whether this incoming packet is allowed to replace our connection ID.
 bool PacketCanReplaceConnectionId(const QuicPacketHeader& header,
                                   Perspective perspective) {
@@ -256,7 +265,8 @@ QuicConnection::QuicConnection(
       pending_retransmission_alarm_(false),
       defer_send_in_response_to_packets_(false),
       ping_timeout_(QuicTime::Delta::FromSeconds(kPingTimeoutSecs)),
-      retransmittable_on_wire_timeout_(QuicTime::Delta::Infinite()),
+      initial_retransmittable_on_wire_timeout_(QuicTime::Delta::Infinite()),
+      consecutive_retransmittable_on_wire_ping_count_(0),
       arena_(),
       ack_alarm_(alarm_factory_->CreateAlarm(arena_.New<AckAlarmDelegate>(this),
                                              &arena_)),
@@ -283,10 +293,7 @@ QuicConnection::QuicConnection(
           &arena_)),
       visitor_(nullptr),
       debug_visitor_(nullptr),
-      packet_generator_(server_connection_id_,
-                        &framer_,
-                        random_generator_,
-                        this),
+      packet_creator_(server_connection_id_, &framer_, random_generator_, this),
       idle_network_timeout_(QuicTime::Delta::Infinite()),
       handshake_timeout_(QuicTime::Delta::Infinite()),
       time_of_first_packet_sent_after_receiving_(QuicTime::Zero()),
@@ -301,10 +308,7 @@ QuicConnection::QuicConnection(
       perspective_(perspective),
       connected_(true),
       can_truncate_connection_ids_(perspective == Perspective::IS_SERVER),
-      mtu_discovery_target_(0),
       mtu_probe_count_(0),
-      packets_between_mtu_probes_(kPacketsBetweenMtuProbesBase),
-      next_mtu_probe_at_(kPacketsBetweenMtuProbesBase),
       largest_received_packet_size_(0),
       write_error_occurred_(false),
       no_stop_waiting_frames_(
@@ -326,10 +330,11 @@ QuicConnection::QuicConnection(
       bytes_received_before_address_validation_(0),
       bytes_sent_before_address_validation_(0),
       address_validated_(false),
-      skip_packet_number_for_pto_(false),
-      treat_queued_packets_as_sent_(
-          GetQuicReloadableFlag(quic_treat_queued_packets_as_sent)),
-      mtu_discovery_v2_(GetQuicReloadableFlag(quic_mtu_discovery_v2)) {
+      quic_version_negotiated_by_default_at_server_(
+          GetQuicReloadableFlag(quic_version_negotiated_by_default_at_server)),
+      use_handshake_delegate_(
+          GetQuicReloadableFlag(quic_use_handshaker_delegate) ||
+          version().handshake_protocol == PROTOCOL_TLS1_3) {
   QUIC_DLOG(INFO) << ENDPOINT << "Created connection with server connection ID "
                   << server_connection_id
                   << " and version: " << ParsedQuicVersionToString(version());
@@ -339,6 +344,9 @@ QuicConnection::QuicConnection(
       << "QuicConnection: attempted to use server connection ID "
       << server_connection_id << " which is invalid with version "
       << QuicVersionToString(transport_version());
+  if (use_handshake_delegate_) {
+    QUIC_RELOADABLE_FLAG_COUNT(quic_use_handshaker_delegate);
+  }
 
   framer_.set_visitor(this);
   stats_.connection_creation_time = clock_->ApproximateNow();
@@ -356,20 +364,23 @@ QuicConnection::QuicConnection(
                          ? kDefaultServerMaxPacketSize
                          : kDefaultMaxPacketSize);
   uber_received_packet_manager_.set_max_ack_ranges(255);
-  MaybeEnableSessionDecidesWhatToWrite();
+  if (version().SupportsAntiAmplificationLimit()) {
+    sent_packet_manager_.EnableIetfPtoAndLossDetection();
+  }
   MaybeEnableMultiplePacketNumberSpacesSupport();
   DCHECK(perspective_ == Perspective::IS_CLIENT ||
          supported_versions.size() == 1);
   InstallInitialCrypters(server_connection_id_);
+
+  if (quic_version_negotiated_by_default_at_server() &&
+      perspective_ == Perspective::IS_SERVER) {
+    QUIC_RELOADABLE_FLAG_COUNT(quic_version_negotiated_by_default_at_server);
+    version_negotiated_ = true;
+    framer_.InferPacketHeaderTypeFromVersion();
+  }
 }
 
 void QuicConnection::InstallInitialCrypters(QuicConnectionId connection_id) {
-  if (!framer_.framer_doesnt_create_initial_encrypter() &&
-      !version().UsesInitialObfuscators() &&
-      version().handshake_protocol != PROTOCOL_TLS1_3) {
-    // Initial crypters are currently only supported with TLS.
-    return;
-  }
   CrypterPair crypters;
   CryptoUtils::CreateInitialObfuscators(perspective_, version(), connection_id,
                                         &crypters);
@@ -389,15 +400,6 @@ QuicConnection::~QuicConnection() {
 }
 
 void QuicConnection::ClearQueuedPackets() {
-  for (auto it = queued_packets_.begin(); it != queued_packets_.end(); ++it) {
-    // Delete the buffer before calling ClearSerializedPacket, which sets
-    // encrypted_buffer to nullptr.
-    DCHECK(!treat_queued_packets_as_sent_);
-    delete[] it->encrypted_buffer;
-    ClearSerializedPacket(&(*it));
-  }
-  queued_packets_.clear();
-
   buffered_packets_.clear();
 }
 
@@ -418,17 +420,18 @@ void QuicConnection::SetFromConfig(const QuicConfig& config) {
   sent_packet_manager_.SetFromConfig(config);
   if (config.HasReceivedBytesForConnectionId() &&
       can_truncate_connection_ids_) {
-    packet_generator_.SetServerConnectionIdLength(
+    packet_creator_.SetServerConnectionIdLength(
         config.ReceivedBytesForConnectionId());
   }
   max_undecryptable_packets_ = config.max_undecryptable_packets();
 
-  if (config.HasClientSentConnectionOption(kMTUH, perspective_)) {
+  if (config.HasClientRequestedIndependentOption(kMTUH, perspective_)) {
     SetMtuDiscoveryTarget(kMtuDiscoveryTargetPacketSizeHigh);
   }
-  if (config.HasClientSentConnectionOption(kMTUL, perspective_)) {
+  if (config.HasClientRequestedIndependentOption(kMTUL, perspective_)) {
     SetMtuDiscoveryTarget(kMtuDiscoveryTargetPacketSizeLow);
   }
+
   if (debug_visitor_ != nullptr) {
     debug_visitor_->OnSetFromConfig(config);
   }
@@ -443,16 +446,11 @@ void QuicConnection::SetFromConfig(const QuicConfig& config) {
     }
     if (config.HasClientSentConnectionOption(k7PTO, perspective_)) {
       max_consecutive_ptos_ = 6;
-      QUIC_RELOADABLE_FLAG_COUNT_N(quic_enable_pto, 3, 4);
+      QUIC_RELOADABLE_FLAG_COUNT_N(quic_enable_pto, 3, 8);
     }
     if (config.HasClientSentConnectionOption(k8PTO, perspective_)) {
       max_consecutive_ptos_ = 7;
-      QUIC_RELOADABLE_FLAG_COUNT_N(quic_enable_pto, 4, 4);
-    }
-    if (GetQuicReloadableFlag(quic_skip_packet_number_for_pto) &&
-        config.HasClientSentConnectionOption(kPTOS, perspective_)) {
-      QUIC_RELOADABLE_FLAG_COUNT(quic_skip_packet_number_for_pto);
-      skip_packet_number_for_pto_ = true;
+      QUIC_RELOADABLE_FLAG_COUNT_N(quic_enable_pto, 4, 8);
     }
   }
   if (config.HasClientSentConnectionOption(kNSTP, perspective_)) {
@@ -506,11 +504,9 @@ void QuicConnection::SetMaxPacingRate(QuicBandwidth max_pacing_rate) {
   sent_packet_manager_.SetMaxPacingRate(max_pacing_rate);
 }
 
-void QuicConnection::AdjustNetworkParameters(QuicBandwidth bandwidth,
-                                             QuicTime::Delta rtt,
-                                             bool allow_cwnd_to_decrease) {
-  sent_packet_manager_.AdjustNetworkParameters(bandwidth, rtt,
-                                               allow_cwnd_to_decrease);
+void QuicConnection::AdjustNetworkParameters(
+    const SendAlgorithmInterface::NetworkParams& params) {
+  sent_packet_manager_.AdjustNetworkParameters(params);
 }
 
 QuicBandwidth QuicConnection::MaxPacingRate() const {
@@ -657,8 +653,8 @@ void QuicConnection::OnRetryPacket(QuicConnectionId original_connection_id,
                   << ", received token "
                   << QuicTextUtils::HexEncode(retry_token);
   server_connection_id_ = new_connection_id;
-  packet_generator_.SetServerConnectionId(server_connection_id_);
-  packet_generator_.SetRetryToken(retry_token);
+  packet_creator_.SetServerConnectionId(server_connection_id_);
+  packet_creator_.SetRetryToken(retry_token);
 
   // Reinstall initial crypters because the connection ID changed.
   InstallInitialCrypters(server_connection_id_);
@@ -751,7 +747,7 @@ bool QuicConnection::OnUnauthenticatedHeader(const QuicPacketHeader& header) {
              GetServerConnectionIdAsRecipient(header, perspective_)) ||
          PacketCanReplaceConnectionId(header, perspective_));
 
-  if (packet_generator_.HasPendingFrames()) {
+  if (packet_creator_.HasPendingFrames()) {
     // Incoming packets may change a queued ACK frame.
     const std::string error_details =
         "Pending frames must be serialized before incoming packets are "
@@ -762,32 +758,41 @@ bool QuicConnection::OnUnauthenticatedHeader(const QuicPacketHeader& header) {
     return false;
   }
 
-  if (!version_negotiated_ && perspective_ == Perspective::IS_SERVER) {
-    if (!header.version_flag) {
-      // Packets should have the version flag till version negotiation is
-      // done.
-      std::string error_details =
-          QuicStrCat(ENDPOINT, "Packet ", header.packet_number.ToUint64(),
-                     " without version flag before version negotiated.");
-      QUIC_DLOG(WARNING) << error_details;
-      CloseConnection(QUIC_INVALID_VERSION, error_details,
-                      ConnectionCloseBehavior::SEND_CONNECTION_CLOSE_PACKET);
-      return false;
-    } else {
-      DCHECK_EQ(header.version, version());
-      version_negotiated_ = true;
-      framer_.InferPacketHeaderTypeFromVersion();
-      visitor_->OnSuccessfulVersionNegotiation(version());
-      if (debug_visitor_ != nullptr) {
-        debug_visitor_->OnSuccessfulVersionNegotiation(version());
+  if (!quic_version_negotiated_by_default_at_server()) {
+    if (!version_negotiated_ && perspective_ == Perspective::IS_SERVER) {
+      if (!header.version_flag) {
+        // Packets should have the version flag till version negotiation is
+        // done.
+        std::string error_details =
+            QuicStrCat(ENDPOINT, "Packet ", header.packet_number.ToUint64(),
+                       " without version flag before version negotiated.");
+        QUIC_DLOG(WARNING) << error_details;
+        CloseConnection(QUIC_INVALID_VERSION, error_details,
+                        ConnectionCloseBehavior::SEND_CONNECTION_CLOSE_PACKET);
+        return false;
+      } else {
+        DCHECK_EQ(header.version, version());
+        version_negotiated_ = true;
+        framer_.InferPacketHeaderTypeFromVersion();
+        visitor_->OnSuccessfulVersionNegotiation(version());
+        if (debug_visitor_ != nullptr) {
+          debug_visitor_->OnSuccessfulVersionNegotiation(version());
+        }
       }
+      DCHECK(version_negotiated_);
     }
-    DCHECK(version_negotiated_);
   }
 
   return true;
 }
 
+void QuicConnection::OnSuccessfulVersionNegotiation() {
+  visitor_->OnSuccessfulVersionNegotiation(version());
+  if (debug_visitor_ != nullptr) {
+    debug_visitor_->OnSuccessfulVersionNegotiation(version());
+  }
+}
+
 void QuicConnection::OnDecryptedPacket(EncryptionLevel level) {
   last_decrypted_packet_level_ = level;
   last_packet_decrypted_ = true;
@@ -797,6 +802,11 @@ void QuicConnection::OnDecryptedPacket(EncryptionLevel level) {
     address_validated_ = true;
   }
 
+  if (use_handshake_delegate_) {
+    visitor_->OnPacketDecrypted(level);
+    return;
+  }
+
   // Once the server receives a forward secure packet, the handshake is
   // confirmed.
   if (level == ENCRYPTION_FORWARD_SECURE &&
@@ -909,6 +919,7 @@ bool QuicConnection::OnStreamFrame(const QuicStreamFrame& frame) {
   visitor_->OnStreamFrame(frame);
   stats_.stream_bytes_received += frame.data_length;
   should_last_packet_instigate_acks_ = true;
+  consecutive_retransmittable_on_wire_ping_count_ = 0;
   return connected_;
 }
 
@@ -955,7 +966,11 @@ bool QuicConnection::OnAckFrameStart(QuicPacketNumber largest_acked,
       largest_acked > GetLargestSentPacket()) {
     QUIC_DLOG(WARNING) << ENDPOINT
                        << "Peer's observed unsent packet:" << largest_acked
-                       << " vs " << GetLargestSentPacket();
+                       << " vs " << GetLargestSentPacket()
+                       << ". SupportsMultiplePacketNumberSpaces():"
+                       << SupportsMultiplePacketNumberSpaces()
+                       << ", last_decrypted_packet_level_:"
+                       << last_decrypted_packet_level_;
     // We got an ack for data we have not sent.
     CloseConnection(QUIC_INVALID_ACK_DATA, "Largest observed too high.",
                     ConnectionCloseBehavior::SEND_CONNECTION_CLOSE_PACKET);
@@ -1040,12 +1055,8 @@ bool QuicConnection::OnAckFrameEnd(QuicPacketNumber start) {
   // If the incoming ack's packets set expresses received packets: peer is still
   // acking packets which we never care about.
   // Send an ack to raise the high water mark.
-  bool send_stop_waiting = GetLeastUnacked() > start;
-  if (GetQuicReloadableFlag(quic_simplify_stop_waiting) &&
-      no_stop_waiting_frames_) {
-    QUIC_RELOADABLE_FLAG_COUNT(quic_simplify_stop_waiting);
-    send_stop_waiting = false;
-  }
+  const bool send_stop_waiting =
+      no_stop_waiting_frames_ ? false : GetLeastUnacked() > start;
   PostProcessAfterAckFrame(send_stop_waiting,
                            ack_result == PACKETS_NEWLY_ACKED);
   processing_ack_frame_ = false;
@@ -1298,9 +1309,7 @@ bool QuicConnection::OnWindowUpdateFrame(const QuicWindowUpdateFrame& frame) {
   if (debug_visitor_ != nullptr) {
     debug_visitor_->OnWindowUpdateFrame(frame, time_of_last_received_packet_);
   }
-  QUIC_DVLOG(1) << ENDPOINT << "WINDOW_UPDATE_FRAME received for stream: "
-                << frame.stream_id
-                << " with byte offset: " << frame.byte_offset;
+  QUIC_DVLOG(1) << ENDPOINT << "WINDOW_UPDATE_FRAME received " << frame;
   visitor_->OnWindowUpdateFrame(frame);
   should_last_packet_instigate_acks_ = true;
   return connected_;
@@ -1562,7 +1571,7 @@ void QuicConnection::SendVersionNegotiationPacket(bool ietf_quic,
                          framer_.supported_versions())
                   << "}, " << (ietf_quic ? "" : "!") << "ietf_quic";
   std::unique_ptr<QuicEncryptedPacket> version_packet(
-      packet_generator_.SerializeVersionNegotiationPacket(
+      packet_creator_.SerializeVersionNegotiationPacket(
           ietf_quic, has_length_prefix, framer_.supported_versions()));
   QUIC_DVLOG(2) << ENDPOINT << "Sending version negotiation packet: {"
                 << ParsedQuicVersionVectorToString(framer_.supported_versions())
@@ -1599,7 +1608,7 @@ size_t QuicConnection::SendCryptoData(EncryptionLevel level,
     return 0;
   }
   ScopedPacketFlusher flusher(this);
-  return packet_generator_.ConsumeCryptoData(level, write_length, offset);
+  return packet_creator_.ConsumeCryptoData(level, write_length, offset);
 }
 
 QuicConsumedData QuicConnection::SendStreamData(QuicStreamId id,
@@ -1617,7 +1626,7 @@ QuicConsumedData QuicConnection::SendStreamData(QuicStreamId id,
   // packet (a handshake packet from client to server could result in a REJ or a
   // SHLO from the server, leading to two different decrypters at the server.)
   ScopedPacketFlusher flusher(this);
-  return packet_generator_.ConsumeData(id, write_length, offset, state);
+  return packet_creator_.ConsumeData(id, write_length, offset, state);
 }
 
 bool QuicConnection::SendControlFrame(const QuicFrame& frame) {
@@ -1635,14 +1644,14 @@ bool QuicConnection::SendControlFrame(const QuicFrame& frame) {
   }
   ScopedPacketFlusher flusher(this);
   const bool consumed =
-      packet_generator_.ConsumeRetransmittableControlFrame(frame);
+      packet_creator_.ConsumeRetransmittableControlFrame(frame);
   if (!consumed) {
     QUIC_DVLOG(1) << ENDPOINT << "Failed to send control frame: " << frame;
     return false;
   }
   if (frame.type == PING_FRAME) {
     // Flush PING frame immediately.
-    packet_generator_.FlushAllQueuedFrames();
+    packet_creator_.FlushCurrentPacket();
     if (debug_visitor_ != nullptr) {
       debug_visitor_->OnPingSent();
     }
@@ -1661,32 +1670,9 @@ void QuicConnection::OnStreamReset(QuicStreamId id,
     return;
   }
   // Flush stream frames of reset stream.
-  if (packet_generator_.HasPendingStreamFramesOfStream(id)) {
+  if (packet_creator_.HasPendingStreamFramesOfStream(id)) {
     ScopedPacketFlusher flusher(this);
-    packet_generator_.FlushAllQueuedFrames();
-  }
-
-  sent_packet_manager_.CancelRetransmissionsForStream(id);
-  // Remove all queued packets which only contain data for the reset stream.
-  // TODO(fayang): consider removing this because it should be rarely executed.
-  auto packet_iterator = queued_packets_.begin();
-  while (packet_iterator != queued_packets_.end()) {
-    QuicFrames* retransmittable_frames =
-        &packet_iterator->retransmittable_frames;
-    if (retransmittable_frames->empty()) {
-      ++packet_iterator;
-      continue;
-    }
-    // NOTE THAT RemoveFramesForStream removes only STREAM frames
-    // for the specified stream.
-    RemoveFramesForStream(retransmittable_frames, id);
-    if (!retransmittable_frames->empty()) {
-      ++packet_iterator;
-      continue;
-    }
-    delete[] packet_iterator->encrypted_buffer;
-    ClearSerializedPacket(&(*packet_iterator));
-    packet_iterator = queued_packets_.erase(packet_iterator);
+    packet_creator_.FlushCurrentPacket();
   }
   // TODO(ianswett): Consider checking for 3 RTOs when the last stream is
   // cancelled as well.
@@ -1707,7 +1693,11 @@ const QuicConnectionStats& QuicConnection::GetStats() {
   stats_.srtt_us = srtt.ToMicroseconds();
 
   stats_.estimated_bandwidth = sent_packet_manager_.BandwidthEstimate();
-  stats_.max_packet_size = packet_generator_.GetCurrentMaxPacketLength();
+  if (GetQuicReloadableFlag(quic_log_ack_aggregation_stats)) {
+    QUIC_RELOADABLE_FLAG_COUNT(quic_log_ack_aggregation_stats);
+    sent_packet_manager_.GetSendAlgorithm()->PopulateConnectionStats(&stats_);
+  }
+  stats_.max_packet_size = packet_creator_.max_packet_length();
   stats_.max_received_packet_size = largest_received_packet_size_;
   return stats_;
 }
@@ -1879,9 +1869,6 @@ void QuicConnection::OnCanWrite() {
       SendAck();
     }
   }
-  if (!session_decides_what_to_write()) {
-    WritePendingRetransmissions();
-  }
 
   WriteNewData();
 }
@@ -1949,7 +1936,7 @@ bool QuicConnection::ProcessValidatedPacket(const QuicPacketHeader& header) {
                     << server_connection_id_ << " with "
                     << header.source_connection_id;
     server_connection_id_ = header.source_connection_id;
-    packet_generator_.SetServerConnectionId(server_connection_id_);
+    packet_creator_.SetServerConnectionId(server_connection_id_);
   }
 
   if (!ValidateReceivedPacketNumber(header.packet_number)) {
@@ -1964,13 +1951,10 @@ bool QuicConnection::ProcessValidatedPacket(const QuicPacketHeader& header) {
         // it should stop sending version since the version negotiation is done.
         // IETF QUIC stops sending version once encryption level switches to
         // forward secure.
-        packet_generator_.StopSendingVersion();
+        packet_creator_.StopSendingVersion();
       }
       version_negotiated_ = true;
-      visitor_->OnSuccessfulVersionNegotiation(version());
-      if (debug_visitor_ != nullptr) {
-        debug_visitor_->OnSuccessfulVersionNegotiation(version());
-      }
+      OnSuccessfulVersionNegotiation();
     }
   }
 
@@ -1980,7 +1964,7 @@ bool QuicConnection::ProcessValidatedPacket(const QuicPacketHeader& header) {
 
   if (perspective_ == Perspective::IS_SERVER &&
       encryption_level_ == ENCRYPTION_INITIAL &&
-      last_size_ > packet_generator_.GetCurrentMaxPacketLength()) {
+      last_size_ > packet_creator_.max_packet_length()) {
     SetMaxPacketLength(last_size_);
   }
   return true;
@@ -2015,37 +1999,9 @@ void QuicConnection::WriteQueuedPackets() {
   }
 
   QUIC_CLIENT_HISTOGRAM_COUNTS("QuicSession.NumQueuedPacketsBeforeWrite",
-                               queued_packets_.size(), 1, 1000, 50, "");
-  while (!queued_packets_.empty()) {
-    DCHECK(!treat_queued_packets_as_sent_);
-    // WritePacket() can potentially clear all queued packets, so we need to
-    // save the first queued packet to a local variable before calling it.
-    SerializedPacket packet(std::move(queued_packets_.front()));
-    queued_packets_.pop_front();
-
-    const bool write_result = WritePacket(&packet);
-
-    if (connected_ && !write_result) {
-      // Write failed but connection is open, re-insert |packet| into the
-      // front of the queue, it will be retried later.
-      queued_packets_.emplace_front(std::move(packet));
-      break;
-    }
-
-    delete[] packet.encrypted_buffer;
-    ClearSerializedPacket(&packet);
-    if (!connected_) {
-      DCHECK(queued_packets_.empty()) << "Queued packets should have been "
-                                         "cleared while closing connection";
-      break;
-    }
-
-    // Continue to send the next packet in queue.
-  }
+                               buffered_packets_.size(), 1, 1000, 50, "");
 
   while (!buffered_packets_.empty()) {
-    DCHECK(treat_queued_packets_as_sent_);
-    QUIC_RELOADABLE_FLAG_COUNT_N(quic_treat_queued_packets_as_sent, 1, 3);
     if (HandleWriteBlocked()) {
       break;
     }
@@ -2054,7 +2010,7 @@ void QuicConnection::WriteQueuedPackets() {
         packet.encrypted_buffer.data(), packet.encrypted_buffer.length(),
         packet.self_address.host(), packet.peer_address, per_packet_options_);
     QUIC_DVLOG(1) << ENDPOINT << "Sending buffered packet, result: " << result;
-    if (mtu_discovery_v2_ && IsMsgTooBig(result) &&
+    if (IsMsgTooBig(result) &&
         packet.encrypted_buffer.length() > long_term_mtu_) {
       // When MSG_TOO_BIG is returned, the system typically knows what the
       // actual MTU is, so there is no need to probe further.
@@ -2078,35 +2034,6 @@ void QuicConnection::WriteQueuedPackets() {
   }
 }
 
-void QuicConnection::WritePendingRetransmissions() {
-  DCHECK(!session_decides_what_to_write());
-  // Keep writing as long as there's a pending retransmission which can be
-  // written.
-  while (sent_packet_manager_.HasPendingRetransmissions() &&
-         CanWrite(HAS_RETRANSMITTABLE_DATA)) {
-    const QuicPendingRetransmission pending =
-        sent_packet_manager_.NextPendingRetransmission();
-
-    // Re-packetize the frames with a new packet number for retransmission.
-    // Retransmitted packets use the same packet number length as the
-    // original.
-    // Flush the packet generator before making a new packet.
-    // TODO(ianswett): Implement ReserializeAllFrames as a separate path that
-    // does not require the creator to be flushed.
-    // TODO(fayang): FlushAllQueuedFrames should only be called once, and should
-    // be moved outside of the loop. Also, CanWrite is not checked after the
-    // generator is flushed.
-    {
-      ScopedPacketFlusher flusher(this);
-      packet_generator_.FlushAllQueuedFrames();
-    }
-    DCHECK(!packet_generator_.HasPendingFrames());
-    char buffer[kMaxOutgoingPacketSize];
-    packet_generator_.ReserializeAllFrames(pending, buffer,
-                                           kMaxOutgoingPacketSize);
-  }
-}
-
 void QuicConnection::SendProbingRetransmissions() {
   while (sent_packet_manager_.GetSendAlgorithm()->ShouldSendProbingPacket() &&
          CanWrite(HAS_RETRANSMITTABLE_DATA)) {
@@ -2115,11 +2042,6 @@ void QuicConnection::SendProbingRetransmissions() {
           << "Cannot send probing retransmissions: nothing to retransmit.";
       break;
     }
-
-    if (!session_decides_what_to_write()) {
-      DCHECK(sent_packet_manager_.HasPendingRetransmissions());
-      WritePendingRetransmissions();
-    }
   }
 }
 
@@ -2187,8 +2109,7 @@ bool QuicConnection::CanWrite(HasRetransmittableData retransmittable) {
     return false;
   }
 
-  if (session_decides_what_to_write() &&
-      sent_packet_manager_.pending_timer_transmission_count() > 0) {
+  if (sent_packet_manager_.pending_timer_transmission_count() > 0) {
     // Force sending the retransmissions for HANDSHAKE, TLP, RTO, PROBING cases.
     return true;
   }
@@ -2238,21 +2159,16 @@ bool QuicConnection::WritePacket(SerializedPacket* packet) {
     QUIC_BUG << "Attempt to write packet:" << packet->packet_number
              << " after:" << sent_packet_manager_.GetLargestSentPacket();
     QUIC_CLIENT_HISTOGRAM_COUNTS("QuicSession.NumQueuedPacketsAtOutOfOrder",
-                                 queued_packets_.size(), 1, 1000, 50, "");
+                                 buffered_packets_.size(), 1, 1000, 50, "");
     CloseConnection(QUIC_INTERNAL_ERROR, "Packet written out of order.",
                     ConnectionCloseBehavior::SEND_CONNECTION_CLOSE_PACKET);
     return true;
   }
-  SerializedPacketFate fate = DeterminePacketFate();
+  SerializedPacketFate fate = DeterminePacketFate(
+      /*is_mtu_discovery=*/packet->encrypted_length > long_term_mtu_);
   // Termination packets are encrypted and saved, so don't exit early.
   const bool is_termination_packet = IsTerminationPacket(*packet);
-  if (!treat_queued_packets_as_sent_ && HandleWriteBlocked() &&
-      !is_termination_packet) {
-    return false;
-  }
-
   QuicPacketNumber packet_number = packet->packet_number;
-
   QuicPacketLength encrypted_length = packet->encrypted_length;
   // Termination packets are eventually owned by TimeWaitListManager.
   // Others are deleted at the end of this call.
@@ -2265,18 +2181,13 @@ bool QuicConnection::WritePacket(SerializedPacket* packet) {
     char* buffer_copy = CopyBuffer(*packet);
     termination_packets_->emplace_back(
         new QuicEncryptedPacket(buffer_copy, encrypted_length, true));
-    // This assures we won't try to write *forced* packets when blocked.
-    // Return true to stop processing.
-    if (!treat_queued_packets_as_sent_ && HandleWriteBlocked()) {
-      return true;
-    }
   }
 
   const bool looks_like_mtu_probe = packet->retransmittable_frames.empty() &&
                                     packet->encrypted_length > long_term_mtu_;
   DCHECK_LE(encrypted_length, kMaxOutgoingPacketSize);
   if (!looks_like_mtu_probe) {
-    DCHECK_LE(encrypted_length, packet_generator_.GetCurrentMaxPacketLength());
+    DCHECK_LE(encrypted_length, packet_creator_.max_packet_length());
   }
   QUIC_DVLOG(1) << ENDPOINT << "Sending packet " << packet_number << " : "
                 << (IsRetransmittable(*packet) == HAS_RETRANSMITTABLE_DATA
@@ -2284,7 +2195,8 @@ bool QuicConnection::WritePacket(SerializedPacket* packet) {
                         : " ack only ")
                 << ", encryption level: "
                 << EncryptionLevelToString(packet->encryption_level)
-                << ", encrypted length:" << encrypted_length;
+                << ", encrypted length:" << encrypted_length
+                << ", fate: " << SerializedPacketFateToString(fate);
   QUIC_DVLOG(2) << ENDPOINT << "packet(" << packet_number << "): " << std::endl
                 << QuicTextUtils::HexDump(QuicStringPiece(
                        packet->encrypted_buffer, encrypted_length));
@@ -2307,11 +2219,36 @@ bool QuicConnection::WritePacket(SerializedPacket* packet) {
   WriteResult result(WRITE_STATUS_OK, encrypted_length);
   switch (fate) {
     case COALESCE:
-      DCHECK(false);
+      QUIC_BUG_IF(!version().CanSendCoalescedPackets());
+      if (!coalesced_packet_.MaybeCoalescePacket(
+              *packet, self_address(), peer_address(),
+              helper_->GetStreamSendBufferAllocator(),
+              packet_creator_.max_packet_length())) {
+        // Failed to coalesce packet, flush current coalesced packet.
+        if (!FlushCoalescedPacket()) {
+          // Failed to flush coalesced packet, write error has been handled.
+          return false;
+        }
+        if (!coalesced_packet_.MaybeCoalescePacket(
+                *packet, self_address(), peer_address(),
+                helper_->GetStreamSendBufferAllocator(),
+                packet_creator_.max_packet_length())) {
+          // Failed to coalesce packet even it is the only packet, raise a write
+          // error.
+          QUIC_DLOG(ERROR) << ENDPOINT << "Failed to coalesce packet";
+          result.error_code = WRITE_STATUS_FAILED_TO_COALESCE_PACKET;
+          break;
+        }
+      }
+      if (coalesced_packet_.length() < coalesced_packet_.max_packet_length()) {
+        QUIC_DVLOG(1) << ENDPOINT << "Trying to set soft max packet length to "
+                      << coalesced_packet_.max_packet_length() -
+                             coalesced_packet_.length();
+        packet_creator_.SetSoftMaxPacketLength(
+            coalesced_packet_.max_packet_length() - coalesced_packet_.length());
+      }
       break;
     case BUFFER:
-      DCHECK(treat_queued_packets_as_sent_);
-      QUIC_RELOADABLE_FLAG_COUNT_N(quic_treat_queued_packets_as_sent, 2, 3);
       QUIC_DVLOG(1) << ENDPOINT << "Adding packet: " << packet->packet_number
                     << " to buffered packets";
       buffered_packets_.emplace_back(*packet, self_address(), peer_address());
@@ -2321,6 +2258,11 @@ bool QuicConnection::WritePacket(SerializedPacket* packet) {
                                     self_address().host(), peer_address(),
                                     per_packet_options_);
       break;
+    case FAILED_TO_WRITE_COALESCED_PACKET:
+      // Failed to send existing coalesced packet when determining packet fate,
+      // write error has been handled.
+      QUIC_BUG_IF(!version().CanSendCoalescedPackets());
+      return false;
     default:
       DCHECK(false);
       break;
@@ -2341,31 +2283,22 @@ bool QuicConnection::WritePacket(SerializedPacket* packet) {
     // duplicate packet being sent.  The helper must call OnCanWrite
     // when the write completes, and OnWriteError if an error occurs.
     if (result.status != WRITE_STATUS_BLOCKED_DATA_BUFFERED) {
-      if (treat_queued_packets_as_sent_) {
-        QUIC_RELOADABLE_FLAG_COUNT_N(quic_treat_queued_packets_as_sent, 3, 3);
-        QUIC_DVLOG(1) << ENDPOINT << "Adding packet: " << packet->packet_number
-                      << " to buffered packets";
-        buffered_packets_.emplace_back(*packet, self_address(), peer_address());
-      } else {
-        return false;
-      }
+      QUIC_DVLOG(1) << ENDPOINT << "Adding packet: " << packet->packet_number
+                    << " to buffered packets";
+      buffered_packets_.emplace_back(*packet, self_address(), peer_address());
     }
   }
 
   // In some cases, an MTU probe can cause EMSGSIZE. This indicates that the
   // MTU discovery is permanently unsuccessful.
   if (IsMsgTooBig(result) && looks_like_mtu_probe) {
-    if (mtu_discovery_v2_) {
-      // When MSG_TOO_BIG is returned, the system typically knows what the
-      // actual MTU is, so there is no need to probe further.
-      // TODO(wub): Reduce max packet size to a safe default, or the actual MTU.
-      QUIC_DVLOG(1) << ENDPOINT << " MTU probe packet too big, size:"
-                    << packet->encrypted_length
-                    << ", long_term_mtu_:" << long_term_mtu_;
-      mtu_discoverer_.Disable();
-    } else {
-      mtu_discovery_target_ = 0;
-    }
+    // When MSG_TOO_BIG is returned, the system typically knows what the
+    // actual MTU is, so there is no need to probe further.
+    // TODO(wub): Reduce max packet size to a safe default, or the actual MTU.
+    QUIC_DVLOG(1) << ENDPOINT << " MTU probe packet too big, size:"
+                  << packet->encrypted_length
+                  << ", long_term_mtu_:" << long_term_mtu_;
+    mtu_discoverer_.Disable();
     mtu_discovery_alarm_->Cancel();
     // The write failed, but the writer is not blocked, so return true.
     return true;
@@ -2382,8 +2315,8 @@ bool QuicConnection::WritePacket(SerializedPacket* packet) {
 
   if (debug_visitor_ != nullptr) {
     // Pass the write result to the visitor.
-    debug_visitor_->OnPacketSent(*packet, packet->original_packet_number,
-                                 packet->transmission_type, packet_send_time);
+    debug_visitor_->OnPacketSent(*packet, packet->transmission_type,
+                                 packet_send_time);
   }
   if (IsRetransmittable(*packet) == HAS_RETRANSMITTABLE_DATA) {
     if (!is_path_degrading_ && !path_degrading_alarm_->IsSet()) {
@@ -2412,8 +2345,8 @@ bool QuicConnection::WritePacket(SerializedPacket* packet) {
   }
 
   const bool in_flight = sent_packet_manager_.OnPacketSent(
-      packet, packet->original_packet_number, packet_send_time,
-      packet->transmission_type, IsRetransmittable(*packet));
+      packet, packet_send_time, packet->transmission_type,
+      IsRetransmittable(*packet));
 
   if (in_flight || !retransmission_alarm_->IsSet()) {
     SetRetransmissionAlarm();
@@ -2422,7 +2355,7 @@ bool QuicConnection::WritePacket(SerializedPacket* packet) {
 
   // The packet number length must be updated after OnPacketSent, because it
   // may change the packet number length in packet.
-  packet_generator_.UpdatePacketNumberLength(
+  packet_creator_.UpdatePacketNumberLength(
       sent_packet_manager_.GetLeastUnacked(),
       sent_packet_manager_.EstimateMaxPacketsInFlight(max_packet_length()));
 
@@ -2519,6 +2452,13 @@ void QuicConnection::OnWriteError(int error_code) {
 }
 
 char* QuicConnection::GetPacketBuffer() {
+  if (version().CanSendCoalescedPackets() &&
+      sent_packet_manager_.handshake_state() <
+          QuicSentPacketManager::HANDSHAKE_CONFIRMED) {
+    // Do not use writer's packet buffer for coalesced packets which may contain
+    // multiple QUIC packets.
+    return nullptr;
+  }
   return writer_->GetNextWriteLocation(self_address().host(), peer_address());
 }
 
@@ -2542,8 +2482,7 @@ void QuicConnection::OnSerializedPacket(SerializedPacket* serialized_packet) {
     return;
   }
 
-  if (serialized_packet->retransmittable_frames.empty() &&
-      !serialized_packet->original_packet_number.IsInitialized()) {
+  if (serialized_packet->retransmittable_frames.empty()) {
     // Increment consecutive_num_packets_with_no_retransmittable_frames_ if
     // this packet is a new transmission with no retransmittable frames.
     ++consecutive_num_packets_with_no_retransmittable_frames_;
@@ -2585,10 +2524,8 @@ void QuicConnection::OnPathMtuIncreased(QuicPacketLength packet_size) {
   if (packet_size > max_packet_length()) {
     const QuicByteCount old_max_packet_length = max_packet_length();
     SetMaxPacketLength(packet_size);
-    if (mtu_discovery_v2_) {
-      mtu_discoverer_.OnMaxPacketLengthUpdated(old_max_packet_length,
-                                               max_packet_length());
-    }
+    mtu_discoverer_.OnMaxPacketLengthUpdated(old_max_packet_length,
+                                             max_packet_length());
   }
 }
 
@@ -2609,17 +2546,7 @@ void QuicConnection::SendOrQueuePacket(SerializedPacket* packet) {
     QUIC_BUG << "packet.encrypted_buffer == nullptr in to SendOrQueuePacket";
     return;
   }
-  // If there are already queued packets, queue this one immediately to ensure
-  // it's written in sequence number order.
-  if (!queued_packets_.empty() || !WritePacket(packet)) {
-    if (!treat_queued_packets_as_sent_) {
-      // Take ownership of the underlying encrypted packet.
-      packet->encrypted_buffer = CopyBuffer(*packet);
-      queued_packets_.push_back(*packet);
-      packet->retransmittable_frames.clear();
-    }
-  }
-
+  WritePacket(packet);
   ClearSerializedPacket(packet);
 }
 
@@ -2639,7 +2566,7 @@ void QuicConnection::SendAck() {
     PopulateStopWaitingFrame(&stop_waiting);
     frames.push_back(QuicFrame(stop_waiting));
   }
-  if (!packet_generator_.FlushAckFrame(frames)) {
+  if (!packet_creator_.FlushAckFrame(frames)) {
     return;
   }
   ResetAckStates();
@@ -2648,7 +2575,7 @@ void QuicConnection::SendAck() {
     return;
   }
   consecutive_num_packets_with_no_retransmittable_frames_ = 0;
-  if (packet_generator_.HasRetransmittableFrames() ||
+  if (packet_creator_.HasPendingRetransmittableFrames() ||
       visitor_->WillingAndAbleToWrite()) {
     // There are pending retransmittable frames.
     return;
@@ -2665,9 +2592,9 @@ void QuicConnection::OnPathDegradingTimeout() {
 void QuicConnection::OnRetransmissionTimeout() {
   DCHECK(!sent_packet_manager_.unacked_packets().empty() ||
          (sent_packet_manager_.handshake_mode_disabled() &&
-          !sent_packet_manager_.handshake_confirmed()));
+          !IsHandshakeComplete()));
   const QuicPacketNumber previous_created_packet_number =
-      packet_generator_.packet_number();
+      packet_creator_.packet_number();
   if (close_connection_after_five_rtos_ &&
       sent_packet_manager_.GetConsecutiveRtoCount() >= 4) {
     // Close on the 5th consecutive RTO, so after 4 previous RTOs have occurred.
@@ -2686,14 +2613,20 @@ void QuicConnection::OnRetransmissionTimeout() {
 
   const auto retransmission_mode =
       sent_packet_manager_.OnRetransmissionTimeout();
-  if (skip_packet_number_for_pto_ &&
+  if (sent_packet_manager_.skip_packet_number_for_pto() &&
       retransmission_mode == QuicSentPacketManager::PTO_MODE &&
       sent_packet_manager_.pending_timer_transmission_count() == 1) {
     // Skip a packet number when a single PTO packet is sent to elicit an
     // immediate ACK.
-    packet_generator_.SkipNPacketNumbers(
-        1, sent_packet_manager_.GetLeastUnacked(),
+    const QuicPacketCount num_packet_numbers_to_skip = 1;
+    packet_creator_.SkipNPacketNumbers(
+        num_packet_numbers_to_skip, sent_packet_manager_.GetLeastUnacked(),
         sent_packet_manager_.EstimateMaxPacketsInFlight(max_packet_length()));
+    if (GetQuicReloadableFlag(quic_on_packet_numbers_skipped) &&
+        debug_visitor_ != nullptr) {
+      QUIC_RELOADABLE_FLAG_COUNT(quic_on_packet_numbers_skipped);
+      debug_visitor_->OnNPacketNumbersSkipped(num_packet_numbers_to_skip);
+    }
   }
   WriteIfNotBlocked();
 
@@ -2712,45 +2645,42 @@ void QuicConnection::OnRetransmissionTimeout() {
     WriteIfNotBlocked();
   }
 
-  if (sent_packet_manager_.fix_rto_retransmission()) {
-    if (packet_generator_.packet_number() == previous_created_packet_number &&
-        (retransmission_mode == QuicSentPacketManager::TLP_MODE ||
-         retransmission_mode == QuicSentPacketManager::RTO_MODE ||
-         retransmission_mode == QuicSentPacketManager::PTO_MODE) &&
-        !visitor_->WillingAndAbleToWrite()) {
-      // Send PING if timer fires in RTO or PTO mode but there is no data to
-      // send.
-      // When TLP fires, either new data or tail loss probe should be sent.
-      // There is corner case where TLP fires after RTO because packets get
-      // acked. Two packets are marked RTO_RETRANSMITTED, but the first packet
-      // is retransmitted as two packets because of packet number length
-      // increases (please see QuicConnectionTest.RtoPacketAsTwo).
-      QUIC_DLOG_IF(WARNING,
-                   retransmission_mode == QuicSentPacketManager::TLP_MODE &&
-                       stats_.rto_count == 0)
-          << "No packet gets sent when timer fires in TLP mode, sending PING";
-      DCHECK_LT(0u, sent_packet_manager_.pending_timer_transmission_count());
-      visitor_->SendPing();
-    }
-    if (retransmission_mode == QuicSentPacketManager::PTO_MODE) {
-      sent_packet_manager_.AdjustPendingTimerTransmissions();
-    }
-    if (retransmission_mode != QuicSentPacketManager::LOSS_MODE) {
-      // When timer fires in TLP or RTO mode, ensure 1) at least one packet is
-      // created, or there is data to send and available credit (such that
-      // packets will be sent eventually).
-      QUIC_BUG_IF(
-          packet_generator_.packet_number() == previous_created_packet_number &&
-          (!visitor_->WillingAndAbleToWrite() ||
-           sent_packet_manager_.pending_timer_transmission_count() == 0u))
-          << "retransmission_mode: " << retransmission_mode
-          << ", packet_number: " << packet_generator_.packet_number()
-          << ", session has data to write: "
-          << visitor_->WillingAndAbleToWrite()
-          << ", writer is blocked: " << writer_->IsWriteBlocked()
-          << ", pending_timer_transmission_count: "
-          << sent_packet_manager_.pending_timer_transmission_count();
-    }
+  if (packet_creator_.packet_number() == previous_created_packet_number &&
+      (retransmission_mode == QuicSentPacketManager::TLP_MODE ||
+       retransmission_mode == QuicSentPacketManager::RTO_MODE ||
+       retransmission_mode == QuicSentPacketManager::PTO_MODE) &&
+      !visitor_->WillingAndAbleToWrite()) {
+    // Send PING if timer fires in RTO or PTO mode but there is no data to
+    // send.
+    // When TLP fires, either new data or tail loss probe should be sent.
+    // There is corner case where TLP fires after RTO because packets get
+    // acked. Two packets are marked RTO_RETRANSMITTED, but the first packet
+    // is retransmitted as two packets because of packet number length
+    // increases (please see QuicConnectionTest.RtoPacketAsTwo).
+    QUIC_DLOG_IF(WARNING,
+                 retransmission_mode == QuicSentPacketManager::TLP_MODE &&
+                     stats_.rto_count == 0)
+        << "No packet gets sent when timer fires in TLP mode, sending PING";
+    DCHECK_LT(0u, sent_packet_manager_.pending_timer_transmission_count());
+    visitor_->SendPing();
+  }
+  if (retransmission_mode == QuicSentPacketManager::PTO_MODE) {
+    sent_packet_manager_.AdjustPendingTimerTransmissions();
+  }
+  if (retransmission_mode != QuicSentPacketManager::LOSS_MODE) {
+    // When timer fires in TLP or RTO mode, ensure 1) at least one packet is
+    // created, or there is data to send and available credit (such that
+    // packets will be sent eventually).
+    QUIC_BUG_IF(packet_creator_.packet_number() ==
+                    previous_created_packet_number &&
+                (!visitor_->WillingAndAbleToWrite() ||
+                 sent_packet_manager_.pending_timer_transmission_count() == 0u))
+        << "retransmission_mode: " << retransmission_mode
+        << ", packet_number: " << packet_creator_.packet_number()
+        << ", session has data to write: " << visitor_->WillingAndAbleToWrite()
+        << ", writer is blocked: " << writer_->IsWriteBlocked()
+        << ", pending_timer_transmission_count: "
+        << sent_packet_manager_.pending_timer_transmission_count();
   }
 
   // Ensure the retransmission alarm is always set if there are unacked packets
@@ -2764,26 +2694,26 @@ void QuicConnection::OnRetransmissionTimeout() {
 
 void QuicConnection::SetEncrypter(EncryptionLevel level,
                                   std::unique_ptr<QuicEncrypter> encrypter) {
-  packet_generator_.SetEncrypter(level, std::move(encrypter));
+  packet_creator_.SetEncrypter(level, std::move(encrypter));
 }
 
 void QuicConnection::SetDiversificationNonce(
     const DiversificationNonce& nonce) {
   DCHECK_EQ(Perspective::IS_SERVER, perspective_);
-  packet_generator_.SetDiversificationNonce(nonce);
+  packet_creator_.SetDiversificationNonce(nonce);
 }
 
 void QuicConnection::SetDefaultEncryptionLevel(EncryptionLevel level) {
   QUIC_DVLOG(1) << ENDPOINT << "Setting default encryption level from "
                 << EncryptionLevelToString(encryption_level_) << " to "
                 << EncryptionLevelToString(level);
-  if (level != encryption_level_ && packet_generator_.HasPendingFrames()) {
+  if (level != encryption_level_ && packet_creator_.HasPendingFrames()) {
     // Flush all queued frames when encryption level changes.
     ScopedPacketFlusher flusher(this);
-    packet_generator_.FlushAllQueuedFrames();
+    packet_creator_.FlushCurrentPacket();
   }
   encryption_level_ = level;
-  packet_generator_.set_encryption_level(level);
+  packet_creator_.set_encryption_level(level);
 }
 
 void QuicConnection::SetDecrypter(EncryptionLevel level,
@@ -2832,13 +2762,13 @@ const QuicDecrypter* QuicConnection::alternative_decrypter() const {
 
 void QuicConnection::QueueUndecryptablePacket(
     const QuicEncryptedPacket& packet) {
-    for (const auto& saved_packet : undecryptable_packets_) {
-      if (packet.data() == saved_packet->data() &&
-          packet.length() == saved_packet->length()) {
-        QUIC_DVLOG(1) << ENDPOINT << "Not queueing known undecryptable packet";
-        return;
-      }
+  for (const auto& saved_packet : undecryptable_packets_) {
+    if (packet.data() == saved_packet->data() &&
+        packet.length() == saved_packet->length()) {
+      QUIC_DVLOG(1) << ENDPOINT << "Not queueing known undecryptable packet";
+      return;
     }
+  }
   QUIC_DVLOG(1) << ENDPOINT << "Queueing undecryptable packet.";
   undecryptable_packets_.push_back(packet.Clone());
 }
@@ -2854,7 +2784,7 @@ void QuicConnection::MaybeProcessUndecryptablePackets() {
   while (connected_ && !undecryptable_packets_.empty()) {
     // Making sure there is no pending frames when processing next undecrypted
     // packet because the queued ack frame may change.
-    packet_generator_.FlushAllQueuedFrames();
+    packet_creator_.FlushCurrentPacket();
     if (!connected_) {
       return;
     }
@@ -2888,26 +2818,28 @@ void QuicConnection::MaybeProcessUndecryptablePackets() {
 
 void QuicConnection::QueueCoalescedPacket(const QuicEncryptedPacket& packet) {
   QUIC_DVLOG(1) << ENDPOINT << "Queueing coalesced packet.";
-  coalesced_packets_.push_back(packet.Clone());
+  received_coalesced_packets_.push_back(packet.Clone());
+  ++stats_.num_coalesced_packets_received;
 }
 
 void QuicConnection::MaybeProcessCoalescedPackets() {
   bool processed = false;
-  while (connected_ && !coalesced_packets_.empty()) {
+  while (connected_ && !received_coalesced_packets_.empty()) {
     // Making sure there are no pending frames when processing the next
     // coalesced packet because the queued ack frame may change.
-    packet_generator_.FlushAllQueuedFrames();
+    packet_creator_.FlushCurrentPacket();
     if (!connected_) {
       return;
     }
 
     std::unique_ptr<QuicEncryptedPacket> packet =
-        std::move(coalesced_packets_.front());
-    coalesced_packets_.pop_front();
+        std::move(received_coalesced_packets_.front());
+    received_coalesced_packets_.pop_front();
 
     QUIC_DVLOG(1) << ENDPOINT << "Processing coalesced packet";
     if (framer_.ProcessPacket(*packet)) {
       processed = true;
+      ++stats_.num_coalesced_packets_processed;
     } else {
       // If we are unable to decrypt this packet, it might be
       // because the CHLO or SHLO packet was lost.
@@ -2942,25 +2874,76 @@ void QuicConnection::CloseConnection(
 
 void QuicConnection::SendConnectionClosePacket(QuicErrorCode error,
                                                const std::string& details) {
-  QUIC_DLOG(INFO) << ENDPOINT << "Sending connection close packet.";
-  SetDefaultEncryptionLevel(GetConnectionCloseEncryptionLevel());
-  ClearQueuedPackets();
-  // If there was a packet write error, write the smallest close possible.
+  if (!GetQuicReloadableFlag(quic_close_all_encryptions_levels2)) {
+    QUIC_DLOG(INFO) << ENDPOINT << "Sending connection close packet.";
+    SetDefaultEncryptionLevel(GetConnectionCloseEncryptionLevel());
+    if (version().CanSendCoalescedPackets()) {
+      coalesced_packet_.Clear();
+    }
+    ClearQueuedPackets();
+    // If there was a packet write error, write the smallest close possible.
+    ScopedPacketFlusher flusher(this);
+    // When multiple packet number spaces is supported, an ACK frame will be
+    // bundled when connection is not write blocked.
+    if (!SupportsMultiplePacketNumberSpaces() &&
+        error != QUIC_PACKET_WRITE_ERROR &&
+        !GetUpdatedAckFrame().ack_frame->packets.Empty()) {
+      SendAck();
+    }
+    QuicConnectionCloseFrame* frame;
+
+    frame = new QuicConnectionCloseFrame(transport_version(), error, details,
+                                         framer_.current_received_frame_type());
+    packet_creator_.ConsumeRetransmittableControlFrame(QuicFrame(frame));
+    packet_creator_.FlushCurrentPacket();
+    if (version().CanSendCoalescedPackets()) {
+      FlushCoalescedPacket();
+    }
+    ClearQueuedPackets();
+    return;
+  }
+  const EncryptionLevel current_encryption_level = encryption_level_;
   ScopedPacketFlusher flusher(this);
-  // When multiple packet number spaces is supported, an ACK frame will be
-  // bundled when connection is not write blocked.
-  if (!SupportsMultiplePacketNumberSpaces() &&
-      error != QUIC_PACKET_WRITE_ERROR &&
-      !GetUpdatedAckFrame().ack_frame->packets.Empty()) {
-    SendAck();
-  }
-  QuicConnectionCloseFrame* frame;
-
-  frame = new QuicConnectionCloseFrame(transport_version(), error, details,
-                                       framer_.current_received_frame_type());
-  packet_generator_.ConsumeRetransmittableControlFrame(QuicFrame(frame));
-  packet_generator_.FlushAllQueuedFrames();
+  QUIC_RELOADABLE_FLAG_COUNT(quic_close_all_encryptions_levels2);
+
+  // Now that the connection is being closed, discard any unsent packets
+  // so the only packets to be sent will be connection close packets.
+  if (version().CanSendCoalescedPackets()) {
+    coalesced_packet_.Clear();
+  }
+  ClearQueuedPackets();
+
+  for (EncryptionLevel level :
+       {ENCRYPTION_INITIAL, ENCRYPTION_HANDSHAKE, ENCRYPTION_ZERO_RTT,
+        ENCRYPTION_FORWARD_SECURE}) {
+    if (!framer_.HasEncrypterOfEncryptionLevel(level)) {
+      continue;
+    }
+    QUIC_DLOG(INFO) << ENDPOINT << "Sending connection close packet at level: "
+                    << EncryptionLevelToString(level);
+    SetDefaultEncryptionLevel(level);
+    // If there was a packet write error, write the smallest close possible.
+    // When multiple packet number spaces are supported, an ACK frame will
+    // be bundled by the ScopedPacketFlusher. Otherwise, an ACK must be sent
+    // explicitly.
+    if (!SupportsMultiplePacketNumberSpaces() &&
+        error != QUIC_PACKET_WRITE_ERROR &&
+        !GetUpdatedAckFrame().ack_frame->packets.Empty()) {
+      SendAck();
+    }
+    auto* frame =
+        new QuicConnectionCloseFrame(transport_version(), error, details,
+                                     framer_.current_received_frame_type());
+    packet_creator_.ConsumeRetransmittableControlFrame(QuicFrame(frame));
+    packet_creator_.FlushCurrentPacket();
+  }
+  if (version().CanSendCoalescedPackets()) {
+    FlushCoalescedPacket();
+  }
+  // Since the connection is closing, if the connection close packets were not
+  // sent, then they should be discarded.
   ClearQueuedPackets();
+  SetDefaultEncryptionLevel(current_encryption_level);
 }
 
 void QuicConnection::TearDownLocalConnectionState(
@@ -3007,24 +2990,23 @@ void QuicConnection::CancelAllAlarms() {
 }
 
 QuicByteCount QuicConnection::max_packet_length() const {
-  return packet_generator_.GetCurrentMaxPacketLength();
+  return packet_creator_.max_packet_length();
 }
 
 void QuicConnection::SetMaxPacketLength(QuicByteCount length) {
   long_term_mtu_ = length;
-  packet_generator_.SetMaxPacketLength(GetLimitedMaxPacketSize(length));
+  packet_creator_.SetMaxPacketLength(GetLimitedMaxPacketSize(length));
 }
 
 bool QuicConnection::HasQueuedData() const {
-  return pending_version_negotiation_packet_ || !queued_packets_.empty() ||
-         packet_generator_.HasPendingFrames() || !buffered_packets_.empty();
+  return pending_version_negotiation_packet_ ||
+         packet_creator_.HasPendingFrames() || !buffered_packets_.empty();
 }
 
 bool QuicConnection::CanWriteStreamData() {
   // Don't write stream data if there are negotiation or queued data packets
   // to send. Otherwise, continue and bundle as many frames as possible.
-  if (pending_version_negotiation_packet_ || !queued_packets_.empty() ||
-      !buffered_packets_.empty()) {
+  if (pending_version_negotiation_packet_ || !buffered_packets_.empty()) {
     return false;
   }
 
@@ -3129,28 +3111,52 @@ void QuicConnection::SetPingAlarm() {
     // because it is expecting a response from the server.
     return;
   }
-  if (retransmittable_on_wire_timeout_.IsInfinite() ||
+  if (initial_retransmittable_on_wire_timeout_.IsInfinite() ||
       sent_packet_manager_.HasInFlightPackets()) {
     // Extend the ping alarm.
     ping_alarm_->Update(clock_->ApproximateNow() + ping_timeout_,
                         QuicTime::Delta::FromSeconds(1));
     return;
   }
-  DCHECK_LT(retransmittable_on_wire_timeout_, ping_timeout_);
+  DCHECK_LT(initial_retransmittable_on_wire_timeout_, ping_timeout_);
+  QuicTime::Delta retransmittable_on_wire_timeout =
+      initial_retransmittable_on_wire_timeout_;
+  int max_aggressive_retransmittable_on_wire_ping_count =
+      GetQuicFlag(FLAGS_quic_max_aggressive_retransmittable_on_wire_ping_count);
+  DCHECK_LE(0, max_aggressive_retransmittable_on_wire_ping_count);
+  if (consecutive_retransmittable_on_wire_ping_count_ >
+      max_aggressive_retransmittable_on_wire_ping_count) {
+    // Exponentially back off the timeout if the number of consecutive
+    // retransmittable on wire pings has exceeds the allowance.
+    int shift = consecutive_retransmittable_on_wire_ping_count_ -
+                max_aggressive_retransmittable_on_wire_ping_count;
+    retransmittable_on_wire_timeout =
+        initial_retransmittable_on_wire_timeout_ * (1 << shift);
+  }
   // If it's already set to an earlier time, then don't update it.
   if (ping_alarm_->IsSet() &&
       ping_alarm_->deadline() <
-          clock_->ApproximateNow() + retransmittable_on_wire_timeout_) {
+          clock_->ApproximateNow() + retransmittable_on_wire_timeout) {
+    return;
+  }
+
+  if (retransmittable_on_wire_timeout < ping_timeout_) {
+    // Use a shorter timeout if there are open streams, but nothing on the wire.
+    ping_alarm_->Update(
+        clock_->ApproximateNow() + retransmittable_on_wire_timeout,
+        QuicTime::Delta::FromMilliseconds(1));
+    if (max_aggressive_retransmittable_on_wire_ping_count != 0) {
+      consecutive_retransmittable_on_wire_ping_count_++;
+    }
     return;
   }
-  // Use a shorter timeout if there are open streams, but nothing on the wire.
-  ping_alarm_->Update(
-      clock_->ApproximateNow() + retransmittable_on_wire_timeout_,
-      QuicTime::Delta::FromMilliseconds(1));
+
+  ping_alarm_->Update(clock_->ApproximateNow() + ping_timeout_,
+                      QuicTime::Delta::FromMilliseconds(1));
 }
 
 void QuicConnection::SetRetransmissionAlarm() {
-  if (packet_generator_.PacketFlusherAttached()) {
+  if (packet_creator_.PacketFlusherAttached()) {
     pending_retransmission_alarm_ = true;
     return;
   }
@@ -3175,35 +3181,11 @@ void QuicConnection::SetPathDegradingAlarm() {
 }
 
 void QuicConnection::MaybeSetMtuAlarm(QuicPacketNumber sent_packet_number) {
-  if (mtu_discovery_v2_) {
-    if (mtu_discovery_alarm_->IsSet() ||
-        !mtu_discoverer_.ShouldProbeMtu(sent_packet_number)) {
-      return;
-    }
-    mtu_discovery_alarm_->Set(clock_->ApproximateNow());
+  if (mtu_discovery_alarm_->IsSet() ||
+      !mtu_discoverer_.ShouldProbeMtu(sent_packet_number)) {
     return;
   }
-
-  // Do not set the alarm if the target size is less than the current size.
-  // This covers the case when |mtu_discovery_target_| is at its default value,
-  // zero.
-  if (mtu_discovery_target_ <= max_packet_length()) {
-    return;
-  }
-
-  if (mtu_probe_count_ >= kMtuDiscoveryAttempts) {
-    return;
-  }
-
-  if (mtu_discovery_alarm_->IsSet()) {
-    return;
-  }
-
-  if (sent_packet_number >= next_mtu_probe_at_) {
-    // Use an alarm to send the MTU probe to ensure that no ScopedPacketFlushers
-    // are active.
-    mtu_discovery_alarm_->Set(clock_->ApproximateNow());
-  }
+  mtu_discovery_alarm_->Set(clock_->ApproximateNow());
 }
 
 void QuicConnection::MaybeSetAckAlarmTo(QuicTime time) {
@@ -3220,9 +3202,9 @@ QuicConnection::ScopedPacketFlusher::ScopedPacketFlusher(
     return;
   }
 
-  if (!connection_->packet_generator_.PacketFlusherAttached()) {
+  if (!connection_->packet_creator_.PacketFlusherAttached()) {
     flush_and_set_pending_retransmission_alarm_on_delete_ = true;
-    connection->packet_generator_.AttachPacketFlusher();
+    connection->packet_creator_.AttachPacketFlusher();
   }
 }
 
@@ -3261,12 +3243,13 @@ QuicConnection::ScopedPacketFlusher::~ScopedPacketFlusher() {
         connection_->SendAck();
       }
     }
-    connection_->packet_generator_.Flush();
-    connection_->FlushPackets();
-    if (connection_->session_decides_what_to_write()) {
-      // Reset transmission type.
-      connection_->SetTransmissionType(NOT_RETRANSMISSION);
+    connection_->packet_creator_.Flush();
+    if (connection_->version().CanSendCoalescedPackets()) {
+      connection_->FlushCoalescedPacket();
     }
+    connection_->FlushPackets();
+    // Reset transmission type.
+    connection_->SetTransmissionType(NOT_RETRANSMISSION);
 
     // Once all transmissions are done, check if there is any outstanding data
     // to send and notify the congestion controller if not.
@@ -3294,7 +3277,7 @@ QuicConnection::ScopedPacketFlusher::~ScopedPacketFlusher() {
     }
   }
   DCHECK_EQ(flush_and_set_pending_retransmission_alarm_on_delete_,
-            !connection_->packet_generator_.PacketFlusherAttached());
+            !connection_->packet_creator_.PacketFlusherAttached());
 }
 
 QuicConnection::BufferedPacket::BufferedPacket(
@@ -3305,6 +3288,16 @@ QuicConnection::BufferedPacket::BufferedPacket(
       self_address(self_address),
       peer_address(peer_address) {}
 
+QuicConnection::BufferedPacket::BufferedPacket(
+    char* encrypted_buffer,
+    QuicPacketLength encrypted_length,
+    const QuicSocketAddress& self_address,
+    const QuicSocketAddress& peer_address)
+    : encrypted_buffer(CopyBuffer(encrypted_buffer, encrypted_length),
+                       encrypted_length),
+      self_address(self_address),
+      peer_address(peer_address) {}
+
 QuicConnection::BufferedPacket::~BufferedPacket() {
   delete[] encrypted_buffer.data();
 }
@@ -3334,13 +3327,9 @@ bool QuicConnection::IsTerminationPacket(const SerializedPacket& packet) {
 }
 
 void QuicConnection::SetMtuDiscoveryTarget(QuicByteCount target) {
-  if (mtu_discovery_v2_) {
-    mtu_discoverer_.Disable();
-    mtu_discoverer_.Enable(max_packet_length(),
-                           GetLimitedMaxPacketSize(target));
-  } else {
-    mtu_discovery_target_ = GetLimitedMaxPacketSize(target);
-  }
+  QUIC_DVLOG(2) << ENDPOINT << "SetMtuDiscoveryTarget: " << target;
+  mtu_discoverer_.Disable();
+  mtu_discoverer_.Enable(max_packet_length(), GetLimitedMaxPacketSize(target));
 }
 
 QuicByteCount QuicConnection::GetLimitedMaxPacketSize(
@@ -3367,7 +3356,7 @@ void QuicConnection::SendMtuDiscoveryPacket(QuicByteCount target_mtu) {
   DCHECK_EQ(target_mtu, GetLimitedMaxPacketSize(target_mtu));
 
   // Send the probe.
-  packet_generator_.GenerateMtuDiscoveryPacket(target_mtu);
+  packet_creator_.GenerateMtuDiscoveryPacket(target_mtu);
 }
 
 // TODO(zhongyi): change this method to generate a connectivity probing packet
@@ -3422,7 +3411,7 @@ bool QuicConnection::SendGenericPathProbePacket(
   if (!VersionHasIetfQuicFrames(transport_version())) {
     // Non-IETF QUIC, generate a padded ping regardless of whether this is a
     // request or a response.
-    probing_packet = packet_generator_.SerializeConnectivityProbingPacket();
+    probing_packet = packet_creator_.SerializeConnectivityProbingPacket();
   } else {
     if (is_response) {
       // Respond using IETF QUIC PATH_RESPONSE frame
@@ -3430,14 +3419,14 @@ bool QuicConnection::SendGenericPathProbePacket(
         // Pad the response if the request was a google connectivity probe
         // (padded).
         probing_packet =
-            packet_generator_.SerializePathResponseConnectivityProbingPacket(
+            packet_creator_.SerializePathResponseConnectivityProbingPacket(
                 received_path_challenge_payloads_, /* is_padded = */ true);
         received_path_challenge_payloads_.clear();
       } else {
         // Do not pad the response if the path challenge was not a google
         // connectivity probe.
         probing_packet =
-            packet_generator_.SerializePathResponseConnectivityProbingPacket(
+            packet_creator_.SerializePathResponseConnectivityProbingPacket(
                 received_path_challenge_payloads_,
                 /* is_padded = */ false);
         received_path_challenge_payloads_.clear();
@@ -3447,7 +3436,7 @@ bool QuicConnection::SendGenericPathProbePacket(
       transmitted_connectivity_probe_payload_ =
           std::make_unique<QuicPathFrameBuffer>();
       probing_packet =
-          packet_generator_.SerializePathChallengeConnectivityProbingPacket(
+          packet_creator_.SerializePathChallengeConnectivityProbingPacket(
               transmitted_connectivity_probe_payload_.get());
       if (!probing_packet) {
         transmitted_connectivity_probe_payload_ = nullptr;
@@ -3484,15 +3473,13 @@ bool QuicConnection::SendGenericPathProbePacket(
 
   if (debug_visitor_ != nullptr) {
     debug_visitor_->OnPacketSent(
-        *probing_packet, probing_packet->original_packet_number,
-        probing_packet->transmission_type, packet_send_time);
+        *probing_packet, probing_packet->transmission_type, packet_send_time);
   }
 
   // Call OnPacketSent regardless of the write result.
-  sent_packet_manager_.OnPacketSent(
-      probing_packet.get(), probing_packet->original_packet_number,
-      packet_send_time, probing_packet->transmission_type,
-      NO_RETRANSMITTABLE_DATA);
+  sent_packet_manager_.OnPacketSent(probing_packet.get(), packet_send_time,
+                                    probing_packet->transmission_type,
+                                    NO_RETRANSMITTABLE_DATA);
 
   if (IsWriteBlockedStatus(result.status)) {
     if (probing_writer == writer_) {
@@ -3511,35 +3498,13 @@ bool QuicConnection::SendGenericPathProbePacket(
 void QuicConnection::DiscoverMtu() {
   DCHECK(!mtu_discovery_alarm_->IsSet());
 
-  if (mtu_discovery_v2_) {
-    const QuicPacketNumber largest_sent_packet =
-        sent_packet_manager_.GetLargestSentPacket();
-    if (mtu_discoverer_.ShouldProbeMtu(largest_sent_packet)) {
-      ++mtu_probe_count_;
-      SendMtuDiscoveryPacket(
-          mtu_discoverer_.GetUpdatedMtuProbeSize(largest_sent_packet));
-    }
-    DCHECK(!mtu_discovery_alarm_->IsSet());
-    return;
-  }
-
-  // Check if the MTU has been already increased.
-  if (mtu_discovery_target_ <= max_packet_length()) {
-    return;
+  const QuicPacketNumber largest_sent_packet =
+      sent_packet_manager_.GetLargestSentPacket();
+  if (mtu_discoverer_.ShouldProbeMtu(largest_sent_packet)) {
+    ++mtu_probe_count_;
+    SendMtuDiscoveryPacket(
+        mtu_discoverer_.GetUpdatedMtuProbeSize(largest_sent_packet));
   }
-
-  // Calculate the packet number of the next probe *before* sending the current
-  // one.  Otherwise, when SendMtuDiscoveryPacket() is called,
-  // MaybeSetMtuAlarm() will not realize that the probe has been just sent, and
-  // will reschedule this probe again.
-  packets_between_mtu_probes_ *= 2;
-  next_mtu_probe_at_ = sent_packet_manager_.GetLargestSentPacket() +
-                       packets_between_mtu_probes_ + 1;
-  ++mtu_probe_count_;
-
-  QUIC_DVLOG(2) << "Sending a path MTU discovery packet #" << mtu_probe_count_;
-  SendMtuDiscoveryPacket(mtu_discovery_target_);
-
   DCHECK(!mtu_discovery_alarm_->IsSet());
 }
 
@@ -3623,7 +3588,7 @@ void QuicConnection::MaybeSendProbingRetransmissions() {
   DCHECK(fill_up_link_during_probing_);
 
   // Don't send probing retransmissions until the handshake has completed.
-  if (!sent_packet_manager_.handshake_confirmed() ||
+  if (!IsHandshakeComplete() ||
       sent_packet_manager().HasUnackedCryptoPackets()) {
     return;
   }
@@ -3640,14 +3605,12 @@ void QuicConnection::MaybeSendProbingRetransmissions() {
 }
 
 void QuicConnection::CheckIfApplicationLimited() {
-  if (session_decides_what_to_write() && probing_retransmission_pending_) {
+  if (probing_retransmission_pending_) {
     return;
   }
 
   bool application_limited =
-      queued_packets_.empty() && buffered_packets_.empty() &&
-      !sent_packet_manager_.HasPendingRetransmissions() &&
-      !visitor_->WillingAndAbleToWrite();
+      buffered_packets_.empty() && !visitor_->WillingAndAbleToWrite();
 
   if (!application_limited) {
     return;
@@ -3716,20 +3679,6 @@ void QuicConnection::UpdatePacketContent(PacketContent type) {
   current_effective_peer_migration_type_ = NO_CHANGE;
 }
 
-void QuicConnection::MaybeEnableSessionDecidesWhatToWrite() {
-  // Only enable session decides what to write code path for version 42+,
-  // because it needs the receiver to allow receiving overlapping stream data.
-  const bool enable_session_decides_what_to_write =
-      transport_version() > QUIC_VERSION_39;
-  sent_packet_manager_.SetSessionDecideWhatToWrite(
-      enable_session_decides_what_to_write);
-  if (version().SupportsAntiAmplificationLimit()) {
-    sent_packet_manager_.EnableIetfPtoAndLossDetection();
-  }
-  packet_generator_.SetCanSetTransmissionType(
-      enable_session_decides_what_to_write);
-}
-
 void QuicConnection::PostProcessAfterAckFrame(bool send_stop_waiting,
                                               bool acked_new_packet) {
   if (no_stop_waiting_frames_) {
@@ -3777,11 +3726,7 @@ void QuicConnection::SetDataProducer(
 }
 
 void QuicConnection::SetTransmissionType(TransmissionType type) {
-  packet_generator_.SetTransmissionType(type);
-}
-
-bool QuicConnection::session_decides_what_to_write() const {
-  return sent_packet_manager_.session_decides_what_to_write();
+  packet_creator_.SetTransmissionType(type);
 }
 
 void QuicConnection::UpdateReleaseTimeIntoFuture() {
@@ -3803,7 +3748,8 @@ void QuicConnection::ResetAckStates() {
 }
 
 MessageStatus QuicConnection::SendMessage(QuicMessageId message_id,
-                                          QuicMemSliceSpan message) {
+                                          QuicMemSliceSpan message,
+                                          bool flush) {
   if (!VersionSupportsMessageFrames(transport_version())) {
     QUIC_BUG << "MESSAGE frame is not supported for version "
              << transport_version();
@@ -3812,19 +3758,19 @@ MessageStatus QuicConnection::SendMessage(QuicMessageId message_id,
   if (message.total_length() > GetCurrentLargestMessagePayload()) {
     return MESSAGE_STATUS_TOO_LARGE;
   }
-  if (!CanWrite(HAS_RETRANSMITTABLE_DATA)) {
+  if (!connected_ || (!flush && !CanWrite(HAS_RETRANSMITTABLE_DATA))) {
     return MESSAGE_STATUS_BLOCKED;
   }
   ScopedPacketFlusher flusher(this);
-  return packet_generator_.AddMessageFrame(message_id, message);
+  return packet_creator_.AddMessageFrame(message_id, message);
 }
 
 QuicPacketLength QuicConnection::GetCurrentLargestMessagePayload() const {
-  return packet_generator_.GetCurrentLargestMessagePayload();
+  return packet_creator_.GetCurrentLargestMessagePayload();
 }
 
 QuicPacketLength QuicConnection::GetGuaranteedLargestMessagePayload() const {
-  return packet_generator_.GetGuaranteedLargestMessagePayload();
+  return packet_creator_.GetGuaranteedLargestMessagePayload();
 }
 
 uint32_t QuicConnection::cipher_id() const {
@@ -3838,7 +3784,7 @@ EncryptionLevel QuicConnection::GetConnectionCloseEncryptionLevel() const {
   if (perspective_ == Perspective::IS_CLIENT) {
     return encryption_level_;
   }
-  if (sent_packet_manager_.handshake_confirmed()) {
+  if (IsHandshakeComplete()) {
     // A forward secure packet has been received.
     QUIC_BUG_IF(encryption_level_ != ENCRYPTION_FORWARD_SECURE)
         << ENDPOINT << "Unexpected connection close encryption level "
@@ -3887,7 +3833,7 @@ void QuicConnection::SendAllPendingAcks() {
     QuicFrames frames;
     frames.push_back(uber_received_packet_manager_.GetUpdatedAckFrame(
         static_cast<PacketNumberSpace>(i), clock_->ApproximateNow()));
-    const bool flushed = packet_generator_.FlushAckFrame(frames);
+    const bool flushed = packet_creator_.FlushAckFrame(frames);
     if (!flushed) {
       // Connection is write blocked.
       QUIC_BUG_IF(!writer_->IsWriteBlocked())
@@ -3913,7 +3859,7 @@ void QuicConnection::SendAllPendingAcks() {
     return;
   }
   consecutive_num_packets_with_no_retransmittable_frames_ = 0;
-  if (packet_generator_.HasRetransmittableFrames() ||
+  if (packet_creator_.HasPendingRetransmittableFrames() ||
       visitor_->WillingAndAbleToWrite()) {
     // There are pending retransmittable frames.
     return;
@@ -3922,6 +3868,65 @@ void QuicConnection::SendAllPendingAcks() {
   visitor_->OnAckNeedsRetransmittableFrame();
 }
 
+bool QuicConnection::FlushCoalescedPacket() {
+  ScopedCoalescedPacketClearer clearer(&coalesced_packet_);
+  if (!version().CanSendCoalescedPackets()) {
+    QUIC_BUG_IF(coalesced_packet_.length() > 0);
+    return true;
+  }
+  if (coalesced_packet_.length() == 0) {
+    return true;
+  }
+  QUIC_DVLOG(1) << ENDPOINT << "Sending coalesced packet";
+  char buffer[kMaxOutgoingPacketSize];
+  const size_t length = packet_creator_.SerializeCoalescedPacket(
+      coalesced_packet_, buffer, coalesced_packet_.max_packet_length());
+  if (length == 0) {
+    return false;
+  }
+
+  if (!buffered_packets_.empty() || HandleWriteBlocked()) {
+    QUIC_DVLOG(1) << ENDPOINT
+                  << "Buffering coalesced packet of len: " << length;
+    buffered_packets_.emplace_back(buffer, length,
+                                   coalesced_packet_.self_address(),
+                                   coalesced_packet_.peer_address());
+    return true;
+  }
+
+  WriteResult result = writer_->WritePacket(
+      buffer, length, coalesced_packet_.self_address().host(),
+      coalesced_packet_.peer_address(), per_packet_options_);
+  if (IsWriteError(result.status)) {
+    OnWriteError(result.error_code);
+    return false;
+  }
+  if (IsWriteBlockedStatus(result.status)) {
+    visitor_->OnWriteBlocked();
+    if (result.status != WRITE_STATUS_BLOCKED_DATA_BUFFERED) {
+      QUIC_DVLOG(1) << ENDPOINT
+                    << "Buffering coalesced packet of len: " << length;
+      buffered_packets_.emplace_back(buffer, length,
+                                     coalesced_packet_.self_address(),
+                                     coalesced_packet_.peer_address());
+    }
+  }
+  // Account for added padding.
+  if (length > coalesced_packet_.length()) {
+    size_t padding_size = length - coalesced_packet_.length();
+    if (EnforceAntiAmplificationLimit()) {
+      bytes_sent_before_address_validation_ += padding_size;
+    }
+    stats_.bytes_sent += padding_size;
+    if (coalesced_packet_.initial_packet() != nullptr &&
+        coalesced_packet_.initial_packet()->transmission_type !=
+            NOT_RETRANSMISSION) {
+      stats_.bytes_retransmitted += padding_size;
+    }
+  }
+  return true;
+}
+
 void QuicConnection::MaybeEnableMultiplePacketNumberSpacesSupport() {
   if (version().handshake_protocol != PROTOCOL_TLS1_3) {
     return;
@@ -3988,9 +3993,21 @@ bool QuicConnection::LimitedByAmplificationFactor() const {
                  bytes_received_before_address_validation_;
 }
 
-QuicConnection::SerializedPacketFate QuicConnection::DeterminePacketFate() {
-  if (treat_queued_packets_as_sent_ &&
-      (!buffered_packets_.empty() || HandleWriteBlocked())) {
+SerializedPacketFate QuicConnection::DeterminePacketFate(
+    bool is_mtu_discovery) {
+  if (version().CanSendCoalescedPackets() &&
+      sent_packet_manager_.handshake_state() <
+          QuicSentPacketManager::HANDSHAKE_CONFIRMED &&
+      !is_mtu_discovery) {
+    // Before receiving ACK for any 1-RTT packets, always try to coalesce
+    // packet (except MTU discovery packet).
+    return COALESCE;
+  }
+  // Packet cannot be coalesced, flush existing coalesced packet.
+  if (version().CanSendCoalescedPackets() && !FlushCoalescedPacket()) {
+    return FAILED_TO_WRITE_COALESCED_PACKET;
+  }
+  if (!buffered_packets_.empty() || HandleWriteBlocked()) {
     return BUFFER;
   }
   return SEND_TO_WRITER;
@@ -4037,7 +4054,7 @@ void QuicConnection::set_client_connection_id(
                   << client_connection_id_
                   << " for connection with server connection ID "
                   << server_connection_id_;
-  packet_generator_.SetClientConnectionId(client_connection_id_);
+  packet_creator_.SetClientConnectionId(client_connection_id_);
   framer_.SetExpectedClientConnectionIdLength(client_connection_id_.length());
 }
 
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_connection.h b/chromium/net/third_party/quiche/src/quic/core/quic_connection.h
index 3d07946b316..abd836f4c6d 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_connection.h
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_connection.h
@@ -37,7 +37,6 @@
 #include "net/third_party/quiche/src/quic/core/quic_mtu_discovery.h"
 #include "net/third_party/quiche/src/quic/core/quic_one_block_arena.h"
 #include "net/third_party/quiche/src/quic/core/quic_packet_creator.h"
-#include "net/third_party/quiche/src/quic/core/quic_packet_generator.h"
 #include "net/third_party/quiche/src/quic/core/quic_packet_writer.h"
 #include "net/third_party/quiche/src/quic/core/quic_packets.h"
 #include "net/third_party/quiche/src/quic/core/quic_sent_packet_manager.h"
@@ -165,7 +164,10 @@ class QUIC_EXPORT_PRIVATE QuicConnectionVisitorInterface {
   virtual void OnForwardProgressConfirmed() = 0;
 
   // Called when a STOP_SENDING frame has been received.
-  virtual bool OnStopSendingFrame(const QuicStopSendingFrame& frame) = 0;
+  virtual void OnStopSendingFrame(const QuicStopSendingFrame& frame) = 0;
+
+  // Called when a packet of encryption |level| has been successfully decrypted.
+  virtual void OnPacketDecrypted(EncryptionLevel level) = 0;
 };
 
 // Interface which gets callbacks from the QuicConnection at interesting
@@ -178,7 +180,6 @@ class QUIC_EXPORT_PRIVATE QuicConnectionDebugVisitor
 
   // Called when a packet has been sent.
   virtual void OnPacketSent(const SerializedPacket& /*serialized_packet*/,
-                            QuicPacketNumber /*original_packet_number*/,
                             TransmissionType /*transmission_type*/,
                             QuicTime /*sent_time*/) {}
 
@@ -305,6 +306,9 @@ class QUIC_EXPORT_PRIVATE QuicConnectionDebugVisitor
 
   // Called when a MaxStreamsFrame has been parsed.
   virtual void OnMaxStreamsFrame(const QuicMaxStreamsFrame& /*frame*/) {}
+
+  // Called when |count| packet numbers have been skipped.
+  virtual void OnNPacketNumbersSkipped(QuicPacketCount /*count*/) {}
 };
 
 class QUIC_EXPORT_PRIVATE QuicConnectionHelperInterface {
@@ -364,6 +368,8 @@ class QUIC_EXPORT_PRIVATE QuicConnection
 
   // Allows the client to adjust network parameters based on external
   // information.
+  void AdjustNetworkParameters(
+      const SendAlgorithmInterface::NetworkParams& params);
   void AdjustNetworkParameters(QuicBandwidth bandwidth,
                                QuicTime::Delta rtt,
                                bool allow_cwnd_to_decrease);
@@ -514,12 +520,10 @@ class QUIC_EXPORT_PRIVATE QuicConnection
   void OnAuthenticatedIetfStatelessResetPacket(
       const QuicIetfStatelessResetPacket& packet) override;
 
-  // QuicPacketGenerator::DelegateInterface
+  // QuicPacketCreator::DelegateInterface
   bool ShouldGeneratePacket(HasRetransmittableData retransmittable,
                             IsHandshake handshake) override;
   const QuicFrames MaybeBundleAckOpportunistically() override;
-
-  // QuicPacketCreator::DelegateInterface
   char* GetPacketBuffer() override;
   void OnSerializedPacket(SerializedPacket* packet) override;
   void OnUnrecoverableError(QuicErrorCode error,
@@ -553,21 +557,21 @@ class QUIC_EXPORT_PRIVATE QuicConnection
     DCHECK(!ping_alarm_->IsSet());
     ping_timeout_ = ping_timeout;
   }
-  const QuicTime::Delta ping_timeout() { return ping_timeout_; }
+  const QuicTime::Delta ping_timeout() const { return ping_timeout_; }
   // Used in Chromium, but not internally.
-  // Sets a timeout for the ping alarm when there is no retransmittable data
-  // in flight, allowing for a more aggressive ping alarm in that case.
-  void set_retransmittable_on_wire_timeout(
+  // Sets an initial timeout for the ping alarm when there is no retransmittable
+  // data in flight, allowing for a more aggressive ping alarm in that case.
+  void set_initial_retransmittable_on_wire_timeout(
       QuicTime::Delta retransmittable_on_wire_timeout) {
     DCHECK(!ping_alarm_->IsSet());
-    retransmittable_on_wire_timeout_ = retransmittable_on_wire_timeout;
+    initial_retransmittable_on_wire_timeout_ = retransmittable_on_wire_timeout;
   }
-  const QuicTime::Delta retransmittable_on_wire_timeout() {
-    return retransmittable_on_wire_timeout_;
+  const QuicTime::Delta initial_retransmittable_on_wire_timeout() const {
+    return initial_retransmittable_on_wire_timeout_;
   }
   // Used in Chromium, but not internally.
   void set_creator_debug_delegate(QuicPacketCreator::DebugDelegate* visitor) {
-    packet_generator_.set_debug_delegate(visitor);
+    packet_creator_.set_debug_delegate(visitor);
   }
   const QuicSocketAddress& self_address() const { return self_address_; }
   const QuicSocketAddress& peer_address() const { return direct_peer_address_; }
@@ -595,12 +599,7 @@ class QUIC_EXPORT_PRIVATE QuicConnection
   }
 
   // Testing only.
-  size_t NumQueuedPackets() const {
-    if (treat_queued_packets_as_sent_) {
-      return buffered_packets_.size();
-    }
-    return queued_packets_.size();
-  }
+  size_t NumQueuedPackets() const { return buffered_packets_.size(); }
 
   // Returns true if the underlying UDP socket is writable, there is
   // no queued data and the connection is not congestion-control
@@ -743,8 +742,7 @@ class QUIC_EXPORT_PRIVATE QuicConnection
   virtual void SendConnectivityProbingResponsePacket(
       const QuicSocketAddress& peer_address);
 
-  // Sends an MTU discovery packet of size |mtu_discovery_target_| and updates
-  // the MTU discovery alarm.
+  // Sends an MTU discovery packet and updates the MTU discovery alarm.
   void DiscoverMtu();
 
   // Sets the session notifier on the SentPacketManager.
@@ -757,8 +755,11 @@ class QUIC_EXPORT_PRIVATE QuicConnection
   void SetTransmissionType(TransmissionType type);
 
   // Tries to send |message| and returns the message status.
+  // If |flush| is false, this will return a MESSAGE_STATUS_BLOCKED
+  // when the connection is deemed unwritable.
   virtual MessageStatus SendMessage(QuicMessageId message_id,
-                                    QuicMemSliceSpan message);
+                                    QuicMemSliceSpan message,
+                                    bool flush);
 
   // Returns the largest payload that will fit into a single MESSAGE frame.
   // Because overhead can vary during a connection, this method should be
@@ -785,9 +786,7 @@ class QUIC_EXPORT_PRIVATE QuicConnection
 
   const QuicFramer& framer() const { return framer_; }
 
-  const QuicPacketGenerator& packet_generator() const {
-    return packet_generator_;
-  }
+  const QuicPacketCreator& packet_creator() const { return packet_creator_; }
 
   EncryptionLevel encryption_level() const { return encryption_level_; }
   EncryptionLevel last_decrypted_level() const {
@@ -812,11 +811,11 @@ class QUIC_EXPORT_PRIVATE QuicConnection
   // can only be set to false if there is some other mechanism of preventing
   // amplification attacks, such as ICE (plus its a non-standard quic).
   void set_fully_pad_crypto_handshake_packets(bool new_value) {
-    packet_generator_.set_fully_pad_crypto_handshake_packets(new_value);
+    packet_creator_.set_fully_pad_crypto_handshake_packets(new_value);
   }
 
   bool fully_pad_during_crypto_handshake() const {
-    return packet_generator_.fully_pad_crypto_handshake_packets();
+    return packet_creator_.fully_pad_crypto_handshake_packets();
   }
 
   size_t min_received_before_ack_decimation() const;
@@ -832,8 +831,6 @@ class QUIC_EXPORT_PRIVATE QuicConnection
     defer_send_in_response_to_packets_ = defer;
   }
 
-  bool session_decides_what_to_write() const;
-
   // Sets the current per-packet options for the connection. The QuicConnection
   // does not take ownership of |options|; |options| must live for as long as
   // the QuicConnection is in use.
@@ -862,9 +859,10 @@ class QUIC_EXPORT_PRIVATE QuicConnection
     NOT_PADDED_PING,  // Set if the packet is not {PING, PADDING}.
   };
 
-  // Whether the handshake is confirmed from this connection's perspective.
-  bool IsHandshakeConfirmed() const {
-    return sent_packet_manager_.handshake_confirmed();
+  // Whether the handshake completes from this connection's perspective.
+  bool IsHandshakeComplete() const {
+    return sent_packet_manager_.handshake_state() >=
+           QuicSentPacketManager::HANDSHAKE_COMPLETE;
   }
 
   // Returns the largest received packet number sent by peer.
@@ -890,6 +888,15 @@ class QUIC_EXPORT_PRIVATE QuicConnection
   // or the one sent after an IETF Retry.
   void InstallInitialCrypters(QuicConnectionId connection_id);
 
+  // Called when version is considered negotiated.
+  void OnSuccessfulVersionNegotiation();
+
+  bool quic_version_negotiated_by_default_at_server() const {
+    return quic_version_negotiated_by_default_at_server_;
+  }
+
+  bool use_handshake_delegate() const { return use_handshake_delegate_; }
+
  protected:
   // Calls cancel() on all the alarms owned by this connection.
   void CancelAllAlarms();
@@ -971,21 +978,18 @@ class QUIC_EXPORT_PRIVATE QuicConnection
 
   typedef std::list<SerializedPacket> QueuedPacketList;
 
-  // Indicates the fate of a serialized packet in WritePacket().
-  enum SerializedPacketFate : uint8_t {
-    COALESCE,        // Try to coalesce packet.
-    BUFFER,          // Buffer packet in buffered_packets_.
-    SEND_TO_WRITER,  // Send packet to writer.
-  };
-
   // BufferedPacket stores necessary information (encrypted buffer and self/peer
   // addresses) of those packets which are serialized but failed to send because
   // socket is blocked. From unacked packet map and send algorithm's
   // perspective, buffered packets are treated as sent.
-  struct BufferedPacket {
+  struct QUIC_EXPORT_PRIVATE BufferedPacket {
     BufferedPacket(const SerializedPacket& packet,
                    const QuicSocketAddress& self_address,
                    const QuicSocketAddress& peer_address);
+    BufferedPacket(char* encrypted_buffer,
+                   QuicPacketLength encrypted_length,
+                   const QuicSocketAddress& self_address,
+                   const QuicSocketAddress& peer_address);
     BufferedPacket(const BufferedPacket& other) = delete;
     BufferedPacket(const BufferedPacket&& other) = delete;
 
@@ -1042,9 +1046,6 @@ class QUIC_EXPORT_PRIVATE QuicConnection
   // blocked when this is called.
   void WriteQueuedPackets();
 
-  // Writes as many pending retransmissions as possible.
-  void WritePendingRetransmissions();
-
   // Writes new data if congestion control allows.
   void WriteNewData();
 
@@ -1112,9 +1113,6 @@ class QUIC_EXPORT_PRIVATE QuicConnection
   // effective peer address change.
   void UpdatePacketContent(PacketContent type);
 
-  // Enables session decide what to write based on version and flags.
-  void MaybeEnableSessionDecidesWhatToWrite();
-
   // Called when last received ack frame has been processed.
   // |send_stop_waiting| indicates whether a stop waiting needs to be sent.
   // |acked_new_packet| is true if a previously-unacked packet was acked.
@@ -1146,8 +1144,12 @@ class QUIC_EXPORT_PRIVATE QuicConnection
   // and flags.
   void MaybeEnableMultiplePacketNumberSpacesSupport();
 
-  // Returns packet fate when trying to write a packet.
-  SerializedPacketFate DeterminePacketFate();
+  // Returns packet fate when trying to write a packet via WritePacket().
+  SerializedPacketFate DeterminePacketFate(bool is_mtu_discovery);
+
+  // Serialize and send coalesced_packet. Returns false if serialization fails
+  // or the write causes errors, otherwise, returns true.
+  bool FlushCoalescedPacket();
 
   // Returns the encryption level the connection close packet should be sent at,
   // which is the highest encryption level that peer can guarantee to process.
@@ -1259,7 +1261,7 @@ class QUIC_EXPORT_PRIVATE QuicConnection
 
   // Collection of coalesced packets which were received while processing
   // the current packet.
-  QuicDeque<std::unique_ptr<QuicEncryptedPacket>> coalesced_packets_;
+  QuicDeque<std::unique_ptr<QuicEncryptedPacket>> received_coalesced_packets_;
 
   // Maximum number of undecryptable packets the connection will store.
   size_t max_undecryptable_packets_;
@@ -1274,15 +1276,6 @@ class QUIC_EXPORT_PRIVATE QuicConnection
   bool send_ietf_version_negotiation_packet_;
   bool send_version_negotiation_packet_with_prefixed_lengths_;
 
-  // When packets could not be sent because the socket was not writable,
-  // they are added to this list.  All corresponding frames are in
-  // unacked_packets_ if they are to be retransmitted.  Packets encrypted_buffer
-  // fields are owned by the QueuedPacketList, in order to ensure they outlast
-  // the original scope of the SerializedPacket.
-  // TODO(fayang): Remove this when deprecating
-  // quic_treat_queued_packets_as_sent.
-  QueuedPacketList queued_packets_;
-
   // Contains the connection close packets if the connection has been closed.
   std::unique_ptr<std::vector<std::unique_ptr<QuicEncryptedPacket>>>
       termination_packets_;
@@ -1301,7 +1294,7 @@ class QUIC_EXPORT_PRIVATE QuicConnection
 
   // Indicates how many consecutive times an ack has arrived which indicates
   // the peer needs to stop waiting for some packets.
-  // TODO(fayang): remove this when deprecating quic_simplify_stop_waiting.
+  // TODO(fayang): remove this when deprecating QUIC_VERSION_43.
   int stop_waiting_count_;
 
   // Indicates the retransmission alarm needs to be set.
@@ -1314,8 +1307,12 @@ class QUIC_EXPORT_PRIVATE QuicConnection
   // The timeout for PING.
   QuicTime::Delta ping_timeout_;
 
-  // Timeout for how long the wire can have no retransmittable packets.
-  QuicTime::Delta retransmittable_on_wire_timeout_;
+  // Initial timeout for how long the wire can have no retransmittable packets.
+  QuicTime::Delta initial_retransmittable_on_wire_timeout_;
+
+  // Indicates how many retransmittable-on-wire pings have been emitted without
+  // receiving any new data in between.
+  int consecutive_retransmittable_on_wire_ping_count_;
 
   // Arena to store class implementations within the QuicConnection.
   QuicConnectionArena arena_;
@@ -1344,7 +1341,7 @@ class QUIC_EXPORT_PRIVATE QuicConnection
   QuicConnectionVisitorInterface* visitor_;
   QuicConnectionDebugVisitor* debug_visitor_;
 
-  QuicPacketGenerator packet_generator_;
+  QuicPacketCreator packet_creator_;
 
   // Network idle time before this connection is closed.
   QuicTime::Delta idle_network_timeout_;
@@ -1369,6 +1366,7 @@ class QUIC_EXPORT_PRIVATE QuicConnection
   QuicSentPacketManager sent_packet_manager_;
 
   // Indicates whether connection version has been negotiated.
+  // Always true for server connections.
   bool version_negotiated_;
 
   // Tracks if the connection was created by the server or the client.
@@ -1392,19 +1390,9 @@ class QUIC_EXPORT_PRIVATE QuicConnection
   // version negotiation packet.
   ParsedQuicVersionVector server_supported_versions_;
 
-  // The size of the packet we are targeting while doing path MTU discovery.
-  QuicByteCount mtu_discovery_target_;
-
   // The number of MTU probes already sent.
   size_t mtu_probe_count_;
 
-  // The number of packets between MTU probes.
-  QuicPacketCount packets_between_mtu_probes_;
-
-  // The packet number of the packet after which the next MTU probe will be
-  // sent.
-  QuicPacketNumber next_mtu_probe_at_;
-
   // The value of the MTU regularly used by the connection. This is different
   // from the value returned by max_packet_size(), as max_packet_size() returns
   // the value of the MTU as currently used by the serializer, so if
@@ -1501,23 +1489,24 @@ class QUIC_EXPORT_PRIVATE QuicConnection
   // EnforceAntiAmplificationLimit returns true.
   bool address_validated_;
 
-  // If true, skip packet number before sending the last PTO retransmission.
-  bool skip_packet_number_for_pto_;
-
   // Used to store content of packets which cannot be sent because of write
   // blocked. Packets' encrypted buffers are copied and owned by
   // buffered_packets_. From unacked_packet_map (and congestion control)'s
-  // perspective, those packets are considered sent. This is only used when
-  // treat_queued_packets_as_sent_ is true.
+  // perspective, those packets are considered sent.
   std::list<BufferedPacket> buffered_packets_;
 
-  // Latched value of quic_treat_queued_packets_as_sent.
-  const bool treat_queued_packets_as_sent_;
+  // Used to coalesce packets of different encryption level into the same UDP
+  // datagram. Connection stops trying to coalesce packets if a forward secure
+  // packet gets acknowledged.
+  QuicCoalescedPacket coalesced_packet_;
 
-  // Latched value of quic_mtu_discovery_v2.
-  const bool mtu_discovery_v2_;
-  // Only used if quic_mtu_discovery_v2 is true.
   QuicConnectionMtuDiscoverer mtu_discoverer_;
+
+  // Latched value of quic_version_negotiated_by_default_at_server.
+  const bool quic_version_negotiated_by_default_at_server_;
+
+  // Latched value of quic_use_handshaker_delegate.
+  const bool use_handshake_delegate_;
 };
 
 }  // namespace quic
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_connection_id.cc b/chromium/net/third_party/quiche/src/quic/core/quic_connection_id.cc
index c2a8754af39..49e90b6bb38 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_connection_id.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_connection_id.cc
@@ -14,11 +14,11 @@
 #include "net/third_party/quiche/src/quic/core/crypto/quic_random.h"
 #include "net/third_party/quiche/src/quic/core/quic_types.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_bug_tracker.h"
-#include "net/third_party/quiche/src/quic/platform/api/quic_endian.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_flag_utils.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_flags.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_logging.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_text_utils.h"
+#include "net/third_party/quiche/src/common/platform/api/quiche_endian.h"
 
 namespace quic {
 
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_connection_id.h b/chromium/net/third_party/quiche/src/quic/core/quic_connection_id.h
index 431cc741f60..25af43def29 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_connection_id.h
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_connection_id.h
@@ -127,7 +127,7 @@ QUIC_EXPORT_PRIVATE QuicConnectionId EmptyQuicConnectionId();
 // Note however that this property is not guaranteed across process lifetimes.
 // This makes QuicConnectionIdHash suitable for data structures such as hash
 // tables but not for sending a hash over the network.
-class QuicConnectionIdHash {
+class QUIC_EXPORT_PRIVATE QuicConnectionIdHash {
  public:
   size_t operator()(QuicConnectionId const& connection_id) const noexcept {
     return connection_id.Hash();
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_connection_stats.cc b/chromium/net/third_party/quiche/src/quic/core/quic_connection_stats.cc
index 128bc93aa39..89f7e546d88 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_connection_stats.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_connection_stats.cc
@@ -6,55 +6,6 @@
 
 namespace quic {
 
-QuicConnectionStats::QuicConnectionStats()
-    : bytes_sent(0),
-      packets_sent(0),
-      stream_bytes_sent(0),
-      packets_discarded(0),
-      bytes_received(0),
-      packets_received(0),
-      packets_processed(0),
-      stream_bytes_received(0),
-      bytes_retransmitted(0),
-      packets_retransmitted(0),
-      bytes_spuriously_retransmitted(0),
-      packets_spuriously_retransmitted(0),
-      packets_lost(0),
-      slowstart_count(0),
-      slowstart_num_rtts(0),
-      slowstart_packets_sent(0),
-      slowstart_bytes_sent(0),
-      slowstart_packets_lost(0),
-      slowstart_bytes_lost(0),
-      slowstart_duration(QuicTime::Delta::Zero()),
-      slowstart_start_time(QuicTime::Zero()),
-      packets_dropped(0),
-      undecryptable_packets_received_before_handshake_complete(0),
-      crypto_retransmit_count(0),
-      loss_timeout_count(0),
-      tlp_count(0),
-      rto_count(0),
-      pto_count(0),
-      min_rtt_us(0),
-      srtt_us(0),
-      max_packet_size(0),
-      max_received_packet_size(0),
-      estimated_bandwidth(QuicBandwidth::Zero()),
-      packets_reordered(0),
-      max_sequence_reordering(0),
-      max_time_reordering_us(0),
-      tcp_loss_events(0),
-      connection_creation_time(QuicTime::Zero()),
-      blocked_frames_received(0),
-      blocked_frames_sent(0),
-      num_connectivity_probing_received(0),
-      retry_packet_processed(false) {}
-
-QuicConnectionStats::QuicConnectionStats(const QuicConnectionStats& other) =
-    default;
-
-QuicConnectionStats::~QuicConnectionStats() {}
-
 std::ostream& operator<<(std::ostream& os, const QuicConnectionStats& s) {
   os << "{ bytes_sent: " << s.bytes_sent;
   os << " packets_sent: " << s.packets_sent;
@@ -98,6 +49,10 @@ std::ostream& operator<<(std::ostream& os, const QuicConnectionStats& s) {
      << s.num_connectivity_probing_received;
   os << " retry_packet_processed: "
      << (s.retry_packet_processed ? "yes" : "no");
+  os << " num_coalesced_packets_received: " << s.num_coalesced_packets_received;
+  os << " num_coalesced_packets_processed: "
+     << s.num_coalesced_packets_processed;
+  os << " num_ack_aggregation_epochs: " << s.num_ack_aggregation_epochs;
   os << " }";
 
   return os;
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_connection_stats.h b/chromium/net/third_party/quiche/src/quic/core/quic_connection_stats.h
index 805afd15a73..c76d591602b 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_connection_stats.h
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_connection_stats.h
@@ -11,104 +11,107 @@
 #include "net/third_party/quiche/src/quic/core/quic_bandwidth.h"
 #include "net/third_party/quiche/src/quic/core/quic_packets.h"
 #include "net/third_party/quiche/src/quic/core/quic_time.h"
+#include "net/third_party/quiche/src/quic/core/quic_time_accumulator.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_export.h"
 
 namespace quic {
 // Structure to hold stats for a QuicConnection.
 struct QUIC_EXPORT_PRIVATE QuicConnectionStats {
-  QuicConnectionStats();
-  QuicConnectionStats(const QuicConnectionStats& other);
-  ~QuicConnectionStats();
-
   QUIC_EXPORT_PRIVATE friend std::ostream& operator<<(
       std::ostream& os,
       const QuicConnectionStats& s);
 
-  QuicByteCount bytes_sent;  // Includes retransmissions.
-  QuicPacketCount packets_sent;
+  QuicByteCount bytes_sent = 0;  // Includes retransmissions.
+  QuicPacketCount packets_sent = 0;
   // Non-retransmitted bytes sent in a stream frame.
-  QuicByteCount stream_bytes_sent;
+  QuicByteCount stream_bytes_sent = 0;
   // Packets serialized and discarded before sending.
-  QuicPacketCount packets_discarded;
+  QuicPacketCount packets_discarded = 0;
 
   // These include version negotiation and public reset packets, which do not
   // have packet numbers or frame data.
-  QuicByteCount bytes_received;  // Includes duplicate data for a stream.
+  QuicByteCount bytes_received = 0;  // Includes duplicate data for a stream.
   // Includes packets which were not processable.
-  QuicPacketCount packets_received;
+  QuicPacketCount packets_received = 0;
   // Excludes packets which were not processable.
-  QuicPacketCount packets_processed;
-  QuicByteCount stream_bytes_received;  // Bytes received in a stream frame.
+  QuicPacketCount packets_processed = 0;
+  QuicByteCount stream_bytes_received = 0;  // Bytes received in a stream frame.
 
-  QuicByteCount bytes_retransmitted;
-  QuicPacketCount packets_retransmitted;
+  QuicByteCount bytes_retransmitted = 0;
+  QuicPacketCount packets_retransmitted = 0;
 
-  QuicByteCount bytes_spuriously_retransmitted;
-  QuicPacketCount packets_spuriously_retransmitted;
+  QuicByteCount bytes_spuriously_retransmitted = 0;
+  QuicPacketCount packets_spuriously_retransmitted = 0;
   // Number of packets abandoned as lost by the loss detection algorithm.
-  QuicPacketCount packets_lost;
+  QuicPacketCount packets_lost = 0;
 
   // Number of times this connection went through the slow start phase.
-  uint32_t slowstart_count;
+  uint32_t slowstart_count = 0;
   // Number of round trips spent in slow start.
-  uint32_t slowstart_num_rtts;
+  uint32_t slowstart_num_rtts = 0;
   // Number of packets sent in slow start.
-  QuicPacketCount slowstart_packets_sent;
+  QuicPacketCount slowstart_packets_sent = 0;
   // Number of bytes sent in slow start.
-  QuicByteCount slowstart_bytes_sent;
+  QuicByteCount slowstart_bytes_sent = 0;
   // Number of packets lost exiting slow start.
-  QuicPacketCount slowstart_packets_lost;
+  QuicPacketCount slowstart_packets_lost = 0;
   // Number of bytes lost exiting slow start.
-  QuicByteCount slowstart_bytes_lost;
-  // Time spent in COMPLETED slow start phases.
-  QuicTime::Delta slowstart_duration;
-  // Start time of the last slow start phase.
-  QuicTime slowstart_start_time;
+  QuicByteCount slowstart_bytes_lost = 0;
+  // Time spent in slow start. Populated for BBRv1 and BBRv2.
+  QuicTimeAccumulator slowstart_duration;
 
-  QuicPacketCount packets_dropped;  // Duplicate or less than least unacked.
+  QuicPacketCount packets_dropped = 0;  // Duplicate or less than least unacked.
 
   // Packets that failed to decrypt when they were first received,
   // before the handshake was complete.
-  QuicPacketCount undecryptable_packets_received_before_handshake_complete;
+  QuicPacketCount undecryptable_packets_received_before_handshake_complete = 0;
 
-  size_t crypto_retransmit_count;
+  size_t crypto_retransmit_count = 0;
   // Count of times the loss detection alarm fired.  At least one packet should
   // be lost when the alarm fires.
-  size_t loss_timeout_count;
-  size_t tlp_count;
-  size_t rto_count;  // Count of times the rto timer fired.
-  size_t pto_count;
+  size_t loss_timeout_count = 0;
+  size_t tlp_count = 0;
+  size_t rto_count = 0;  // Count of times the rto timer fired.
+  size_t pto_count = 0;
 
-  int64_t min_rtt_us;  // Minimum RTT in microseconds.
-  int64_t srtt_us;     // Smoothed RTT in microseconds.
-  QuicByteCount max_packet_size;
-  QuicByteCount max_received_packet_size;
-  QuicBandwidth estimated_bandwidth;
+  int64_t min_rtt_us = 0;  // Minimum RTT in microseconds.
+  int64_t srtt_us = 0;     // Smoothed RTT in microseconds.
+  QuicByteCount max_packet_size = 0;
+  QuicByteCount max_received_packet_size = 0;
+  QuicBandwidth estimated_bandwidth = QuicBandwidth::Zero();
 
   // Reordering stats for received packets.
   // Number of packets received out of packet number order.
-  QuicPacketCount packets_reordered;
+  QuicPacketCount packets_reordered = 0;
   // Maximum reordering observed in packet number space.
-  QuicPacketCount max_sequence_reordering;
+  QuicPacketCount max_sequence_reordering = 0;
   // Maximum reordering observed in microseconds
-  int64_t max_time_reordering_us;
+  int64_t max_time_reordering_us = 0;
 
   // The following stats are used only in TcpCubicSender.
   // The number of loss events from TCP's perspective.  Each loss event includes
   // one or more lost packets.
-  uint32_t tcp_loss_events;
+  uint32_t tcp_loss_events = 0;
 
   // Creation time, as reported by the QuicClock.
-  QuicTime connection_creation_time;
+  QuicTime connection_creation_time = QuicTime::Zero();
 
-  uint64_t blocked_frames_received;
-  uint64_t blocked_frames_sent;
+  uint64_t blocked_frames_received = 0;
+  uint64_t blocked_frames_sent = 0;
 
   // Number of connectivity probing packets received by this connection.
-  uint64_t num_connectivity_probing_received;
+  uint64_t num_connectivity_probing_received = 0;
 
   // Whether a RETRY packet was successfully processed.
-  bool retry_packet_processed;
+  bool retry_packet_processed = false;
+
+  // Number of received coalesced packets.
+  uint64_t num_coalesced_packets_received = 0;
+  // Number of successfully processed coalesced packets.
+  uint64_t num_coalesced_packets_processed = 0;
+  // Number of ack aggregation epochs. For the same number of bytes acked, the
+  // smaller this value, the more ack aggregation is going on.
+  uint64_t num_ack_aggregation_epochs = 0;
 };
 
 }  // namespace quic
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_connection_test.cc b/chromium/net/third_party/quiche/src/quic/core/quic_connection_test.cc
index 3d923a2deac..3babced88b6 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_connection_test.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_connection_test.cc
@@ -36,7 +36,6 @@
 #include "net/third_party/quiche/src/quic/test_tools/quic_connection_peer.h"
 #include "net/third_party/quiche/src/quic/test_tools/quic_framer_peer.h"
 #include "net/third_party/quiche/src/quic/test_tools/quic_packet_creator_peer.h"
-#include "net/third_party/quiche/src/quic/test_tools/quic_packet_generator_peer.h"
 #include "net/third_party/quiche/src/quic/test_tools/quic_sent_packet_manager_peer.h"
 #include "net/third_party/quiche/src/quic/test_tools/quic_test_utils.h"
 #include "net/third_party/quiche/src/quic/test_tools/simple_data_producer.h"
@@ -338,6 +337,7 @@ class TestPacketWriter : public QuicPacketWriter {
         final_bytes_of_previous_packet_(0),
         use_tagging_decrypter_(false),
         packets_write_attempts_(0),
+        connection_close_packets_(0),
         clock_(clock),
         write_pause_time_delta_(QuicTime::Delta::Zero()),
         max_packet_size_(kMaxOutgoingPacketSize),
@@ -406,7 +406,9 @@ class TestPacketWriter : public QuicPacketWriter {
 
     last_packet_size_ = packet.length();
     last_packet_header_ = framer_.header();
-
+    if (!framer_.connection_close_frames().empty()) {
+      ++connection_close_packets_;
+    }
     if (!write_pause_time_delta_.IsZero()) {
       clock_->AdvanceTime(write_pause_time_delta_);
     }
@@ -514,6 +516,10 @@ class TestPacketWriter : public QuicPacketWriter {
     return framer_.path_response_frames();
   }
 
+  const QuicEncryptedPacket* coalesced_packet() const {
+    return framer_.coalesced_packet();
+  }
+
   size_t last_packet_size() { return last_packet_size_; }
 
   const QuicPacketHeader& last_packet_header() const {
@@ -550,6 +556,10 @@ class TestPacketWriter : public QuicPacketWriter {
 
   uint32_t packets_write_attempts() { return packets_write_attempts_; }
 
+  uint32_t connection_close_packets() const {
+    return connection_close_packets_;
+  }
+
   void Reset() { framer_.Reset(); }
 
   void SetSupportedVersions(const ParsedQuicVersionVector& versions) {
@@ -583,6 +593,7 @@ class TestPacketWriter : public QuicPacketWriter {
   uint32_t final_bytes_of_previous_packet_;
   bool use_tagging_decrypter_;
   uint32_t packets_write_attempts_;
+  uint32_t connection_close_packets_;
   MockClock* clock_;
   // If non-zero, the clock will pause during WritePacket for this amount of
   // time.
@@ -631,6 +642,7 @@ class TestConnection : public QuicConnection {
                   HasRetransmittableData retransmittable,
                   bool has_ack,
                   bool has_pending_frames) {
+    ScopedPacketFlusher flusher(this);
     char buffer[kMaxOutgoingPacketSize];
     size_t encrypted_length =
         QuicConnectionPeer::GetFramer(this)->EncryptPayload(
@@ -641,7 +653,7 @@ class TestConnection : public QuicConnection {
         encrypted_length, has_ack, has_pending_frames);
     if (retransmittable == HAS_RETRANSMITTABLE_DATA) {
       serialized_packet.retransmittable_frames.push_back(
-          QuicFrame(QuicStreamFrame()));
+          QuicFrame(QuicPingFrame()));
     }
     OnSerializedPacket(&serialized_packet);
   }
@@ -668,7 +680,7 @@ class TestConnection : public QuicConnection {
     if (!QuicUtils::IsCryptoStreamId(transport_version(), id) &&
         this->encryption_level() == ENCRYPTION_INITIAL) {
       this->SetDefaultEncryptionLevel(ENCRYPTION_FORWARD_SECURE);
-      if (perspective() == Perspective::IS_CLIENT && !IsHandshakeConfirmed()) {
+      if (perspective() == Perspective::IS_CLIENT && !IsHandshakeComplete()) {
         OnHandshakeComplete();
       }
       if (version().SupportsAntiAmplificationLimit()) {
@@ -769,14 +781,14 @@ class TestConnection : public QuicConnection {
   }
 
   // Enable path MTU discovery.  Assumes that the test is performed from the
-  // client perspective and the higher value of MTU target is used.
+  // server perspective and the higher value of MTU target is used.
   void EnablePathMtuDiscovery(MockSendAlgorithm* send_algorithm) {
-    ASSERT_EQ(Perspective::IS_CLIENT, perspective());
+    ASSERT_EQ(Perspective::IS_SERVER, perspective());
 
     QuicConfig config;
     QuicTagVector connection_options;
     connection_options.push_back(kMTUH);
-    config.SetConnectionOptionsToSend(connection_options);
+    config.SetInitialReceivedConnectionOptions(connection_options);
     EXPECT_CALL(*send_algorithm, SetFromConfig(_, _));
     SetFromConfig(config);
 
@@ -964,7 +976,6 @@ class QuicConnectionTest : public QuicTestWithParam<TestParams> {
                     Perspective::IS_CLIENT,
                     version()),
         creator_(QuicConnectionPeer::GetPacketCreator(&connection_)),
-        generator_(QuicConnectionPeer::GetPacketGenerator(&connection_)),
         manager_(QuicConnectionPeer::GetSentPacketManager(&connection_)),
         frame1_(0, false, 0, QuicStringPiece(data1)),
         frame2_(0, false, 3, QuicStringPiece(data2)),
@@ -1016,10 +1027,8 @@ class QuicConnectionTest : public QuicTestWithParam<TestParams> {
     frame1_.stream_id = stream_id;
     frame2_.stream_id = stream_id;
     connection_.set_visitor(&visitor_);
-    if (connection_.session_decides_what_to_write()) {
-      connection_.SetSessionNotifier(&notifier_);
-      connection_.set_notifier(&notifier_);
-    }
+    connection_.SetSessionNotifier(&notifier_);
+    connection_.set_notifier(&notifier_);
     connection_.SetSendAlgorithm(send_algorithm_);
     connection_.SetLossAlgorithm(loss_algorithm_.get());
     EXPECT_CALL(*send_algorithm_, CanSend(_)).WillRepeatedly(Return(true));
@@ -1034,23 +1043,22 @@ class QuicConnectionTest : public QuicTestWithParam<TestParams> {
     EXPECT_CALL(*send_algorithm_, BandwidthEstimate())
         .Times(AnyNumber())
         .WillRepeatedly(Return(QuicBandwidth::Zero()));
+    EXPECT_CALL(*send_algorithm_, PopulateConnectionStats(_))
+        .Times(AnyNumber());
     EXPECT_CALL(*send_algorithm_, InSlowStart()).Times(AnyNumber());
     EXPECT_CALL(*send_algorithm_, InRecovery()).Times(AnyNumber());
     EXPECT_CALL(*send_algorithm_, OnApplicationLimited(_)).Times(AnyNumber());
     EXPECT_CALL(visitor_, WillingAndAbleToWrite()).Times(AnyNumber());
+    EXPECT_CALL(visitor_, OnPacketDecrypted(_)).Times(AnyNumber());
     EXPECT_CALL(visitor_, HasPendingHandshake()).Times(AnyNumber());
-    if (connection_.session_decides_what_to_write()) {
-      EXPECT_CALL(visitor_, OnCanWrite())
-          .WillRepeatedly(
-              Invoke(&notifier_, &SimpleSessionNotifier::OnCanWrite));
-    } else {
-      EXPECT_CALL(visitor_, OnCanWrite()).Times(AnyNumber());
-    }
+    EXPECT_CALL(visitor_, OnCanWrite())
+        .WillRepeatedly(Invoke(&notifier_, &SimpleSessionNotifier::OnCanWrite));
     EXPECT_CALL(visitor_, ShouldKeepConnectionAlive())
         .WillRepeatedly(Return(false));
     EXPECT_CALL(visitor_, OnCongestionWindowChange(_)).Times(AnyNumber());
     EXPECT_CALL(visitor_, OnPacketReceived(_, _, _)).Times(AnyNumber());
     EXPECT_CALL(visitor_, OnForwardProgressConfirmed()).Times(AnyNumber());
+    EXPECT_CALL(visitor_, OnSuccessfulVersionNegotiation(_)).Times(AnyNumber());
 
     EXPECT_CALL(*loss_algorithm_, GetLossTimeout())
         .WillRepeatedly(Return(QuicTime::Zero()));
@@ -1120,7 +1128,10 @@ class QuicConnectionTest : public QuicTestWithParam<TestParams> {
     QuicFrames frames;
     frames.push_back(QuicFrame(frame));
     QuicPacketCreatorPeer::SetSendVersionInPacket(
-        &peer_creator_, connection_.perspective() == Perspective::IS_SERVER);
+        &peer_creator_,
+        QuicPacketCreatorPeer::GetEncryptionLevel(&peer_creator_) <
+                ENCRYPTION_FORWARD_SECURE &&
+            connection_.perspective() == Perspective::IS_SERVER);
 
     char buffer[kMaxOutgoingPacketSize];
     SerializedPacket serialized_packet =
@@ -1329,26 +1340,11 @@ class QuicConnectionTest : public QuicTestWithParam<TestParams> {
   void SendRstStream(QuicStreamId id,
                      QuicRstStreamErrorCode error,
                      QuicStreamOffset bytes_written) {
-    if (connection_.session_decides_what_to_write()) {
-      notifier_.WriteOrBufferRstStream(id, error, bytes_written);
-      connection_.OnStreamReset(id, error);
-      return;
-    }
-    std::unique_ptr<QuicRstStreamFrame> rst_stream =
-        std::make_unique<QuicRstStreamFrame>(1, id, error, bytes_written);
-    if (connection_.SendControlFrame(QuicFrame(rst_stream.get()))) {
-      rst_stream.release();
-    }
+    notifier_.WriteOrBufferRstStream(id, error, bytes_written);
     connection_.OnStreamReset(id, error);
   }
 
-  void SendPing() {
-    if (connection_.session_decides_what_to_write()) {
-      notifier_.WriteOrBufferPing();
-    } else {
-      connection_.SendControlFrame(QuicFrame(QuicPingFrame(1)));
-    }
-  }
+  void SendPing() { notifier_.WriteOrBufferPing(); }
 
   void ProcessAckPacket(uint64_t packet_number, QuicAckFrame* frame) {
     if (packet_number > 1) {
@@ -1536,8 +1532,8 @@ class QuicConnectionTest : public QuicTestWithParam<TestParams> {
     EXPECT_FALSE(QuicConnectionPeer::GetConnectionClosePacket(&connection_) ==
                  nullptr);
     EXPECT_EQ(1, connection_close_frame_count_);
-    EXPECT_EQ(QUIC_INVALID_ACK_DATA,
-              saved_connection_close_frame_.quic_error_code);
+    EXPECT_THAT(saved_connection_close_frame_.quic_error_code,
+                IsError(QUIC_INVALID_ACK_DATA));
   }
 
   void BlockOnNextWrite() {
@@ -1567,6 +1563,10 @@ class QuicConnectionTest : public QuicTestWithParam<TestParams> {
     connection_.set_perspective(perspective);
     if (perspective == Perspective::IS_SERVER) {
       connection_.set_can_truncate_connection_ids(true);
+      QuicConnectionPeer::SetNegotiatedVersion(&connection_);
+      if (GetQuicReloadableFlag(quic_version_negotiated_by_default_at_server)) {
+        connection_.OnSuccessfulVersionNegotiation();
+      }
     }
     QuicFramerPeer::SetPerspective(&peer_framer_,
                                    QuicUtils::InvertPerspective(perspective));
@@ -1574,16 +1574,9 @@ class QuicConnectionTest : public QuicTestWithParam<TestParams> {
 
   void set_packets_between_probes_base(
       const QuicPacketCount packets_between_probes_base) {
-    if (GetQuicReloadableFlag(quic_mtu_discovery_v2)) {
-      QuicConnectionPeer::ReInitializeMtuDiscoverer(
-          &connection_, packets_between_probes_base,
-          QuicPacketNumber(packets_between_probes_base));
-    } else {
-      QuicConnectionPeer::SetPacketsBetweenMtuProbes(
-          &connection_, packets_between_probes_base);
-      QuicConnectionPeer::SetNextMtuProbeAt(
-          &connection_, QuicPacketNumber(packets_between_probes_base));
-    }
+    QuicConnectionPeer::ReInitializeMtuDiscoverer(
+        &connection_, packets_between_probes_base,
+        QuicPacketNumber(packets_between_probes_base));
   }
 
   bool IsDefaultTestConfiguration() {
@@ -1627,6 +1620,24 @@ class QuicConnectionTest : public QuicTestWithParam<TestParams> {
     }
   }
 
+  void MtuDiscoveryTestInit() {
+    set_perspective(Perspective::IS_SERVER);
+    QuicPacketCreatorPeer::SetSendVersionInPacket(creator_, false);
+    connection_.SetDefaultEncryptionLevel(ENCRYPTION_FORWARD_SECURE);
+    peer_creator_.set_encryption_level(ENCRYPTION_FORWARD_SECURE);
+    // QuicFramer::GetMaxPlaintextSize uses the smallest max plaintext size
+    // across all encrypters. The initial encrypter used with IETF QUIC has a
+    // 16-byte overhead, while the NullEncrypter used throughout this test has a
+    // 12-byte overhead. This test tests behavior that relies on computing the
+    // packet size correctly, so by unsetting the initial encrypter, we avoid
+    // having a mismatch between the overheads for the encrypters used. In
+    // non-test scenarios all encrypters used for a given connection have the
+    // same overhead, either 12 bytes for ones using Google QUIC crypto, or 16
+    // bytes for ones using TLS.
+    connection_.SetEncrypter(ENCRYPTION_INITIAL, nullptr);
+    EXPECT_TRUE(connection_.connected());
+  }
+
   QuicConnectionId connection_id_;
   QuicFramer framer_;
 
@@ -1642,7 +1653,6 @@ class QuicConnectionTest : public QuicTestWithParam<TestParams> {
   std::unique_ptr<TestPacketWriter> writer_;
   TestConnection connection_;
   QuicPacketCreator* creator_;
-  QuicPacketGenerator* generator_;
   QuicSentPacketManager* manager_;
   StrictMock<MockQuicConnectionVisitor> visitor_;
 
@@ -1727,8 +1737,6 @@ TEST_P(QuicConnectionTest, SelfAddressChangeAtClient) {
 }
 
 TEST_P(QuicConnectionTest, SelfAddressChangeAtServer) {
-  EXPECT_CALL(visitor_, OnSuccessfulVersionNegotiation(_));
-
   set_perspective(Perspective::IS_SERVER);
   QuicPacketCreatorPeer::SetSendVersionInPacket(creator_, false);
 
@@ -1758,8 +1766,6 @@ TEST_P(QuicConnectionTest, SelfAddressChangeAtServer) {
 }
 
 TEST_P(QuicConnectionTest, AllowSelfAddressChangeToMappedIpv4AddressAtServer) {
-  EXPECT_CALL(visitor_, OnSuccessfulVersionNegotiation(_));
-
   set_perspective(Perspective::IS_SERVER);
   QuicPacketCreatorPeer::SetSendVersionInPacket(creator_, false);
 
@@ -1793,7 +1799,6 @@ TEST_P(QuicConnectionTest, AllowSelfAddressChangeToMappedIpv4AddressAtServer) {
 }
 
 TEST_P(QuicConnectionTest, ClientAddressChangeAndPacketReordered) {
-  EXPECT_CALL(visitor_, OnSuccessfulVersionNegotiation(_));
   set_perspective(Perspective::IS_SERVER);
   QuicPacketCreatorPeer::SetSendVersionInPacket(creator_, false);
 
@@ -1832,7 +1837,6 @@ TEST_P(QuicConnectionTest, ClientAddressChangeAndPacketReordered) {
 }
 
 TEST_P(QuicConnectionTest, PeerAddressChangeAtServer) {
-  EXPECT_CALL(visitor_, OnSuccessfulVersionNegotiation(_));
   set_perspective(Perspective::IS_SERVER);
   QuicPacketCreatorPeer::SetSendVersionInPacket(creator_, false);
   EXPECT_EQ(Perspective::IS_SERVER, connection_.perspective());
@@ -1870,7 +1874,6 @@ TEST_P(QuicConnectionTest, PeerAddressChangeAtServer) {
 }
 
 TEST_P(QuicConnectionTest, EffectivePeerAddressChangeAtServer) {
-  EXPECT_CALL(visitor_, OnSuccessfulVersionNegotiation(_));
   set_perspective(Perspective::IS_SERVER);
   QuicPacketCreatorPeer::SetSendVersionInPacket(creator_, false);
   EXPECT_EQ(Perspective::IS_SERVER, connection_.perspective());
@@ -1956,7 +1959,6 @@ TEST_P(QuicConnectionTest, EffectivePeerAddressChangeAtServer) {
 }
 
 TEST_P(QuicConnectionTest, ReceivePaddedPingAtServer) {
-  EXPECT_CALL(visitor_, OnSuccessfulVersionNegotiation(_));
   set_perspective(Perspective::IS_SERVER);
   QuicPacketCreatorPeer::SetSendVersionInPacket(creator_, false);
   EXPECT_EQ(Perspective::IS_SERVER, connection_.perspective());
@@ -2032,29 +2034,17 @@ TEST_P(QuicConnectionTest, WriteOutOfOrderQueuedPackets) {
   writer_->SetWritable();
   connection_.SendConnectivityProbingPacket(writer_.get(),
                                             connection_.peer_address());
-  if (GetQuicReloadableFlag(quic_treat_queued_packets_as_sent)) {
-    EXPECT_CALL(visitor_, OnConnectionClosed(_, _)).Times(0);
-    connection_.OnCanWrite();
-    return;
-  }
-  EXPECT_CALL(visitor_,
-              OnConnectionClosed(_, ConnectionCloseSource::FROM_SELF));
-  EXPECT_QUIC_BUG(connection_.OnCanWrite(),
-                  "Attempt to write packet:1 after:2");
-  EXPECT_FALSE(connection_.connected());
-  TestConnectionCloseQuicErrorCode(QUIC_INTERNAL_ERROR);
-  const std::vector<QuicConnectionCloseFrame>& connection_close_frames =
-      writer_->connection_close_frames();
-  EXPECT_EQ("Packet written out of order.",
-            connection_close_frames[0].error_details);
+  EXPECT_CALL(visitor_, OnConnectionClosed(_, _)).Times(0);
+  connection_.OnCanWrite();
 }
 
 TEST_P(QuicConnectionTest, DiscardQueuedPacketsAfterConnectionClose) {
   // Regression test for b/74073386.
   {
     InSequence seq;
-    EXPECT_CALL(*send_algorithm_, OnPacketSent(_, _, _, _, _)).Times(1);
-    EXPECT_CALL(visitor_, OnConnectionClosed(_, _)).Times(1);
+    EXPECT_CALL(*send_algorithm_, OnPacketSent(_, _, _, _, _))
+        .Times(AtLeast(1));
+    EXPECT_CALL(visitor_, OnConnectionClosed(_, _)).Times(AtLeast(1));
   }
 
   set_perspective(Perspective::IS_CLIENT);
@@ -2067,12 +2057,8 @@ TEST_P(QuicConnectionTest, DiscardQueuedPacketsAfterConnectionClose) {
   connection_.SendStreamDataWithString(/*id=*/2, "foo", 0, NO_FIN);
 
   EXPECT_FALSE(connection_.connected());
-  if (GetQuicReloadableFlag(quic_treat_queued_packets_as_sent)) {
-    // No need to buffer packets.
-    EXPECT_EQ(0u, connection_.NumQueuedPackets());
-  } else {
-    EXPECT_EQ(1u, connection_.NumQueuedPackets());
-  }
+  // No need to buffer packets.
+  EXPECT_EQ(0u, connection_.NumQueuedPackets());
 
   EXPECT_EQ(0u, connection_.GetStats().packets_discarded);
   connection_.OnCanWrite();
@@ -2080,7 +2066,6 @@ TEST_P(QuicConnectionTest, DiscardQueuedPacketsAfterConnectionClose) {
 }
 
 TEST_P(QuicConnectionTest, ReceiveConnectivityProbingAtServer) {
-  EXPECT_CALL(visitor_, OnSuccessfulVersionNegotiation(_));
   set_perspective(Perspective::IS_SERVER);
   QuicPacketCreatorPeer::SetSendVersionInPacket(creator_, false);
   EXPECT_EQ(Perspective::IS_SERVER, connection_.perspective());
@@ -2139,7 +2124,6 @@ TEST_P(QuicConnectionTest, ReceiveConnectivityProbingAtServer) {
 }
 
 TEST_P(QuicConnectionTest, ReceiveReorderedConnectivityProbingAtServer) {
-  EXPECT_CALL(visitor_, OnSuccessfulVersionNegotiation(_));
   set_perspective(Perspective::IS_SERVER);
   QuicPacketCreatorPeer::SetSendVersionInPacket(creator_, false);
   EXPECT_EQ(Perspective::IS_SERVER, connection_.perspective());
@@ -2196,7 +2180,6 @@ TEST_P(QuicConnectionTest, ReceiveReorderedConnectivityProbingAtServer) {
 }
 
 TEST_P(QuicConnectionTest, MigrateAfterProbingAtServer) {
-  EXPECT_CALL(visitor_, OnSuccessfulVersionNegotiation(_));
   set_perspective(Perspective::IS_SERVER);
   QuicPacketCreatorPeer::SetSendVersionInPacket(creator_, false);
   EXPECT_EQ(Perspective::IS_SERVER, connection_.perspective());
@@ -2397,8 +2380,6 @@ TEST_P(QuicConnectionTest, SmallerServerMaxPacketSize) {
 }
 
 TEST_P(QuicConnectionTest, IncreaseServerMaxPacketSize) {
-  EXPECT_CALL(visitor_, OnSuccessfulVersionNegotiation(_));
-
   set_perspective(Perspective::IS_SERVER);
   connection_.SetMaxPacketLength(1000);
 
@@ -2443,8 +2424,6 @@ TEST_P(QuicConnectionTest, IncreaseServerMaxPacketSize) {
 }
 
 TEST_P(QuicConnectionTest, IncreaseServerMaxPacketSizeWhileWriterLimited) {
-  EXPECT_CALL(visitor_, OnSuccessfulVersionNegotiation(_));
-
   const QuicByteCount lower_max_packet_size = 1240;
   writer_->set_max_packet_size(lower_max_packet_size);
   set_perspective(Perspective::IS_SERVER);
@@ -2708,18 +2687,13 @@ TEST_P(QuicConnectionTest, AckReceiptCausesAckSend) {
   connection_.SendStreamDataWithString(3, "foofoofoo", 9, NO_FIN);
   // Ack bundled.
   if (GetParam().no_stop_waiting) {
-    if (GetQuicReloadableFlag(quic_simplify_stop_waiting)) {
-      // Do not ACK acks.
-      EXPECT_EQ(1u, writer_->frame_count());
-    } else {
-      EXPECT_EQ(2u, writer_->frame_count());
-    }
+    // Do not ACK acks.
+    EXPECT_EQ(1u, writer_->frame_count());
   } else {
     EXPECT_EQ(3u, writer_->frame_count());
   }
   EXPECT_EQ(1u, writer_->stream_frames().size());
-  if (GetParam().no_stop_waiting &&
-      GetQuicReloadableFlag(quic_simplify_stop_waiting)) {
+  if (GetParam().no_stop_waiting) {
     EXPECT_TRUE(writer_->ack_frames().empty());
   } else {
     EXPECT_FALSE(writer_->ack_frames().empty());
@@ -2852,9 +2826,11 @@ TEST_P(QuicConnectionTest, LeastUnackedLower) {
   // one.  This should cause a connection error.
   QuicPacketCreatorPeer::SetPacketNumber(&peer_creator_, 7);
   if (!GetParam().no_stop_waiting) {
-    EXPECT_CALL(*send_algorithm_, OnPacketSent(_, _, _, _, _));
+    EXPECT_CALL(*send_algorithm_, OnPacketSent(_, _, _, _, _))
+        .Times(AtLeast(1));
     EXPECT_CALL(visitor_,
-                OnConnectionClosed(_, ConnectionCloseSource::FROM_SELF));
+                OnConnectionClosed(_, ConnectionCloseSource::FROM_SELF))
+        .Times(AtLeast(1));
   }
   ProcessStopWaitingPacket(InitStopWaitingFrame(1));
   if (!GetParam().no_stop_waiting) {
@@ -2907,7 +2883,7 @@ TEST_P(QuicConnectionTest, AckUnsentData) {
   EXPECT_CALL(visitor_,
               OnConnectionClosed(_, ConnectionCloseSource::FROM_SELF));
   EXPECT_CALL(visitor_, OnSuccessfulVersionNegotiation(_));
-  EXPECT_CALL(*send_algorithm_, OnPacketSent(_, _, _, _, _));
+  EXPECT_CALL(*send_algorithm_, OnPacketSent(_, _, _, _, _)).Times(AtLeast(1));
   QuicAckFrame frame = InitAckFrame(1);
   EXPECT_CALL(visitor_, OnCanWrite()).Times(0);
   ProcessAckPacket(&frame);
@@ -3078,7 +3054,9 @@ TEST_P(QuicConnectionTest, FramePackingNonCryptoThenCrypto) {
     EXPECT_CALL(*send_algorithm_, OnPacketSent(_, _, _, _, _)).Times(2);
     QuicConnection::ScopedPacketFlusher flusher(&connection_);
     connection_.SendStreamData3();
+    connection_.SetDefaultEncryptionLevel(ENCRYPTION_INITIAL);
     connection_.SendCryptoStreamData();
+    connection_.SetDefaultEncryptionLevel(ENCRYPTION_FORWARD_SECURE);
   }
   EXPECT_EQ(0u, connection_.NumQueuedPackets());
   EXPECT_FALSE(connection_.HasQueuedData());
@@ -3366,11 +3344,6 @@ TEST_P(QuicConnectionTest, DoNotSendQueuedPacketForResetStream) {
   EXPECT_CALL(*send_algorithm_, OnPacketSent(_, _, _, _, _)).Times(1);
   writer_->SetWritable();
   connection_.OnCanWrite();
-  if (!connection_.session_decides_what_to_write()) {
-    // OnCanWrite will cause RST_STREAM be sent again.
-    connection_.SendControlFrame(QuicFrame(new QuicRstStreamFrame(
-        1, stream_id, QUIC_ERROR_PROCESSING_STREAM, 14)));
-  }
   size_t padding_frame_count = writer_->padding_frames().size();
   EXPECT_EQ(padding_frame_count + 1u, writer_->frame_count());
   EXPECT_EQ(1u, writer_->rst_stream_frames().size());
@@ -3381,11 +3354,7 @@ TEST_P(QuicConnectionTest, SendQueuedPacketForQuicRstStreamNoError) {
   BlockOnNextWrite();
 
   QuicStreamId stream_id = 2;
-  if (GetQuicReloadableFlag(quic_treat_queued_packets_as_sent)) {
-    EXPECT_CALL(*send_algorithm_, OnPacketSent(_, _, _, _, _)).Times(1);
-  } else {
-    EXPECT_CALL(*send_algorithm_, OnPacketSent(_, _, _, _, _)).Times(0);
-  }
+  EXPECT_CALL(*send_algorithm_, OnPacketSent(_, _, _, _, _)).Times(1);
   connection_.SendStreamDataWithString(stream_id, "foo", 0, NO_FIN);
 
   // Now that there is a queued packet, reset the stream.
@@ -3393,20 +3362,9 @@ TEST_P(QuicConnectionTest, SendQueuedPacketForQuicRstStreamNoError) {
 
   // Unblock the connection and verify that the RST_STREAM is sent and the data
   // packet is sent.
-  if (GetQuicReloadableFlag(quic_treat_queued_packets_as_sent)) {
-    EXPECT_CALL(*send_algorithm_, OnPacketSent(_, _, _, _, _))
-        .Times(AtLeast(1));
-  } else {
-    EXPECT_CALL(*send_algorithm_, OnPacketSent(_, _, _, _, _))
-        .Times(AtLeast(2));
-  }
+  EXPECT_CALL(*send_algorithm_, OnPacketSent(_, _, _, _, _)).Times(AtLeast(1));
   writer_->SetWritable();
   connection_.OnCanWrite();
-  if (!connection_.session_decides_what_to_write()) {
-    // OnCanWrite will cause RST_STREAM be sent again.
-    connection_.SendControlFrame(QuicFrame(
-        new QuicRstStreamFrame(1, stream_id, QUIC_STREAM_NO_ERROR, 14)));
-  }
   size_t padding_frame_count = writer_->padding_frames().size();
   EXPECT_EQ(padding_frame_count + 1u, writer_->frame_count());
   EXPECT_EQ(1u, writer_->rst_stream_frames().size());
@@ -3495,12 +3453,7 @@ TEST_P(QuicConnectionTest, CancelRetransmissionAlarmAfterResetStream) {
   // Ensure that the data is still in flight, but the retransmission alarm is no
   // longer set.
   EXPECT_GT(manager_->GetBytesInFlight(), 0u);
-  if (QuicConnectionPeer::GetSentPacketManager(&connection_)
-          ->fix_rto_retransmission()) {
-    EXPECT_TRUE(connection_.GetRetransmissionAlarm()->IsSet());
-  } else {
-    EXPECT_FALSE(connection_.GetRetransmissionAlarm()->IsSet());
-  }
+  EXPECT_TRUE(connection_.GetRetransmissionAlarm()->IsSet());
 }
 
 TEST_P(QuicConnectionTest, RetransmitForQuicRstStreamNoErrorOnRTO) {
@@ -3547,11 +3500,6 @@ TEST_P(QuicConnectionTest, DoNotSendPendingRetransmissionForResetStream) {
   EXPECT_CALL(*send_algorithm_, OnPacketSent(_, _, _, _, _)).Times(1);
   writer_->SetWritable();
   connection_.OnCanWrite();
-  if (!connection_.session_decides_what_to_write()) {
-    // OnCanWrite will cause this RST_STREAM_FRAME be sent again.
-    connection_.SendControlFrame(QuicFrame(new QuicRstStreamFrame(
-        1, stream_id, QUIC_ERROR_PROCESSING_STREAM, 14)));
-  }
   size_t padding_frame_count = writer_->padding_frames().size();
   EXPECT_EQ(padding_frame_count + 1u, writer_->frame_count());
   ASSERT_EQ(1u, writer_->rst_stream_frames().size());
@@ -3613,12 +3561,8 @@ TEST_P(QuicConnectionTest, RetransmitAckedPacket) {
   EXPECT_CALL(*loss_algorithm_, DetectLosses(_, _, _, _, _, _))
       .WillOnce(SetArgPointee<5>(lost_packets));
   EXPECT_CALL(*send_algorithm_, OnCongestionEvent(true, _, _, _, _));
-  if (GetQuicReloadableFlag(quic_treat_queued_packets_as_sent)) {
-    EXPECT_CALL(*send_algorithm_, OnPacketSent(_, _, QuicPacketNumber(4), _, _))
-        .Times(1);
-  } else {
-    EXPECT_CALL(*send_algorithm_, OnPacketSent(_, _, _, _, _)).Times(0);
-  }
+  EXPECT_CALL(*send_algorithm_, OnPacketSent(_, _, QuicPacketNumber(4), _, _))
+      .Times(1);
   ProcessAckPacket(&nack_two);
   EXPECT_EQ(1u, connection_.NumQueuedPackets());
 
@@ -3628,15 +3572,8 @@ TEST_P(QuicConnectionTest, RetransmitAckedPacket) {
   QuicAckFrame ack_all = InitAckFrame(3);
   ProcessAckPacket(&ack_all);
 
-  if (GetQuicReloadableFlag(quic_treat_queued_packets_as_sent)) {
-    EXPECT_CALL(*send_algorithm_, OnPacketSent(_, _, QuicPacketNumber(4), _, _))
-        .Times(0);
-  } else {
-    // Unblock the socket and attempt to send the queued packets. We will always
-    // send the retransmission.
-    EXPECT_CALL(*send_algorithm_, OnPacketSent(_, _, QuicPacketNumber(4), _, _))
-        .Times(1);
-  }
+  EXPECT_CALL(*send_algorithm_, OnPacketSent(_, _, QuicPacketNumber(4), _, _))
+      .Times(0);
 
   writer_->SetWritable();
   connection_.OnCanWrite();
@@ -3674,8 +3611,7 @@ TEST_P(QuicConnectionTest, RetransmitNackedLargestObserved) {
 }
 
 TEST_P(QuicConnectionTest, QueueAfterTwoRTOs) {
-  if (connection_.PtoEnabled() ||
-      !connection_.session_decides_what_to_write()) {
+  if (connection_.PtoEnabled()) {
     return;
   }
   connection_.SetMaxTailLossProbes(0);
@@ -3688,11 +3624,7 @@ TEST_P(QuicConnectionTest, QueueAfterTwoRTOs) {
   // Block the writer and ensure they're queued.
   BlockOnNextWrite();
   clock_.AdvanceTime(DefaultRetransmissionTime());
-  if (GetQuicReloadableFlag(quic_treat_queued_packets_as_sent)) {
-    EXPECT_CALL(*send_algorithm_, OnPacketSent(_, _, _, _, _)).Times(2);
-  } else {
-    EXPECT_CALL(*send_algorithm_, OnPacketSent(_, _, _, _, _)).Times(0);
-  }
+  EXPECT_CALL(*send_algorithm_, OnPacketSent(_, _, _, _, _)).Times(2);
   connection_.GetRetransmissionAlarm()->Fire();
   EXPECT_TRUE(connection_.HasQueuedData());
 
@@ -3700,12 +3632,7 @@ TEST_P(QuicConnectionTest, QueueAfterTwoRTOs) {
   writer_->SetWritable();
   clock_.AdvanceTime(QuicTime::Delta::FromMicroseconds(
       2 * DefaultRetransmissionTime().ToMicroseconds()));
-  if (GetQuicReloadableFlag(quic_treat_queued_packets_as_sent)) {
-    EXPECT_CALL(*send_algorithm_, OnPacketSent(_, _, _, _, _)).Times(2);
-  } else {
-    // 2 RTOs + 1 TLP, which is buggy.
-    EXPECT_CALL(*send_algorithm_, OnPacketSent(_, _, _, _, _)).Times(3);
-  }
+  EXPECT_CALL(*send_algorithm_, OnPacketSent(_, _, _, _, _)).Times(2);
   connection_.GetRetransmissionAlarm()->Fire();
   connection_.OnCanWrite();
 }
@@ -3725,36 +3652,20 @@ TEST_P(QuicConnectionTest, WriteBlockedBufferedThenSent) {
 TEST_P(QuicConnectionTest, WriteBlockedThenSent) {
   EXPECT_CALL(*send_algorithm_, OnPacketSent(_, _, _, _, _)).Times(0);
   BlockOnNextWrite();
-  if (GetQuicReloadableFlag(quic_treat_queued_packets_as_sent)) {
-    EXPECT_CALL(*send_algorithm_, OnPacketSent(_, _, _, _, _)).Times(1);
-  } else {
-    EXPECT_CALL(*send_algorithm_, OnPacketSent(_, _, _, _, _)).Times(0);
-  }
+  EXPECT_CALL(*send_algorithm_, OnPacketSent(_, _, _, _, _)).Times(1);
   connection_.SendStreamDataWithString(1, "foo", 0, NO_FIN);
-  if (GetQuicReloadableFlag(quic_treat_queued_packets_as_sent)) {
-    EXPECT_TRUE(connection_.GetRetransmissionAlarm()->IsSet());
-  } else {
-    EXPECT_FALSE(connection_.GetRetransmissionAlarm()->IsSet());
-  }
+  EXPECT_TRUE(connection_.GetRetransmissionAlarm()->IsSet());
   EXPECT_EQ(1u, connection_.NumQueuedPackets());
 
   // The second packet should also be queued, in order to ensure packets are
   // never sent out of order.
   writer_->SetWritable();
-  if (GetQuicReloadableFlag(quic_treat_queued_packets_as_sent)) {
-    EXPECT_CALL(*send_algorithm_, OnPacketSent(_, _, _, _, _)).Times(1);
-  } else {
-    EXPECT_CALL(*send_algorithm_, OnPacketSent(_, _, _, _, _)).Times(0);
-  }
+  EXPECT_CALL(*send_algorithm_, OnPacketSent(_, _, _, _, _)).Times(1);
   connection_.SendStreamDataWithString(1, "foo", 0, NO_FIN);
   EXPECT_EQ(2u, connection_.NumQueuedPackets());
 
   // Now both are sent in order when we unblock.
-  if (GetQuicReloadableFlag(quic_treat_queued_packets_as_sent)) {
-    EXPECT_CALL(*send_algorithm_, OnPacketSent(_, _, _, _, _)).Times(0);
-  } else {
-    EXPECT_CALL(*send_algorithm_, OnPacketSent(_, _, _, _, _)).Times(2);
-  }
+  EXPECT_CALL(*send_algorithm_, OnPacketSent(_, _, _, _, _)).Times(0);
   connection_.OnCanWrite();
   EXPECT_TRUE(connection_.GetRetransmissionAlarm()->IsSet());
   EXPECT_EQ(0u, connection_.NumQueuedPackets());
@@ -3779,12 +3690,7 @@ TEST_P(QuicConnectionTest, RetransmitWriteBlockedAckedOriginalThenSent) {
 
   writer_->SetWritable();
   connection_.OnCanWrite();
-  if (QuicConnectionPeer::GetSentPacketManager(&connection_)
-          ->fix_rto_retransmission()) {
-    EXPECT_TRUE(connection_.GetRetransmissionAlarm()->IsSet());
-  } else {
-    EXPECT_FALSE(connection_.GetRetransmissionAlarm()->IsSet());
-  }
+  EXPECT_TRUE(connection_.GetRetransmissionAlarm()->IsSet());
   EXPECT_FALSE(QuicConnectionPeer::HasRetransmittableFrames(&connection_, 2));
 }
 
@@ -3867,8 +3773,8 @@ TEST_P(QuicConnectionTest, DoNotAddToWriteBlockedListAfterDisconnect) {
     writer_->SetWriteBlocked();
   }
   EXPECT_EQ(1, connection_close_frame_count_);
-  EXPECT_EQ(QUIC_PEER_GOING_AWAY,
-            saved_connection_close_frame_.quic_error_code);
+  EXPECT_THAT(saved_connection_close_frame_.quic_error_code,
+              IsError(QUIC_PEER_GOING_AWAY));
 }
 
 TEST_P(QuicConnectionTest, AddToWriteBlockedListIfBlockedOnFlushPackets) {
@@ -3906,11 +3812,7 @@ TEST_P(QuicConnectionTest, NoLimitPacketsPerNack) {
   EXPECT_CALL(*loss_algorithm_, DetectLosses(_, _, _, _, _, _))
       .WillOnce(SetArgPointee<5>(lost_packets));
   EXPECT_CALL(*send_algorithm_, OnCongestionEvent(true, _, _, _, _));
-  if (connection_.session_decides_what_to_write()) {
-    EXPECT_CALL(*send_algorithm_, OnPacketSent(_, _, _, _, _)).Times(1);
-  } else {
-    EXPECT_CALL(*send_algorithm_, OnPacketSent(_, _, _, _, _)).Times(14);
-  }
+  EXPECT_CALL(*send_algorithm_, OnPacketSent(_, _, _, _, _)).Times(1);
   ProcessAckPacket(&nack);
 }
 
@@ -4036,8 +3938,7 @@ TEST_P(QuicConnectionTest, TLP) {
 }
 
 TEST_P(QuicConnectionTest, TailLossProbeDelayForStreamDataInTLPR) {
-  if (!connection_.session_decides_what_to_write() ||
-      connection_.PtoEnabled()) {
+  if (connection_.PtoEnabled()) {
     return;
   }
 
@@ -4072,8 +3973,7 @@ TEST_P(QuicConnectionTest, TailLossProbeDelayForStreamDataInTLPR) {
 }
 
 TEST_P(QuicConnectionTest, TailLossProbeDelayForNonStreamDataInTLPR) {
-  if (!connection_.session_decides_what_to_write() ||
-      connection_.PtoEnabled()) {
+  if (connection_.PtoEnabled()) {
     return;
   }
 
@@ -4089,7 +3989,7 @@ TEST_P(QuicConnectionTest, TailLossProbeDelayForNonStreamDataInTLPR) {
   // Sets retransmittable on wire.
   const QuicTime::Delta retransmittable_on_wire_timeout =
       QuicTime::Delta::FromMilliseconds(50);
-  connection_.set_retransmittable_on_wire_timeout(
+  connection_.set_initial_retransmittable_on_wire_timeout(
       retransmittable_on_wire_timeout);
 
   EXPECT_TRUE(connection_.connected());
@@ -4129,7 +4029,7 @@ TEST_P(QuicConnectionTest, TailLossProbeDelayForNonStreamDataInTLPR) {
   // The ping alarm is set for the ping timeout, not the shorter
   // retransmittable_on_wire_timeout.
   EXPECT_TRUE(connection_.GetPingAlarm()->IsSet());
-  EXPECT_EQ(QuicTime::Delta::FromSeconds(kPingTimeoutSecs),
+  EXPECT_EQ(connection_.ping_timeout(),
             connection_.GetPingAlarm()->deadline() - clock_.ApproximateNow());
 
   // Receive an ACK for the data packet.
@@ -4184,7 +4084,7 @@ TEST_P(QuicConnectionTest, TailLossProbeDelayForNonStreamDataInTLPR) {
   // The ping alarm is set for the ping timeout, not the shorter
   // retransmittable_on_wire_timeout.
   EXPECT_TRUE(connection_.GetPingAlarm()->IsSet());
-  EXPECT_EQ(QuicTime::Delta::FromSeconds(kPingTimeoutSecs),
+  EXPECT_EQ(connection_.ping_timeout(),
             connection_.GetPingAlarm()->deadline() - clock_.ApproximateNow());
 
   // Advance a small period of time: 5ms. And receive a retransmitted ACK.
@@ -4227,8 +4127,7 @@ TEST_P(QuicConnectionTest, RTO) {
 
 // Regression test of b/133771183.
 TEST_P(QuicConnectionTest, RtoWithNoDataToRetransmit) {
-  if (!connection_.session_decides_what_to_write() ||
-      connection_.PtoEnabled()) {
+  if (connection_.PtoEnabled()) {
     return;
   }
   connection_.SetDefaultEncryptionLevel(ENCRYPTION_FORWARD_SECURE);
@@ -4243,31 +4142,14 @@ TEST_P(QuicConnectionTest, RtoWithNoDataToRetransmit) {
   // Simulate the retransmission alarm firing.
   clock_.AdvanceTime(DefaultRetransmissionTime());
   // RTO fires, but there is no packet to be RTOed.
-  if (GetQuicReloadableFlag(quic_fix_rto_retransmission3)) {
-    EXPECT_CALL(*send_algorithm_, OnPacketSent(_, _, _, _, _)).Times(1);
-  } else {
-    EXPECT_CALL(*send_algorithm_, OnPacketSent(_, _, _, _, _)).Times(0);
-  }
+  EXPECT_CALL(*send_algorithm_, OnPacketSent(_, _, _, _, _)).Times(1);
   connection_.GetRetransmissionAlarm()->Fire();
-  if (GetQuicReloadableFlag(quic_fix_rto_retransmission3)) {
-    EXPECT_EQ(1u, writer_->rst_stream_frames().size());
-  }
+  EXPECT_EQ(1u, writer_->rst_stream_frames().size());
 
   EXPECT_CALL(visitor_, OnStreamFrame(_)).Times(40);
   EXPECT_CALL(*send_algorithm_, OnPacketSent(_, _, _, _, _)).Times(20);
-  if (GetQuicReloadableFlag(quic_fix_rto_retransmission3)) {
-    EXPECT_CALL(visitor_, WillingAndAbleToWrite())
-        .WillRepeatedly(Return(false));
-  } else {
-    EXPECT_CALL(visitor_, WillingAndAbleToWrite()).WillRepeatedly(Return(true));
-  }
-  if (GetQuicReloadableFlag(quic_fix_rto_retransmission3)) {
-    EXPECT_CALL(visitor_, OnAckNeedsRetransmittableFrame()).Times(1);
-  } else {
-    // Since there is a buffered RST_STREAM, no retransmittable frame is bundled
-    // with ACKs.
-    EXPECT_CALL(visitor_, OnAckNeedsRetransmittableFrame()).Times(0);
-  }
+  EXPECT_CALL(visitor_, WillingAndAbleToWrite()).WillRepeatedly(Return(false));
+  EXPECT_CALL(visitor_, OnAckNeedsRetransmittableFrame()).Times(1);
   // Receives packets 1 - 40.
   for (size_t i = 1; i <= 40; ++i) {
     ProcessDataPacket(i);
@@ -4304,9 +4186,12 @@ TEST_P(QuicConnectionTest, RetransmitWithSameEncryptionLevel) {
 
   // Manually mark both packets for retransmission.
   connection_.RetransmitUnackedPackets(ALL_UNACKED_RETRANSMISSION);
-
-  // Packet should have been sent with ENCRYPTION_INITIAL.
-  EXPECT_EQ(0x01010101u, writer_->final_bytes_of_previous_packet());
+  if (!connection_.version().CanSendCoalescedPackets()) {
+    // Packet should have been sent with ENCRYPTION_INITIAL.
+    // If connection can send coalesced packet, both retransmissions will be
+    // coalesced in the same UDP datagram.
+    EXPECT_EQ(0x01010101u, writer_->final_bytes_of_previous_packet());
+  }
 
   // Packet should have been sent with ENCRYPTION_ZERO_RTT.
   EXPECT_EQ(0x02020202u, writer_->final_bytes_of_last_packet());
@@ -4346,17 +4231,12 @@ TEST_P(QuicConnectionTest,
   use_tagging_decrypter();
   connection_.SetEncrypter(ENCRYPTION_INITIAL,
                            std::make_unique<TaggingEncrypter>(0x01));
-  QuicPacketNumber packet_number;
   connection_.SendCryptoStreamData();
 
   // Simulate the retransmission alarm firing and the socket blocking.
   BlockOnNextWrite();
   clock_.AdvanceTime(DefaultRetransmissionTime());
-  if (GetQuicReloadableFlag(quic_treat_queued_packets_as_sent)) {
-    EXPECT_CALL(*send_algorithm_, OnPacketSent(_, _, _, _, _)).Times(1);
-  } else {
-    EXPECT_CALL(*send_algorithm_, OnPacketSent(_, _, _, _, _)).Times(0);
-  }
+  EXPECT_CALL(*send_algorithm_, OnPacketSent(_, _, _, _, _)).Times(1);
   connection_.GetRetransmissionAlarm()->Fire();
   EXPECT_EQ(1u, connection_.NumQueuedPackets());
 
@@ -4506,26 +4386,13 @@ TEST_P(QuicConnectionTest, Buffer100NonDecryptablePacketsThenKeyChange) {
 
 TEST_P(QuicConnectionTest, SetRTOAfterWritingToSocket) {
   BlockOnNextWrite();
-  if (GetQuicReloadableFlag(quic_treat_queued_packets_as_sent)) {
-    EXPECT_CALL(*send_algorithm_, OnPacketSent(_, _, _, _, _)).Times(1);
-  } else {
-    EXPECT_CALL(*send_algorithm_, OnPacketSent(_, _, _, _, _)).Times(0);
-  }
+  EXPECT_CALL(*send_algorithm_, OnPacketSent(_, _, _, _, _)).Times(1);
   connection_.SendStreamDataWithString(1, "foo", 0, NO_FIN);
-  if (GetQuicReloadableFlag(quic_treat_queued_packets_as_sent)) {
-    EXPECT_TRUE(connection_.GetRetransmissionAlarm()->IsSet());
-  } else {
-    // Make sure that RTO is not started when the packet is queued.
-    EXPECT_FALSE(connection_.GetRetransmissionAlarm()->IsSet());
-  }
+  EXPECT_TRUE(connection_.GetRetransmissionAlarm()->IsSet());
 
   // Test that RTO is started once we write to the socket.
   writer_->SetWritable();
-  if (GetQuicReloadableFlag(quic_treat_queued_packets_as_sent)) {
-    EXPECT_CALL(*send_algorithm_, OnPacketSent(_, _, _, _, _)).Times(0);
-  } else {
-    EXPECT_CALL(*send_algorithm_, OnPacketSent(_, _, _, _, _)).Times(1);
-  }
+  EXPECT_CALL(*send_algorithm_, OnPacketSent(_, _, _, _, _)).Times(0);
   connection_.OnCanWrite();
   EXPECT_TRUE(connection_.GetRetransmissionAlarm()->IsSet());
 }
@@ -4542,8 +4409,8 @@ TEST_P(QuicConnectionTest, DelayRTOWithAckReceipt) {
   connection_.SendStreamDataWithString(3, "bar", 0, NO_FIN);
   QuicAlarm* retransmission_alarm = connection_.GetRetransmissionAlarm();
   EXPECT_TRUE(retransmission_alarm->IsSet());
-  EXPECT_EQ(clock_.Now() + DefaultRetransmissionTime(),
-            retransmission_alarm->deadline());
+  EXPECT_EQ(DefaultRetransmissionTime(),
+            retransmission_alarm->deadline() - clock_.Now());
 
   // Advance the time right before the RTO, then receive an ack for the first
   // packet to delay the RTO.
@@ -4554,8 +4421,8 @@ TEST_P(QuicConnectionTest, DelayRTOWithAckReceipt) {
   // Now we have an RTT sample of DefaultRetransmissionTime(500ms),
   // so the RTO has increased to 2 * SRTT.
   EXPECT_TRUE(retransmission_alarm->IsSet());
-  EXPECT_EQ(retransmission_alarm->deadline(),
-            clock_.Now() + 2 * DefaultRetransmissionTime());
+  EXPECT_EQ(retransmission_alarm->deadline() - clock_.Now(),
+            2 * DefaultRetransmissionTime());
 
   // Move forward past the original RTO and ensure the RTO is still pending.
   clock_.AdvanceTime(2 * DefaultRetransmissionTime());
@@ -4780,8 +4647,8 @@ TEST_P(QuicConnectionTest, PingAfterSend) {
       GetNthClientInitiatedStreamId(0, connection_.transport_version()),
       "GET /", 0, FIN, nullptr);
   EXPECT_TRUE(connection_.GetPingAlarm()->IsSet());
-  EXPECT_EQ(clock_.ApproximateNow() + QuicTime::Delta::FromSeconds(15),
-            connection_.GetPingAlarm()->deadline());
+  EXPECT_EQ(QuicTime::Delta::FromSeconds(15),
+            connection_.GetPingAlarm()->deadline() - clock_.ApproximateNow());
 
   // Now recevie an ACK of the previous packet, which will move the
   // ping alarm forward.
@@ -4793,9 +4660,9 @@ TEST_P(QuicConnectionTest, PingAfterSend) {
   EXPECT_TRUE(connection_.GetPingAlarm()->IsSet());
   // The ping timer is set slightly less than 15 seconds in the future, because
   // of the 1s ping timer alarm granularity.
-  EXPECT_EQ(clock_.ApproximateNow() + QuicTime::Delta::FromSeconds(15) -
-                QuicTime::Delta::FromMilliseconds(5),
-            connection_.GetPingAlarm()->deadline());
+  EXPECT_EQ(
+      QuicTime::Delta::FromSeconds(15) - QuicTime::Delta::FromMilliseconds(5),
+      connection_.GetPingAlarm()->deadline() - clock_.ApproximateNow());
 
   writer_->Reset();
   clock_.AdvanceTime(QuicTime::Delta::FromSeconds(15));
@@ -4834,8 +4701,8 @@ TEST_P(QuicConnectionTest, ReducedPingTimeout) {
       GetNthClientInitiatedStreamId(0, connection_.transport_version()),
       "GET /", 0, FIN, nullptr);
   EXPECT_TRUE(connection_.GetPingAlarm()->IsSet());
-  EXPECT_EQ(clock_.ApproximateNow() + QuicTime::Delta::FromSeconds(10),
-            connection_.GetPingAlarm()->deadline());
+  EXPECT_EQ(QuicTime::Delta::FromSeconds(10),
+            connection_.GetPingAlarm()->deadline() - clock_.ApproximateNow());
 
   // Now recevie an ACK of the previous packet, which will move the
   // ping alarm forward.
@@ -4847,9 +4714,9 @@ TEST_P(QuicConnectionTest, ReducedPingTimeout) {
   EXPECT_TRUE(connection_.GetPingAlarm()->IsSet());
   // The ping timer is set slightly less than 10 seconds in the future, because
   // of the 1s ping timer alarm granularity.
-  EXPECT_EQ(clock_.ApproximateNow() + QuicTime::Delta::FromSeconds(10) -
-                QuicTime::Delta::FromMilliseconds(5),
-            connection_.GetPingAlarm()->deadline());
+  EXPECT_EQ(
+      QuicTime::Delta::FromSeconds(10) - QuicTime::Delta::FromMilliseconds(5),
+      connection_.GetPingAlarm()->deadline() - clock_.ApproximateNow());
 
   writer_->Reset();
   clock_.AdvanceTime(QuicTime::Delta::FromSeconds(10));
@@ -4873,10 +4740,7 @@ TEST_P(QuicConnectionTest, ReducedPingTimeout) {
 // Tests whether sending an MTU discovery packet to peer successfully causes the
 // maximum packet size to increase.
 TEST_P(QuicConnectionTest, SendMtuDiscoveryPacket) {
-  if (connection_.SupportsMultiplePacketNumberSpaces()) {
-    return;
-  }
-  EXPECT_TRUE(connection_.connected());
+  MtuDiscoveryTestInit();
 
   // Send an MTU probe.
   const size_t new_mtu = kDefaultMaxPacketSize + 100;
@@ -4887,17 +4751,6 @@ TEST_P(QuicConnectionTest, SendMtuDiscoveryPacket) {
   EXPECT_EQ(new_mtu, mtu_probe_size);
   EXPECT_EQ(QuicPacketNumber(1u), creator_->packet_number());
 
-  // QuicFramer::GetMaxPlaintextSize uses the smallest max plaintext size across
-  // all encrypters. The initial encrypter used with IETF QUIC has a 16-byte
-  // overhead, while the NullEncrypter used throughout this test has a 12-byte
-  // overhead. This test tests behavior that relies on computing the packet size
-  // correctly, so by unsetting the initial encrypter, we avoid having a
-  // mismatch between the overheads for the encrypters used. In non-test
-  // scenarios all encrypters used for a given connection have the same
-  // overhead, either 12 bytes for ones using Google QUIC crypto, or 16 bytes
-  // for ones using TLS.
-  connection_.SetEncrypter(ENCRYPTION_INITIAL, nullptr);
-
   // Send more than MTU worth of data.  No acknowledgement was received so far,
   // so the MTU should be at its old value.
   const std::string data(kDefaultMaxPacketSize + 1, '.');
@@ -4912,7 +4765,6 @@ TEST_P(QuicConnectionTest, SendMtuDiscoveryPacket) {
 
   // Acknowledge all packets so far.
   QuicAckFrame probe_ack = InitAckFrame(3);
-  EXPECT_CALL(visitor_, OnSuccessfulVersionNegotiation(_));
   EXPECT_CALL(*send_algorithm_, OnCongestionEvent(true, _, _, _, _));
   ProcessAckPacket(&probe_ack);
   EXPECT_EQ(new_mtu, connection_.max_packet_length());
@@ -4926,7 +4778,7 @@ TEST_P(QuicConnectionTest, SendMtuDiscoveryPacket) {
 // Tests whether MTU discovery does not happen when it is not explicitly enabled
 // by the connection options.
 TEST_P(QuicConnectionTest, MtuDiscoveryDisabled) {
-  EXPECT_TRUE(connection_.connected());
+  MtuDiscoveryTestInit();
 
   const QuicPacketCount packets_between_probes_base = 10;
   set_packets_between_probes_base(packets_between_probes_base);
@@ -4942,18 +4794,7 @@ TEST_P(QuicConnectionTest, MtuDiscoveryDisabled) {
 // Tests whether MTU discovery works when all probes are acknowledged on the
 // first try.
 TEST_P(QuicConnectionTest, MtuDiscoveryEnabled) {
-  EXPECT_TRUE(connection_.connected());
-
-  // QuicFramer::GetMaxPlaintextSize uses the smallest max plaintext size across
-  // all encrypters. The initial encrypter used with IETF QUIC has a 16-byte
-  // overhead, while the NullEncrypter used throughout this test has a 12-byte
-  // overhead. This test tests behavior that relies on computing the packet size
-  // correctly, so by unsetting the initial encrypter, we avoid having a
-  // mismatch between the overheads for the encrypters used. In non-test
-  // scenarios all encrypters used for a given connection have the same
-  // overhead, either 12 bytes for ones using Google QUIC crypto, or 16 bytes
-  // for ones using TLS.
-  connection_.SetEncrypter(ENCRYPTION_INITIAL, nullptr);
+  MtuDiscoveryTestInit();
 
   const QuicPacketCount packets_between_probes_base = 5;
   set_packets_between_probes_base(packets_between_probes_base);
@@ -4974,12 +4815,9 @@ TEST_P(QuicConnectionTest, MtuDiscoveryEnabled) {
   EXPECT_CALL(*send_algorithm_, OnPacketSent(_, _, _, _, _))
       .WillOnce(SaveArg<3>(&probe_size));
   connection_.GetMtuDiscoveryAlarm()->Fire();
-  if (GetQuicReloadableFlag(quic_mtu_discovery_v2)) {
-    EXPECT_THAT(probe_size, InRange(connection_.max_packet_length(),
-                                    kMtuDiscoveryTargetPacketSizeHigh));
-  } else {
-    EXPECT_EQ(kMtuDiscoveryTargetPacketSizeHigh, probe_size);
-  }
+
+  EXPECT_THAT(probe_size, InRange(connection_.max_packet_length(),
+                                  kMtuDiscoveryTargetPacketSizeHigh));
 
   const QuicPacketNumber probe_packet_number =
       FirstSendingPacketNumber() + packets_between_probes_base;
@@ -4987,7 +4825,6 @@ TEST_P(QuicConnectionTest, MtuDiscoveryEnabled) {
 
   // Acknowledge all packets sent so far.
   QuicAckFrame probe_ack = InitAckFrame(probe_packet_number);
-  EXPECT_CALL(visitor_, OnSuccessfulVersionNegotiation(_));
   EXPECT_CALL(*send_algorithm_, OnCongestionEvent(true, _, _, _, _))
       .Times(AnyNumber());
   ProcessAckPacket(&probe_ack);
@@ -4996,17 +4833,6 @@ TEST_P(QuicConnectionTest, MtuDiscoveryEnabled) {
 
   EXPECT_EQ(1u, connection_.mtu_probe_count());
 
-  if (!GetQuicReloadableFlag(quic_mtu_discovery_v2)) {
-    // Send more packets, and ensure that none of them sets the alarm.
-    for (QuicPacketCount i = 0; i < 4 * packets_between_probes_base; i++) {
-      SendStreamDataToPeer(3, ".", packets_between_probes_base + i, NO_FIN,
-                           nullptr);
-      ASSERT_FALSE(connection_.GetMtuDiscoveryAlarm()->IsSet());
-    }
-
-    return;
-  }
-
   QuicStreamOffset stream_offset = packets_between_probes_base;
   for (size_t num_probes = 1; num_probes < kMtuDiscoveryAttempts;
        ++num_probes) {
@@ -5044,9 +4870,7 @@ TEST_P(QuicConnectionTest, MtuDiscoveryEnabled) {
 // Simulate the case where the first attempt to send a probe is write blocked,
 // and after unblock, the second attempt returns a MSG_TOO_BIG error.
 TEST_P(QuicConnectionTest, MtuDiscoveryWriteBlocked) {
-  EXPECT_TRUE(connection_.connected());
-
-  connection_.SetEncrypter(ENCRYPTION_INITIAL, nullptr);
+  MtuDiscoveryTestInit();
 
   const QuicPacketCount packets_between_probes_base = 5;
   set_packets_between_probes_base(packets_between_probes_base);
@@ -5065,9 +4889,7 @@ TEST_P(QuicConnectionTest, MtuDiscoveryWriteBlocked) {
   SendStreamDataToPeer(3, "!", packets_between_probes_base - 1, NO_FIN,
                        nullptr);
   ASSERT_TRUE(connection_.GetMtuDiscoveryAlarm()->IsSet());
-  if (GetQuicReloadableFlag(quic_treat_queued_packets_as_sent)) {
-    EXPECT_CALL(*send_algorithm_, OnPacketSent(_, _, _, _, _));
-  }
+  EXPECT_CALL(*send_algorithm_, OnPacketSent(_, _, _, _, _));
   BlockOnNextWrite();
   EXPECT_EQ(0u, connection_.NumQueuedPackets());
   connection_.GetMtuDiscoveryAlarm()->Fire();
@@ -5086,7 +4908,7 @@ TEST_P(QuicConnectionTest, MtuDiscoveryWriteBlocked) {
 // Tests whether MTU discovery works correctly when the probes never get
 // acknowledged.
 TEST_P(QuicConnectionTest, MtuDiscoveryFailed) {
-  EXPECT_TRUE(connection_.connected());
+  MtuDiscoveryTestInit();
 
   // Lower the number of probes between packets in order to make the test go
   // much faster.
@@ -5106,8 +4928,6 @@ TEST_P(QuicConnectionTest, MtuDiscoveryFailed) {
   const QuicPacketCount number_of_packets =
       packets_between_probes_base * (1 << (kMtuDiscoveryAttempts + 1));
   std::vector<QuicPacketNumber> mtu_discovery_packets;
-  // Called by the first ack.
-  EXPECT_CALL(visitor_, OnSuccessfulVersionNegotiation(_));
   // Called on many acks.
   EXPECT_CALL(*send_algorithm_, OnCongestionEvent(true, _, _, _, _))
       .Times(AnyNumber());
@@ -5168,21 +4988,7 @@ TEST_P(QuicConnectionTest, MtuDiscoveryFailed) {
 
 // Probe 3 times, the first one succeeds, then fails, then succeeds again.
 TEST_P(QuicConnectionTest, MtuDiscoverySecondProbeFailed) {
-  if (!GetQuicReloadableFlag(quic_mtu_discovery_v2)) {
-    return;
-  }
-  EXPECT_TRUE(connection_.connected());
-
-  // QuicFramer::GetMaxPlaintextSize uses the smallest max plaintext size across
-  // all encrypters. The initial encrypter used with IETF QUIC has a 16-byte
-  // overhead, while the NullEncrypter used throughout this test has a 12-byte
-  // overhead. This test tests behavior that relies on computing the packet size
-  // correctly, so by unsetting the initial encrypter, we avoid having a
-  // mismatch between the overheads for the encrypters used. In non-test
-  // scenarios all encrypters used for a given connection have the same
-  // overhead, either 12 bytes for ones using Google QUIC crypto, or 16 bytes
-  // for ones using TLS.
-  connection_.SetEncrypter(ENCRYPTION_INITIAL, nullptr);
+  MtuDiscoveryTestInit();
 
   const QuicPacketCount packets_between_probes_base = 5;
   set_packets_between_probes_base(packets_between_probes_base);
@@ -5213,7 +5019,6 @@ TEST_P(QuicConnectionTest, MtuDiscoverySecondProbeFailed) {
 
   // Acknowledge all packets sent so far.
   QuicAckFrame first_ack = InitAckFrame(probe_packet_number);
-  EXPECT_CALL(visitor_, OnSuccessfulVersionNegotiation(_));
   EXPECT_CALL(*send_algorithm_, OnCongestionEvent(true, _, _, _, _))
       .Times(AnyNumber());
   ProcessAckPacket(&first_ack);
@@ -5271,18 +5076,7 @@ TEST_P(QuicConnectionTest, MtuDiscoverySecondProbeFailed) {
 // Tests whether MTU discovery works when the writer has a limit on how large a
 // packet can be.
 TEST_P(QuicConnectionTest, MtuDiscoveryWriterLimited) {
-  EXPECT_TRUE(connection_.connected());
-
-  // QuicFramer::GetMaxPlaintextSize uses the smallest max plaintext size across
-  // all encrypters. The initial encrypter used with IETF QUIC has a 16-byte
-  // overhead, while the NullEncrypter used throughout this test has a 12-byte
-  // overhead. This test tests behavior that relies on computing the packet size
-  // correctly, so by unsetting the initial encrypter, we avoid having a
-  // mismatch between the overheads for the encrypters used. In non-test
-  // scenarios all encrypters used for a given connection have the same
-  // overhead, either 12 bytes for ones using Google QUIC crypto, or 16 bytes
-  // for ones using TLS.
-  connection_.SetEncrypter(ENCRYPTION_INITIAL, nullptr);
+  MtuDiscoveryTestInit();
 
   const QuicByteCount mtu_limit = kMtuDiscoveryTargetPacketSizeHigh - 1;
   writer_->set_max_packet_size(mtu_limit);
@@ -5306,12 +5100,8 @@ TEST_P(QuicConnectionTest, MtuDiscoveryWriterLimited) {
   EXPECT_CALL(*send_algorithm_, OnPacketSent(_, _, _, _, _))
       .WillOnce(SaveArg<3>(&probe_size));
   connection_.GetMtuDiscoveryAlarm()->Fire();
-  if (GetQuicReloadableFlag(quic_mtu_discovery_v2)) {
-    EXPECT_THAT(probe_size,
-                InRange(connection_.max_packet_length(), mtu_limit));
-  } else {
-    EXPECT_EQ(mtu_limit, probe_size);
-  }
+
+  EXPECT_THAT(probe_size, InRange(connection_.max_packet_length(), mtu_limit));
 
   const QuicPacketNumber probe_sequence_number =
       FirstSendingPacketNumber() + packets_between_probes_base;
@@ -5319,7 +5109,6 @@ TEST_P(QuicConnectionTest, MtuDiscoveryWriterLimited) {
 
   // Acknowledge all packets sent so far.
   QuicAckFrame probe_ack = InitAckFrame(probe_sequence_number);
-  EXPECT_CALL(visitor_, OnSuccessfulVersionNegotiation(_));
   EXPECT_CALL(*send_algorithm_, OnCongestionEvent(true, _, _, _, _))
       .Times(AnyNumber());
   ProcessAckPacket(&probe_ack);
@@ -5328,17 +5117,6 @@ TEST_P(QuicConnectionTest, MtuDiscoveryWriterLimited) {
 
   EXPECT_EQ(1u, connection_.mtu_probe_count());
 
-  if (!GetQuicReloadableFlag(quic_mtu_discovery_v2)) {
-    // Send more packets, and ensure that none of them sets the alarm.
-    for (QuicPacketCount i = 0; i < 4 * packets_between_probes_base; i++) {
-      SendStreamDataToPeer(3, ".", packets_between_probes_base + i, NO_FIN,
-                           nullptr);
-      ASSERT_FALSE(connection_.GetMtuDiscoveryAlarm()->IsSet());
-    }
-
-    return;
-  }
-
   QuicStreamOffset stream_offset = packets_between_probes_base;
   for (size_t num_probes = 1; num_probes < kMtuDiscoveryAttempts;
        ++num_probes) {
@@ -5375,7 +5153,7 @@ TEST_P(QuicConnectionTest, MtuDiscoveryWriterLimited) {
 // Tests whether MTU discovery works when the writer returns an error despite
 // advertising higher packet length.
 TEST_P(QuicConnectionTest, MtuDiscoveryWriterFailed) {
-  EXPECT_TRUE(connection_.connected());
+  MtuDiscoveryTestInit();
 
   const QuicByteCount mtu_limit = kMtuDiscoveryTargetPacketSizeHigh - 1;
   const QuicByteCount initial_mtu = connection_.max_packet_length();
@@ -5412,7 +5190,6 @@ TEST_P(QuicConnectionTest, MtuDiscoveryWriterFailed) {
   // Acknowledge all packets sent so far, except for the lost probe.
   QuicAckFrame probe_ack =
       ConstructAckFrame(creator_->packet_number(), probe_number);
-  EXPECT_CALL(visitor_, OnSuccessfulVersionNegotiation(_));
   EXPECT_CALL(*send_algorithm_, OnCongestionEvent(true, _, _, _, _));
   ProcessAckPacket(&probe_ack);
   EXPECT_EQ(initial_mtu, connection_.max_packet_length());
@@ -5428,7 +5205,7 @@ TEST_P(QuicConnectionTest, MtuDiscoveryWriterFailed) {
 }
 
 TEST_P(QuicConnectionTest, NoMtuDiscoveryAfterConnectionClosed) {
-  EXPECT_TRUE(connection_.connected());
+  MtuDiscoveryTestInit();
 
   const QuicPacketCount packets_between_probes_base = 10;
   set_packets_between_probes_base(packets_between_probes_base);
@@ -5492,7 +5269,7 @@ TEST_P(QuicConnectionTest, TimeoutAfterSend) {
   // This time, we should time out.
   EXPECT_CALL(visitor_,
               OnConnectionClosed(_, ConnectionCloseSource::FROM_SELF));
-  EXPECT_CALL(*send_algorithm_, OnPacketSent(_, _, _, _, _));
+  EXPECT_CALL(*send_algorithm_, OnPacketSent(_, _, _, _, _)).Times(AtLeast(1));
   clock_.AdvanceTime(five_ms);
   EXPECT_EQ(default_timeout + five_ms, clock_.ApproximateNow());
   connection_.GetTimeoutAlarm()->Fire();
@@ -5570,7 +5347,7 @@ TEST_P(QuicConnectionTest, TimeoutAfterRetransmission) {
   // This time, we should time out.
   EXPECT_CALL(visitor_,
               OnConnectionClosed(_, ConnectionCloseSource::FROM_SELF));
-  EXPECT_CALL(*send_algorithm_, OnPacketSent(_, _, _, _, _));
+  EXPECT_CALL(*send_algorithm_, OnPacketSent(_, _, _, _, _)).Times(AtLeast(1));
   clock_.AdvanceTime(final_timeout - clock_.Now());
   EXPECT_EQ(connection_.GetTimeoutAlarm()->deadline(), clock_.Now());
   EXPECT_EQ(final_timeout, clock_.Now());
@@ -5601,7 +5378,7 @@ TEST_P(QuicConnectionTest, NewTimeoutAfterSendSilentClose) {
   client_config.ToHandshakeMessage(&msg, connection_.transport_version());
   const QuicErrorCode error =
       config.ProcessPeerHello(msg, CLIENT, &error_details);
-  EXPECT_EQ(QUIC_NO_ERROR, error);
+  EXPECT_THAT(error, IsQuicNoError());
 
   connection_.SetFromConfig(config);
   EXPECT_TRUE(QuicConnectionPeer::IsSilentCloseEnabled(&connection_));
@@ -5650,8 +5427,8 @@ TEST_P(QuicConnectionTest, NewTimeoutAfterSendSilentClose) {
   EXPECT_FALSE(connection_.GetTimeoutAlarm()->IsSet());
   EXPECT_FALSE(connection_.connected());
   EXPECT_EQ(1, connection_close_frame_count_);
-  EXPECT_EQ(QUIC_NETWORK_IDLE_TIMEOUT,
-            saved_connection_close_frame_.quic_error_code);
+  EXPECT_THAT(saved_connection_close_frame_.quic_error_code,
+              IsError(QUIC_NETWORK_IDLE_TIMEOUT));
 }
 
 TEST_P(QuicConnectionTest, TimeoutAfterSendSilentCloseAndTLP) {
@@ -5678,7 +5455,7 @@ TEST_P(QuicConnectionTest, TimeoutAfterSendSilentCloseAndTLP) {
   client_config.ToHandshakeMessage(&msg, connection_.transport_version());
   const QuicErrorCode error =
       config.ProcessPeerHello(msg, CLIENT, &error_details);
-  EXPECT_EQ(QUIC_NO_ERROR, error);
+  EXPECT_THAT(error, IsQuicNoError());
 
   connection_.SetFromConfig(config);
   EXPECT_TRUE(QuicConnectionPeer::IsSilentCloseEnabled(&connection_));
@@ -5705,7 +5482,7 @@ TEST_P(QuicConnectionTest, TimeoutAfterSendSilentCloseAndTLP) {
   // This time, we should time out and send a connection close due to the TLP.
   EXPECT_CALL(visitor_,
               OnConnectionClosed(_, ConnectionCloseSource::FROM_SELF));
-  EXPECT_CALL(*send_algorithm_, OnPacketSent(_, _, _, _, _));
+  EXPECT_CALL(*send_algorithm_, OnPacketSent(_, _, _, _, _)).Times(AtLeast(1));
   clock_.AdvanceTime(connection_.GetTimeoutAlarm()->deadline() -
                      clock_.ApproximateNow() + five_ms);
   connection_.GetTimeoutAlarm()->Fire();
@@ -5735,7 +5512,7 @@ TEST_P(QuicConnectionTest, TimeoutAfterSendSilentCloseWithOpenStreams) {
   client_config.ToHandshakeMessage(&msg, connection_.transport_version());
   const QuicErrorCode error =
       config.ProcessPeerHello(msg, CLIENT, &error_details);
-  EXPECT_EQ(QUIC_NO_ERROR, error);
+  EXPECT_THAT(error, IsQuicNoError());
 
   connection_.SetFromConfig(config);
   EXPECT_TRUE(QuicConnectionPeer::IsSilentCloseEnabled(&connection_));
@@ -5760,7 +5537,7 @@ TEST_P(QuicConnectionTest, TimeoutAfterSendSilentCloseWithOpenStreams) {
   // This time, we should time out and send a connection close due to the TLP.
   EXPECT_CALL(visitor_,
               OnConnectionClosed(_, ConnectionCloseSource::FROM_SELF));
-  EXPECT_CALL(*send_algorithm_, OnPacketSent(_, _, _, _, _));
+  EXPECT_CALL(*send_algorithm_, OnPacketSent(_, _, _, _, _)).Times(AtLeast(1));
   clock_.AdvanceTime(connection_.GetTimeoutAlarm()->deadline() -
                      clock_.ApproximateNow() + five_ms);
   connection_.GetTimeoutAlarm()->Fire();
@@ -5811,7 +5588,7 @@ TEST_P(QuicConnectionTest, TimeoutAfterReceive) {
   // This time, we should time out.
   EXPECT_CALL(visitor_,
               OnConnectionClosed(_, ConnectionCloseSource::FROM_SELF));
-  EXPECT_CALL(*send_algorithm_, OnPacketSent(_, _, _, _, _));
+  EXPECT_CALL(*send_algorithm_, OnPacketSent(_, _, _, _, _)).Times(AtLeast(1));
   clock_.AdvanceTime(five_ms);
   EXPECT_EQ(default_timeout + five_ms, clock_.ApproximateNow());
   connection_.GetTimeoutAlarm()->Fire();
@@ -5914,7 +5691,7 @@ TEST_P(QuicConnectionTest, TimeoutAfter5ClientRTOs) {
   // This time, we should time out.
   EXPECT_CALL(visitor_,
               OnConnectionClosed(_, ConnectionCloseSource::FROM_SELF));
-  EXPECT_CALL(*send_algorithm_, OnPacketSent(_, _, _, _, _));
+  EXPECT_CALL(*send_algorithm_, OnPacketSent(_, _, _, _, _)).Times(AtLeast(1));
   connection_.GetRetransmissionAlarm()->Fire();
   EXPECT_FALSE(connection_.GetTimeoutAlarm()->IsSet());
   EXPECT_FALSE(connection_.connected());
@@ -6567,7 +6344,7 @@ TEST_P(QuicConnectionTest, SendDelayedAckDecimationWithLargeReordering) {
   }
   // Check that ack is sent and that delayed ack alarm is reset.
   if (GetParam().no_stop_waiting) {
-    EXPECT_EQ(1u, writer_->frame_count());
+    EXPECT_EQ(writer_->padding_frames().size() + 1u, writer_->frame_count());
     EXPECT_TRUE(writer_->stop_waiting_frames().empty());
   } else {
     EXPECT_EQ(2u, writer_->frame_count());
@@ -6584,7 +6361,7 @@ TEST_P(QuicConnectionTest, SendDelayedAckDecimationWithLargeReordering) {
                            ENCRYPTION_ZERO_RTT);
   // Check that ack is sent and that delayed ack alarm is reset.
   if (GetParam().no_stop_waiting) {
-    EXPECT_EQ(1u, writer_->frame_count());
+    EXPECT_EQ(writer_->padding_frames().size() + 1u, writer_->frame_count());
     EXPECT_TRUE(writer_->stop_waiting_frames().empty());
   } else {
     EXPECT_EQ(2u, writer_->frame_count());
@@ -6720,7 +6497,7 @@ TEST_P(QuicConnectionTest,
   }
   // Check that ack is sent and that delayed ack alarm is reset.
   if (GetParam().no_stop_waiting) {
-    EXPECT_EQ(1u, writer_->frame_count());
+    EXPECT_EQ(writer_->padding_frames().size() + 1u, writer_->frame_count());
     EXPECT_TRUE(writer_->stop_waiting_frames().empty());
   } else {
     EXPECT_EQ(2u, writer_->frame_count());
@@ -6737,7 +6514,7 @@ TEST_P(QuicConnectionTest,
                            ENCRYPTION_ZERO_RTT);
   // Check that ack is sent and that delayed ack alarm is reset.
   if (GetParam().no_stop_waiting) {
-    EXPECT_EQ(1u, writer_->frame_count());
+    EXPECT_EQ(writer_->padding_frames().size() + 1u, writer_->frame_count());
     EXPECT_TRUE(writer_->stop_waiting_frames().empty());
   } else {
     EXPECT_EQ(2u, writer_->frame_count());
@@ -6997,19 +6774,13 @@ TEST_P(QuicConnectionTest, BundleAckWithDataOnIncomingAck) {
   // Check that ack is bundled with outgoing data and the delayed ack
   // alarm is reset.
   if (GetParam().no_stop_waiting) {
-    if (GetQuicReloadableFlag(quic_simplify_stop_waiting)) {
-      // Do not ACK acks.
-      EXPECT_EQ(1u, writer_->frame_count());
-    } else {
-      EXPECT_EQ(2u, writer_->frame_count());
-      EXPECT_TRUE(writer_->stop_waiting_frames().empty());
-    }
+    // Do not ACK acks.
+    EXPECT_EQ(1u, writer_->frame_count());
   } else {
     EXPECT_EQ(3u, writer_->frame_count());
     EXPECT_FALSE(writer_->stop_waiting_frames().empty());
   }
-  if (GetParam().no_stop_waiting &&
-      GetQuicReloadableFlag(quic_simplify_stop_waiting)) {
+  if (GetParam().no_stop_waiting) {
     EXPECT_TRUE(writer_->ack_frames().empty());
   } else {
     EXPECT_FALSE(writer_->ack_frames().empty());
@@ -7028,8 +6799,8 @@ TEST_P(QuicConnectionTest, NoAckSentForClose) {
   EXPECT_CALL(*send_algorithm_, OnPacketSent(_, _, _, _, _)).Times(0);
   ProcessClosePacket(2);
   EXPECT_EQ(1, connection_close_frame_count_);
-  EXPECT_EQ(QUIC_PEER_GOING_AWAY,
-            saved_connection_close_frame_.quic_error_code);
+  EXPECT_THAT(saved_connection_close_frame_.quic_error_code,
+              IsError(QUIC_PEER_GOING_AWAY));
 }
 
 TEST_P(QuicConnectionTest, SendWhenDisconnected) {
@@ -7047,8 +6818,8 @@ TEST_P(QuicConnectionTest, SendWhenDisconnected) {
   connection_.SendPacket(ENCRYPTION_INITIAL, 1, std::move(packet),
                          HAS_RETRANSMITTABLE_DATA, false, false);
   EXPECT_EQ(1, connection_close_frame_count_);
-  EXPECT_EQ(QUIC_PEER_GOING_AWAY,
-            saved_connection_close_frame_.quic_error_code);
+  EXPECT_THAT(saved_connection_close_frame_.quic_error_code,
+              IsError(QUIC_PEER_GOING_AWAY));
 }
 
 TEST_P(QuicConnectionTest, SendConnectivityProbingWhenDisconnected) {
@@ -7073,8 +6844,8 @@ TEST_P(QuicConnectionTest, SendConnectivityProbingWhenDisconnected) {
                   "Not sending connectivity probing packet as connection is "
                   "disconnected.");
   EXPECT_EQ(1, connection_close_frame_count_);
-  EXPECT_EQ(QUIC_PEER_GOING_AWAY,
-            saved_connection_close_frame_.quic_error_code);
+  EXPECT_THAT(saved_connection_close_frame_.quic_error_code,
+              IsError(QUIC_PEER_GOING_AWAY));
 }
 
 TEST_P(QuicConnectionTest, WriteBlockedAfterClientSendsConnectivityProbe) {
@@ -7155,7 +6926,8 @@ TEST_P(QuicConnectionTest, PublicReset) {
       .WillOnce(Invoke(this, &QuicConnectionTest::SaveConnectionCloseFrame));
   connection_.ProcessUdpPacket(kSelfAddress, kPeerAddress, *received);
   EXPECT_EQ(1, connection_close_frame_count_);
-  EXPECT_EQ(QUIC_PUBLIC_RESET, saved_connection_close_frame_.quic_error_code);
+  EXPECT_THAT(saved_connection_close_frame_.quic_error_code,
+              IsError(QUIC_PUBLIC_RESET));
 }
 
 TEST_P(QuicConnectionTest, IetfStatelessReset) {
@@ -7177,7 +6949,8 @@ TEST_P(QuicConnectionTest, IetfStatelessReset) {
       .WillOnce(Invoke(this, &QuicConnectionTest::SaveConnectionCloseFrame));
   connection_.ProcessUdpPacket(kSelfAddress, kPeerAddress, *received);
   EXPECT_EQ(1, connection_close_frame_count_);
-  EXPECT_EQ(QUIC_PUBLIC_RESET, saved_connection_close_frame_.quic_error_code);
+  EXPECT_THAT(saved_connection_close_frame_.quic_error_code,
+              IsError(QUIC_PUBLIC_RESET));
 }
 
 TEST_P(QuicConnectionTest, GoAway) {
@@ -7201,7 +6974,7 @@ TEST_P(QuicConnectionTest, WindowUpdate) {
 
   QuicWindowUpdateFrame window_update;
   window_update.stream_id = 3;
-  window_update.byte_offset = 1234;
+  window_update.max_data = 1234;
   EXPECT_CALL(visitor_, OnWindowUpdateFrame(_));
   ProcessFramePacket(QuicFrame(&window_update));
 }
@@ -7259,8 +7032,8 @@ TEST_P(QuicConnectionTest, ClientHandlesVersionNegotiation) {
   connection_.ProcessUdpPacket(kSelfAddress, kPeerAddress, *received);
   EXPECT_FALSE(connection_.connected());
   EXPECT_EQ(1, connection_close_frame_count_);
-  EXPECT_EQ(QUIC_INVALID_VERSION,
-            saved_connection_close_frame_.quic_error_code);
+  EXPECT_THAT(saved_connection_close_frame_.quic_error_code,
+              IsError(QUIC_INVALID_VERSION));
 }
 
 TEST_P(QuicConnectionTest, BadVersionNegotiation) {
@@ -7278,8 +7051,8 @@ TEST_P(QuicConnectionTest, BadVersionNegotiation) {
       ConstructReceivedPacket(*encrypted, QuicTime::Zero()));
   connection_.ProcessUdpPacket(kSelfAddress, kPeerAddress, *received);
   EXPECT_EQ(1, connection_close_frame_count_);
-  EXPECT_EQ(QUIC_INVALID_VERSION_NEGOTIATION_PACKET,
-            saved_connection_close_frame_.quic_error_code);
+  EXPECT_THAT(saved_connection_close_frame_.quic_error_code,
+              IsError(QUIC_INVALID_VERSION_NEGOTIATION_PACKET));
 }
 
 TEST_P(QuicConnectionTest, CheckSendStats) {
@@ -7317,9 +7090,6 @@ TEST_P(QuicConnectionTest, CheckSendStats) {
   EXPECT_CALL(*loss_algorithm_, DetectLosses(_, _, _, _, _, _))
       .WillOnce(SetArgPointee<5>(lost_packets));
   EXPECT_CALL(*send_algorithm_, OnCongestionEvent(true, _, _, _, _));
-  if (!connection_.session_decides_what_to_write()) {
-    EXPECT_CALL(visitor_, OnCanWrite());
-  }
   EXPECT_CALL(visitor_, OnSuccessfulVersionNegotiation(_));
   ProcessAckPacket(&nack_three);
 
@@ -7387,8 +7157,8 @@ TEST_P(QuicConnectionTest, ProcessFramesIfPacketClosedConnection) {
       kSelfAddress, kPeerAddress,
       QuicReceivedPacket(buffer, encrypted_length, QuicTime::Zero(), false));
   EXPECT_EQ(1, connection_close_frame_count_);
-  EXPECT_EQ(QUIC_PEER_GOING_AWAY,
-            saved_connection_close_frame_.extracted_error_code);
+  EXPECT_THAT(saved_connection_close_frame_.extracted_error_code,
+              IsError(QUIC_PEER_GOING_AWAY));
 }
 
 TEST_P(QuicConnectionTest, SelectMutualVersion) {
@@ -7426,7 +7196,7 @@ TEST_P(QuicConnectionTest, ConnectionCloseWhenWritable) {
   EXPECT_EQ(1u, writer_->packets_write_attempts());
 
   TriggerConnectionClose();
-  EXPECT_EQ(2u, writer_->packets_write_attempts());
+  EXPECT_LE(2u, writer_->packets_write_attempts());
 }
 
 TEST_P(QuicConnectionTest, ConnectionCloseGettingWriteBlocked) {
@@ -7450,10 +7220,10 @@ TEST_P(QuicConnectionTest, OnPacketSentDebugVisitor) {
   MockQuicConnectionDebugVisitor debug_visitor;
   connection_.set_debug_visitor(&debug_visitor);
 
-  EXPECT_CALL(debug_visitor, OnPacketSent(_, _, _, _)).Times(1);
+  EXPECT_CALL(debug_visitor, OnPacketSent(_, _, _)).Times(1);
   connection_.SendStreamDataWithString(1, "foo", 0, NO_FIN);
 
-  EXPECT_CALL(debug_visitor, OnPacketSent(_, _, _, _)).Times(1);
+  EXPECT_CALL(debug_visitor, OnPacketSent(_, _, _)).Times(1);
   connection_.SendConnectivityProbingPacket(writer_.get(),
                                             connection_.peer_address());
 }
@@ -7494,7 +7264,7 @@ TEST_P(QuicConnectionTest, WindowUpdateInstigateAcks) {
   // Send a WINDOW_UPDATE frame.
   QuicWindowUpdateFrame window_update;
   window_update.stream_id = 3;
-  window_update.byte_offset = 1234;
+  window_update.max_data = 1234;
   EXPECT_CALL(visitor_, OnWindowUpdateFrame(_));
   ProcessFramePacket(QuicFrame(&window_update));
 
@@ -7582,7 +7352,7 @@ TEST_P(QuicConnectionTest, SendPingImmediately) {
   CongestionBlockWrites();
   connection_.SetDefaultEncryptionLevel(ENCRYPTION_FORWARD_SECURE);
   EXPECT_CALL(*send_algorithm_, OnPacketSent(_, _, _, _, _)).Times(1);
-  EXPECT_CALL(debug_visitor, OnPacketSent(_, _, _, _)).Times(1);
+  EXPECT_CALL(debug_visitor, OnPacketSent(_, _, _)).Times(1);
   EXPECT_CALL(debug_visitor, OnPingSent()).Times(1);
   connection_.SendControlFrame(QuicFrame(QuicPingFrame(1)));
   EXPECT_FALSE(connection_.HasQueuedData());
@@ -7594,7 +7364,7 @@ TEST_P(QuicConnectionTest, SendBlockedImmediately) {
 
   connection_.SetDefaultEncryptionLevel(ENCRYPTION_FORWARD_SECURE);
   EXPECT_CALL(*send_algorithm_, OnPacketSent(_, _, _, _, _)).Times(1);
-  EXPECT_CALL(debug_visitor, OnPacketSent(_, _, _, _)).Times(1);
+  EXPECT_CALL(debug_visitor, OnPacketSent(_, _, _)).Times(1);
   EXPECT_EQ(0u, connection_.GetStats().blocked_frames_sent);
   connection_.SendControlFrame(QuicFrame(new QuicBlockedFrame(1, 3)));
   EXPECT_EQ(1u, connection_.GetStats().blocked_frames_sent);
@@ -7610,7 +7380,7 @@ TEST_P(QuicConnectionTest, FailedToSendBlockedFrames) {
   QuicBlockedFrame blocked(1, 3);
 
   EXPECT_CALL(*send_algorithm_, OnPacketSent(_, _, _, _, _)).Times(0);
-  EXPECT_CALL(debug_visitor, OnPacketSent(_, _, _, _)).Times(0);
+  EXPECT_CALL(debug_visitor, OnPacketSent(_, _, _)).Times(0);
   EXPECT_EQ(0u, connection_.GetStats().blocked_frames_sent);
   connection_.SendControlFrame(QuicFrame(&blocked));
   EXPECT_EQ(0u, connection_.GetStats().blocked_frames_sent);
@@ -7631,8 +7401,8 @@ TEST_P(QuicConnectionTest, SendingUnencryptedStreamDataFails) {
                   "Cannot send stream data with level: ENCRYPTION_INITIAL");
   EXPECT_FALSE(connection_.connected());
   EXPECT_EQ(1, connection_close_frame_count_);
-  EXPECT_EQ(QUIC_ATTEMPT_TO_SEND_UNENCRYPTED_STREAM_DATA,
-            saved_connection_close_frame_.quic_error_code);
+  EXPECT_THAT(saved_connection_close_frame_.quic_error_code,
+              IsError(QUIC_ATTEMPT_TO_SEND_UNENCRYPTED_STREAM_DATA));
 }
 
 TEST_P(QuicConnectionTest, SetRetransmissionAlarmForCryptoPacket) {
@@ -7668,8 +7438,8 @@ TEST_P(QuicConnectionTest, PathDegradingAlarmForCryptoPacket) {
   EXPECT_FALSE(connection_.IsPathDegrading());
   QuicTime::Delta delay = QuicConnectionPeer::GetSentPacketManager(&connection_)
                               ->GetPathDegradingDelay();
-  EXPECT_EQ(clock_.ApproximateNow() + delay,
-            connection_.GetPathDegradingAlarm()->deadline());
+  EXPECT_EQ(delay, connection_.GetPathDegradingAlarm()->deadline() -
+                       clock_.ApproximateNow());
 
   // Fire the path degrading alarm, path degrading signal should be sent to
   // the visitor.
@@ -7702,8 +7472,8 @@ TEST_P(QuicConnectionTest, PathDegradingAlarmForNonCryptoPackets) {
     QuicTime::Delta delay =
         QuicConnectionPeer::GetSentPacketManager(&connection_)
             ->GetPathDegradingDelay();
-    EXPECT_EQ(clock_.ApproximateNow() + delay,
-              connection_.GetPathDegradingAlarm()->deadline());
+    EXPECT_EQ(delay, connection_.GetPathDegradingAlarm()->deadline() -
+                         clock_.ApproximateNow());
 
     // Send a second packet. The path degrading alarm's deadline should remain
     // the same.
@@ -7731,8 +7501,8 @@ TEST_P(QuicConnectionTest, PathDegradingAlarmForNonCryptoPackets) {
     // Check the deadline of the path degrading alarm.
     delay = QuicConnectionPeer::GetSentPacketManager(&connection_)
                 ->GetPathDegradingDelay();
-    EXPECT_EQ(clock_.ApproximateNow() + delay,
-              connection_.GetPathDegradingAlarm()->deadline());
+    EXPECT_EQ(delay, connection_.GetPathDegradingAlarm()->deadline() -
+                         clock_.ApproximateNow());
 
     if (i == 0) {
       // Now receive an ACK of the second packet. Since there are no more
@@ -7758,7 +7528,7 @@ TEST_P(QuicConnectionTest, PathDegradingAlarmForNonCryptoPackets) {
 TEST_P(QuicConnectionTest, RetransmittableOnWireSetsPingAlarm) {
   const QuicTime::Delta retransmittable_on_wire_timeout =
       QuicTime::Delta::FromMilliseconds(50);
-  connection_.set_retransmittable_on_wire_timeout(
+  connection_.set_initial_retransmittable_on_wire_timeout(
       retransmittable_on_wire_timeout);
 
   EXPECT_TRUE(connection_.connected());
@@ -7782,15 +7552,15 @@ TEST_P(QuicConnectionTest, RetransmittableOnWireSetsPingAlarm) {
   EXPECT_TRUE(connection_.GetPathDegradingAlarm()->IsSet());
   QuicTime::Delta delay = QuicConnectionPeer::GetSentPacketManager(&connection_)
                               ->GetPathDegradingDelay();
-  EXPECT_EQ(clock_.ApproximateNow() + delay,
-            connection_.GetPathDegradingAlarm()->deadline());
+  EXPECT_EQ(delay, connection_.GetPathDegradingAlarm()->deadline() -
+                       clock_.ApproximateNow());
   ASSERT_TRUE(connection_.sent_packet_manager().HasInFlightPackets());
   // The ping alarm is set for the ping timeout, not the shorter
   // retransmittable_on_wire_timeout.
   EXPECT_TRUE(connection_.GetPingAlarm()->IsSet());
   QuicTime::Delta ping_delay = QuicTime::Delta::FromSeconds(kPingTimeoutSecs);
-  EXPECT_EQ((clock_.ApproximateNow() + ping_delay),
-            connection_.GetPingAlarm()->deadline());
+  EXPECT_EQ(ping_delay,
+            connection_.GetPingAlarm()->deadline() - clock_.ApproximateNow());
 
   // Now receive an ACK of the packet.
   clock_.AdvanceTime(QuicTime::Delta::FromMilliseconds(5));
@@ -7804,8 +7574,8 @@ TEST_P(QuicConnectionTest, RetransmittableOnWireSetsPingAlarm) {
   // retransmittable_on_wire_timeout.
   EXPECT_FALSE(connection_.GetPathDegradingAlarm()->IsSet());
   EXPECT_TRUE(connection_.GetPingAlarm()->IsSet());
-  EXPECT_EQ(clock_.ApproximateNow() + retransmittable_on_wire_timeout,
-            connection_.GetPingAlarm()->deadline());
+  EXPECT_EQ(retransmittable_on_wire_timeout,
+            connection_.GetPingAlarm()->deadline() - clock_.ApproximateNow());
 
   // Simulate firing the ping alarm and sending a PING.
   clock_.AdvanceTime(retransmittable_on_wire_timeout);
@@ -7819,8 +7589,8 @@ TEST_P(QuicConnectionTest, RetransmittableOnWireSetsPingAlarm) {
   EXPECT_TRUE(connection_.GetPathDegradingAlarm()->IsSet());
   delay = QuicConnectionPeer::GetSentPacketManager(&connection_)
               ->GetPathDegradingDelay();
-  EXPECT_EQ(clock_.ApproximateNow() + delay,
-            connection_.GetPathDegradingAlarm()->deadline());
+  EXPECT_EQ(delay, connection_.GetPathDegradingAlarm()->deadline() -
+                       clock_.ApproximateNow());
 }
 
 // This test verifies that the connection marks path as degrading and does not
@@ -7843,8 +7613,8 @@ TEST_P(QuicConnectionTest, NoPathDegradingAlarmIfPathIsDegrading) {
   // Check the deadline of the path degrading alarm.
   QuicTime::Delta delay = QuicConnectionPeer::GetSentPacketManager(&connection_)
                               ->GetPathDegradingDelay();
-  EXPECT_EQ(clock_.ApproximateNow() + delay,
-            connection_.GetPathDegradingAlarm()->deadline());
+  EXPECT_EQ(delay, connection_.GetPathDegradingAlarm()->deadline() -
+                       clock_.ApproximateNow());
 
   // Send a second packet. The path degrading alarm's deadline should remain
   // the same.
@@ -7867,8 +7637,8 @@ TEST_P(QuicConnectionTest, NoPathDegradingAlarmIfPathIsDegrading) {
   // Check the deadline of the path degrading alarm.
   delay = QuicConnectionPeer::GetSentPacketManager(&connection_)
               ->GetPathDegradingDelay();
-  EXPECT_EQ(clock_.ApproximateNow() + delay,
-            connection_.GetPathDegradingAlarm()->deadline());
+  EXPECT_EQ(delay, connection_.GetPathDegradingAlarm()->deadline() -
+                       clock_.ApproximateNow());
 
   // Advance time to the path degrading alarm's deadline and simulate
   // firing the path degrading alarm. This path will be considered as
@@ -7909,8 +7679,8 @@ TEST_P(QuicConnectionTest, UnmarkPathDegradingOnForwardProgress) {
   // Check the deadline of the path degrading alarm.
   QuicTime::Delta delay = QuicConnectionPeer::GetSentPacketManager(&connection_)
                               ->GetPathDegradingDelay();
-  EXPECT_EQ(clock_.ApproximateNow() + delay,
-            connection_.GetPathDegradingAlarm()->deadline());
+  EXPECT_EQ(delay, connection_.GetPathDegradingAlarm()->deadline() -
+                       clock_.ApproximateNow());
 
   // Send a second packet. The path degrading alarm's deadline should remain
   // the same.
@@ -7933,8 +7703,8 @@ TEST_P(QuicConnectionTest, UnmarkPathDegradingOnForwardProgress) {
   // Check the deadline of the path degrading alarm.
   delay = QuicConnectionPeer::GetSentPacketManager(&connection_)
               ->GetPathDegradingDelay();
-  EXPECT_EQ(clock_.ApproximateNow() + delay,
-            connection_.GetPathDegradingAlarm()->deadline());
+  EXPECT_EQ(delay, connection_.GetPathDegradingAlarm()->deadline() -
+                       clock_.ApproximateNow());
 
   // Advance time to the path degrading alarm's deadline and simulate
   // firing the alarm.
@@ -7981,7 +7751,6 @@ TEST_P(QuicConnectionTest, NoPathDegradingOnServer) {
 
   // Ack data.
   clock_.AdvanceTime(QuicTime::Delta::FromMilliseconds(5));
-  EXPECT_CALL(visitor_, OnSuccessfulVersionNegotiation(_));
   EXPECT_CALL(*send_algorithm_, OnCongestionEvent(true, _, _, _, _));
   QuicAckFrame frame =
       InitAckFrame({{QuicPacketNumber(1u), QuicPacketNumber(2u)}});
@@ -8016,8 +7785,6 @@ TEST_P(QuicConnectionTest, MultipleCallsToCloseConnection) {
 }
 
 TEST_P(QuicConnectionTest, ServerReceivesChloOnNonCryptoStream) {
-  EXPECT_CALL(visitor_, OnSuccessfulVersionNegotiation(_));
-
   set_perspective(Perspective::IS_SERVER);
   QuicPacketCreatorPeer::SetSendVersionInPacket(creator_, false);
 
@@ -8133,11 +7900,7 @@ TEST_P(QuicConnectionTest, NotBecomeApplicationLimitedDueToWriteBlock) {
   EXPECT_CALL(visitor_, WillingAndAbleToWrite()).WillRepeatedly(Return(true));
   BlockOnNextWrite();
 
-  if (GetQuicReloadableFlag(quic_treat_queued_packets_as_sent)) {
-    EXPECT_CALL(*send_algorithm_, OnPacketSent(_, _, _, _, _)).Times(1);
-  } else {
-    EXPECT_CALL(*send_algorithm_, OnPacketSent(_, _, _, _, _)).Times(0);
-  }
+  EXPECT_CALL(*send_algorithm_, OnPacketSent(_, _, _, _, _)).Times(1);
   connection_.SendStreamData3();
 
   // Now unblock the writer, become congestion control blocked,
@@ -8145,11 +7908,7 @@ TEST_P(QuicConnectionTest, NotBecomeApplicationLimitedDueToWriteBlock) {
   writer_->SetWritable();
   CongestionBlockWrites();
   EXPECT_CALL(visitor_, WillingAndAbleToWrite()).WillRepeatedly(Return(false));
-  if (GetQuicReloadableFlag(quic_treat_queued_packets_as_sent)) {
-    EXPECT_CALL(*send_algorithm_, OnPacketSent(_, _, _, _, _)).Times(0);
-  } else {
-    EXPECT_CALL(*send_algorithm_, OnPacketSent(_, _, _, _, _)).Times(1);
-  }
+  EXPECT_CALL(*send_algorithm_, OnPacketSent(_, _, _, _, _)).Times(0);
   EXPECT_CALL(*send_algorithm_, OnApplicationLimited(_)).Times(1);
   connection_.OnCanWrite();
 }
@@ -8203,7 +7962,7 @@ TEST_P(QuicConnectionTest, SendDataWhenApplicationLimited) {
   ProcessAckPacket(&ack);
 }
 
-TEST_P(QuicConnectionTest, DonotForceSendingAckOnPacketTooLarge) {
+TEST_P(QuicConnectionTest, DoNotForceSendingAckOnPacketTooLarge) {
   EXPECT_CALL(visitor_, OnSuccessfulVersionNegotiation(_));
   // Send an ack by simulating delayed ack alarm firing.
   ProcessPacket(1);
@@ -8214,13 +7973,74 @@ TEST_P(QuicConnectionTest, DonotForceSendingAckOnPacketTooLarge) {
   EXPECT_CALL(visitor_, OnConnectionClosed(_, _));
   SimulateNextPacketTooLarge();
   connection_.SendStreamDataWithString(3, "foo", 0, NO_FIN);
-  EXPECT_EQ(1u, writer_->frame_count());
-  EXPECT_FALSE(writer_->connection_close_frames().empty());
+  EXPECT_EQ(1u, writer_->connection_close_frames().size());
   // Ack frame is not bundled in connection close packet.
   EXPECT_TRUE(writer_->ack_frames().empty());
+  if (writer_->padding_frames().empty()) {
+    EXPECT_EQ(1u, writer_->frame_count());
+  } else {
+    EXPECT_EQ(2u, writer_->frame_count());
+  }
+
   TestConnectionCloseQuicErrorCode(QUIC_PACKET_WRITE_ERROR);
 }
 
+TEST_P(QuicConnectionTest, CloseConnectionAllLevels) {
+  SetQuicReloadableFlag(quic_close_all_encryptions_levels2, true);
+
+  EXPECT_CALL(visitor_, OnConnectionClosed(_, _));
+  const QuicErrorCode kQuicErrorCode = QUIC_INTERNAL_ERROR;
+  connection_.CloseConnection(
+      kQuicErrorCode, "Some random error message",
+      ConnectionCloseBehavior::SEND_CONNECTION_CLOSE_PACKET);
+
+  EXPECT_EQ(2u, QuicConnectionPeer::GetNumEncryptionLevels(&connection_));
+
+  TestConnectionCloseQuicErrorCode(kQuicErrorCode);
+  EXPECT_EQ(1u, writer_->connection_close_frames().size());
+
+  if (!connection_.version().CanSendCoalescedPackets()) {
+    // Each connection close packet should be sent in distinct UDP packets.
+    EXPECT_EQ(QuicConnectionPeer::GetNumEncryptionLevels(&connection_),
+              writer_->connection_close_packets());
+    EXPECT_EQ(QuicConnectionPeer::GetNumEncryptionLevels(&connection_),
+              writer_->packets_write_attempts());
+    return;
+  }
+
+  // A single UDP packet should be sent with multiple connection close packets
+  // coalesced together.
+  EXPECT_EQ(1u, writer_->packets_write_attempts());
+
+  // Only the first packet has been processed yet.
+  EXPECT_EQ(1u, writer_->connection_close_packets());
+
+  // ProcessPacket resets the visitor and frees the coalesced packet.
+  ASSERT_TRUE(writer_->coalesced_packet() != nullptr);
+  auto packet = writer_->coalesced_packet()->Clone();
+  writer_->framer()->ProcessPacket(*packet);
+  EXPECT_EQ(1u, writer_->connection_close_packets());
+  ASSERT_TRUE(writer_->coalesced_packet() == nullptr);
+}
+
+TEST_P(QuicConnectionTest, CloseConnectionOneLevel) {
+  SetQuicReloadableFlag(quic_close_all_encryptions_levels2, false);
+
+  EXPECT_CALL(visitor_, OnConnectionClosed(_, _));
+  const QuicErrorCode kQuicErrorCode = QUIC_INTERNAL_ERROR;
+  connection_.CloseConnection(
+      kQuicErrorCode, "Some random error message",
+      ConnectionCloseBehavior::SEND_CONNECTION_CLOSE_PACKET);
+
+  EXPECT_EQ(2u, QuicConnectionPeer::GetNumEncryptionLevels(&connection_));
+
+  TestConnectionCloseQuicErrorCode(kQuicErrorCode);
+  EXPECT_EQ(1u, writer_->connection_close_frames().size());
+  EXPECT_EQ(1u, writer_->connection_close_packets());
+  EXPECT_EQ(1u, writer_->packets_write_attempts());
+  ASSERT_TRUE(writer_->coalesced_packet() == nullptr);
+}
+
 // Regression test for b/63620844.
 TEST_P(QuicConnectionTest, FailedToWriteHandshakePacket) {
   SimulateNextPacketTooLarge();
@@ -8279,13 +8099,19 @@ TEST_P(QuicConnectionTest, SendProbingRetransmissions) {
   }
   // Expect them retransmitted in cyclic order (foo, bar, test, foo, bar...).
   QuicPacketCount sent_count = 0;
-  EXPECT_CALL(debug_visitor, OnPacketSent(_, _, _, _))
+  EXPECT_CALL(debug_visitor, OnPacketSent(_, _, _))
       .WillRepeatedly(Invoke([this, &sent_count](const SerializedPacket&,
-                                                 QuicPacketNumber,
                                                  TransmissionType, QuicTime) {
         ASSERT_EQ(1u, writer_->stream_frames().size());
-        // Identify the frames by stream offset (0, 3, 6, 0, 3...).
-        EXPECT_EQ(3 * (sent_count % 3), writer_->stream_frames()[0]->offset);
+        if (connection_.version().CanSendCoalescedPackets()) {
+          // There is a delay of sending coalesced packet, so (6, 0, 3, 6,
+          // 0...).
+          EXPECT_EQ(3 * ((sent_count + 2) % 3),
+                    writer_->stream_frames()[0]->offset);
+        } else {
+          // Identify the frames by stream offset (0, 3, 6, 0, 3...).
+          EXPECT_EQ(3 * (sent_count % 3), writer_->stream_frames()[0]->offset);
+        }
         sent_count++;
       }));
   EXPECT_CALL(*send_algorithm_, ShouldSendProbingPacket())
@@ -8311,7 +8137,7 @@ TEST_P(QuicConnectionTest,
 
   MockQuicConnectionDebugVisitor debug_visitor;
   connection_.set_debug_visitor(&debug_visitor);
-  EXPECT_CALL(debug_visitor, OnPacketSent(_, _, _, _)).Times(0);
+  EXPECT_CALL(debug_visitor, OnPacketSent(_, _, _)).Times(0);
   EXPECT_CALL(*send_algorithm_, ShouldSendProbingPacket())
       .WillRepeatedly(Return(true));
   EXPECT_CALL(visitor_, SendProbingData()).WillRepeatedly([this] {
@@ -8325,7 +8151,7 @@ TEST_P(QuicConnectionTest,
 TEST_P(QuicConnectionTest, PingAfterLastRetransmittablePacketAcked) {
   const QuicTime::Delta retransmittable_on_wire_timeout =
       QuicTime::Delta::FromMilliseconds(50);
-  connection_.set_retransmittable_on_wire_timeout(
+  connection_.set_initial_retransmittable_on_wire_timeout(
       retransmittable_on_wire_timeout);
 
   EXPECT_TRUE(connection_.connected());
@@ -8346,8 +8172,8 @@ TEST_P(QuicConnectionTest, PingAfterLastRetransmittablePacketAcked) {
   // retransmittable_on_wire_timeout.
   EXPECT_TRUE(connection_.GetPingAlarm()->IsSet());
   QuicTime::Delta ping_delay = QuicTime::Delta::FromSeconds(kPingTimeoutSecs);
-  EXPECT_EQ((clock_.ApproximateNow() + ping_delay),
-            connection_.GetPingAlarm()->deadline());
+  EXPECT_EQ(ping_delay,
+            connection_.GetPingAlarm()->deadline() - clock_.ApproximateNow());
 
   // Advance 5ms, send a second retransmittable packet to the peer.
   clock_.AdvanceTime(QuicTime::Delta::FromMilliseconds(5));
@@ -8370,9 +8196,8 @@ TEST_P(QuicConnectionTest, PingAfterLastRetransmittablePacketAcked) {
   EXPECT_TRUE(connection_.GetPingAlarm()->IsSet());
   // The ping alarm has a 1 second granularity, and the clock has been advanced
   // 10ms since it was originally set.
-  EXPECT_EQ((clock_.ApproximateNow() + ping_delay -
-             QuicTime::Delta::FromMilliseconds(10)),
-            connection_.GetPingAlarm()->deadline());
+  EXPECT_EQ(ping_delay - QuicTime::Delta::FromMilliseconds(10),
+            connection_.GetPingAlarm()->deadline() - clock_.ApproximateNow());
 
   // Now receive an ACK of the second packet. This should set the
   // retransmittable-on-wire alarm now that no retransmittable packets are on
@@ -8382,8 +8207,8 @@ TEST_P(QuicConnectionTest, PingAfterLastRetransmittablePacketAcked) {
   frame = InitAckFrame({{QuicPacketNumber(2), QuicPacketNumber(3)}});
   ProcessAckPacket(&frame);
   EXPECT_TRUE(connection_.GetPingAlarm()->IsSet());
-  EXPECT_EQ(clock_.ApproximateNow() + retransmittable_on_wire_timeout,
-            connection_.GetPingAlarm()->deadline());
+  EXPECT_EQ(retransmittable_on_wire_timeout,
+            connection_.GetPingAlarm()->deadline() - clock_.ApproximateNow());
 
   // Now receive a duplicate ACK of the second packet. This should not update
   // the ping alarm.
@@ -8418,7 +8243,7 @@ TEST_P(QuicConnectionTest, PingAfterLastRetransmittablePacketAcked) {
 TEST_P(QuicConnectionTest, NoPingIfRetransmittablePacketSent) {
   const QuicTime::Delta retransmittable_on_wire_timeout =
       QuicTime::Delta::FromMilliseconds(50);
-  connection_.set_retransmittable_on_wire_timeout(
+  connection_.set_initial_retransmittable_on_wire_timeout(
       retransmittable_on_wire_timeout);
 
   EXPECT_TRUE(connection_.connected());
@@ -8439,8 +8264,8 @@ TEST_P(QuicConnectionTest, NoPingIfRetransmittablePacketSent) {
   // retransmittable_on_wire_timeout.
   EXPECT_TRUE(connection_.GetPingAlarm()->IsSet());
   QuicTime::Delta ping_delay = QuicTime::Delta::FromSeconds(kPingTimeoutSecs);
-  EXPECT_EQ((clock_.ApproximateNow() + ping_delay),
-            connection_.GetPingAlarm()->deadline());
+  EXPECT_EQ(ping_delay,
+            connection_.GetPingAlarm()->deadline() - clock_.ApproximateNow());
 
   // Now receive an ACK of the first packet. This should set the
   // retransmittable-on-wire alarm now that no retransmittable packets are on
@@ -8452,8 +8277,8 @@ TEST_P(QuicConnectionTest, NoPingIfRetransmittablePacketSent) {
       InitAckFrame({{QuicPacketNumber(1), QuicPacketNumber(2)}});
   ProcessAckPacket(&frame);
   EXPECT_TRUE(connection_.GetPingAlarm()->IsSet());
-  EXPECT_EQ(clock_.ApproximateNow() + retransmittable_on_wire_timeout,
-            connection_.GetPingAlarm()->deadline());
+  EXPECT_EQ(retransmittable_on_wire_timeout,
+            connection_.GetPingAlarm()->deadline() - clock_.ApproximateNow());
 
   // Before the alarm fires, send another retransmittable packet. This should
   // cancel the retransmittable-on-wire alarm since now there's a
@@ -8470,8 +8295,8 @@ TEST_P(QuicConnectionTest, NoPingIfRetransmittablePacketSent) {
   frame = InitAckFrame({{QuicPacketNumber(2), QuicPacketNumber(3)}});
   ProcessAckPacket(&frame);
   EXPECT_TRUE(connection_.GetPingAlarm()->IsSet());
-  EXPECT_EQ(clock_.ApproximateNow() + retransmittable_on_wire_timeout,
-            connection_.GetPingAlarm()->deadline());
+  EXPECT_EQ(retransmittable_on_wire_timeout,
+            connection_.GetPingAlarm()->deadline() - clock_.ApproximateNow());
 
   // Simulate the alarm firing and check that a PING is sent.
   writer_->Reset();
@@ -8481,18 +8306,233 @@ TEST_P(QuicConnectionTest, NoPingIfRetransmittablePacketSent) {
   connection_.GetPingAlarm()->Fire();
   size_t padding_frame_count = writer_->padding_frames().size();
   if (GetParam().no_stop_waiting) {
-    if (GetQuicReloadableFlag(quic_simplify_stop_waiting)) {
-      // Do not ACK acks.
-      EXPECT_EQ(padding_frame_count + 1u, writer_->frame_count());
-    } else {
-      EXPECT_EQ(padding_frame_count + 2u, writer_->frame_count());
-    }
+    // Do not ACK acks.
+    EXPECT_EQ(padding_frame_count + 1u, writer_->frame_count());
   } else {
     EXPECT_EQ(padding_frame_count + 3u, writer_->frame_count());
   }
   ASSERT_EQ(1u, writer_->ping_frames().size());
 }
 
+// When there is no stream data received but are open streams, send the
+// first few consecutive pings with aggressive retransmittable-on-wire
+// timeout. Exponentially back off the retransmittable-on-wire ping timeout
+// afterwards until it exceeds the default ping timeout.
+TEST_P(QuicConnectionTest, BackOffRetransmittableOnWireTimeout) {
+  int max_aggressive_retransmittable_on_wire_ping_count = 5;
+  SetQuicFlag(FLAGS_quic_max_aggressive_retransmittable_on_wire_ping_count,
+              max_aggressive_retransmittable_on_wire_ping_count);
+  const QuicTime::Delta initial_retransmittable_on_wire_timeout =
+      QuicTime::Delta::FromMilliseconds(200);
+  connection_.set_initial_retransmittable_on_wire_timeout(
+      initial_retransmittable_on_wire_timeout);
+
+  EXPECT_TRUE(connection_.connected());
+  EXPECT_CALL(visitor_, ShouldKeepConnectionAlive())
+      .WillRepeatedly(Return(true));
+
+  const char data[] = "data";
+  // Advance 5ms, send a retransmittable data packet to the peer.
+  clock_.AdvanceTime(QuicTime::Delta::FromMilliseconds(5));
+  EXPECT_FALSE(connection_.GetPingAlarm()->IsSet());
+  connection_.SendStreamDataWithString(1, data, 0, NO_FIN);
+  EXPECT_TRUE(connection_.sent_packet_manager().HasInFlightPackets());
+  // The ping alarm is set for the ping timeout, not the shorter
+  // retransmittable_on_wire_timeout.
+  EXPECT_TRUE(connection_.GetPingAlarm()->IsSet());
+  EXPECT_EQ(connection_.ping_timeout(),
+            connection_.GetPingAlarm()->deadline() - clock_.ApproximateNow());
+
+  EXPECT_CALL(visitor_, OnSuccessfulVersionNegotiation(_)).Times(AnyNumber());
+  EXPECT_CALL(*send_algorithm_, OnCongestionEvent(true, _, _, _, _))
+      .Times(AnyNumber());
+
+  // Verify that the first few consecutive retransmittable on wire pings are
+  // sent with aggressive timeout.
+  for (int i = 0; i <= max_aggressive_retransmittable_on_wire_ping_count; i++) {
+    // Receive an ACK of the previous packet. This should set the ping alarm
+    // with the initial retransmittable-on-wire timeout.
+    clock_.AdvanceTime(QuicTime::Delta::FromMilliseconds(5));
+    QuicPacketNumber ack_num = creator_->packet_number();
+    QuicAckFrame frame = InitAckFrame(
+        {{QuicPacketNumber(ack_num), QuicPacketNumber(ack_num + 1)}});
+    ProcessAckPacket(&frame);
+    EXPECT_TRUE(connection_.GetPingAlarm()->IsSet());
+    EXPECT_EQ(initial_retransmittable_on_wire_timeout,
+              connection_.GetPingAlarm()->deadline() - clock_.ApproximateNow());
+    // Simulate the alarm firing and check that a PING is sent.
+    writer_->Reset();
+    EXPECT_CALL(visitor_, SendPing()).WillOnce(Invoke([this]() {
+      SendPing();
+    }));
+    clock_.AdvanceTime(initial_retransmittable_on_wire_timeout);
+    connection_.GetPingAlarm()->Fire();
+  }
+
+  QuicTime::Delta retransmittable_on_wire_timeout =
+      initial_retransmittable_on_wire_timeout;
+
+  // Verify subsequent pings are sent with timeout that is exponentially backed
+  // off.
+  while (retransmittable_on_wire_timeout * 2 < connection_.ping_timeout()) {
+    // Receive an ACK for the previous PING. This should set the
+    // ping alarm with backed off retransmittable-on-wire timeout.
+    retransmittable_on_wire_timeout = retransmittable_on_wire_timeout * 2;
+    clock_.AdvanceTime(QuicTime::Delta::FromMilliseconds(5));
+    QuicPacketNumber ack_num = creator_->packet_number();
+    QuicAckFrame frame = InitAckFrame(
+        {{QuicPacketNumber(ack_num), QuicPacketNumber(ack_num + 1)}});
+    ProcessAckPacket(&frame);
+    EXPECT_TRUE(connection_.GetPingAlarm()->IsSet());
+    EXPECT_EQ(retransmittable_on_wire_timeout,
+              connection_.GetPingAlarm()->deadline() - clock_.ApproximateNow());
+
+    // Simulate the alarm firing and check that a PING is sent.
+    writer_->Reset();
+    EXPECT_CALL(visitor_, SendPing()).WillOnce(Invoke([this]() {
+      SendPing();
+    }));
+    clock_.AdvanceTime(retransmittable_on_wire_timeout);
+    connection_.GetPingAlarm()->Fire();
+  }
+
+  // The ping alarm is set with default ping timeout.
+  EXPECT_TRUE(connection_.GetPingAlarm()->IsSet());
+  EXPECT_EQ(connection_.ping_timeout(),
+            connection_.GetPingAlarm()->deadline() - clock_.ApproximateNow());
+
+  // Receive an ACK for the previous PING. The ping alarm is set with an
+  // earlier deadline.
+  clock_.AdvanceTime(QuicTime::Delta::FromMilliseconds(5));
+  QuicPacketNumber ack_num = creator_->packet_number();
+  QuicAckFrame frame = InitAckFrame(
+      {{QuicPacketNumber(ack_num), QuicPacketNumber(ack_num + 1)}});
+  ProcessAckPacket(&frame);
+  EXPECT_TRUE(connection_.GetPingAlarm()->IsSet());
+  EXPECT_EQ(connection_.ping_timeout() - QuicTime::Delta::FromMilliseconds(5),
+            connection_.GetPingAlarm()->deadline() - clock_.ApproximateNow());
+}
+
+// This test verify that the count of consecutive aggressive pings is reset
+// when new data is received. And it also verifies the connection resets
+// the exponential back-off of the retransmittable-on-wire ping timeout
+// after receiving new stream data.
+TEST_P(QuicConnectionTest, ResetBackOffRetransmitableOnWireTimeout) {
+  int max_aggressive_retransmittable_on_wire_ping_count = 3;
+  SetQuicFlag(FLAGS_quic_max_aggressive_retransmittable_on_wire_ping_count, 3);
+  const QuicTime::Delta initial_retransmittable_on_wire_timeout =
+      QuicTime::Delta::FromMilliseconds(200);
+  connection_.set_initial_retransmittable_on_wire_timeout(
+      initial_retransmittable_on_wire_timeout);
+
+  EXPECT_TRUE(connection_.connected());
+  EXPECT_CALL(visitor_, ShouldKeepConnectionAlive())
+      .WillRepeatedly(Return(true));
+  EXPECT_CALL(visitor_, OnSuccessfulVersionNegotiation(_)).Times(AnyNumber());
+  EXPECT_CALL(*send_algorithm_, OnCongestionEvent(true, _, _, _, _))
+      .Times(AnyNumber());
+
+  const char data[] = "data";
+  // Advance 5ms, send a retransmittable data packet to the peer.
+  clock_.AdvanceTime(QuicTime::Delta::FromMilliseconds(5));
+  EXPECT_FALSE(connection_.GetPingAlarm()->IsSet());
+  connection_.SendStreamDataWithString(1, data, 0, NO_FIN);
+  EXPECT_TRUE(connection_.sent_packet_manager().HasInFlightPackets());
+  // The ping alarm is set for the ping timeout, not the shorter
+  // retransmittable_on_wire_timeout.
+  EXPECT_TRUE(connection_.GetPingAlarm()->IsSet());
+  EXPECT_EQ(connection_.ping_timeout(),
+            connection_.GetPingAlarm()->deadline() - clock_.ApproximateNow());
+
+  // Receive an ACK of the first packet. This should set the ping alarm with
+  // initial retransmittable-on-wire timeout since there is no retransmittable
+  // packet on the wire.
+  clock_.AdvanceTime(QuicTime::Delta::FromMilliseconds(5));
+  QuicAckFrame frame =
+      InitAckFrame({{QuicPacketNumber(1), QuicPacketNumber(2)}});
+  ProcessAckPacket(&frame);
+  EXPECT_TRUE(connection_.GetPingAlarm()->IsSet());
+  EXPECT_EQ(initial_retransmittable_on_wire_timeout,
+            connection_.GetPingAlarm()->deadline() - clock_.ApproximateNow());
+
+  // Simulate the alarm firing and check that a PING is sent.
+  writer_->Reset();
+  EXPECT_CALL(visitor_, SendPing()).WillOnce(Invoke([this]() { SendPing(); }));
+  clock_.AdvanceTime(initial_retransmittable_on_wire_timeout);
+  connection_.GetPingAlarm()->Fire();
+
+  // Receive an ACK for the previous PING. Ping alarm will be set with
+  // aggressive timeout.
+  clock_.AdvanceTime(QuicTime::Delta::FromMilliseconds(5));
+  QuicPacketNumber ack_num = creator_->packet_number();
+  frame = InitAckFrame(
+      {{QuicPacketNumber(ack_num), QuicPacketNumber(ack_num + 1)}});
+  ProcessAckPacket(&frame);
+  EXPECT_TRUE(connection_.GetPingAlarm()->IsSet());
+  EXPECT_EQ(initial_retransmittable_on_wire_timeout,
+            connection_.GetPingAlarm()->deadline() - clock_.ApproximateNow());
+
+  // Process a data packet.
+  EXPECT_CALL(visitor_, OnStreamFrame(_)).Times(1);
+  ProcessDataPacket(peer_creator_.packet_number() + 1);
+  QuicPacketCreatorPeer::SetPacketNumber(&peer_creator_,
+                                         peer_creator_.packet_number() + 1);
+  EXPECT_EQ(initial_retransmittable_on_wire_timeout,
+            connection_.GetPingAlarm()->deadline() - clock_.ApproximateNow());
+
+  // Verify the count of consecutive aggressive pings is reset.
+  for (int i = 0; i < max_aggressive_retransmittable_on_wire_ping_count; i++) {
+    // Receive an ACK of the previous packet. This should set the ping alarm
+    // with the initial retransmittable-on-wire timeout.
+    QuicPacketNumber ack_num = creator_->packet_number();
+    QuicAckFrame frame = InitAckFrame(
+        {{QuicPacketNumber(ack_num), QuicPacketNumber(ack_num + 1)}});
+    ProcessAckPacket(&frame);
+    EXPECT_TRUE(connection_.GetPingAlarm()->IsSet());
+    EXPECT_EQ(initial_retransmittable_on_wire_timeout,
+              connection_.GetPingAlarm()->deadline() - clock_.ApproximateNow());
+    // Simulate the alarm firing and check that a PING is sent.
+    writer_->Reset();
+    EXPECT_CALL(visitor_, SendPing()).WillOnce(Invoke([this]() {
+      SendPing();
+    }));
+    clock_.AdvanceTime(initial_retransmittable_on_wire_timeout);
+    connection_.GetPingAlarm()->Fire();
+    // Advance 5ms to receive next packet.
+    clock_.AdvanceTime(QuicTime::Delta::FromMilliseconds(5));
+  }
+
+  // Receive another ACK for the previous PING. This should set the
+  // ping alarm with backed off retransmittable-on-wire timeout.
+  ack_num = creator_->packet_number();
+  frame = InitAckFrame(
+      {{QuicPacketNumber(ack_num), QuicPacketNumber(ack_num + 1)}});
+  ProcessAckPacket(&frame);
+  EXPECT_TRUE(connection_.GetPingAlarm()->IsSet());
+  EXPECT_EQ(initial_retransmittable_on_wire_timeout * 2,
+            connection_.GetPingAlarm()->deadline() - clock_.ApproximateNow());
+
+  writer_->Reset();
+  EXPECT_CALL(visitor_, SendPing()).WillOnce(Invoke([this]() { SendPing(); }));
+  clock_.AdvanceTime(2 * initial_retransmittable_on_wire_timeout);
+  connection_.GetPingAlarm()->Fire();
+
+  // Process another data packet and a new ACK packet. The ping alarm is set
+  // with aggressive ping timeout again.
+  EXPECT_CALL(visitor_, OnStreamFrame(_)).Times(1);
+  clock_.AdvanceTime(QuicTime::Delta::FromMilliseconds(5));
+  ProcessDataPacket(peer_creator_.packet_number() + 1);
+  QuicPacketCreatorPeer::SetPacketNumber(&peer_creator_,
+                                         peer_creator_.packet_number() + 1);
+  ack_num = creator_->packet_number();
+  frame = InitAckFrame(
+      {{QuicPacketNumber(ack_num), QuicPacketNumber(ack_num + 1)}});
+  ProcessAckPacket(&frame);
+  EXPECT_TRUE(connection_.GetPingAlarm()->IsSet());
+  EXPECT_EQ(initial_retransmittable_on_wire_timeout,
+            connection_.GetPingAlarm()->deadline() - clock_.ApproximateNow());
+}
+
 TEST_P(QuicConnectionTest, OnForwardProgressConfirmed) {
   EXPECT_CALL(visitor_, OnForwardProgressConfirmed()).Times(Exactly(0));
   EXPECT_TRUE(connection_.connected());
@@ -8552,32 +8592,15 @@ TEST_P(QuicConnectionTest, ValidStatelessResetToken) {
 
 TEST_P(QuicConnectionTest, WriteBlockedWithInvalidAck) {
   EXPECT_CALL(visitor_, OnSuccessfulVersionNegotiation(_));
-  if (GetQuicReloadableFlag(quic_treat_queued_packets_as_sent)) {
-    EXPECT_CALL(visitor_, OnConnectionClosed(_, _)).Times(0);
-  } else {
-    EXPECT_CALL(visitor_, OnConnectionClosed(_, _))
-        .WillOnce(Invoke(this, &QuicConnectionTest::SaveConnectionCloseFrame));
-  }
+  EXPECT_CALL(visitor_, OnConnectionClosed(_, _)).Times(0);
   BlockOnNextWrite();
-  if (GetQuicReloadableFlag(quic_treat_queued_packets_as_sent)) {
-    EXPECT_CALL(*send_algorithm_, OnPacketSent(_, _, _, _, _)).Times(1);
-  } else {
-    EXPECT_CALL(*send_algorithm_, OnPacketSent(_, _, _, _, _)).Times(0);
-  }
+  EXPECT_CALL(*send_algorithm_, OnPacketSent(_, _, _, _, _)).Times(1);
   connection_.SendStreamDataWithString(5, "foo", 0, FIN);
   // This causes connection to be closed because packet 1 has not been sent yet.
   QuicAckFrame frame = InitAckFrame(1);
-  if (GetQuicReloadableFlag(quic_treat_queued_packets_as_sent)) {
-    EXPECT_CALL(*send_algorithm_, OnCongestionEvent(_, _, _, _, _));
-  }
+  EXPECT_CALL(*send_algorithm_, OnCongestionEvent(_, _, _, _, _));
   ProcessAckPacket(1, &frame);
-  if (GetQuicReloadableFlag(quic_treat_queued_packets_as_sent)) {
-    EXPECT_EQ(0, connection_close_frame_count_);
-  } else {
-    EXPECT_EQ(1, connection_close_frame_count_);
-    EXPECT_EQ(QUIC_INVALID_ACK_DATA,
-              saved_connection_close_frame_.quic_error_code);
-  }
+  EXPECT_EQ(0, connection_close_frame_count_);
 }
 
 TEST_P(QuicConnectionTest, SendMessage) {
@@ -8594,33 +8617,36 @@ TEST_P(QuicConnectionTest, SendMessage) {
     // get sent, one contains stream frame, and the other only contains the
     // message frame.
     EXPECT_CALL(*send_algorithm_, OnPacketSent(_, _, _, _, _)).Times(2);
-    EXPECT_EQ(
-        MESSAGE_STATUS_SUCCESS,
-        connection_.SendMessage(
-            1, MakeSpan(connection_.helper()->GetStreamSendBufferAllocator(),
-                        QuicStringPiece(
-                            message_data.data(),
-                            connection_.GetCurrentLargestMessagePayload()),
-                        &storage)));
+    EXPECT_EQ(MESSAGE_STATUS_SUCCESS,
+              connection_.SendMessage(
+                  1,
+                  MakeSpan(connection_.helper()->GetStreamSendBufferAllocator(),
+                           QuicStringPiece(
+                               message_data.data(),
+                               connection_.GetCurrentLargestMessagePayload()),
+                           &storage),
+                  false));
   }
   // Fail to send a message if connection is congestion control blocked.
   EXPECT_CALL(*send_algorithm_, CanSend(_)).WillOnce(Return(false));
-  EXPECT_EQ(
-      MESSAGE_STATUS_BLOCKED,
-      connection_.SendMessage(
-          2, MakeSpan(connection_.helper()->GetStreamSendBufferAllocator(),
-                      "message", &storage)));
+  EXPECT_EQ(MESSAGE_STATUS_BLOCKED,
+            connection_.SendMessage(
+                2,
+                MakeSpan(connection_.helper()->GetStreamSendBufferAllocator(),
+                         "message", &storage),
+                false));
 
   // Always fail to send a message which cannot fit into one packet.
   EXPECT_CALL(*send_algorithm_, OnPacketSent(_, _, _, _, _)).Times(0);
-  EXPECT_EQ(
-      MESSAGE_STATUS_TOO_LARGE,
-      connection_.SendMessage(
-          3, MakeSpan(connection_.helper()->GetStreamSendBufferAllocator(),
-                      QuicStringPiece(
-                          message_data.data(),
-                          connection_.GetCurrentLargestMessagePayload() + 1),
-                      &storage)));
+  EXPECT_EQ(MESSAGE_STATUS_TOO_LARGE,
+            connection_.SendMessage(
+                3,
+                MakeSpan(connection_.helper()->GetStreamSendBufferAllocator(),
+                         QuicStringPiece(
+                             message_data.data(),
+                             connection_.GetCurrentLargestMessagePayload() + 1),
+                         &storage),
+                false));
 }
 
 // Test to check that the path challenge/path response logic works
@@ -8743,7 +8769,6 @@ TEST_P(QuicConnectionTest, StopProcessingGQuicPacketInIetfQuicConnection) {
         0u, QuicStringPiece()));
     EXPECT_CALL(visitor_, OnStreamFrame(_)).Times(1);
   }
-  EXPECT_CALL(visitor_, OnSuccessfulVersionNegotiation(_));
   ProcessFramePacketWithAddresses(frame, kSelfAddress, kPeerAddress);
 
   // Let connection process a Google QUIC packet.
@@ -8832,6 +8857,8 @@ TEST_P(QuicConnectionTest, PeerAcksPacketsInWrongPacketNumberSpace) {
   use_tagging_decrypter();
   connection_.SetEncrypter(ENCRYPTION_INITIAL,
                            std::make_unique<TaggingEncrypter>(0x01));
+  connection_.SetEncrypter(ENCRYPTION_FORWARD_SECURE,
+                           std::make_unique<TaggingEncrypter>(0x01));
 
   connection_.SendCryptoStreamData();
   EXPECT_CALL(visitor_, OnSuccessfulVersionNegotiation(_));
@@ -8853,7 +8880,7 @@ TEST_P(QuicConnectionTest, PeerAcksPacketsInWrongPacketNumberSpace) {
       InitAckFrame({{QuicPacketNumber(2), QuicPacketNumber(4)}});
   EXPECT_CALL(visitor_,
               OnConnectionClosed(_, ConnectionCloseSource::FROM_SELF));
-  EXPECT_CALL(*send_algorithm_, OnPacketSent(_, _, _, _, _)).Times(1);
+  EXPECT_CALL(*send_algorithm_, OnPacketSent(_, _, _, _, _)).Times(AtLeast(1));
   ProcessFramePacketAtLevel(300, QuicFrame(&invalid_ack), ENCRYPTION_INITIAL);
   TestConnectionCloseQuicErrorCode(QUIC_INVALID_ACK_DATA);
 }
@@ -9014,7 +9041,6 @@ TEST_P(QuicConnectionTest, UpdateClientConnectionIdFromFirstPacket) {
   if (!framer_.version().SupportsClientConnectionIds()) {
     return;
   }
-  EXPECT_CALL(visitor_, OnSuccessfulVersionNegotiation(_));
   set_perspective(Perspective::IS_SERVER);
   QuicPacketHeader header = ConstructPacketHeader(1, ENCRYPTION_INITIAL);
   header.source_connection_id = TestConnectionId(0x33);
@@ -9185,10 +9211,6 @@ TEST_P(QuicConnectionTest, CoalescedPacketThatSavesFrames) {
 
 // Regresstion test for b/138962304.
 TEST_P(QuicConnectionTest, RtoAndWriteBlocked) {
-  if (!QuicConnectionPeer::GetSentPacketManager(&connection_)
-           ->fix_rto_retransmission()) {
-    return;
-  }
   EXPECT_FALSE(connection_.GetRetransmissionAlarm()->IsSet());
 
   QuicStreamId stream_id = 2;
@@ -9215,10 +9237,6 @@ TEST_P(QuicConnectionTest, RtoAndWriteBlocked) {
 
 // Regresstion test for b/138962304.
 TEST_P(QuicConnectionTest, TlpAndWriteBlocked) {
-  if (!QuicConnectionPeer::GetSentPacketManager(&connection_)
-           ->fix_rto_retransmission()) {
-    return;
-  }
   EXPECT_FALSE(connection_.GetRetransmissionAlarm()->IsSet());
   connection_.SetMaxTailLossProbes(1);
 
@@ -9236,11 +9254,7 @@ TEST_P(QuicConnectionTest, TlpAndWriteBlocked) {
   EXPECT_CALL(visitor_, OnWriteBlocked()).Times(AtLeast(1));
   SendRstStream(stream_id, QUIC_ERROR_PROCESSING_STREAM, 3);
 
-  if (GetQuicReloadableFlag(quic_treat_queued_packets_as_sent)) {
-    EXPECT_CALL(*send_algorithm_, OnPacketSent(_, _, _, _, _)).Times(1);
-  } else {
-    EXPECT_CALL(*send_algorithm_, OnPacketSent(_, _, _, _, _)).Times(0);
-  }
+  EXPECT_CALL(*send_algorithm_, OnPacketSent(_, _, _, _, _)).Times(1);
   // Retransmission timer fires in TLP mode.
   connection_.GetRetransmissionAlarm()->Fire();
   // Verify one packets is forced flushed when writer is blocked.
@@ -9249,9 +9263,7 @@ TEST_P(QuicConnectionTest, TlpAndWriteBlocked) {
 
 // Regresstion test for b/139375344.
 TEST_P(QuicConnectionTest, RtoForcesSendingPing) {
-  if (!QuicConnectionPeer::GetSentPacketManager(&connection_)
-           ->fix_rto_retransmission() ||
-      connection_.PtoEnabled()) {
+  if (connection_.PtoEnabled()) {
     return;
   }
   EXPECT_CALL(visitor_, OnSuccessfulVersionNegotiation(_));
@@ -9289,12 +9301,7 @@ TEST_P(QuicConnectionTest, RtoForcesSendingPing) {
 }
 
 TEST_P(QuicConnectionTest, ProbeTimeout) {
-  if (!connection_.session_decides_what_to_write() ||
-      !GetQuicReloadableFlag(quic_fix_rto_retransmission3)) {
-    return;
-  }
   SetQuicReloadableFlag(quic_enable_pto, true);
-  SetQuicReloadableFlag(quic_fix_rto_retransmission3, true);
   QuicConfig config;
   QuicTagVector connection_options;
   connection_options.push_back(k2PTO);
@@ -9322,10 +9329,6 @@ TEST_P(QuicConnectionTest, ProbeTimeout) {
 }
 
 TEST_P(QuicConnectionTest, CloseConnectionAfter6ClientPTOs) {
-  if (!connection_.session_decides_what_to_write() ||
-      !GetQuicReloadableFlag(quic_fix_rto_retransmission3)) {
-    return;
-  }
   SetQuicReloadableFlag(quic_enable_pto, true);
   QuicConfig config;
   QuicTagVector connection_options;
@@ -9342,7 +9345,7 @@ TEST_P(QuicConnectionTest, CloseConnectionAfter6ClientPTOs) {
       0, FIN, nullptr);
 
   // 5PTO + 1 connection close.
-  EXPECT_CALL(*send_algorithm_, OnPacketSent(_, _, _, _, _)).Times(6);
+  EXPECT_CALL(*send_algorithm_, OnPacketSent(_, _, _, _, _)).Times(AtLeast(6));
 
   // Fire the retransmission alarm 5 times.
   for (int i = 0; i < 5; ++i) {
@@ -9364,10 +9367,6 @@ TEST_P(QuicConnectionTest, CloseConnectionAfter6ClientPTOs) {
 }
 
 TEST_P(QuicConnectionTest, CloseConnectionAfter7ClientPTOs) {
-  if (!connection_.session_decides_what_to_write() ||
-      !GetQuicReloadableFlag(quic_fix_rto_retransmission3)) {
-    return;
-  }
   SetQuicReloadableFlag(quic_enable_pto, true);
   QuicConfig config;
   QuicTagVector connection_options;
@@ -9397,7 +9396,7 @@ TEST_P(QuicConnectionTest, CloseConnectionAfter7ClientPTOs) {
   // Closes connection on 7th PTO.
   EXPECT_CALL(visitor_,
               OnConnectionClosed(_, ConnectionCloseSource::FROM_SELF));
-  EXPECT_CALL(*send_algorithm_, OnPacketSent(_, _, _, _, _));
+  EXPECT_CALL(*send_algorithm_, OnPacketSent(_, _, _, _, _)).Times(AtLeast(1));
   connection_.GetRetransmissionAlarm()->Fire();
   EXPECT_FALSE(connection_.GetTimeoutAlarm()->IsSet());
   EXPECT_FALSE(connection_.connected());
@@ -9405,10 +9404,6 @@ TEST_P(QuicConnectionTest, CloseConnectionAfter7ClientPTOs) {
 }
 
 TEST_P(QuicConnectionTest, CloseConnectionAfter8ClientPTOs) {
-  if (!connection_.session_decides_what_to_write() ||
-      !GetQuicReloadableFlag(quic_fix_rto_retransmission3)) {
-    return;
-  }
   SetQuicReloadableFlag(quic_enable_pto, true);
   QuicConfig config;
   QuicTagVector connection_options;
@@ -9438,7 +9433,7 @@ TEST_P(QuicConnectionTest, CloseConnectionAfter8ClientPTOs) {
   // Closes connection on 8th PTO.
   EXPECT_CALL(visitor_,
               OnConnectionClosed(_, ConnectionCloseSource::FROM_SELF));
-  EXPECT_CALL(*send_algorithm_, OnPacketSent(_, _, _, _, _));
+  EXPECT_CALL(*send_algorithm_, OnPacketSent(_, _, _, _, _)).Times(AtLeast(1));
   connection_.GetRetransmissionAlarm()->Fire();
   EXPECT_FALSE(connection_.GetTimeoutAlarm()->IsSet());
   EXPECT_FALSE(connection_.connected());
@@ -9482,7 +9477,6 @@ TEST_P(QuicConnectionTest, AntiAmplificationLimit) {
   if (!connection_.version().SupportsAntiAmplificationLimit()) {
     return;
   }
-  EXPECT_CALL(visitor_, OnSuccessfulVersionNegotiation(_));
   EXPECT_CALL(visitor_, OnCryptoFrame(_)).Times(AnyNumber());
 
   set_perspective(Perspective::IS_SERVER);
@@ -9558,9 +9552,7 @@ TEST_P(QuicConnectionTest, ConnectionCloseFrameType) {
 
 // Regression test for b/137401387 and b/138962304.
 TEST_P(QuicConnectionTest, RtoPacketAsTwo) {
-  if (!QuicConnectionPeer::GetSentPacketManager(&connection_)
-           ->fix_rto_retransmission() ||
-      connection_.PtoEnabled()) {
+  if (connection_.PtoEnabled()) {
     return;
   }
   connection_.SetMaxTailLossProbes(1);
@@ -9603,10 +9595,6 @@ TEST_P(QuicConnectionTest, RtoPacketAsTwo) {
 }
 
 TEST_P(QuicConnectionTest, PtoSkipsPacketNumber) {
-  if (!connection_.session_decides_what_to_write() ||
-      !GetQuicReloadableFlag(quic_fix_rto_retransmission3)) {
-    return;
-  }
   SetQuicReloadableFlag(quic_enable_pto, true);
   SetQuicReloadableFlag(quic_skip_packet_number_for_pto, true);
   QuicConfig config;
@@ -9633,6 +9621,44 @@ TEST_P(QuicConnectionTest, PtoSkipsPacketNumber) {
   EXPECT_TRUE(connection_.GetRetransmissionAlarm()->IsSet());
 }
 
+TEST_P(QuicConnectionTest, SendCoalescedPackets) {
+  if (!connection_.version().CanSendCoalescedPackets()) {
+    return;
+  }
+  {
+    QuicConnection::ScopedPacketFlusher flusher(&connection_);
+    use_tagging_decrypter();
+    connection_.SetEncrypter(ENCRYPTION_INITIAL,
+                             std::make_unique<TaggingEncrypter>(0x01));
+    connection_.SetDefaultEncryptionLevel(ENCRYPTION_INITIAL);
+    connection_.SendCryptoDataWithString("foo", 0);
+    // Verify this packet is on hold.
+    EXPECT_EQ(0u, writer_->packets_write_attempts());
+
+    connection_.SetEncrypter(ENCRYPTION_HANDSHAKE,
+                             std::make_unique<TaggingEncrypter>(0x02));
+    connection_.SetDefaultEncryptionLevel(ENCRYPTION_HANDSHAKE);
+    connection_.SendCryptoDataWithString("bar", 3);
+    EXPECT_EQ(0u, writer_->packets_write_attempts());
+
+    connection_.SetEncrypter(ENCRYPTION_FORWARD_SECURE,
+                             std::make_unique<TaggingEncrypter>(0x03));
+    connection_.SetDefaultEncryptionLevel(ENCRYPTION_FORWARD_SECURE);
+    SendStreamDataToPeer(2, "baz", 3, NO_FIN, nullptr);
+  }
+  // Verify all 3 packets are coalesced in the same UDP datagram.
+  EXPECT_EQ(1u, writer_->packets_write_attempts());
+  EXPECT_EQ(0x03030303u, writer_->final_bytes_of_last_packet());
+  // Verify the packet is padded to full.
+  EXPECT_EQ(connection_.max_packet_length(), writer_->last_packet_size());
+
+  // Verify packet process.
+  EXPECT_EQ(1u, writer_->crypto_frames().size());
+  EXPECT_EQ(0u, writer_->stream_frames().size());
+  // Verify there is coalesced packet.
+  EXPECT_NE(nullptr, writer_->coalesced_packet());
+}
+
 }  // namespace
 }  // namespace test
 }  // namespace quic
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_constants.h b/chromium/net/third_party/quiche/src/quic/core/quic_constants.h
index 3dc462ccb87..3264c1532ff 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_constants.h
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_constants.h
@@ -47,6 +47,9 @@ const QuicByteCount kMaxIncomingPacketSize = kMaxV4PacketSize;
 const QuicByteCount kMaxOutgoingPacketSize = kMaxV6PacketSize;
 // ETH_MAX_MTU - MAX(sizeof(iphdr), sizeof(ip6_hdr)) - sizeof(udphdr).
 const QuicByteCount kMaxGsoPacketSize = 65535 - 40 - 8;
+// The maximal IETF DATAGRAM frame size we'll accept. Choosing 2^16 ensures
+// that it is greater than the biggest frame we could ever fit in a QUIC packet.
+const QuicByteCount kMaxAcceptedDatagramFrameSize = 65536;
 // Default maximum packet size used in the Linux TCP implementation.
 // Used in QUIC for congestion window computations in bytes.
 const QuicByteCount kDefaultTCPMSS = 1460;
@@ -245,6 +248,15 @@ const int kInitialRttMs = 100;
 // packet is lost due to early retransmission by time based loss detection.
 static const int kDefaultLossDelayShift = 2;
 
+// Maximum number of retransmittable packets received before sending an ack.
+const QuicPacketCount kDefaultRetransmittablePacketsBeforeAck = 2;
+// Wait for up to 10 retransmittable packets before sending an ack.
+const QuicPacketCount kMaxRetransmittablePacketsBeforeAck = 10;
+// Minimum number of packets received before ack decimation is enabled.
+// This intends to avoid the beginning of slow start, when CWNDs may be
+// rapidly increasing.
+const QuicPacketCount kMinReceivedBeforeAckDecimation = 100;
+
 // Packet number of first sending packet of a connection. Please note, this
 // cannot be used as first received packet because peer can choose its starting
 // packet number.
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_control_frame_manager.cc b/chromium/net/third_party/quiche/src/quic/core/quic_control_frame_manager.cc
index 11efae85892..3eed5e8d7ca 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_control_frame_manager.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_control_frame_manager.cc
@@ -26,14 +26,7 @@ QuicControlFrameManager::QuicControlFrameManager(QuicSession* session)
     : last_control_frame_id_(kInvalidControlFrameId),
       least_unacked_(1),
       least_unsent_(1),
-      session_(session),
-      add_upper_limit_(GetQuicReloadableFlag(
-          quic_add_upper_limit_of_buffered_control_frames3)) {
-  if (add_upper_limit_) {
-    QUIC_RELOADABLE_FLAG_COUNT(
-        quic_add_upper_limit_of_buffered_control_frames3);
-  }
-}
+      session_(session) {}
 
 QuicControlFrameManager::~QuicControlFrameManager() {
   while (!control_frames_.empty()) {
@@ -45,7 +38,7 @@ QuicControlFrameManager::~QuicControlFrameManager() {
 void QuicControlFrameManager::WriteOrBufferQuicFrame(QuicFrame frame) {
   const bool had_buffered_frames = HasBufferedFrames();
   control_frames_.emplace_back(frame);
-  if (add_upper_limit_ && control_frames_.size() > kMaxNumControlFrames) {
+  if (control_frames_.size() > kMaxNumControlFrames) {
     session_->connection()->CloseConnection(
         QUIC_TOO_MANY_BUFFERED_CONTROL_FRAMES,
         QuicStrCat("More than ", kMaxNumControlFrames,
@@ -125,7 +118,7 @@ void QuicControlFrameManager::WritePing() {
   }
   control_frames_.emplace_back(
       QuicFrame(QuicPingFrame(++last_control_frame_id_)));
-  if (add_upper_limit_ && control_frames_.size() > kMaxNumControlFrames) {
+  if (control_frames_.size() > kMaxNumControlFrames) {
     session_->connection()->CloseConnection(
         QUIC_TOO_MANY_BUFFERED_CONTROL_FRAMES,
         QuicStrCat("More than ", kMaxNumControlFrames,
@@ -281,9 +274,7 @@ bool QuicControlFrameManager::RetransmitControlFrame(const QuicFrame& frame) {
 
 void QuicControlFrameManager::WriteBufferedFrames() {
   while (HasBufferedFrames()) {
-    if (session_->session_decides_what_to_write()) {
-      session_->SetTransmissionType(NOT_RETRANSMISSION);
-    }
+    session_->SetTransmissionType(NOT_RETRANSMISSION);
     QuicFrame frame_to_send =
         control_frames_.at(least_unsent_ - least_unacked_);
     QuicFrame copy = CopyRetransmittableControlFrame(frame_to_send);
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_control_frame_manager.h b/chromium/net/third_party/quiche/src/quic/core/quic_control_frame_manager.h
index 735b73c07b2..a4c26780d40 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_control_frame_manager.h
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_control_frame_manager.h
@@ -146,9 +146,6 @@ class QUIC_EXPORT_PRIVATE QuicControlFrameManager {
 
   // Last sent window update frame for each stream.
   QuicSmallMap<QuicStreamId, QuicControlFrameId, 10> window_update_frames_;
-
-  // Latched value of quic_add_upper_limit_of_buffered_control_frames3.
-  const bool add_upper_limit_;
 };
 
 }  // namespace quic
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_control_frame_manager_test.cc b/chromium/net/third_party/quiche/src/quic/core/quic_control_frame_manager_test.cc
index d1723a1828c..e76e09ffb9a 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_control_frame_manager_test.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_control_frame_manager_test.cc
@@ -291,7 +291,6 @@ TEST_F(QuicControlFrameManagerTest, RetransmitWindowUpdateOfDifferentStreams) {
 }
 
 TEST_F(QuicControlFrameManagerTest, TooManyBufferedControlFrames) {
-  SetQuicReloadableFlag(quic_add_upper_limit_of_buffered_control_frames3, true);
   Initialize();
   EXPECT_CALL(*connection_, SendControlFrame(_))
       .Times(5)
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_crypto_client_handshaker.cc b/chromium/net/third_party/quiche/src/quic/core/quic_crypto_client_handshaker.cc
index 1f63042d6ee..eaeabfec08f 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_crypto_client_handshaker.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_crypto_client_handshaker.cc
@@ -56,6 +56,7 @@ QuicCryptoClientHandshaker::QuicCryptoClientHandshaker(
     : QuicCryptoHandshaker(stream, session),
       stream_(stream),
       session_(session),
+      delegate_(session),
       next_state_(STATE_IDLE),
       num_client_hellos_(0),
       crypto_config_(crypto_config),
@@ -116,6 +117,13 @@ int QuicCryptoClientHandshaker::num_sent_client_hellos() const {
   return num_client_hellos_;
 }
 
+bool QuicCryptoClientHandshaker::IsResumption() const {
+  QUIC_BUG_IF(!handshake_confirmed_);
+  // While 0-RTT handshakes could be considered to be like resumption, QUIC
+  // Crypto doesn't have the same notion of a resumption like TLS does.
+  return false;
+}
+
 int QuicCryptoClientHandshaker::num_scup_messages_received() const {
   return num_scup_messages_received_;
 }
@@ -310,6 +318,17 @@ void QuicCryptoClientHandshaker::DoSendCHLO(
       crypto_config_->pad_full_hello());
   SendHandshakeMessage(out);
   // Be prepared to decrypt with the new server write key.
+  if (session()->use_handshake_delegate()) {
+    delegate_->OnNewKeysAvailable(
+        ENCRYPTION_ZERO_RTT,
+        std::move(crypto_negotiated_params_->initial_crypters.decrypter),
+        /*set_alternative_decrypter=*/true,
+        /*latch_once_used=*/true,
+        std::move(crypto_negotiated_params_->initial_crypters.encrypter));
+    encryption_established_ = true;
+    delegate_->SetDefaultEncryptionLevel(ENCRYPTION_ZERO_RTT);
+    return;
+  }
   if (session()->connection()->version().KnowsWhichDecrypterToUse()) {
     session()->connection()->InstallDecrypter(
         ENCRYPTION_ZERO_RTT,
@@ -369,7 +388,11 @@ void QuicCryptoClientHandshaker::DoReceiveREJ(
 
   // Receipt of a REJ message means that the server received the CHLO
   // so we can cancel and retransmissions.
-  session()->NeuterUnencryptedData();
+  if (session()->use_handshake_delegate()) {
+    delegate_->NeuterUnencryptedData();
+  } else {
+    session()->NeuterUnencryptedData();
+  }
 
   std::string error_details;
   QuicErrorCode error = crypto_config_->ProcessRejection(
@@ -529,6 +552,18 @@ void QuicCryptoClientHandshaker::DoReceiveSHLO(
   // has been floated that the server shouldn't send packets encrypted
   // with the FORWARD_SECURE key until it receives a FORWARD_SECURE
   // packet from the client.
+  if (session()->use_handshake_delegate()) {
+    delegate_->OnNewKeysAvailable(
+        ENCRYPTION_FORWARD_SECURE, std::move(crypters->decrypter),
+        /*set_alternative_decrypter=*/true,
+        /*latch_once_used=*/false, std::move(crypters->encrypter));
+    handshake_confirmed_ = true;
+    delegate_->SetDefaultEncryptionLevel(ENCRYPTION_FORWARD_SECURE);
+    delegate_->DiscardOldEncryptionKey(ENCRYPTION_INITIAL);
+    delegate_->NeuterHandshakeData();
+    return;
+  }
+
   if (session()->connection()->version().KnowsWhichDecrypterToUse()) {
     session()->connection()->InstallDecrypter(ENCRYPTION_FORWARD_SECURE,
                                               std::move(crypters->decrypter));
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_crypto_client_handshaker.h b/chromium/net/third_party/quiche/src/quic/core/quic_crypto_client_handshaker.h
index d33ebfe32fe..467e5c87208 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_crypto_client_handshaker.h
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_crypto_client_handshaker.h
@@ -37,6 +37,7 @@ class QUIC_EXPORT_PRIVATE QuicCryptoClientHandshaker
   // From QuicCryptoClientStream::HandshakerDelegate
   bool CryptoConnect() override;
   int num_sent_client_hellos() const override;
+  bool IsResumption() const override;
   int num_scup_messages_received() const override;
   std::string chlo_hash() const override;
   bool encryption_established() const override;
@@ -60,7 +61,8 @@ class QUIC_EXPORT_PRIVATE QuicCryptoClientHandshaker
   // ProofVerifierCallbackImpl is passed as the callback method to VerifyProof.
   // The ProofVerifier calls this class with the result of proof verification
   // when verification is performed asynchronously.
-  class ProofVerifierCallbackImpl : public ProofVerifierCallback {
+  class QUIC_EXPORT_PRIVATE ProofVerifierCallbackImpl
+      : public ProofVerifierCallback {
    public:
     explicit ProofVerifierCallbackImpl(QuicCryptoClientHandshaker* parent);
     ~ProofVerifierCallbackImpl() override;
@@ -130,6 +132,7 @@ class QUIC_EXPORT_PRIVATE QuicCryptoClientHandshaker
   QuicCryptoClientStream* stream_;
 
   QuicSession* session_;
+  HandshakerDelegateInterface* delegate_;
 
   State next_state_;
   // num_client_hellos_ contains the number of client hello messages that this
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_crypto_client_stream.cc b/chromium/net/third_party/quiche/src/quic/core/quic_crypto_client_stream.cc
index 12b538f7cab..b30cd3a5112 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_crypto_client_stream.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_crypto_client_stream.cc
@@ -43,9 +43,8 @@ QuicCryptoClientStream::QuicCryptoClientStream(
       break;
     case PROTOCOL_TLS1_3:
       handshaker_ = std::make_unique<TlsClientHandshaker>(
-          this, session, server_id, crypto_config->proof_verifier(),
-          crypto_config->ssl_ctx(), std::move(verify_context), proof_handler,
-          crypto_config->user_agent_id());
+          server_id, this, session, std::move(verify_context), crypto_config,
+          proof_handler);
       break;
     case PROTOCOL_UNSUPPORTED:
       QUIC_BUG << "Attempting to create QuicCryptoClientStream for unknown "
@@ -63,6 +62,10 @@ int QuicCryptoClientStream::num_sent_client_hellos() const {
   return handshaker_->num_sent_client_hellos();
 }
 
+bool QuicCryptoClientStream::IsResumption() const {
+  return handshaker_->IsResumption();
+}
+
 int QuicCryptoClientStream::num_scup_messages_received() const {
   return handshaker_->num_scup_messages_received();
 }
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_crypto_client_stream.h b/chromium/net/third_party/quiche/src/quic/core/quic_crypto_client_stream.h
index 89f0d2e28b7..3f9b0af7747 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_crypto_client_stream.h
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_crypto_client_stream.h
@@ -35,6 +35,13 @@ class QUIC_EXPORT_PRIVATE QuicCryptoClientStreamBase : public QuicCryptoStream {
   // than the number of round-trips needed for the handshake.
   virtual int num_sent_client_hellos() const = 0;
 
+  // Returns true if the handshake performed was a resumption instead of a full
+  // handshake. Resumption only makes sense for TLS handshakes - there is no
+  // concept of resumption for QUIC crypto even though it supports a 0-RTT
+  // handshake. This function only returns valid results once the handshake is
+  // complete.
+  virtual bool IsResumption() const = 0;
+
   // The number of server config update messages received by the
   // client.  Does not count update messages that were received prior
   // to handshake confirmation.
@@ -79,6 +86,13 @@ class QUIC_EXPORT_PRIVATE QuicCryptoClientStream
     // than the number of round-trips needed for the handshake.
     virtual int num_sent_client_hellos() const = 0;
 
+    // Returns true if the handshake performed was a resumption instead of a
+    // full handshake. Resumption only makes sense for TLS handshakes - there is
+    // no concept of resumption for QUIC crypto even though it supports a 0-RTT
+    // handshake. This function only returns valid results once the handshake is
+    // complete.
+    virtual bool IsResumption() const = 0;
+
     // The number of server config update messages received by the
     // client.  Does not count update messages that were received prior
     // to handshake confirmation.
@@ -137,6 +151,7 @@ class QUIC_EXPORT_PRIVATE QuicCryptoClientStream
   // From QuicCryptoClientStreamBase
   bool CryptoConnect() override;
   int num_sent_client_hellos() const override;
+  bool IsResumption() const override;
 
   int num_scup_messages_received() const override;
 
@@ -146,6 +161,7 @@ class QUIC_EXPORT_PRIVATE QuicCryptoClientStream
   const QuicCryptoNegotiatedParameters& crypto_negotiated_params()
       const override;
   CryptoMessageParser* crypto_message_parser() override;
+  void OnPacketDecrypted(EncryptionLevel /*level*/) override {}
   size_t BufferSizeLimitForLevel(EncryptionLevel level) const override;
 
   std::string chlo_hash() const;
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_crypto_client_stream_test.cc b/chromium/net/third_party/quiche/src/quic/core/quic_crypto_client_stream_test.cc
index 8e1ef25ea01..827cb03e3a3 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_crypto_client_stream_test.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_crypto_client_stream_test.cc
@@ -22,6 +22,7 @@
 #include "net/third_party/quiche/src/quic/test_tools/quic_stream_sequencer_peer.h"
 #include "net/third_party/quiche/src/quic/test_tools/quic_test_utils.h"
 #include "net/third_party/quiche/src/quic/test_tools/simple_quic_framer.h"
+#include "net/third_party/quiche/src/quic/test_tools/simple_session_cache.h"
 
 using testing::_;
 
@@ -37,7 +38,10 @@ class QuicCryptoClientStreamTest : public QuicTest {
   QuicCryptoClientStreamTest()
       : supported_versions_(AllSupportedVersions()),
         server_id_(kServerHostname, kServerPort, false),
-        crypto_config_(crypto_test_utils::ProofVerifierForTesting()) {
+        crypto_config_(crypto_test_utils::ProofVerifierForTesting(),
+                       std::make_unique<test::SimpleSessionCache>()),
+        server_crypto_config_(
+            crypto_test_utils::CryptoServerConfigForTesting()) {
     CreateConnection();
   }
 
@@ -56,17 +60,30 @@ class QuicCryptoClientStreamTest : public QuicTest {
             {AlpnForVersion(connection_->version())})));
   }
 
+  void UseTlsHandshake() {
+    SetQuicReloadableFlag(quic_supports_tls_handshake, true);
+    supported_versions_.clear();
+    for (ParsedQuicVersion version : AllSupportedVersions()) {
+      if (version.handshake_protocol != PROTOCOL_TLS1_3) {
+        continue;
+      }
+      supported_versions_.push_back(version);
+    }
+  }
+
   void CompleteCryptoHandshake() {
+    int proof_verify_details_calls = 1;
     if (stream()->handshake_protocol() != PROTOCOL_TLS1_3) {
       EXPECT_CALL(*session_, OnProofValid(testing::_));
+      proof_verify_details_calls = 0;
     }
     EXPECT_CALL(*session_, OnProofVerifyDetailsAvailable(testing::_))
-        .Times(testing::AnyNumber());
+        .Times(testing::AtLeast(proof_verify_details_calls));
     stream()->CryptoConnect();
     QuicConfig config;
     crypto_test_utils::HandshakeWithFakeServer(
-        &config, &server_helper_, &alarm_factory_, connection_, stream(),
-        AlpnForVersion(connection_->version()));
+        &config, server_crypto_config_.get(), &server_helper_, &alarm_factory_,
+        connection_, stream(), AlpnForVersion(connection_->version()));
   }
 
   QuicCryptoClientStream* stream() {
@@ -82,6 +99,7 @@ class QuicCryptoClientStreamTest : public QuicTest {
   QuicServerId server_id_;
   CryptoHandshakeMessage message_;
   QuicCryptoClientConfig crypto_config_;
+  std::unique_ptr<QuicCryptoServerConfig> server_crypto_config_;
 };
 
 TEST_F(QuicCryptoClientStreamTest, NotInitiallyConected) {
@@ -93,45 +111,57 @@ TEST_F(QuicCryptoClientStreamTest, ConnectedAfterSHLO) {
   CompleteCryptoHandshake();
   EXPECT_TRUE(stream()->encryption_established());
   EXPECT_TRUE(stream()->handshake_confirmed());
+  EXPECT_FALSE(stream()->IsResumption());
 }
 
 TEST_F(QuicCryptoClientStreamTest, ConnectedAfterTlsHandshake) {
-  SetQuicReloadableFlag(quic_supports_tls_handshake, true);
-  supported_versions_.clear();
-  for (ParsedQuicVersion version : AllSupportedVersions()) {
-    if (version.handshake_protocol != PROTOCOL_TLS1_3) {
-      continue;
-    }
-    supported_versions_.push_back(version);
-  }
+  UseTlsHandshake();
   CreateConnection();
   CompleteCryptoHandshake();
   EXPECT_EQ(PROTOCOL_TLS1_3, stream()->handshake_protocol());
   EXPECT_TRUE(stream()->encryption_established());
   EXPECT_TRUE(stream()->handshake_confirmed());
+  EXPECT_FALSE(stream()->IsResumption());
 }
 
 TEST_F(QuicCryptoClientStreamTest,
        ProofVerifyDetailsAvailableAfterTlsHandshake) {
-  SetQuicReloadableFlag(quic_supports_tls_handshake, true);
-  supported_versions_.clear();
-  for (ParsedQuicVersion version : AllSupportedVersions()) {
-    if (version.handshake_protocol != PROTOCOL_TLS1_3) {
-      continue;
-    }
-    supported_versions_.push_back(version);
-  }
+  UseTlsHandshake();
   CreateConnection();
 
   EXPECT_CALL(*session_, OnProofVerifyDetailsAvailable(testing::_));
   stream()->CryptoConnect();
   QuicConfig config;
   crypto_test_utils::HandshakeWithFakeServer(
-      &config, &server_helper_, &alarm_factory_, connection_, stream(),
-      AlpnForVersion(connection_->version()));
+      &config, server_crypto_config_.get(), &server_helper_, &alarm_factory_,
+      connection_, stream(), AlpnForVersion(connection_->version()));
+  EXPECT_EQ(PROTOCOL_TLS1_3, stream()->handshake_protocol());
+  EXPECT_TRUE(stream()->encryption_established());
+  EXPECT_TRUE(stream()->handshake_confirmed());
+}
+
+TEST_F(QuicCryptoClientStreamTest, TlsResumption) {
+  UseTlsHandshake();
+  // Enable resumption on the server:
+  SSL_CTX_clear_options(server_crypto_config_->ssl_ctx(), SSL_OP_NO_TICKET);
+  CreateConnection();
+
+  // Finish establishing the first connection:
+  CompleteCryptoHandshake();
+
+  EXPECT_EQ(PROTOCOL_TLS1_3, stream()->handshake_protocol());
+  EXPECT_TRUE(stream()->encryption_established());
+  EXPECT_TRUE(stream()->handshake_confirmed());
+  EXPECT_FALSE(stream()->IsResumption());
+
+  // Create a second connection
+  CreateConnection();
+  CompleteCryptoHandshake();
+
   EXPECT_EQ(PROTOCOL_TLS1_3, stream()->handshake_protocol());
   EXPECT_TRUE(stream()->encryption_established());
   EXPECT_TRUE(stream()->handshake_confirmed());
+  EXPECT_TRUE(stream()->IsResumption());
 }
 
 TEST_F(QuicCryptoClientStreamTest, MessageAfterHandshake) {
@@ -359,14 +389,14 @@ TEST_F(QuicCryptoClientStreamTest, PreferredVersion) {
   // Verify preferred version is the highest version that session supports, and
   // is different from connection's version.
   QuicVersionLabel client_version_label;
-  EXPECT_EQ(QUIC_NO_ERROR,
-            session_->sent_crypto_handshake_messages()[0].GetVersionLabel(
-                kVER, &client_version_label));
+  EXPECT_THAT(session_->sent_crypto_handshake_messages()[0].GetVersionLabel(
+                  kVER, &client_version_label),
+              IsQuicNoError());
   EXPECT_EQ(CreateQuicVersionLabel(supported_versions_[0]),
             client_version_label);
-  EXPECT_EQ(QUIC_NO_ERROR,
-            session_->sent_crypto_handshake_messages()[1].GetVersionLabel(
-                kVER, &client_version_label));
+  EXPECT_THAT(session_->sent_crypto_handshake_messages()[1].GetVersionLabel(
+                  kVER, &client_version_label),
+              IsQuicNoError());
   EXPECT_EQ(CreateQuicVersionLabel(supported_versions_[0]),
             client_version_label);
   EXPECT_NE(CreateQuicVersionLabel(connection_->version()),
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_crypto_server_handshaker.cc b/chromium/net/third_party/quiche/src/quic/core/quic_crypto_server_handshaker.cc
index 964c8ac5a46..755e35eb400 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_crypto_server_handshaker.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_crypto_server_handshaker.cc
@@ -54,6 +54,7 @@ QuicCryptoServerHandshaker::QuicCryptoServerHandshaker(
     : QuicCryptoHandshaker(stream, session),
       stream_(stream),
       session_(session),
+      delegate_(session),
       crypto_config_(crypto_config),
       compressed_certs_cache_(compressed_certs_cache),
       signed_config_(new QuicSignedServerConfig),
@@ -197,27 +198,52 @@ void QuicCryptoServerHandshaker::
   // write key.
   //
   // NOTE: the SHLO will be encrypted with the new server write key.
-  session()->connection()->SetEncrypter(
-      ENCRYPTION_ZERO_RTT,
-      std::move(crypto_negotiated_params_->initial_crypters.encrypter));
-  session()->connection()->SetDefaultEncryptionLevel(ENCRYPTION_ZERO_RTT);
-  // Set the decrypter immediately so that we no longer accept unencrypted
-  // packets.
-  if (session()->connection()->version().KnowsWhichDecrypterToUse()) {
-    session()->connection()->InstallDecrypter(
+  if (session()->use_handshake_delegate()) {
+    delegate_->OnNewKeysAvailable(
         ENCRYPTION_ZERO_RTT,
-        std::move(crypto_negotiated_params_->initial_crypters.decrypter));
-    session()->connection()->RemoveDecrypter(ENCRYPTION_INITIAL);
+        std::move(crypto_negotiated_params_->initial_crypters.decrypter),
+        /*set_alternative_decrypter=*/false,
+        /*latch_once_used=*/false,
+        std::move(crypto_negotiated_params_->initial_crypters.encrypter));
+    delegate_->SetDefaultEncryptionLevel(ENCRYPTION_ZERO_RTT);
+    delegate_->DiscardOldDecryptionKey(ENCRYPTION_INITIAL);
   } else {
-    session()->connection()->SetDecrypter(
+    session()->connection()->SetEncrypter(
         ENCRYPTION_ZERO_RTT,
-        std::move(crypto_negotiated_params_->initial_crypters.decrypter));
+        std::move(crypto_negotiated_params_->initial_crypters.encrypter));
+    session()->connection()->SetDefaultEncryptionLevel(ENCRYPTION_ZERO_RTT);
+    // Set the decrypter immediately so that we no longer accept unencrypted
+    // packets.
+    if (session()->connection()->version().KnowsWhichDecrypterToUse()) {
+      session()->connection()->InstallDecrypter(
+          ENCRYPTION_ZERO_RTT,
+          std::move(crypto_negotiated_params_->initial_crypters.decrypter));
+      session()->connection()->RemoveDecrypter(ENCRYPTION_INITIAL);
+    } else {
+      session()->connection()->SetDecrypter(
+          ENCRYPTION_ZERO_RTT,
+          std::move(crypto_negotiated_params_->initial_crypters.decrypter));
+    }
   }
   session()->connection()->SetDiversificationNonce(*diversification_nonce);
 
   session()->connection()->set_fully_pad_crypto_handshake_packets(
       crypto_config_->pad_shlo());
   SendHandshakeMessage(*reply);
+  if (session()->use_handshake_delegate()) {
+    delegate_->OnNewKeysAvailable(
+        ENCRYPTION_FORWARD_SECURE,
+        std::move(crypto_negotiated_params_->forward_secure_crypters.decrypter),
+        /*set_alternative_decrypter=*/true,
+        /*latch_once_used=*/false,
+        std::move(
+            crypto_negotiated_params_->forward_secure_crypters.encrypter));
+    encryption_established_ = true;
+    handshake_confirmed_ = true;
+    delegate_->SetDefaultEncryptionLevel(ENCRYPTION_FORWARD_SECURE);
+    delegate_->DiscardOldEncryptionKey(ENCRYPTION_INITIAL);
+    return;
+  }
 
   session()->connection()->SetEncrypter(
       ENCRYPTION_FORWARD_SECURE,
@@ -336,6 +362,12 @@ void QuicCryptoServerHandshaker::SetPreviousCachedNetworkParams(
       new CachedNetworkParameters(cached_network_params));
 }
 
+void QuicCryptoServerHandshaker::OnPacketDecrypted(EncryptionLevel level) {
+  if (level == ENCRYPTION_FORWARD_SECURE) {
+    delegate_->NeuterHandshakeData();
+  }
+}
+
 bool QuicCryptoServerHandshaker::ShouldSendExpectCTHeader() const {
   return signed_config_->proof.send_expect_ct_header;
 }
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_crypto_server_handshaker.h b/chromium/net/third_party/quiche/src/quic/core/quic_crypto_server_handshaker.h
index b24e9e95e90..4e1a1b895fd 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_crypto_server_handshaker.h
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_crypto_server_handshaker.h
@@ -50,6 +50,7 @@ class QUIC_EXPORT_PRIVATE QuicCryptoServerHandshaker
   bool ZeroRttAttempted() const override;
   void SetPreviousCachedNetworkParams(
       CachedNetworkParameters cached_network_params) override;
+  void OnPacketDecrypted(EncryptionLevel level) override;
   bool ShouldSendExpectCTHeader() const override;
 
   // From QuicCryptoStream
@@ -91,7 +92,8 @@ class QUIC_EXPORT_PRIVATE QuicCryptoServerHandshaker
  private:
   friend class test::QuicCryptoServerStreamPeer;
 
-  class ValidateCallback : public ValidateClientHelloResultCallback {
+  class QUIC_EXPORT_PRIVATE ValidateCallback
+      : public ValidateClientHelloResultCallback {
    public:
     explicit ValidateCallback(QuicCryptoServerHandshaker* parent);
     ValidateCallback(const ValidateCallback&) = delete;
@@ -161,6 +163,7 @@ class QUIC_EXPORT_PRIVATE QuicCryptoServerHandshaker
   QuicCryptoServerStream* stream_;
 
   QuicSession* session_;
+  HandshakerDelegateInterface* delegate_;
 
   // crypto_config_ contains crypto parameters for the handshake.
   const QuicCryptoServerConfig* crypto_config_;
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_crypto_server_stream.cc b/chromium/net/third_party/quiche/src/quic/core/quic_crypto_server_stream.cc
index 170e53baf01..bbc3b09d5c9 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_crypto_server_stream.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_crypto_server_stream.cc
@@ -111,6 +111,10 @@ CryptoMessageParser* QuicCryptoServerStream::crypto_message_parser() {
   return handshaker()->crypto_message_parser();
 }
 
+void QuicCryptoServerStream::OnPacketDecrypted(EncryptionLevel level) {
+  handshaker()->OnPacketDecrypted(level);
+}
+
 size_t QuicCryptoServerStream::BufferSizeLimitForLevel(
     EncryptionLevel level) const {
   return handshaker()->BufferSizeLimitForLevel(level);
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_crypto_server_stream.h b/chromium/net/third_party/quiche/src/quic/core/quic_crypto_server_stream.h
index 3a7d6e74b1a..d80c495e413 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_crypto_server_stream.h
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_crypto_server_stream.h
@@ -98,6 +98,7 @@ class QUIC_EXPORT_PRIVATE QuicCryptoServerStream
     virtual bool ZeroRttAttempted() const = 0;
     virtual void SetPreviousCachedNetworkParams(
         CachedNetworkParameters cached_network_params) = 0;
+    virtual void OnPacketDecrypted(EncryptionLevel level) = 0;
 
     // NOTE: Indicating that the Expect-CT header should be sent here presents a
     // layering violation to some extent. The Expect-CT header only applies to
@@ -125,7 +126,7 @@ class QUIC_EXPORT_PRIVATE QuicCryptoServerStream
     virtual size_t BufferSizeLimitForLevel(EncryptionLevel level) const = 0;
   };
 
-  class Helper {
+  class QUIC_EXPORT_PRIVATE Helper {
    public:
     virtual ~Helper() {}
 
@@ -176,6 +177,7 @@ class QUIC_EXPORT_PRIVATE QuicCryptoServerStream
   const QuicCryptoNegotiatedParameters& crypto_negotiated_params()
       const override;
   CryptoMessageParser* crypto_message_parser() override;
+  void OnPacketDecrypted(EncryptionLevel level) override;
   size_t BufferSizeLimitForLevel(EncryptionLevel level) const override;
   void OnSuccessfulVersionNegotiation(
       const ParsedQuicVersion& version) override;
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_crypto_server_stream_test.cc b/chromium/net/third_party/quiche/src/quic/core/quic_crypto_server_stream_test.cc
index 360c2684fc5..2f7055da328 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_crypto_server_stream_test.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_crypto_server_stream_test.cc
@@ -100,8 +100,10 @@ class QuicCryptoServerStreamTest : public QuicTestWithParam<bool> {
     crypto_test_utils::SetupCryptoServerConfigForTest(
         server_connection_->clock(), server_connection_->random_generator(),
         &server_crypto_config_);
-    server_session_->GetMutableCryptoStream()->OnSuccessfulVersionNegotiation(
-        supported_versions_.front());
+    if (!GetQuicReloadableFlag(quic_version_negotiated_by_default_at_server)) {
+      server_session_->GetMutableCryptoStream()->OnSuccessfulVersionNegotiation(
+          supported_versions_.front());
+    }
   }
 
   QuicCryptoServerStream* server_stream() {
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_crypto_stream.cc b/chromium/net/third_party/quiche/src/quic/core/quic_crypto_stream.cc
index d62417fbf51..e22e830d381 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_crypto_stream.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_crypto_stream.cc
@@ -72,8 +72,15 @@ void QuicCryptoStream::OnCryptoFrame(const QuicCryptoFrame& frame) {
       << "Versions less than 47 shouldn't receive CRYPTO frames";
   EncryptionLevel level = session()->connection()->last_decrypted_level();
   substreams_[level].sequencer.OnCryptoFrame(frame);
+  EncryptionLevel frame_level;
+  if (GetQuicReloadableFlag(quic_use_connection_encryption_level)) {
+    QUIC_RELOADABLE_FLAG_COUNT(quic_use_connection_encryption_level);
+    frame_level = level;
+  } else {
+    frame_level = frame.level;
+  }
   if (substreams_[level].sequencer.NumBytesBuffered() >
-      BufferSizeLimitForLevel(frame.level)) {
+      BufferSizeLimitForLevel(frame_level)) {
     CloseConnectionWithDetails(QUIC_FLOW_CONTROL_RECEIVED_TOO_MUCH_DATA,
                                "Too much crypto data received");
   }
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_crypto_stream.h b/chromium/net/third_party/quiche/src/quic/core/quic_crypto_stream.h
index 12a36f894b6..357303a65bb 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_crypto_stream.h
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_crypto_stream.h
@@ -80,6 +80,9 @@ class QUIC_EXPORT_PRIVATE QuicCryptoStream : public QuicStream {
   // Provides the message parser to use when data is received on this stream.
   virtual CryptoMessageParser* crypto_message_parser() = 0;
 
+  // Called when a packet of encryption |level| has been successfully decrypted.
+  virtual void OnPacketDecrypted(EncryptionLevel level) = 0;
+
   // Returns the maximum number of bytes that can be buffered at a particular
   // encryption level |level|.
   virtual size_t BufferSizeLimitForLevel(EncryptionLevel level) const;
@@ -155,7 +158,7 @@ class QUIC_EXPORT_PRIVATE QuicCryptoStream : public QuicStream {
   // levels. Some of the state for the single logical crypto stream is split
   // across encryption levels, and a CryptoSubstream is used to manage that
   // state for a particular encryption level.
-  struct CryptoSubstream {
+  struct QUIC_EXPORT_PRIVATE CryptoSubstream {
     CryptoSubstream(QuicCryptoStream* crypto_stream, EncryptionLevel);
 
     QuicStreamSequencer sequencer;
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_crypto_stream_test.cc b/chromium/net/third_party/quiche/src/quic/core/quic_crypto_stream_test.cc
index f5933d2fd89..25d9cc17ae1 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_crypto_stream_test.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_crypto_stream_test.cc
@@ -56,6 +56,7 @@ class MockQuicCryptoStream : public QuicCryptoStream,
   CryptoMessageParser* crypto_message_parser() override {
     return QuicCryptoHandshaker::crypto_message_parser();
   }
+  void OnPacketDecrypted(EncryptionLevel /*level*/) override {}
 
  private:
   QuicReferenceCountedPointer<QuicCryptoNegotiatedParameters> params_;
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_data_reader.cc b/chromium/net/third_party/quiche/src/quic/core/quic_data_reader.cc
index c9a76be8f57..17fb6cdafc3 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_data_reader.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_data_reader.cc
@@ -9,18 +9,19 @@
 #include "net/third_party/quiche/src/quic/platform/api/quic_bug_tracker.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_flags.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_str_cat.h"
+#include "net/third_party/quiche/src/common/platform/api/quiche_endian.h"
 
 namespace quic {
 
 QuicDataReader::QuicDataReader(QuicStringPiece data)
-    : QuicDataReader(data.data(), data.length(), NETWORK_BYTE_ORDER) {}
+    : QuicDataReader(data.data(), data.length(), quiche::NETWORK_BYTE_ORDER) {}
 
 QuicDataReader::QuicDataReader(const char* data, const size_t len)
-    : QuicDataReader(data, len, NETWORK_BYTE_ORDER) {}
+    : QuicDataReader(data, len, quiche::NETWORK_BYTE_ORDER) {}
 
 QuicDataReader::QuicDataReader(const char* data,
                                const size_t len,
-                               Endianness endianness)
+                               quiche::Endianness endianness)
     : data_(data), len_(len), pos_(0), endianness_(endianness) {}
 
 bool QuicDataReader::ReadUInt8(uint8_t* result) {
@@ -31,8 +32,8 @@ bool QuicDataReader::ReadUInt16(uint16_t* result) {
   if (!ReadBytes(result, sizeof(*result))) {
     return false;
   }
-  if (endianness_ == NETWORK_BYTE_ORDER) {
-    *result = QuicEndian::NetToHost16(*result);
+  if (endianness_ == quiche::NETWORK_BYTE_ORDER) {
+    *result = quiche::QuicheEndian::NetToHost16(*result);
   }
   return true;
 }
@@ -41,8 +42,8 @@ bool QuicDataReader::ReadUInt32(uint32_t* result) {
   if (!ReadBytes(result, sizeof(*result))) {
     return false;
   }
-  if (endianness_ == NETWORK_BYTE_ORDER) {
-    *result = QuicEndian::NetToHost32(*result);
+  if (endianness_ == quiche::NETWORK_BYTE_ORDER) {
+    *result = quiche::QuicheEndian::NetToHost32(*result);
   }
   return true;
 }
@@ -51,8 +52,8 @@ bool QuicDataReader::ReadUInt64(uint64_t* result) {
   if (!ReadBytes(result, sizeof(*result))) {
     return false;
   }
-  if (endianness_ == NETWORK_BYTE_ORDER) {
-    *result = QuicEndian::NetToHost64(*result);
+  if (endianness_ == quiche::NETWORK_BYTE_ORDER) {
+    *result = quiche::QuicheEndian::NetToHost64(*result);
   }
   return true;
 }
@@ -62,7 +63,7 @@ bool QuicDataReader::ReadBytesToUInt64(size_t num_bytes, uint64_t* result) {
   if (num_bytes > sizeof(*result)) {
     return false;
   }
-  if (endianness_ == HOST_BYTE_ORDER) {
+  if (endianness_ == quiche::HOST_BYTE_ORDER) {
     return ReadBytes(result, num_bytes);
   }
 
@@ -70,7 +71,7 @@ bool QuicDataReader::ReadBytesToUInt64(size_t num_bytes, uint64_t* result) {
                  num_bytes)) {
     return false;
   }
-  *result = QuicEndian::NetToHost64(*result);
+  *result = quiche::QuicheEndian::NetToHost64(*result);
   return true;
 }
 
@@ -217,7 +218,7 @@ bool QuicDataReader::IsDoneReading() const {
 }
 
 QuicVariableLengthIntegerLength QuicDataReader::PeekVarInt62Length() {
-  DCHECK_EQ(endianness_, NETWORK_BYTE_ORDER);
+  DCHECK_EQ(endianness_, quiche::NETWORK_BYTE_ORDER);
   const unsigned char* next =
       reinterpret_cast<const unsigned char*>(data_ + pos_);
   if (BytesRemaining() == 0) {
@@ -275,7 +276,7 @@ uint8_t QuicDataReader::PeekByte() const {
 // Low-level optimization is useful here because this function will be
 // called frequently, leading to outsize benefits.
 bool QuicDataReader::ReadVarInt62(uint64_t* result) {
-  DCHECK_EQ(endianness_, NETWORK_BYTE_ORDER);
+  DCHECK_EQ(endianness_, quiche::NETWORK_BYTE_ORDER);
 
   size_t remaining = BytesRemaining();
   const unsigned char* next =
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_data_reader.h b/chromium/net/third_party/quiche/src/quic/core/quic_data_reader.h
index 74ed2269d0c..acd30fda100 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_data_reader.h
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_data_reader.h
@@ -9,9 +9,9 @@
 #include <cstdint>
 
 #include "net/third_party/quiche/src/quic/core/quic_types.h"
-#include "net/third_party/quiche/src/quic/platform/api/quic_endian.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_export.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_string_piece.h"
+#include "net/third_party/quiche/src/common/platform/api/quiche_endian.h"
 
 namespace quic {
 
@@ -39,7 +39,9 @@ class QUIC_EXPORT_PRIVATE QuicDataReader {
   QuicDataReader(const char* data, const size_t len);
   // Constructs a reader using the specified endianness.
   // Caller must provide an underlying buffer to work on.
-  QuicDataReader(const char* data, const size_t len, Endianness endianness);
+  QuicDataReader(const char* data,
+                 const size_t len,
+                 quiche::Endianness endianness);
   QuicDataReader(const QuicDataReader&) = delete;
   QuicDataReader& operator=(const QuicDataReader&) = delete;
 
@@ -152,8 +154,6 @@ class QUIC_EXPORT_PRIVATE QuicDataReader {
   // DOES NOT forward the internal iterator.
   uint8_t PeekByte() const;
 
-  void set_endianness(Endianness endianness) { endianness_ = endianness; }
-
   // Read an IETF-encoded Variable Length Integer and place the result
   // in |*result|.
   // Returns true if it works, false if not. The only error is that
@@ -190,7 +190,7 @@ class QUIC_EXPORT_PRIVATE QuicDataReader {
   size_t pos_;
 
   // The endianness to read integers and floating numbers.
-  Endianness endianness_;
+  quiche::Endianness endianness_;
 };
 
 }  // namespace quic
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_data_writer.cc b/chromium/net/third_party/quiche/src/quic/core/quic_data_writer.cc
index e01eb6c4d24..d2d71133fe7 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_data_writer.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_data_writer.cc
@@ -12,13 +12,16 @@
 #include "net/third_party/quiche/src/quic/platform/api/quic_bug_tracker.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_flags.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_str_cat.h"
+#include "net/third_party/quiche/src/common/platform/api/quiche_endian.h"
 
 namespace quic {
 
 QuicDataWriter::QuicDataWriter(size_t size, char* buffer)
-    : QuicDataWriter(size, buffer, NETWORK_BYTE_ORDER) {}
+    : QuicDataWriter(size, buffer, quiche::NETWORK_BYTE_ORDER) {}
 
-QuicDataWriter::QuicDataWriter(size_t size, char* buffer, Endianness endianness)
+QuicDataWriter::QuicDataWriter(size_t size,
+                               char* buffer,
+                               quiche::Endianness endianness)
     : buffer_(buffer), capacity_(size), length_(0), endianness_(endianness) {}
 
 QuicDataWriter::~QuicDataWriter() {}
@@ -32,22 +35,22 @@ bool QuicDataWriter::WriteUInt8(uint8_t value) {
 }
 
 bool QuicDataWriter::WriteUInt16(uint16_t value) {
-  if (endianness_ == NETWORK_BYTE_ORDER) {
-    value = QuicEndian::HostToNet16(value);
+  if (endianness_ == quiche::NETWORK_BYTE_ORDER) {
+    value = quiche::QuicheEndian::HostToNet16(value);
   }
   return WriteBytes(&value, sizeof(value));
 }
 
 bool QuicDataWriter::WriteUInt32(uint32_t value) {
-  if (endianness_ == NETWORK_BYTE_ORDER) {
-    value = QuicEndian::HostToNet32(value);
+  if (endianness_ == quiche::NETWORK_BYTE_ORDER) {
+    value = quiche::QuicheEndian::HostToNet32(value);
   }
   return WriteBytes(&value, sizeof(value));
 }
 
 bool QuicDataWriter::WriteUInt64(uint64_t value) {
-  if (endianness_ == NETWORK_BYTE_ORDER) {
-    value = QuicEndian::HostToNet64(value);
+  if (endianness_ == quiche::NETWORK_BYTE_ORDER) {
+    value = quiche::QuicheEndian::HostToNet64(value);
   }
   return WriteBytes(&value, sizeof(value));
 }
@@ -56,11 +59,11 @@ bool QuicDataWriter::WriteBytesToUInt64(size_t num_bytes, uint64_t value) {
   if (num_bytes > sizeof(value)) {
     return false;
   }
-  if (endianness_ == HOST_BYTE_ORDER) {
+  if (endianness_ == quiche::HOST_BYTE_ORDER) {
     return WriteBytes(&value, num_bytes);
   }
 
-  value = QuicEndian::HostToNet64(value);
+  value = quiche::QuicheEndian::HostToNet64(value);
   return WriteBytes(reinterpret_cast<char*>(&value) + sizeof(value) - num_bytes,
                     num_bytes);
 }
@@ -101,8 +104,8 @@ bool QuicDataWriter::WriteUFloat16(uint64_t value) {
     result = static_cast<uint16_t>(value + (exponent << kUFloat16MantissaBits));
   }
 
-  if (endianness_ == NETWORK_BYTE_ORDER) {
-    result = QuicEndian::HostToNet16(result);
+  if (endianness_ == quiche::NETWORK_BYTE_ORDER) {
+    result = quiche::QuicheEndian::HostToNet16(result);
   }
   return WriteBytes(&result, sizeof(result));
 }
@@ -227,7 +230,7 @@ bool QuicDataWriter::Seek(size_t length) {
 // Low-level optimization is useful here because this function will be
 // called frequently, leading to outsize benefits.
 bool QuicDataWriter::WriteVarInt62(uint64_t value) {
-  DCHECK_EQ(endianness_, NETWORK_BYTE_ORDER);
+  DCHECK_EQ(endianness_, quiche::NETWORK_BYTE_ORDER);
 
   size_t remaining = capacity_ - length_;
   char* next = buffer_ + length_;
@@ -298,7 +301,7 @@ bool QuicDataWriter::WriteVarInt62(uint64_t value) {
 bool QuicDataWriter::WriteVarInt62(
     uint64_t value,
     QuicVariableLengthIntegerLength write_length) {
-  DCHECK_EQ(endianness_, NETWORK_BYTE_ORDER);
+  DCHECK_EQ(endianness_, quiche::NETWORK_BYTE_ORDER);
 
   size_t remaining = capacity_ - length_;
   if (remaining < write_length) {
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_data_writer.h b/chromium/net/third_party/quiche/src/quic/core/quic_data_writer.h
index c43d0ffc743..8f1b21defd5 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_data_writer.h
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_data_writer.h
@@ -9,9 +9,9 @@
 #include <cstdint>
 
 #include "net/third_party/quiche/src/quic/core/quic_types.h"
-#include "net/third_party/quiche/src/quic/platform/api/quic_endian.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_export.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_string_piece.h"
+#include "net/third_party/quiche/src/common/platform/api/quiche_endian.h"
 
 namespace quic {
 
@@ -42,7 +42,7 @@ class QUIC_EXPORT_PRIVATE QuicDataWriter {
   QuicDataWriter(size_t size, char* buffer);
   // Creates a QuicDataWriter where |buffer| is not owned
   // using the specified endianness.
-  QuicDataWriter(size_t size, char* buffer, Endianness endianness);
+  QuicDataWriter(size_t size, char* buffer, quiche::Endianness endianness);
   QuicDataWriter(const QuicDataWriter&) = delete;
   QuicDataWriter& operator=(const QuicDataWriter&) = delete;
 
@@ -144,7 +144,7 @@ class QUIC_EXPORT_PRIVATE QuicDataWriter {
   size_t length_;    // Current length of the buffer.
 
   // The endianness to write integers and floating numbers.
-  Endianness endianness_;
+  quiche::Endianness endianness_;
 };
 
 }  // namespace quic
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_data_writer_test.cc b/chromium/net/third_party/quiche/src/quic/core/quic_data_writer_test.cc
index 60abf961bc1..104df8d42ee 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_data_writer_test.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_data_writer_test.cc
@@ -15,6 +15,7 @@
 #include "net/third_party/quiche/src/quic/platform/api/quic_flags.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_test.h"
 #include "net/third_party/quiche/src/quic/test_tools/quic_test_utils.h"
+#include "net/third_party/quiche/src/common/platform/api/quiche_endian.h"
 
 namespace quic {
 namespace test {
@@ -25,20 +26,22 @@ char* AsChars(unsigned char* data) {
 }
 
 struct TestParams {
-  explicit TestParams(Endianness endianness) : endianness(endianness) {}
+  explicit TestParams(quiche::Endianness endianness) : endianness(endianness) {}
 
-  Endianness endianness;
+  quiche::Endianness endianness;
 };
 
 // Used by ::testing::PrintToStringParamName().
 std::string PrintToString(const TestParams& p) {
-  return QuicStrCat((p.endianness == NETWORK_BYTE_ORDER ? "Network" : "Host"),
-                    "ByteOrder");
+  return QuicStrCat(
+      (p.endianness == quiche::NETWORK_BYTE_ORDER ? "Network" : "Host"),
+      "ByteOrder");
 }
 
 std::vector<TestParams> GetTestParams() {
   std::vector<TestParams> params;
-  for (Endianness endianness : {NETWORK_BYTE_ORDER, HOST_BYTE_ORDER}) {
+  for (quiche::Endianness endianness :
+       {quiche::NETWORK_BYTE_ORDER, quiche::HOST_BYTE_ORDER}) {
     params.push_back(TestParams(endianness));
   }
   return params;
@@ -135,8 +138,8 @@ TEST_P(QuicDataWriterTest, WriteUFloat16) {
     QuicDataWriter writer(2, buffer, GetParam().endianness);
     EXPECT_TRUE(writer.WriteUFloat16(test_cases[i].decoded));
     uint16_t result = *reinterpret_cast<uint16_t*>(writer.data());
-    if (GetParam().endianness == NETWORK_BYTE_ORDER) {
-      result = QuicEndian::HostToNet16(result);
+    if (GetParam().endianness == quiche::NETWORK_BYTE_ORDER) {
+      result = quiche::QuicheEndian::HostToNet16(result);
     }
     EXPECT_EQ(test_cases[i].encoded, result);
   }
@@ -196,8 +199,8 @@ TEST_P(QuicDataWriterTest, ReadUFloat16) {
 
   for (int i = 0; i < num_test_cases; ++i) {
     uint16_t encoded_ufloat = test_cases[i].encoded;
-    if (GetParam().endianness == NETWORK_BYTE_ORDER) {
-      encoded_ufloat = QuicEndian::HostToNet16(encoded_ufloat);
+    if (GetParam().endianness == quiche::NETWORK_BYTE_ORDER) {
+      encoded_ufloat = quiche::QuicheEndian::HostToNet16(encoded_ufloat);
     }
     QuicDataReader reader(reinterpret_cast<char*>(&encoded_ufloat), 2,
                           GetParam().endianness);
@@ -213,8 +216,8 @@ TEST_P(QuicDataWriterTest, RoundTripUFloat16) {
   for (uint16_t i = 1; i < 0xFFFF; ++i) {
     // Read the two bytes.
     uint16_t read_number = i;
-    if (GetParam().endianness == NETWORK_BYTE_ORDER) {
-      read_number = QuicEndian::HostToNet16(read_number);
+    if (GetParam().endianness == quiche::NETWORK_BYTE_ORDER) {
+      read_number = quiche::QuicheEndian::HostToNet16(read_number);
     }
     QuicDataReader reader(reinterpret_cast<char*>(&read_number), 2,
                           GetParam().endianness);
@@ -243,10 +246,10 @@ TEST_P(QuicDataWriterTest, RoundTripUFloat16) {
     uint16_t encoded1 = *reinterpret_cast<uint16_t*>(writer.data());
     uint16_t encoded2 = *reinterpret_cast<uint16_t*>(writer.data() + 2);
     uint16_t encoded3 = *reinterpret_cast<uint16_t*>(writer.data() + 4);
-    if (GetParam().endianness == NETWORK_BYTE_ORDER) {
-      encoded1 = QuicEndian::NetToHost16(encoded1);
-      encoded2 = QuicEndian::NetToHost16(encoded2);
-      encoded3 = QuicEndian::NetToHost16(encoded3);
+    if (GetParam().endianness == quiche::NETWORK_BYTE_ORDER) {
+      encoded1 = quiche::QuicheEndian::NetToHost16(encoded1);
+      encoded2 = quiche::QuicheEndian::NetToHost16(encoded2);
+      encoded3 = quiche::QuicheEndian::NetToHost16(encoded3);
     }
     EXPECT_EQ(i - 1, encoded1);
     // Check roundtrip.
@@ -384,8 +387,8 @@ TEST_P(QuicDataWriterTest, Write16BitUnsignedIntegers) {
     writer.WriteUInt16(in_memory16);
     test::CompareCharArraysWithHexError(
         "uint16_t", buffer16, 2,
-        GetParam().endianness == NETWORK_BYTE_ORDER ? big_endian16
-                                                    : little_endian16,
+        GetParam().endianness == quiche::NETWORK_BYTE_ORDER ? big_endian16
+                                                            : little_endian16,
         2);
 
     uint16_t read_number16;
@@ -400,8 +403,8 @@ TEST_P(QuicDataWriterTest, Write16BitUnsignedIntegers) {
     writer.WriteBytesToUInt64(2, in_memory16);
     test::CompareCharArraysWithHexError(
         "uint16_t", buffer16, 2,
-        GetParam().endianness == NETWORK_BYTE_ORDER ? big_endian16
-                                                    : little_endian16,
+        GetParam().endianness == quiche::NETWORK_BYTE_ORDER ? big_endian16
+                                                            : little_endian16,
         2);
 
     uint64_t read_number16;
@@ -420,8 +423,8 @@ TEST_P(QuicDataWriterTest, Write24BitUnsignedIntegers) {
   writer.WriteBytesToUInt64(3, in_memory24);
   test::CompareCharArraysWithHexError(
       "uint24", buffer24, 3,
-      GetParam().endianness == NETWORK_BYTE_ORDER ? big_endian24
-                                                  : little_endian24,
+      GetParam().endianness == quiche::NETWORK_BYTE_ORDER ? big_endian24
+                                                          : little_endian24,
       3);
 
   uint64_t read_number24;
@@ -440,8 +443,8 @@ TEST_P(QuicDataWriterTest, Write32BitUnsignedIntegers) {
     writer.WriteUInt32(in_memory32);
     test::CompareCharArraysWithHexError(
         "uint32_t", buffer32, 4,
-        GetParam().endianness == NETWORK_BYTE_ORDER ? big_endian32
-                                                    : little_endian32,
+        GetParam().endianness == quiche::NETWORK_BYTE_ORDER ? big_endian32
+                                                            : little_endian32,
         4);
 
     uint32_t read_number32;
@@ -456,8 +459,8 @@ TEST_P(QuicDataWriterTest, Write32BitUnsignedIntegers) {
     writer.WriteBytesToUInt64(4, in_memory32);
     test::CompareCharArraysWithHexError(
         "uint32_t", buffer32, 4,
-        GetParam().endianness == NETWORK_BYTE_ORDER ? big_endian32
-                                                    : little_endian32,
+        GetParam().endianness == quiche::NETWORK_BYTE_ORDER ? big_endian32
+                                                            : little_endian32,
         4);
 
     uint64_t read_number32;
@@ -476,8 +479,8 @@ TEST_P(QuicDataWriterTest, Write40BitUnsignedIntegers) {
   writer.WriteBytesToUInt64(5, in_memory40);
   test::CompareCharArraysWithHexError(
       "uint40", buffer40, 5,
-      GetParam().endianness == NETWORK_BYTE_ORDER ? big_endian40
-                                                  : little_endian40,
+      GetParam().endianness == quiche::NETWORK_BYTE_ORDER ? big_endian40
+                                                          : little_endian40,
       5);
 
   uint64_t read_number40;
@@ -495,8 +498,8 @@ TEST_P(QuicDataWriterTest, Write48BitUnsignedIntegers) {
   writer.WriteBytesToUInt64(6, in_memory48);
   test::CompareCharArraysWithHexError(
       "uint48", buffer48, 6,
-      GetParam().endianness == NETWORK_BYTE_ORDER ? big_endian48
-                                                  : little_endian48,
+      GetParam().endianness == quiche::NETWORK_BYTE_ORDER ? big_endian48
+                                                          : little_endian48,
       6);
 
   uint64_t read_number48;
@@ -514,8 +517,8 @@ TEST_P(QuicDataWriterTest, Write56BitUnsignedIntegers) {
   writer.WriteBytesToUInt64(7, in_memory56);
   test::CompareCharArraysWithHexError(
       "uint56", buffer56, 7,
-      GetParam().endianness == NETWORK_BYTE_ORDER ? big_endian56
-                                                  : little_endian56,
+      GetParam().endianness == quiche::NETWORK_BYTE_ORDER ? big_endian56
+                                                          : little_endian56,
       7);
 
   uint64_t read_number56;
@@ -535,8 +538,9 @@ TEST_P(QuicDataWriterTest, Write64BitUnsignedIntegers) {
   writer.WriteBytesToUInt64(8, in_memory64);
   test::CompareCharArraysWithHexError(
       "uint64_t", buffer64, 8,
-      GetParam().endianness == NETWORK_BYTE_ORDER ? AsChars(big_endian64)
-                                                  : AsChars(little_endian64),
+      GetParam().endianness == quiche::NETWORK_BYTE_ORDER
+          ? AsChars(big_endian64)
+          : AsChars(little_endian64),
       8);
 
   uint64_t read_number64;
@@ -548,8 +552,9 @@ TEST_P(QuicDataWriterTest, Write64BitUnsignedIntegers) {
   writer2.WriteUInt64(in_memory64);
   test::CompareCharArraysWithHexError(
       "uint64_t", buffer64, 8,
-      GetParam().endianness == NETWORK_BYTE_ORDER ? AsChars(big_endian64)
-                                                  : AsChars(little_endian64),
+      GetParam().endianness == quiche::NETWORK_BYTE_ORDER
+          ? AsChars(big_endian64)
+          : AsChars(little_endian64),
       8);
   read_number64 = 0u;
   QuicDataReader reader2(buffer64, 8, GetParam().endianness);
@@ -674,7 +679,8 @@ bool EncodeDecodeValue(uint64_t value_in, char* buffer, size_t size_of_buffer) {
   // make a writer. Note that for IETF encoding
   // we do not care about endianness... It's always big-endian,
   // but the c'tor expects to be told what endianness is in force...
-  QuicDataWriter writer(size_of_buffer, buffer, Endianness::NETWORK_BYTE_ORDER);
+  QuicDataWriter writer(size_of_buffer, buffer,
+                        quiche::Endianness::NETWORK_BYTE_ORDER);
 
   // Try to write the value.
   if (writer.WriteVarInt62(value_in) != true) {
@@ -699,7 +705,7 @@ bool EncodeDecodeValue(uint64_t value_in, char* buffer, size_t size_of_buffer) {
 
   // set up a reader, just the length we've used, no more, no less.
   QuicDataReader reader(buffer, expected_length,
-                        Endianness::NETWORK_BYTE_ORDER);
+                        quiche::Endianness::NETWORK_BYTE_ORDER);
   uint64_t value_out;
 
   if (reader.ReadVarInt62(&value_out) == false) {
@@ -721,7 +727,7 @@ TEST_P(QuicDataWriterTest, VarInt8Layout) {
   // are always encoded big endian...
   memset(buffer, 0, sizeof(buffer));
   QuicDataWriter writer(sizeof(buffer), static_cast<char*>(buffer),
-                        Endianness::NETWORK_BYTE_ORDER);
+                        quiche::Endianness::NETWORK_BYTE_ORDER);
   EXPECT_TRUE(writer.WriteVarInt62(UINT64_C(0x3142f3e4d5c6b7a8)));
   EXPECT_EQ(static_cast<unsigned char>(*(writer.data() + 0)),
             (0x31 + 0xc0));  // 0xc0 for encoding
@@ -743,7 +749,7 @@ TEST_P(QuicDataWriterTest, VarInt4Layout) {
   // are always encoded big endian...
   memset(buffer, 0, sizeof(buffer));
   QuicDataWriter writer(sizeof(buffer), static_cast<char*>(buffer),
-                        Endianness::NETWORK_BYTE_ORDER);
+                        quiche::Endianness::NETWORK_BYTE_ORDER);
   EXPECT_TRUE(writer.WriteVarInt62(0x3243f4e5));
   EXPECT_EQ(static_cast<unsigned char>(*(writer.data() + 0)),
             (0x32 + 0x80));  // 0x80 for encoding
@@ -761,7 +767,7 @@ TEST_P(QuicDataWriterTest, VarInt2Layout) {
   // are always encoded big endian...
   memset(buffer, 0, sizeof(buffer));
   QuicDataWriter writer(sizeof(buffer), static_cast<char*>(buffer),
-                        Endianness::NETWORK_BYTE_ORDER);
+                        quiche::Endianness::NETWORK_BYTE_ORDER);
   EXPECT_TRUE(writer.WriteVarInt62(0x3647));
   EXPECT_EQ(static_cast<unsigned char>(*(writer.data() + 0)),
             (0x36 + 0x40));  // 0x40 for encoding
@@ -777,7 +783,7 @@ TEST_P(QuicDataWriterTest, VarInt1Layout) {
   // is correct. Bytes are always encoded big endian...
   memset(buffer, 0, sizeof(buffer));
   QuicDataWriter writer(sizeof(buffer), static_cast<char*>(buffer),
-                        Endianness::NETWORK_BYTE_ORDER);
+                        quiche::Endianness::NETWORK_BYTE_ORDER);
   EXPECT_TRUE(writer.WriteVarInt62(0x3f));
   EXPECT_EQ(static_cast<unsigned char>(*(writer.data() + 0)), 0x3f);
 }
@@ -883,7 +889,7 @@ TEST_P(QuicDataWriterTest, MultiVarInt8) {
   char buffer[8 * kMultiVarCount];
   memset(buffer, 0, sizeof(buffer));
   QuicDataWriter writer(sizeof(buffer), static_cast<char*>(buffer),
-                        Endianness::NETWORK_BYTE_ORDER);
+                        quiche::Endianness::NETWORK_BYTE_ORDER);
   // Put N values into the buffer. Adding i to the value ensures that
   // each value is different so we can detect if we overwrite values,
   // or read the same value over and over.
@@ -897,7 +903,8 @@ TEST_P(QuicDataWriterTest, MultiVarInt8) {
 
   // Now we should be able to read out the N values that were
   // successfully encoded.
-  QuicDataReader reader(buffer, sizeof(buffer), Endianness::NETWORK_BYTE_ORDER);
+  QuicDataReader reader(buffer, sizeof(buffer),
+                        quiche::Endianness::NETWORK_BYTE_ORDER);
   for (int i = 0; i < kMultiVarCount; i++) {
     EXPECT_TRUE(reader.ReadVarInt62(&test_val));
     EXPECT_EQ(test_val, (UINT64_C(0x3142f3e4d5c6b7a8) + i));
@@ -912,7 +919,7 @@ TEST_P(QuicDataWriterTest, MultiVarInt4) {
   char buffer[4 * kMultiVarCount];
   memset(buffer, 0, sizeof(buffer));
   QuicDataWriter writer(sizeof(buffer), static_cast<char*>(buffer),
-                        Endianness::NETWORK_BYTE_ORDER);
+                        quiche::Endianness::NETWORK_BYTE_ORDER);
   // Put N values into the buffer. Adding i to the value ensures that
   // each value is different so we can detect if we overwrite values,
   // or read the same value over and over.
@@ -926,7 +933,8 @@ TEST_P(QuicDataWriterTest, MultiVarInt4) {
 
   // Now we should be able to read out the N values that were
   // successfully encoded.
-  QuicDataReader reader(buffer, sizeof(buffer), Endianness::NETWORK_BYTE_ORDER);
+  QuicDataReader reader(buffer, sizeof(buffer),
+                        quiche::Endianness::NETWORK_BYTE_ORDER);
   for (int i = 0; i < kMultiVarCount; i++) {
     EXPECT_TRUE(reader.ReadVarInt62(&test_val));
     EXPECT_EQ(test_val, (UINT64_C(0x3142f3e4) + i));
@@ -941,7 +949,7 @@ TEST_P(QuicDataWriterTest, MultiVarInt2) {
   char buffer[2 * kMultiVarCount];
   memset(buffer, 0, sizeof(buffer));
   QuicDataWriter writer(sizeof(buffer), static_cast<char*>(buffer),
-                        Endianness::NETWORK_BYTE_ORDER);
+                        quiche::Endianness::NETWORK_BYTE_ORDER);
   // Put N values into the buffer. Adding i to the value ensures that
   // each value is different so we can detect if we overwrite values,
   // or read the same value over and over.
@@ -955,7 +963,8 @@ TEST_P(QuicDataWriterTest, MultiVarInt2) {
 
   // Now we should be able to read out the N values that were
   // successfully encoded.
-  QuicDataReader reader(buffer, sizeof(buffer), Endianness::NETWORK_BYTE_ORDER);
+  QuicDataReader reader(buffer, sizeof(buffer),
+                        quiche::Endianness::NETWORK_BYTE_ORDER);
   for (int i = 0; i < kMultiVarCount; i++) {
     EXPECT_TRUE(reader.ReadVarInt62(&test_val));
     EXPECT_EQ(test_val, (UINT64_C(0x3142) + i));
@@ -970,7 +979,7 @@ TEST_P(QuicDataWriterTest, MultiVarInt1) {
   char buffer[1 * kMultiVarCount];
   memset(buffer, 0, sizeof(buffer));
   QuicDataWriter writer(sizeof(buffer), static_cast<char*>(buffer),
-                        Endianness::NETWORK_BYTE_ORDER);
+                        quiche::Endianness::NETWORK_BYTE_ORDER);
   // Put N values into the buffer. Adding i to the value ensures that
   // each value is different so we can detect if we overwrite values,
   // or read the same value over and over. &0xf ensures we do not
@@ -985,7 +994,8 @@ TEST_P(QuicDataWriterTest, MultiVarInt1) {
 
   // Now we should be able to read out the N values that were
   // successfully encoded.
-  QuicDataReader reader(buffer, sizeof(buffer), Endianness::NETWORK_BYTE_ORDER);
+  QuicDataReader reader(buffer, sizeof(buffer),
+                        quiche::Endianness::NETWORK_BYTE_ORDER);
   for (int i = 0; i < kMultiVarCount; i++) {
     EXPECT_TRUE(reader.ReadVarInt62(&test_val));
     EXPECT_EQ(test_val, (UINT64_C(0x30) + (i & 0xf)));
@@ -999,7 +1009,7 @@ TEST_P(QuicDataWriterTest, VarIntFixedLength) {
   char buffer[90];
   memset(buffer, 0, sizeof(buffer));
   QuicDataWriter writer(sizeof(buffer), static_cast<char*>(buffer),
-                        Endianness::NETWORK_BYTE_ORDER);
+                        quiche::Endianness::NETWORK_BYTE_ORDER);
 
   writer.WriteVarInt62(1, VARIABLE_LENGTH_INTEGER_LENGTH_1);
   writer.WriteVarInt62(1, VARIABLE_LENGTH_INTEGER_LENGTH_2);
@@ -1027,7 +1037,8 @@ TEST_P(QuicDataWriterTest, VarIntFixedLength) {
 
   writer.WriteVarInt62(1073741824, VARIABLE_LENGTH_INTEGER_LENGTH_8);
 
-  QuicDataReader reader(buffer, sizeof(buffer), Endianness::NETWORK_BYTE_ORDER);
+  QuicDataReader reader(buffer, sizeof(buffer),
+                        quiche::Endianness::NETWORK_BYTE_ORDER);
 
   uint64_t test_val = 0;
   for (int i = 0; i < 4; ++i) {
@@ -1071,10 +1082,11 @@ void EncodeDecodeStreamId(uint64_t value_in, bool expected_decode_result) {
 
   // Encode the given Stream ID.
   QuicDataWriter writer(sizeof(buffer), static_cast<char*>(buffer),
-                        Endianness::NETWORK_BYTE_ORDER);
+                        quiche::Endianness::NETWORK_BYTE_ORDER);
   EXPECT_TRUE(writer.WriteVarInt62(value_in));
 
-  QuicDataReader reader(buffer, sizeof(buffer), Endianness::NETWORK_BYTE_ORDER);
+  QuicDataReader reader(buffer, sizeof(buffer),
+                        quiche::Endianness::NETWORK_BYTE_ORDER);
   QuicStreamId received_stream_id;
   bool read_result = reader.ReadVarIntU32(&received_stream_id);
   EXPECT_EQ(expected_decode_result, read_result);
@@ -1124,28 +1136,28 @@ TEST_P(QuicDataWriterTest, WriteRandomBytes) {
 TEST_P(QuicDataWriterTest, PeekVarInt62Length) {
   // In range [0, 63], variable length should be 1 byte.
   char buffer[20];
-  QuicDataWriter writer(20, buffer, NETWORK_BYTE_ORDER);
+  QuicDataWriter writer(20, buffer, quiche::NETWORK_BYTE_ORDER);
   EXPECT_TRUE(writer.WriteVarInt62(50));
-  QuicDataReader reader(buffer, 20, NETWORK_BYTE_ORDER);
+  QuicDataReader reader(buffer, 20, quiche::NETWORK_BYTE_ORDER);
   EXPECT_EQ(1, reader.PeekVarInt62Length());
   // In range (63-16383], variable length should be 2 byte2.
   char buffer2[20];
-  QuicDataWriter writer2(20, buffer2, NETWORK_BYTE_ORDER);
+  QuicDataWriter writer2(20, buffer2, quiche::NETWORK_BYTE_ORDER);
   EXPECT_TRUE(writer2.WriteVarInt62(100));
-  QuicDataReader reader2(buffer2, 20, NETWORK_BYTE_ORDER);
+  QuicDataReader reader2(buffer2, 20, quiche::NETWORK_BYTE_ORDER);
   EXPECT_EQ(2, reader2.PeekVarInt62Length());
   // In range (16383, 1073741823], variable length should be 4 bytes.
   char buffer3[20];
-  QuicDataWriter writer3(20, buffer3, NETWORK_BYTE_ORDER);
+  QuicDataWriter writer3(20, buffer3, quiche::NETWORK_BYTE_ORDER);
   EXPECT_TRUE(writer3.WriteVarInt62(20000));
-  QuicDataReader reader3(buffer3, 20, NETWORK_BYTE_ORDER);
+  QuicDataReader reader3(buffer3, 20, quiche::NETWORK_BYTE_ORDER);
   EXPECT_EQ(4, reader3.PeekVarInt62Length());
   // In range (1073741823, 4611686018427387903], variable length should be 8
   // bytes.
   char buffer4[20];
-  QuicDataWriter writer4(20, buffer4, NETWORK_BYTE_ORDER);
+  QuicDataWriter writer4(20, buffer4, quiche::NETWORK_BYTE_ORDER);
   EXPECT_TRUE(writer4.WriteVarInt62(2000000000));
-  QuicDataReader reader4(buffer4, 20, NETWORK_BYTE_ORDER);
+  QuicDataReader reader4(buffer4, 20, quiche::NETWORK_BYTE_ORDER);
   EXPECT_EQ(8, reader4.PeekVarInt62Length());
 }
 
@@ -1171,7 +1183,7 @@ TEST_P(QuicDataWriterTest, ValidU32) {
   char buffer[1024];
   memset(buffer, 0, sizeof(buffer));
   QuicDataWriter writer(sizeof(buffer), static_cast<char*>(buffer),
-                        Endianness::NETWORK_BYTE_ORDER);
+                        quiche::Endianness::NETWORK_BYTE_ORDER);
   QuicDataReader reader(buffer, sizeof(buffer));
   const QuicStreamCount write_stream_count = 0xffeeddcc;
   EXPECT_TRUE(writer.WriteVarInt62(write_stream_count));
@@ -1184,7 +1196,7 @@ TEST_P(QuicDataWriterTest, InvalidU32) {
   char buffer[1024];
   memset(buffer, 0, sizeof(buffer));
   QuicDataWriter writer(sizeof(buffer), static_cast<char*>(buffer),
-                        Endianness::NETWORK_BYTE_ORDER);
+                        quiche::Endianness::NETWORK_BYTE_ORDER);
   QuicDataReader reader(buffer, sizeof(buffer));
   EXPECT_TRUE(writer.WriteVarInt62(UINT64_C(0x1ffeeddcc)));
   QuicStreamCount read_stream_count = 123456;
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_dispatcher.cc b/chromium/net/third_party/quiche/src/quic/core/quic_dispatcher.cc
index acc5cb3bbdb..a1adda4c1b6 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_dispatcher.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_dispatcher.cc
@@ -135,10 +135,7 @@ class StatelessConnectionTerminator {
         creator_(server_connection_id, &framer_, &collector_),
         time_wait_list_manager_(time_wait_list_manager) {
     framer_.set_data_producer(&collector_);
-    if (framer_.framer_doesnt_create_initial_encrypter() ||
-        version.UsesInitialObfuscators()) {
-      framer_.SetInitialObfuscators(server_connection_id);
-    }
+    framer_.SetInitialObfuscators(server_connection_id);
   }
 
   ~StatelessConnectionTerminator() {
@@ -179,7 +176,7 @@ class StatelessConnectionTerminator {
         framer_.transport_version(), error_code, error_details,
         /*transport_close_frame_type=*/0);
 
-    if (!creator_.AddSavedFrame(QuicFrame(frame), NOT_RETRANSMISSION)) {
+    if (!creator_.AddFrame(QuicFrame(frame), NOT_RETRANSMISSION)) {
       QUIC_BUG << "Unable to add frame to an empty packet";
       delete frame;
       return;
@@ -454,12 +451,10 @@ bool QuicDispatcher::MaybeDispatchPacket(
       return true;
     }
 
-    if (GetQuicReloadableFlag(quic_donot_process_small_initial_packets) &&
-        crypto_config()->validate_chlo_size() &&
+    if (crypto_config()->validate_chlo_size() &&
         packet_info.form == IETF_QUIC_LONG_HEADER_PACKET &&
         packet_info.long_packet_type == INITIAL &&
         packet_info.packet.length() < kMinClientInitialPacketLength) {
-      QUIC_RELOADABLE_FLAG_COUNT(quic_donot_process_small_initial_packets);
       StatelessConnectionTerminator terminator(
           packet_info.destination_connection_id, packet_info.version,
           helper_.get(), time_wait_list_manager_.get());
@@ -530,8 +525,6 @@ void QuicDispatcher::ProcessHeader(ReceivedPacketInfo* packet_info) {
 QuicDispatcher::QuicPacketFate QuicDispatcher::ValidityChecks(
     const ReceivedPacketInfo& packet_info) {
   if (!packet_info.version_flag) {
-    if (GetQuicReloadableFlag(quic_reply_to_old_android_conformance_test)) {
-      QUIC_RELOADABLE_FLAG_COUNT(quic_reply_to_old_android_conformance_test);
       // The Android network conformance test contains a UDP test that sends a
       // 12-byte packet with the following format:
       //  - 0x0c (public flags: 8-byte connection ID, 1-byte packet number)
@@ -559,17 +552,12 @@ QuicDispatcher::QuicPacketFate QuicDispatcher::ValidityChecks(
             /*ietf_quic=*/false, GetPerPacketContext());
         return kFateDrop;
       }
-    }
 
     QUIC_DLOG(INFO)
         << "Packet without version arrived for unknown connection ID "
         << packet_info.destination_connection_id;
-    if (GetQuicReloadableFlag(quic_reject_unprocessable_packets_statelessly)) {
-      QUIC_RELOADABLE_FLAG_COUNT(quic_reject_unprocessable_packets_statelessly);
-      MaybeResetPacketsWithNoVersion(packet_info);
-      return kFateDrop;
-    }
-    return kFateTimeWait;
+    MaybeResetPacketsWithNoVersion(packet_info);
+    return kFateDrop;
   }
 
   // Let the connection parse and validate packet number.
@@ -586,7 +574,7 @@ void QuicDispatcher::CleanUpSession(SessionMap::iterator it,
       !connection->termination_packets()->empty()) {
     action = QuicTimeWaitListManager::SEND_TERMINATION_PACKETS;
   } else {
-    if (!connection->IsHandshakeConfirmed()) {
+    if (!connection->IsHandshakeComplete()) {
       if (!VersionHasIetfInvariantHeader(connection->transport_version())) {
         QUIC_CODE_COUNT(gquic_add_to_time_wait_list_with_handshake_failed);
       } else {
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_dispatcher.h b/chromium/net/third_party/quiche/src/quic/core/quic_dispatcher.h
index abcd4f2f733..7dbdea65339 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_dispatcher.h
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_dispatcher.h
@@ -34,9 +34,10 @@ class QuicDispatcherPeer;
 class QuicConfig;
 class QuicCryptoServerConfig;
 
-class QuicDispatcher : public QuicTimeWaitListManager::Visitor,
-                       public ProcessPacketInterface,
-                       public QuicBufferedPacketStore::VisitorInterface {
+class QUIC_NO_EXPORT QuicDispatcher
+    : public QuicTimeWaitListManager::Visitor,
+      public ProcessPacketInterface,
+      public QuicBufferedPacketStore::VisitorInterface {
  public:
   // Ideally we'd have a linked_hash_set: the  boolean is unused.
   typedef QuicLinkedHashMap<QuicBlockedWriterInterface*, bool> WriteBlockedList;
@@ -313,11 +314,6 @@ class QuicDispatcher : public QuicTimeWaitListManager::Visitor,
   // connection ID according to the packet's size.
   void MaybeResetPacketsWithNoVersion(const ReceivedPacketInfo& packet_info);
 
-  void set_new_sessions_allowed_per_event_loop(
-      int16_t new_sessions_allowed_per_event_loop) {
-    new_sessions_allowed_per_event_loop_ = new_sessions_allowed_per_event_loop;
-  }
-
   const QuicConfig* config_;
 
   const QuicCryptoServerConfig* crypto_config_;
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_dispatcher_test.cc b/chromium/net/third_party/quiche/src/quic/core/quic_dispatcher_test.cc
index 3240ceb2557..896438a2b73 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_dispatcher_test.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_dispatcher_test.cc
@@ -417,7 +417,7 @@ class QuicDispatcherTest : public QuicTest {
 TEST_F(QuicDispatcherTest, TlsClientHelloCreatesSession) {
   if (!QuicVersionUsesCryptoFrames(
           CurrentSupportedVersions().front().transport_version)) {
-    // TLS is only supported in versions 47 and greater.
+    // TLS is only supported in versions with crypto frames.
     return;
   }
   SetQuicReloadableFlag(quic_supports_tls_handshake, true);
@@ -684,23 +684,14 @@ TEST_F(QuicDispatcherTest, NoVersionPacketToTimeWaitListManager) {
   // list manager.
   EXPECT_CALL(*dispatcher_, CreateQuicSession(_, _, QuicStringPiece("hq"), _))
       .Times(0);
-  if (GetQuicReloadableFlag(quic_reject_unprocessable_packets_statelessly)) {
-    EXPECT_CALL(*time_wait_list_manager_,
-                ProcessPacket(_, _, connection_id, _, _))
-        .Times(0);
-    EXPECT_CALL(*time_wait_list_manager_,
-                AddConnectionIdToTimeWait(_, _, _, _, _))
-        .Times(0);
-    EXPECT_CALL(*time_wait_list_manager_, SendPublicReset(_, _, _, _, _))
-        .Times(1);
-  } else {
-    EXPECT_CALL(*time_wait_list_manager_,
-                ProcessPacket(_, _, connection_id, _, _))
-        .Times(1);
-    EXPECT_CALL(*time_wait_list_manager_,
-                AddConnectionIdToTimeWait(_, _, _, _, _))
-        .Times(1);
-  }
+  EXPECT_CALL(*time_wait_list_manager_,
+              ProcessPacket(_, _, connection_id, _, _))
+      .Times(0);
+  EXPECT_CALL(*time_wait_list_manager_,
+              AddConnectionIdToTimeWait(_, _, _, _, _))
+      .Times(0);
+  EXPECT_CALL(*time_wait_list_manager_, SendPublicReset(_, _, _, _, _))
+      .Times(1);
   ProcessPacket(client_address, connection_id, false, SerializeCHLO());
 }
 
@@ -714,29 +705,16 @@ TEST_F(QuicDispatcherTest,
   char valid_size_packet[23] = {0x70, 0xa7, 0x02, 0x6c};
   QuicReceivedPacket packet2(valid_size_packet, 23, QuicTime::Zero());
   EXPECT_CALL(*dispatcher_, CreateQuicSession(_, _, _, _)).Times(0);
-  if (GetQuicReloadableFlag(quic_reject_unprocessable_packets_statelessly)) {
-    EXPECT_CALL(*time_wait_list_manager_, ProcessPacket(_, _, _, _, _))
-        .Times(0);
-    EXPECT_CALL(*time_wait_list_manager_,
-                AddConnectionIdToTimeWait(_, _, _, _, _))
-        .Times(0);
-  } else {
-    EXPECT_CALL(*time_wait_list_manager_, ProcessPacket(_, _, _, _, _))
-        .Times(2);
-    EXPECT_CALL(*time_wait_list_manager_,
-                AddConnectionIdToTimeWait(_, _, _, _, _))
-        .Times(2);
-  }
-  if (GetQuicReloadableFlag(quic_reject_unprocessable_packets_statelessly)) {
-    // Verify small packet is silently dropped.
-    EXPECT_CALL(*time_wait_list_manager_, SendPublicReset(_, _, _, _, _))
-        .Times(0);
-  }
+  EXPECT_CALL(*time_wait_list_manager_, ProcessPacket(_, _, _, _, _)).Times(0);
+  EXPECT_CALL(*time_wait_list_manager_,
+              AddConnectionIdToTimeWait(_, _, _, _, _))
+      .Times(0);
+  // Verify small packet is silently dropped.
+  EXPECT_CALL(*time_wait_list_manager_, SendPublicReset(_, _, _, _, _))
+      .Times(0);
   dispatcher_->ProcessPacket(server_address_, client_address, packet);
-  if (GetQuicReloadableFlag(quic_reject_unprocessable_packets_statelessly)) {
-    EXPECT_CALL(*time_wait_list_manager_, SendPublicReset(_, _, _, _, _))
-        .Times(1);
-  }
+  EXPECT_CALL(*time_wait_list_manager_, SendPublicReset(_, _, _, _, _))
+      .Times(1);
   dispatcher_->ProcessPacket(server_address_, client_address, packet2);
 }
 
@@ -886,8 +864,8 @@ TEST_F(QuicDispatcherTest, ProcessPacketWithZeroPort) {
 }
 
 TEST_F(QuicDispatcherTest, ProcessPacketWithInvalidShortInitialConnectionId) {
-  // Enable v47 otherwise we cannot create a packet with a short connection ID.
-  SetQuicReloadableFlag(quic_enable_version_47, true);
+  // Enable a version that supports connection IDs of length different than 8.
+  SetQuicReloadableFlag(quic_enable_version_50, true);
   CreateTimeWaitListManager();
 
   QuicSocketAddress client_address(QuicIpAddress::Loopback4(), 1);
@@ -931,12 +909,8 @@ TEST_F(QuicDispatcherTest, OKSeqNoPacketProcessed) {
 }
 
 TEST_F(QuicDispatcherTest, SupportedTransportVersionsChangeInFlight) {
-  static_assert(QUIC_ARRAYSIZE(kSupportedTransportVersions) == 8u,
+  static_assert(QUIC_ARRAYSIZE(kSupportedTransportVersions) == 6u,
                 "Supported versions out of sync");
-  SetQuicReloadableFlag(quic_disable_version_39, false);
-  SetQuicReloadableFlag(quic_enable_version_47, true);
-  SetQuicReloadableFlag(quic_enable_version_48_2, true);
-  SetQuicReloadableFlag(quic_enable_version_49, true);
   SetQuicReloadableFlag(quic_enable_version_50, true);
   SetQuicReloadableFlag(quic_enable_version_99, true);
 
@@ -955,73 +929,52 @@ TEST_F(QuicDispatcherTest, SupportedTransportVersionsChangeInFlight) {
   SetQuicReloadableFlag(quic_enable_version_50, true);
   VerifyVersionSupported(
       ParsedQuicVersion(PROTOCOL_QUIC_CRYPTO, QUIC_VERSION_50));
-
-  // Turn off version 49.
-  SetQuicReloadableFlag(quic_enable_version_49, false);
-  VerifyVersionNotSupported(
-      ParsedQuicVersion(PROTOCOL_QUIC_CRYPTO, QUIC_VERSION_49));
-
-  // Turn on version 49.
-  SetQuicReloadableFlag(quic_enable_version_49, true);
-  VerifyVersionSupported(
-      ParsedQuicVersion(PROTOCOL_QUIC_CRYPTO, QUIC_VERSION_49));
-
-  // Turn off version 48.
-  SetQuicReloadableFlag(quic_enable_version_48_2, false);
-  VerifyVersionNotSupported(
-      ParsedQuicVersion(PROTOCOL_QUIC_CRYPTO, QUIC_VERSION_48));
-
-  // Turn on version 48.
-  SetQuicReloadableFlag(quic_enable_version_48_2, true);
-  VerifyVersionSupported(
-      ParsedQuicVersion(PROTOCOL_QUIC_CRYPTO, QUIC_VERSION_48));
-
-  // Turn off version 47.
-  SetQuicReloadableFlag(quic_enable_version_47, false);
-  VerifyVersionNotSupported(
-      ParsedQuicVersion(PROTOCOL_QUIC_CRYPTO, QUIC_VERSION_47));
-
-  // Turn on version 47.
-  SetQuicReloadableFlag(quic_enable_version_47, true);
-  VerifyVersionSupported(
-      ParsedQuicVersion(PROTOCOL_QUIC_CRYPTO, QUIC_VERSION_47));
-
-  // Turn off version 39.
-  SetQuicReloadableFlag(quic_disable_version_39, true);
-  VerifyVersionNotSupported(
-      ParsedQuicVersion(PROTOCOL_QUIC_CRYPTO, QUIC_VERSION_39));
-
-  // Turn on version 39.
-  SetQuicReloadableFlag(quic_disable_version_39, false);
-  VerifyVersionSupported(
-      ParsedQuicVersion(PROTOCOL_QUIC_CRYPTO, QUIC_VERSION_39));
 }
 
 TEST_F(QuicDispatcherTest, RejectDeprecatedVersionsWithVersionNegotiation) {
-  static_assert(QUIC_ARRAYSIZE(kSupportedTransportVersions) == 8u,
+  static_assert(QUIC_ARRAYSIZE(kSupportedTransportVersions) == 6u,
                 "Please add deprecated versions to this test");
   QuicSocketAddress client_address(QuicIpAddress::Loopback4(), 1);
   CreateTimeWaitListManager();
 
-  char packet45[kMinPacketSizeForVersionNegotiation] = {
-      0xC0, 'Q', '0', '4', '5', /*connection ID length byte*/ 0x50};
-  QuicReceivedPacket packet(packet45, kMinPacketSizeForVersionNegotiation,
-                            QuicTime::Zero());
-  EXPECT_CALL(*dispatcher_, CreateQuicSession(_, _, _, _)).Times(0);
-  EXPECT_CALL(*time_wait_list_manager_,
-              SendVersionNegotiationPacket(_, _, _, _, _, _, _, _))
-      .Times(1);
-  dispatcher_->ProcessPacket(server_address_, client_address, packet);
+  {
+    char packet47[kMinPacketSizeForVersionNegotiation] = {
+        0xC0, 'Q', '0', '4', '7', /*connection ID length byte*/ 0x50};
+    QuicReceivedPacket received_packet47(
+        packet47, kMinPacketSizeForVersionNegotiation, QuicTime::Zero());
+    EXPECT_CALL(*dispatcher_, CreateQuicSession(_, _, _, _)).Times(0);
+    EXPECT_CALL(*time_wait_list_manager_,
+                SendVersionNegotiationPacket(_, _, _, _, _, _, _, _))
+        .Times(1);
+    dispatcher_->ProcessPacket(server_address_, client_address,
+                               received_packet47);
+  }
 
-  char packet44[kMinPacketSizeForVersionNegotiation] = {
-      0xFF, 'Q', '0', '4', '4', /*connection ID length byte*/ 0x50};
-  QuicReceivedPacket packet2(packet44, kMinPacketSizeForVersionNegotiation,
-                             QuicTime::Zero());
-  EXPECT_CALL(*dispatcher_, CreateQuicSession(_, _, _, _)).Times(0);
-  EXPECT_CALL(*time_wait_list_manager_,
-              SendVersionNegotiationPacket(_, _, _, _, _, _, _, _))
-      .Times(1);
-  dispatcher_->ProcessPacket(server_address_, client_address, packet2);
+  {
+    char packet45[kMinPacketSizeForVersionNegotiation] = {
+        0xC0, 'Q', '0', '4', '5', /*connection ID length byte*/ 0x50};
+    QuicReceivedPacket received_packet45(
+        packet45, kMinPacketSizeForVersionNegotiation, QuicTime::Zero());
+    EXPECT_CALL(*dispatcher_, CreateQuicSession(_, _, _, _)).Times(0);
+    EXPECT_CALL(*time_wait_list_manager_,
+                SendVersionNegotiationPacket(_, _, _, _, _, _, _, _))
+        .Times(1);
+    dispatcher_->ProcessPacket(server_address_, client_address,
+                               received_packet45);
+  }
+
+  {
+    char packet44[kMinPacketSizeForVersionNegotiation] = {
+        0xFF, 'Q', '0', '4', '4', /*connection ID length byte*/ 0x50};
+    QuicReceivedPacket received_packet44(
+        packet44, kMinPacketSizeForVersionNegotiation, QuicTime::Zero());
+    EXPECT_CALL(*dispatcher_, CreateQuicSession(_, _, _, _)).Times(0);
+    EXPECT_CALL(*time_wait_list_manager_,
+                SendVersionNegotiationPacket(_, _, _, _, _, _, _, _))
+        .Times(1);
+    dispatcher_->ProcessPacket(server_address_, client_address,
+                               received_packet44);
+  }
 }
 
 TEST_F(QuicDispatcherTest, VersionNegotiationProbeOld) {
@@ -1196,8 +1149,6 @@ TEST_F(QuicDispatcherTest, VersionNegotiationProbeEndToEnd) {
 
 TEST_F(QuicDispatcherTest, AndroidConformanceTestOld) {
   // TODO(b/139691956) Remove this test once the workaround is removed.
-  // This test requires the workaround behind this flag to pass.
-  SetQuicReloadableFlag(quic_reply_to_old_android_conformance_test, true);
   SavingWriter* saving_writer = new SavingWriter();
   // dispatcher_ takes ownership of saving_writer.
   QuicDispatcherPeer::UseWriter(dispatcher_.get(), saving_writer);
@@ -1242,63 +1193,9 @@ TEST_F(QuicDispatcherTest, AndroidConformanceTestOld) {
       sizeof(connection_id_bytes));
 }
 
-TEST_F(QuicDispatcherTest, AndroidConformanceTestNewWithWorkaround) {
-  // TODO(b/139691956) Remove this test once the workaround is removed.
-  // This test doesn't need the workaround but we make sure that it passes even
-  // when the flag is true, also see AndroidConformanceTest below.
-  SetQuicReloadableFlag(quic_reply_to_old_android_conformance_test, true);
-  SavingWriter* saving_writer = new SavingWriter();
-  // dispatcher_ takes ownership of saving_writer.
-  QuicDispatcherPeer::UseWriter(dispatcher_.get(), saving_writer);
-
-  QuicTimeWaitListManager* time_wait_list_manager = new QuicTimeWaitListManager(
-      saving_writer, dispatcher_.get(), mock_helper_.GetClock(),
-      &mock_alarm_factory_);
-  // dispatcher_ takes ownership of time_wait_list_manager.
-  QuicDispatcherPeer::SetTimeWaitListManager(dispatcher_.get(),
-                                             time_wait_list_manager);
-  // clang-format off
-  static const unsigned char packet[1200] = {
-    // Android UDP network conformance test packet as it was after this change:
-    // https://android-review.googlesource.com/c/platform/cts/+/1104285
-    0x0d,  // public flags: version, 8-byte connection ID, 1-byte packet number
-    0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78,  // 8-byte connection ID
-    0xaa, 0xda, 0xca, 0xaa,  // reserved-space version number
-    0x01,  // 1-byte packet number
-    0x00,  // private flags
-    0x07,  // PING frame
-  };
-  // clang-format on
-
-  QuicEncryptedPacket encrypted(reinterpret_cast<const char*>(packet),
-                                sizeof(packet), false);
-  std::unique_ptr<QuicReceivedPacket> received_packet(
-      ConstructReceivedPacket(encrypted, mock_helper_.GetClock()->Now()));
-  EXPECT_CALL(*dispatcher_, CreateQuicSession(_, _, _, _)).Times(0);
-
-  QuicSocketAddress client_address(QuicIpAddress::Loopback4(), 1);
-  dispatcher_->ProcessPacket(server_address_, client_address, *received_packet);
-  ASSERT_EQ(1u, saving_writer->packets()->size());
-
-  // The Android UDP network conformance test directly checks that bytes 1-9
-  // of the response match the connection ID that was sent.
-  static const char connection_id_bytes[] = {0x71, 0x72, 0x73, 0x74,
-                                             0x75, 0x76, 0x77, 0x78};
-  ASSERT_GE((*(saving_writer->packets()))[0]->length(),
-            1u + sizeof(connection_id_bytes));
-  test::CompareCharArraysWithHexError(
-      "response connection ID", &(*(saving_writer->packets()))[0]->data()[1],
-      sizeof(connection_id_bytes), connection_id_bytes,
-      sizeof(connection_id_bytes));
-}
-
 TEST_F(QuicDispatcherTest, AndroidConformanceTest) {
   // WARNING: do not remove or modify this test without making sure that we
   // still have adequate coverage for the Android conformance test.
-
-  // Set the flag to false to make sure this test passes even when the
-  // workaround is disabled.
-  SetQuicReloadableFlag(quic_reply_to_old_android_conformance_test, false);
   SavingWriter* saving_writer = new SavingWriter();
   // dispatcher_ takes ownership of saving_writer.
   QuicDispatcherPeer::UseWriter(dispatcher_.get(), saving_writer);
@@ -1345,7 +1242,6 @@ TEST_F(QuicDispatcherTest, AndroidConformanceTest) {
 }
 
 TEST_F(QuicDispatcherTest, DoNotProcessSmallPacket) {
-  SetQuicReloadableFlag(quic_donot_process_small_initial_packets, true);
   CreateTimeWaitListManager();
   QuicSocketAddress client_address(QuicIpAddress::Loopback4(), 1);
 
@@ -2161,8 +2057,8 @@ TEST_F(BufferedPacketStoreTest, ReceiveCHLOForBufferedConnection) {
       /*connection_id=*/TestConnectionId(1)));
 
   // CHLO on connection 1 should still be buffered.
-  ProcessPacket(client_addr_, /*connection_id=*/TestConnectionId(1), true,
-                SerializeFullCHLO());
+  ProcessPacket(client_addr_, /*server_connection_id=*/TestConnectionId(1),
+                true, SerializeFullCHLO());
   EXPECT_TRUE(store->HasChloForConnection(
       /*connection_id=*/TestConnectionId(1)));
 }
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_epoll_alarm_factory.h b/chromium/net/third_party/quiche/src/quic/core/quic_epoll_alarm_factory.h
index fc9b45c393f..5c04e3d4cd5 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_epoll_alarm_factory.h
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_epoll_alarm_factory.h
@@ -13,7 +13,7 @@
 namespace quic {
 
 // Creates alarms that use the supplied EpollServer for timing and firing.
-class QuicEpollAlarmFactory : public QuicAlarmFactory {
+class QUIC_EXPORT_PRIVATE QuicEpollAlarmFactory : public QuicAlarmFactory {
  public:
   explicit QuicEpollAlarmFactory(QuicEpollServer* eps);
   QuicEpollAlarmFactory(const QuicEpollAlarmFactory&) = delete;
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_epoll_connection_helper.h b/chromium/net/third_party/quiche/src/quic/core/quic_epoll_connection_helper.h
index 7041454f907..ce68cfbb756 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_epoll_connection_helper.h
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_epoll_connection_helper.h
@@ -27,7 +27,8 @@ class QuicRandom;
 
 enum class QuicAllocator { SIMPLE, BUFFER_POOL };
 
-class QuicEpollConnectionHelper : public QuicConnectionHelperInterface {
+class QUIC_EXPORT_PRIVATE QuicEpollConnectionHelper
+    : public QuicConnectionHelperInterface {
  public:
   QuicEpollConnectionHelper(QuicEpollServer* eps, QuicAllocator allocator);
   QuicEpollConnectionHelper(const QuicEpollConnectionHelper&) = delete;
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_error_codes.cc b/chromium/net/third_party/quiche/src/quic/core/quic_error_codes.cc
index b1e8ed298f9..ae17f099a96 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_error_codes.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_error_codes.cc
@@ -160,6 +160,11 @@ const char* QuicErrorCodeToString(QuicErrorCode error) {
         QUIC_WINDOW_UPDATE_RECEIVED_ON_READ_UNIDIRECTIONAL_STREAM);
     RETURN_STRING_LITERAL(QUIC_TOO_MANY_BUFFERED_CONTROL_FRAMES);
     RETURN_STRING_LITERAL(QUIC_TRANSPORT_INVALID_CLIENT_INDICATION);
+    RETURN_STRING_LITERAL(QUIC_QPACK_DECOMPRESSION_FAILED);
+    RETURN_STRING_LITERAL(QUIC_QPACK_ENCODER_STREAM_ERROR);
+    RETURN_STRING_LITERAL(QUIC_QPACK_DECODER_STREAM_ERROR);
+    RETURN_STRING_LITERAL(QUIC_STREAM_DATA_BEYOND_CLOSE_OFFSET);
+    RETURN_STRING_LITERAL(QUIC_STREAM_MULTIPLE_OFFSET);
 
     RETURN_STRING_LITERAL(QUIC_LAST_ERROR);
     // Intentionally have no default case, so we'll break the build
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_error_codes.h b/chromium/net/third_party/quiche/src/quic/core/quic_error_codes.h
index ce5c7216b31..b6c2d50ca5f 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_error_codes.h
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_error_codes.h
@@ -342,8 +342,19 @@ enum QuicErrorCode {
   // QuicTransport received invalid client indication.
   QUIC_TRANSPORT_INVALID_CLIENT_INDICATION = 125,
 
+  // Internal error codes for QPACK errors.
+  QUIC_QPACK_DECOMPRESSION_FAILED = 126,
+  QUIC_QPACK_ENCODER_STREAM_ERROR = 127,
+  QUIC_QPACK_DECODER_STREAM_ERROR = 128,
+
+  // Received stream data beyond close offset.
+  QUIC_STREAM_DATA_BEYOND_CLOSE_OFFSET = 129,
+
+  // Received multiple close offset.
+  QUIC_STREAM_MULTIPLE_OFFSET = 130,
+
   // No error. Used as bound while iterating.
-  QUIC_LAST_ERROR = 126,
+  QUIC_LAST_ERROR = 131,
 };
 // QuicErrorCodes is encoded as four octets on-the-wire when doing Google QUIC,
 // or a varint62 when doing IETF QUIC. Ensure that its value does not exceed
@@ -357,7 +368,15 @@ QUIC_EXPORT_PRIVATE const char* QuicRstStreamErrorCodeToString(
     QuicRstStreamErrorCode error);
 
 // Returns the name of the QuicErrorCode as a char*
-QUIC_EXPORT const char* QuicErrorCodeToString(QuicErrorCode error);
+QUIC_EXPORT_PRIVATE const char* QuicErrorCodeToString(QuicErrorCode error);
+
+// Wire values for QPACK errors.
+// https://quicwg.org/base-drafts/draft-ietf-quic-qpack.html#error-code-registration
+enum QuicHttpQpackErrorCode {
+  IETF_QUIC_HTTP_QPACK_DECOMPRESSION_FAILED = 0x200,
+  IETF_QUIC_HTTP_QPACK_ENCODER_STREAM_ERROR = 0x201,
+  IETF_QUIC_HTTP_QPACK_DECODER_STREAM_ERROR = 0x202
+};
 
 QUIC_EXPORT_PRIVATE inline std::string HistogramEnumString(
     QuicErrorCode enum_value) {
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_framer.cc b/chromium/net/third_party/quiche/src/quic/core/quic_framer.cc
index 2d4d4a5af82..c5708b94995 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_framer.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_framer.cc
@@ -148,14 +148,6 @@ uint64_t ClosestTo(uint64_t target, uint64_t a, uint64_t b) {
   return (Delta(target, a) < Delta(target, b)) ? a : b;
 }
 
-uint64_t PacketNumberIntervalLength(
-    const QuicInterval<QuicPacketNumber>& interval) {
-  if (interval.Empty()) {
-    return 0u;
-  }
-  return interval.max() - interval.min();
-}
-
 QuicPacketNumberLength ReadSequenceNumberLength(uint8_t flags) {
   switch (flags & PACKET_FLAGS_8BYTE_PACKET) {
     case PACKET_FLAGS_8BYTE_PACKET:
@@ -424,22 +416,12 @@ QuicFramer::QuicFramer(const ParsedQuicVersionVector& supported_versions,
           expected_server_connection_id_length),
       expected_client_connection_id_length_(0),
       supports_multiple_packet_number_spaces_(false),
-      framer_doesnt_create_initial_encrypter_(
-          GetQuicReloadableFlag(quic_framer_doesnt_create_initial_encrypter)),
       last_written_packet_number_length_(0),
       peer_ack_delay_exponent_(kDefaultAckDelayExponent),
       local_ack_delay_exponent_(kDefaultAckDelayExponent),
       current_received_frame_type_(0) {
   DCHECK(!supported_versions.empty());
   version_ = supported_versions_[0];
-  if (!framer_doesnt_create_initial_encrypter_) {
-    decrypter_[ENCRYPTION_INITIAL] =
-        std::make_unique<NullDecrypter>(perspective);
-    encrypter_[ENCRYPTION_INITIAL] =
-        std::make_unique<NullEncrypter>(perspective);
-  } else {
-    QUIC_RELOADABLE_FLAG_COUNT(quic_framer_doesnt_create_initial_encrypter);
-  }
 }
 
 QuicFramer::~QuicFramer() {}
@@ -449,7 +431,7 @@ size_t QuicFramer::GetMinStreamFrameSize(QuicTransportVersion version,
                                          QuicStreamId stream_id,
                                          QuicStreamOffset offset,
                                          bool last_frame_in_packet,
-                                         QuicPacketLength data_length) {
+                                         size_t data_length) {
   if (VersionHasIetfQuicFrames(version)) {
     return kQuicFrameTypeSize + QuicDataWriter::GetVarInt62Len(stream_id) +
            (last_frame_in_packet
@@ -564,13 +546,11 @@ size_t QuicFramer::GetWindowUpdateFrameSize(
   }
   if (frame.stream_id == QuicUtils::GetInvalidStreamId(version)) {
     // Frame would be a MAX DATA frame, which has only a Maximum Data field.
-    return kQuicFrameTypeSize +
-           QuicDataWriter::GetVarInt62Len(frame.byte_offset);
+    return kQuicFrameTypeSize + QuicDataWriter::GetVarInt62Len(frame.max_data);
   }
   // Frame would be MAX STREAM DATA, has Maximum Stream Data and Stream ID
   // fields.
-  return kQuicFrameTypeSize +
-         QuicDataWriter::GetVarInt62Len(frame.byte_offset) +
+  return kQuicFrameTypeSize + QuicDataWriter::GetVarInt62Len(frame.max_data) +
          QuicDataWriter::GetVarInt62Len(frame.stream_id);
 }
 
@@ -1275,33 +1255,26 @@ std::unique_ptr<QuicEncryptedPacket> QuicFramer::BuildVersionNegotiationPacket(
     bool use_length_prefix,
     const ParsedQuicVersionVector& versions) {
   ParsedQuicVersionVector wire_versions = versions;
-  if (!GetQuicReloadableFlag(quic_version_negotiation_grease)) {
-    if (wire_versions.empty()) {
-      wire_versions = {QuicVersionReservedForNegotiation()};
-    }
+  // Add a version reserved for negotiation as suggested by the
+  // "Using Reserved Versions" section of draft-ietf-quic-transport.
+  if (wire_versions.empty()) {
+    // Ensure that version negotiation packets we send have at least two
+    // versions. This guarantees that, under all circumstances, all QUIC
+    // packets we send are at least 14 bytes long.
+    wire_versions = {QuicVersionReservedForNegotiation(),
+                     QuicVersionReservedForNegotiation()};
   } else {
-    // Add a version reserved for negotiation as suggested by the
-    // "Using Reserved Versions" section of draft-ietf-quic-transport.
-    QUIC_RELOADABLE_FLAG_COUNT_N(quic_version_negotiation_grease, 1, 2);
-    if (wire_versions.empty()) {
-      // Ensure that version negotiation packets we send have at least two
-      // versions. This guarantees that, under all circumstances, all QUIC
-      // packets we send are at least 14 bytes long.
-      wire_versions = {QuicVersionReservedForNegotiation(),
-                       QuicVersionReservedForNegotiation()};
-    } else {
-      // This is not uniformely distributed but is acceptable since no security
-      // depends on this randomness.
-      size_t version_index = 0;
-      const bool disable_randomness =
-          GetQuicFlag(FLAGS_quic_disable_version_negotiation_grease_randomness);
-      if (!disable_randomness) {
-        version_index = QuicRandom::GetInstance()->RandUint64() %
-                        (wire_versions.size() + 1);
-      }
-      wire_versions.insert(wire_versions.begin() + version_index,
-                           QuicVersionReservedForNegotiation());
-    }
+    // This is not uniformely distributed but is acceptable since no security
+    // depends on this randomness.
+    size_t version_index = 0;
+    const bool disable_randomness =
+        GetQuicFlag(FLAGS_quic_disable_version_negotiation_grease_randomness);
+    if (!disable_randomness) {
+      version_index =
+          QuicRandom::GetInstance()->RandUint64() % (wire_versions.size() + 1);
+    }
+    wire_versions.insert(wire_versions.begin() + version_index,
+                         QuicVersionReservedForNegotiation());
   }
   if (ietf_quic) {
     return BuildIetfVersionNegotiationPacket(
@@ -1322,7 +1295,6 @@ std::unique_ptr<QuicEncryptedPacket> QuicFramer::BuildVersionNegotiationPacket(
 
   uint8_t flags = static_cast<uint8_t>(
       PACKET_PUBLIC_FLAGS_VERSION | PACKET_PUBLIC_FLAGS_8BYTE_CONNECTION_ID |
-      // TODO(rch): Remove this QUIC_VERSION_32 is retired.
       PACKET_PUBLIC_FLAGS_8BYTE_CONNECTION_ID_OLD);
   if (!writer.WriteUInt8(flags)) {
     return nullptr;
@@ -1699,12 +1671,11 @@ bool QuicFramer::ProcessIetfDataPacket(QuicDataReader* encrypted_reader,
         return true;
       }
       if (hp_removal_failed) {
-          const EncryptionLevel decryption_level = GetEncryptionLevel(*header);
-          const bool has_decryption_key =
-              decrypter_[decryption_level] != nullptr;
-          visitor_->OnUndecryptablePacket(
-              QuicEncryptedPacket(encrypted_reader->FullPayload()),
-              decryption_level, has_decryption_key);
+        const EncryptionLevel decryption_level = GetEncryptionLevel(*header);
+        const bool has_decryption_key = decrypter_[decryption_level] != nullptr;
+        visitor_->OnUndecryptablePacket(
+            QuicEncryptedPacket(encrypted_reader->FullPayload()),
+            decryption_level, has_decryption_key);
         set_detailed_error("Unable to decrypt header protection.");
         return RaiseError(QUIC_DECRYPTION_FAILURE);
       }
@@ -1763,12 +1734,12 @@ bool QuicFramer::ProcessIetfDataPacket(QuicDataReader* encrypted_reader,
       visitor_->OnAuthenticatedIetfStatelessResetPacket(packet);
       return true;
     }
-      const EncryptionLevel decryption_level = GetEncryptionLevel(*header);
-      const bool has_decryption_key = version_.KnowsWhichDecrypterToUse() &&
-                                      decrypter_[decryption_level] != nullptr;
-      visitor_->OnUndecryptablePacket(
-          QuicEncryptedPacket(encrypted_reader->FullPayload()),
-          decryption_level, has_decryption_key);
+    const EncryptionLevel decryption_level = GetEncryptionLevel(*header);
+    const bool has_decryption_key = version_.KnowsWhichDecrypterToUse() &&
+                                    decrypter_[decryption_level] != nullptr;
+    visitor_->OnUndecryptablePacket(
+        QuicEncryptedPacket(encrypted_reader->FullPayload()), decryption_level,
+        has_decryption_key);
     set_detailed_error("Unable to decrypt payload.");
     RecordDroppedPacketReason(DroppedPacketReason::DECRYPTION_FAILURE);
     return RaiseError(QUIC_DECRYPTION_FAILURE);
@@ -1850,13 +1821,13 @@ bool QuicFramer::ProcessDataPacket(QuicDataReader* encrypted_reader,
   EncryptionLevel decrypted_level;
   if (!DecryptPayload(encrypted, associated_data, *header, decrypted_buffer,
                       buffer_length, &decrypted_length, &decrypted_level)) {
-      const EncryptionLevel decryption_level = decrypter_level_;
-      // This version uses trial decryption so we always report to our visitor
-      // that we are not certain we have the correct decryption key.
-      const bool has_decryption_key = false;
-      visitor_->OnUndecryptablePacket(
-          QuicEncryptedPacket(encrypted_reader->FullPayload()),
-          decryption_level, has_decryption_key);
+    const EncryptionLevel decryption_level = decrypter_level_;
+    // This version uses trial decryption so we always report to our visitor
+    // that we are not certain we have the correct decryption key.
+    const bool has_decryption_key = false;
+    visitor_->OnUndecryptablePacket(
+        QuicEncryptedPacket(encrypted_reader->FullPayload()), decryption_level,
+        has_decryption_key);
     RecordDroppedPacketReason(DroppedPacketReason::DECRYPTION_FAILURE);
     set_detailed_error("Unable to decrypt payload.");
     return RaiseError(QUIC_DECRYPTION_FAILURE);
@@ -1904,7 +1875,7 @@ bool QuicFramer::ProcessPublicResetPacket(QuicDataReader* reader,
 
   std::unique_ptr<CryptoHandshakeMessage> reset(
       CryptoFramer::ParseMessage(reader->ReadRemainingPayload()));
-  if (!reset.get()) {
+  if (!reset) {
     set_detailed_error("Unable to read reset message.");
     RecordDroppedPacketReason(DroppedPacketReason::INVALID_PUBLIC_RESET_PACKET);
     return RaiseError(QUIC_INVALID_PUBLIC_RST_PACKET);
@@ -2346,7 +2317,7 @@ QuicFramer::AckFrameInfo QuicFramer::GetAckFrameInfo(
   new_ack_info.first_block_length = frame.packets.LastIntervalLength();
   auto itr = frame.packets.rbegin();
   QuicPacketNumber previous_start = itr->min();
-  new_ack_info.max_block_length = PacketNumberIntervalLength(*itr);
+  new_ack_info.max_block_length = itr->Length();
   ++itr;
 
   // Don't do any more work after getting information for 256 ACK blocks; any
@@ -2359,8 +2330,8 @@ QuicFramer::AckFrameInfo QuicFramer::GetAckFrameInfo(
     new_ack_info.num_ack_blocks +=
         (total_gap + std::numeric_limits<uint8_t>::max() - 1) /
         std::numeric_limits<uint8_t>::max();
-    new_ack_info.max_block_length = std::max(
-        new_ack_info.max_block_length, PacketNumberIntervalLength(interval));
+    new_ack_info.max_block_length =
+        std::max(new_ack_info.max_block_length, interval.Length());
   }
   return new_ack_info;
 }
@@ -3246,12 +3217,12 @@ bool QuicFramer::ProcessIetfFrameData(QuicDataReader* reader,
           }
           break;
         }
-        case IETF_EXTENSION_MESSAGE_NO_LENGTH:
+        case IETF_EXTENSION_MESSAGE_NO_LENGTH_V99:
           QUIC_FALLTHROUGH_INTENDED;
-        case IETF_EXTENSION_MESSAGE: {
+        case IETF_EXTENSION_MESSAGE_V99: {
           QuicMessageFrame message_frame;
           if (!ProcessMessageFrame(
-                  reader, frame_type == IETF_EXTENSION_MESSAGE_NO_LENGTH,
+                  reader, frame_type == IETF_EXTENSION_MESSAGE_NO_LENGTH_V99,
                   &message_frame)) {
             return RaiseError(QUIC_INVALID_MESSAGE_DATA);
           }
@@ -3685,7 +3656,7 @@ bool QuicFramer::ProcessIetfAckFrame(QuicDataReader* reader,
     return false;
   }
 
-  if (ack_delay_time_in_us == kVarInt62MaxValue) {
+  if (ack_delay_time_in_us >= (kVarInt62MaxValue >> peer_ack_delay_exponent_)) {
     ack_frame->ack_delay_time = QuicTime::Delta::Infinite();
   } else {
     ack_delay_time_in_us = (ack_delay_time_in_us << peer_ack_delay_exponent_);
@@ -3941,7 +3912,7 @@ bool QuicFramer::ProcessWindowUpdateFrame(QuicDataReader* reader,
     return false;
   }
 
-  if (!reader->ReadUInt64(&frame->byte_offset)) {
+  if (!reader->ReadUInt64(&frame->max_data)) {
     set_detailed_error("Unable to read window byte_offset.");
     return false;
   }
@@ -5190,8 +5161,8 @@ bool QuicFramer::AppendAckFrameAndTypeByte(const QuicAckFrame& frame,
           total_gap -
           (num_encoded_gaps - 1) * std::numeric_limits<uint8_t>::max();
       // Append the final ACK block with a non-empty size.
-      if (!AppendAckBlock(last_gap, ack_block_length,
-                          PacketNumberIntervalLength(interval), writer)) {
+      if (!AppendAckBlock(last_gap, ack_block_length, interval.Length(),
+                          writer)) {
         return false;
       }
       ++num_ack_blocks_written;
@@ -5541,7 +5512,7 @@ bool QuicFramer::AppendWindowUpdateFrame(const QuicWindowUpdateFrame& frame,
   if (!writer->WriteUInt32(stream_id)) {
     return false;
   }
-  if (!writer->WriteUInt64(frame.byte_offset)) {
+  if (!writer->WriteUInt64(frame.max_data)) {
     return false;
   }
   return true;
@@ -5579,8 +5550,14 @@ bool QuicFramer::AppendPaddingFrame(const QuicPaddingFrame& frame,
 bool QuicFramer::AppendMessageFrameAndTypeByte(const QuicMessageFrame& frame,
                                                bool last_frame_in_packet,
                                                QuicDataWriter* writer) {
-  uint8_t type_byte = last_frame_in_packet ? IETF_EXTENSION_MESSAGE_NO_LENGTH
-                                           : IETF_EXTENSION_MESSAGE;
+  uint8_t type_byte;
+  if (VersionHasIetfQuicFrames(version_.transport_version)) {
+    type_byte = last_frame_in_packet ? IETF_EXTENSION_MESSAGE_NO_LENGTH_V99
+                                     : IETF_EXTENSION_MESSAGE_V99;
+  } else {
+    type_byte = last_frame_in_packet ? IETF_EXTENSION_MESSAGE_NO_LENGTH
+                                     : IETF_EXTENSION_MESSAGE;
+  }
   if (!writer->WriteUInt8(type_byte)) {
     return false;
   }
@@ -5840,7 +5817,7 @@ bool QuicFramer::AppendStopSendingFrame(
 // Append/process IETF-Format MAX_DATA Frame
 bool QuicFramer::AppendMaxDataFrame(const QuicWindowUpdateFrame& frame,
                                     QuicDataWriter* writer) {
-  if (!writer->WriteVarInt62(frame.byte_offset)) {
+  if (!writer->WriteVarInt62(frame.max_data)) {
     set_detailed_error("Can not write MAX_DATA byte-offset");
     return false;
   }
@@ -5850,7 +5827,7 @@ bool QuicFramer::AppendMaxDataFrame(const QuicWindowUpdateFrame& frame,
 bool QuicFramer::ProcessMaxDataFrame(QuicDataReader* reader,
                                      QuicWindowUpdateFrame* frame) {
   frame->stream_id = QuicUtils::GetInvalidStreamId(transport_version());
-  if (!reader->ReadVarInt62(&frame->byte_offset)) {
+  if (!reader->ReadVarInt62(&frame->max_data)) {
     set_detailed_error("Can not read MAX_DATA byte-offset");
     return false;
   }
@@ -5864,7 +5841,7 @@ bool QuicFramer::AppendMaxStreamDataFrame(const QuicWindowUpdateFrame& frame,
     set_detailed_error("Can not write MAX_STREAM_DATA stream id");
     return false;
   }
-  if (!writer->WriteVarInt62(frame.byte_offset)) {
+  if (!writer->WriteVarInt62(frame.max_data)) {
     set_detailed_error("Can not write MAX_STREAM_DATA byte-offset");
     return false;
   }
@@ -5877,7 +5854,7 @@ bool QuicFramer::ProcessMaxStreamDataFrame(QuicDataReader* reader,
     set_detailed_error("Can not read MAX_STREAM_DATA stream id");
     return false;
   }
-  if (!reader->ReadVarInt62(&frame->byte_offset)) {
+  if (!reader->ReadVarInt62(&frame->max_data)) {
     set_detailed_error("Can not read MAX_STREAM_DATA byte-count");
     return false;
   }
@@ -6256,9 +6233,7 @@ inline bool ParseLongHeaderConnectionIds(
       return false;
     }
     if (!reader->ReadLengthPrefixedConnectionId(source_connection_id)) {
-      if (GetQuicReloadableFlag(quic_parse_prox_source_connection_id) &&
-          version_label == kProxVersionLabel) {
-        QUIC_RELOADABLE_FLAG_COUNT(quic_parse_prox_source_connection_id);
+      if (version_label == kProxVersionLabel) {
         // The "PROX" version does not follow the length-prefixed invariants,
         // and can therefore attempt to read a payload byte and interpret it
         // as the source connection ID length, which could fail to parse.
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_framer.h b/chromium/net/third_party/quiche/src/quic/core/quic_framer.h
index 65a0b3becb3..cd2e2c7c438 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_framer.h
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_framer.h
@@ -288,7 +288,7 @@ class QUIC_EXPORT_PRIVATE QuicFramer {
                                       QuicStreamId stream_id,
                                       QuicStreamOffset offset,
                                       bool last_frame_in_packet,
-                                      QuicPacketLength data_length);
+                                      size_t data_length);
   // Returns the overhead of framing a CRYPTO frame with the specific offset and
   // data length provided, but not counting the size of the data payload.
   static size_t GetMinCryptoFrameSize(QuicStreamOffset offset,
@@ -636,16 +636,12 @@ class QUIC_EXPORT_PRIVATE QuicFramer {
   }
   uint32_t peer_ack_delay_exponent() const { return peer_ack_delay_exponent_; }
 
-  bool framer_doesnt_create_initial_encrypter() const {
-    return framer_doesnt_create_initial_encrypter_;
-  }
-
  private:
   friend class test::QuicFramerPeer;
 
   typedef std::map<QuicPacketNumber, uint8_t> NackRangeMap;
 
-  struct AckFrameInfo {
+  struct QUIC_EXPORT_PRIVATE AckFrameInfo {
     AckFrameInfo();
     AckFrameInfo(const AckFrameInfo& other);
     ~AckFrameInfo();
@@ -1056,10 +1052,6 @@ class QUIC_EXPORT_PRIVATE QuicFramer {
   // Indicates whether this framer supports multiple packet number spaces.
   bool supports_multiple_packet_number_spaces_;
 
-  // Latched value of reloadable flag
-  // quic_framer_doesnt_create_initial_encrypter.
-  const bool framer_doesnt_create_initial_encrypter_;
-
   // The length in bytes of the last packet number written to an IETF-framed
   // packet.
   size_t last_written_packet_number_length_;
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_framer_test.cc b/chromium/net/third_party/quiche/src/quic/core/quic_framer_test.cc
index 8aa96152875..ff9653d3827 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_framer_test.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_framer_test.cc
@@ -365,9 +365,9 @@ class TestQuicVisitor : public QuicFramerVisitorInterface {
     message_frames_.push_back(
         std::make_unique<QuicMessageFrame>(frame.data, frame.message_length));
     if (VersionHasIetfQuicFrames(transport_version_)) {
-      EXPECT_TRUE(IETF_EXTENSION_MESSAGE_NO_LENGTH ==
+      EXPECT_TRUE(IETF_EXTENSION_MESSAGE_NO_LENGTH_V99 ==
                       framer_->current_received_frame_type() ||
-                  IETF_EXTENSION_MESSAGE ==
+                  IETF_EXTENSION_MESSAGE_V99 ==
                       framer_->current_received_frame_type());
     } else {
       EXPECT_EQ(0u, framer_->current_received_frame_type());
@@ -929,7 +929,7 @@ TEST_P(QuicFramerTest, EmptyPacket) {
   char packet[] = {0x00};
   QuicEncryptedPacket encrypted(packet, 0, false);
   EXPECT_FALSE(framer_.ProcessPacket(encrypted));
-  EXPECT_EQ(QUIC_INVALID_PACKET_HEADER, framer_.error());
+  EXPECT_THAT(framer_.error(), IsError(QUIC_INVALID_PACKET_HEADER));
 }
 
 TEST_P(QuicFramerTest, LargePacket) {
@@ -977,7 +977,7 @@ TEST_P(QuicFramerTest, LargePacket) {
   EXPECT_EQ(FramerTestConnectionId(),
             visitor_.header_->destination_connection_id);
   // Make sure the correct error is propagated.
-  EXPECT_EQ(QUIC_PACKET_TOO_LARGE, framer_.error());
+  EXPECT_THAT(framer_.error(), IsError(QUIC_PACKET_TOO_LARGE));
   EXPECT_EQ("Packet too large.", framer_.detailed_error());
 }
 
@@ -1006,7 +1006,7 @@ TEST_P(QuicFramerTest, PacketHeader) {
       AssemblePacketFromFragments(fragments));
 
   EXPECT_FALSE(framer_.ProcessPacket(*encrypted));
-  EXPECT_EQ(QUIC_MISSING_PAYLOAD, framer_.error());
+  EXPECT_THAT(framer_.error(), IsError(QUIC_MISSING_PAYLOAD));
   ASSERT_TRUE(visitor_.header_.get());
   EXPECT_EQ(FramerTestConnectionId(),
             visitor_.header_->destination_connection_id);
@@ -1032,7 +1032,7 @@ TEST_P(QuicFramerTest, PacketHeader) {
       &retry_token, &detailed_error);
   EXPECT_FALSE(retry_token_present);
   EXPECT_FALSE(use_length_prefix);
-  EXPECT_EQ(QUIC_NO_ERROR, error_code);
+  EXPECT_THAT(error_code, IsQuicNoError());
   EXPECT_EQ(GOOGLE_QUIC_PACKET, format);
   EXPECT_FALSE(version_flag);
   EXPECT_EQ(kQuicDefaultConnectionIdLength, destination_connection_id.length());
@@ -1071,7 +1071,7 @@ TEST_P(QuicFramerTest, LongPacketHeader) {
       AssemblePacketFromFragments(packet46));
 
   EXPECT_FALSE(framer_.ProcessPacket(*encrypted));
-  EXPECT_EQ(QUIC_MISSING_PAYLOAD, framer_.error());
+  EXPECT_THAT(framer_.error(), IsError(QUIC_MISSING_PAYLOAD));
   ASSERT_TRUE(visitor_.header_.get());
   EXPECT_EQ(FramerTestConnectionId(),
             visitor_.header_->destination_connection_id);
@@ -1095,7 +1095,7 @@ TEST_P(QuicFramerTest, LongPacketHeader) {
       &version_flag, &use_length_prefix, &version_label, &parsed_version,
       &destination_connection_id, &source_connection_id, &retry_token_present,
       &retry_token, &detailed_error);
-  EXPECT_EQ(QUIC_NO_ERROR, error_code);
+  EXPECT_THAT(error_code, IsQuicNoError());
   EXPECT_EQ("", detailed_error);
   EXPECT_FALSE(retry_token_present);
   EXPECT_FALSE(use_length_prefix);
@@ -1175,7 +1175,7 @@ TEST_P(QuicFramerTest, LongPacketHeaderWithBothConnectionIds) {
       &version_flag, &use_length_prefix, &version_label, &parsed_version,
       &destination_connection_id, &source_connection_id, &retry_token_present,
       &retry_token, &detailed_error);
-  EXPECT_EQ(QUIC_NO_ERROR, error_code);
+  EXPECT_THAT(error_code, IsQuicNoError());
   EXPECT_FALSE(retry_token_present);
   EXPECT_EQ(framer_.version().HasLengthPrefixedConnectionIds(),
             use_length_prefix);
@@ -1270,7 +1270,7 @@ TEST_P(QuicFramerTest, ParsePublicHeader) {
       &parsed_version, &destination_connection_id, &source_connection_id,
       &long_packet_type, &retry_token_length_length, &retry_token,
       &detailed_error);
-  EXPECT_EQ(QUIC_NO_ERROR, parse_error);
+  EXPECT_THAT(parse_error, IsQuicNoError());
   EXPECT_EQ("", detailed_error);
   EXPECT_EQ(p[0], first_byte);
   EXPECT_TRUE(version_present);
@@ -1294,7 +1294,6 @@ TEST_P(QuicFramerTest, ParsePublicHeaderProxBadSourceConnectionIdLength) {
   if (!framer_.version().HasLengthPrefixedConnectionIds()) {
     return;
   }
-  SetQuicReloadableFlag(quic_parse_prox_source_connection_id, true);
   // clang-format off
   unsigned char packet[] = {
     // public flags (long header with packet type HANDSHAKE and
@@ -1339,7 +1338,7 @@ TEST_P(QuicFramerTest, ParsePublicHeaderProxBadSourceConnectionIdLength) {
       &has_length_prefix, &version_label, &parsed_version,
       &destination_connection_id, &source_connection_id, &long_packet_type,
       &retry_token_length_length, &retry_token, &detailed_error);
-  EXPECT_EQ(QUIC_NO_ERROR, parse_error);
+  EXPECT_THAT(parse_error, IsQuicNoError());
   EXPECT_EQ("", detailed_error);
   EXPECT_EQ(p[0], first_byte);
   EXPECT_TRUE(version_present);
@@ -1376,7 +1375,7 @@ TEST_P(QuicFramerTest, ClientConnectionIdFromShortHeaderToClient) {
   // clang-format on
   QuicEncryptedPacket encrypted(AsChars(packet), QUIC_ARRAYSIZE(packet), false);
   EXPECT_TRUE(framer_.ProcessPacket(encrypted));
-  EXPECT_EQ(QUIC_NO_ERROR, framer_.error());
+  EXPECT_THAT(framer_.error(), IsQuicNoError());
   EXPECT_EQ("", framer_.detailed_error());
   ASSERT_TRUE(visitor_.header_.get());
   EXPECT_EQ(FramerTestConnectionId(),
@@ -1410,7 +1409,7 @@ TEST_P(QuicFramerTest, ClientConnectionIdFromShortHeaderToServer) {
   // clang-format on
   QuicEncryptedPacket encrypted(AsChars(packet), QUIC_ARRAYSIZE(packet), false);
   EXPECT_TRUE(framer_.ProcessPacket(encrypted));
-  EXPECT_EQ(QUIC_NO_ERROR, framer_.error());
+  EXPECT_THAT(framer_.error(), IsQuicNoError());
   EXPECT_EQ("", framer_.detailed_error());
   ASSERT_TRUE(visitor_.header_.get());
   EXPECT_EQ(FramerTestConnectionId(),
@@ -1464,7 +1463,7 @@ TEST_P(QuicFramerTest, PacketHeaderWith0ByteConnectionId) {
   std::unique_ptr<QuicEncryptedPacket> encrypted(
       AssemblePacketFromFragments(fragments));
   EXPECT_FALSE(framer_.ProcessPacket(*encrypted));
-  EXPECT_EQ(QUIC_MISSING_PAYLOAD, framer_.error());
+  EXPECT_THAT(framer_.error(), IsError(QUIC_MISSING_PAYLOAD));
   ASSERT_TRUE(visitor_.header_.get());
   EXPECT_EQ(FramerTestConnectionId(), visitor_.header_->source_connection_id);
   EXPECT_FALSE(visitor_.header_->reset_flag);
@@ -1545,7 +1544,7 @@ TEST_P(QuicFramerTest, PacketHeaderWithVersionFlag) {
   std::unique_ptr<QuicEncryptedPacket> encrypted(
       AssemblePacketFromFragments(fragments));
   EXPECT_FALSE(framer_.ProcessPacket(*encrypted));
-  EXPECT_EQ(QUIC_MISSING_PAYLOAD, framer_.error());
+  EXPECT_THAT(framer_.error(), IsError(QUIC_MISSING_PAYLOAD));
   ASSERT_TRUE(visitor_.header_.get());
   EXPECT_EQ(FramerTestConnectionId(),
             visitor_.header_->destination_connection_id);
@@ -1607,7 +1606,7 @@ TEST_P(QuicFramerTest, PacketHeaderWith4BytePacketNumber) {
   std::unique_ptr<QuicEncryptedPacket> encrypted(
       AssemblePacketFromFragments(fragments));
   EXPECT_FALSE(framer_.ProcessPacket(*encrypted));
-  EXPECT_EQ(QUIC_MISSING_PAYLOAD, framer_.error());
+  EXPECT_THAT(framer_.error(), IsError(QUIC_MISSING_PAYLOAD));
   ASSERT_TRUE(visitor_.header_.get());
   EXPECT_EQ(FramerTestConnectionId(),
             visitor_.header_->destination_connection_id);
@@ -1671,10 +1670,10 @@ TEST_P(QuicFramerTest, PacketHeaderWith2BytePacketNumber) {
       AssemblePacketFromFragments(fragments));
   if (framer_.version().HasHeaderProtection()) {
     EXPECT_TRUE(framer_.ProcessPacket(*encrypted));
-    EXPECT_EQ(QUIC_NO_ERROR, framer_.error());
+    EXPECT_THAT(framer_.error(), IsQuicNoError());
   } else {
     EXPECT_FALSE(framer_.ProcessPacket(*encrypted));
-    EXPECT_EQ(QUIC_MISSING_PAYLOAD, framer_.error());
+    EXPECT_THAT(framer_.error(), IsError(QUIC_MISSING_PAYLOAD));
   }
   ASSERT_TRUE(visitor_.header_.get());
   EXPECT_EQ(FramerTestConnectionId(),
@@ -1741,10 +1740,10 @@ TEST_P(QuicFramerTest, PacketHeaderWith1BytePacketNumber) {
       AssemblePacketFromFragments(fragments));
   if (framer_.version().HasHeaderProtection()) {
     EXPECT_TRUE(framer_.ProcessPacket(*encrypted));
-    EXPECT_EQ(QUIC_NO_ERROR, framer_.error());
+    EXPECT_THAT(framer_.error(), IsQuicNoError());
   } else {
     EXPECT_FALSE(framer_.ProcessPacket(*encrypted));
-    EXPECT_EQ(QUIC_MISSING_PAYLOAD, framer_.error());
+    EXPECT_THAT(framer_.error(), IsError(QUIC_MISSING_PAYLOAD));
   }
   ASSERT_TRUE(visitor_.header_.get());
   EXPECT_EQ(FramerTestConnectionId(),
@@ -1986,7 +1985,7 @@ TEST_P(QuicFramerTest, LargePublicFlagWithMismatchedVersions) {
   }
   QuicEncryptedPacket encrypted(AsChars(p), p_size, false);
   EXPECT_TRUE(framer_.ProcessPacket(encrypted));
-  EXPECT_EQ(QUIC_NO_ERROR, framer_.error());
+  EXPECT_THAT(framer_.error(), IsQuicNoError());
   ASSERT_TRUE(visitor_.header_.get());
   EXPECT_EQ(0, visitor_.frame_count_);
   EXPECT_EQ(1, visitor_.version_mismatch_);
@@ -2090,7 +2089,7 @@ TEST_P(QuicFramerTest, PaddingFrame) {
 
   QuicEncryptedPacket encrypted(AsChars(p), p_size, false);
   EXPECT_TRUE(framer_.ProcessPacket(encrypted));
-  EXPECT_EQ(QUIC_NO_ERROR, framer_.error());
+  EXPECT_THAT(framer_.error(), IsQuicNoError());
   ASSERT_TRUE(visitor_.header_.get());
   EXPECT_TRUE(CheckDecryption(
       encrypted, !kIncludeVersion, !kIncludeDiversificationNonce,
@@ -2210,7 +2209,7 @@ TEST_P(QuicFramerTest, StreamFrame) {
       AssemblePacketFromFragments(fragments));
   EXPECT_TRUE(framer_.ProcessPacket(*encrypted));
 
-  EXPECT_EQ(QUIC_NO_ERROR, framer_.error());
+  EXPECT_THAT(framer_.error(), IsQuicNoError());
   ASSERT_TRUE(visitor_.header_.get());
   EXPECT_TRUE(CheckDecryption(
       *encrypted, !kIncludeVersion, !kIncludeDiversificationNonce,
@@ -2265,7 +2264,7 @@ TEST_P(QuicFramerTest, EmptyStreamFrame) {
       AssemblePacketFromFragments(packet));
   EXPECT_TRUE(framer_.ProcessPacket(*encrypted));
 
-  EXPECT_EQ(QUIC_NO_ERROR, framer_.error());
+  EXPECT_THAT(framer_.error(), IsQuicNoError());
   ASSERT_TRUE(visitor_.header_.get());
   EXPECT_TRUE(CheckDecryption(
       *encrypted, !kIncludeVersion, !kIncludeDiversificationNonce,
@@ -2360,14 +2359,14 @@ TEST_P(QuicFramerTest, MissingDiversificationNonce) {
   QuicEncryptedPacket encrypted(AsChars(p), p_length, false);
   EXPECT_FALSE(framer_.ProcessPacket(encrypted));
   if (framer_.version().HasHeaderProtection()) {
-    EXPECT_EQ(QUIC_DECRYPTION_FAILURE, framer_.error());
+    EXPECT_THAT(framer_.error(), IsError(QUIC_DECRYPTION_FAILURE));
     EXPECT_EQ("Unable to decrypt header protection.", framer_.detailed_error());
   } else if (framer_.transport_version() >= QUIC_VERSION_46) {
     // Cannot read diversification nonce.
-    EXPECT_EQ(QUIC_INVALID_PACKET_HEADER, framer_.error());
+    EXPECT_THAT(framer_.error(), IsError(QUIC_INVALID_PACKET_HEADER));
     EXPECT_EQ("Unable to read nonce.", framer_.detailed_error());
   } else {
-    EXPECT_EQ(QUIC_DECRYPTION_FAILURE, framer_.error());
+    EXPECT_THAT(framer_.error(), IsError(QUIC_DECRYPTION_FAILURE));
   }
 }
 
@@ -2413,7 +2412,7 @@ TEST_P(QuicFramerTest, StreamFrame3ByteStreamId) {
       AssemblePacketFromFragments(fragments));
   EXPECT_TRUE(framer_.ProcessPacket(*encrypted));
 
-  EXPECT_EQ(QUIC_NO_ERROR, framer_.error());
+  EXPECT_THAT(framer_.error(), IsQuicNoError());
   ASSERT_TRUE(visitor_.header_.get());
   EXPECT_TRUE(CheckDecryption(
       *encrypted, !kIncludeVersion, !kIncludeDiversificationNonce,
@@ -2533,7 +2532,7 @@ TEST_P(QuicFramerTest, StreamFrame2ByteStreamId) {
       AssemblePacketFromFragments(fragments));
   EXPECT_TRUE(framer_.ProcessPacket(*encrypted));
 
-  EXPECT_EQ(QUIC_NO_ERROR, framer_.error());
+  EXPECT_THAT(framer_.error(), IsQuicNoError());
   ASSERT_TRUE(visitor_.header_.get());
   EXPECT_TRUE(CheckDecryption(
       *encrypted, !kIncludeVersion, !kIncludeDiversificationNonce,
@@ -2653,7 +2652,7 @@ TEST_P(QuicFramerTest, StreamFrame1ByteStreamId) {
       AssemblePacketFromFragments(fragments));
   EXPECT_TRUE(framer_.ProcessPacket(*encrypted));
 
-  EXPECT_EQ(QUIC_NO_ERROR, framer_.error());
+  EXPECT_THAT(framer_.error(), IsQuicNoError());
   ASSERT_TRUE(visitor_.header_.get());
   EXPECT_TRUE(CheckDecryption(
       *encrypted, !kIncludeVersion, !kIncludeDiversificationNonce,
@@ -2855,7 +2854,7 @@ TEST_P(QuicFramerTest, StreamFrameWithVersion) {
       AssemblePacketFromFragments(fragments));
   EXPECT_TRUE(framer_.ProcessPacket(*encrypted));
 
-  EXPECT_EQ(QUIC_NO_ERROR, framer_.error());
+  EXPECT_THAT(framer_.error(), IsQuicNoError());
   ASSERT_TRUE(visitor_.header_.get());
   EXPECT_TRUE(CheckDecryption(
       *encrypted, kIncludeVersion, !kIncludeDiversificationNonce,
@@ -2939,7 +2938,7 @@ TEST_P(QuicFramerTest, RejectPacket) {
                                 false);
   EXPECT_TRUE(framer_.ProcessPacket(encrypted));
 
-  EXPECT_EQ(QUIC_NO_ERROR, framer_.error());
+  EXPECT_THAT(framer_.error(), IsQuicNoError());
   ASSERT_TRUE(visitor_.header_.get());
   EXPECT_TRUE(CheckDecryption(
       encrypted, !kIncludeVersion, !kIncludeDiversificationNonce,
@@ -2978,7 +2977,7 @@ TEST_P(QuicFramerTest, RejectPublicHeader) {
       false);
   EXPECT_TRUE(framer_.ProcessPacket(encrypted));
 
-  EXPECT_EQ(QUIC_NO_ERROR, framer_.error());
+  EXPECT_THAT(framer_.error(), IsQuicNoError());
   ASSERT_TRUE(visitor_.header_.get());
   EXPECT_FALSE(visitor_.header_->packet_number.IsInitialized());
 }
@@ -3087,7 +3086,7 @@ TEST_P(QuicFramerTest, AckFrameOneAckBlock) {
       AssemblePacketFromFragments(fragments));
   EXPECT_TRUE(framer_.ProcessPacket(*encrypted));
 
-  EXPECT_EQ(QUIC_NO_ERROR, framer_.error());
+  EXPECT_THAT(framer_.error(), IsQuicNoError());
   ASSERT_TRUE(visitor_.header_.get());
   EXPECT_TRUE(CheckDecryption(
       *encrypted, !kIncludeVersion, !kIncludeDiversificationNonce,
@@ -3580,7 +3579,7 @@ TEST_P(QuicFramerTest, AckFrameFirstAckBlockLengthZero) {
       AssemblePacketFromFragments(fragments));
 
   EXPECT_FALSE(framer_.ProcessPacket(*encrypted));
-  EXPECT_EQ(QUIC_INVALID_ACK_DATA, framer_.error());
+  EXPECT_THAT(framer_.error(), IsError(QUIC_INVALID_ACK_DATA));
 
   ASSERT_TRUE(visitor_.header_.get());
   EXPECT_TRUE(CheckDecryption(
@@ -3689,7 +3688,7 @@ TEST_P(QuicFramerTest, AckFrameOneAckBlockMaxLength) {
       AssemblePacketFromFragments(fragments));
   EXPECT_TRUE(framer_.ProcessPacket(*encrypted));
 
-  EXPECT_EQ(QUIC_NO_ERROR, framer_.error());
+  EXPECT_THAT(framer_.error(), IsQuicNoError());
   ASSERT_TRUE(visitor_.header_.get());
   EXPECT_TRUE(CheckDecryption(
       *encrypted, !kIncludeVersion, !kIncludeDiversificationNonce,
@@ -3914,7 +3913,7 @@ TEST_P(QuicFramerTest, AckFrameTwoTimeStampsMultipleAckBlocks) {
   framer_.set_process_timestamps(true);
   EXPECT_TRUE(framer_.ProcessPacket(*encrypted));
 
-  EXPECT_EQ(QUIC_NO_ERROR, framer_.error());
+  EXPECT_THAT(framer_.error(), IsQuicNoError());
   ASSERT_TRUE(visitor_.header_.get());
   EXPECT_TRUE(CheckDecryption(
       *encrypted, !kIncludeVersion, !kIncludeDiversificationNonce,
@@ -4126,7 +4125,7 @@ TEST_P(QuicFramerTest, NewStopWaitingFrame) {
   if (GetQuicReloadableFlag(quic_do_not_accept_stop_waiting) &&
       version_.transport_version >= QUIC_VERSION_46) {
     EXPECT_FALSE(framer_.ProcessPacket(*encrypted));
-    EXPECT_EQ(QUIC_INVALID_STOP_WAITING_DATA, framer_.error());
+    EXPECT_THAT(framer_.error(), IsError(QUIC_INVALID_STOP_WAITING_DATA));
     EXPECT_EQ("STOP WAITING not supported in version 44+.",
               framer_.detailed_error());
     return;
@@ -4134,7 +4133,7 @@ TEST_P(QuicFramerTest, NewStopWaitingFrame) {
 
   EXPECT_TRUE(framer_.ProcessPacket(*encrypted));
 
-  EXPECT_EQ(QUIC_NO_ERROR, framer_.error());
+  EXPECT_THAT(framer_.error(), IsQuicNoError());
   ASSERT_TRUE(visitor_.header_.get());
   EXPECT_TRUE(CheckDecryption(
       *encrypted, !kIncludeVersion, !kIncludeDiversificationNonce,
@@ -4192,7 +4191,7 @@ TEST_P(QuicFramerTest, InvalidNewStopWaitingFrame) {
                                                     : QUIC_ARRAYSIZE(packet),
       false);
   EXPECT_FALSE(framer_.ProcessPacket(encrypted));
-  EXPECT_EQ(QUIC_INVALID_STOP_WAITING_DATA, framer_.error());
+  EXPECT_THAT(framer_.error(), IsError(QUIC_INVALID_STOP_WAITING_DATA));
   EXPECT_EQ("Invalid unacked delta.", framer_.detailed_error());
 }
 
@@ -4283,7 +4282,7 @@ TEST_P(QuicFramerTest, RstStreamFrame) {
       AssemblePacketFromFragments(fragments));
   EXPECT_TRUE(framer_.ProcessPacket(*encrypted));
 
-  EXPECT_EQ(QUIC_NO_ERROR, framer_.error());
+  EXPECT_THAT(framer_.error(), IsQuicNoError());
   ASSERT_TRUE(visitor_.header_.get());
   EXPECT_TRUE(CheckDecryption(
       *encrypted, !kIncludeVersion, !kIncludeDiversificationNonce,
@@ -4394,7 +4393,7 @@ TEST_P(QuicFramerTest, ConnectionCloseFrame) {
       AssemblePacketFromFragments(fragments));
   EXPECT_TRUE(framer_.ProcessPacket(*encrypted));
 
-  EXPECT_EQ(QUIC_NO_ERROR, framer_.error());
+  EXPECT_THAT(framer_.error(), IsQuicNoError());
   ASSERT_TRUE(visitor_.header_.get());
   EXPECT_TRUE(CheckDecryption(
       *encrypted, !kIncludeVersion, !kIncludeDiversificationNonce,
@@ -4407,8 +4406,8 @@ TEST_P(QuicFramerTest, ConnectionCloseFrame) {
   if (VersionHasIetfQuicFrames(framer_.transport_version())) {
     EXPECT_EQ(0x1234u,
               visitor_.connection_close_frame_.transport_close_frame_type);
-    EXPECT_EQ(QUIC_IETF_GQUIC_ERROR_MISSING,
-              visitor_.connection_close_frame_.extracted_error_code);
+    EXPECT_THAT(visitor_.connection_close_frame_.extracted_error_code,
+                IsError(QUIC_IETF_GQUIC_ERROR_MISSING));
   } else {
     // For Google QUIC closes, the error code is copied into
     // extracted_error_code.
@@ -4528,7 +4527,7 @@ TEST_P(QuicFramerTest, ConnectionCloseFrameWithExtractedInfoIgnoreGCuic) {
       AssemblePacketFromFragments(fragments));
   EXPECT_TRUE(framer_.ProcessPacket(*encrypted));
 
-  EXPECT_EQ(QUIC_NO_ERROR, framer_.error());
+  EXPECT_THAT(framer_.error(), IsQuicNoError());
   ASSERT_TRUE(visitor_.header_.get());
   EXPECT_TRUE(CheckDecryption(
       *encrypted, !kIncludeVersion, !kIncludeDiversificationNonce,
@@ -4598,7 +4597,7 @@ TEST_P(QuicFramerTest, ApplicationCloseFrame) {
       AssemblePacketFromFragments(packet99));
   EXPECT_TRUE(framer_.ProcessPacket(*encrypted));
 
-  EXPECT_EQ(QUIC_NO_ERROR, framer_.error());
+  EXPECT_THAT(framer_.error(), IsQuicNoError());
   ASSERT_TRUE(visitor_.header_.get());
   EXPECT_TRUE(CheckDecryption(
       *encrypted, !kIncludeVersion, !kIncludeDiversificationNonce,
@@ -4660,7 +4659,7 @@ TEST_P(QuicFramerTest, ApplicationCloseFrameExtract) {
       AssemblePacketFromFragments(packet99));
   EXPECT_TRUE(framer_.ProcessPacket(*encrypted));
 
-  EXPECT_EQ(QUIC_NO_ERROR, framer_.error());
+  EXPECT_THAT(framer_.error(), IsQuicNoError());
   ASSERT_TRUE(visitor_.header_.get());
   EXPECT_TRUE(CheckDecryption(
       *encrypted, !kIncludeVersion, !kIncludeDiversificationNonce,
@@ -4757,7 +4756,7 @@ TEST_P(QuicFramerTest, GoAwayFrame) {
       AssemblePacketFromFragments(fragments));
   EXPECT_TRUE(framer_.ProcessPacket(*encrypted));
 
-  EXPECT_EQ(QUIC_NO_ERROR, framer_.error());
+  EXPECT_THAT(framer_.error(), IsQuicNoError());
   ASSERT_TRUE(visitor_.header_.get());
   EXPECT_TRUE(CheckDecryption(
       *encrypted, !kIncludeVersion, !kIncludeDiversificationNonce,
@@ -4830,14 +4829,14 @@ TEST_P(QuicFramerTest, WindowUpdateFrame) {
       AssemblePacketFromFragments(fragments));
   EXPECT_TRUE(framer_.ProcessPacket(*encrypted));
 
-  EXPECT_EQ(QUIC_NO_ERROR, framer_.error());
+  EXPECT_THAT(framer_.error(), IsQuicNoError());
   ASSERT_TRUE(visitor_.header_.get());
   EXPECT_TRUE(CheckDecryption(
       *encrypted, !kIncludeVersion, !kIncludeDiversificationNonce,
       PACKET_8BYTE_CONNECTION_ID, PACKET_0BYTE_CONNECTION_ID));
 
   EXPECT_EQ(kStreamId, visitor_.window_update_frame_.stream_id);
-  EXPECT_EQ(kStreamOffset, visitor_.window_update_frame_.byte_offset);
+  EXPECT_EQ(kStreamOffset, visitor_.window_update_frame_.max_data);
 
   CheckFramingBoundaries(fragments, QUIC_INVALID_WINDOW_UPDATE_DATA);
 }
@@ -4873,7 +4872,7 @@ TEST_P(QuicFramerTest, MaxDataFrame) {
       AssemblePacketFromFragments(packet99));
   EXPECT_TRUE(framer_.ProcessPacket(*encrypted));
 
-  EXPECT_EQ(QUIC_NO_ERROR, framer_.error());
+  EXPECT_THAT(framer_.error(), IsQuicNoError());
   ASSERT_TRUE(visitor_.header_.get());
   EXPECT_TRUE(CheckDecryption(
       *encrypted, !kIncludeVersion, !kIncludeDiversificationNonce,
@@ -4881,7 +4880,7 @@ TEST_P(QuicFramerTest, MaxDataFrame) {
 
   EXPECT_EQ(QuicUtils::GetInvalidStreamId(framer_.transport_version()),
             visitor_.window_update_frame_.stream_id);
-  EXPECT_EQ(kStreamOffset, visitor_.window_update_frame_.byte_offset);
+  EXPECT_EQ(kStreamOffset, visitor_.window_update_frame_.max_data);
 
   CheckFramingBoundaries(packet99, QUIC_INVALID_MAX_DATA_FRAME_DATA);
 }
@@ -4920,14 +4919,14 @@ TEST_P(QuicFramerTest, MaxStreamDataFrame) {
       AssemblePacketFromFragments(packet99));
   EXPECT_TRUE(framer_.ProcessPacket(*encrypted));
 
-  EXPECT_EQ(QUIC_NO_ERROR, framer_.error());
+  EXPECT_THAT(framer_.error(), IsQuicNoError());
   ASSERT_TRUE(visitor_.header_.get());
   EXPECT_TRUE(CheckDecryption(
       *encrypted, !kIncludeVersion, !kIncludeDiversificationNonce,
       PACKET_8BYTE_CONNECTION_ID, PACKET_0BYTE_CONNECTION_ID));
 
   EXPECT_EQ(kStreamId, visitor_.window_update_frame_.stream_id);
-  EXPECT_EQ(kStreamOffset, visitor_.window_update_frame_.byte_offset);
+  EXPECT_EQ(kStreamOffset, visitor_.window_update_frame_.max_data);
 
   CheckFramingBoundaries(packet99, QUIC_INVALID_MAX_STREAM_DATA_FRAME_DATA);
 }
@@ -5002,7 +5001,7 @@ TEST_P(QuicFramerTest, BlockedFrame) {
       AssemblePacketFromFragments(fragments));
   EXPECT_TRUE(framer_.ProcessPacket(*encrypted));
 
-  EXPECT_EQ(QUIC_NO_ERROR, framer_.error());
+  EXPECT_THAT(framer_.error(), IsQuicNoError());
   ASSERT_TRUE(visitor_.header_.get());
   EXPECT_TRUE(CheckDecryption(
       *encrypted, !kIncludeVersion, !kIncludeDiversificationNonce,
@@ -5075,7 +5074,7 @@ TEST_P(QuicFramerTest, PingFrame) {
       false);
   EXPECT_TRUE(framer_.ProcessPacket(encrypted));
 
-  EXPECT_EQ(QUIC_NO_ERROR, framer_.error());
+  EXPECT_THAT(framer_.error(), IsQuicNoError());
   ASSERT_TRUE(visitor_.header_.get());
   EXPECT_TRUE(CheckDecryption(
       encrypted, !kIncludeVersion, !kIncludeDiversificationNonce,
@@ -5087,7 +5086,7 @@ TEST_P(QuicFramerTest, PingFrame) {
 }
 
 TEST_P(QuicFramerTest, MessageFrame) {
-  if (framer_.transport_version() <= QUIC_VERSION_43) {
+  if (!VersionSupportsMessageFrames(framer_.transport_version())) {
     return;
   }
   SetDecrypterLevel(ENCRYPTION_FORWARD_SECURE);
@@ -5118,13 +5117,43 @@ TEST_P(QuicFramerTest, MessageFrame) {
         {{},
          {'m', 'e', 's', 's', 'a', 'g', 'e', '2'}},
    };
+  PacketFragments packet99 = {
+       // type (short header, 4 byte packet number)
+       {"",
+        {0x43}},
+       // connection_id
+       {"",
+        {0xFE, 0xDC, 0xBA, 0x98, 0x76, 0x54, 0x32, 0x10}},
+       // packet number
+       {"",
+        {0x12, 0x34, 0x56, 0x78}},
+       // message frame type.
+       {"",
+        { 0x31 }},
+       // message length
+       {"Unable to read message length",
+        {0x07}},
+       // message data
+       {"Unable to read message data",
+        {'m', 'e', 's', 's', 'a', 'g', 'e'}},
+        // message frame no length.
+        {"",
+         { 0x30 }},
+        // message data
+        {{},
+         {'m', 'e', 's', 's', 'a', 'g', 'e', '2'}},
+   };
   // clang-format on
 
-  std::unique_ptr<QuicEncryptedPacket> encrypted(
-      AssemblePacketFromFragments(packet46));
+  std::unique_ptr<QuicEncryptedPacket> encrypted;
+  if (VersionHasIetfQuicFrames(framer_.transport_version())) {
+    encrypted = AssemblePacketFromFragments(packet99);
+  } else {
+    encrypted = AssemblePacketFromFragments(packet46);
+  }
   EXPECT_TRUE(framer_.ProcessPacket(*encrypted));
 
-  EXPECT_EQ(QUIC_NO_ERROR, framer_.error());
+  EXPECT_THAT(framer_.error(), IsQuicNoError());
   ASSERT_TRUE(visitor_.header_.get());
   EXPECT_TRUE(CheckDecryption(
       *encrypted, !kIncludeVersion, !kIncludeDiversificationNonce,
@@ -5134,7 +5163,11 @@ TEST_P(QuicFramerTest, MessageFrame) {
   EXPECT_EQ(7u, visitor_.message_frames_[0]->message_length);
   EXPECT_EQ(8u, visitor_.message_frames_[1]->message_length);
 
-  CheckFramingBoundaries(packet46, QUIC_INVALID_MESSAGE_DATA);
+  if (VersionHasIetfQuicFrames(framer_.transport_version())) {
+    CheckFramingBoundaries(packet99, QUIC_INVALID_MESSAGE_DATA);
+  } else {
+    CheckFramingBoundaries(packet46, QUIC_INVALID_MESSAGE_DATA);
+  }
 }
 
 TEST_P(QuicFramerTest, PublicResetPacketV33) {
@@ -5177,7 +5210,7 @@ TEST_P(QuicFramerTest, PublicResetPacketV33) {
   std::unique_ptr<QuicEncryptedPacket> encrypted(
       AssemblePacketFromFragments(packet));
   EXPECT_TRUE(framer_.ProcessPacket(*encrypted));
-  ASSERT_EQ(QUIC_NO_ERROR, framer_.error());
+  ASSERT_THAT(framer_.error(), IsQuicNoError());
   ASSERT_TRUE(visitor_.public_reset_packet_.get());
   EXPECT_EQ(FramerTestConnectionId(),
             visitor_.public_reset_packet_->connection_id);
@@ -5232,7 +5265,7 @@ TEST_P(QuicFramerTest, PublicResetPacket) {
   std::unique_ptr<QuicEncryptedPacket> encrypted(
       AssemblePacketFromFragments(packet));
   EXPECT_TRUE(framer_.ProcessPacket(*encrypted));
-  ASSERT_EQ(QUIC_NO_ERROR, framer_.error());
+  ASSERT_THAT(framer_.error(), IsQuicNoError());
   ASSERT_TRUE(visitor_.public_reset_packet_.get());
   EXPECT_EQ(FramerTestConnectionId(),
             visitor_.public_reset_packet_->connection_id);
@@ -5279,7 +5312,7 @@ TEST_P(QuicFramerTest, PublicResetPacketWithTrailingJunk) {
 
   QuicEncryptedPacket encrypted(AsChars(packet), QUIC_ARRAYSIZE(packet), false);
   EXPECT_FALSE(framer_.ProcessPacket(encrypted));
-  ASSERT_EQ(QUIC_INVALID_PUBLIC_RST_PACKET, framer_.error());
+  ASSERT_THAT(framer_.error(), IsError(QUIC_INVALID_PUBLIC_RST_PACKET));
   EXPECT_EQ("Unable to read reset message.", framer_.detailed_error());
 }
 
@@ -5331,7 +5364,7 @@ TEST_P(QuicFramerTest, PublicResetPacketWithClientAddress) {
   std::unique_ptr<QuicEncryptedPacket> encrypted(
       AssemblePacketFromFragments(packet));
   EXPECT_TRUE(framer_.ProcessPacket(*encrypted));
-  ASSERT_EQ(QUIC_NO_ERROR, framer_.error());
+  ASSERT_THAT(framer_.error(), IsQuicNoError());
   ASSERT_TRUE(visitor_.public_reset_packet_.get());
   EXPECT_EQ(FramerTestConnectionId(),
             visitor_.public_reset_packet_->connection_id);
@@ -5380,7 +5413,7 @@ TEST_P(QuicFramerTest, IetfStatelessResetPacket) {
   // This packet cannot be decrypted because diversification nonce is missing.
   QuicEncryptedPacket encrypted(AsChars(packet), QUIC_ARRAYSIZE(packet), false);
   EXPECT_TRUE(framer_.ProcessPacket(encrypted));
-  ASSERT_EQ(QUIC_NO_ERROR, framer_.error());
+  ASSERT_THAT(framer_.error(), IsQuicNoError());
   ASSERT_TRUE(visitor_.stateless_reset_packet_.get());
   EXPECT_EQ(kTestStatelessResetToken,
             visitor_.stateless_reset_packet_->stateless_reset_token);
@@ -5423,7 +5456,7 @@ TEST_P(QuicFramerTest, IetfStatelessResetPacketInvalidStatelessResetToken) {
   // This packet cannot be decrypted because diversification nonce is missing.
   QuicEncryptedPacket encrypted(AsChars(packet), QUIC_ARRAYSIZE(packet), false);
   EXPECT_FALSE(framer_.ProcessPacket(encrypted));
-  EXPECT_EQ(QUIC_DECRYPTION_FAILURE, framer_.error());
+  EXPECT_THAT(framer_.error(), IsError(QUIC_DECRYPTION_FAILURE));
   ASSERT_FALSE(visitor_.stateless_reset_packet_);
 }
 
@@ -5490,7 +5523,7 @@ TEST_P(QuicFramerTest, VersionNegotiationPacketClient) {
   std::unique_ptr<QuicEncryptedPacket> encrypted(
       AssemblePacketFromFragments(fragments));
   EXPECT_TRUE(framer_.ProcessPacket(*encrypted));
-  ASSERT_EQ(QUIC_NO_ERROR, framer_.error());
+  ASSERT_THAT(framer_.error(), IsQuicNoError());
   ASSERT_TRUE(visitor_.version_negotiation_packet_.get());
   EXPECT_EQ(1u, visitor_.version_negotiation_packet_->versions.size());
   EXPECT_EQ(GetParam(), visitor_.version_negotiation_packet_->versions[0]);
@@ -5549,7 +5582,8 @@ TEST_P(QuicFramerTest, VersionNegotiationPacketServer) {
 
   QuicEncryptedPacket encrypted(AsChars(p), p_length, false);
   EXPECT_FALSE(framer_.ProcessPacket(encrypted));
-  EXPECT_EQ(QUIC_INVALID_VERSION_NEGOTIATION_PACKET, framer_.error());
+  EXPECT_THAT(framer_.error(),
+              IsError(QUIC_INVALID_VERSION_NEGOTIATION_PACKET));
   EXPECT_EQ("Server received version negotiation packet.",
             framer_.detailed_error());
   EXPECT_FALSE(visitor_.version_negotiation_packet_.get());
@@ -5580,7 +5614,7 @@ TEST_P(QuicFramerTest, OldVersionNegotiationPacket) {
   std::unique_ptr<QuicEncryptedPacket> encrypted(
       AssemblePacketFromFragments(packet));
   EXPECT_TRUE(framer_.ProcessPacket(*encrypted));
-  ASSERT_EQ(QUIC_NO_ERROR, framer_.error());
+  ASSERT_THAT(framer_.error(), IsQuicNoError());
   ASSERT_TRUE(visitor_.version_negotiation_packet_.get());
   EXPECT_EQ(1u, visitor_.version_negotiation_packet_->versions.size());
   EXPECT_EQ(GetParam(), visitor_.version_negotiation_packet_->versions[0]);
@@ -5646,7 +5680,7 @@ TEST_P(QuicFramerTest, ParseIetfRetryPacket) {
   QuicEncryptedPacket encrypted(AsChars(p), p_length, false);
   EXPECT_TRUE(framer_.ProcessPacket(encrypted));
 
-  EXPECT_EQ(QUIC_NO_ERROR, framer_.error());
+  EXPECT_THAT(framer_.error(), IsQuicNoError());
   ASSERT_TRUE(visitor_.header_.get());
 
   ASSERT_TRUE(visitor_.retry_original_connection_id_.get());
@@ -5687,7 +5721,7 @@ TEST_P(QuicFramerTest, RejectIetfRetryPacketAsServer) {
   QuicEncryptedPacket encrypted(AsChars(packet), QUIC_ARRAYSIZE(packet), false);
   EXPECT_FALSE(framer_.ProcessPacket(encrypted));
 
-  EXPECT_EQ(QUIC_INVALID_PACKET_HEADER, framer_.error());
+  EXPECT_THAT(framer_.error(), IsError(QUIC_INVALID_PACKET_HEADER));
   EXPECT_EQ("Client-initiated RETRY is invalid.", framer_.detailed_error());
 }
 
@@ -6483,7 +6517,7 @@ TEST_P(QuicFramerTest, CryptoFrame) {
       AssemblePacketFromFragments(fragments));
   EXPECT_TRUE(framer_.ProcessPacket(*encrypted));
 
-  EXPECT_EQ(QUIC_NO_ERROR, framer_.error());
+  EXPECT_THAT(framer_.error(), IsQuicNoError());
   ASSERT_TRUE(visitor_.header_.get());
   EXPECT_TRUE(CheckDecryption(
       *encrypted, !kIncludeVersion, !kIncludeDiversificationNonce,
@@ -6498,7 +6532,6 @@ TEST_P(QuicFramerTest, CryptoFrame) {
 }
 
 TEST_P(QuicFramerTest, BuildVersionNegotiationPacket) {
-  SetQuicReloadableFlag(quic_version_negotiation_grease, true);
   SetQuicFlag(FLAGS_quic_disable_version_negotiation_grease_randomness, true);
   // clang-format off
   unsigned char packet[] = {
@@ -6565,7 +6598,6 @@ TEST_P(QuicFramerTest, BuildVersionNegotiationPacketWithClientConnectionId) {
     return;
   }
 
-  SetQuicReloadableFlag(quic_version_negotiation_grease, true);
   SetQuicFlag(FLAGS_quic_disable_version_negotiation_grease_randomness, true);
 
   // clang-format off
@@ -8131,7 +8163,7 @@ TEST_P(QuicFramerTest, BuildWindowUpdatePacket) {
 
   QuicWindowUpdateFrame window_update_frame;
   window_update_frame.stream_id = kStreamId;
-  window_update_frame.byte_offset = 0x1122334455667788;
+  window_update_frame.max_data = 0x1122334455667788;
 
   QuicFrames frames = {QuicFrame(&window_update_frame)};
 
@@ -8219,7 +8251,7 @@ TEST_P(QuicFramerTest, BuildMaxStreamDataPacket) {
 
   QuicWindowUpdateFrame window_update_frame;
   window_update_frame.stream_id = kStreamId;
-  window_update_frame.byte_offset = 0x1122334455667788;
+  window_update_frame.max_data = 0x1122334455667788;
 
   QuicFrames frames = {QuicFrame(&window_update_frame)};
 
@@ -8265,7 +8297,7 @@ TEST_P(QuicFramerTest, BuildMaxDataPacket) {
   QuicWindowUpdateFrame window_update_frame;
   window_update_frame.stream_id =
       QuicUtils::GetInvalidStreamId(framer_.transport_version());
-  window_update_frame.byte_offset = 0x1122334455667788;
+  window_update_frame.max_data = 0x1122334455667788;
 
   QuicFrames frames = {QuicFrame(&window_update_frame)};
 
@@ -8442,7 +8474,7 @@ TEST_P(QuicFramerTest, BuildPingPacket) {
 }
 
 TEST_P(QuicFramerTest, BuildMessagePacket) {
-  if (framer_.transport_version() <= QUIC_VERSION_43) {
+  if (!VersionSupportsMessageFrames(framer_.transport_version())) {
     return;
   }
   QuicFramerPeer::SetPerspective(&framer_, Perspective::IS_CLIENT);
@@ -8487,13 +8519,13 @@ TEST_P(QuicFramerTest, BuildMessagePacket) {
     0x12, 0x34, 0x56, 0x78,
 
     // frame type (IETF_MESSAGE frame)
-    0x21,
+    0x31,
     // Length
     0x07,
     // Message Data
     'm', 'e', 's', 's', 'a', 'g', 'e',
     // frame type (message frame no length)
-    0x20,
+    0x30,
     // Message Data
     'm', 'e', 's', 's', 'a', 'g', 'e', '2'
   };
@@ -9205,7 +9237,7 @@ TEST_P(QuicFramerTest, StopPacketProcessing) {
   }
   QuicEncryptedPacket encrypted(AsChars(p), p_size, false);
   EXPECT_TRUE(framer_.ProcessPacket(encrypted));
-  EXPECT_EQ(QUIC_NO_ERROR, framer_.error());
+  EXPECT_THAT(framer_.error(), IsQuicNoError());
 }
 
 static char kTestString[] = "At least 20 characters.";
@@ -9260,7 +9292,7 @@ TEST_P(QuicFramerTest, ConstructEncryptedPacket) {
   EXPECT_CALL(visitor, OnPacketComplete()).Times(1);
 
   EXPECT_TRUE(framer_.ProcessPacket(*packet));
-  EXPECT_EQ(QUIC_NO_ERROR, framer_.error());
+  EXPECT_THAT(framer_.error(), IsQuicNoError());
 }
 
 // Verify that the packet returned by ConstructMisFramedEncryptedPacket()
@@ -9278,12 +9310,10 @@ TEST_P(QuicFramerTest, ConstructMisFramedEncryptedPacket) {
   }
   framer_.SetEncrypter(ENCRYPTION_INITIAL,
                        std::make_unique<NullEncrypter>(framer_.perspective()));
-  ParsedQuicVersionVector versions;
-  versions.push_back(framer_.version());
   std::unique_ptr<QuicEncryptedPacket> packet(ConstructMisFramedEncryptedPacket(
       TestConnectionId(), EmptyQuicConnectionId(), false, false,
       kTestQuicStreamId, kTestString, CONNECTION_ID_PRESENT,
-      CONNECTION_ID_ABSENT, PACKET_4BYTE_PACKET_NUMBER, &versions,
+      CONNECTION_ID_ABSENT, PACKET_4BYTE_PACKET_NUMBER, framer_.version(),
       Perspective::IS_CLIENT));
 
   MockFramerVisitor visitor;
@@ -9302,7 +9332,7 @@ TEST_P(QuicFramerTest, ConstructMisFramedEncryptedPacket) {
   EXPECT_CALL(visitor, OnPacketComplete()).Times(0);
 
   EXPECT_FALSE(framer_.ProcessPacket(*packet));
-  EXPECT_EQ(QUIC_INVALID_FRAME_DATA, framer_.error());
+  EXPECT_THAT(framer_.error(), IsError(QUIC_INVALID_FRAME_DATA));
 }
 
 TEST_P(QuicFramerTest, IetfBlockedFrame) {
@@ -9336,7 +9366,7 @@ TEST_P(QuicFramerTest, IetfBlockedFrame) {
       AssemblePacketFromFragments(packet99));
   EXPECT_TRUE(framer_.ProcessPacket(*encrypted));
 
-  EXPECT_EQ(QUIC_NO_ERROR, framer_.error());
+  EXPECT_THAT(framer_.error(), IsQuicNoError());
   ASSERT_TRUE(visitor_.header_.get());
   EXPECT_TRUE(CheckDecryption(
       *encrypted, !kIncludeVersion, !kIncludeDiversificationNonce,
@@ -9421,7 +9451,7 @@ TEST_P(QuicFramerTest, IetfStreamBlockedFrame) {
       AssemblePacketFromFragments(packet99));
   EXPECT_TRUE(framer_.ProcessPacket(*encrypted));
 
-  EXPECT_EQ(QUIC_NO_ERROR, framer_.error());
+  EXPECT_THAT(framer_.error(), IsQuicNoError());
   ASSERT_TRUE(visitor_.header_.get());
   EXPECT_TRUE(CheckDecryption(
       *encrypted, !kIncludeVersion, !kIncludeDiversificationNonce,
@@ -9507,7 +9537,7 @@ TEST_P(QuicFramerTest, BiDiMaxStreamsFrame) {
       AssemblePacketFromFragments(packet99));
   EXPECT_TRUE(framer_.ProcessPacket(*encrypted));
 
-  EXPECT_EQ(QUIC_NO_ERROR, framer_.error());
+  EXPECT_THAT(framer_.error(), IsQuicNoError());
   ASSERT_TRUE(visitor_.header_.get());
   EXPECT_TRUE(CheckDecryption(
       *encrypted, !kIncludeVersion, !kIncludeDiversificationNonce,
@@ -9548,7 +9578,7 @@ TEST_P(QuicFramerTest, UniDiMaxStreamsFrame) {
   QuicFramerPeer::SetPerspective(&framer_, Perspective::IS_CLIENT);
   EXPECT_TRUE(framer_.ProcessPacket(*encrypted));
 
-  EXPECT_EQ(QUIC_NO_ERROR, framer_.error());
+  EXPECT_THAT(framer_.error(), IsQuicNoError());
   ASSERT_TRUE(visitor_.header_.get());
   EXPECT_TRUE(CheckDecryption(
       *encrypted, !kIncludeVersion, !kIncludeDiversificationNonce,
@@ -9590,7 +9620,7 @@ TEST_P(QuicFramerTest, ServerUniDiMaxStreamsFrame) {
       AssemblePacketFromFragments(packet99));
   EXPECT_TRUE(framer_.ProcessPacket(*encrypted));
 
-  EXPECT_EQ(QUIC_NO_ERROR, framer_.error());
+  EXPECT_THAT(framer_.error(), IsQuicNoError());
   ASSERT_TRUE(visitor_.header_.get());
   EXPECT_TRUE(CheckDecryption(
       *encrypted, !kIncludeVersion, !kIncludeDiversificationNonce,
@@ -9631,7 +9661,7 @@ TEST_P(QuicFramerTest, ClientUniDiMaxStreamsFrame) {
   QuicFramerPeer::SetPerspective(&framer_, Perspective::IS_CLIENT);
   EXPECT_TRUE(framer_.ProcessPacket(*encrypted));
 
-  EXPECT_EQ(QUIC_NO_ERROR, framer_.error());
+  EXPECT_THAT(framer_.error(), IsQuicNoError());
   ASSERT_TRUE(visitor_.header_.get());
   EXPECT_TRUE(CheckDecryption(
       *encrypted, !kIncludeVersion, !kIncludeDiversificationNonce,
@@ -9676,7 +9706,7 @@ TEST_P(QuicFramerTest, BiDiMaxStreamsFrameTooBig) {
   QuicEncryptedPacket encrypted(AsChars(packet99), QUIC_ARRAYSIZE(packet99),
                                 false);
   EXPECT_TRUE(framer_.ProcessPacket(encrypted));
-  EXPECT_EQ(QUIC_NO_ERROR, framer_.error());
+  EXPECT_THAT(framer_.error(), IsQuicNoError());
   ASSERT_TRUE(visitor_.header_.get());
   EXPECT_TRUE(CheckDecryption(
       encrypted, !kIncludeVersion, !kIncludeDiversificationNonce,
@@ -9715,7 +9745,7 @@ TEST_P(QuicFramerTest, ClientBiDiMaxStreamsFrameTooBig) {
   QuicFramerPeer::SetPerspective(&framer_, Perspective::IS_CLIENT);
   EXPECT_TRUE(framer_.ProcessPacket(encrypted));
 
-  EXPECT_EQ(QUIC_NO_ERROR, framer_.error());
+  EXPECT_THAT(framer_.error(), IsQuicNoError());
   ASSERT_TRUE(visitor_.header_.get());
   EXPECT_TRUE(CheckDecryption(
       encrypted, !kIncludeVersion, !kIncludeDiversificationNonce,
@@ -9754,7 +9784,7 @@ TEST_P(QuicFramerTest, ServerUniDiMaxStreamsFrameTooBig) {
                                 false);
   EXPECT_TRUE(framer_.ProcessPacket(encrypted));
 
-  EXPECT_EQ(QUIC_NO_ERROR, framer_.error());
+  EXPECT_THAT(framer_.error(), IsQuicNoError());
   ASSERT_TRUE(visitor_.header_.get());
   EXPECT_TRUE(CheckDecryption(
       encrypted, !kIncludeVersion, !kIncludeDiversificationNonce,
@@ -9793,7 +9823,7 @@ TEST_P(QuicFramerTest, ClientUniDiMaxStreamsFrameTooBig) {
   QuicFramerPeer::SetPerspective(&framer_, Perspective::IS_CLIENT);
   EXPECT_TRUE(framer_.ProcessPacket(encrypted));
 
-  EXPECT_EQ(QUIC_NO_ERROR, framer_.error());
+  EXPECT_THAT(framer_.error(), IsQuicNoError());
   ASSERT_TRUE(visitor_.header_.get());
   EXPECT_TRUE(CheckDecryption(
       encrypted, !kIncludeVersion, !kIncludeDiversificationNonce,
@@ -9862,7 +9892,7 @@ TEST_P(QuicFramerTest, ServerBiDiStreamsBlockedFrame) {
       AssemblePacketFromFragments(packet99));
   EXPECT_TRUE(framer_.ProcessPacket(*encrypted));
 
-  EXPECT_EQ(QUIC_NO_ERROR, framer_.error());
+  EXPECT_THAT(framer_.error(), IsQuicNoError());
   ASSERT_TRUE(visitor_.header_.get());
   EXPECT_TRUE(CheckDecryption(
       *encrypted, !kIncludeVersion, !kIncludeDiversificationNonce,
@@ -9905,7 +9935,7 @@ TEST_P(QuicFramerTest, BiDiStreamsBlockedFrame) {
       AssemblePacketFromFragments(packet99));
   EXPECT_TRUE(framer_.ProcessPacket(*encrypted));
 
-  EXPECT_EQ(QUIC_NO_ERROR, framer_.error());
+  EXPECT_THAT(framer_.error(), IsQuicNoError());
   ASSERT_TRUE(visitor_.header_.get());
   EXPECT_TRUE(CheckDecryption(
       *encrypted, !kIncludeVersion, !kIncludeDiversificationNonce,
@@ -9948,7 +9978,7 @@ TEST_P(QuicFramerTest, UniDiStreamsBlockedFrame) {
       AssemblePacketFromFragments(packet99));
   EXPECT_TRUE(framer_.ProcessPacket(*encrypted));
 
-  EXPECT_EQ(QUIC_NO_ERROR, framer_.error());
+  EXPECT_THAT(framer_.error(), IsQuicNoError());
   ASSERT_TRUE(visitor_.header_.get());
   EXPECT_TRUE(CheckDecryption(
       *encrypted, !kIncludeVersion, !kIncludeDiversificationNonce,
@@ -9989,7 +10019,7 @@ TEST_P(QuicFramerTest, ClientUniDiStreamsBlockedFrame) {
   QuicFramerPeer::SetPerspective(&framer_, Perspective::IS_CLIENT);
   EXPECT_TRUE(framer_.ProcessPacket(*encrypted));
 
-  EXPECT_EQ(QUIC_NO_ERROR, framer_.error());
+  EXPECT_THAT(framer_.error(), IsQuicNoError());
   ASSERT_TRUE(visitor_.header_.get());
   EXPECT_TRUE(CheckDecryption(
       *encrypted, !kIncludeVersion, !kIncludeDiversificationNonce,
@@ -10033,7 +10063,7 @@ TEST_P(QuicFramerTest, StreamsBlockedFrameTooBig) {
   QuicFramerPeer::SetPerspective(&framer_, Perspective::IS_CLIENT);
   EXPECT_FALSE(framer_.ProcessPacket(encrypted));
 
-  EXPECT_EQ(QUIC_STREAMS_BLOCKED_DATA, framer_.error());
+  EXPECT_THAT(framer_.error(), IsError(QUIC_STREAMS_BLOCKED_DATA));
   EXPECT_EQ(framer_.detailed_error(),
             "STREAMS_BLOCKED stream count exceeds implementation limit.");
 }
@@ -10071,7 +10101,7 @@ TEST_P(QuicFramerTest, StreamsBlockedFrameZeroCount) {
       AssemblePacketFromFragments(packet99));
   EXPECT_TRUE(framer_.ProcessPacket(*encrypted));
 
-  EXPECT_EQ(QUIC_NO_ERROR, framer_.error());
+  EXPECT_THAT(framer_.error(), IsQuicNoError());
   ASSERT_TRUE(visitor_.header_.get());
   EXPECT_TRUE(CheckDecryption(
       *encrypted, !kIncludeVersion, !kIncludeDiversificationNonce,
@@ -10293,7 +10323,7 @@ TEST_P(QuicFramerTest, NewConnectionIdFrame) {
       AssemblePacketFromFragments(packet99));
   EXPECT_TRUE(framer_.ProcessPacket(*encrypted));
 
-  EXPECT_EQ(QUIC_NO_ERROR, framer_.error());
+  EXPECT_THAT(framer_.error(), IsQuicNoError());
   ASSERT_TRUE(visitor_.header_.get());
   EXPECT_TRUE(CheckDecryption(
       *encrypted, !kIncludeVersion, !kIncludeDiversificationNonce,
@@ -10352,7 +10382,7 @@ TEST_P(QuicFramerTest, NewConnectionIdFrameVariableLength) {
       AssemblePacketFromFragments(packet99));
   EXPECT_TRUE(framer_.ProcessPacket(*encrypted));
 
-  EXPECT_EQ(QUIC_NO_ERROR, framer_.error());
+  EXPECT_THAT(framer_.error(), IsQuicNoError());
   ASSERT_TRUE(visitor_.header_.get());
   EXPECT_TRUE(CheckDecryption(
       *encrypted, !kIncludeVersion, !kIncludeDiversificationNonce,
@@ -10419,7 +10449,7 @@ TEST_P(QuicFramerTest, InvalidLongNewConnectionIdFrame) {
   std::unique_ptr<QuicEncryptedPacket> encrypted(
       AssemblePacketFromFragments(packet99));
   EXPECT_FALSE(framer_.ProcessPacket(*encrypted));
-  EXPECT_EQ(QUIC_INVALID_NEW_CONNECTION_ID_DATA, framer_.error());
+  EXPECT_THAT(framer_.error(), IsError(QUIC_INVALID_NEW_CONNECTION_ID_DATA));
   EXPECT_EQ("Unable to read new connection ID frame connection id.",
             framer_.detailed_error());
 }
@@ -10464,7 +10494,7 @@ TEST_P(QuicFramerTest, InvalidRetirePriorToNewConnectionIdFrame) {
   std::unique_ptr<QuicEncryptedPacket> encrypted(
       AssemblePacketFromFragments(packet99));
   EXPECT_FALSE(framer_.ProcessPacket(*encrypted));
-  EXPECT_EQ(QUIC_INVALID_NEW_CONNECTION_ID_DATA, framer_.error());
+  EXPECT_THAT(framer_.error(), IsError(QUIC_INVALID_NEW_CONNECTION_ID_DATA));
   EXPECT_EQ("Retire_prior_to > sequence_number.", framer_.detailed_error());
 }
 
@@ -10557,7 +10587,7 @@ TEST_P(QuicFramerTest, NewTokenFrame) {
       AssemblePacketFromFragments(packet));
   EXPECT_TRUE(framer_.ProcessPacket(*encrypted));
 
-  EXPECT_EQ(QUIC_NO_ERROR, framer_.error());
+  EXPECT_THAT(framer_.error(), IsQuicNoError());
   ASSERT_TRUE(visitor_.header_.get());
   EXPECT_TRUE(CheckDecryption(
       *encrypted, !kIncludeVersion, !kIncludeDiversificationNonce,
@@ -10650,7 +10680,7 @@ TEST_P(QuicFramerTest, IetfStopSendingFrame) {
       AssemblePacketFromFragments(packet99));
   EXPECT_TRUE(framer_.ProcessPacket(*encrypted));
 
-  EXPECT_EQ(QUIC_NO_ERROR, framer_.error());
+  EXPECT_THAT(framer_.error(), IsQuicNoError());
   ASSERT_TRUE(visitor_.header_.get());
   EXPECT_TRUE(CheckDecryption(
       *encrypted, !kIncludeVersion, !kIncludeDiversificationNonce,
@@ -10736,7 +10766,7 @@ TEST_P(QuicFramerTest, IetfPathChallengeFrame) {
       AssemblePacketFromFragments(packet99));
   EXPECT_TRUE(framer_.ProcessPacket(*encrypted));
 
-  EXPECT_EQ(QUIC_NO_ERROR, framer_.error());
+  EXPECT_THAT(framer_.error(), IsQuicNoError());
   ASSERT_TRUE(visitor_.header_.get());
   EXPECT_TRUE(CheckDecryption(
       *encrypted, !kIncludeVersion, !kIncludeDiversificationNonce,
@@ -10819,7 +10849,7 @@ TEST_P(QuicFramerTest, IetfPathResponseFrame) {
       AssemblePacketFromFragments(packet99));
   EXPECT_TRUE(framer_.ProcessPacket(*encrypted));
 
-  EXPECT_EQ(QUIC_NO_ERROR, framer_.error());
+  EXPECT_THAT(framer_.error(), IsQuicNoError());
   ASSERT_TRUE(visitor_.header_.get());
   EXPECT_TRUE(CheckDecryption(
       *encrypted, !kIncludeVersion, !kIncludeDiversificationNonce,
@@ -10981,7 +11011,7 @@ TEST_P(QuicFramerTest, IetfFrameTypeEncodingErrorUnknown1Byte) {
 
   EXPECT_FALSE(framer_.ProcessPacket(*encrypted));
 
-  EXPECT_EQ(QUIC_INVALID_FRAME_DATA, framer_.error());
+  EXPECT_THAT(framer_.error(), IsError(QUIC_INVALID_FRAME_DATA));
   EXPECT_EQ("Illegal frame type.", framer_.detailed_error());
 }
 
@@ -11014,7 +11044,7 @@ TEST_P(QuicFramerTest, IetfFrameTypeEncodingErrorUnknown2Bytes) {
 
   EXPECT_FALSE(framer_.ProcessPacket(*encrypted));
 
-  EXPECT_EQ(QUIC_INVALID_FRAME_DATA, framer_.error());
+  EXPECT_THAT(framer_.error(), IsError(QUIC_INVALID_FRAME_DATA));
   EXPECT_EQ("Illegal frame type.", framer_.detailed_error());
 }
 
@@ -11047,7 +11077,7 @@ TEST_P(QuicFramerTest, IetfFrameTypeEncodingErrorUnknown4Bytes) {
 
   EXPECT_FALSE(framer_.ProcessPacket(*encrypted));
 
-  EXPECT_EQ(QUIC_INVALID_FRAME_DATA, framer_.error());
+  EXPECT_THAT(framer_.error(), IsError(QUIC_INVALID_FRAME_DATA));
   EXPECT_EQ("Illegal frame type.", framer_.detailed_error());
 }
 
@@ -11079,7 +11109,7 @@ TEST_P(QuicFramerTest, IetfFrameTypeEncodingErrorUnknown8Bytes) {
 
   EXPECT_FALSE(framer_.ProcessPacket(*encrypted));
 
-  EXPECT_EQ(QUIC_INVALID_FRAME_DATA, framer_.error());
+  EXPECT_THAT(framer_.error(), IsError(QUIC_INVALID_FRAME_DATA));
   EXPECT_EQ("Illegal frame type.", framer_.detailed_error());
 }
 
@@ -11116,7 +11146,7 @@ TEST_P(QuicFramerTest, IetfFrameTypeEncodingErrorKnown2Bytes) {
 
   EXPECT_FALSE(framer_.ProcessPacket(*encrypted));
 
-  EXPECT_EQ(IETF_QUIC_PROTOCOL_VIOLATION, framer_.error());
+  EXPECT_THAT(framer_.error(), IsError(IETF_QUIC_PROTOCOL_VIOLATION));
   EXPECT_EQ("Frame type not minimally encoded.", framer_.detailed_error());
 }
 
@@ -11149,7 +11179,7 @@ TEST_P(QuicFramerTest, IetfFrameTypeEncodingErrorKnown4Bytes) {
 
   EXPECT_FALSE(framer_.ProcessPacket(*encrypted));
 
-  EXPECT_EQ(IETF_QUIC_PROTOCOL_VIOLATION, framer_.error());
+  EXPECT_THAT(framer_.error(), IsError(IETF_QUIC_PROTOCOL_VIOLATION));
   EXPECT_EQ("Frame type not minimally encoded.", framer_.detailed_error());
 }
 
@@ -11181,7 +11211,7 @@ TEST_P(QuicFramerTest, IetfFrameTypeEncodingErrorKnown8Bytes) {
 
   EXPECT_FALSE(framer_.ProcessPacket(*encrypted));
 
-  EXPECT_EQ(IETF_QUIC_PROTOCOL_VIOLATION, framer_.error());
+  EXPECT_THAT(framer_.error(), IsError(IETF_QUIC_PROTOCOL_VIOLATION));
   EXPECT_EQ("Frame type not minimally encoded.", framer_.detailed_error());
 }
 
@@ -11585,7 +11615,7 @@ TEST_P(QuicFramerTest, IetfFrameTypeEncodingErrorKnown2BytesAllTypes) {
 
     EXPECT_FALSE(framer_.ProcessPacket(*encrypted));
 
-    EXPECT_EQ(IETF_QUIC_PROTOCOL_VIOLATION, framer_.error());
+    EXPECT_THAT(framer_.error(), IsError(IETF_QUIC_PROTOCOL_VIOLATION));
     EXPECT_EQ("Frame type not minimally encoded.", framer_.detailed_error());
   }
 }
@@ -11620,7 +11650,7 @@ TEST_P(QuicFramerTest, RetireConnectionIdFrame) {
       AssemblePacketFromFragments(packet99));
   EXPECT_TRUE(framer_.ProcessPacket(*encrypted));
 
-  EXPECT_EQ(QUIC_NO_ERROR, framer_.error());
+  EXPECT_THAT(framer_.error(), IsQuicNoError());
   ASSERT_TRUE(visitor_.header_.get());
   EXPECT_TRUE(CheckDecryption(
       *encrypted, !kIncludeVersion, !kIncludeDiversificationNonce,
@@ -12083,7 +12113,7 @@ TEST_P(QuicFramerTest, CoalescedPacket) {
   QuicEncryptedPacket encrypted(AsChars(p), p_length, false);
   EXPECT_TRUE(framer_.ProcessPacket(encrypted));
 
-  EXPECT_EQ(QUIC_NO_ERROR, framer_.error());
+  EXPECT_THAT(framer_.error(), IsQuicNoError());
   ASSERT_TRUE(visitor_.header_.get());
 
   ASSERT_EQ(1u, visitor_.stream_frames_.size());
@@ -12098,7 +12128,7 @@ TEST_P(QuicFramerTest, CoalescedPacket) {
   ASSERT_EQ(visitor_.coalesced_packets_.size(), 1u);
   EXPECT_TRUE(framer_.ProcessPacket(*visitor_.coalesced_packets_[0].get()));
 
-  EXPECT_EQ(QUIC_NO_ERROR, framer_.error());
+  EXPECT_THAT(framer_.error(), IsQuicNoError());
   ASSERT_TRUE(visitor_.header_.get());
 
   ASSERT_EQ(2u, visitor_.stream_frames_.size());
@@ -12197,18 +12227,18 @@ TEST_P(QuicFramerTest, UndecryptablePacketWithoutDecrypter) {
   // First attempt decryption without the handshake crypter.
   EXPECT_FALSE(
       framer_.ProcessPacket(QuicEncryptedPacket(AsChars(p), p_length, false)));
-  EXPECT_EQ(QUIC_DECRYPTION_FAILURE, framer_.error());
-    ASSERT_EQ(1u, visitor_.undecryptable_packets_.size());
-    ASSERT_EQ(1u, visitor_.undecryptable_decryption_levels_.size());
-    ASSERT_EQ(1u, visitor_.undecryptable_has_decryption_keys_.size());
-    CompareCharArraysWithHexError(
-        "undecryptable packet", visitor_.undecryptable_packets_[0]->data(),
-        visitor_.undecryptable_packets_[0]->length(), AsChars(p), p_length);
-    if (framer_.version().KnowsWhichDecrypterToUse()) {
-      EXPECT_EQ(ENCRYPTION_HANDSHAKE,
-                visitor_.undecryptable_decryption_levels_[0]);
-    }
-    EXPECT_FALSE(visitor_.undecryptable_has_decryption_keys_[0]);
+  EXPECT_THAT(framer_.error(), IsError(QUIC_DECRYPTION_FAILURE));
+  ASSERT_EQ(1u, visitor_.undecryptable_packets_.size());
+  ASSERT_EQ(1u, visitor_.undecryptable_decryption_levels_.size());
+  ASSERT_EQ(1u, visitor_.undecryptable_has_decryption_keys_.size());
+  CompareCharArraysWithHexError(
+      "undecryptable packet", visitor_.undecryptable_packets_[0]->data(),
+      visitor_.undecryptable_packets_[0]->length(), AsChars(p), p_length);
+  if (framer_.version().KnowsWhichDecrypterToUse()) {
+    EXPECT_EQ(ENCRYPTION_HANDSHAKE,
+              visitor_.undecryptable_decryption_levels_[0]);
+  }
+  EXPECT_FALSE(visitor_.undecryptable_has_decryption_keys_[0]);
 }
 
 TEST_P(QuicFramerTest, UndecryptablePacketWithDecrypter) {
@@ -12299,19 +12329,19 @@ TEST_P(QuicFramerTest, UndecryptablePacketWithDecrypter) {
 
   EXPECT_FALSE(
       framer_.ProcessPacket(QuicEncryptedPacket(AsChars(p), p_length, false)));
-  EXPECT_EQ(QUIC_DECRYPTION_FAILURE, framer_.error());
-    ASSERT_EQ(1u, visitor_.undecryptable_packets_.size());
-    ASSERT_EQ(1u, visitor_.undecryptable_decryption_levels_.size());
-    ASSERT_EQ(1u, visitor_.undecryptable_has_decryption_keys_.size());
-    CompareCharArraysWithHexError(
-        "undecryptable packet", visitor_.undecryptable_packets_[0]->data(),
-        visitor_.undecryptable_packets_[0]->length(), AsChars(p), p_length);
-    if (framer_.version().KnowsWhichDecrypterToUse()) {
-      EXPECT_EQ(ENCRYPTION_HANDSHAKE,
-                visitor_.undecryptable_decryption_levels_[0]);
-    }
-    EXPECT_EQ(framer_.version().KnowsWhichDecrypterToUse(),
-              visitor_.undecryptable_has_decryption_keys_[0]);
+  EXPECT_THAT(framer_.error(), IsError(QUIC_DECRYPTION_FAILURE));
+  ASSERT_EQ(1u, visitor_.undecryptable_packets_.size());
+  ASSERT_EQ(1u, visitor_.undecryptable_decryption_levels_.size());
+  ASSERT_EQ(1u, visitor_.undecryptable_has_decryption_keys_.size());
+  CompareCharArraysWithHexError(
+      "undecryptable packet", visitor_.undecryptable_packets_[0]->data(),
+      visitor_.undecryptable_packets_[0]->length(), AsChars(p), p_length);
+  if (framer_.version().KnowsWhichDecrypterToUse()) {
+    EXPECT_EQ(ENCRYPTION_HANDSHAKE,
+              visitor_.undecryptable_decryption_levels_[0]);
+  }
+  EXPECT_EQ(framer_.version().KnowsWhichDecrypterToUse(),
+            visitor_.undecryptable_has_decryption_keys_[0]);
 }
 
 TEST_P(QuicFramerTest, UndecryptableCoalescedPacket) {
@@ -12462,20 +12492,19 @@ TEST_P(QuicFramerTest, UndecryptableCoalescedPacket) {
 
   EXPECT_FALSE(framer_.ProcessPacket(encrypted));
 
-  EXPECT_EQ(QUIC_DECRYPTION_FAILURE, framer_.error());
-
-    ASSERT_EQ(1u, visitor_.undecryptable_packets_.size());
-    ASSERT_EQ(1u, visitor_.undecryptable_decryption_levels_.size());
-    ASSERT_EQ(1u, visitor_.undecryptable_has_decryption_keys_.size());
-    // Make sure we only receive the first undecryptable packet and not the
-    // full packet including the second coalesced packet.
-    CompareCharArraysWithHexError("undecryptable packet",
-                                  visitor_.undecryptable_packets_[0]->data(),
-                                  visitor_.undecryptable_packets_[0]->length(),
-                                  AsChars(p), length_of_first_coalesced_packet);
-    EXPECT_EQ(ENCRYPTION_HANDSHAKE,
-              visitor_.undecryptable_decryption_levels_[0]);
-    EXPECT_TRUE(visitor_.undecryptable_has_decryption_keys_[0]);
+  EXPECT_THAT(framer_.error(), IsError(QUIC_DECRYPTION_FAILURE));
+
+  ASSERT_EQ(1u, visitor_.undecryptable_packets_.size());
+  ASSERT_EQ(1u, visitor_.undecryptable_decryption_levels_.size());
+  ASSERT_EQ(1u, visitor_.undecryptable_has_decryption_keys_.size());
+  // Make sure we only receive the first undecryptable packet and not the
+  // full packet including the second coalesced packet.
+  CompareCharArraysWithHexError("undecryptable packet",
+                                visitor_.undecryptable_packets_[0]->data(),
+                                visitor_.undecryptable_packets_[0]->length(),
+                                AsChars(p), length_of_first_coalesced_packet);
+  EXPECT_EQ(ENCRYPTION_HANDSHAKE, visitor_.undecryptable_decryption_levels_[0]);
+  EXPECT_TRUE(visitor_.undecryptable_has_decryption_keys_[0]);
 
   // Make sure the second coalesced packet is parsed correctly.
   ASSERT_EQ(visitor_.coalesced_packets_.size(), 1u);
@@ -12631,7 +12660,7 @@ TEST_P(QuicFramerTest, MismatchedCoalescedPacket) {
   EXPECT_QUIC_PEER_BUG(EXPECT_TRUE(framer_.ProcessPacket(encrypted)),
                        "Server: Received mismatched coalesced header.*");
 
-  EXPECT_EQ(QUIC_NO_ERROR, framer_.error());
+  EXPECT_THAT(framer_.error(), IsQuicNoError());
   ASSERT_TRUE(visitor_.header_.get());
 
   ASSERT_EQ(1u, visitor_.stream_frames_.size());
@@ -12737,7 +12766,7 @@ TEST_P(QuicFramerTest, InvalidCoalescedPacket) {
   EXPECT_QUIC_PEER_BUG(EXPECT_TRUE(framer_.ProcessPacket(encrypted)),
                        "Server: Failed to parse received coalesced header.*");
 
-  EXPECT_EQ(QUIC_NO_ERROR, framer_.error());
+  EXPECT_THAT(framer_.error(), IsQuicNoError());
   ASSERT_TRUE(visitor_.header_.get());
 
   ASSERT_EQ(1u, visitor_.stream_frames_.size());
@@ -12835,7 +12864,7 @@ TEST_P(QuicFramerTest, ClientReceivesInvalidVersion) {
   QuicEncryptedPacket encrypted(AsChars(packet), QUIC_ARRAYSIZE(packet), false);
   EXPECT_FALSE(framer_.ProcessPacket(encrypted));
 
-  EXPECT_EQ(QUIC_INVALID_VERSION, framer_.error());
+  EXPECT_THAT(framer_.error(), IsError(QUIC_INVALID_VERSION));
   EXPECT_EQ("Client received unexpected version.", framer_.detailed_error());
 }
 
@@ -12887,10 +12916,10 @@ TEST_P(QuicFramerTest, PacketHeaderWithVariableLengthConnectionId) {
       AssemblePacketFromFragments(fragments));
   if (framer_.version().HasHeaderProtection()) {
     EXPECT_TRUE(framer_.ProcessPacket(*encrypted));
-    EXPECT_EQ(QUIC_NO_ERROR, framer_.error());
+    EXPECT_THAT(framer_.error(), IsQuicNoError());
   } else {
     EXPECT_FALSE(framer_.ProcessPacket(*encrypted));
-    EXPECT_EQ(QUIC_MISSING_PAYLOAD, framer_.error());
+    EXPECT_THAT(framer_.error(), IsError(QUIC_MISSING_PAYLOAD));
   }
   ASSERT_TRUE(visitor_.header_.get());
   EXPECT_EQ(connection_id, visitor_.header_->destination_connection_id);
@@ -12963,7 +12992,7 @@ TEST_P(QuicFramerTest, MultiplePacketNumberSpaces) {
                             QUIC_ARRAYSIZE(long_header_packet99), false)));
   }
 
-  EXPECT_EQ(QUIC_NO_ERROR, framer_.error());
+  EXPECT_THAT(framer_.error(), IsQuicNoError());
   EXPECT_FALSE(
       QuicFramerPeer::GetLargestDecryptedPacketNumber(&framer_, INITIAL_DATA)
           .IsInitialized());
@@ -12998,7 +13027,7 @@ TEST_P(QuicFramerTest, MultiplePacketNumberSpaces) {
   }
   EXPECT_TRUE(framer_.ProcessPacket(short_header_encrypted));
 
-  EXPECT_EQ(QUIC_NO_ERROR, framer_.error());
+  EXPECT_THAT(framer_.error(), IsQuicNoError());
   EXPECT_FALSE(
       QuicFramerPeer::GetLargestDecryptedPacketNumber(&framer_, INITIAL_DATA)
           .IsInitialized());
@@ -13033,7 +13062,7 @@ TEST_P(QuicFramerTest, IetfRetryPacketRejected) {
       AssemblePacketFromFragments(packet46));
 
   EXPECT_FALSE(framer_.ProcessPacket(*encrypted));
-  EXPECT_EQ(QUIC_INVALID_PACKET_HEADER, framer_.error());
+  EXPECT_THAT(framer_.error(), IsError(QUIC_INVALID_PACKET_HEADER));
   CheckFramingBoundaries(packet46, QUIC_INVALID_PACKET_HEADER);
 }
 
@@ -13062,7 +13091,7 @@ TEST_P(QuicFramerTest, RetryPacketRejectedWithMultiplePacketNumberSpaces) {
       AssemblePacketFromFragments(packet));
 
   EXPECT_FALSE(framer_.ProcessPacket(*encrypted));
-  EXPECT_EQ(QUIC_INVALID_PACKET_HEADER, framer_.error());
+  EXPECT_THAT(framer_.error(), IsError(QUIC_INVALID_PACKET_HEADER));
   CheckFramingBoundaries(packet, QUIC_INVALID_PACKET_HEADER);
 }
 
@@ -13101,7 +13130,7 @@ TEST_P(QuicFramerTest, ProcessPublicHeaderNoVersionInferredType) {
       AssemblePacketFromFragments(fragments));
 
   EXPECT_FALSE(framer_.ProcessPacket(*encrypted));
-  EXPECT_EQ(QUIC_INVALID_PACKET_HEADER, framer_.error());
+  EXPECT_THAT(framer_.error(), IsError(QUIC_INVALID_PACKET_HEADER));
   EXPECT_EQ("Invalid public header type for expected version.",
             framer_.detailed_error());
   CheckFramingBoundaries(fragments, QUIC_INVALID_PACKET_HEADER);
@@ -13138,7 +13167,7 @@ TEST_P(QuicFramerTest, ProcessMismatchedHeaderVersion) {
   framer_.ProcessPacket(*encrypted);
 
   EXPECT_FALSE(framer_.ProcessPacket(*encrypted));
-  EXPECT_EQ(QUIC_INVALID_PACKET_HEADER, framer_.error());
+  EXPECT_THAT(framer_.error(), IsError(QUIC_INVALID_PACKET_HEADER));
   EXPECT_EQ("Invalid public header type for expected version.",
             framer_.detailed_error());
   CheckFramingBoundaries(packet, QUIC_INVALID_PACKET_HEADER);
@@ -13229,7 +13258,7 @@ TEST_P(QuicFramerTest, WriteClientVersionNegotiationProbePacketOld) {
       &version_present, &has_length_prefix, &version_label, &parsed_version,
       &destination_connection_id, &source_connection_id, &retry_token_present,
       &retry_token, &detailed_error);
-  EXPECT_EQ(QUIC_NO_ERROR, parse_result);
+  EXPECT_THAT(parse_result, IsQuicNoError());
   EXPECT_EQ(IETF_QUIC_LONG_HEADER_PACKET, format);
   EXPECT_TRUE(version_present);
   EXPECT_FALSE(has_length_prefix);
@@ -13380,7 +13409,7 @@ TEST_P(QuicFramerTest, DispatcherParseOldClientVersionNegotiationProbePacket) {
       &version_present, &has_length_prefix, &version_label, &parsed_version,
       &destination_connection_id, &source_connection_id, &retry_token_present,
       &retry_token, &detailed_error);
-  EXPECT_EQ(QUIC_NO_ERROR, header_parse_result);
+  EXPECT_THAT(header_parse_result, IsQuicNoError());
   EXPECT_EQ(IETF_QUIC_LONG_HEADER_PACKET, format);
   EXPECT_TRUE(version_present);
   EXPECT_FALSE(has_length_prefix);
@@ -13459,7 +13488,7 @@ TEST_P(QuicFramerTest, DispatcherParseClientVersionNegotiationProbePacket) {
       &version_present, &has_length_prefix, &version_label, &parsed_version,
       &destination_connection_id, &source_connection_id, &retry_token_present,
       &retry_token, &detailed_error);
-  EXPECT_EQ(QUIC_NO_ERROR, header_parse_result);
+  EXPECT_THAT(header_parse_result, IsQuicNoError());
   EXPECT_EQ(IETF_QUIC_LONG_HEADER_PACKET, format);
   EXPECT_TRUE(version_present);
   EXPECT_TRUE(has_length_prefix);
@@ -13587,12 +13616,12 @@ TEST_P(QuicFramerTest, ClientConnectionIdFromLongHeaderToClient) {
   if (!QuicUtils::VariableLengthConnectionIdAllowedForVersion(
           framer_.transport_version())) {
     EXPECT_FALSE(parse_success);
-    EXPECT_EQ(QUIC_INVALID_PACKET_HEADER, framer_.error());
+    EXPECT_THAT(framer_.error(), IsError(QUIC_INVALID_PACKET_HEADER));
     EXPECT_EQ("Invalid ConnectionId length.", framer_.detailed_error());
     return;
   }
   EXPECT_TRUE(parse_success);
-  EXPECT_EQ(QUIC_NO_ERROR, framer_.error());
+  EXPECT_THAT(framer_.error(), IsQuicNoError());
   EXPECT_EQ("", framer_.detailed_error());
   ASSERT_TRUE(visitor_.header_.get());
   EXPECT_EQ(FramerTestConnectionId(),
@@ -13653,19 +13682,19 @@ TEST_P(QuicFramerTest, ClientConnectionIdFromLongHeaderToServer) {
   if (!QuicUtils::VariableLengthConnectionIdAllowedForVersion(
           framer_.transport_version())) {
     EXPECT_FALSE(parse_success);
-    EXPECT_EQ(QUIC_INVALID_PACKET_HEADER, framer_.error());
+    EXPECT_THAT(framer_.error(), IsError(QUIC_INVALID_PACKET_HEADER));
     EXPECT_EQ("Invalid ConnectionId length.", framer_.detailed_error());
     return;
   }
   if (!framer_.version().SupportsClientConnectionIds()) {
     EXPECT_FALSE(parse_success);
-    EXPECT_EQ(QUIC_INVALID_PACKET_HEADER, framer_.error());
+    EXPECT_THAT(framer_.error(), IsError(QUIC_INVALID_PACKET_HEADER));
     EXPECT_EQ("Client connection ID not supported in this version.",
               framer_.detailed_error());
     return;
   }
   EXPECT_TRUE(parse_success);
-  EXPECT_EQ(QUIC_NO_ERROR, framer_.error());
+  EXPECT_THAT(framer_.error(), IsQuicNoError());
   EXPECT_EQ("", framer_.detailed_error());
   ASSERT_TRUE(visitor_.header_.get());
   EXPECT_EQ(FramerTestConnectionId(),
@@ -13757,17 +13786,20 @@ TEST_P(QuicFramerTest, TestExtendedErrorCodeParser) {
 
   frame.error_details = "this has no error code info in it";
   MaybeExtractQuicErrorCode(&frame);
-  EXPECT_EQ(QUIC_IETF_GQUIC_ERROR_MISSING, frame.extracted_error_code);
+  EXPECT_THAT(frame.extracted_error_code,
+              IsError(QUIC_IETF_GQUIC_ERROR_MISSING));
   EXPECT_EQ("this has no error code info in it", frame.error_details);
 
   frame.error_details = "1234this does not have the colon in it";
   MaybeExtractQuicErrorCode(&frame);
-  EXPECT_EQ(QUIC_IETF_GQUIC_ERROR_MISSING, frame.extracted_error_code);
+  EXPECT_THAT(frame.extracted_error_code,
+              IsError(QUIC_IETF_GQUIC_ERROR_MISSING));
   EXPECT_EQ("1234this does not have the colon in it", frame.error_details);
 
   frame.error_details = "1a234:this has a colon, but a malformed error number";
   MaybeExtractQuicErrorCode(&frame);
-  EXPECT_EQ(QUIC_IETF_GQUIC_ERROR_MISSING, frame.extracted_error_code);
+  EXPECT_THAT(frame.extracted_error_code,
+              IsError(QUIC_IETF_GQUIC_ERROR_MISSING));
   EXPECT_EQ("1a234:this has a colon, but a malformed error number",
             frame.error_details);
 
@@ -13779,14 +13811,16 @@ TEST_P(QuicFramerTest, TestExtendedErrorCodeParser) {
   frame.error_details =
       "1234 :this is not good, space between last digit and colon";
   MaybeExtractQuicErrorCode(&frame);
-  EXPECT_EQ(QUIC_IETF_GQUIC_ERROR_MISSING, frame.extracted_error_code);
+  EXPECT_THAT(frame.extracted_error_code,
+              IsError(QUIC_IETF_GQUIC_ERROR_MISSING));
   EXPECT_EQ("1234 :this is not good, space between last digit and colon",
             frame.error_details);
 
   frame.error_details = "123456789";
   MaybeExtractQuicErrorCode(&frame);
-  EXPECT_EQ(QUIC_IETF_GQUIC_ERROR_MISSING,
-            frame.extracted_error_code);  // Not good, all numbers, no :
+  EXPECT_THAT(
+      frame.extracted_error_code,
+      IsError(QUIC_IETF_GQUIC_ERROR_MISSING));  // Not good, all numbers, no :
   EXPECT_EQ("123456789", frame.error_details);
 
   frame.error_details = "1234:";
@@ -13803,23 +13837,26 @@ TEST_P(QuicFramerTest, TestExtendedErrorCodeParser) {
 
   frame.error_details = "12345 6789:";
   MaybeExtractQuicErrorCode(&frame);
-  EXPECT_EQ(QUIC_IETF_GQUIC_ERROR_MISSING,
-            frame.extracted_error_code);  // Not good
+  EXPECT_THAT(frame.extracted_error_code,
+              IsError(QUIC_IETF_GQUIC_ERROR_MISSING));  // Not good
   EXPECT_EQ("12345 6789:", frame.error_details);
 
   frame.error_details = ":no numbers, is not good";
   MaybeExtractQuicErrorCode(&frame);
-  EXPECT_EQ(QUIC_IETF_GQUIC_ERROR_MISSING, frame.extracted_error_code);
+  EXPECT_THAT(frame.extracted_error_code,
+              IsError(QUIC_IETF_GQUIC_ERROR_MISSING));
   EXPECT_EQ(":no numbers, is not good", frame.error_details);
 
   frame.error_details = "qwer:also no numbers, is not good";
   MaybeExtractQuicErrorCode(&frame);
-  EXPECT_EQ(QUIC_IETF_GQUIC_ERROR_MISSING, frame.extracted_error_code);
+  EXPECT_THAT(frame.extracted_error_code,
+              IsError(QUIC_IETF_GQUIC_ERROR_MISSING));
   EXPECT_EQ("qwer:also no numbers, is not good", frame.error_details);
 
   frame.error_details = " 1234:this is not good, space before first digit";
   MaybeExtractQuicErrorCode(&frame);
-  EXPECT_EQ(QUIC_IETF_GQUIC_ERROR_MISSING, frame.extracted_error_code);
+  EXPECT_THAT(frame.extracted_error_code,
+              IsError(QUIC_IETF_GQUIC_ERROR_MISSING));
   EXPECT_EQ(" 1234:this is not good, space before first digit",
             frame.error_details);
 
@@ -13830,6 +13867,42 @@ TEST_P(QuicFramerTest, TestExtendedErrorCodeParser) {
   EXPECT_EQ("", frame.error_details);
 }
 
+// Regression test for crbug/1029636.
+TEST_P(QuicFramerTest, OverlyLargeAckDelay) {
+  if (!VersionHasIetfQuicFrames(framer_.transport_version())) {
+    return;
+  }
+  SetDecrypterLevel(ENCRYPTION_FORWARD_SECURE);
+  // clang-format off
+  unsigned char packet99[] = {
+    // type (short header, 4 byte packet number)
+    0x43,
+    // connection_id
+    0xFE, 0xDC, 0xBA, 0x98, 0x76, 0x54, 0x32, 0x10,
+    // packet number
+    0x12, 0x34, 0x56, 0x78,
+
+    // frame type (IETF_ACK frame)
+    0x02,
+    // largest acked
+    kVarInt62FourBytes + 0x12, 0x34, 0x56, 0x78,
+    // ack delay time.
+    kVarInt62EightBytes + 0x31, 0x00, 0x00, 0x00, 0xF3, 0xA0, 0x81, 0xE0,
+    // Nr. of additional ack blocks
+    kVarInt62OneByte + 0x00,
+    // first ack block length.
+    kVarInt62FourBytes + 0x12, 0x34, 0x56, 0x77,
+  };
+  // clang-format on
+
+  framer_.ProcessPacket(
+      QuicEncryptedPacket(AsChars(packet99), QUIC_ARRAYSIZE(packet99), false));
+  ASSERT_EQ(1u, visitor_.ack_frames_.size());
+  // Verify ack_delay_time is set correctly.
+  EXPECT_EQ(QuicTime::Delta::Infinite(),
+            visitor_.ack_frames_[0]->ack_delay_time);
+}
+
 }  // namespace
 }  // namespace test
 }  // namespace quic
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_ietf_framer_test.cc b/chromium/net/third_party/quiche/src/quic/core/quic_ietf_framer_test.cc
index 90ae8b9d8d7..e4feb471131 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_ietf_framer_test.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_ietf_framer_test.cc
@@ -247,8 +247,8 @@ class QuicIetfFramerTest : public QuicTestWithParam<ParsedQuicVersion> {
     // initialize a writer so that the serialized packet is placed in
     // packet_buffer.
     QuicDataWriter writer(packet_buffer_size, packet_buffer,
-                          NETWORK_BYTE_ORDER);  // do not really care
-                                                // about endianness.
+                          quiche::NETWORK_BYTE_ORDER);  // do not really care
+                                                        // about endianness.
     // set up to define the source frame we wish to send.
     QuicStreamFrame source_stream_frame(
         stream_id, fin_bit, offset, xmit_packet_data, xmit_packet_data_size);
@@ -259,7 +259,8 @@ class QuicIetfFramerTest : public QuicTestWithParam<ParsedQuicVersion> {
     // Better have something in the packet buffer.
     EXPECT_NE(0u, writer.length());
     // Now set up a reader to read in the frame.
-    QuicDataReader reader(packet_buffer, writer.length(), NETWORK_BYTE_ORDER);
+    QuicDataReader reader(packet_buffer, writer.length(),
+                          quiche::NETWORK_BYTE_ORDER);
 
     // A StreamFrame to hold the results... we know the frame type,
     // put it into the QuicIetfStreamFrame
@@ -323,7 +324,8 @@ class QuicIetfFramerTest : public QuicTestWithParam<ParsedQuicVersion> {
 
     // Make a writer so that the serialized packet is placed in
     // packet_buffer.
-    QuicDataWriter writer(expected_size, packet_buffer, NETWORK_BYTE_ORDER);
+    QuicDataWriter writer(expected_size, packet_buffer,
+                          quiche::NETWORK_BYTE_ORDER);
 
     // Write the frame to the packet buffer.
     EXPECT_TRUE(QuicFramerPeer::AppendIetfAckFrameAndTypeByte(
@@ -338,7 +340,8 @@ class QuicIetfFramerTest : public QuicTestWithParam<ParsedQuicVersion> {
     // and what is in the buffer should be the expected size.
     EXPECT_EQ(expected_size, writer.length()) << "Frame is " << transmit_frame;
     // Now set up a reader to read in the frame.
-    QuicDataReader reader(packet_buffer, writer.length(), NETWORK_BYTE_ORDER);
+    QuicDataReader reader(packet_buffer, writer.length(),
+                          quiche::NETWORK_BYTE_ORDER);
 
     // read in the frame type
     uint8_t received_frame_type;
@@ -384,7 +387,7 @@ class QuicIetfFramerTest : public QuicTestWithParam<ParsedQuicVersion> {
     // Make a writer so that the serialized packet is placed in
     // packet_buffer.
     QuicDataWriter writer(packet_buffer_size, packet_buffer,
-                          NETWORK_BYTE_ORDER);
+                          quiche::NETWORK_BYTE_ORDER);
 
     QuicPathChallengeFrame transmit_frame(0, data);
 
@@ -396,7 +399,8 @@ class QuicIetfFramerTest : public QuicTestWithParam<ParsedQuicVersion> {
     EXPECT_EQ(kQuicPathChallengeFrameSize, writer.length());
 
     // now set up a reader to read in the frame.
-    QuicDataReader reader(packet_buffer, writer.length(), NETWORK_BYTE_ORDER);
+    QuicDataReader reader(packet_buffer, writer.length(),
+                          quiche::NETWORK_BYTE_ORDER);
 
     QuicPathChallengeFrame receive_frame;
 
@@ -417,7 +421,7 @@ class QuicIetfFramerTest : public QuicTestWithParam<ParsedQuicVersion> {
     // Make a writer so that the serialized packet is placed in
     // packet_buffer.
     QuicDataWriter writer(packet_buffer_size, packet_buffer,
-                          NETWORK_BYTE_ORDER);
+                          quiche::NETWORK_BYTE_ORDER);
 
     QuicPathResponseFrame transmit_frame(0, data);
 
@@ -429,7 +433,8 @@ class QuicIetfFramerTest : public QuicTestWithParam<ParsedQuicVersion> {
     EXPECT_EQ(kQuicPathResponseFrameSize, writer.length());
 
     // Set up a reader to read in the frame.
-    QuicDataReader reader(packet_buffer, writer.length(), NETWORK_BYTE_ORDER);
+    QuicDataReader reader(packet_buffer, writer.length(),
+                          quiche::NETWORK_BYTE_ORDER);
 
     QuicPathResponseFrame receive_frame;
 
@@ -452,7 +457,7 @@ class QuicIetfFramerTest : public QuicTestWithParam<ParsedQuicVersion> {
     // Initialize a writer so that the serialized packet is placed in
     // packet_buffer.
     QuicDataWriter writer(packet_buffer_size, packet_buffer,
-                          NETWORK_BYTE_ORDER);
+                          quiche::NETWORK_BYTE_ORDER);
 
     QuicRstStreamFrame transmit_frame(static_cast<QuicControlFrameId>(1),
                                       stream_id, error_code, final_offset);
@@ -465,7 +470,8 @@ class QuicIetfFramerTest : public QuicTestWithParam<ParsedQuicVersion> {
     EXPECT_LT(2u, writer.length());
     EXPECT_GT(25u, writer.length());
     // Now set up a reader to read in the thing in.
-    QuicDataReader reader(packet_buffer, writer.length(), NETWORK_BYTE_ORDER);
+    QuicDataReader reader(packet_buffer, writer.length(),
+                          quiche::NETWORK_BYTE_ORDER);
 
     // A QuicRstStreamFrame to hold the results
     QuicRstStreamFrame receive_frame;
@@ -487,7 +493,7 @@ class QuicIetfFramerTest : public QuicTestWithParam<ParsedQuicVersion> {
     Perspective old_perspective = framer_.perspective();
     // Set up the writer and transmit QuicMaxStreamsFrame
     QuicDataWriter writer(sizeof(packet_buffer), packet_buffer,
-                          NETWORK_BYTE_ORDER);
+                          quiche::NETWORK_BYTE_ORDER);
 
     // Set the perspective of the sender. If the stream id is supposed to
     // be server-initiated, then the sender of the MAX_STREAMS should be
@@ -512,7 +518,8 @@ class QuicIetfFramerTest : public QuicTestWithParam<ParsedQuicVersion> {
                                                  : Perspective::IS_CLIENT);
 
     // Set up reader and empty receive QuicPaddingFrame.
-    QuicDataReader reader(packet_buffer, writer.length(), NETWORK_BYTE_ORDER);
+    QuicDataReader reader(packet_buffer, writer.length(),
+                          quiche::NETWORK_BYTE_ORDER);
     QuicMaxStreamsFrame receive_frame;
 
     // Deframe it
@@ -537,7 +544,7 @@ class QuicIetfFramerTest : public QuicTestWithParam<ParsedQuicVersion> {
     Perspective old_perspective = framer_.perspective();
     // Set up the writer and transmit QuicStreamsBlockedFrame
     QuicDataWriter writer(sizeof(packet_buffer), packet_buffer,
-                          NETWORK_BYTE_ORDER);
+                          quiche::NETWORK_BYTE_ORDER);
 
     // Set the perspective of the sender. If the stream id is supposed to
     // be server-initiated, then the sender of the STREAMS_BLOCKED should be
@@ -562,7 +569,8 @@ class QuicIetfFramerTest : public QuicTestWithParam<ParsedQuicVersion> {
                                                  : Perspective::IS_SERVER);
 
     // Set up reader and empty receive QuicPaddingFrame.
-    QuicDataReader reader(packet_buffer, writer.length(), NETWORK_BYTE_ORDER);
+    QuicDataReader reader(packet_buffer, writer.length(),
+                          quiche::NETWORK_BYTE_ORDER);
     QuicStreamsBlockedFrame receive_frame;
 
     // Deframe it
@@ -762,13 +770,14 @@ TEST_F(QuicIetfFramerTest, CryptoFrame) {
     data_producer.SaveCryptoData(ENCRYPTION_INITIAL, offset, frame_data);
 
     QuicDataWriter writer(QUIC_ARRAYSIZE(packet_buffer), packet_buffer,
-                          NETWORK_BYTE_ORDER);
+                          quiche::NETWORK_BYTE_ORDER);
 
     // Write the frame.
     EXPECT_TRUE(QuicFramerPeer::AppendCryptoFrame(&framer_, frame, &writer));
     EXPECT_NE(0u, writer.length());
     // Read it back.
-    QuicDataReader reader(packet_buffer, writer.length(), NETWORK_BYTE_ORDER);
+    QuicDataReader reader(packet_buffer, writer.length(),
+                          quiche::NETWORK_BYTE_ORDER);
     QuicCryptoFrame read_frame;
     EXPECT_TRUE(
         QuicFramerPeer::ProcessCryptoFrame(&framer_, &reader, &read_frame));
@@ -787,7 +796,7 @@ TEST_F(QuicIetfFramerTest, ConnectionClose) {
   // initialize a writer so that the serialized packet is placed in
   // packet_buffer.
   QuicDataWriter writer(sizeof(packet_buffer), packet_buffer,
-                        NETWORK_BYTE_ORDER);
+                        quiche::NETWORK_BYTE_ORDER);
 
   std::string test_string = "Ich Bin Ein Jelly Donut?";
   QuicConnectionCloseFrame sent_frame(QUIC_VERSION_99, QUIC_NO_ERROR,
@@ -802,7 +811,8 @@ TEST_F(QuicIetfFramerTest, ConnectionClose) {
   EXPECT_NE(0u, writer.length());
 
   // now set up a reader to read in the frame.
-  QuicDataReader reader(packet_buffer, writer.length(), NETWORK_BYTE_ORDER);
+  QuicDataReader reader(packet_buffer, writer.length(),
+                        quiche::NETWORK_BYTE_ORDER);
 
   // a QuicConnectionCloseFrame to hold the results.
   QuicConnectionCloseFrame sink_frame;
@@ -812,7 +822,7 @@ TEST_F(QuicIetfFramerTest, ConnectionClose) {
 
   // Now check that received == sent
   EXPECT_EQ(sent_frame.quic_error_code, sink_frame.quic_error_code);
-  EXPECT_EQ(sink_frame.quic_error_code, QUIC_NO_ERROR);
+  EXPECT_THAT(sink_frame.quic_error_code, IsQuicNoError());
   EXPECT_EQ(sink_frame.error_details, test_string);
   EXPECT_EQ(sink_frame.close_type, sent_frame.close_type);
   EXPECT_EQ(sent_frame.close_type, IETF_QUIC_TRANSPORT_CONNECTION_CLOSE);
@@ -824,7 +834,7 @@ TEST_F(QuicIetfFramerTest, ApplicationClose) {
   // initialize a writer so that the serialized packet is placed in
   // packet_buffer.
   QuicDataWriter writer(sizeof(packet_buffer), packet_buffer,
-                        NETWORK_BYTE_ORDER);
+                        quiche::NETWORK_BYTE_ORDER);
 
   std::string test_string = "Ich Bin Ein Jelly Donut?";
   QuicConnectionCloseFrame sent_frame(QUIC_VERSION_99, QUIC_LAST_ERROR,
@@ -839,7 +849,8 @@ TEST_F(QuicIetfFramerTest, ApplicationClose) {
   EXPECT_NE(0u, writer.length());
 
   // now set up a reader to read in the frame.
-  QuicDataReader reader(packet_buffer, writer.length(), NETWORK_BYTE_ORDER);
+  QuicDataReader reader(packet_buffer, writer.length(),
+                        quiche::NETWORK_BYTE_ORDER);
 
   // a QuicConnectionCloseFrame to hold the results.
   QuicConnectionCloseFrame sink_frame;
@@ -1061,7 +1072,7 @@ TEST_F(QuicIetfFramerTest, AckFrameNoRanges) {
   // Make a writer so that the serialized packet is placed in
   // packet_buffer.
   QuicDataWriter writer(sizeof(packet_buffer), packet_buffer,
-                        NETWORK_BYTE_ORDER);
+                        quiche::NETWORK_BYTE_ORDER);
 
   QuicAckFrame transmit_frame;
   transmit_frame.largest_acked = QuicPacketNumber(1);
@@ -1085,7 +1096,8 @@ TEST_F(QuicIetfFramerTest, AckFrameNoRanges) {
   EXPECT_EQ(0, memcmp(packet, packet_buffer, writer.length()));
 
   // Now set up a reader to read in the frame.
-  QuicDataReader reader(packet_buffer, writer.length(), NETWORK_BYTE_ORDER);
+  QuicDataReader reader(packet_buffer, writer.length(),
+                        quiche::NETWORK_BYTE_ORDER);
 
   // an AckFrame to hold the results
   QuicAckFrame receive_frame;
@@ -1150,7 +1162,7 @@ TEST_F(QuicIetfFramerTest, StopSendingFrame) {
   // Make a writer so that the serialized packet is placed in
   // packet_buffer.
   QuicDataWriter writer(sizeof(packet_buffer), packet_buffer,
-                        NETWORK_BYTE_ORDER);
+                        quiche::NETWORK_BYTE_ORDER);
 
   QuicStopSendingFrame transmit_frame;
   transmit_frame.stream_id = 12345;
@@ -1164,7 +1176,8 @@ TEST_F(QuicIetfFramerTest, StopSendingFrame) {
   EXPECT_LE(3u, writer.length());
   EXPECT_GE(10u, writer.length());
 
-  QuicDataReader reader(packet_buffer, writer.length(), NETWORK_BYTE_ORDER);
+  QuicDataReader reader(packet_buffer, writer.length(),
+                        quiche::NETWORK_BYTE_ORDER);
 
   // A frame to hold the results
   QuicStopSendingFrame receive_frame;
@@ -1190,7 +1203,7 @@ TEST_F(QuicIetfFramerTest, MaxDataFrame) {
 
     // Set up the writer and transmit QuicWindowUpdateFrame
     QuicDataWriter writer(sizeof(packet_buffer), packet_buffer,
-                          NETWORK_BYTE_ORDER);
+                          quiche::NETWORK_BYTE_ORDER);
     QuicWindowUpdateFrame transmit_frame(0, 99, window_size);
 
     // Add the frame.
@@ -1202,7 +1215,8 @@ TEST_F(QuicIetfFramerTest, MaxDataFrame) {
     EXPECT_GE(8u, writer.length());
 
     // Set up reader and an empty QuicWindowUpdateFrame
-    QuicDataReader reader(packet_buffer, writer.length(), NETWORK_BYTE_ORDER);
+    QuicDataReader reader(packet_buffer, writer.length(),
+                          quiche::NETWORK_BYTE_ORDER);
     QuicWindowUpdateFrame receive_frame;
 
     // Deframe it
@@ -1210,8 +1224,8 @@ TEST_F(QuicIetfFramerTest, MaxDataFrame) {
         QuicFramerPeer::ProcessMaxDataFrame(&framer_, &reader, &receive_frame));
 
     // Now check that the received data equals the sent data.
-    EXPECT_EQ(transmit_frame.byte_offset, window_size);
-    EXPECT_EQ(transmit_frame.byte_offset, receive_frame.byte_offset);
+    EXPECT_EQ(transmit_frame.max_data, window_size);
+    EXPECT_EQ(transmit_frame.max_data, receive_frame.max_data);
     EXPECT_EQ(QuicUtils::GetInvalidStreamId(framer_.transport_version()),
               receive_frame.stream_id);
   }
@@ -1231,7 +1245,7 @@ TEST_F(QuicIetfFramerTest, MaxStreamDataFrame) {
 
       // Set up the writer and transmit QuicWindowUpdateFrame
       QuicDataWriter writer(sizeof(packet_buffer), packet_buffer,
-                            NETWORK_BYTE_ORDER);
+                            quiche::NETWORK_BYTE_ORDER);
       QuicWindowUpdateFrame transmit_frame(0, stream_id, window_size);
 
       // Add the frame.
@@ -1243,7 +1257,8 @@ TEST_F(QuicIetfFramerTest, MaxStreamDataFrame) {
       EXPECT_GE(16u, writer.length());
 
       // Set up reader and empty receive QuicPaddingFrame.
-      QuicDataReader reader(packet_buffer, writer.length(), NETWORK_BYTE_ORDER);
+      QuicDataReader reader(packet_buffer, writer.length(),
+                            quiche::NETWORK_BYTE_ORDER);
       QuicWindowUpdateFrame receive_frame;
 
       // Deframe it
@@ -1251,8 +1266,8 @@ TEST_F(QuicIetfFramerTest, MaxStreamDataFrame) {
                                                             &receive_frame));
 
       // Now check that received data and sent data are equal.
-      EXPECT_EQ(transmit_frame.byte_offset, window_size);
-      EXPECT_EQ(transmit_frame.byte_offset, receive_frame.byte_offset);
+      EXPECT_EQ(transmit_frame.max_data, window_size);
+      EXPECT_EQ(transmit_frame.max_data, receive_frame.max_data);
       EXPECT_EQ(stream_id, receive_frame.stream_id);
       EXPECT_EQ(transmit_frame.stream_id, receive_frame.stream_id);
     }
@@ -1286,7 +1301,7 @@ TEST_F(QuicIetfFramerTest, BlockedFrame) {
 
     // Set up the writer and transmit QuicBlockedFrame
     QuicDataWriter writer(sizeof(packet_buffer), packet_buffer,
-                          NETWORK_BYTE_ORDER);
+                          quiche::NETWORK_BYTE_ORDER);
     QuicBlockedFrame transmit_frame(
         0, QuicUtils::GetInvalidStreamId(framer_.transport_version()), offset);
 
@@ -1299,7 +1314,8 @@ TEST_F(QuicIetfFramerTest, BlockedFrame) {
     EXPECT_GE(8u, writer.length());
 
     // Set up reader and empty receive QuicFrame.
-    QuicDataReader reader(packet_buffer, writer.length(), NETWORK_BYTE_ORDER);
+    QuicDataReader reader(packet_buffer, writer.length(),
+                          quiche::NETWORK_BYTE_ORDER);
     QuicBlockedFrame receive_frame;
 
     // Deframe it
@@ -1328,7 +1344,7 @@ TEST_F(QuicIetfFramerTest, StreamBlockedFrame) {
 
       // Set up the writer and transmit QuicWindowUpdateFrame
       QuicDataWriter writer(sizeof(packet_buffer), packet_buffer,
-                            NETWORK_BYTE_ORDER);
+                            quiche::NETWORK_BYTE_ORDER);
       QuicBlockedFrame transmit_frame(0, stream_id, offset);
 
       // Add the frame.
@@ -1340,7 +1356,8 @@ TEST_F(QuicIetfFramerTest, StreamBlockedFrame) {
       EXPECT_GE(16u, writer.length());
 
       // Set up reader and empty receive QuicPaddingFrame.
-      QuicDataReader reader(packet_buffer, writer.length(), NETWORK_BYTE_ORDER);
+      QuicDataReader reader(packet_buffer, writer.length(),
+                            quiche::NETWORK_BYTE_ORDER);
       QuicBlockedFrame receive_frame;
 
       // Deframe it
@@ -1398,7 +1415,7 @@ TEST_F(QuicIetfFramerTest, NewConnectionIdFrame) {
 
   // Set up the writer and transmit a QuicNewConnectionIdFrame
   QuicDataWriter writer(sizeof(packet_buffer), packet_buffer,
-                        NETWORK_BYTE_ORDER);
+                        quiche::NETWORK_BYTE_ORDER);
 
   // Add the frame.
   EXPECT_TRUE(QuicFramerPeer::AppendNewConnectionIdFrame(
@@ -1424,7 +1441,8 @@ TEST_F(QuicIetfFramerTest, NewConnectionIdFrame) {
   EXPECT_EQ(0, memcmp(packet_buffer, packet, sizeof(packet)));
 
   // Set up reader and empty receive QuicPaddingFrame.
-  QuicDataReader reader(packet_buffer, writer.length(), NETWORK_BYTE_ORDER);
+  QuicDataReader reader(packet_buffer, writer.length(),
+                        quiche::NETWORK_BYTE_ORDER);
   QuicNewConnectionIdFrame receive_frame;
 
   // Deframe it
@@ -1449,7 +1467,7 @@ TEST_F(QuicIetfFramerTest, RetireConnectionIdFrame) {
 
   // Set up the writer and transmit QuicRetireConnectionIdFrame
   QuicDataWriter writer(sizeof(packet_buffer), packet_buffer,
-                        NETWORK_BYTE_ORDER);
+                        quiche::NETWORK_BYTE_ORDER);
 
   // Add the frame.
   EXPECT_TRUE(QuicFramerPeer::AppendRetireConnectionIdFrame(
@@ -1466,7 +1484,8 @@ TEST_F(QuicIetfFramerTest, RetireConnectionIdFrame) {
   EXPECT_EQ(0, memcmp(packet_buffer, packet, sizeof(packet)));
 
   // Set up reader and empty receive QuicPaddingFrame.
-  QuicDataReader reader(packet_buffer, writer.length(), NETWORK_BYTE_ORDER);
+  QuicDataReader reader(packet_buffer, writer.length(),
+                        quiche::NETWORK_BYTE_ORDER);
   QuicRetireConnectionIdFrame receive_frame;
 
   // Deframe it
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_interval.h b/chromium/net/third_party/quiche/src/quic/core/quic_interval.h
index c860e88e15e..9e87ecd051f 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_interval.h
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_interval.h
@@ -63,17 +63,19 @@
 #include <utility>
 #include <vector>
 
+#include "net/third_party/quiche/src/quic/platform/api/quic_export.h"
+
 namespace quic {
 
 template <typename T>
-class QuicInterval {
+class QUIC_NO_EXPORT QuicInterval {
  private:
   // Type trait for deriving the return type for QuicInterval::Length.  If
   // operator-() is not defined for T, then the return type is void.  This makes
   // the signature for Length compile so that the class can be used for such T,
   // but code that calls Length would still generate a compilation error.
   template <typename U>
-  class DiffTypeOrVoid {
+  class QUIC_NO_EXPORT DiffTypeOrVoid {
    private:
     template <typename V>
     static auto f(const V* v) -> decltype(*v - *v);
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_interval_set.h b/chromium/net/third_party/quiche/src/quic/core/quic_interval_set.h
index 47225287120..28153c19088 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_interval_set.h
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_interval_set.h
@@ -65,14 +65,15 @@
 namespace quic {
 
 template <typename T>
-class QuicIntervalSet {
+class QUIC_NO_EXPORT QuicIntervalSet {
  public:
   typedef QuicInterval<T> value_type;
 
  private:
-  struct IntervalLess {
+  struct QUIC_NO_EXPORT IntervalLess {
     bool operator()(const value_type& a, const value_type& b) const;
   };
+  // TODO(wub): Switch to absl::btree_set when it is available in Chromium.
   typedef std::set<value_type, IntervalLess> Set;
 
  public:
@@ -152,6 +153,49 @@ class QuicIntervalSet {
   // TODO(wub): Similar to AddOptimizedForAppend, we can also have a
   // AddOptimizedForPrepend if there is a use case.
 
+  // Remove the first interval.
+  // REQUIRES: !Empty()
+  void PopFront() {
+    DCHECK(!Empty());
+    intervals_.erase(intervals_.begin());
+  }
+
+  // Trim all values that is smaller than |value|. Which means
+  // a) If all values in an interval is smaller than |value|, the entire
+  //    interval is removed.
+  // b) If some but not all values in an interval is smaller than |value|, the
+  //    min of that interval is raised to |value|.
+  // Returns true if some intervals are trimmed.
+  bool TrimLessThan(const T& value) {
+    // Number of intervals that are fully or partially trimmed.
+    size_t num_intervals_trimmed = 0;
+
+    while (!intervals_.empty()) {
+      const_iterator first_interval = intervals_.begin();
+      if (first_interval->min() >= value) {
+        break;
+      }
+
+      ++num_intervals_trimmed;
+
+      if (first_interval->max() <= value) {
+        // a) Trim the entire interval.
+        intervals_.erase(first_interval);
+        continue;
+      }
+
+      // b) Trim a prefix of the interval.
+      //
+      // Set does not allow in-place updates due to the potential of violating
+      // its ordering requirements. But increasing the min of the first interval
+      // will not break the ordering, hence the const_cast.
+      const_cast<value_type*>(&(*first_interval))->SetMin(value);
+      break;
+    }
+
+    return num_intervals_trimmed != 0;
+  }
+
   // Returns true if this QuicIntervalSet is empty.
   bool Empty() const { return intervals_.empty(); }
 
@@ -320,7 +364,7 @@ class QuicIntervalSet {
 
  private:
   // Simple member-wise equality, since all intervals are non-empty.
-  struct NonemptyIntervalEq {
+  struct QUIC_NO_EXPORT NonemptyIntervalEq {
     bool operator()(const value_type& a, const value_type& b) const {
       return a.min() == b.min() && a.max() == b.max();
     }
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_interval_set_test.cc b/chromium/net/third_party/quiche/src/quic/core/quic_interval_set_test.cc
index 3fb483aa82a..efa8fe7e960 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_interval_set_test.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_interval_set_test.cc
@@ -191,6 +191,47 @@ TEST_F(QuicIntervalSetTest, AddOptimizedForAppend) {
   EXPECT_TRUE(Check(iset, 3, 100, 150, 199, 250, 251, 350));
 }
 
+TEST_F(QuicIntervalSetTest, PopFront) {
+  QuicIntervalSet<int> iset{{100, 200}, {400, 500}, {700, 800}};
+  EXPECT_TRUE(Check(iset, 3, 100, 200, 400, 500, 700, 800));
+
+  iset.PopFront();
+  EXPECT_TRUE(Check(iset, 2, 400, 500, 700, 800));
+
+  iset.PopFront();
+  EXPECT_TRUE(Check(iset, 1, 700, 800));
+
+  iset.PopFront();
+  EXPECT_TRUE(iset.Empty());
+}
+
+TEST_F(QuicIntervalSetTest, TrimLessThan) {
+  QuicIntervalSet<int> iset{{100, 200}, {400, 500}, {700, 800}};
+  EXPECT_TRUE(Check(iset, 3, 100, 200, 400, 500, 700, 800));
+
+  EXPECT_FALSE(iset.TrimLessThan(99));
+  EXPECT_FALSE(iset.TrimLessThan(100));
+  EXPECT_TRUE(Check(iset, 3, 100, 200, 400, 500, 700, 800));
+
+  EXPECT_TRUE(iset.TrimLessThan(101));
+  EXPECT_TRUE(Check(iset, 3, 101, 200, 400, 500, 700, 800));
+
+  EXPECT_TRUE(iset.TrimLessThan(199));
+  EXPECT_TRUE(Check(iset, 3, 199, 200, 400, 500, 700, 800));
+
+  EXPECT_TRUE(iset.TrimLessThan(450));
+  EXPECT_TRUE(Check(iset, 2, 450, 500, 700, 800));
+
+  EXPECT_TRUE(iset.TrimLessThan(500));
+  EXPECT_TRUE(Check(iset, 1, 700, 800));
+
+  EXPECT_TRUE(iset.TrimLessThan(801));
+  EXPECT_TRUE(iset.Empty());
+
+  EXPECT_FALSE(iset.TrimLessThan(900));
+  EXPECT_TRUE(iset.Empty());
+}
+
 TEST_F(QuicIntervalSetTest, QuicIntervalSetBasic) {
   // Test Add, Get, Contains and Find
   QuicIntervalSet<int> iset;
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_lru_cache.h b/chromium/net/third_party/quiche/src/quic/core/quic_lru_cache.h
index b8c78c6fd58..2ec089c820c 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_lru_cache.h
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_lru_cache.h
@@ -8,6 +8,7 @@
 #include <memory>
 
 #include "net/third_party/quiche/src/quic/platform/api/quic_containers.h"
+#include "net/third_party/quiche/src/quic/platform/api/quic_export.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_flag_utils.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_flags.h"
 
@@ -18,7 +19,7 @@ namespace quic {
 // Value* returned by Lookup() can be invalid if the entry is evicted by other
 // threads.
 template <class K, class V>
-class QuicLRUCache {
+class QUIC_NO_EXPORT QuicLRUCache {
  public:
   explicit QuicLRUCache(size_t capacity) : capacity_(capacity) {}
   QuicLRUCache(const QuicLRUCache&) = delete;
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_mtu_discovery.cc b/chromium/net/third_party/quiche/src/quic/core/quic_mtu_discovery.cc
index c89b41a92b4..bbf18b6d7a6 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_mtu_discovery.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_mtu_discovery.cc
@@ -77,10 +77,8 @@ QuicPacketLength QuicConnectionMtuDiscoverer::GetUpdatedMtuProbeSize(
     // The next probe packet is as big as the previous one. Assuming the
     // previous one exceeded MTU, we need to decrease the probe packet length.
     max_probe_length_ = probe_packet_length;
-    QUIC_RELOADABLE_FLAG_COUNT_N(quic_mtu_discovery_v2, 1, 3);
   } else {
     DCHECK_GT(probe_packet_length, last_probe_length_);
-    QUIC_RELOADABLE_FLAG_COUNT_N(quic_mtu_discovery_v2, 2, 3);
   }
   last_probe_length_ = next_probe_packet_length();
 
@@ -125,7 +123,6 @@ void QuicConnectionMtuDiscoverer::OnMaxPacketLengthUpdated(
 
   DCHECK_EQ(old_value, min_probe_length_);
   min_probe_length_ = new_value;
-  QUIC_RELOADABLE_FLAG_COUNT_N(quic_mtu_discovery_v2, 3, 3);
 }
 
 std::ostream& operator<<(std::ostream& os,
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_one_block_arena.h b/chromium/net/third_party/quiche/src/quic/core/quic_one_block_arena.h
index c76a70f2f8a..41842f35963 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_one_block_arena.h
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_one_block_arena.h
@@ -20,7 +20,7 @@
 namespace quic {
 
 template <uint32_t ArenaSize>
-class QuicOneBlockArena {
+class QUIC_EXPORT_PRIVATE QuicOneBlockArena {
   static const uint32_t kMaxAlign = 8;
 
  public:
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_packet_creator.cc b/chromium/net/third_party/quiche/src/quic/core/quic_packet_creator.cc
index 07fa4b15a5c..f95fe638ada 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_packet_creator.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_packet_creator.cc
@@ -11,7 +11,9 @@
 #include <utility>
 
 #include "net/third_party/quiche/src/quic/core/crypto/crypto_protocol.h"
+#include "net/third_party/quiche/src/quic/core/frames/quic_frame.h"
 #include "net/third_party/quiche/src/quic/core/frames/quic_path_challenge_frame.h"
+#include "net/third_party/quiche/src/quic/core/frames/quic_stream_frame.h"
 #include "net/third_party/quiche/src/quic/core/quic_connection_id.h"
 #include "net/third_party/quiche/src/quic/core/quic_constants.h"
 #include "net/third_party/quiche/src/quic/core/quic_data_writer.h"
@@ -51,6 +53,38 @@ QuicLongHeaderType EncryptionlevelToLongHeaderType(EncryptionLevel level) {
   }
 }
 
+// ScopedPacketContextSwitcher saves |packet|'s states and change states
+// during its construction. When the switcher goes out of scope, it restores
+// saved states.
+class ScopedPacketContextSwitcher {
+ public:
+  ScopedPacketContextSwitcher(QuicPacketNumber packet_number,
+                              QuicPacketNumberLength packet_number_length,
+                              EncryptionLevel encryption_level,
+                              SerializedPacket* packet)
+
+      : saved_packet_number_(packet->packet_number),
+        saved_packet_number_length_(packet->packet_number_length),
+        saved_encryption_level_(packet->encryption_level),
+        packet_(packet) {
+    packet_->packet_number = packet_number,
+    packet_->packet_number_length = packet_number_length;
+    packet_->encryption_level = encryption_level;
+  }
+
+  ~ScopedPacketContextSwitcher() {
+    packet_->packet_number = saved_packet_number_;
+    packet_->packet_number_length = saved_packet_number_length_;
+    packet_->encryption_level = saved_encryption_level_;
+  }
+
+ private:
+  const QuicPacketNumber saved_packet_number_;
+  const QuicPacketNumberLength saved_packet_number_length_;
+  const EncryptionLevel saved_encryption_level_;
+  SerializedPacket* packet_;
+};
+
 }  // namespace
 
 #define ENDPOINT \
@@ -87,16 +121,11 @@ QuicPacketCreator::QuicPacketCreator(QuicConnectionId server_connection_id,
               false),
       pending_padding_bytes_(0),
       needs_full_padding_(false),
-      can_set_transmission_type_(false),
       next_transmission_type_(NOT_RETRANSMISSION),
       flusher_attached_(false),
       fully_pad_crypto_handshake_packets_(true),
-      combine_generator_and_creator_(
-          GetQuicReloadableFlag(quic_combine_generator_and_creator)) {
+      latched_hard_max_packet_length_(0) {
   SetMaxPacketLength(kDefaultMaxPacketSize);
-  if (combine_generator_and_creator_) {
-    QUIC_RELOADABLE_FLAG_COUNT(quic_combine_generator_and_creator);
-  }
 }
 
 QuicPacketCreator::~QuicPacketCreator() {
@@ -130,6 +159,25 @@ void QuicPacketCreator::SetMaxPacketLength(QuicByteCount length) {
       << "Attempted to set max packet length too small";
 }
 
+void QuicPacketCreator::SetSoftMaxPacketLength(QuicByteCount length) {
+  DCHECK(CanSetMaxPacketLength());
+  if (length > max_packet_length_) {
+    QUIC_BUG << ENDPOINT
+             << "Try to increase max_packet_length_ in "
+                "SetSoftMaxPacketLength, use SetMaxPacketLength instead.";
+    return;
+  }
+  if (framer_->GetMaxPlaintextSize(length) <
+      PacketHeaderSize() + MinPlaintextPacketSize(framer_->version())) {
+    QUIC_DLOG(INFO) << length << " is too small to fit packet header";
+    return;
+  }
+  QUIC_DVLOG(1) << "Setting soft max packet length to: " << length;
+  latched_hard_max_packet_length_ = max_packet_length_;
+  max_packet_length_ = length;
+  max_plaintext_size_ = framer_->GetMaxPlaintextSize(length);
+}
+
 // Stops serializing version of the protocol in packets sent after this call.
 // A packet that is already open might send kQuicVersionSize bytes less than the
 // maximum packet size if we stop sending version before it is serialized.
@@ -216,8 +264,7 @@ bool QuicPacketCreator::ConsumeCryptoDataToFillCurrentPacket(
   if (needs_full_padding) {
     needs_full_padding_ = true;
   }
-  return AddFrame(*frame, /*save_retransmittable_frames*/ true,
-                  transmission_type);
+  return AddFrame(*frame, transmission_type);
 }
 
 bool QuicPacketCreator::ConsumeDataToFillCurrentPacket(
@@ -244,8 +291,7 @@ bool QuicPacketCreator::ConsumeDataToFillCurrentPacket(
     delegate_->OnUnrecoverableError(QUIC_CRYPTO_CHLO_TOO_LARGE, error_details);
     return false;
   }
-  if (!AddFrame(*frame, /*save_retransmittable_frames=*/true,
-                transmission_type)) {
+  if (!AddFrame(*frame, transmission_type)) {
     // Fails if we try to write unencrypted stream data.
     return false;
   }
@@ -259,14 +305,28 @@ bool QuicPacketCreator::ConsumeDataToFillCurrentPacket(
 bool QuicPacketCreator::HasRoomForStreamFrame(QuicStreamId id,
                                               QuicStreamOffset offset,
                                               size_t data_size) {
-  return BytesFree() >
-         QuicFramer::GetMinStreamFrameSize(framer_->transport_version(), id,
-                                           offset, true, data_size);
+  const size_t min_stream_frame_size = QuicFramer::GetMinStreamFrameSize(
+      framer_->transport_version(), id, offset, /*last_frame_in_packet=*/true,
+      data_size);
+  if (BytesFree() > min_stream_frame_size) {
+    return true;
+  }
+  if (!RemoveSoftMaxPacketLength()) {
+    return false;
+  }
+  return BytesFree() > min_stream_frame_size;
 }
 
 bool QuicPacketCreator::HasRoomForMessageFrame(QuicByteCount length) {
-  return BytesFree() >= QuicFramer::GetMessageFrameSize(
-                            framer_->transport_version(), true, length);
+  const size_t message_frame_size = QuicFramer::GetMessageFrameSize(
+      framer_->transport_version(), /*last_frame_in_packet=*/true, length);
+  if (BytesFree() >= message_frame_size) {
+    return true;
+  }
+  if (!RemoveSoftMaxPacketLength()) {
+    return false;
+  }
+  return BytesFree() >= message_frame_size;
 }
 
 // TODO(fkastenholz): this method should not use constant values for
@@ -352,7 +412,8 @@ bool QuicPacketCreator::CreateCryptoFrame(EncryptionLevel level,
                                           QuicFrame* frame) {
   size_t min_frame_size =
       QuicFramer::GetMinCryptoFrameSize(write_length, offset);
-  if (BytesFree() <= min_frame_size) {
+  if (BytesFree() <= min_frame_size &&
+      (!RemoveSoftMaxPacketLength() || BytesFree() <= min_frame_size)) {
     return false;
   }
   size_t max_write_length = BytesFree() - min_frame_size;
@@ -361,49 +422,6 @@ bool QuicPacketCreator::CreateCryptoFrame(EncryptionLevel level,
   return true;
 }
 
-void QuicPacketCreator::ReserializeAllFrames(
-    const QuicPendingRetransmission& retransmission,
-    char* buffer,
-    size_t buffer_len) {
-  DCHECK(queued_frames_.empty());
-  DCHECK_EQ(0, packet_.num_padding_bytes);
-  QUIC_BUG_IF(retransmission.retransmittable_frames.empty())
-      << "Attempt to serialize empty packet";
-  const EncryptionLevel default_encryption_level = packet_.encryption_level;
-
-  // Temporarily set the packet number length and change the encryption level.
-  packet_.packet_number_length = retransmission.packet_number_length;
-  if (retransmission.num_padding_bytes == -1) {
-    // Only retransmit padding when original packet needs full padding. Padding
-    // from pending_padding_bytes_ are not retransmitted.
-    needs_full_padding_ = true;
-  }
-  // Only preserve the original encryption level if it's a handshake packet or
-  // if we haven't gone forward secure.
-  if (retransmission.has_crypto_handshake ||
-      packet_.encryption_level != ENCRYPTION_FORWARD_SECURE) {
-    packet_.encryption_level = retransmission.encryption_level;
-  }
-
-  // Serialize the packet and restore packet number length state.
-  for (const QuicFrame& frame : retransmission.retransmittable_frames) {
-    bool success = AddFrame(frame, false, retransmission.transmission_type);
-    QUIC_BUG_IF(!success) << " Failed to add frame of type:" << frame.type
-                          << " num_frames:"
-                          << retransmission.retransmittable_frames.size()
-                          << " retransmission.packet_number_length:"
-                          << retransmission.packet_number_length
-                          << " packet_.packet_number_length:"
-                          << packet_.packet_number_length;
-  }
-  packet_.transmission_type = retransmission.transmission_type;
-  SerializePacket(buffer, buffer_len);
-  packet_.original_packet_number = retransmission.packet_number;
-  OnSerializedPacket();
-  // Restore old values.
-  packet_.encryption_level = default_encryption_level;
-}
-
 void QuicPacketCreator::FlushCurrentPacket() {
   if (!HasPendingFrames() && pending_padding_bytes_ == 0) {
     return;
@@ -430,6 +448,7 @@ void QuicPacketCreator::OnSerializedPacket() {
 
   SerializedPacket packet(std::move(packet_));
   ClearPacket();
+  RemoveSoftMaxPacketLength();
   delegate_->OnSerializedPacket(&packet);
 }
 
@@ -438,15 +457,62 @@ void QuicPacketCreator::ClearPacket() {
   packet_.has_stop_waiting = false;
   packet_.has_crypto_handshake = NOT_HANDSHAKE;
   packet_.num_padding_bytes = 0;
-  packet_.original_packet_number.Clear();
   packet_.transmission_type = NOT_RETRANSMISSION;
   packet_.encrypted_buffer = nullptr;
   packet_.encrypted_length = 0;
   DCHECK(packet_.retransmittable_frames.empty());
+  DCHECK(packet_.nonretransmittable_frames.empty());
   packet_.largest_acked.Clear();
   needs_full_padding_ = false;
 }
 
+size_t QuicPacketCreator::ReserializeInitialPacketInCoalescedPacket(
+    const SerializedPacket& packet,
+    size_t padding_size,
+    char* buffer,
+    size_t buffer_len) {
+  QUIC_BUG_IF(packet.encryption_level != ENCRYPTION_INITIAL);
+  QUIC_BUG_IF(packet.nonretransmittable_frames.empty() &&
+              packet.retransmittable_frames.empty())
+      << "Attempt to serialize empty ENCRYPTION_INITIAL packet in coalesced "
+         "packet";
+  ScopedPacketContextSwitcher switcher(
+      packet.packet_number -
+          1,  // -1 because serialize packet increase packet number.
+      packet.packet_number_length, packet.encryption_level, &packet_);
+  for (const QuicFrame& frame : packet.nonretransmittable_frames) {
+    if (!AddFrame(frame, packet.transmission_type)) {
+      QUIC_BUG << "Failed to serialize frame: " << frame;
+      return 0;
+    }
+  }
+  for (const QuicFrame& frame : packet.retransmittable_frames) {
+    if (!AddFrame(frame, packet.transmission_type)) {
+      QUIC_BUG << "Failed to serialize frame: " << frame;
+      return 0;
+    }
+  }
+  // Add necessary padding.
+  if (padding_size > 0) {
+    QUIC_DVLOG(2) << ENDPOINT << "Add padding of size: " << padding_size;
+    if (!AddFrame(QuicFrame(QuicPaddingFrame(padding_size)),
+                  packet.transmission_type)) {
+      QUIC_BUG << "Failed to add padding of size " << padding_size
+               << " when serializing ENCRYPTION_INITIAL "
+                  "packet in coalesced packet";
+      return 0;
+    }
+  }
+  SerializePacket(buffer, buffer_len);
+  const size_t encrypted_length = packet_.encrypted_length;
+  // Clear frames in packet_. No need to DeleteFrames since frames are owned by
+  // initial_packet.
+  packet_.retransmittable_frames.clear();
+  packet_.nonretransmittable_frames.clear();
+  ClearPacket();
+  return encrypted_length;
+}
+
 void QuicPacketCreator::CreateAndSerializeStreamFrame(
     QuicStreamId id,
     size_t write_length,
@@ -530,9 +596,7 @@ void QuicPacketCreator::CreateAndSerializeStreamFrame(
     return;
   }
 
-  if (can_set_transmission_type()) {
-    packet_.transmission_type = transmission_type;
-  }
+  packet_.transmission_type = transmission_type;
 
   size_t encrypted_length = framer_->EncryptInPlace(
       packet_.encryption_level, packet_.packet_number,
@@ -606,17 +670,10 @@ size_t QuicPacketCreator::PacketSize() {
   return packet_size_;
 }
 
-bool QuicPacketCreator::AddSavedFrame(const QuicFrame& frame,
-                                      TransmissionType transmission_type) {
-  return AddFrame(frame, /*save_retransmittable_frames=*/true,
-                  transmission_type);
-}
-
 bool QuicPacketCreator::AddPaddedSavedFrame(
     const QuicFrame& frame,
     TransmissionType transmission_type) {
-  if (AddFrame(frame, /*save_retransmittable_frames=*/true,
-               transmission_type)) {
+  if (AddFrame(frame, transmission_type)) {
     needs_full_padding_ = true;
     return true;
   }
@@ -635,7 +692,8 @@ void QuicPacketCreator::SerializePacket(char* encrypted_buffer,
   MaybeAddPadding();
 
   QUIC_DVLOG(2) << ENDPOINT << "Serializing packet " << header
-                << QuicFramesToString(queued_frames_);
+                << QuicFramesToString(queued_frames_) << " at encryption_level "
+                << EncryptionLevelToString(packet_.encryption_level);
 
   DCHECK_GE(max_plaintext_size_, packet_size_);
   // Use the packet_size_ instead of the buffer size to ensure smaller
@@ -694,6 +752,7 @@ OwningSerializedPacketPointer
 QuicPacketCreator::SerializeConnectivityProbingPacket() {
   QUIC_BUG_IF(VersionHasIetfQuicFrames(framer_->transport_version()))
       << "Must not be version 99 to serialize padded ping connectivity probe";
+  RemoveSoftMaxPacketLength();
   QuicPacketHeader header;
   // FillPacketHeader increments packet_number_.
   FillPacketHeader(&header);
@@ -729,6 +788,7 @@ QuicPacketCreator::SerializePathChallengeConnectivityProbingPacket(
       << "Must be version 99 to serialize path challenge connectivity probe, "
          "is version "
       << framer_->transport_version();
+  RemoveSoftMaxPacketLength();
   QuicPacketHeader header;
   // FillPacketHeader increments packet_number_.
   FillPacketHeader(&header);
@@ -765,6 +825,7 @@ QuicPacketCreator::SerializePathResponseConnectivityProbingPacket(
       << "Must be version 99 to serialize path response connectivity probe, is "
          "version "
       << framer_->transport_version();
+  RemoveSoftMaxPacketLength();
   QuicPacketHeader header;
   // FillPacketHeader increments packet_number_.
   FillPacketHeader(&header);
@@ -879,6 +940,44 @@ size_t QuicPacketCreator::BuildConnectivityProbingPacket(
   return framer_->BuildDataPacket(header, frames, buffer, packet_length, level);
 }
 
+size_t QuicPacketCreator::SerializeCoalescedPacket(
+    const QuicCoalescedPacket& coalesced,
+    char* buffer,
+    size_t buffer_len) {
+  QUIC_BUG_IF(packet_.num_padding_bytes != 0);
+  if (HasPendingFrames()) {
+    QUIC_BUG << "Try to serialize coalesced packet with pending frames";
+    return 0;
+  }
+  RemoveSoftMaxPacketLength();
+  QUIC_BUG_IF(coalesced.length() == 0)
+      << "Attempt to serialize empty coalesced packet";
+  size_t packet_length = 0;
+  if (coalesced.initial_packet() != nullptr) {
+    size_t initial_length = ReserializeInitialPacketInCoalescedPacket(
+        *coalesced.initial_packet(),
+        /*padding_size=*/coalesced.max_packet_length() - coalesced.length(),
+        buffer, buffer_len);
+    if (initial_length == 0) {
+      QUIC_BUG << "Failed to reserialize ENCRYPTION_INITIAL packet in "
+                  "coalesced packet";
+      return 0;
+    }
+    buffer += initial_length;
+    buffer_len -= initial_length;
+    packet_length += initial_length;
+  }
+  size_t length_copied = 0;
+  if (!coalesced.CopyEncryptedBuffers(buffer, buffer_len, &length_copied)) {
+    return 0;
+  }
+  packet_length += length_copied;
+  QUIC_DVLOG(1) << ENDPOINT
+                << "Successfully serialized coalesced packet of length: "
+                << packet_length;
+  return packet_length;
+}
+
 // TODO(b/74062209): Make this a public method of framer?
 SerializedPacket QuicPacketCreator::NoPacket() {
   return SerializedPacket(QuicPacketNumber(), PACKET_1BYTE_PACKET_NUMBER,
@@ -985,13 +1084,12 @@ void QuicPacketCreator::SetRetryToken(QuicStringPiece retry_token) {
 
 bool QuicPacketCreator::ConsumeRetransmittableControlFrame(
     const QuicFrame& frame) {
-  DCHECK(combine_generator_and_creator_);
   QUIC_BUG_IF(IsControlFrame(frame.type) && !GetControlFrameId(frame))
       << "Adding a control frame with no control frame id: " << frame;
   DCHECK(QuicUtils::IsRetransmittableFrame(frame.type)) << frame;
   MaybeBundleAckOpportunistically();
   if (HasPendingFrames()) {
-    if (AddSavedFrame(frame, next_transmission_type_)) {
+    if (AddFrame(frame, next_transmission_type_)) {
       // There is pending frames and current frame fits.
       return true;
     }
@@ -1003,7 +1101,7 @@ bool QuicPacketCreator::ConsumeRetransmittableControlFrame(
     // Do not check congestion window for ping or connection close frames.
     return false;
   }
-  const bool success = AddSavedFrame(frame, next_transmission_type_);
+  const bool success = AddFrame(frame, next_transmission_type_);
   QUIC_BUG_IF(!success) << "Failed to add frame:" << frame
                         << " transmission_type:" << next_transmission_type_;
   return success;
@@ -1013,7 +1111,6 @@ QuicConsumedData QuicPacketCreator::ConsumeData(QuicStreamId id,
                                                 size_t write_length,
                                                 QuicStreamOffset offset,
                                                 StreamSendingState state) {
-  DCHECK(combine_generator_and_creator_);
   QUIC_BUG_IF(!flusher_attached_) << "Packet flusher is not attached when "
                                      "generator tries to write stream data.";
   bool has_handshake = QuicUtils::IsCryptoStreamId(transport_version(), id);
@@ -1042,7 +1139,8 @@ QuicConsumedData QuicPacketCreator::ConsumeData(QuicStreamId id,
   // the slow path loop.
   bool run_fast_path =
       !has_handshake && state != FIN_AND_PADDING && !HasPendingFrames() &&
-      write_length - total_bytes_consumed > kMaxOutgoingPacketSize;
+      write_length - total_bytes_consumed > kMaxOutgoingPacketSize &&
+      latched_hard_max_packet_length_ == 0;
 
   while (!run_fast_path && delegate_->ShouldGeneratePacket(
                                HAS_RETRANSMITTABLE_DATA,
@@ -1081,7 +1179,8 @@ QuicConsumedData QuicPacketCreator::ConsumeData(QuicStreamId id,
 
     run_fast_path =
         !has_handshake && state != FIN_AND_PADDING && !HasPendingFrames() &&
-        write_length - total_bytes_consumed > kMaxOutgoingPacketSize;
+        write_length - total_bytes_consumed > kMaxOutgoingPacketSize &&
+        latched_hard_max_packet_length_ == 0;
   }
 
   if (run_fast_path) {
@@ -1103,7 +1202,6 @@ QuicConsumedData QuicPacketCreator::ConsumeDataFastPath(
     QuicStreamOffset offset,
     bool fin,
     size_t total_bytes_consumed) {
-  DCHECK(combine_generator_and_creator_);
   DCHECK(!QuicUtils::IsCryptoStreamId(transport_version(), id));
 
   while (total_bytes_consumed < write_length &&
@@ -1114,6 +1212,19 @@ QuicConsumedData QuicPacketCreator::ConsumeDataFastPath(
     CreateAndSerializeStreamFrame(id, write_length, total_bytes_consumed,
                                   offset + total_bytes_consumed, fin,
                                   next_transmission_type_, &bytes_consumed);
+    if (GetQuicReloadableFlag(
+            quic_close_connection_on_failed_consume_data_fast_path)) {
+      QUIC_RELOADABLE_FLAG_COUNT(
+          quic_close_connection_on_failed_consume_data_fast_path);
+      if (bytes_consumed == 0) {
+        const std::string error_details =
+            "Failed in CreateAndSerializeStreamFrame.";
+        QUIC_BUG << error_details;
+        delegate_->OnUnrecoverableError(QUIC_FAILED_TO_SERIALIZE_PACKET,
+                                        error_details);
+        break;
+      }
+    }
     total_bytes_consumed += bytes_consumed;
   }
 
@@ -1124,7 +1235,6 @@ QuicConsumedData QuicPacketCreator::ConsumeDataFastPath(
 size_t QuicPacketCreator::ConsumeCryptoData(EncryptionLevel level,
                                             size_t write_length,
                                             QuicStreamOffset offset) {
-  DCHECK(combine_generator_and_creator_);
   QUIC_BUG_IF(!flusher_attached_) << "Packet flusher is not attached when "
                                      "generator tries to write crypto data.";
   MaybeBundleAckOpportunistically();
@@ -1162,7 +1272,6 @@ size_t QuicPacketCreator::ConsumeCryptoData(EncryptionLevel level,
 }
 
 void QuicPacketCreator::GenerateMtuDiscoveryPacket(QuicByteCount target_mtu) {
-  DCHECK(combine_generator_and_creator_);
   // MTU discovery frames must be sent by themselves.
   if (!CanSetMaxPacketLength()) {
     QUIC_BUG << "MTU discovery packets should only be sent when no other "
@@ -1190,7 +1299,6 @@ void QuicPacketCreator::GenerateMtuDiscoveryPacket(QuicByteCount target_mtu) {
 }
 
 void QuicPacketCreator::MaybeBundleAckOpportunistically() {
-  DCHECK(combine_generator_and_creator_);
   if (has_ack()) {
     // Ack already queued, nothing to do.
     return;
@@ -1206,13 +1314,12 @@ void QuicPacketCreator::MaybeBundleAckOpportunistically() {
 }
 
 bool QuicPacketCreator::FlushAckFrame(const QuicFrames& frames) {
-  DCHECK(combine_generator_and_creator_);
   QUIC_BUG_IF(!flusher_attached_) << "Packet flusher is not attached when "
                                      "generator tries to send ACK frame.";
   for (const auto& frame : frames) {
     DCHECK(frame.type == ACK_FRAME || frame.type == STOP_WAITING_FRAME);
     if (HasPendingFrames()) {
-      if (AddSavedFrame(frame, next_transmission_type_)) {
+      if (AddFrame(frame, next_transmission_type_)) {
         // There is pending frames and current frame fits.
         continue;
       }
@@ -1224,19 +1331,17 @@ bool QuicPacketCreator::FlushAckFrame(const QuicFrames& frames) {
                                          NOT_HANDSHAKE)) {
       return false;
     }
-    const bool success = AddSavedFrame(frame, next_transmission_type_);
+    const bool success = AddFrame(frame, next_transmission_type_);
     QUIC_BUG_IF(!success) << "Failed to flush " << frame;
   }
   return true;
 }
 
 void QuicPacketCreator::AddRandomPadding() {
-  DCHECK(combine_generator_and_creator_);
   AddPendingPadding(random_->RandUint64() % kMaxNumRandomPaddingBytes + 1);
 }
 
 void QuicPacketCreator::AttachPacketFlusher() {
-  DCHECK(combine_generator_and_creator_);
   flusher_attached_ = true;
   if (!write_start_packet_number_.IsInitialized()) {
     write_start_packet_number_ = NextSendingPacketNumber();
@@ -1244,7 +1349,6 @@ void QuicPacketCreator::AttachPacketFlusher() {
 }
 
 void QuicPacketCreator::Flush() {
-  DCHECK(combine_generator_and_creator_);
   FlushCurrentPacket();
   SendRemainingPendingPadding();
   flusher_attached_ = false;
@@ -1262,7 +1366,6 @@ void QuicPacketCreator::Flush() {
 }
 
 void QuicPacketCreator::SendRemainingPendingPadding() {
-  DCHECK(combine_generator_and_creator_);
   while (
       pending_padding_bytes() > 0 && !HasPendingFrames() &&
       delegate_->ShouldGeneratePacket(NO_RETRANSMITTABLE_DATA, NOT_HANDSHAKE)) {
@@ -1271,7 +1374,6 @@ void QuicPacketCreator::SendRemainingPendingPadding() {
 }
 
 void QuicPacketCreator::SetServerConnectionIdLength(uint32_t length) {
-  DCHECK(combine_generator_and_creator_);
   if (length == 0) {
     SetServerConnectionIdIncluded(CONNECTION_ID_ABSENT);
   } else {
@@ -1280,16 +1382,11 @@ void QuicPacketCreator::SetServerConnectionIdLength(uint32_t length) {
 }
 
 void QuicPacketCreator::SetTransmissionType(TransmissionType type) {
-  DCHECK(combine_generator_and_creator_);
-  SetTransmissionTypeOfNextPackets(type);
-  if (can_set_transmission_type()) {
-    next_transmission_type_ = type;
-  }
+  next_transmission_type_ = type;
 }
 
 MessageStatus QuicPacketCreator::AddMessageFrame(QuicMessageId message_id,
                                                  QuicMemSliceSpan message) {
-  DCHECK(combine_generator_and_creator_);
   QUIC_BUG_IF(!flusher_attached_) << "Packet flusher is not attached when "
                                      "generator tries to add message frame.";
   MaybeBundleAckOpportunistically();
@@ -1301,7 +1398,7 @@ MessageStatus QuicPacketCreator::AddMessageFrame(QuicMessageId message_id,
     FlushCurrentPacket();
   }
   QuicMessageFrame* frame = new QuicMessageFrame(message_id, message);
-  const bool success = AddSavedFrame(QuicFrame(frame), next_transmission_type_);
+  const bool success = AddFrame(QuicFrame(frame), next_transmission_type_);
   if (!success) {
     QUIC_BUG << "Failed to send message " << message_id;
     delete frame;
@@ -1352,7 +1449,6 @@ void QuicPacketCreator::FillPacketHeader(QuicPacketHeader* header) {
 }
 
 bool QuicPacketCreator::AddFrame(const QuicFrame& frame,
-                                 bool save_retransmittable_frames,
                                  TransmissionType transmission_type) {
   QUIC_DVLOG(1) << ENDPOINT << "Adding frame with transmission type "
                 << TransmissionTypeToString(transmission_type) << ": " << frame;
@@ -1369,9 +1465,23 @@ bool QuicPacketCreator::AddFrame(const QuicFrame& frame,
         QUIC_ATTEMPT_TO_SEND_UNENCRYPTED_STREAM_DATA, error_details);
     return false;
   }
+
+  if (GetQuicRestartFlag(quic_coalesce_stream_frames_2) &&
+      frame.type == STREAM_FRAME &&
+      MaybeCoalesceStreamFrame(frame.stream_frame)) {
+    QUIC_RESTART_FLAG_COUNT_N(quic_coalesce_stream_frames_2, 1, 3);
+    return true;
+  }
+
   size_t frame_len = framer_->GetSerializedFrameLength(
       frame, BytesFree(), queued_frames_.empty(),
       /* last_frame_in_packet= */ true, GetPacketNumberLength());
+  if (frame_len == 0 && RemoveSoftMaxPacketLength()) {
+    // Remove soft max_packet_length and retry.
+    frame_len = framer_->GetSerializedFrameLength(
+        frame, BytesFree(), queued_frames_.empty(),
+        /* last_frame_in_packet= */ true, GetPacketNumberLength());
+  }
   if (frame_len == 0) {
     // Current open packet is full.
     FlushCurrentPacket();
@@ -1381,14 +1491,22 @@ bool QuicPacketCreator::AddFrame(const QuicFrame& frame,
 
   packet_size_ += ExpansionOnNewFrame() + frame_len;
 
-  if (save_retransmittable_frames &&
-      QuicUtils::IsRetransmittableFrame(frame.type)) {
+  if (QuicUtils::IsRetransmittableFrame(frame.type)) {
     packet_.retransmittable_frames.push_back(frame);
     queued_frames_.push_back(frame);
     if (QuicUtils::IsHandshakeFrame(frame, framer_->transport_version())) {
       packet_.has_crypto_handshake = IS_HANDSHAKE;
     }
   } else {
+    if (frame.type == PADDING_FRAME &&
+        frame.padding_frame.num_padding_bytes == -1) {
+      // Populate the actual length of full padding frame, such that one can
+      // know how much padding is actually added.
+      packet_.nonretransmittable_frames.push_back(
+          QuicFrame(QuicPaddingFrame(frame_len)));
+    } else {
+      packet_.nonretransmittable_frames.push_back(frame);
+    }
     queued_frames_.push_back(frame);
   }
 
@@ -1405,13 +1523,57 @@ bool QuicPacketCreator::AddFrame(const QuicFrame& frame,
 
   // Packet transmission type is determined by the last added retransmittable
   // frame.
-  if (can_set_transmission_type() &&
-      QuicUtils::IsRetransmittableFrame(frame.type)) {
+  if (QuicUtils::IsRetransmittableFrame(frame.type)) {
     packet_.transmission_type = transmission_type;
   }
   return true;
 }
 
+bool QuicPacketCreator::MaybeCoalesceStreamFrame(const QuicStreamFrame& frame) {
+  if (queued_frames_.empty() || queued_frames_.back().type != STREAM_FRAME) {
+    return false;
+  }
+  QuicStreamFrame* candidate = &queued_frames_.back().stream_frame;
+  if (candidate->stream_id != frame.stream_id ||
+      candidate->offset + candidate->data_length != frame.offset ||
+      frame.data_length > BytesFree()) {
+    return false;
+  }
+  candidate->data_length += frame.data_length;
+  candidate->fin = frame.fin;
+
+  // The back of retransmittable frames must be the same as the original
+  // queued frames' back.
+  DCHECK_EQ(packet_.retransmittable_frames.back().type, STREAM_FRAME);
+  QuicStreamFrame* retransmittable =
+      &packet_.retransmittable_frames.back().stream_frame;
+  DCHECK_EQ(retransmittable->stream_id, frame.stream_id);
+  DCHECK_EQ(retransmittable->offset + retransmittable->data_length,
+            frame.offset);
+  retransmittable->data_length = candidate->data_length;
+  retransmittable->fin = candidate->fin;
+  packet_size_ += frame.data_length;
+  if (debug_delegate_ != nullptr) {
+    debug_delegate_->OnStreamFrameCoalesced(*candidate);
+  }
+  return true;
+}
+
+bool QuicPacketCreator::RemoveSoftMaxPacketLength() {
+  if (latched_hard_max_packet_length_ == 0) {
+    return false;
+  }
+  if (!CanSetMaxPacketLength()) {
+    return false;
+  }
+  QUIC_DVLOG(1) << "Restoring max packet length to: "
+                << latched_hard_max_packet_length_;
+  SetMaxPacketLength(latched_hard_max_packet_length_);
+  // Reset latched_max_packet_length_.
+  latched_hard_max_packet_length_ = 0;
+  return true;
+}
+
 void QuicPacketCreator::MaybeAddPadding() {
   // The current packet should have no padding bytes because padding is only
   // added when this method is called just before the packet is serialized.
@@ -1425,6 +1587,25 @@ void QuicPacketCreator::MaybeAddPadding() {
     needs_full_padding_ = true;
   }
 
+  // Packet coalescer pads INITIAL packets, so the creator should not.
+  if (framer_->version().CanSendCoalescedPackets() &&
+      (packet_.encryption_level == ENCRYPTION_INITIAL ||
+       packet_.encryption_level == ENCRYPTION_HANDSHAKE)) {
+    // TODO(fayang): MTU discovery packets should not ever be sent as
+    // ENCRYPTION_INITIAL or ENCRYPTION_HANDSHAKE.
+    bool is_mtu_discovery = false;
+    for (const auto& frame : packet_.nonretransmittable_frames) {
+      if (frame.type == MTU_DISCOVERY_FRAME) {
+        is_mtu_discovery = true;
+        break;
+      }
+    }
+    if (!is_mtu_discovery) {
+      // Do not add full padding if connection tries to coalesce packet.
+      needs_full_padding_ = false;
+    }
+  }
+
   // Header protection requires a minimum plaintext packet size.
   size_t extra_padding_bytes = 0;
   if (framer_->version().HasHeaderProtection()) {
@@ -1456,7 +1637,7 @@ void QuicPacketCreator::MaybeAddPadding() {
         std::max<int16_t>(packet_.num_padding_bytes, extra_padding_bytes);
   }
 
-  bool success = AddFrame(QuicFrame(QuicPaddingFrame(padding_bytes)), false,
+  bool success = AddFrame(QuicFrame(QuicPaddingFrame(padding_bytes)),
                           packet_.transmission_type);
   QUIC_BUG_IF(!success) << "Failed to add padding_bytes: " << padding_bytes
                         << " transmission_type: "
@@ -1511,19 +1692,6 @@ void QuicPacketCreator::SetClientConnectionId(
   client_connection_id_ = client_connection_id;
 }
 
-void QuicPacketCreator::SetTransmissionTypeOfNextPackets(
-    TransmissionType type) {
-  DCHECK(can_set_transmission_type_);
-
-  if (!can_set_transmission_type()) {
-    QUIC_DVLOG_IF(1, type != packet_.transmission_type)
-        << ENDPOINT << "Setting Transmission type to "
-        << TransmissionTypeToString(type);
-
-    packet_.transmission_type = type;
-  }
-}
-
 QuicPacketLength QuicPacketCreator::GetCurrentLargestMessagePayload() const {
   if (!VersionSupportsMessageFrames(framer_->transport_version())) {
     return 0;
@@ -1536,8 +1704,12 @@ QuicPacketLength QuicPacketCreator::GetCurrentLargestMessagePayload() const {
       VARIABLE_LENGTH_INTEGER_LENGTH_0, 0, GetLengthLength());
   // This is the largest possible message payload when the length field is
   // omitted.
-  return max_plaintext_size_ -
-         std::min(max_plaintext_size_, packet_header_size + kQuicFrameTypeSize);
+  size_t max_plaintext_size =
+      latched_hard_max_packet_length_ == 0
+          ? max_plaintext_size_
+          : framer_->GetMaxPlaintextSize(latched_hard_max_packet_length_);
+  return max_plaintext_size -
+         std::min(max_plaintext_size, packet_header_size + kQuicFrameTypeSize);
 }
 
 QuicPacketLength QuicPacketCreator::GetGuaranteedLargestMessagePayload() const {
@@ -1566,9 +1738,13 @@ QuicPacketLength QuicPacketCreator::GetGuaranteedLargestMessagePayload() const {
       VARIABLE_LENGTH_INTEGER_LENGTH_0, 0, length_length);
   // This is the largest possible message payload when the length field is
   // omitted.
+  size_t max_plaintext_size =
+      latched_hard_max_packet_length_ == 0
+          ? max_plaintext_size_
+          : framer_->GetMaxPlaintextSize(latched_hard_max_packet_length_);
   const QuicPacketLength largest_payload =
-      max_plaintext_size_ -
-      std::min(max_plaintext_size_, packet_header_size + kQuicFrameTypeSize);
+      max_plaintext_size -
+      std::min(max_plaintext_size, packet_header_size + kQuicFrameTypeSize);
   // This must always be less than or equal to GetCurrentLargestMessagePayload.
   DCHECK_LE(largest_payload, GetCurrentLargestMessagePayload());
   return largest_payload;
@@ -1615,7 +1791,6 @@ QuicPacketNumber QuicPacketCreator::NextSendingPacketNumber() const {
 }
 
 bool QuicPacketCreator::PacketFlusherAttached() const {
-  DCHECK(combine_generator_and_creator_);
   return flusher_attached_;
 }
 
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_packet_creator.h b/chromium/net/third_party/quiche/src/quic/core/quic_packet_creator.h
index f202af0cc47..eb7b6274af3 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_packet_creator.h
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_packet_creator.h
@@ -2,8 +2,15 @@
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
-// Accumulates frames for the next packet until more frames no longer fit or
-// it's time to create a packet from them.
+// Responsible for creating packets on behalf of a QuicConnection.
+// Packets are serialized just-in-time. Stream data and control frames will be
+// requested from the Connection just-in-time. Frames are accumulated into
+// "current" packet until no more frames can fit, then current packet gets
+// serialized and passed to connection via OnSerializedPacket().
+//
+// Whether a packet should be serialized is determined by whether delegate is
+// writable. If the Delegate is not writable, then no operations will cause
+// a packet to be serialized.
 
 #ifndef QUICHE_QUIC_CORE_QUIC_PACKET_CREATOR_H_
 #define QUICHE_QUIC_CORE_QUIC_PACKET_CREATOR_H_
@@ -13,9 +20,10 @@
 #include <utility>
 #include <vector>
 
+#include "net/third_party/quiche/src/quic/core/frames/quic_stream_frame.h"
+#include "net/third_party/quiche/src/quic/core/quic_coalesced_packet.h"
 #include "net/third_party/quiche/src/quic/core/quic_framer.h"
 #include "net/third_party/quiche/src/quic/core/quic_packets.h"
-#include "net/third_party/quiche/src/quic/core/quic_pending_retransmission.h"
 #include "net/third_party/quiche/src/quic/core/quic_types.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_export.h"
 
@@ -60,6 +68,10 @@ class QUIC_EXPORT_PRIVATE QuicPacketCreator {
 
     // Called when a frame has been added to the current packet.
     virtual void OnFrameAddedToPacket(const QuicFrame& /*frame*/) {}
+
+    // Called when a stream frame is coalesced with an existing stream frame.
+    // |frame| is the new stream frame.
+    virtual void OnStreamFrameCoalesced(const QuicStreamFrame& /*frame*/) {}
   };
 
   QuicPacketCreator(QuicConnectionId server_connection_id,
@@ -137,12 +149,6 @@ class QUIC_EXPORT_PRIVATE QuicPacketCreator {
   // |length|.
   bool HasRoomForMessageFrame(QuicByteCount length);
 
-  // Re-serializes frames with the original packet's packet number length.
-  // Used for retransmitting packets to ensure they aren't too long.
-  void ReserializeAllFrames(const QuicPendingRetransmission& retransmission,
-                            char* buffer,
-                            size_t buffer_len);
-
   // Serializes all added frames into a single packet and invokes the delegate_
   // to further process the SerializedPacket.
   void FlushCurrentPacket();
@@ -189,8 +195,7 @@ class QUIC_EXPORT_PRIVATE QuicPacketCreator {
   // Tries to add |frame| to the packet creator's list of frames to be
   // serialized. If the frame does not fit into the current packet, flushes the
   // packet and returns false.
-  bool AddSavedFrame(const QuicFrame& frame,
-                     TransmissionType transmission_type);
+  bool AddFrame(const QuicFrame& frame, TransmissionType transmission_type);
 
   // Identical to AddSavedFrame, but allows the frame to be padded.
   bool AddPaddedSavedFrame(const QuicFrame& frame,
@@ -271,13 +276,15 @@ class QUIC_EXPORT_PRIVATE QuicPacketCreator {
   // Sets the maximum packet length.
   void SetMaxPacketLength(QuicByteCount length);
 
+  // Set a soft maximum packet length in the creator. If a packet cannot be
+  // successfully created, creator will remove the soft limit and use the actual
+  // max packet length.
+  void SetSoftMaxPacketLength(QuicByteCount length);
+
   // Increases pending_padding_bytes by |size|. Pending padding will be sent by
   // MaybeAddPadding().
   void AddPendingPadding(QuicByteCount size);
 
-  // Sets transmission type of next constructed packets.
-  void SetTransmissionTypeOfNextPackets(TransmissionType type);
-
   // Sets the retry token to be sent over the wire in IETF Initial packets.
   void SetRetryToken(QuicStringPiece retry_token);
 
@@ -363,12 +370,6 @@ class QUIC_EXPORT_PRIVATE QuicPacketCreator {
     debug_delegate_ = debug_delegate;
   }
 
-  void set_can_set_transmission_type(bool can_set_transmission_type) {
-    can_set_transmission_type_ = can_set_transmission_type;
-  }
-
-  bool can_set_transmission_type() const { return can_set_transmission_type_; }
-
   QuicByteCount pending_padding_bytes() const { return pending_padding_bytes_; }
 
   QuicTransportVersion transport_version() const {
@@ -382,19 +383,13 @@ class QUIC_EXPORT_PRIVATE QuicPacketCreator {
   bool PacketFlusherAttached() const;
 
   void set_fully_pad_crypto_handshake_packets(bool new_value) {
-    DCHECK(combine_generator_and_creator_);
     fully_pad_crypto_handshake_packets_ = new_value;
   }
 
   bool fully_pad_crypto_handshake_packets() const {
-    DCHECK(combine_generator_and_creator_);
     return fully_pad_crypto_handshake_packets_;
   }
 
-  bool combine_generator_and_creator() const {
-    return combine_generator_and_creator_;
-  }
-
   // Serialize a probing packet that uses IETF QUIC's PATH CHALLENGE frame. Also
   // fills the packet with padding.
   size_t BuildPaddedPathChallengePacket(const QuicPacketHeader& header,
@@ -422,6 +417,12 @@ class QUIC_EXPORT_PRIVATE QuicPacketCreator {
                                         size_t packet_length,
                                         EncryptionLevel level);
 
+  // Serializes |coalesced| to provided |buffer|, returns coalesced packet
+  // length if serialization succeeds. Otherwise, returns 0.
+  size_t SerializeCoalescedPacket(const QuicCoalescedPacket& coalesced,
+                                  char* buffer,
+                                  size_t buffer_len);
+
  private:
   friend class test::QuicPacketCreatorPeer;
 
@@ -444,13 +445,6 @@ class QUIC_EXPORT_PRIVATE QuicPacketCreator {
 
   void FillPacketHeader(QuicPacketHeader* header);
 
-  // Adds a |frame| if there is space and returns false and flushes all pending
-  // frames if there isn't room. If |save_retransmittable_frames| is true,
-  // saves the |frame| in the next SerializedPacket.
-  bool AddFrame(const QuicFrame& frame,
-                bool save_retransmittable_frames,
-                TransmissionType transmission_type);
-
   // Adds a padding frame to the current packet (if there is space) when (1)
   // current packet needs full padding or (2) there are pending paddings.
   void MaybeAddPadding();
@@ -468,6 +462,27 @@ class QUIC_EXPORT_PRIVATE QuicPacketCreator {
   // Clears all fields of packet_ that should be cleared between serializations.
   void ClearPacket();
 
+  // Re-serialzes frames of ENCRYPTION_INITIAL packet in coalesced packet with
+  // the original packet's packet number and packet number length.
+  // |padding_size| indicates the size of necessary padding. Returns 0 if
+  // serialization fails.
+  size_t ReserializeInitialPacketInCoalescedPacket(
+      const SerializedPacket& packet,
+      size_t padding_size,
+      char* buffer,
+      size_t buffer_len);
+
+  // Tries to coalesce |frame| with the back of |queued_frames_|.
+  // Returns true on success.
+  bool MaybeCoalesceStreamFrame(const QuicStreamFrame& frame);
+
+  // Called to remove the soft max_packet_length and restores
+  // latched_hard_max_packet_length_ if the packet cannot accommodate a single
+  // frame. Returns true if the soft limit is successfully removed. Returns
+  // false if either there is no current soft limit or there are queued frames
+  // (such that the packet length cannot be changed).
+  bool RemoveSoftMaxPacketLength();
+
   // Returns true if a diversification nonce should be included in the current
   // packet's header.
   bool IncludeNonceInPublicHeader() const;
@@ -553,10 +568,6 @@ class QUIC_EXPORT_PRIVATE QuicPacketCreator {
   // bytes.
   bool needs_full_padding_;
 
-  // If true, packet_'s transmission type is only set by
-  // SetPacketTransmissionType and does not get cleared in ClearPacket.
-  bool can_set_transmission_type_;
-
   // Transmission type of the next serialized packet.
   TransmissionType next_transmission_type_;
 
@@ -571,8 +582,10 @@ class QUIC_EXPORT_PRIVATE QuicPacketCreator {
   // flusher detaches.
   QuicPacketNumber write_start_packet_number_;
 
-  // Latched value of quic_combine_generator_and_creator.
-  const bool combine_generator_and_creator_;
+  // If not 0, this latches the actual max_packet_length when
+  // SetSoftMaxPacketLength is called and max_packet_length_ gets
+  // set to a soft value.
+  QuicByteCount latched_hard_max_packet_length_;
 };
 
 }  // namespace quic
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_packet_creator_test.cc b/chromium/net/third_party/quiche/src/quic/core/quic_packet_creator_test.cc
index a647994fc8a..6ca369cd5ec 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_packet_creator_test.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_packet_creator_test.cc
@@ -5,6 +5,7 @@
 #include "net/third_party/quiche/src/quic/core/quic_packet_creator.h"
 
 #include <cstdint>
+#include <limits>
 #include <memory>
 #include <ostream>
 #include <string>
@@ -14,13 +15,15 @@
 #include "net/third_party/quiche/src/quic/core/crypto/null_encrypter.h"
 #include "net/third_party/quiche/src/quic/core/crypto/quic_decrypter.h"
 #include "net/third_party/quiche/src/quic/core/crypto/quic_encrypter.h"
+#include "net/third_party/quiche/src/quic/core/frames/quic_stream_frame.h"
 #include "net/third_party/quiche/src/quic/core/quic_data_writer.h"
-#include "net/third_party/quiche/src/quic/core/quic_pending_retransmission.h"
 #include "net/third_party/quiche/src/quic/core/quic_simple_buffer_allocator.h"
 #include "net/third_party/quiche/src/quic/core/quic_types.h"
 #include "net/third_party/quiche/src/quic/core/quic_utils.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_arraysize.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_expect_bug.h"
+#include "net/third_party/quiche/src/quic/platform/api/quic_flags.h"
+#include "net/third_party/quiche/src/quic/platform/api/quic_ptr_util.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_socket_address.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_string_piece.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_test.h"
@@ -28,6 +31,7 @@
 #include "net/third_party/quiche/src/quic/test_tools/quic_packet_creator_peer.h"
 #include "net/third_party/quiche/src/quic/test_tools/quic_test_utils.h"
 #include "net/third_party/quiche/src/quic/test_tools/simple_data_producer.h"
+#include "net/third_party/quiche/src/quic/test_tools/simple_quic_framer.h"
 
 using testing::_;
 using testing::DoAll;
@@ -44,8 +48,9 @@ namespace {
 const QuicPacketNumber kPacketNumber = QuicPacketNumber(UINT64_C(0x12345678));
 // Use fields in which each byte is distinct to ensure that every byte is
 // framed correctly. The values are otherwise arbitrary.
-const QuicConnectionId kTestConnectionId =
-    TestConnectionId(UINT64_C(0xFEDCBA9876543210));
+QuicConnectionId CreateTestConnectionId() {
+  return TestConnectionId(UINT64_C(0xFEDCBA9876543210));
+}
 
 // Run tests with combinations of {ParsedQuicVersion,
 // ToggleVersionSerialization}.
@@ -79,6 +84,8 @@ class MockDebugDelegate : public QuicPacketCreator::DebugDelegate {
   ~MockDebugDelegate() override = default;
 
   MOCK_METHOD1(OnFrameAddedToPacket, void(const QuicFrame& frame));
+
+  MOCK_METHOD1(OnStreamFrameCoalesced, void(const QuicStreamFrame& frame));
 };
 
 class TestPacketCreator : public QuicPacketCreator {
@@ -222,7 +229,7 @@ class QuicPacketCreatorTest : public QuicTestWithParam<TestParams> {
     EXPECT_EQ(STREAM_FRAME, frame.type);
     EXPECT_EQ(stream_id, frame.stream_frame.stream_id);
     char buf[kMaxOutgoingPacketSize];
-    QuicDataWriter writer(kMaxOutgoingPacketSize, buf, HOST_BYTE_ORDER);
+    QuicDataWriter writer(kMaxOutgoingPacketSize, buf, quiche::HOST_BYTE_ORDER);
     if (frame.stream_frame.data_length > 0) {
       producer_.WriteStreamData(stream_id, frame.stream_frame.offset,
                                 frame.stream_frame.data_length, &writer);
@@ -260,18 +267,6 @@ class QuicPacketCreatorTest : public QuicTestWithParam<TestParams> {
         /* data_length= */ 0);
   }
 
-  QuicPendingRetransmission CreateRetransmission(
-      const QuicFrames& retransmittable_frames,
-      bool has_crypto_handshake,
-      int num_padding_bytes,
-      EncryptionLevel encryption_level,
-      QuicPacketNumberLength packet_number_length) {
-    return QuicPendingRetransmission(QuicPacketNumber(1u), NOT_RETRANSMISSION,
-                                     retransmittable_frames,
-                                     has_crypto_handshake, num_padding_bytes,
-                                     encryption_level, packet_number_length);
-  }
-
   bool IsDefaultTestConfiguration() {
     TestParams p = GetParam();
     return p.version == AllSupportedVersions()[0] && p.version_serialization;
@@ -318,8 +313,10 @@ TEST_P(QuicPacketCreatorTest, SerializeFrames) {
     if (level != ENCRYPTION_INITIAL && level != ENCRYPTION_HANDSHAKE) {
       frames_.push_back(
           QuicFrame(QuicStreamFrame(stream_id, false, 0u, QuicStringPiece())));
-      frames_.push_back(
-          QuicFrame(QuicStreamFrame(stream_id, true, 0u, QuicStringPiece())));
+      if (!GetQuicRestartFlag(quic_coalesce_stream_frames_2)) {
+        frames_.push_back(
+            QuicFrame(QuicStreamFrame(stream_id, true, 0u, QuicStringPiece())));
+      }
     }
     SerializedPacket serialized = SerializeAllFrames(frames_);
     EXPECT_EQ(level, serialized.encryption_level);
@@ -342,7 +339,9 @@ TEST_P(QuicPacketCreatorTest, SerializeFrames) {
           .WillOnce(Return(true));
       if (level != ENCRYPTION_INITIAL && level != ENCRYPTION_HANDSHAKE) {
         EXPECT_CALL(framer_visitor_, OnStreamFrame(_));
-        EXPECT_CALL(framer_visitor_, OnStreamFrame(_));
+        if (!GetQuicRestartFlag(quic_coalesce_stream_frames_2)) {
+          EXPECT_CALL(framer_visitor_, OnStreamFrame(_));
+        }
       }
       if (client_framer_.version().HasHeaderProtection()) {
         EXPECT_CALL(framer_visitor_, OnPaddingFrame(_))
@@ -354,248 +353,6 @@ TEST_P(QuicPacketCreatorTest, SerializeFrames) {
   }
 }
 
-TEST_P(QuicPacketCreatorTest, ReserializeFramesWithSequenceNumberLength) {
-  if (VersionHasIetfInvariantHeader(client_framer_.transport_version())) {
-    creator_.set_encryption_level(ENCRYPTION_FORWARD_SECURE);
-  }
-  // If the original packet number length, the current packet number
-  // length, and the configured send packet number length are different, the
-  // retransmit must sent with the original length and the others do not change.
-  QuicPacketCreatorPeer::SetPacketNumberLength(&creator_,
-                                               PACKET_2BYTE_PACKET_NUMBER);
-  QuicFrames frames;
-  std::string data("a");
-  if (!QuicVersionUsesCryptoFrames(client_framer_.transport_version())) {
-    QuicStreamFrame stream_frame(
-        QuicUtils::GetCryptoStreamId(client_framer_.transport_version()),
-        /*fin=*/false, 0u, QuicStringPiece());
-    frames.push_back(QuicFrame(stream_frame));
-  } else {
-    producer_.SaveCryptoData(ENCRYPTION_INITIAL, 0, data);
-    frames.push_back(
-        QuicFrame(new QuicCryptoFrame(ENCRYPTION_INITIAL, 0, data.length())));
-  }
-  char buffer[kMaxOutgoingPacketSize];
-  QuicPendingRetransmission retransmission(CreateRetransmission(
-      frames, true /* has_crypto_handshake */, -1 /* needs full padding */,
-      ENCRYPTION_INITIAL, PACKET_4BYTE_PACKET_NUMBER));
-  EXPECT_CALL(delegate_, OnSerializedPacket(_))
-      .WillOnce(Invoke(this, &QuicPacketCreatorTest::SaveSerializedPacket));
-  creator_.ReserializeAllFrames(retransmission, buffer, kMaxOutgoingPacketSize);
-  // The packet number length is updated after every packet is sent,
-  // so there is no need to restore the old length after sending.
-  EXPECT_EQ(PACKET_4BYTE_PACKET_NUMBER,
-            QuicPacketCreatorPeer::GetPacketNumberLength(&creator_));
-  EXPECT_EQ(PACKET_4BYTE_PACKET_NUMBER,
-            serialized_packet_.packet_number_length);
-
-  {
-    InSequence s;
-    EXPECT_CALL(framer_visitor_, OnPacket());
-    EXPECT_CALL(framer_visitor_, OnUnauthenticatedPublicHeader(_));
-    EXPECT_CALL(framer_visitor_, OnUnauthenticatedHeader(_));
-    EXPECT_CALL(framer_visitor_, OnDecryptedPacket(_));
-    EXPECT_CALL(framer_visitor_, OnPacketHeader(_));
-    if (!QuicVersionUsesCryptoFrames(client_framer_.transport_version())) {
-      EXPECT_CALL(framer_visitor_, OnStreamFrame(_));
-    } else {
-      EXPECT_CALL(framer_visitor_, OnCryptoFrame(_));
-    }
-    EXPECT_CALL(framer_visitor_, OnPaddingFrame(_));
-    EXPECT_CALL(framer_visitor_, OnPacketComplete());
-  }
-  ProcessPacket(serialized_packet_);
-  DeleteFrames(&frames);
-}
-
-TEST_P(QuicPacketCreatorTest, ReserializeCryptoFrameWithForwardSecurity) {
-  QuicFrames frames;
-  std::string data("a");
-  if (!QuicVersionUsesCryptoFrames(client_framer_.transport_version())) {
-    QuicStreamFrame stream_frame(
-        QuicUtils::GetCryptoStreamId(client_framer_.transport_version()),
-        /*fin=*/false, 0u, QuicStringPiece());
-    frames.push_back(QuicFrame(stream_frame));
-  } else {
-    producer_.SaveCryptoData(ENCRYPTION_INITIAL, 0, data);
-    frames.push_back(
-        QuicFrame(new QuicCryptoFrame(ENCRYPTION_INITIAL, 0, data.length())));
-  }
-  creator_.set_encryption_level(ENCRYPTION_FORWARD_SECURE);
-  char buffer[kMaxOutgoingPacketSize];
-  QuicPendingRetransmission retransmission(CreateRetransmission(
-      frames, true /* has_crypto_handshake */, -1 /* needs full padding */,
-      ENCRYPTION_INITIAL,
-      QuicPacketCreatorPeer::GetPacketNumberLength(&creator_)));
-  EXPECT_CALL(delegate_, OnSerializedPacket(_))
-      .WillOnce(Invoke(this, &QuicPacketCreatorTest::SaveSerializedPacket));
-  creator_.ReserializeAllFrames(retransmission, buffer, kMaxOutgoingPacketSize);
-  EXPECT_EQ(ENCRYPTION_INITIAL, serialized_packet_.encryption_level);
-  DeleteFrames(&frames);
-}
-
-TEST_P(QuicPacketCreatorTest, ReserializeFrameWithForwardSecurity) {
-  QuicStreamFrame stream_frame(0u, /*fin=*/false, 0u, QuicStringPiece());
-  QuicFrames frames;
-  frames.push_back(QuicFrame(stream_frame));
-  creator_.set_encryption_level(ENCRYPTION_FORWARD_SECURE);
-  char buffer[kMaxOutgoingPacketSize];
-  QuicPendingRetransmission retransmission(CreateRetransmission(
-      frames, false /* has_crypto_handshake */, 0 /* no padding */,
-      ENCRYPTION_INITIAL,
-      QuicPacketCreatorPeer::GetPacketNumberLength(&creator_)));
-  EXPECT_CALL(delegate_, OnSerializedPacket(_))
-      .WillOnce(Invoke(this, &QuicPacketCreatorTest::SaveSerializedPacket));
-  creator_.ReserializeAllFrames(retransmission, buffer, kMaxOutgoingPacketSize);
-  EXPECT_EQ(ENCRYPTION_FORWARD_SECURE, serialized_packet_.encryption_level);
-}
-
-TEST_P(QuicPacketCreatorTest, ReserializeFramesWithFullPadding) {
-  QuicFrame frame;
-  std::string data = "fake handshake message data";
-  if (!QuicVersionUsesCryptoFrames(client_framer_.transport_version())) {
-    MakeIOVector(data, &iov_);
-    producer_.SaveStreamData(
-        QuicUtils::GetCryptoStreamId(client_framer_.transport_version()), &iov_,
-        1u, 0u, iov_.iov_len);
-    QuicPacketCreatorPeer::CreateStreamFrame(
-        &creator_,
-        QuicUtils::GetCryptoStreamId(client_framer_.transport_version()),
-        iov_.iov_len, 0u, false, &frame);
-  } else {
-    producer_.SaveCryptoData(ENCRYPTION_INITIAL, 0, data);
-    EXPECT_TRUE(QuicPacketCreatorPeer::CreateCryptoFrame(
-        &creator_, ENCRYPTION_INITIAL, data.length(), 0, &frame));
-  }
-  QuicFrames frames;
-  frames.push_back(frame);
-  char buffer[kMaxOutgoingPacketSize];
-  QuicPendingRetransmission retransmission(CreateRetransmission(
-      frames, true /* has_crypto_handshake */, -1 /* needs full padding */,
-      ENCRYPTION_INITIAL,
-      QuicPacketCreatorPeer::GetPacketNumberLength(&creator_)));
-  EXPECT_CALL(delegate_, OnSerializedPacket(_))
-      .WillOnce(Invoke(this, &QuicPacketCreatorTest::SaveSerializedPacket));
-  creator_.ReserializeAllFrames(retransmission, buffer, kMaxOutgoingPacketSize);
-  EXPECT_EQ(kDefaultMaxPacketSize, serialized_packet_.encrypted_length);
-  DeleteFrames(&frames);
-}
-
-TEST_P(QuicPacketCreatorTest, DoNotRetransmitPendingPadding) {
-  QuicFrame frame;
-  std::string data = "fake message data";
-  if (!QuicVersionUsesCryptoFrames(client_framer_.transport_version())) {
-    MakeIOVector(data, &iov_);
-    producer_.SaveStreamData(
-        QuicUtils::GetCryptoStreamId(client_framer_.transport_version()), &iov_,
-        1u, 0u, iov_.iov_len);
-    QuicPacketCreatorPeer::CreateStreamFrame(
-        &creator_,
-        QuicUtils::GetCryptoStreamId(client_framer_.transport_version()),
-        iov_.iov_len, 0u, false, &frame);
-  } else {
-    producer_.SaveCryptoData(ENCRYPTION_INITIAL, 0, data);
-    EXPECT_TRUE(QuicPacketCreatorPeer::CreateCryptoFrame(
-        &creator_, ENCRYPTION_INITIAL, data.length(), 0, &frame));
-  }
-
-  const int kNumPaddingBytes1 = 4;
-  int packet_size = 0;
-  {
-    QuicFrames frames;
-    frames.push_back(frame);
-    char buffer[kMaxOutgoingPacketSize];
-    QuicPendingRetransmission retransmission(CreateRetransmission(
-        frames, false /* has_crypto_handshake */,
-        kNumPaddingBytes1 /* padding bytes */, ENCRYPTION_INITIAL,
-        QuicPacketCreatorPeer::GetPacketNumberLength(&creator_)));
-    EXPECT_CALL(delegate_, OnSerializedPacket(_))
-        .WillOnce(Invoke(this, &QuicPacketCreatorTest::SaveSerializedPacket));
-    creator_.ReserializeAllFrames(retransmission, buffer,
-                                  kMaxOutgoingPacketSize);
-    packet_size = serialized_packet_.encrypted_length;
-  }
-
-  {
-    InSequence s;
-    EXPECT_CALL(framer_visitor_, OnPacket());
-    EXPECT_CALL(framer_visitor_, OnUnauthenticatedPublicHeader(_));
-    EXPECT_CALL(framer_visitor_, OnUnauthenticatedHeader(_));
-    EXPECT_CALL(framer_visitor_, OnDecryptedPacket(_));
-    EXPECT_CALL(framer_visitor_, OnPacketHeader(_));
-    if (QuicVersionUsesCryptoFrames(client_framer_.transport_version())) {
-      EXPECT_CALL(framer_visitor_, OnCryptoFrame(_));
-    } else {
-      EXPECT_CALL(framer_visitor_, OnStreamFrame(_));
-    }
-    // Pending paddings are not retransmitted.
-    EXPECT_CALL(framer_visitor_, OnPaddingFrame(_)).Times(0);
-    EXPECT_CALL(framer_visitor_, OnPacketComplete());
-  }
-  ProcessPacket(serialized_packet_);
-
-  const int kNumPaddingBytes2 = 44;
-  QuicFrames frames;
-  frames.push_back(frame);
-  char buffer[kMaxOutgoingPacketSize];
-  QuicPendingRetransmission retransmission(CreateRetransmission(
-      frames, false /* has_crypto_handshake */,
-      kNumPaddingBytes2 /* padding bytes */, ENCRYPTION_INITIAL,
-      QuicPacketCreatorPeer::GetPacketNumberLength(&creator_)));
-  EXPECT_CALL(delegate_, OnSerializedPacket(_))
-      .WillOnce(Invoke(this, &QuicPacketCreatorTest::SaveSerializedPacket));
-  creator_.ReserializeAllFrames(retransmission, buffer, kMaxOutgoingPacketSize);
-
-  EXPECT_EQ(packet_size, serialized_packet_.encrypted_length);
-  DeleteFrames(&frames);
-}
-
-TEST_P(QuicPacketCreatorTest, ReserializeFramesWithFullPacketAndPadding) {
-  creator_.set_encryption_level(ENCRYPTION_FORWARD_SECURE);
-  const size_t overhead =
-      GetPacketHeaderOverhead(client_framer_.transport_version()) +
-      GetEncryptionOverhead() +
-      GetStreamFrameOverhead(client_framer_.transport_version());
-  size_t capacity = kDefaultMaxPacketSize - overhead;
-  for (int delta = -5; delta <= 0; ++delta) {
-    std::string data(capacity + delta, 'A');
-    size_t bytes_free = 0 - delta;
-
-    QuicFrame frame;
-    SimpleDataProducer producer;
-    QuicPacketCreatorPeer::framer(&creator_)->set_data_producer(&producer);
-    MakeIOVector(data, &iov_);
-    QuicStreamId stream_id = QuicUtils::GetFirstBidirectionalStreamId(
-        client_framer_.transport_version(), Perspective::IS_CLIENT);
-    producer.SaveStreamData(stream_id, &iov_, 1u, 0u, iov_.iov_len);
-    QuicPacketCreatorPeer::CreateStreamFrame(&creator_, stream_id, iov_.iov_len,
-                                             kOffset, false, &frame);
-    QuicFrames frames;
-    frames.push_back(frame);
-    char buffer[kMaxOutgoingPacketSize];
-    QuicPendingRetransmission retransmission(CreateRetransmission(
-        frames, false /* has_crypto_handshake */, -1 /* needs full padding */,
-        ENCRYPTION_FORWARD_SECURE,
-        QuicPacketCreatorPeer::GetPacketNumberLength(&creator_)));
-    EXPECT_CALL(delegate_, OnSerializedPacket(_))
-        .WillOnce(Invoke(this, &QuicPacketCreatorTest::SaveSerializedPacket));
-    creator_.ReserializeAllFrames(retransmission, buffer,
-                                  kMaxOutgoingPacketSize);
-
-    // If there is not enough space in the packet to fit a padding frame
-    // (1 byte) and to expand the stream frame (another 2 bytes) the packet
-    // will not be padded.
-    if (bytes_free < 3) {
-      EXPECT_EQ(kDefaultMaxPacketSize - bytes_free,
-                serialized_packet_.encrypted_length);
-    } else {
-      EXPECT_EQ(kDefaultMaxPacketSize, serialized_packet_.encrypted_length);
-    }
-
-    frames_.clear();
-  }
-}
-
 TEST_P(QuicPacketCreatorTest, SerializeConnectionClose) {
   QuicConnectionCloseFrame frame(creator_.transport_version(), QUIC_NO_ERROR,
                                  "error",
@@ -784,8 +541,10 @@ TEST_P(QuicPacketCreatorTest, CryptoStreamFramePacketPadding) {
     // If there is not enough space in the packet to fit a padding frame
     // (1 byte) and to expand the stream frame (another 2 bytes) the packet
     // will not be padded.
-    if (bytes_free < 3 &&
-        !QuicVersionUsesCryptoFrames(client_framer_.transport_version())) {
+    // Padding is skipped when we try to send coalesced packets.
+    if ((bytes_free < 3 &&
+         !QuicVersionUsesCryptoFrames(client_framer_.transport_version())) ||
+        client_framer_.version().CanSendCoalescedPackets()) {
       EXPECT_EQ(kDefaultMaxPacketSize - bytes_free,
                 serialized_packet_.encrypted_length);
     } else {
@@ -861,7 +620,7 @@ TEST_P(QuicPacketCreatorTest, BuildPathChallengePacket) {
   }
 
   QuicPacketHeader header;
-  header.destination_connection_id = kTestConnectionId;
+  header.destination_connection_id = CreateTestConnectionId();
   header.reset_flag = false;
   header.version_flag = false;
   header.packet_number = kPacketNumber;
@@ -908,7 +667,7 @@ TEST_P(QuicPacketCreatorTest, BuildPathChallengePacket) {
 
 TEST_P(QuicPacketCreatorTest, BuildConnectivityProbingPacket) {
   QuicPacketHeader header;
-  header.destination_connection_id = kTestConnectionId;
+  header.destination_connection_id = CreateTestConnectionId();
   header.reset_flag = false;
   header.version_flag = false;
   header.packet_number = kPacketNumber;
@@ -995,7 +754,7 @@ TEST_P(QuicPacketCreatorTest, BuildPathResponsePacket1ResponseUnpadded) {
   }
 
   QuicPacketHeader header;
-  header.destination_connection_id = kTestConnectionId;
+  header.destination_connection_id = CreateTestConnectionId();
   header.reset_flag = false;
   header.version_flag = false;
   header.packet_number = kPacketNumber;
@@ -1040,7 +799,7 @@ TEST_P(QuicPacketCreatorTest, BuildPathResponsePacket1ResponsePadded) {
   }
 
   QuicPacketHeader header;
-  header.destination_connection_id = kTestConnectionId;
+  header.destination_connection_id = CreateTestConnectionId();
   header.reset_flag = false;
   header.version_flag = false;
   header.packet_number = kPacketNumber;
@@ -1087,7 +846,7 @@ TEST_P(QuicPacketCreatorTest, BuildPathResponsePacket3ResponsesUnpadded) {
   }
 
   QuicPacketHeader header;
-  header.destination_connection_id = kTestConnectionId;
+  header.destination_connection_id = CreateTestConnectionId();
   header.reset_flag = false;
   header.version_flag = false;
   header.packet_number = kPacketNumber;
@@ -1139,7 +898,7 @@ TEST_P(QuicPacketCreatorTest, BuildPathResponsePacket3ResponsesPadded) {
   }
 
   QuicPacketHeader header;
-  header.destination_connection_id = kTestConnectionId;
+  header.destination_connection_id = CreateTestConnectionId();
   header.reset_flag = false;
   header.version_flag = false;
   header.packet_number = kPacketNumber;
@@ -1705,8 +1464,7 @@ TEST_P(QuicPacketCreatorTest, AddFrameAndFlush) {
   // Add a variety of frame types and then a padding frame.
   QuicAckFrame ack_frame(InitAckFrame(10u));
   EXPECT_CALL(debug, OnFrameAddedToPacket(_));
-  EXPECT_TRUE(
-      creator_.AddSavedFrame(QuicFrame(&ack_frame), NOT_RETRANSMISSION));
+  EXPECT_TRUE(creator_.AddFrame(QuicFrame(&ack_frame), NOT_RETRANSMISSION));
   EXPECT_TRUE(creator_.HasPendingFrames());
   EXPECT_FALSE(creator_.HasPendingStreamFramesOfStream(stream_id));
 
@@ -1723,16 +1481,14 @@ TEST_P(QuicPacketCreatorTest, AddFrameAndFlush) {
 
   QuicPaddingFrame padding_frame;
   EXPECT_CALL(debug, OnFrameAddedToPacket(_));
-  EXPECT_TRUE(
-      creator_.AddSavedFrame(QuicFrame(padding_frame), NOT_RETRANSMISSION));
+  EXPECT_TRUE(creator_.AddFrame(QuicFrame(padding_frame), NOT_RETRANSMISSION));
   EXPECT_TRUE(creator_.HasPendingFrames());
   EXPECT_EQ(0u, creator_.BytesFree());
 
   // Packet is full. Creator will flush.
   EXPECT_CALL(delegate_, OnSerializedPacket(_))
       .WillOnce(Invoke(this, &QuicPacketCreatorTest::SaveSerializedPacket));
-  EXPECT_FALSE(
-      creator_.AddSavedFrame(QuicFrame(&ack_frame), NOT_RETRANSMISSION));
+  EXPECT_FALSE(creator_.AddFrame(QuicFrame(&ack_frame), NOT_RETRANSMISSION));
 
   // Ensure the packet is successfully created.
   ASSERT_TRUE(serialized_packet_.encrypted_buffer);
@@ -1841,7 +1597,7 @@ TEST_P(QuicPacketCreatorTest, AddUnencryptedStreamDataClosesConnection) {
   QuicStreamFrame stream_frame(GetNthClientInitiatedStreamId(0),
                                /*fin=*/false, 0u, QuicStringPiece());
   EXPECT_QUIC_BUG(
-      creator_.AddSavedFrame(QuicFrame(stream_frame), NOT_RETRANSMISSION),
+      creator_.AddFrame(QuicFrame(stream_frame), NOT_RETRANSMISSION),
       "Cannot send stream data with level: ENCRYPTION_INITIAL");
 }
 
@@ -1856,7 +1612,7 @@ TEST_P(QuicPacketCreatorTest, SendStreamDataWithEncryptionHandshake) {
   QuicStreamFrame stream_frame(GetNthClientInitiatedStreamId(0),
                                /*fin=*/false, 0u, QuicStringPiece());
   EXPECT_QUIC_BUG(
-      creator_.AddSavedFrame(QuicFrame(stream_frame), NOT_RETRANSMISSION),
+      creator_.AddFrame(QuicFrame(stream_frame), NOT_RETRANSMISSION),
       "Cannot send stream data with level: ENCRYPTION_HANDSHAKE");
 }
 
@@ -1936,99 +1692,6 @@ TEST_P(QuicPacketCreatorTest, FullPaddingDoesNotConsumePendingPadding) {
   EXPECT_EQ(kMaxNumRandomPaddingBytes, creator_.pending_padding_bytes());
 }
 
-TEST_P(QuicPacketCreatorTest, SendPendingPaddingInRetransmission) {
-  creator_.set_encryption_level(ENCRYPTION_FORWARD_SECURE);
-  QuicStreamId stream_id = QuicUtils::GetFirstBidirectionalStreamId(
-      client_framer_.transport_version(), Perspective::IS_CLIENT);
-  QuicStreamFrame stream_frame(stream_id,
-                               /*fin=*/false, 0u, QuicStringPiece());
-  QuicFrames frames;
-  frames.push_back(QuicFrame(stream_frame));
-  char buffer[kMaxOutgoingPacketSize];
-  QuicPendingRetransmission retransmission(CreateRetransmission(
-      frames, true, /*num_padding_bytes=*/0, ENCRYPTION_FORWARD_SECURE,
-      QuicPacketCreatorPeer::GetPacketNumberLength(&creator_)));
-  EXPECT_CALL(delegate_, OnSerializedPacket(_))
-      .WillOnce(Invoke(this, &QuicPacketCreatorTest::SaveSerializedPacket));
-  creator_.AddPendingPadding(kMaxNumRandomPaddingBytes);
-  creator_.ReserializeAllFrames(retransmission, buffer, kMaxOutgoingPacketSize);
-  EXPECT_EQ(0u, creator_.pending_padding_bytes());
-  {
-    InSequence s;
-    EXPECT_CALL(framer_visitor_, OnPacket());
-    EXPECT_CALL(framer_visitor_, OnUnauthenticatedPublicHeader(_));
-    EXPECT_CALL(framer_visitor_, OnUnauthenticatedHeader(_));
-    EXPECT_CALL(framer_visitor_, OnDecryptedPacket(_));
-    EXPECT_CALL(framer_visitor_, OnPacketHeader(_));
-    EXPECT_CALL(framer_visitor_, OnStreamFrame(_));
-    EXPECT_CALL(framer_visitor_, OnPaddingFrame(_));
-    EXPECT_CALL(framer_visitor_, OnPacketComplete());
-  }
-  ProcessPacket(serialized_packet_);
-}
-
-TEST_P(QuicPacketCreatorTest, SendPacketAfterFullPaddingRetransmission) {
-  // Making sure needs_full_padding gets reset after a full padding
-  // retransmission.
-  EXPECT_EQ(0u, creator_.pending_padding_bytes());
-  creator_.set_encryption_level(ENCRYPTION_FORWARD_SECURE);
-  QuicFrame frame;
-  std::string data = "fake handshake message data";
-  MakeIOVector(data, &iov_);
-  QuicStreamId stream_id = QuicUtils::GetFirstBidirectionalStreamId(
-      client_framer_.transport_version(), Perspective::IS_CLIENT);
-  if (!QuicVersionUsesCryptoFrames(client_framer_.transport_version())) {
-    stream_id =
-        QuicUtils::GetCryptoStreamId(client_framer_.transport_version());
-  }
-  producer_.SaveStreamData(stream_id, &iov_, 1u, 0u, iov_.iov_len);
-  QuicPacketCreatorPeer::CreateStreamFrame(&creator_, stream_id, iov_.iov_len,
-                                           0u, false, &frame);
-  QuicFrames frames;
-  frames.push_back(frame);
-  char buffer[kMaxOutgoingPacketSize];
-  QuicPendingRetransmission retransmission(CreateRetransmission(
-      frames, true, /*num_padding_bytes=*/-1, ENCRYPTION_FORWARD_SECURE,
-      QuicPacketCreatorPeer::GetPacketNumberLength(&creator_)));
-  EXPECT_CALL(delegate_, OnSerializedPacket(_))
-      .WillRepeatedly(
-          Invoke(this, &QuicPacketCreatorTest::SaveSerializedPacket));
-  creator_.ReserializeAllFrames(retransmission, buffer, kMaxOutgoingPacketSize);
-  EXPECT_EQ(kDefaultMaxPacketSize, serialized_packet_.encrypted_length);
-  {
-    InSequence s;
-    EXPECT_CALL(framer_visitor_, OnPacket());
-    EXPECT_CALL(framer_visitor_, OnUnauthenticatedPublicHeader(_));
-    EXPECT_CALL(framer_visitor_, OnUnauthenticatedHeader(_));
-    EXPECT_CALL(framer_visitor_, OnDecryptedPacket(_));
-    EXPECT_CALL(framer_visitor_, OnPacketHeader(_));
-    EXPECT_CALL(framer_visitor_, OnStreamFrame(_));
-    // Full padding.
-    EXPECT_CALL(framer_visitor_, OnPaddingFrame(_));
-    EXPECT_CALL(framer_visitor_, OnPacketComplete());
-  }
-  ProcessPacket(serialized_packet_);
-
-  creator_.ConsumeDataToFillCurrentPacket(stream_id, &iov_, 1u, iov_.iov_len,
-                                          0u, 0u, false, false,
-                                          NOT_RETRANSMISSION, &frame);
-  creator_.FlushCurrentPacket();
-  {
-    InSequence s;
-    EXPECT_CALL(framer_visitor_, OnPacket());
-    EXPECT_CALL(framer_visitor_, OnUnauthenticatedPublicHeader(_));
-    EXPECT_CALL(framer_visitor_, OnUnauthenticatedHeader(_));
-    EXPECT_CALL(framer_visitor_, OnDecryptedPacket(_));
-    EXPECT_CALL(framer_visitor_, OnPacketHeader(_));
-    EXPECT_CALL(framer_visitor_, OnStreamFrame(_));
-    // needs_full_padding gets reset.
-    EXPECT_CALL(framer_visitor_, OnPaddingFrame(_)).Times(0);
-    EXPECT_CALL(framer_visitor_, OnPacketComplete());
-  }
-  ProcessPacket(serialized_packet_);
-  DeleteFrames(&frames);
-}
-
 TEST_P(QuicPacketCreatorTest, ConsumeDataAndRandomPadding) {
   creator_.set_encryption_level(ENCRYPTION_FORWARD_SECURE);
   const QuicByteCount kStreamFramePayloadSize = 100u;
@@ -2125,20 +1788,19 @@ TEST_P(QuicPacketCreatorTest, AddMessageFrame) {
   std::string message(creator_.GetCurrentLargestMessagePayload(), 'a');
   QuicMessageFrame* message_frame =
       new QuicMessageFrame(1, MakeSpan(&allocator_, message, &storage));
-  EXPECT_TRUE(
-      creator_.AddSavedFrame(QuicFrame(message_frame), NOT_RETRANSMISSION));
+  EXPECT_TRUE(creator_.AddFrame(QuicFrame(message_frame), NOT_RETRANSMISSION));
   EXPECT_TRUE(creator_.HasPendingFrames());
   creator_.FlushCurrentPacket();
 
   QuicMessageFrame* frame2 =
       new QuicMessageFrame(2, MakeSpan(&allocator_, "message", &storage));
-  EXPECT_TRUE(creator_.AddSavedFrame(QuicFrame(frame2), NOT_RETRANSMISSION));
+  EXPECT_TRUE(creator_.AddFrame(QuicFrame(frame2), NOT_RETRANSMISSION));
   EXPECT_TRUE(creator_.HasPendingFrames());
   // Verify if a new frame is added, 1 byte message length will be added.
   EXPECT_EQ(1u, creator_.ExpansionOnNewFrame());
   QuicMessageFrame* frame3 =
       new QuicMessageFrame(3, MakeSpan(&allocator_, "message2", &storage));
-  EXPECT_TRUE(creator_.AddSavedFrame(QuicFrame(frame3), NOT_RETRANSMISSION));
+  EXPECT_TRUE(creator_.AddFrame(QuicFrame(frame3), NOT_RETRANSMISSION));
   EXPECT_EQ(1u, creator_.ExpansionOnNewFrame());
   creator_.FlushCurrentPacket();
 
@@ -2151,14 +1813,14 @@ TEST_P(QuicPacketCreatorTest, AddMessageFrame) {
       NOT_RETRANSMISSION, &frame));
   QuicMessageFrame* frame4 =
       new QuicMessageFrame(4, MakeSpan(&allocator_, "message", &storage));
-  EXPECT_TRUE(creator_.AddSavedFrame(QuicFrame(frame4), NOT_RETRANSMISSION));
+  EXPECT_TRUE(creator_.AddFrame(QuicFrame(frame4), NOT_RETRANSMISSION));
   EXPECT_TRUE(creator_.HasPendingFrames());
   // Verify there is not enough room for largest payload.
   EXPECT_FALSE(creator_.HasRoomForMessageFrame(
       creator_.GetCurrentLargestMessagePayload()));
   // Add largest message will causes the flush of the stream frame.
   QuicMessageFrame frame5(5, MakeSpan(&allocator_, message, &storage));
-  EXPECT_FALSE(creator_.AddSavedFrame(QuicFrame(&frame5), NOT_RETRANSMISSION));
+  EXPECT_FALSE(creator_.AddFrame(QuicFrame(&frame5), NOT_RETRANSMISSION));
   EXPECT_FALSE(creator_.HasPendingFrames());
 }
 
@@ -2181,7 +1843,7 @@ TEST_P(QuicPacketCreatorTest, MessageFrameConsumption) {
           0, MakeSpan(&allocator_,
                       QuicStringPiece(message_buffer.data(), message_size),
                       &storage));
-      EXPECT_TRUE(creator_.AddSavedFrame(QuicFrame(frame), NOT_RETRANSMISSION));
+      EXPECT_TRUE(creator_.AddFrame(QuicFrame(frame), NOT_RETRANSMISSION));
       EXPECT_TRUE(creator_.HasPendingFrames());
 
       size_t expansion_bytes = message_size >= 64 ? 2 : 1;
@@ -2225,8 +1887,6 @@ TEST_P(QuicPacketCreatorTest, GetGuaranteedLargestMessagePayload) {
 
 TEST_P(QuicPacketCreatorTest, PacketTransmissionType) {
   creator_.set_encryption_level(ENCRYPTION_FORWARD_SECURE);
-  creator_.set_can_set_transmission_type(true);
-  creator_.SetTransmissionTypeOfNextPackets(NOT_RETRANSMISSION);
 
   QuicAckFrame temp_ack_frame = InitAckFrame(1);
   QuicFrame ack_frame(&temp_ack_frame);
@@ -2244,23 +1904,19 @@ TEST_P(QuicPacketCreatorTest, PacketTransmissionType) {
   EXPECT_CALL(delegate_, OnSerializedPacket(_))
       .WillOnce(Invoke(this, &QuicPacketCreatorTest::SaveSerializedPacket));
 
-  EXPECT_TRUE(creator_.AddSavedFrame(ack_frame, LOSS_RETRANSMISSION));
+  EXPECT_TRUE(creator_.AddFrame(ack_frame, LOSS_RETRANSMISSION));
   ASSERT_FALSE(serialized_packet_.encrypted_buffer);
 
-  EXPECT_TRUE(creator_.AddSavedFrame(stream_frame, RTO_RETRANSMISSION));
+  EXPECT_TRUE(creator_.AddFrame(stream_frame, RTO_RETRANSMISSION));
   ASSERT_FALSE(serialized_packet_.encrypted_buffer);
 
-  EXPECT_TRUE(creator_.AddSavedFrame(padding_frame, TLP_RETRANSMISSION));
+  EXPECT_TRUE(creator_.AddFrame(padding_frame, TLP_RETRANSMISSION));
   creator_.FlushCurrentPacket();
   ASSERT_TRUE(serialized_packet_.encrypted_buffer);
 
-  if (creator_.can_set_transmission_type()) {
-    // The last retransmittable frame on packet is a stream frame, the packet's
-    // transmission type should be the same as the stream frame's.
-    EXPECT_EQ(serialized_packet_.transmission_type, RTO_RETRANSMISSION);
-  } else {
-    EXPECT_EQ(serialized_packet_.transmission_type, NOT_RETRANSMISSION);
-  }
+  // The last retransmittable frame on packet is a stream frame, the packet's
+  // transmission type should be the same as the stream frame's.
+  EXPECT_EQ(serialized_packet_.transmission_type, RTO_RETRANSMISSION);
   DeleteSerializedPacket();
 }
 
@@ -2334,6 +1990,1732 @@ TEST_P(QuicPacketCreatorTest, ClientConnectionId) {
   EXPECT_EQ(TestConnectionId(0x33), creator_.GetSourceConnectionId());
 }
 
+TEST_P(QuicPacketCreatorTest, CoalesceStreamFrames) {
+  InSequence s;
+  if (!GetParam().version_serialization) {
+    creator_.StopSendingVersion();
+  }
+  SetQuicRestartFlag(quic_coalesce_stream_frames_2, true);
+  const size_t max_plaintext_size =
+      client_framer_.GetMaxPlaintextSize(creator_.max_packet_length());
+  EXPECT_FALSE(creator_.HasPendingFrames());
+  creator_.set_encryption_level(ENCRYPTION_FORWARD_SECURE);
+  QuicStreamId stream_id1 = QuicUtils::GetFirstBidirectionalStreamId(
+      client_framer_.transport_version(), Perspective::IS_CLIENT);
+  QuicStreamId stream_id2 = GetNthClientInitiatedStreamId(1);
+  EXPECT_FALSE(creator_.HasPendingStreamFramesOfStream(stream_id1));
+  EXPECT_EQ(max_plaintext_size -
+                GetPacketHeaderSize(
+                    client_framer_.transport_version(),
+                    creator_.GetDestinationConnectionIdLength(),
+                    creator_.GetSourceConnectionIdLength(),
+                    QuicPacketCreatorPeer::SendVersionInPacket(&creator_),
+                    !kIncludeDiversificationNonce,
+                    QuicPacketCreatorPeer::GetPacketNumberLength(&creator_),
+                    QuicPacketCreatorPeer::GetRetryTokenLengthLength(&creator_),
+                    0, QuicPacketCreatorPeer::GetLengthLength(&creator_)),
+            creator_.BytesFree());
+  StrictMock<MockDebugDelegate> debug;
+  creator_.set_debug_delegate(&debug);
+
+  MakeIOVector("test", &iov_);
+  QuicFrame frame;
+  EXPECT_CALL(debug, OnFrameAddedToPacket(_));
+  ASSERT_TRUE(creator_.ConsumeDataToFillCurrentPacket(
+      stream_id1, &iov_, 1u, iov_.iov_len, 0u, 0u, false, false,
+      NOT_RETRANSMISSION, &frame));
+  EXPECT_TRUE(creator_.HasPendingFrames());
+  EXPECT_TRUE(creator_.HasPendingStreamFramesOfStream(stream_id1));
+
+  MakeIOVector("coalesce", &iov_);
+  // frame will be coalesced with the first frame.
+  const auto previous_size = creator_.PacketSize();
+  QuicStreamFrame target(stream_id1, true, 0, 12);
+  EXPECT_CALL(debug, OnStreamFrameCoalesced(target));
+  ASSERT_TRUE(creator_.ConsumeDataToFillCurrentPacket(
+      stream_id1, &iov_, 1u, iov_.iov_len, 0u, 4u, true, false,
+      NOT_RETRANSMISSION, &frame));
+  EXPECT_EQ(frame.stream_frame.data_length,
+            creator_.PacketSize() - previous_size);
+
+  // frame is for another stream, so it won't be coalesced.
+  const auto length = creator_.BytesFree() - 10u;
+  std::string large_data(length, 'x');
+  MakeIOVector(large_data, &iov_);
+  EXPECT_CALL(debug, OnFrameAddedToPacket(_));
+  ASSERT_TRUE(creator_.ConsumeDataToFillCurrentPacket(
+      stream_id2, &iov_, 1u, iov_.iov_len, 0u, 0u, false, false,
+      NOT_RETRANSMISSION, &frame));
+  EXPECT_TRUE(creator_.HasPendingStreamFramesOfStream(stream_id2));
+
+  // The packet doesn't have enough free bytes for all data, but will still be
+  // able to consume and coalesce part of them.
+  EXPECT_CALL(debug, OnStreamFrameCoalesced(_));
+  MakeIOVector("somerandomdata", &iov_);
+  ASSERT_TRUE(creator_.ConsumeDataToFillCurrentPacket(
+      stream_id2, &iov_, 1u, iov_.iov_len, 0u, length, false, false,
+      NOT_RETRANSMISSION, &frame));
+
+  EXPECT_CALL(delegate_, OnSerializedPacket(_))
+      .WillOnce(Invoke(this, &QuicPacketCreatorTest::SaveSerializedPacket));
+  creator_.FlushCurrentPacket();
+  EXPECT_CALL(framer_visitor_, OnPacket());
+  EXPECT_CALL(framer_visitor_, OnUnauthenticatedPublicHeader(_));
+  EXPECT_CALL(framer_visitor_, OnUnauthenticatedHeader(_));
+  EXPECT_CALL(framer_visitor_, OnDecryptedPacket(_));
+  EXPECT_CALL(framer_visitor_, OnPacketHeader(_));
+  // The packet should only have 2 stream frames.
+  EXPECT_CALL(framer_visitor_, OnStreamFrame(_));
+  EXPECT_CALL(framer_visitor_, OnStreamFrame(_));
+  EXPECT_CALL(framer_visitor_, OnPacketComplete());
+  ProcessPacket(serialized_packet_);
+}
+
+TEST_P(QuicPacketCreatorTest, SaveNonRetransmittableFrames) {
+  QuicAckFrame ack_frame(InitAckFrame(1));
+  frames_.push_back(QuicFrame(&ack_frame));
+  frames_.push_back(QuicFrame(QuicPaddingFrame(-1)));
+  SerializedPacket serialized = SerializeAllFrames(frames_);
+  ASSERT_EQ(2u, serialized.nonretransmittable_frames.size());
+  EXPECT_EQ(ACK_FRAME, serialized.nonretransmittable_frames[0].type);
+  EXPECT_EQ(PADDING_FRAME, serialized.nonretransmittable_frames[1].type);
+  // Verify full padding frame is translated to a padding frame with actual
+  // bytes of padding.
+  EXPECT_LT(
+      0,
+      serialized.nonretransmittable_frames[1].padding_frame.num_padding_bytes);
+  frames_.clear();
+
+  // Serialize another packet with the same frames.
+  SerializedPacket packet = QuicPacketCreatorPeer::SerializeAllFrames(
+      &creator_, serialized.nonretransmittable_frames, buffer_,
+      kMaxOutgoingPacketSize);
+  // Verify the packet length of both packets are equal.
+  EXPECT_EQ(serialized.encrypted_length, packet.encrypted_length);
+}
+
+TEST_P(QuicPacketCreatorTest, SerializeCoalescedPacket) {
+  QuicCoalescedPacket coalesced;
+  SimpleBufferAllocator allocator;
+  QuicSocketAddress self_address(QuicIpAddress::Loopback4(), 1);
+  QuicSocketAddress peer_address(QuicIpAddress::Loopback4(), 2);
+  for (size_t i = ENCRYPTION_INITIAL; i < NUM_ENCRYPTION_LEVELS; ++i) {
+    EncryptionLevel level = static_cast<EncryptionLevel>(i);
+    creator_.set_encryption_level(level);
+    QuicAckFrame ack_frame(InitAckFrame(1));
+    frames_.push_back(QuicFrame(&ack_frame));
+    if (level != ENCRYPTION_INITIAL && level != ENCRYPTION_HANDSHAKE) {
+      frames_.push_back(
+          QuicFrame(QuicStreamFrame(1, false, 0u, QuicStringPiece())));
+    }
+    SerializedPacket serialized = SerializeAllFrames(frames_);
+    EXPECT_EQ(level, serialized.encryption_level);
+    frames_.clear();
+    ASSERT_TRUE(coalesced.MaybeCoalescePacket(serialized, self_address,
+                                              peer_address, &allocator,
+                                              creator_.max_packet_length()));
+  }
+  char buffer[kMaxOutgoingPacketSize];
+  size_t coalesced_length = creator_.SerializeCoalescedPacket(
+      coalesced, buffer, kMaxOutgoingPacketSize);
+  // Verify packet is padded to full.
+  ASSERT_EQ(coalesced.max_packet_length(), coalesced_length);
+  if (!QuicVersionHasLongHeaderLengths(server_framer_.transport_version())) {
+    return;
+  }
+  // Verify packet process.
+  std::unique_ptr<QuicEncryptedPacket> packets[NUM_ENCRYPTION_LEVELS];
+  packets[ENCRYPTION_INITIAL] =
+      std::make_unique<QuicEncryptedPacket>(buffer, coalesced_length);
+  for (size_t i = ENCRYPTION_INITIAL; i < NUM_ENCRYPTION_LEVELS; ++i) {
+    InSequence s;
+    EXPECT_CALL(framer_visitor_, OnPacket());
+    EXPECT_CALL(framer_visitor_, OnUnauthenticatedPublicHeader(_));
+    if (i < ENCRYPTION_FORWARD_SECURE) {
+      // Save coalesced packet.
+      EXPECT_CALL(framer_visitor_, OnCoalescedPacket(_))
+          .WillOnce(Invoke([i, &packets](const QuicEncryptedPacket& packet) {
+            packets[i + 1] = packet.Clone();
+          }));
+    }
+    EXPECT_CALL(framer_visitor_, OnUnauthenticatedHeader(_));
+    EXPECT_CALL(framer_visitor_, OnDecryptedPacket(_));
+    EXPECT_CALL(framer_visitor_, OnPacketHeader(_));
+    EXPECT_CALL(framer_visitor_, OnAckFrameStart(_, _)).WillOnce(Return(true));
+    EXPECT_CALL(framer_visitor_,
+                OnAckRange(QuicPacketNumber(1), QuicPacketNumber(2)))
+        .WillOnce(Return(true));
+    EXPECT_CALL(framer_visitor_, OnAckFrameEnd(_)).WillOnce(Return(true));
+    if (i == ENCRYPTION_INITIAL) {
+      // Verify padding is added.
+      EXPECT_CALL(framer_visitor_, OnPaddingFrame(_));
+    } else {
+      EXPECT_CALL(framer_visitor_, OnPaddingFrame(_)).Times(testing::AtMost(1));
+    }
+    if (i != ENCRYPTION_INITIAL && i != ENCRYPTION_HANDSHAKE) {
+      EXPECT_CALL(framer_visitor_, OnStreamFrame(_));
+    }
+    EXPECT_CALL(framer_visitor_, OnPacketComplete());
+
+    server_framer_.ProcessPacket(*packets[i]);
+  }
+}
+
+TEST_P(QuicPacketCreatorTest, SoftMaxPacketLength) {
+  creator_.set_encryption_level(ENCRYPTION_FORWARD_SECURE);
+  QuicByteCount previous_max_packet_length = creator_.max_packet_length();
+  const size_t overhead =
+      GetPacketHeaderOverhead(client_framer_.transport_version()) +
+      QuicPacketCreator::MinPlaintextPacketSize(client_framer_.version()) +
+      GetEncryptionOverhead();
+  // Make sure a length which cannot accommodate header (includes header
+  // protection minimal length) gets rejected.
+  creator_.SetSoftMaxPacketLength(overhead - 1);
+  EXPECT_EQ(previous_max_packet_length, creator_.max_packet_length());
+
+  creator_.SetSoftMaxPacketLength(overhead);
+  EXPECT_EQ(overhead, creator_.max_packet_length());
+
+  // Verify creator has room for stream frame because max_packet_length_ gets
+  // restored.
+  ASSERT_TRUE(creator_.HasRoomForStreamFrame(
+      GetNthClientInitiatedStreamId(1), kMaxIetfVarInt,
+      std::numeric_limits<uint32_t>::max()));
+  EXPECT_EQ(previous_max_packet_length, creator_.max_packet_length());
+
+  // Same for message frame.
+  if (VersionSupportsMessageFrames(client_framer_.transport_version())) {
+    creator_.SetSoftMaxPacketLength(overhead);
+    // Verify GetCurrentLargestMessagePayload is based on the actual
+    // max_packet_length.
+    EXPECT_LT(1u, creator_.GetCurrentLargestMessagePayload());
+    EXPECT_EQ(overhead, creator_.max_packet_length());
+    ASSERT_TRUE(creator_.HasRoomForMessageFrame(
+        creator_.GetCurrentLargestMessagePayload()));
+    EXPECT_EQ(previous_max_packet_length, creator_.max_packet_length());
+  }
+
+  // Verify creator can consume crypto data because max_packet_length_ gets
+  // restored.
+  creator_.SetSoftMaxPacketLength(overhead);
+  EXPECT_EQ(overhead, creator_.max_packet_length());
+  std::string data = "crypto data";
+  MakeIOVector(data, &iov_);
+  QuicFrame frame;
+  if (!QuicVersionUsesCryptoFrames(client_framer_.transport_version())) {
+    ASSERT_TRUE(creator_.ConsumeDataToFillCurrentPacket(
+        QuicUtils::GetCryptoStreamId(client_framer_.transport_version()), &iov_,
+        1u, iov_.iov_len, 0u, kOffset, false, true, NOT_RETRANSMISSION,
+        &frame));
+    size_t bytes_consumed = frame.stream_frame.data_length;
+    EXPECT_LT(0u, bytes_consumed);
+  } else {
+    producer_.SaveCryptoData(ENCRYPTION_INITIAL, kOffset, data);
+    ASSERT_TRUE(creator_.ConsumeCryptoDataToFillCurrentPacket(
+        ENCRYPTION_INITIAL, data.length(), kOffset,
+        /*needs_full_padding=*/true, NOT_RETRANSMISSION, &frame));
+    size_t bytes_consumed = frame.crypto_frame->data_length;
+    EXPECT_LT(0u, bytes_consumed);
+  }
+  EXPECT_TRUE(creator_.HasPendingFrames());
+  EXPECT_CALL(delegate_, OnSerializedPacket(_))
+      .WillOnce(Invoke(this, &QuicPacketCreatorTest::SaveSerializedPacket));
+  creator_.FlushCurrentPacket();
+
+  // Verify ACK frame can be consumed.
+  creator_.SetSoftMaxPacketLength(overhead);
+  EXPECT_EQ(overhead, creator_.max_packet_length());
+  QuicAckFrame ack_frame(InitAckFrame(10u));
+  EXPECT_TRUE(creator_.AddFrame(QuicFrame(&ack_frame), NOT_RETRANSMISSION));
+  EXPECT_TRUE(creator_.HasPendingFrames());
+}
+
+class MockDelegate : public QuicPacketCreator::DelegateInterface {
+ public:
+  MockDelegate() {}
+  MockDelegate(const MockDelegate&) = delete;
+  MockDelegate& operator=(const MockDelegate&) = delete;
+  ~MockDelegate() override {}
+
+  MOCK_METHOD2(ShouldGeneratePacket,
+               bool(HasRetransmittableData retransmittable,
+                    IsHandshake handshake));
+  MOCK_METHOD0(MaybeBundleAckOpportunistically, const QuicFrames());
+  MOCK_METHOD0(GetPacketBuffer, char*());
+  MOCK_METHOD1(OnSerializedPacket, void(SerializedPacket* packet));
+  MOCK_METHOD2(OnUnrecoverableError, void(QuicErrorCode, const std::string&));
+
+  void SetCanWriteAnything() {
+    EXPECT_CALL(*this, ShouldGeneratePacket(_, _)).WillRepeatedly(Return(true));
+    EXPECT_CALL(*this, ShouldGeneratePacket(NO_RETRANSMITTABLE_DATA, _))
+        .WillRepeatedly(Return(true));
+  }
+
+  void SetCanNotWrite() {
+    EXPECT_CALL(*this, ShouldGeneratePacket(_, _))
+        .WillRepeatedly(Return(false));
+    EXPECT_CALL(*this, ShouldGeneratePacket(NO_RETRANSMITTABLE_DATA, _))
+        .WillRepeatedly(Return(false));
+  }
+
+  // Use this when only ack frames should be allowed to be written.
+  void SetCanWriteOnlyNonRetransmittable() {
+    EXPECT_CALL(*this, ShouldGeneratePacket(_, _))
+        .WillRepeatedly(Return(false));
+    EXPECT_CALL(*this, ShouldGeneratePacket(NO_RETRANSMITTABLE_DATA, _))
+        .WillRepeatedly(Return(true));
+  }
+};
+
+// Simple struct for describing the contents of a packet.
+// Useful in conjunction with a SimpleQuicFrame for validating that a packet
+// contains the expected frames.
+struct PacketContents {
+  PacketContents()
+      : num_ack_frames(0),
+        num_connection_close_frames(0),
+        num_goaway_frames(0),
+        num_rst_stream_frames(0),
+        num_stop_waiting_frames(0),
+        num_stream_frames(0),
+        num_crypto_frames(0),
+        num_ping_frames(0),
+        num_mtu_discovery_frames(0),
+        num_padding_frames(0) {}
+
+  size_t num_ack_frames;
+  size_t num_connection_close_frames;
+  size_t num_goaway_frames;
+  size_t num_rst_stream_frames;
+  size_t num_stop_waiting_frames;
+  size_t num_stream_frames;
+  size_t num_crypto_frames;
+  size_t num_ping_frames;
+  size_t num_mtu_discovery_frames;
+  size_t num_padding_frames;
+};
+
+class MultiplePacketsTestPacketCreator : public QuicPacketCreator {
+ public:
+  MultiplePacketsTestPacketCreator(
+      QuicConnectionId connection_id,
+      QuicFramer* framer,
+      QuicRandom* random_generator,
+      QuicPacketCreator::DelegateInterface* delegate,
+      SimpleDataProducer* producer)
+      : QuicPacketCreator(connection_id, framer, random_generator, delegate),
+        ack_frame_(InitAckFrame(1)),
+        delegate_(static_cast<MockDelegate*>(delegate)),
+        producer_(producer) {}
+
+  bool ConsumeRetransmittableControlFrame(const QuicFrame& frame,
+                                          bool bundle_ack) {
+    if (!has_ack()) {
+      QuicFrames frames;
+      if (bundle_ack) {
+        frames.push_back(QuicFrame(&ack_frame_));
+      }
+      if (delegate_->ShouldGeneratePacket(NO_RETRANSMITTABLE_DATA,
+                                          NOT_HANDSHAKE)) {
+        EXPECT_CALL(*delegate_, MaybeBundleAckOpportunistically())
+            .WillOnce(Return(frames));
+      }
+    }
+    return QuicPacketCreator::ConsumeRetransmittableControlFrame(frame);
+  }
+
+  QuicConsumedData ConsumeDataFastPath(QuicStreamId id,
+                                       const struct iovec* iov,
+                                       int iov_count,
+                                       size_t total_length,
+                                       QuicStreamOffset offset,
+                                       bool fin) {
+    // Save data before data is consumed.
+    if (total_length > 0) {
+      producer_->SaveStreamData(id, iov, iov_count, 0, total_length);
+    }
+    return QuicPacketCreator::ConsumeDataFastPath(id, total_length, offset, fin,
+                                                  0);
+  }
+
+  QuicConsumedData ConsumeData(QuicStreamId id,
+                               const struct iovec* iov,
+                               int iov_count,
+                               size_t total_length,
+                               QuicStreamOffset offset,
+                               StreamSendingState state) {
+    // Save data before data is consumed.
+    if (total_length > 0) {
+      producer_->SaveStreamData(id, iov, iov_count, 0, total_length);
+    }
+    if (!has_ack() && delegate_->ShouldGeneratePacket(NO_RETRANSMITTABLE_DATA,
+                                                      NOT_HANDSHAKE)) {
+      EXPECT_CALL(*delegate_, MaybeBundleAckOpportunistically()).Times(1);
+    }
+    return QuicPacketCreator::ConsumeData(id, total_length, offset, state);
+  }
+
+  MessageStatus AddMessageFrame(QuicMessageId message_id,
+                                QuicMemSliceSpan message) {
+    if (!has_ack() && delegate_->ShouldGeneratePacket(NO_RETRANSMITTABLE_DATA,
+                                                      NOT_HANDSHAKE)) {
+      EXPECT_CALL(*delegate_, MaybeBundleAckOpportunistically()).Times(1);
+    }
+    return QuicPacketCreator::AddMessageFrame(message_id, message);
+  }
+
+  size_t ConsumeCryptoData(EncryptionLevel level,
+                           QuicStringPiece data,
+                           QuicStreamOffset offset) {
+    producer_->SaveCryptoData(level, offset, data);
+    if (!has_ack() && delegate_->ShouldGeneratePacket(NO_RETRANSMITTABLE_DATA,
+                                                      NOT_HANDSHAKE)) {
+      EXPECT_CALL(*delegate_, MaybeBundleAckOpportunistically()).Times(1);
+    }
+    return QuicPacketCreator::ConsumeCryptoData(level, data.length(), offset);
+  }
+
+  QuicAckFrame ack_frame_;
+  MockDelegate* delegate_;
+  SimpleDataProducer* producer_;
+};
+
+class QuicPacketCreatorMultiplePacketsTest : public QuicTest {
+ public:
+  QuicPacketCreatorMultiplePacketsTest()
+      : framer_(AllSupportedVersions(),
+                QuicTime::Zero(),
+                Perspective::IS_CLIENT,
+                kQuicDefaultConnectionIdLength),
+        creator_(TestConnectionId(),
+                 &framer_,
+                 &random_creator_,
+                 &delegate_,
+                 &producer_),
+        ack_frame_(InitAckFrame(1)) {
+    EXPECT_CALL(delegate_, GetPacketBuffer()).WillRepeatedly(Return(nullptr));
+    creator_.SetEncrypter(
+        ENCRYPTION_FORWARD_SECURE,
+        std::make_unique<NullEncrypter>(Perspective::IS_CLIENT));
+    creator_.set_encryption_level(ENCRYPTION_FORWARD_SECURE);
+    framer_.set_data_producer(&producer_);
+    if (simple_framer_.framer()->version().KnowsWhichDecrypterToUse()) {
+      simple_framer_.framer()->InstallDecrypter(
+          ENCRYPTION_FORWARD_SECURE,
+          std::make_unique<NullDecrypter>(Perspective::IS_SERVER));
+    }
+    creator_.AttachPacketFlusher();
+  }
+
+  ~QuicPacketCreatorMultiplePacketsTest() override {
+    for (SerializedPacket& packet : packets_) {
+      delete[] packet.encrypted_buffer;
+      ClearSerializedPacket(&packet);
+    }
+  }
+
+  void SavePacket(SerializedPacket* packet) {
+    packet->encrypted_buffer = CopyBuffer(*packet);
+    packets_.push_back(*packet);
+    packet->encrypted_buffer = nullptr;
+    packet->retransmittable_frames.clear();
+  }
+
+ protected:
+  QuicRstStreamFrame* CreateRstStreamFrame() {
+    return new QuicRstStreamFrame(1, 1, QUIC_STREAM_NO_ERROR, 0);
+  }
+
+  QuicGoAwayFrame* CreateGoAwayFrame() {
+    return new QuicGoAwayFrame(2, QUIC_NO_ERROR, 1, std::string());
+  }
+
+  void CheckPacketContains(const PacketContents& contents,
+                           size_t packet_index) {
+    ASSERT_GT(packets_.size(), packet_index);
+    const SerializedPacket& packet = packets_[packet_index];
+    size_t num_retransmittable_frames =
+        contents.num_connection_close_frames + contents.num_goaway_frames +
+        contents.num_rst_stream_frames + contents.num_stream_frames +
+        contents.num_crypto_frames + contents.num_ping_frames;
+    size_t num_frames =
+        contents.num_ack_frames + contents.num_stop_waiting_frames +
+        contents.num_mtu_discovery_frames + contents.num_padding_frames +
+        num_retransmittable_frames;
+
+    if (num_retransmittable_frames == 0) {
+      ASSERT_TRUE(packet.retransmittable_frames.empty());
+    } else {
+      ASSERT_FALSE(packet.retransmittable_frames.empty());
+      EXPECT_EQ(num_retransmittable_frames,
+                packet.retransmittable_frames.size());
+    }
+
+    ASSERT_TRUE(packet.encrypted_buffer != nullptr);
+    ASSERT_TRUE(simple_framer_.ProcessPacket(
+        QuicEncryptedPacket(packet.encrypted_buffer, packet.encrypted_length)));
+    size_t num_padding_frames = 0;
+    if (contents.num_padding_frames == 0) {
+      num_padding_frames = simple_framer_.padding_frames().size();
+    }
+    EXPECT_EQ(num_frames + num_padding_frames, simple_framer_.num_frames());
+    EXPECT_EQ(contents.num_ack_frames, simple_framer_.ack_frames().size());
+    EXPECT_EQ(contents.num_connection_close_frames,
+              simple_framer_.connection_close_frames().size());
+    EXPECT_EQ(contents.num_goaway_frames,
+              simple_framer_.goaway_frames().size());
+    EXPECT_EQ(contents.num_rst_stream_frames,
+              simple_framer_.rst_stream_frames().size());
+    EXPECT_EQ(contents.num_stream_frames,
+              simple_framer_.stream_frames().size());
+    EXPECT_EQ(contents.num_crypto_frames,
+              simple_framer_.crypto_frames().size());
+    EXPECT_EQ(contents.num_stop_waiting_frames,
+              simple_framer_.stop_waiting_frames().size());
+    if (contents.num_padding_frames != 0) {
+      EXPECT_EQ(contents.num_padding_frames,
+                simple_framer_.padding_frames().size());
+    }
+
+    // From the receiver's perspective, MTU discovery frames are ping frames.
+    EXPECT_EQ(contents.num_ping_frames + contents.num_mtu_discovery_frames,
+              simple_framer_.ping_frames().size());
+  }
+
+  void CheckPacketHasSingleStreamFrame(size_t packet_index) {
+    ASSERT_GT(packets_.size(), packet_index);
+    const SerializedPacket& packet = packets_[packet_index];
+    ASSERT_FALSE(packet.retransmittable_frames.empty());
+    EXPECT_EQ(1u, packet.retransmittable_frames.size());
+    ASSERT_TRUE(packet.encrypted_buffer != nullptr);
+    ASSERT_TRUE(simple_framer_.ProcessPacket(
+        QuicEncryptedPacket(packet.encrypted_buffer, packet.encrypted_length)));
+    EXPECT_EQ(1u, simple_framer_.num_frames());
+    EXPECT_EQ(1u, simple_framer_.stream_frames().size());
+  }
+
+  void CheckAllPacketsHaveSingleStreamFrame() {
+    for (size_t i = 0; i < packets_.size(); i++) {
+      CheckPacketHasSingleStreamFrame(i);
+    }
+  }
+
+  void CreateData(size_t len) {
+    data_array_.reset(new char[len]);
+    memset(data_array_.get(), '?', len);
+    iov_.iov_base = data_array_.get();
+    iov_.iov_len = len;
+  }
+
+  QuicFramer framer_;
+  MockRandom random_creator_;
+  StrictMock<MockDelegate> delegate_;
+  MultiplePacketsTestPacketCreator creator_;
+  SimpleQuicFramer simple_framer_;
+  std::vector<SerializedPacket> packets_;
+  QuicAckFrame ack_frame_;
+  struct iovec iov_;
+  SimpleBufferAllocator allocator_;
+
+ private:
+  std::unique_ptr<char[]> data_array_;
+  SimpleDataProducer producer_;
+};
+
+TEST_F(QuicPacketCreatorMultiplePacketsTest, AddControlFrame_NotWritable) {
+  delegate_.SetCanNotWrite();
+
+  QuicRstStreamFrame* rst_frame = CreateRstStreamFrame();
+  const bool consumed =
+      creator_.ConsumeRetransmittableControlFrame(QuicFrame(rst_frame),
+                                                  /*bundle_ack=*/false);
+  EXPECT_FALSE(consumed);
+  EXPECT_FALSE(creator_.HasPendingFrames());
+  EXPECT_FALSE(creator_.HasPendingRetransmittableFrames());
+  delete rst_frame;
+}
+
+TEST_F(QuicPacketCreatorMultiplePacketsTest, AddControlFrame_OnlyAckWritable) {
+  delegate_.SetCanWriteOnlyNonRetransmittable();
+
+  QuicRstStreamFrame* rst_frame = CreateRstStreamFrame();
+  const bool consumed =
+      creator_.ConsumeRetransmittableControlFrame(QuicFrame(rst_frame),
+                                                  /*bundle_ack=*/false);
+  EXPECT_FALSE(consumed);
+  EXPECT_FALSE(creator_.HasPendingFrames());
+  EXPECT_FALSE(creator_.HasPendingRetransmittableFrames());
+  delete rst_frame;
+}
+
+TEST_F(QuicPacketCreatorMultiplePacketsTest,
+       AddControlFrame_WritableAndShouldNotFlush) {
+  delegate_.SetCanWriteAnything();
+
+  creator_.ConsumeRetransmittableControlFrame(QuicFrame(CreateRstStreamFrame()),
+                                              /*bundle_ack=*/false);
+  EXPECT_TRUE(creator_.HasPendingFrames());
+  EXPECT_TRUE(creator_.HasPendingRetransmittableFrames());
+}
+
+TEST_F(QuicPacketCreatorMultiplePacketsTest,
+       AddControlFrame_NotWritableBatchThenFlush) {
+  delegate_.SetCanNotWrite();
+
+  QuicRstStreamFrame* rst_frame = CreateRstStreamFrame();
+  const bool consumed =
+      creator_.ConsumeRetransmittableControlFrame(QuicFrame(rst_frame),
+                                                  /*bundle_ack=*/false);
+  EXPECT_FALSE(consumed);
+  EXPECT_FALSE(creator_.HasPendingFrames());
+  EXPECT_FALSE(creator_.HasPendingRetransmittableFrames());
+  delete rst_frame;
+}
+
+TEST_F(QuicPacketCreatorMultiplePacketsTest,
+       AddControlFrame_WritableAndShouldFlush) {
+  delegate_.SetCanWriteAnything();
+
+  EXPECT_CALL(delegate_, OnSerializedPacket(_))
+      .WillOnce(
+          Invoke(this, &QuicPacketCreatorMultiplePacketsTest::SavePacket));
+
+  creator_.ConsumeRetransmittableControlFrame(QuicFrame(CreateRstStreamFrame()),
+                                              /*bundle_ack=*/false);
+  creator_.Flush();
+  EXPECT_FALSE(creator_.HasPendingFrames());
+  EXPECT_FALSE(creator_.HasPendingRetransmittableFrames());
+
+  PacketContents contents;
+  contents.num_rst_stream_frames = 1;
+  CheckPacketContains(contents, 0);
+}
+
+TEST_F(QuicPacketCreatorMultiplePacketsTest, ConsumeCryptoData) {
+  delegate_.SetCanWriteAnything();
+
+  EXPECT_CALL(delegate_, OnSerializedPacket(_))
+      .WillOnce(
+          Invoke(this, &QuicPacketCreatorMultiplePacketsTest::SavePacket));
+  std::string data = "crypto data";
+  size_t consumed_bytes =
+      creator_.ConsumeCryptoData(ENCRYPTION_INITIAL, data, 0);
+  creator_.Flush();
+  EXPECT_EQ(data.length(), consumed_bytes);
+  EXPECT_FALSE(creator_.HasPendingFrames());
+  EXPECT_FALSE(creator_.HasPendingRetransmittableFrames());
+
+  PacketContents contents;
+  contents.num_crypto_frames = 1;
+  contents.num_padding_frames = 1;
+  CheckPacketContains(contents, 0);
+}
+
+TEST_F(QuicPacketCreatorMultiplePacketsTest, ConsumeData_NotWritable) {
+  delegate_.SetCanNotWrite();
+
+  MakeIOVector("foo", &iov_);
+  QuicConsumedData consumed = creator_.ConsumeData(
+      QuicUtils::GetFirstBidirectionalStreamId(framer_.transport_version(),
+                                               Perspective::IS_CLIENT),
+      &iov_, 1u, iov_.iov_len, 0, FIN);
+  EXPECT_EQ(0u, consumed.bytes_consumed);
+  EXPECT_FALSE(consumed.fin_consumed);
+  EXPECT_FALSE(creator_.HasPendingFrames());
+  EXPECT_FALSE(creator_.HasPendingRetransmittableFrames());
+}
+
+TEST_F(QuicPacketCreatorMultiplePacketsTest,
+       ConsumeData_WritableAndShouldNotFlush) {
+  delegate_.SetCanWriteAnything();
+
+  MakeIOVector("foo", &iov_);
+  QuicConsumedData consumed = creator_.ConsumeData(
+      QuicUtils::GetFirstBidirectionalStreamId(framer_.transport_version(),
+                                               Perspective::IS_CLIENT),
+      &iov_, 1u, iov_.iov_len, 0, FIN);
+  EXPECT_EQ(3u, consumed.bytes_consumed);
+  EXPECT_TRUE(consumed.fin_consumed);
+  EXPECT_TRUE(creator_.HasPendingFrames());
+  EXPECT_TRUE(creator_.HasPendingRetransmittableFrames());
+}
+
+TEST_F(QuicPacketCreatorMultiplePacketsTest,
+       ConsumeData_WritableAndShouldFlush) {
+  delegate_.SetCanWriteAnything();
+
+  EXPECT_CALL(delegate_, OnSerializedPacket(_))
+      .WillOnce(
+          Invoke(this, &QuicPacketCreatorMultiplePacketsTest::SavePacket));
+  MakeIOVector("foo", &iov_);
+  QuicConsumedData consumed = creator_.ConsumeData(
+      QuicUtils::GetFirstBidirectionalStreamId(framer_.transport_version(),
+                                               Perspective::IS_CLIENT),
+      &iov_, 1u, iov_.iov_len, 0, FIN);
+  creator_.Flush();
+  EXPECT_EQ(3u, consumed.bytes_consumed);
+  EXPECT_TRUE(consumed.fin_consumed);
+  EXPECT_FALSE(creator_.HasPendingFrames());
+  EXPECT_FALSE(creator_.HasPendingRetransmittableFrames());
+
+  PacketContents contents;
+  contents.num_stream_frames = 1;
+  CheckPacketContains(contents, 0);
+}
+
+// Test the behavior of ConsumeData when the data consumed is for the crypto
+// handshake stream.  Ensure that the packet is always sent and padded even if
+// the creator operates in batch mode.
+TEST_F(QuicPacketCreatorMultiplePacketsTest, ConsumeData_Handshake) {
+  delegate_.SetCanWriteAnything();
+
+  EXPECT_CALL(delegate_, OnSerializedPacket(_))
+      .WillOnce(
+          Invoke(this, &QuicPacketCreatorMultiplePacketsTest::SavePacket));
+  std::string data = "foo bar";
+  MakeIOVector(data, &iov_);
+  size_t consumed_bytes = 0;
+  if (QuicVersionUsesCryptoFrames(framer_.transport_version())) {
+    consumed_bytes = creator_.ConsumeCryptoData(ENCRYPTION_INITIAL, data, 0);
+  } else {
+    consumed_bytes =
+        creator_
+            .ConsumeData(
+                QuicUtils::GetCryptoStreamId(framer_.transport_version()),
+                &iov_, 1u, iov_.iov_len, 0, NO_FIN)
+            .bytes_consumed;
+  }
+  EXPECT_EQ(7u, consumed_bytes);
+  EXPECT_FALSE(creator_.HasPendingFrames());
+  EXPECT_FALSE(creator_.HasPendingRetransmittableFrames());
+
+  PacketContents contents;
+  if (QuicVersionUsesCryptoFrames(framer_.transport_version())) {
+    contents.num_crypto_frames = 1;
+  } else {
+    contents.num_stream_frames = 1;
+  }
+  contents.num_padding_frames = 1;
+  CheckPacketContains(contents, 0);
+
+  ASSERT_EQ(1u, packets_.size());
+  ASSERT_EQ(kDefaultMaxPacketSize, creator_.max_packet_length());
+  EXPECT_EQ(kDefaultMaxPacketSize, packets_[0].encrypted_length);
+}
+
+// Test the behavior of ConsumeData when the data is for the crypto handshake
+// stream, but padding is disabled.
+TEST_F(QuicPacketCreatorMultiplePacketsTest,
+       ConsumeData_Handshake_PaddingDisabled) {
+  creator_.set_fully_pad_crypto_handshake_packets(false);
+
+  delegate_.SetCanWriteAnything();
+
+  EXPECT_CALL(delegate_, OnSerializedPacket(_))
+      .WillOnce(
+          Invoke(this, &QuicPacketCreatorMultiplePacketsTest::SavePacket));
+  std::string data = "foo";
+  MakeIOVector(data, &iov_);
+  size_t bytes_consumed = 0;
+  if (QuicVersionUsesCryptoFrames(framer_.transport_version())) {
+    bytes_consumed = creator_.ConsumeCryptoData(ENCRYPTION_INITIAL, data, 0);
+  } else {
+    bytes_consumed =
+        creator_
+            .ConsumeData(
+                QuicUtils::GetCryptoStreamId(framer_.transport_version()),
+                &iov_, 1u, iov_.iov_len, 0, NO_FIN)
+            .bytes_consumed;
+  }
+  EXPECT_EQ(3u, bytes_consumed);
+  EXPECT_FALSE(creator_.HasPendingFrames());
+  EXPECT_FALSE(creator_.HasPendingRetransmittableFrames());
+
+  PacketContents contents;
+  if (QuicVersionUsesCryptoFrames(framer_.transport_version())) {
+    contents.num_crypto_frames = 1;
+  } else {
+    contents.num_stream_frames = 1;
+  }
+  contents.num_padding_frames = 0;
+  CheckPacketContains(contents, 0);
+
+  ASSERT_EQ(1u, packets_.size());
+
+  // Packet is not fully padded, but we want to future packets to be larger.
+  ASSERT_EQ(kDefaultMaxPacketSize, creator_.max_packet_length());
+  size_t expected_packet_length = 27;
+  if (QuicVersionUsesCryptoFrames(framer_.transport_version())) {
+    // The framing of CRYPTO frames is slightly different than that of stream
+    // frames, so the expected packet length differs slightly.
+    expected_packet_length = 28;
+  }
+  if (framer_.version().HasHeaderProtection()) {
+    expected_packet_length = 29;
+  }
+  EXPECT_EQ(expected_packet_length, packets_[0].encrypted_length);
+}
+
+TEST_F(QuicPacketCreatorMultiplePacketsTest, ConsumeData_EmptyData) {
+  delegate_.SetCanWriteAnything();
+
+  EXPECT_QUIC_BUG(creator_.ConsumeData(
+                      QuicUtils::QuicUtils::GetFirstBidirectionalStreamId(
+                          framer_.transport_version(), Perspective::IS_CLIENT),
+                      nullptr, 0, 0, 0, NO_FIN),
+                  "Attempt to consume empty data without FIN.");
+}
+
+TEST_F(QuicPacketCreatorMultiplePacketsTest,
+       ConsumeDataMultipleTimes_WritableAndShouldNotFlush) {
+  delegate_.SetCanWriteAnything();
+
+  MakeIOVector("foo", &iov_);
+  creator_.ConsumeData(QuicUtils::GetFirstBidirectionalStreamId(
+                           framer_.transport_version(), Perspective::IS_CLIENT),
+                       &iov_, 1u, iov_.iov_len, 0, FIN);
+  MakeIOVector("quux", &iov_);
+  QuicConsumedData consumed =
+      creator_.ConsumeData(3, &iov_, 1u, iov_.iov_len, 3, NO_FIN);
+  EXPECT_EQ(4u, consumed.bytes_consumed);
+  EXPECT_FALSE(consumed.fin_consumed);
+  EXPECT_TRUE(creator_.HasPendingFrames());
+  EXPECT_TRUE(creator_.HasPendingRetransmittableFrames());
+}
+
+TEST_F(QuicPacketCreatorMultiplePacketsTest, ConsumeData_BatchOperations) {
+  delegate_.SetCanWriteAnything();
+
+  MakeIOVector("foo", &iov_);
+  creator_.ConsumeData(QuicUtils::GetFirstBidirectionalStreamId(
+                           framer_.transport_version(), Perspective::IS_CLIENT),
+                       &iov_, 1u, iov_.iov_len, 0, NO_FIN);
+  MakeIOVector("quux", &iov_);
+  QuicConsumedData consumed = creator_.ConsumeData(
+      QuicUtils::GetFirstBidirectionalStreamId(framer_.transport_version(),
+                                               Perspective::IS_CLIENT),
+      &iov_, 1u, iov_.iov_len, 3, FIN);
+  EXPECT_EQ(4u, consumed.bytes_consumed);
+  EXPECT_TRUE(consumed.fin_consumed);
+  EXPECT_TRUE(creator_.HasPendingFrames());
+  EXPECT_TRUE(creator_.HasPendingRetransmittableFrames());
+
+  // Now both frames will be flushed out.
+  EXPECT_CALL(delegate_, OnSerializedPacket(_))
+      .WillOnce(
+          Invoke(this, &QuicPacketCreatorMultiplePacketsTest::SavePacket));
+  creator_.Flush();
+  EXPECT_FALSE(creator_.HasPendingFrames());
+  EXPECT_FALSE(creator_.HasPendingRetransmittableFrames());
+
+  PacketContents contents;
+  contents.num_stream_frames =
+      GetQuicRestartFlag(quic_coalesce_stream_frames_2) ? 1 : 2;
+  CheckPacketContains(contents, 0);
+}
+
+TEST_F(QuicPacketCreatorMultiplePacketsTest,
+       ConsumeData_FramesPreviouslyQueued) {
+  // Set the packet size be enough for two stream frames with 0 stream offset,
+  // but not enough for a stream frame of 0 offset and one with non-zero offset.
+  size_t length =
+      NullEncrypter(Perspective::IS_CLIENT).GetCiphertextSize(0) +
+      GetPacketHeaderSize(
+          framer_.transport_version(),
+          creator_.GetDestinationConnectionIdLength(),
+          creator_.GetSourceConnectionIdLength(),
+          QuicPacketCreatorPeer::SendVersionInPacket(&creator_),
+          !kIncludeDiversificationNonce,
+          QuicPacketCreatorPeer::GetPacketNumberLength(&creator_),
+          QuicPacketCreatorPeer::GetRetryTokenLengthLength(&creator_), 0,
+          QuicPacketCreatorPeer::GetLengthLength(&creator_)) +
+      // Add an extra 3 bytes for the payload and 1 byte so
+      // BytesFree is larger than the GetMinStreamFrameSize.
+      QuicFramer::GetMinStreamFrameSize(framer_.transport_version(), 1, 0,
+                                        false, 3) +
+      3 +
+      QuicFramer::GetMinStreamFrameSize(framer_.transport_version(), 1, 0, true,
+                                        1) +
+      1;
+  creator_.SetMaxPacketLength(length);
+  delegate_.SetCanWriteAnything();
+  {
+    InSequence dummy;
+    EXPECT_CALL(delegate_, OnSerializedPacket(_))
+        .WillOnce(
+            Invoke(this, &QuicPacketCreatorMultiplePacketsTest::SavePacket));
+    EXPECT_CALL(delegate_, OnSerializedPacket(_))
+        .WillOnce(
+            Invoke(this, &QuicPacketCreatorMultiplePacketsTest::SavePacket));
+  }
+  // Queue enough data to prevent a stream frame with a non-zero offset from
+  // fitting.
+  MakeIOVector("foo", &iov_);
+  QuicConsumedData consumed = creator_.ConsumeData(
+      QuicUtils::GetFirstBidirectionalStreamId(framer_.transport_version(),
+                                               Perspective::IS_CLIENT),
+      &iov_, 1u, iov_.iov_len, 0, NO_FIN);
+  EXPECT_EQ(3u, consumed.bytes_consumed);
+  EXPECT_FALSE(consumed.fin_consumed);
+  EXPECT_TRUE(creator_.HasPendingFrames());
+  EXPECT_TRUE(creator_.HasPendingRetransmittableFrames());
+
+  // This frame will not fit with the existing frame, causing the queued frame
+  // to be serialized, and it will be added to a new open packet.
+  MakeIOVector("bar", &iov_);
+  consumed = creator_.ConsumeData(
+      QuicUtils::GetFirstBidirectionalStreamId(framer_.transport_version(),
+                                               Perspective::IS_CLIENT),
+      &iov_, 1u, iov_.iov_len, 3, FIN);
+  EXPECT_EQ(3u, consumed.bytes_consumed);
+  EXPECT_TRUE(consumed.fin_consumed);
+  EXPECT_TRUE(creator_.HasPendingFrames());
+  EXPECT_TRUE(creator_.HasPendingRetransmittableFrames());
+
+  creator_.FlushCurrentPacket();
+  EXPECT_FALSE(creator_.HasPendingFrames());
+  EXPECT_FALSE(creator_.HasPendingRetransmittableFrames());
+
+  PacketContents contents;
+  contents.num_stream_frames = 1;
+  CheckPacketContains(contents, 0);
+  CheckPacketContains(contents, 1);
+}
+
+TEST_F(QuicPacketCreatorMultiplePacketsTest, ConsumeDataFastPath) {
+  delegate_.SetCanWriteAnything();
+  creator_.SetTransmissionType(LOSS_RETRANSMISSION);
+
+  // Create a 10000 byte IOVector.
+  CreateData(10000);
+  EXPECT_CALL(delegate_, OnSerializedPacket(_))
+      .WillRepeatedly(
+          Invoke(this, &QuicPacketCreatorMultiplePacketsTest::SavePacket));
+  QuicConsumedData consumed = creator_.ConsumeDataFastPath(
+      QuicUtils::GetFirstBidirectionalStreamId(framer_.transport_version(),
+                                               Perspective::IS_CLIENT),
+      &iov_, 1u, iov_.iov_len, 0, true);
+  EXPECT_EQ(10000u, consumed.bytes_consumed);
+  EXPECT_TRUE(consumed.fin_consumed);
+  EXPECT_FALSE(creator_.HasPendingFrames());
+  EXPECT_FALSE(creator_.HasPendingRetransmittableFrames());
+
+  PacketContents contents;
+  contents.num_stream_frames = 1;
+  CheckPacketContains(contents, 0);
+  EXPECT_FALSE(packets_.empty());
+  SerializedPacket packet = packets_.back();
+  EXPECT_TRUE(!packet.retransmittable_frames.empty());
+  EXPECT_EQ(LOSS_RETRANSMISSION, packet.transmission_type);
+  EXPECT_EQ(STREAM_FRAME, packet.retransmittable_frames.front().type);
+  const QuicStreamFrame& stream_frame =
+      packet.retransmittable_frames.front().stream_frame;
+  EXPECT_EQ(10000u, stream_frame.data_length + stream_frame.offset);
+}
+
+TEST_F(QuicPacketCreatorMultiplePacketsTest, ConsumeDataLarge) {
+  delegate_.SetCanWriteAnything();
+
+  // Create a 10000 byte IOVector.
+  CreateData(10000);
+  EXPECT_CALL(delegate_, OnSerializedPacket(_))
+      .WillRepeatedly(
+          Invoke(this, &QuicPacketCreatorMultiplePacketsTest::SavePacket));
+  QuicConsumedData consumed = creator_.ConsumeData(
+      QuicUtils::GetFirstBidirectionalStreamId(framer_.transport_version(),
+                                               Perspective::IS_CLIENT),
+      &iov_, 1u, iov_.iov_len, 0, FIN);
+  EXPECT_EQ(10000u, consumed.bytes_consumed);
+  EXPECT_TRUE(consumed.fin_consumed);
+  EXPECT_FALSE(creator_.HasPendingFrames());
+  EXPECT_FALSE(creator_.HasPendingRetransmittableFrames());
+
+  PacketContents contents;
+  contents.num_stream_frames = 1;
+  CheckPacketContains(contents, 0);
+  EXPECT_FALSE(packets_.empty());
+  SerializedPacket packet = packets_.back();
+  EXPECT_TRUE(!packet.retransmittable_frames.empty());
+  EXPECT_EQ(STREAM_FRAME, packet.retransmittable_frames.front().type);
+  const QuicStreamFrame& stream_frame =
+      packet.retransmittable_frames.front().stream_frame;
+  EXPECT_EQ(10000u, stream_frame.data_length + stream_frame.offset);
+}
+
+TEST_F(QuicPacketCreatorMultiplePacketsTest, ConsumeDataLargeSendAckFalse) {
+  delegate_.SetCanNotWrite();
+
+  QuicRstStreamFrame* rst_frame = CreateRstStreamFrame();
+  const bool success =
+      creator_.ConsumeRetransmittableControlFrame(QuicFrame(rst_frame),
+                                                  /*bundle_ack=*/true);
+  EXPECT_FALSE(success);
+  EXPECT_FALSE(creator_.HasPendingFrames());
+  EXPECT_FALSE(creator_.HasPendingRetransmittableFrames());
+
+  delegate_.SetCanWriteAnything();
+
+  creator_.ConsumeRetransmittableControlFrame(QuicFrame(rst_frame),
+                                              /*bundle_ack=*/false);
+
+  // Create a 10000 byte IOVector.
+  CreateData(10000);
+  EXPECT_CALL(delegate_, OnSerializedPacket(_))
+      .WillRepeatedly(
+          Invoke(this, &QuicPacketCreatorMultiplePacketsTest::SavePacket));
+  creator_.ConsumeRetransmittableControlFrame(QuicFrame(CreateRstStreamFrame()),
+                                              /*bundle_ack=*/true);
+  QuicConsumedData consumed = creator_.ConsumeData(
+      QuicUtils::GetFirstBidirectionalStreamId(framer_.transport_version(),
+                                               Perspective::IS_CLIENT),
+      &iov_, 1u, iov_.iov_len, 0, FIN);
+  creator_.Flush();
+
+  EXPECT_EQ(10000u, consumed.bytes_consumed);
+  EXPECT_TRUE(consumed.fin_consumed);
+  EXPECT_FALSE(creator_.HasPendingFrames());
+  EXPECT_FALSE(creator_.HasPendingRetransmittableFrames());
+
+  EXPECT_FALSE(packets_.empty());
+  SerializedPacket packet = packets_.back();
+  EXPECT_TRUE(!packet.retransmittable_frames.empty());
+  EXPECT_EQ(STREAM_FRAME, packet.retransmittable_frames.front().type);
+  const QuicStreamFrame& stream_frame =
+      packet.retransmittable_frames.front().stream_frame;
+  EXPECT_EQ(10000u, stream_frame.data_length + stream_frame.offset);
+}
+
+TEST_F(QuicPacketCreatorMultiplePacketsTest, ConsumeDataLargeSendAckTrue) {
+  delegate_.SetCanNotWrite();
+  delegate_.SetCanWriteAnything();
+
+  // Create a 10000 byte IOVector.
+  CreateData(10000);
+  EXPECT_CALL(delegate_, OnSerializedPacket(_))
+      .WillRepeatedly(
+          Invoke(this, &QuicPacketCreatorMultiplePacketsTest::SavePacket));
+  QuicConsumedData consumed = creator_.ConsumeData(
+      QuicUtils::GetFirstBidirectionalStreamId(framer_.transport_version(),
+                                               Perspective::IS_CLIENT),
+      &iov_, 1u, iov_.iov_len, 0, FIN);
+  creator_.Flush();
+
+  EXPECT_EQ(10000u, consumed.bytes_consumed);
+  EXPECT_TRUE(consumed.fin_consumed);
+  EXPECT_FALSE(creator_.HasPendingFrames());
+  EXPECT_FALSE(creator_.HasPendingRetransmittableFrames());
+
+  EXPECT_FALSE(packets_.empty());
+  SerializedPacket packet = packets_.back();
+  EXPECT_TRUE(!packet.retransmittable_frames.empty());
+  EXPECT_EQ(STREAM_FRAME, packet.retransmittable_frames.front().type);
+  const QuicStreamFrame& stream_frame =
+      packet.retransmittable_frames.front().stream_frame;
+  EXPECT_EQ(10000u, stream_frame.data_length + stream_frame.offset);
+}
+
+TEST_F(QuicPacketCreatorMultiplePacketsTest, NotWritableThenBatchOperations) {
+  delegate_.SetCanNotWrite();
+
+  QuicRstStreamFrame* rst_frame = CreateRstStreamFrame();
+  const bool consumed =
+      creator_.ConsumeRetransmittableControlFrame(QuicFrame(rst_frame),
+                                                  /*bundle_ack=*/true);
+  EXPECT_FALSE(consumed);
+  EXPECT_FALSE(creator_.HasPendingFrames());
+  EXPECT_FALSE(creator_.HasPendingRetransmittableFrames());
+  EXPECT_FALSE(creator_.HasPendingStreamFramesOfStream(3));
+
+  delegate_.SetCanWriteAnything();
+
+  EXPECT_TRUE(
+      creator_.ConsumeRetransmittableControlFrame(QuicFrame(rst_frame),
+                                                  /*bundle_ack=*/false));
+  // Send some data and a control frame
+  MakeIOVector("quux", &iov_);
+  creator_.ConsumeData(3, &iov_, 1u, iov_.iov_len, 0, NO_FIN);
+  if (!VersionHasIetfQuicFrames(framer_.transport_version())) {
+    creator_.ConsumeRetransmittableControlFrame(QuicFrame(CreateGoAwayFrame()),
+                                                /*bundle_ack=*/false);
+  }
+  EXPECT_TRUE(creator_.HasPendingStreamFramesOfStream(3));
+
+  // All five frames will be flushed out in a single packet.
+  EXPECT_CALL(delegate_, OnSerializedPacket(_))
+      .WillOnce(
+          Invoke(this, &QuicPacketCreatorMultiplePacketsTest::SavePacket));
+  creator_.Flush();
+  EXPECT_FALSE(creator_.HasPendingFrames());
+  EXPECT_FALSE(creator_.HasPendingRetransmittableFrames());
+  EXPECT_FALSE(creator_.HasPendingStreamFramesOfStream(3));
+
+  PacketContents contents;
+  // ACK will be flushed by connection.
+  contents.num_ack_frames = 0;
+  if (!VersionHasIetfQuicFrames(framer_.transport_version())) {
+    contents.num_goaway_frames = 1;
+  } else {
+    contents.num_goaway_frames = 0;
+  }
+  contents.num_rst_stream_frames = 1;
+  contents.num_stream_frames = 1;
+  CheckPacketContains(contents, 0);
+}
+
+TEST_F(QuicPacketCreatorMultiplePacketsTest, NotWritableThenBatchOperations2) {
+  delegate_.SetCanNotWrite();
+
+  QuicRstStreamFrame* rst_frame = CreateRstStreamFrame();
+  const bool success =
+      creator_.ConsumeRetransmittableControlFrame(QuicFrame(rst_frame),
+                                                  /*bundle_ack=*/true);
+  EXPECT_FALSE(success);
+  EXPECT_FALSE(creator_.HasPendingFrames());
+  EXPECT_FALSE(creator_.HasPendingRetransmittableFrames());
+
+  delegate_.SetCanWriteAnything();
+
+  {
+    InSequence dummy;
+    // All five frames will be flushed out in a single packet
+    EXPECT_CALL(delegate_, OnSerializedPacket(_))
+        .WillOnce(
+            Invoke(this, &QuicPacketCreatorMultiplePacketsTest::SavePacket));
+    EXPECT_CALL(delegate_, OnSerializedPacket(_))
+        .WillOnce(
+            Invoke(this, &QuicPacketCreatorMultiplePacketsTest::SavePacket));
+  }
+  EXPECT_TRUE(
+      creator_.ConsumeRetransmittableControlFrame(QuicFrame(rst_frame),
+                                                  /*bundle_ack=*/false));
+  // Send enough data to exceed one packet
+  size_t data_len = kDefaultMaxPacketSize + 100;
+  CreateData(data_len);
+  QuicConsumedData consumed =
+      creator_.ConsumeData(3, &iov_, 1u, iov_.iov_len, 0, FIN);
+  EXPECT_EQ(data_len, consumed.bytes_consumed);
+  EXPECT_TRUE(consumed.fin_consumed);
+  if (!VersionHasIetfQuicFrames(framer_.transport_version())) {
+    creator_.ConsumeRetransmittableControlFrame(QuicFrame(CreateGoAwayFrame()),
+                                                /*bundle_ack=*/false);
+  }
+
+  creator_.Flush();
+  EXPECT_FALSE(creator_.HasPendingFrames());
+  EXPECT_FALSE(creator_.HasPendingRetransmittableFrames());
+
+  // The first packet should have the queued data and part of the stream data.
+  PacketContents contents;
+  // ACK will be sent by connection.
+  contents.num_ack_frames = 0;
+  contents.num_rst_stream_frames = 1;
+  contents.num_stream_frames = 1;
+  CheckPacketContains(contents, 0);
+
+  // The second should have the remainder of the stream data.
+  PacketContents contents2;
+  if (!VersionHasIetfQuicFrames(framer_.transport_version())) {
+    contents2.num_goaway_frames = 1;
+  } else {
+    contents2.num_goaway_frames = 0;
+  }
+  contents2.num_stream_frames = 1;
+  CheckPacketContains(contents2, 1);
+}
+
+// Regression test of b/120493795.
+TEST_F(QuicPacketCreatorMultiplePacketsTest, PacketTransmissionType) {
+  delegate_.SetCanWriteAnything();
+
+  // The first ConsumeData will fill the packet without flush.
+  creator_.SetTransmissionType(LOSS_RETRANSMISSION);
+
+  size_t data_len = 1324;
+  CreateData(data_len);
+  QuicStreamId stream1_id = QuicUtils::GetFirstBidirectionalStreamId(
+      framer_.transport_version(), Perspective::IS_CLIENT);
+  QuicConsumedData consumed =
+      creator_.ConsumeData(stream1_id, &iov_, 1u, iov_.iov_len, 0, NO_FIN);
+  EXPECT_EQ(data_len, consumed.bytes_consumed);
+  ASSERT_EQ(0u, creator_.BytesFree())
+      << "Test setup failed: Please increase data_len to "
+      << data_len + creator_.BytesFree() << " bytes.";
+
+  // The second ConsumeData can not be added to the packet and will flush.
+  creator_.SetTransmissionType(NOT_RETRANSMISSION);
+
+  EXPECT_CALL(delegate_, OnSerializedPacket(_))
+      .WillOnce(
+          Invoke(this, &QuicPacketCreatorMultiplePacketsTest::SavePacket));
+
+  QuicStreamId stream2_id = stream1_id + 4;
+
+  consumed =
+      creator_.ConsumeData(stream2_id, &iov_, 1u, iov_.iov_len, 0, NO_FIN);
+  EXPECT_EQ(data_len, consumed.bytes_consumed);
+
+  // Ensure the packet is successfully created.
+  ASSERT_EQ(1u, packets_.size());
+  ASSERT_TRUE(packets_[0].encrypted_buffer);
+  ASSERT_EQ(1u, packets_[0].retransmittable_frames.size());
+  EXPECT_EQ(stream1_id,
+            packets_[0].retransmittable_frames[0].stream_frame.stream_id);
+
+  // Since the second frame was not added, the packet's transmission type
+  // should be the first frame's type.
+  EXPECT_EQ(packets_[0].transmission_type, LOSS_RETRANSMISSION);
+}
+
+TEST_F(QuicPacketCreatorMultiplePacketsTest, TestConnectionIdLength) {
+  QuicFramerPeer::SetPerspective(&framer_, Perspective::IS_SERVER);
+  creator_.SetServerConnectionIdLength(0);
+  EXPECT_EQ(PACKET_0BYTE_CONNECTION_ID,
+            creator_.GetDestinationConnectionIdLength());
+
+  for (size_t i = 1; i < 10; i++) {
+    creator_.SetServerConnectionIdLength(i);
+    if (VersionHasIetfInvariantHeader(framer_.transport_version())) {
+      EXPECT_EQ(PACKET_0BYTE_CONNECTION_ID,
+                creator_.GetDestinationConnectionIdLength());
+    } else {
+      EXPECT_EQ(PACKET_8BYTE_CONNECTION_ID,
+                creator_.GetDestinationConnectionIdLength());
+    }
+  }
+}
+
+// Test whether SetMaxPacketLength() works in the situation when the queue is
+// empty, and we send three packets worth of data.
+TEST_F(QuicPacketCreatorMultiplePacketsTest, SetMaxPacketLength_Initial) {
+  delegate_.SetCanWriteAnything();
+
+  // Send enough data for three packets.
+  size_t data_len = 3 * kDefaultMaxPacketSize + 1;
+  size_t packet_len = kDefaultMaxPacketSize + 100;
+  ASSERT_LE(packet_len, kMaxOutgoingPacketSize);
+  creator_.SetMaxPacketLength(packet_len);
+  EXPECT_EQ(packet_len, creator_.max_packet_length());
+
+  EXPECT_CALL(delegate_, OnSerializedPacket(_))
+      .Times(3)
+      .WillRepeatedly(
+          Invoke(this, &QuicPacketCreatorMultiplePacketsTest::SavePacket));
+  CreateData(data_len);
+  QuicConsumedData consumed = creator_.ConsumeData(
+      QuicUtils::GetFirstBidirectionalStreamId(framer_.transport_version(),
+                                               Perspective::IS_CLIENT),
+      &iov_, 1u, iov_.iov_len,
+      /*offset=*/0, FIN);
+  EXPECT_EQ(data_len, consumed.bytes_consumed);
+  EXPECT_TRUE(consumed.fin_consumed);
+  EXPECT_FALSE(creator_.HasPendingFrames());
+  EXPECT_FALSE(creator_.HasPendingRetransmittableFrames());
+
+  // We expect three packets, and first two of them have to be of packet_len
+  // size.  We check multiple packets (instead of just one) because we want to
+  // ensure that |max_packet_length_| does not get changed incorrectly by the
+  // creator after first packet is serialized.
+  ASSERT_EQ(3u, packets_.size());
+  EXPECT_EQ(packet_len, packets_[0].encrypted_length);
+  EXPECT_EQ(packet_len, packets_[1].encrypted_length);
+  CheckAllPacketsHaveSingleStreamFrame();
+}
+
+// Test whether SetMaxPacketLength() works in the situation when we first write
+// data, then change packet size, then write data again.
+TEST_F(QuicPacketCreatorMultiplePacketsTest, SetMaxPacketLength_Middle) {
+  delegate_.SetCanWriteAnything();
+
+  // We send enough data to overflow default packet length, but not the altered
+  // one.
+  size_t data_len = kDefaultMaxPacketSize;
+  size_t packet_len = kDefaultMaxPacketSize + 100;
+  ASSERT_LE(packet_len, kMaxOutgoingPacketSize);
+
+  // We expect to see three packets in total.
+  EXPECT_CALL(delegate_, OnSerializedPacket(_))
+      .Times(3)
+      .WillRepeatedly(
+          Invoke(this, &QuicPacketCreatorMultiplePacketsTest::SavePacket));
+
+  // Send two packets before packet size change.
+  CreateData(data_len);
+  QuicConsumedData consumed = creator_.ConsumeData(
+      QuicUtils::GetFirstBidirectionalStreamId(framer_.transport_version(),
+                                               Perspective::IS_CLIENT),
+      &iov_, 1u, iov_.iov_len,
+      /*offset=*/0, NO_FIN);
+  creator_.Flush();
+  EXPECT_EQ(data_len, consumed.bytes_consumed);
+  EXPECT_FALSE(consumed.fin_consumed);
+  EXPECT_FALSE(creator_.HasPendingFrames());
+  EXPECT_FALSE(creator_.HasPendingRetransmittableFrames());
+
+  // Make sure we already have two packets.
+  ASSERT_EQ(2u, packets_.size());
+
+  // Increase packet size.
+  creator_.SetMaxPacketLength(packet_len);
+  EXPECT_EQ(packet_len, creator_.max_packet_length());
+
+  // Send a packet after packet size change.
+  CreateData(data_len);
+  creator_.AttachPacketFlusher();
+  consumed = creator_.ConsumeData(
+      QuicUtils::GetFirstBidirectionalStreamId(framer_.transport_version(),
+                                               Perspective::IS_CLIENT),
+      &iov_, 1u, iov_.iov_len, data_len, FIN);
+  creator_.Flush();
+  EXPECT_EQ(data_len, consumed.bytes_consumed);
+  EXPECT_TRUE(consumed.fin_consumed);
+  EXPECT_FALSE(creator_.HasPendingFrames());
+  EXPECT_FALSE(creator_.HasPendingRetransmittableFrames());
+
+  // We expect first data chunk to get fragmented, but the second one to fit
+  // into a single packet.
+  ASSERT_EQ(3u, packets_.size());
+  EXPECT_EQ(kDefaultMaxPacketSize, packets_[0].encrypted_length);
+  EXPECT_LE(kDefaultMaxPacketSize, packets_[2].encrypted_length);
+  CheckAllPacketsHaveSingleStreamFrame();
+}
+
+// Test whether SetMaxPacketLength() works correctly when we force the change of
+// the packet size in the middle of the batched packet.
+TEST_F(QuicPacketCreatorMultiplePacketsTest,
+       SetMaxPacketLength_MidpacketFlush) {
+  delegate_.SetCanWriteAnything();
+
+  size_t first_write_len = kDefaultMaxPacketSize / 2;
+  size_t packet_len = kDefaultMaxPacketSize + 100;
+  size_t second_write_len = packet_len + 1;
+  ASSERT_LE(packet_len, kMaxOutgoingPacketSize);
+
+  // First send half of the packet worth of data.  We are in the batch mode, so
+  // should not cause packet serialization.
+  CreateData(first_write_len);
+  QuicConsumedData consumed = creator_.ConsumeData(
+      QuicUtils::GetFirstBidirectionalStreamId(framer_.transport_version(),
+                                               Perspective::IS_CLIENT),
+      &iov_, 1u, iov_.iov_len,
+      /*offset=*/0, NO_FIN);
+  EXPECT_EQ(first_write_len, consumed.bytes_consumed);
+  EXPECT_FALSE(consumed.fin_consumed);
+  EXPECT_TRUE(creator_.HasPendingFrames());
+  EXPECT_TRUE(creator_.HasPendingRetransmittableFrames());
+
+  // Make sure we have no packets so far.
+  ASSERT_EQ(0u, packets_.size());
+
+  // Expect a packet to be flushed.
+  EXPECT_CALL(delegate_, OnSerializedPacket(_))
+      .WillOnce(
+          Invoke(this, &QuicPacketCreatorMultiplePacketsTest::SavePacket));
+
+  // Increase packet size after flushing all frames.
+  // Ensure it's immediately enacted.
+  creator_.FlushCurrentPacket();
+  creator_.SetMaxPacketLength(packet_len);
+  EXPECT_EQ(packet_len, creator_.max_packet_length());
+  EXPECT_FALSE(creator_.HasPendingFrames());
+  EXPECT_FALSE(creator_.HasPendingRetransmittableFrames());
+
+  // We expect to see exactly one packet serialized after that, because we send
+  // a value somewhat exceeding new max packet size, and the tail data does not
+  // get serialized because we are still in the batch mode.
+  EXPECT_CALL(delegate_, OnSerializedPacket(_))
+      .WillOnce(
+          Invoke(this, &QuicPacketCreatorMultiplePacketsTest::SavePacket));
+
+  // Send a more than a packet worth of data to the same stream.  This should
+  // trigger serialization of one packet, and queue another one.
+  CreateData(second_write_len);
+  consumed = creator_.ConsumeData(
+      QuicUtils::GetFirstBidirectionalStreamId(framer_.transport_version(),
+                                               Perspective::IS_CLIENT),
+      &iov_, 1u, iov_.iov_len,
+      /*offset=*/first_write_len, FIN);
+  EXPECT_EQ(second_write_len, consumed.bytes_consumed);
+  EXPECT_TRUE(consumed.fin_consumed);
+  EXPECT_TRUE(creator_.HasPendingFrames());
+  EXPECT_TRUE(creator_.HasPendingRetransmittableFrames());
+
+  // We expect the first packet to be underfilled, and the second packet be up
+  // to the new max packet size.
+  ASSERT_EQ(2u, packets_.size());
+  EXPECT_GT(kDefaultMaxPacketSize, packets_[0].encrypted_length);
+  EXPECT_EQ(packet_len, packets_[1].encrypted_length);
+
+  CheckAllPacketsHaveSingleStreamFrame();
+}
+
+// Test sending a connectivity probing packet.
+TEST_F(QuicPacketCreatorMultiplePacketsTest,
+       GenerateConnectivityProbingPacket) {
+  delegate_.SetCanWriteAnything();
+
+  OwningSerializedPacketPointer probing_packet;
+  if (VersionHasIetfQuicFrames(framer_.transport_version())) {
+    QuicPathFrameBuffer payload = {
+        {0xde, 0xad, 0xbe, 0xef, 0xba, 0xdc, 0x0f, 0xfe}};
+    probing_packet =
+        creator_.SerializePathChallengeConnectivityProbingPacket(&payload);
+  } else {
+    probing_packet = creator_.SerializeConnectivityProbingPacket();
+  }
+
+  ASSERT_TRUE(simple_framer_.ProcessPacket(QuicEncryptedPacket(
+      probing_packet->encrypted_buffer, probing_packet->encrypted_length)));
+
+  EXPECT_EQ(2u, simple_framer_.num_frames());
+  if (VersionHasIetfQuicFrames(framer_.transport_version())) {
+    EXPECT_EQ(1u, simple_framer_.path_challenge_frames().size());
+  } else {
+    EXPECT_EQ(1u, simple_framer_.ping_frames().size());
+  }
+  EXPECT_EQ(1u, simple_framer_.padding_frames().size());
+}
+
+// Test sending an MTU probe, without any surrounding data.
+TEST_F(QuicPacketCreatorMultiplePacketsTest,
+       GenerateMtuDiscoveryPacket_Simple) {
+  delegate_.SetCanWriteAnything();
+
+  const size_t target_mtu = kDefaultMaxPacketSize + 100;
+  static_assert(target_mtu < kMaxOutgoingPacketSize,
+                "The MTU probe used by the test exceeds maximum packet size");
+
+  EXPECT_CALL(delegate_, OnSerializedPacket(_))
+      .WillOnce(
+          Invoke(this, &QuicPacketCreatorMultiplePacketsTest::SavePacket));
+
+  creator_.GenerateMtuDiscoveryPacket(target_mtu);
+
+  EXPECT_FALSE(creator_.HasPendingFrames());
+  EXPECT_FALSE(creator_.HasPendingRetransmittableFrames());
+  ASSERT_EQ(1u, packets_.size());
+  EXPECT_EQ(target_mtu, packets_[0].encrypted_length);
+
+  PacketContents contents;
+  contents.num_mtu_discovery_frames = 1;
+  contents.num_padding_frames = 1;
+  CheckPacketContains(contents, 0);
+}
+
+// Test sending an MTU probe.  Surround it with data, to ensure that it resets
+// the MTU to the value before the probe was sent.
+TEST_F(QuicPacketCreatorMultiplePacketsTest,
+       GenerateMtuDiscoveryPacket_SurroundedByData) {
+  delegate_.SetCanWriteAnything();
+
+  const size_t target_mtu = kDefaultMaxPacketSize + 100;
+  static_assert(target_mtu < kMaxOutgoingPacketSize,
+                "The MTU probe used by the test exceeds maximum packet size");
+
+  // Send enough data so it would always cause two packets to be sent.
+  const size_t data_len = target_mtu + 1;
+
+  // Send a total of five packets: two packets before the probe, the probe
+  // itself, and two packets after the probe.
+  EXPECT_CALL(delegate_, OnSerializedPacket(_))
+      .Times(5)
+      .WillRepeatedly(
+          Invoke(this, &QuicPacketCreatorMultiplePacketsTest::SavePacket));
+
+  // Send data before the MTU probe.
+  CreateData(data_len);
+  QuicConsumedData consumed = creator_.ConsumeData(
+      QuicUtils::GetFirstBidirectionalStreamId(framer_.transport_version(),
+                                               Perspective::IS_CLIENT),
+      &iov_, 1u, iov_.iov_len,
+      /*offset=*/0, NO_FIN);
+  creator_.Flush();
+  EXPECT_EQ(data_len, consumed.bytes_consumed);
+  EXPECT_FALSE(consumed.fin_consumed);
+  EXPECT_FALSE(creator_.HasPendingFrames());
+  EXPECT_FALSE(creator_.HasPendingRetransmittableFrames());
+
+  // Send the MTU probe.
+  creator_.GenerateMtuDiscoveryPacket(target_mtu);
+  EXPECT_FALSE(creator_.HasPendingFrames());
+  EXPECT_FALSE(creator_.HasPendingRetransmittableFrames());
+
+  // Send data after the MTU probe.
+  CreateData(data_len);
+  creator_.AttachPacketFlusher();
+  consumed = creator_.ConsumeData(
+      QuicUtils::GetFirstBidirectionalStreamId(framer_.transport_version(),
+                                               Perspective::IS_CLIENT),
+      &iov_, 1u, iov_.iov_len,
+      /*offset=*/data_len, FIN);
+  creator_.Flush();
+  EXPECT_EQ(data_len, consumed.bytes_consumed);
+  EXPECT_TRUE(consumed.fin_consumed);
+  EXPECT_FALSE(creator_.HasPendingFrames());
+  EXPECT_FALSE(creator_.HasPendingRetransmittableFrames());
+
+  ASSERT_EQ(5u, packets_.size());
+  EXPECT_EQ(kDefaultMaxPacketSize, packets_[0].encrypted_length);
+  EXPECT_EQ(target_mtu, packets_[2].encrypted_length);
+  EXPECT_EQ(kDefaultMaxPacketSize, packets_[3].encrypted_length);
+
+  PacketContents probe_contents;
+  probe_contents.num_mtu_discovery_frames = 1;
+  probe_contents.num_padding_frames = 1;
+
+  CheckPacketHasSingleStreamFrame(0);
+  CheckPacketHasSingleStreamFrame(1);
+  CheckPacketContains(probe_contents, 2);
+  CheckPacketHasSingleStreamFrame(3);
+  CheckPacketHasSingleStreamFrame(4);
+}
+
+TEST_F(QuicPacketCreatorMultiplePacketsTest, DontCrashOnInvalidStopWaiting) {
+  if (VersionSupportsMessageFrames(framer_.transport_version())) {
+    return;
+  }
+  // Test added to ensure the creator does not crash when an invalid frame is
+  // added.  Because this is an indication of internal programming errors,
+  // DFATALs are expected.
+  // A 1 byte packet number length can't encode a gap of 1000.
+  QuicPacketCreatorPeer::SetPacketNumber(&creator_, 1000);
+
+  delegate_.SetCanNotWrite();
+  delegate_.SetCanWriteAnything();
+
+  // This will not serialize any packets, because of the invalid frame.
+  EXPECT_CALL(delegate_,
+              OnUnrecoverableError(QUIC_FAILED_TO_SERIALIZE_PACKET, _));
+  EXPECT_QUIC_BUG(creator_.Flush(),
+                  "packet_number_length 1 is too small "
+                  "for least_unacked_delta: 1001");
+}
+
+// Regression test for b/31486443.
+TEST_F(QuicPacketCreatorMultiplePacketsTest,
+       ConnectionCloseFrameLargerThanPacketSize) {
+  delegate_.SetCanWriteAnything();
+  char buf[2000] = {};
+  QuicStringPiece error_details(buf, 2000);
+  const QuicErrorCode kQuicErrorCode = QUIC_PACKET_WRITE_ERROR;
+
+  QuicConnectionCloseFrame* frame = new QuicConnectionCloseFrame(
+      framer_.transport_version(), kQuicErrorCode, std::string(error_details),
+      /*transport_close_frame_type=*/0);
+  creator_.ConsumeRetransmittableControlFrame(QuicFrame(frame),
+                                              /*bundle_ack=*/false);
+  EXPECT_TRUE(creator_.HasPendingFrames());
+  EXPECT_TRUE(creator_.HasPendingRetransmittableFrames());
+}
+
+TEST_F(QuicPacketCreatorMultiplePacketsTest,
+       RandomPaddingAfterFinSingleStreamSinglePacket) {
+  const QuicByteCount kStreamFramePayloadSize = 100u;
+  char buf[kStreamFramePayloadSize] = {};
+  const QuicStreamId kDataStreamId = 5;
+  // Set the packet size be enough for one stream frame with 0 stream offset and
+  // max size of random padding.
+  size_t length =
+      NullEncrypter(Perspective::IS_CLIENT).GetCiphertextSize(0) +
+      GetPacketHeaderSize(
+          framer_.transport_version(),
+          creator_.GetDestinationConnectionIdLength(),
+          creator_.GetSourceConnectionIdLength(),
+          QuicPacketCreatorPeer::SendVersionInPacket(&creator_),
+          !kIncludeDiversificationNonce,
+          QuicPacketCreatorPeer::GetPacketNumberLength(&creator_),
+          QuicPacketCreatorPeer::GetRetryTokenLengthLength(&creator_), 0,
+          QuicPacketCreatorPeer::GetLengthLength(&creator_)) +
+      QuicFramer::GetMinStreamFrameSize(
+          framer_.transport_version(), kDataStreamId, 0,
+          /*last_frame_in_packet=*/false,
+          kStreamFramePayloadSize + kMaxNumRandomPaddingBytes) +
+      kStreamFramePayloadSize + kMaxNumRandomPaddingBytes;
+  creator_.SetMaxPacketLength(length);
+  delegate_.SetCanWriteAnything();
+  EXPECT_CALL(delegate_, OnSerializedPacket(_))
+      .WillOnce(
+          Invoke(this, &QuicPacketCreatorMultiplePacketsTest::SavePacket));
+  MakeIOVector(QuicStringPiece(buf, kStreamFramePayloadSize), &iov_);
+  QuicConsumedData consumed = creator_.ConsumeData(
+      kDataStreamId, &iov_, 1u, iov_.iov_len, 0, FIN_AND_PADDING);
+  creator_.Flush();
+  EXPECT_EQ(kStreamFramePayloadSize, consumed.bytes_consumed);
+  EXPECT_FALSE(creator_.HasPendingFrames());
+  EXPECT_FALSE(creator_.HasPendingRetransmittableFrames());
+
+  EXPECT_EQ(1u, packets_.size());
+  PacketContents contents;
+  // The packet has both stream and padding frames.
+  contents.num_padding_frames = 1;
+  contents.num_stream_frames = 1;
+  CheckPacketContains(contents, 0);
+}
+
+TEST_F(QuicPacketCreatorMultiplePacketsTest,
+       RandomPaddingAfterFinSingleStreamMultiplePackets) {
+  const QuicByteCount kStreamFramePayloadSize = 100u;
+  char buf[kStreamFramePayloadSize] = {};
+  const QuicStreamId kDataStreamId = 5;
+  // Set the packet size be enough for one stream frame with 0 stream offset +
+  // 1. One or more packets will accommodate.
+  size_t length =
+      NullEncrypter(Perspective::IS_CLIENT).GetCiphertextSize(0) +
+      GetPacketHeaderSize(
+          framer_.transport_version(),
+          creator_.GetDestinationConnectionIdLength(),
+          creator_.GetSourceConnectionIdLength(),
+          QuicPacketCreatorPeer::SendVersionInPacket(&creator_),
+          !kIncludeDiversificationNonce,
+          QuicPacketCreatorPeer::GetPacketNumberLength(&creator_),
+          QuicPacketCreatorPeer::GetRetryTokenLengthLength(&creator_), 0,
+          QuicPacketCreatorPeer::GetLengthLength(&creator_)) +
+      QuicFramer::GetMinStreamFrameSize(
+          framer_.transport_version(), kDataStreamId, 0,
+          /*last_frame_in_packet=*/false, kStreamFramePayloadSize + 1) +
+      kStreamFramePayloadSize + 1;
+  creator_.SetMaxPacketLength(length);
+  delegate_.SetCanWriteAnything();
+  EXPECT_CALL(delegate_, OnSerializedPacket(_))
+      .WillRepeatedly(
+          Invoke(this, &QuicPacketCreatorMultiplePacketsTest::SavePacket));
+  MakeIOVector(QuicStringPiece(buf, kStreamFramePayloadSize), &iov_);
+  QuicConsumedData consumed = creator_.ConsumeData(
+      kDataStreamId, &iov_, 1u, iov_.iov_len, 0, FIN_AND_PADDING);
+  creator_.Flush();
+  EXPECT_EQ(kStreamFramePayloadSize, consumed.bytes_consumed);
+  EXPECT_FALSE(creator_.HasPendingFrames());
+  EXPECT_FALSE(creator_.HasPendingRetransmittableFrames());
+
+  EXPECT_LE(1u, packets_.size());
+  PacketContents contents;
+  // The first packet has both stream and padding frames.
+  contents.num_stream_frames = 1;
+  contents.num_padding_frames = 1;
+  CheckPacketContains(contents, 0);
+
+  for (size_t i = 1; i < packets_.size(); ++i) {
+    // Following packets only have paddings.
+    contents.num_stream_frames = 0;
+    contents.num_padding_frames = 1;
+    CheckPacketContains(contents, i);
+  }
+}
+
+TEST_F(QuicPacketCreatorMultiplePacketsTest,
+       RandomPaddingAfterFinMultipleStreamsMultiplePackets) {
+  const QuicByteCount kStreamFramePayloadSize = 100u;
+  char buf[kStreamFramePayloadSize] = {};
+  const QuicStreamId kDataStreamId1 = 5;
+  const QuicStreamId kDataStreamId2 = 6;
+  // Set the packet size be enough for first frame with 0 stream offset + second
+  // frame + 1 byte payload. two or more packets will accommodate.
+  size_t length =
+      NullEncrypter(Perspective::IS_CLIENT).GetCiphertextSize(0) +
+      GetPacketHeaderSize(
+          framer_.transport_version(),
+          creator_.GetDestinationConnectionIdLength(),
+          creator_.GetSourceConnectionIdLength(),
+          QuicPacketCreatorPeer::SendVersionInPacket(&creator_),
+          !kIncludeDiversificationNonce,
+          QuicPacketCreatorPeer::GetPacketNumberLength(&creator_),
+          QuicPacketCreatorPeer::GetRetryTokenLengthLength(&creator_), 0,
+          QuicPacketCreatorPeer::GetLengthLength(&creator_)) +
+      QuicFramer::GetMinStreamFrameSize(
+          framer_.transport_version(), kDataStreamId1, 0,
+          /*last_frame_in_packet=*/false, kStreamFramePayloadSize) +
+      kStreamFramePayloadSize +
+      QuicFramer::GetMinStreamFrameSize(framer_.transport_version(),
+                                        kDataStreamId1, 0,
+                                        /*last_frame_in_packet=*/false, 1) +
+      1;
+  creator_.SetMaxPacketLength(length);
+  delegate_.SetCanWriteAnything();
+  EXPECT_CALL(delegate_, OnSerializedPacket(_))
+      .WillRepeatedly(
+          Invoke(this, &QuicPacketCreatorMultiplePacketsTest::SavePacket));
+  MakeIOVector(QuicStringPiece(buf, kStreamFramePayloadSize), &iov_);
+  QuicConsumedData consumed = creator_.ConsumeData(
+      kDataStreamId1, &iov_, 1u, iov_.iov_len, 0, FIN_AND_PADDING);
+  EXPECT_EQ(kStreamFramePayloadSize, consumed.bytes_consumed);
+  MakeIOVector(QuicStringPiece(buf, kStreamFramePayloadSize), &iov_);
+  consumed = creator_.ConsumeData(kDataStreamId2, &iov_, 1u, iov_.iov_len, 0,
+                                  FIN_AND_PADDING);
+  EXPECT_EQ(kStreamFramePayloadSize, consumed.bytes_consumed);
+  creator_.Flush();
+  EXPECT_FALSE(creator_.HasPendingFrames());
+  EXPECT_FALSE(creator_.HasPendingRetransmittableFrames());
+
+  EXPECT_LE(2u, packets_.size());
+  PacketContents contents;
+  // The first packet has two stream frames.
+  contents.num_stream_frames = 2;
+  CheckPacketContains(contents, 0);
+
+  // The second packet has one stream frame and padding frames.
+  contents.num_stream_frames = 1;
+  contents.num_padding_frames = 1;
+  CheckPacketContains(contents, 1);
+
+  for (size_t i = 2; i < packets_.size(); ++i) {
+    // Following packets only have paddings.
+    contents.num_stream_frames = 0;
+    contents.num_padding_frames = 1;
+    CheckPacketContains(contents, i);
+  }
+}
+
+TEST_F(QuicPacketCreatorMultiplePacketsTest, AddMessageFrame) {
+  if (!VersionSupportsMessageFrames(framer_.transport_version())) {
+    return;
+  }
+  quic::QuicMemSliceStorage storage(nullptr, 0, nullptr, 0);
+  delegate_.SetCanWriteAnything();
+  EXPECT_CALL(delegate_, OnSerializedPacket(_))
+      .WillOnce(
+          Invoke(this, &QuicPacketCreatorMultiplePacketsTest::SavePacket));
+
+  MakeIOVector("foo", &iov_);
+  creator_.ConsumeData(QuicUtils::GetFirstBidirectionalStreamId(
+                           framer_.transport_version(), Perspective::IS_CLIENT),
+                       &iov_, 1u, iov_.iov_len, 0, FIN);
+  EXPECT_EQ(
+      MESSAGE_STATUS_SUCCESS,
+      creator_.AddMessageFrame(1, MakeSpan(&allocator_, "message", &storage)));
+  EXPECT_TRUE(creator_.HasPendingFrames());
+  EXPECT_TRUE(creator_.HasPendingRetransmittableFrames());
+
+  // Add a message which causes the flush of current packet.
+  EXPECT_EQ(
+      MESSAGE_STATUS_SUCCESS,
+      creator_.AddMessageFrame(
+          2,
+          MakeSpan(&allocator_,
+                   std::string(creator_.GetCurrentLargestMessagePayload(), 'a'),
+                   &storage)));
+  EXPECT_TRUE(creator_.HasPendingRetransmittableFrames());
+
+  // Failed to send messages which cannot fit into one packet.
+  EXPECT_EQ(
+      MESSAGE_STATUS_TOO_LARGE,
+      creator_.AddMessageFrame(
+          3, MakeSpan(&allocator_,
+                      std::string(
+                          creator_.GetCurrentLargestMessagePayload() + 10, 'a'),
+                      &storage)));
+}
+
+TEST_F(QuicPacketCreatorMultiplePacketsTest, ConnectionId) {
+  creator_.SetServerConnectionId(TestConnectionId(0x1337));
+  EXPECT_EQ(TestConnectionId(0x1337), creator_.GetDestinationConnectionId());
+  EXPECT_EQ(EmptyQuicConnectionId(), creator_.GetSourceConnectionId());
+  if (!framer_.version().SupportsClientConnectionIds()) {
+    return;
+  }
+  creator_.SetClientConnectionId(TestConnectionId(0x33));
+  EXPECT_EQ(TestConnectionId(0x1337), creator_.GetDestinationConnectionId());
+  EXPECT_EQ(TestConnectionId(0x33), creator_.GetSourceConnectionId());
+}
+
 }  // namespace
 }  // namespace test
 }  // namespace quic
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_packet_generator.cc b/chromium/net/third_party/quiche/src/quic/core/quic_packet_generator.cc
deleted file mode 100644
index fbb7894d0da..00000000000
--- a/chromium/net/third_party/quiche/src/quic/core/quic_packet_generator.cc
+++ /dev/null
@@ -1,556 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "net/third_party/quiche/src/quic/core/quic_packet_generator.h"
-
-#include <cstdint>
-
-#include "net/third_party/quiche/src/quic/core/crypto/quic_random.h"
-#include "net/third_party/quiche/src/quic/core/quic_connection_id.h"
-#include "net/third_party/quiche/src/quic/core/quic_types.h"
-#include "net/third_party/quiche/src/quic/core/quic_utils.h"
-#include "net/third_party/quiche/src/quic/platform/api/quic_bug_tracker.h"
-#include "net/third_party/quiche/src/quic/platform/api/quic_flag_utils.h"
-#include "net/third_party/quiche/src/quic/platform/api/quic_flags.h"
-#include "net/third_party/quiche/src/quic/platform/api/quic_logging.h"
-#include "net/third_party/quiche/src/quic/platform/api/quic_server_stats.h"
-
-namespace quic {
-
-QuicPacketGenerator::QuicPacketGenerator(
-    QuicConnectionId server_connection_id,
-    QuicFramer* framer,
-    QuicRandom* random_generator,
-    QuicPacketCreator::DelegateInterface* delegate)
-    : delegate_(delegate),
-      packet_creator_(server_connection_id, framer, random_generator, delegate),
-      next_transmission_type_(NOT_RETRANSMISSION),
-      flusher_attached_(false),
-      random_generator_(random_generator),
-      fully_pad_crypto_handshake_packets_(true) {}
-
-QuicPacketGenerator::~QuicPacketGenerator() {}
-
-bool QuicPacketGenerator::ConsumeRetransmittableControlFrame(
-    const QuicFrame& frame) {
-  if (packet_creator_.combine_generator_and_creator()) {
-    return packet_creator_.ConsumeRetransmittableControlFrame(frame);
-  }
-  QUIC_BUG_IF(IsControlFrame(frame.type) && !GetControlFrameId(frame))
-      << "Adding a control frame with no control frame id: " << frame;
-  DCHECK(QuicUtils::IsRetransmittableFrame(frame.type)) << frame;
-  MaybeBundleAckOpportunistically();
-  if (packet_creator_.HasPendingFrames()) {
-    if (packet_creator_.AddSavedFrame(frame, next_transmission_type_)) {
-      // There is pending frames and current frame fits.
-      return true;
-    }
-  }
-  DCHECK(!packet_creator_.HasPendingFrames());
-  if (frame.type != PING_FRAME && frame.type != CONNECTION_CLOSE_FRAME &&
-      !delegate_->ShouldGeneratePacket(HAS_RETRANSMITTABLE_DATA,
-                                       NOT_HANDSHAKE)) {
-    // Do not check congestion window for ping or connection close frames.
-    return false;
-  }
-  const bool success =
-      packet_creator_.AddSavedFrame(frame, next_transmission_type_);
-  DCHECK(success);
-  return success;
-}
-
-size_t QuicPacketGenerator::ConsumeCryptoData(EncryptionLevel level,
-                                              size_t write_length,
-                                              QuicStreamOffset offset) {
-  if (packet_creator_.combine_generator_and_creator()) {
-    return packet_creator_.ConsumeCryptoData(level, write_length, offset);
-  }
-  QUIC_BUG_IF(!flusher_attached_) << "Packet flusher is not attached when "
-                                     "generator tries to write crypto data.";
-  MaybeBundleAckOpportunistically();
-  // To make reasoning about crypto frames easier, we don't combine them with
-  // other retransmittable frames in a single packet.
-  // TODO(nharper): Once we have separate packet number spaces, everything
-  // should be driven by encryption level, and we should stop flushing in this
-  // spot.
-  if (packet_creator_.HasPendingRetransmittableFrames()) {
-    packet_creator_.FlushCurrentPacket();
-  }
-
-  size_t total_bytes_consumed = 0;
-
-  while (total_bytes_consumed < write_length) {
-    QuicFrame frame;
-    if (!packet_creator_.ConsumeCryptoDataToFillCurrentPacket(
-            level, write_length - total_bytes_consumed,
-            offset + total_bytes_consumed, fully_pad_crypto_handshake_packets_,
-            next_transmission_type_, &frame)) {
-      // The only pending data in the packet is non-retransmittable frames. I'm
-      // assuming here that they won't occupy so much of the packet that a
-      // CRYPTO frame won't fit.
-      QUIC_BUG << "Failed to ConsumeCryptoData at level " << level;
-      return 0;
-    }
-    total_bytes_consumed += frame.crypto_frame->data_length;
-
-    // TODO(ianswett): Move to having the creator flush itself when it's full.
-    packet_creator_.FlushCurrentPacket();
-  }
-
-  // Don't allow the handshake to be bundled with other retransmittable frames.
-  packet_creator_.FlushCurrentPacket();
-
-  return total_bytes_consumed;
-}
-
-QuicConsumedData QuicPacketGenerator::ConsumeData(QuicStreamId id,
-                                                  size_t write_length,
-                                                  QuicStreamOffset offset,
-                                                  StreamSendingState state) {
-  if (packet_creator_.combine_generator_and_creator()) {
-    return packet_creator_.ConsumeData(id, write_length, offset, state);
-  }
-  QUIC_BUG_IF(!flusher_attached_) << "Packet flusher is not attached when "
-                                     "generator tries to write stream data.";
-  bool has_handshake =
-      QuicUtils::IsCryptoStreamId(packet_creator_.transport_version(), id);
-  MaybeBundleAckOpportunistically();
-  bool fin = state != NO_FIN;
-  QUIC_BUG_IF(has_handshake && fin)
-      << "Handshake packets should never send a fin";
-  // To make reasoning about crypto frames easier, we don't combine them with
-  // other retransmittable frames in a single packet.
-  if (has_handshake && packet_creator_.HasPendingRetransmittableFrames()) {
-    packet_creator_.FlushCurrentPacket();
-  }
-
-  size_t total_bytes_consumed = 0;
-  bool fin_consumed = false;
-
-  if (!packet_creator_.HasRoomForStreamFrame(id, offset, write_length)) {
-    packet_creator_.FlushCurrentPacket();
-  }
-
-  if (!fin && (write_length == 0)) {
-    QUIC_BUG << "Attempt to consume empty data without FIN.";
-    return QuicConsumedData(0, false);
-  }
-  // We determine if we can enter the fast path before executing
-  // the slow path loop.
-  bool run_fast_path =
-      !has_handshake && state != FIN_AND_PADDING && !HasPendingFrames() &&
-      write_length - total_bytes_consumed > kMaxOutgoingPacketSize;
-
-  while (!run_fast_path && delegate_->ShouldGeneratePacket(
-                               HAS_RETRANSMITTABLE_DATA,
-                               has_handshake ? IS_HANDSHAKE : NOT_HANDSHAKE)) {
-    QuicFrame frame;
-    bool needs_full_padding =
-        has_handshake && fully_pad_crypto_handshake_packets_;
-
-    if (!packet_creator_.ConsumeDataToFillCurrentPacket(
-            id, write_length - total_bytes_consumed,
-            offset + total_bytes_consumed, fin, needs_full_padding,
-            next_transmission_type_, &frame)) {
-      // The creator is always flushed if there's not enough room for a new
-      // stream frame before ConsumeData, so ConsumeData should always succeed.
-      QUIC_BUG << "Failed to ConsumeData, stream:" << id;
-      return QuicConsumedData(0, false);
-    }
-
-    // A stream frame is created and added.
-    size_t bytes_consumed = frame.stream_frame.data_length;
-    total_bytes_consumed += bytes_consumed;
-    fin_consumed = fin && total_bytes_consumed == write_length;
-    if (fin_consumed && state == FIN_AND_PADDING) {
-      AddRandomPadding();
-    }
-    DCHECK(total_bytes_consumed == write_length ||
-           (bytes_consumed > 0 && packet_creator_.HasPendingFrames()));
-
-    if (total_bytes_consumed == write_length) {
-      // We're done writing the data. Exit the loop.
-      // We don't make this a precondition because we could have 0 bytes of data
-      // if we're simply writing a fin.
-      break;
-    }
-    // TODO(ianswett): Move to having the creator flush itself when it's full.
-    packet_creator_.FlushCurrentPacket();
-
-    run_fast_path =
-        !has_handshake && state != FIN_AND_PADDING && !HasPendingFrames() &&
-        write_length - total_bytes_consumed > kMaxOutgoingPacketSize;
-  }
-
-  if (run_fast_path) {
-    return ConsumeDataFastPath(id, write_length, offset, state != NO_FIN,
-                               total_bytes_consumed);
-  }
-
-  // Don't allow the handshake to be bundled with other retransmittable frames.
-  if (has_handshake) {
-    packet_creator_.FlushCurrentPacket();
-  }
-
-  return QuicConsumedData(total_bytes_consumed, fin_consumed);
-}
-
-QuicConsumedData QuicPacketGenerator::ConsumeDataFastPath(
-    QuicStreamId id,
-    size_t write_length,
-    QuicStreamOffset offset,
-    bool fin,
-    size_t total_bytes_consumed) {
-  if (packet_creator_.combine_generator_and_creator()) {
-    return packet_creator_.ConsumeDataFastPath(id, write_length, offset, fin,
-                                               total_bytes_consumed);
-  }
-  DCHECK(!QuicUtils::IsCryptoStreamId(packet_creator_.transport_version(), id));
-
-  while (total_bytes_consumed < write_length &&
-         delegate_->ShouldGeneratePacket(HAS_RETRANSMITTABLE_DATA,
-                                         NOT_HANDSHAKE)) {
-    // Serialize and encrypt the packet.
-    size_t bytes_consumed = 0;
-    packet_creator_.CreateAndSerializeStreamFrame(
-        id, write_length, total_bytes_consumed, offset + total_bytes_consumed,
-        fin, next_transmission_type_, &bytes_consumed);
-    total_bytes_consumed += bytes_consumed;
-  }
-
-  return QuicConsumedData(total_bytes_consumed,
-                          fin && (total_bytes_consumed == write_length));
-}
-
-void QuicPacketGenerator::GenerateMtuDiscoveryPacket(QuicByteCount target_mtu) {
-  if (packet_creator_.combine_generator_and_creator()) {
-    packet_creator_.GenerateMtuDiscoveryPacket(target_mtu);
-    return;
-  }
-  // MTU discovery frames must be sent by themselves.
-  if (!packet_creator_.CanSetMaxPacketLength()) {
-    QUIC_BUG << "MTU discovery packets should only be sent when no other "
-             << "frames needs to be sent.";
-    return;
-  }
-  const QuicByteCount current_mtu = GetCurrentMaxPacketLength();
-
-  // The MTU discovery frame is allocated on the stack, since it is going to be
-  // serialized within this function.
-  QuicMtuDiscoveryFrame mtu_discovery_frame;
-  QuicFrame frame(mtu_discovery_frame);
-
-  // Send the probe packet with the new length.
-  SetMaxPacketLength(target_mtu);
-  const bool success =
-      packet_creator_.AddPaddedSavedFrame(frame, next_transmission_type_);
-  packet_creator_.FlushCurrentPacket();
-  // The only reason AddFrame can fail is that the packet is too full to fit in
-  // a ping.  This is not possible for any sane MTU.
-  DCHECK(success);
-
-  // Reset the packet length back.
-  SetMaxPacketLength(current_mtu);
-}
-
-bool QuicPacketGenerator::PacketFlusherAttached() const {
-  if (packet_creator_.combine_generator_and_creator()) {
-    return packet_creator_.PacketFlusherAttached();
-  }
-  return flusher_attached_;
-}
-
-void QuicPacketGenerator::AttachPacketFlusher() {
-  if (packet_creator_.combine_generator_and_creator()) {
-    packet_creator_.AttachPacketFlusher();
-    return;
-  }
-  flusher_attached_ = true;
-  if (!write_start_packet_number_.IsInitialized()) {
-    write_start_packet_number_ = packet_creator_.NextSendingPacketNumber();
-  }
-}
-
-void QuicPacketGenerator::Flush() {
-  if (packet_creator_.combine_generator_and_creator()) {
-    packet_creator_.Flush();
-    return;
-  }
-  packet_creator_.FlushCurrentPacket();
-  SendRemainingPendingPadding();
-  flusher_attached_ = false;
-  if (GetQuicFlag(FLAGS_quic_export_server_num_packets_per_write_histogram)) {
-    if (!write_start_packet_number_.IsInitialized()) {
-      QUIC_BUG << "write_start_packet_number is not initialized";
-      return;
-    }
-    QUIC_SERVER_HISTOGRAM_COUNTS(
-        "quic_server_num_written_packets_per_write",
-        packet_creator_.NextSendingPacketNumber() - write_start_packet_number_,
-        1, 200, 50, "Number of QUIC packets written per write operation");
-  }
-  write_start_packet_number_.Clear();
-}
-
-void QuicPacketGenerator::FlushAllQueuedFrames() {
-  packet_creator_.FlushCurrentPacket();
-}
-
-bool QuicPacketGenerator::HasPendingFrames() const {
-  return packet_creator_.HasPendingFrames();
-}
-
-void QuicPacketGenerator::StopSendingVersion() {
-  packet_creator_.StopSendingVersion();
-}
-
-void QuicPacketGenerator::SetDiversificationNonce(
-    const DiversificationNonce& nonce) {
-  packet_creator_.SetDiversificationNonce(nonce);
-}
-
-QuicPacketNumber QuicPacketGenerator::packet_number() const {
-  return packet_creator_.packet_number();
-}
-
-QuicByteCount QuicPacketGenerator::GetCurrentMaxPacketLength() const {
-  return packet_creator_.max_packet_length();
-}
-
-void QuicPacketGenerator::SetMaxPacketLength(QuicByteCount length) {
-  DCHECK(packet_creator_.CanSetMaxPacketLength());
-  packet_creator_.SetMaxPacketLength(length);
-}
-
-std::unique_ptr<QuicEncryptedPacket>
-QuicPacketGenerator::SerializeVersionNegotiationPacket(
-    bool ietf_quic,
-    bool use_length_prefix,
-    const ParsedQuicVersionVector& supported_versions) {
-  return packet_creator_.SerializeVersionNegotiationPacket(
-      ietf_quic, use_length_prefix, supported_versions);
-}
-
-OwningSerializedPacketPointer
-QuicPacketGenerator::SerializeConnectivityProbingPacket() {
-  return packet_creator_.SerializeConnectivityProbingPacket();
-}
-
-OwningSerializedPacketPointer
-QuicPacketGenerator::SerializePathChallengeConnectivityProbingPacket(
-    QuicPathFrameBuffer* payload) {
-  return packet_creator_.SerializePathChallengeConnectivityProbingPacket(
-      payload);
-}
-
-OwningSerializedPacketPointer
-QuicPacketGenerator::SerializePathResponseConnectivityProbingPacket(
-    const QuicDeque<QuicPathFrameBuffer>& payloads,
-    const bool is_padded) {
-  return packet_creator_.SerializePathResponseConnectivityProbingPacket(
-      payloads, is_padded);
-}
-
-void QuicPacketGenerator::ReserializeAllFrames(
-    const QuicPendingRetransmission& retransmission,
-    char* buffer,
-    size_t buffer_len) {
-  packet_creator_.ReserializeAllFrames(retransmission, buffer, buffer_len);
-}
-
-void QuicPacketGenerator::UpdatePacketNumberLength(
-    QuicPacketNumber least_packet_awaited_by_peer,
-    QuicPacketCount max_packets_in_flight) {
-  return packet_creator_.UpdatePacketNumberLength(least_packet_awaited_by_peer,
-                                                  max_packets_in_flight);
-}
-
-void QuicPacketGenerator::SkipNPacketNumbers(
-    QuicPacketCount count,
-    QuicPacketNumber least_packet_awaited_by_peer,
-    QuicPacketCount max_packets_in_flight) {
-  packet_creator_.SkipNPacketNumbers(count, least_packet_awaited_by_peer,
-                                     max_packets_in_flight);
-}
-
-void QuicPacketGenerator::SetServerConnectionIdLength(uint32_t length) {
-  if (packet_creator_.combine_generator_and_creator()) {
-    packet_creator_.SetServerConnectionIdLength(length);
-    return;
-  }
-  if (length == 0) {
-    packet_creator_.SetServerConnectionIdIncluded(CONNECTION_ID_ABSENT);
-  } else {
-    packet_creator_.SetServerConnectionIdIncluded(CONNECTION_ID_PRESENT);
-  }
-}
-
-void QuicPacketGenerator::set_encryption_level(EncryptionLevel level) {
-  packet_creator_.set_encryption_level(level);
-}
-
-void QuicPacketGenerator::SetEncrypter(
-    EncryptionLevel level,
-    std::unique_ptr<QuicEncrypter> encrypter) {
-  packet_creator_.SetEncrypter(level, std::move(encrypter));
-}
-
-void QuicPacketGenerator::AddRandomPadding() {
-  if (packet_creator_.combine_generator_and_creator()) {
-    packet_creator_.AddRandomPadding();
-    return;
-  }
-  packet_creator_.AddPendingPadding(
-      random_generator_->RandUint64() % kMaxNumRandomPaddingBytes + 1);
-}
-
-void QuicPacketGenerator::SendRemainingPendingPadding() {
-  if (packet_creator_.combine_generator_and_creator()) {
-    packet_creator_.SendRemainingPendingPadding();
-    return;
-  }
-  while (
-      packet_creator_.pending_padding_bytes() > 0 && !HasPendingFrames() &&
-      delegate_->ShouldGeneratePacket(NO_RETRANSMITTABLE_DATA, NOT_HANDSHAKE)) {
-    packet_creator_.FlushCurrentPacket();
-  }
-}
-
-bool QuicPacketGenerator::HasRetransmittableFrames() const {
-  return packet_creator_.HasPendingRetransmittableFrames();
-}
-
-bool QuicPacketGenerator::HasPendingStreamFramesOfStream(
-    QuicStreamId id) const {
-  return packet_creator_.HasPendingStreamFramesOfStream(id);
-}
-
-void QuicPacketGenerator::SetTransmissionType(TransmissionType type) {
-  if (packet_creator_.combine_generator_and_creator()) {
-    packet_creator_.SetTransmissionType(type);
-    return;
-  }
-  packet_creator_.SetTransmissionTypeOfNextPackets(type);
-  if (packet_creator_.can_set_transmission_type()) {
-    next_transmission_type_ = type;
-  }
-}
-
-void QuicPacketGenerator::SetRetryToken(QuicStringPiece retry_token) {
-  packet_creator_.SetRetryToken(retry_token);
-}
-
-void QuicPacketGenerator::SetCanSetTransmissionType(
-    bool can_set_transmission_type) {
-  packet_creator_.set_can_set_transmission_type(can_set_transmission_type);
-}
-
-MessageStatus QuicPacketGenerator::AddMessageFrame(QuicMessageId message_id,
-                                                   QuicMemSliceSpan message) {
-  if (packet_creator_.combine_generator_and_creator()) {
-    return packet_creator_.AddMessageFrame(message_id, message);
-  }
-  QUIC_BUG_IF(!flusher_attached_) << "Packet flusher is not attached when "
-                                     "generator tries to add message frame.";
-  MaybeBundleAckOpportunistically();
-  const QuicByteCount message_length = message.total_length();
-  if (message_length > GetCurrentLargestMessagePayload()) {
-    return MESSAGE_STATUS_TOO_LARGE;
-  }
-  if (!packet_creator_.HasRoomForMessageFrame(message_length)) {
-    packet_creator_.FlushCurrentPacket();
-  }
-  QuicMessageFrame* frame = new QuicMessageFrame(message_id, message);
-  const bool success =
-      packet_creator_.AddSavedFrame(QuicFrame(frame), next_transmission_type_);
-  if (!success) {
-    QUIC_BUG << "Failed to send message " << message_id;
-    delete frame;
-    return MESSAGE_STATUS_INTERNAL_ERROR;
-  }
-  return MESSAGE_STATUS_SUCCESS;
-}
-
-void QuicPacketGenerator::MaybeBundleAckOpportunistically() {
-  if (packet_creator_.combine_generator_and_creator()) {
-    packet_creator_.MaybeBundleAckOpportunistically();
-    return;
-  }
-  if (packet_creator_.has_ack()) {
-    // Ack already queued, nothing to do.
-    return;
-  }
-  if (!delegate_->ShouldGeneratePacket(NO_RETRANSMITTABLE_DATA,
-                                       NOT_HANDSHAKE)) {
-    return;
-  }
-  const bool flushed =
-      FlushAckFrame(delegate_->MaybeBundleAckOpportunistically());
-  DCHECK(flushed);
-}
-
-bool QuicPacketGenerator::FlushAckFrame(const QuicFrames& frames) {
-  if (packet_creator_.combine_generator_and_creator()) {
-    return packet_creator_.FlushAckFrame(frames);
-  }
-  QUIC_BUG_IF(!flusher_attached_) << "Packet flusher is not attached when "
-                                     "generator tries to send ACK frame.";
-  for (const auto& frame : frames) {
-    DCHECK(frame.type == ACK_FRAME || frame.type == STOP_WAITING_FRAME);
-    if (packet_creator_.HasPendingFrames()) {
-      if (packet_creator_.AddSavedFrame(frame, next_transmission_type_)) {
-        // There is pending frames and current frame fits.
-        continue;
-      }
-    }
-    DCHECK(!packet_creator_.HasPendingFrames());
-    // There is no pending frames, consult the delegate whether a packet can be
-    // generated.
-    if (!delegate_->ShouldGeneratePacket(NO_RETRANSMITTABLE_DATA,
-                                         NOT_HANDSHAKE)) {
-      return false;
-    }
-    const bool success =
-        packet_creator_.AddSavedFrame(frame, next_transmission_type_);
-    QUIC_BUG_IF(!success) << "Failed to flush " << frame;
-  }
-  return true;
-}
-
-QuicPacketLength QuicPacketGenerator::GetCurrentLargestMessagePayload() const {
-  return packet_creator_.GetCurrentLargestMessagePayload();
-}
-
-QuicPacketLength QuicPacketGenerator::GetGuaranteedLargestMessagePayload()
-    const {
-  return packet_creator_.GetGuaranteedLargestMessagePayload();
-}
-
-void QuicPacketGenerator::SetServerConnectionId(
-    QuicConnectionId server_connection_id) {
-  packet_creator_.SetServerConnectionId(server_connection_id);
-}
-
-void QuicPacketGenerator::SetClientConnectionId(
-    QuicConnectionId client_connection_id) {
-  packet_creator_.SetClientConnectionId(client_connection_id);
-}
-
-void QuicPacketGenerator::set_fully_pad_crypto_handshake_packets(
-    bool new_value) {
-  if (packet_creator_.combine_generator_and_creator()) {
-    packet_creator_.set_fully_pad_crypto_handshake_packets(new_value);
-    return;
-  }
-  fully_pad_crypto_handshake_packets_ = new_value;
-}
-
-bool QuicPacketGenerator::fully_pad_crypto_handshake_packets() const {
-  if (packet_creator_.combine_generator_and_creator()) {
-    return packet_creator_.fully_pad_crypto_handshake_packets();
-  }
-  return fully_pad_crypto_handshake_packets_;
-}
-
-}  // namespace quic
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_packet_generator.h b/chromium/net/third_party/quiche/src/quic/core/quic_packet_generator.h
deleted file mode 100644
index 7d8df7e778e..00000000000
--- a/chromium/net/third_party/quiche/src/quic/core/quic_packet_generator.h
+++ /dev/null
@@ -1,269 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-// Responsible for generating packets on behalf of a QuicConnection.
-// Packets are serialized just-in-time.
-// Ack and Feedback frames will be requested from the Connection
-// just-in-time.  When a packet needs to be sent, the Generator
-// will serialize a packet and pass it to QuicConnection::SendOrQueuePacket()
-//
-// The Generator's mode of operation is controlled by two conditions:
-//
-// 1) Is the Delegate writable?
-//
-// If the Delegate is not writable, then no operations will cause
-// a packet to be serialized.  In particular:
-// * SetShouldSendAck will simply record that an ack is to be sent.
-// * AddControlFrame will enqueue the control frame.
-// * ConsumeData will do nothing.
-//
-// If the Delegate is writable, then the behavior depends on the second
-// condition:
-//
-// 2) Is the Generator in batch mode?
-//
-// If the Generator is NOT in batch mode, then each call to a write
-// operation will serialize one or more packets.  The contents will
-// include any previous queued frames.  If an ack should be sent
-// but has not been sent, then the Delegate will be asked to create
-// an Ack frame which will then be included in the packet.  When
-// the write call completes, the current packet will be serialized
-// and sent to the Delegate, even if it is not full.
-//
-// If the Generator is in batch mode, then each write operation will
-// add data to the "current" packet.  When the current packet becomes
-// full, it will be serialized and sent to the packet.  When batch
-// mode is ended via |FinishBatchOperations|, the current packet
-// will be serialzied, even if it is not full.
-
-#ifndef QUICHE_QUIC_CORE_QUIC_PACKET_GENERATOR_H_
-#define QUICHE_QUIC_CORE_QUIC_PACKET_GENERATOR_H_
-
-#include <cstddef>
-#include <cstdint>
-#include <list>
-
-#include "net/third_party/quiche/src/quic/core/quic_packet_creator.h"
-#include "net/third_party/quiche/src/quic/core/quic_pending_retransmission.h"
-#include "net/third_party/quiche/src/quic/core/quic_sent_packet_manager.h"
-#include "net/third_party/quiche/src/quic/core/quic_types.h"
-#include "net/third_party/quiche/src/quic/platform/api/quic_export.h"
-#include "net/third_party/quiche/src/quic/platform/api/quic_mem_slice_span.h"
-
-namespace quic {
-
-namespace test {
-class QuicPacketGeneratorPeer;
-}  // namespace test
-
-class QUIC_EXPORT_PRIVATE QuicPacketGenerator {
- public:
-  QuicPacketGenerator(QuicConnectionId server_connection_id,
-                      QuicFramer* framer,
-                      QuicRandom* random_generator,
-                      QuicPacketCreator::DelegateInterface* delegate);
-  QuicPacketGenerator(const QuicPacketGenerator&) = delete;
-  QuicPacketGenerator& operator=(const QuicPacketGenerator&) = delete;
-
-  ~QuicPacketGenerator();
-
-  // Consumes retransmittable control |frame|. Returns true if the frame is
-  // successfully consumed. Returns false otherwise.
-  bool ConsumeRetransmittableControlFrame(const QuicFrame& frame);
-
-  // Given some data, may consume part or all of it and pass it to the
-  // packet creator to be serialized into packets. If not in batch
-  // mode, these packets will also be sent during this call.
-  // When |state| is FIN_AND_PADDING, random padding of size [1, 256] will be
-  // added after stream frames. If current constructed packet cannot
-  // accommodate, the padding will overflow to the next packet(s).
-  QuicConsumedData ConsumeData(QuicStreamId id,
-                               size_t write_length,
-                               QuicStreamOffset offset,
-                               StreamSendingState state);
-
-  // Consumes data for CRYPTO frames sent at |level| starting at |offset| for a
-  // total of |write_length| bytes, and returns the number of bytes consumed.
-  // The data is passed into the packet creator and serialized into one or more
-  // packets.
-  size_t ConsumeCryptoData(EncryptionLevel level,
-                           size_t write_length,
-                           QuicStreamOffset offset);
-
-  // Sends as many data only packets as allowed by the send algorithm and the
-  // available iov.
-  // This path does not support padding, or bundling pending frames.
-  // In case we access this method from ConsumeData, total_bytes_consumed
-  // keeps track of how many bytes have already been consumed.
-  QuicConsumedData ConsumeDataFastPath(QuicStreamId id,
-                                       size_t write_length,
-                                       QuicStreamOffset offset,
-                                       bool fin,
-                                       size_t total_bytes_consumed);
-
-  // Generates an MTU discovery packet of specified size.
-  void GenerateMtuDiscoveryPacket(QuicByteCount target_mtu);
-
-  // Indicates whether packet flusher is currently attached.
-  bool PacketFlusherAttached() const;
-  // Attaches packet flusher.
-  void AttachPacketFlusher();
-  // Flushes everything, including current open packet and pending padding.
-  void Flush();
-
-  // Flushes current open packet.
-  void FlushAllQueuedFrames();
-
-  // Returns true if there are frames pending to be serialized.
-  bool HasPendingFrames() const;
-
-  // Makes the framer not serialize the protocol version in sent packets.
-  void StopSendingVersion();
-
-  // SetDiversificationNonce sets the nonce that will be sent in each public
-  // header of packets encrypted at the initial encryption level. Should only
-  // be called by servers.
-  void SetDiversificationNonce(const DiversificationNonce& nonce);
-
-  // Creates a version negotiation packet which supports |supported_versions|.
-  std::unique_ptr<QuicEncryptedPacket> SerializeVersionNegotiationPacket(
-      bool ietf_quic,
-      bool use_length_prefix,
-      const ParsedQuicVersionVector& supported_versions);
-
-  // Creates a connectivity probing packet.
-  OwningSerializedPacketPointer SerializeConnectivityProbingPacket();
-
-  // Create connectivity probing request and response packets using PATH
-  // CHALLENGE and PATH RESPONSE frames, respectively.
-  // SerializePathChallengeConnectivityProbingPacket will pad the packet to be
-  // MTU bytes long.
-  OwningSerializedPacketPointer SerializePathChallengeConnectivityProbingPacket(
-      QuicPathFrameBuffer* payload);
-
-  // If |is_padded| is true then SerializePathResponseConnectivityProbingPacket
-  // will pad the packet to be MTU bytes long, else it will not pad the packet.
-  // |payloads| is cleared.
-  OwningSerializedPacketPointer SerializePathResponseConnectivityProbingPacket(
-      const QuicDeque<QuicPathFrameBuffer>& payloads,
-      const bool is_padded);
-
-  // Re-serializes frames with the original packet's packet number length.
-  // Used for retransmitting packets to ensure they aren't too long.
-  void ReserializeAllFrames(const QuicPendingRetransmission& retransmission,
-                            char* buffer,
-                            size_t buffer_len);
-
-  // Update the packet number length to use in future packets as soon as it
-  // can be safely changed.
-  void UpdatePacketNumberLength(QuicPacketNumber least_packet_awaited_by_peer,
-                                QuicPacketCount max_packets_in_flight);
-
-  // Skip |count| packet numbers.
-  void SkipNPacketNumbers(QuicPacketCount count,
-                          QuicPacketNumber least_packet_awaited_by_peer,
-                          QuicPacketCount max_packets_in_flight);
-
-  // Set the minimum number of bytes for the server connection id length;
-  void SetServerConnectionIdLength(uint32_t length);
-
-  // Sets the encrypter to use for the encryption level.
-  void SetEncrypter(EncryptionLevel level,
-                    std::unique_ptr<QuicEncrypter> encrypter);
-
-  // Returns true if there are control frames or current constructed packet has
-  // pending retransmittable frames.
-  bool HasRetransmittableFrames() const;
-
-  // Returns true if current constructed packet has pending stream frames for
-  // stream |id|.
-  bool HasPendingStreamFramesOfStream(QuicStreamId id) const;
-
-  // Sets the encryption level that will be applied to new packets.
-  void set_encryption_level(EncryptionLevel level);
-
-  // packet number of the last created packet, or 0 if no packets have been
-  // created.
-  QuicPacketNumber packet_number() const;
-
-  // Returns the maximum length a current packet can actually have.
-  QuicByteCount GetCurrentMaxPacketLength() const;
-
-  // Set maximum packet length in the creator immediately.  May not be called
-  // when there are frames queued in the creator.
-  void SetMaxPacketLength(QuicByteCount length);
-
-  // Set transmission type of next constructed packets.
-  void SetTransmissionType(TransmissionType type);
-
-  // Sets the retry token to be sent over the wire in IETF Initial packets.
-  void SetRetryToken(QuicStringPiece retry_token);
-
-  // Allow/Disallow setting transmission type of next constructed packets.
-  void SetCanSetTransmissionType(bool can_set_transmission_type);
-
-  // Tries to add a message frame containing |message| and returns the status.
-  MessageStatus AddMessageFrame(QuicMessageId message_id,
-                                QuicMemSliceSpan message);
-
-  // Called to flush ACK and STOP_WAITING frames, returns false if the flush
-  // fails.
-  bool FlushAckFrame(const QuicFrames& frames);
-
-  // Returns the largest payload that will fit into a single MESSAGE frame.
-  QuicPacketLength GetCurrentLargestMessagePayload() const;
-  QuicPacketLength GetGuaranteedLargestMessagePayload() const;
-
-  // Update the server connection ID used in outgoing packets.
-  void SetServerConnectionId(QuicConnectionId server_connection_id);
-
-  // Update the client connection ID used in outgoing packets.
-  void SetClientConnectionId(QuicConnectionId client_connection_id);
-
-  void set_debug_delegate(QuicPacketCreator::DebugDelegate* debug_delegate) {
-    packet_creator_.set_debug_delegate(debug_delegate);
-  }
-
-  void set_fully_pad_crypto_handshake_packets(bool new_value);
-
-  bool fully_pad_crypto_handshake_packets() const;
-
- private:
-  friend class test::QuicPacketGeneratorPeer;
-
-  // Adds a random amount of padding (between 1 to 256 bytes).
-  void AddRandomPadding();
-
-  // Sends remaining pending padding.
-  // Pending paddings should only be sent when there is nothing else to send.
-  void SendRemainingPendingPadding();
-
-  // Called when there is data to be sent, Retrieves updated ACK frame from
-  // delegate_ and flushes it.
-  void MaybeBundleAckOpportunistically();
-
-  QuicPacketCreator::DelegateInterface* delegate_;
-
-  QuicPacketCreator packet_creator_;
-
-  // Transmission type of the next serialized packet.
-  TransmissionType next_transmission_type_;
-
-  // True if packet flusher is currently attached.
-  bool flusher_attached_;
-
-  QuicRandom* random_generator_;
-
-  // Whether crypto handshake packets should be fully padded.
-  bool fully_pad_crypto_handshake_packets_;
-
-  // Packet number of the first packet of a write operation. This gets set
-  // when the out-most flusher attaches and gets cleared when the out-most
-  // flusher detaches.
-  QuicPacketNumber write_start_packet_number_;
-};
-
-}  // namespace quic
-
-#endif  // QUICHE_QUIC_CORE_QUIC_PACKET_GENERATOR_H_
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_packet_generator_test.cc b/chromium/net/third_party/quiche/src/quic/core/quic_packet_generator_test.cc
deleted file mode 100644
index b098958cb52..00000000000
--- a/chromium/net/third_party/quiche/src/quic/core/quic_packet_generator_test.cc
+++ /dev/null
@@ -1,1512 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "net/third_party/quiche/src/quic/core/quic_packet_generator.h"
-
-#include <cstdint>
-#include <memory>
-#include <string>
-#include <utility>
-
-#include "net/third_party/quiche/src/quic/core/crypto/crypto_protocol.h"
-#include "net/third_party/quiche/src/quic/core/crypto/null_decrypter.h"
-#include "net/third_party/quiche/src/quic/core/crypto/null_encrypter.h"
-#include "net/third_party/quiche/src/quic/core/crypto/quic_decrypter.h"
-#include "net/third_party/quiche/src/quic/core/crypto/quic_encrypter.h"
-#include "net/third_party/quiche/src/quic/core/quic_simple_buffer_allocator.h"
-#include "net/third_party/quiche/src/quic/core/quic_utils.h"
-#include "net/third_party/quiche/src/quic/platform/api/quic_expect_bug.h"
-#include "net/third_party/quiche/src/quic/platform/api/quic_socket_address.h"
-#include "net/third_party/quiche/src/quic/platform/api/quic_string_piece.h"
-#include "net/third_party/quiche/src/quic/platform/api/quic_test.h"
-#include "net/third_party/quiche/src/quic/test_tools/mock_random.h"
-#include "net/third_party/quiche/src/quic/test_tools/quic_framer_peer.h"
-#include "net/third_party/quiche/src/quic/test_tools/quic_packet_creator_peer.h"
-#include "net/third_party/quiche/src/quic/test_tools/quic_packet_generator_peer.h"
-#include "net/third_party/quiche/src/quic/test_tools/quic_test_utils.h"
-#include "net/third_party/quiche/src/quic/test_tools/simple_data_producer.h"
-#include "net/third_party/quiche/src/quic/test_tools/simple_quic_framer.h"
-
-using testing::_;
-using testing::InSequence;
-using testing::Return;
-using testing::StrictMock;
-
-namespace quic {
-namespace test {
-namespace {
-
-class MockDelegate : public QuicPacketCreator::DelegateInterface {
- public:
-  MockDelegate() {}
-  MockDelegate(const MockDelegate&) = delete;
-  MockDelegate& operator=(const MockDelegate&) = delete;
-  ~MockDelegate() override {}
-
-  MOCK_METHOD2(ShouldGeneratePacket,
-               bool(HasRetransmittableData retransmittable,
-                    IsHandshake handshake));
-  MOCK_METHOD0(MaybeBundleAckOpportunistically, const QuicFrames());
-  MOCK_METHOD0(GetPacketBuffer, char*());
-  MOCK_METHOD1(OnSerializedPacket, void(SerializedPacket* packet));
-  MOCK_METHOD2(OnUnrecoverableError, void(QuicErrorCode, const std::string&));
-
-  void SetCanWriteAnything() {
-    EXPECT_CALL(*this, ShouldGeneratePacket(_, _)).WillRepeatedly(Return(true));
-    EXPECT_CALL(*this, ShouldGeneratePacket(NO_RETRANSMITTABLE_DATA, _))
-        .WillRepeatedly(Return(true));
-  }
-
-  void SetCanNotWrite() {
-    EXPECT_CALL(*this, ShouldGeneratePacket(_, _))
-        .WillRepeatedly(Return(false));
-    EXPECT_CALL(*this, ShouldGeneratePacket(NO_RETRANSMITTABLE_DATA, _))
-        .WillRepeatedly(Return(false));
-  }
-
-  // Use this when only ack frames should be allowed to be written.
-  void SetCanWriteOnlyNonRetransmittable() {
-    EXPECT_CALL(*this, ShouldGeneratePacket(_, _))
-        .WillRepeatedly(Return(false));
-    EXPECT_CALL(*this, ShouldGeneratePacket(NO_RETRANSMITTABLE_DATA, _))
-        .WillRepeatedly(Return(true));
-  }
-};
-
-// Simple struct for describing the contents of a packet.
-// Useful in conjunction with a SimpleQuicFrame for validating that a packet
-// contains the expected frames.
-struct PacketContents {
-  PacketContents()
-      : num_ack_frames(0),
-        num_connection_close_frames(0),
-        num_goaway_frames(0),
-        num_rst_stream_frames(0),
-        num_stop_waiting_frames(0),
-        num_stream_frames(0),
-        num_crypto_frames(0),
-        num_ping_frames(0),
-        num_mtu_discovery_frames(0),
-        num_padding_frames(0) {}
-
-  size_t num_ack_frames;
-  size_t num_connection_close_frames;
-  size_t num_goaway_frames;
-  size_t num_rst_stream_frames;
-  size_t num_stop_waiting_frames;
-  size_t num_stream_frames;
-  size_t num_crypto_frames;
-  size_t num_ping_frames;
-  size_t num_mtu_discovery_frames;
-  size_t num_padding_frames;
-};
-
-}  // namespace
-
-class TestPacketGenerator : public QuicPacketGenerator {
- public:
-  TestPacketGenerator(QuicConnectionId connection_id,
-                      QuicFramer* framer,
-                      QuicRandom* random_generator,
-                      QuicPacketCreator::DelegateInterface* delegate,
-                      SimpleDataProducer* producer)
-      : QuicPacketGenerator(connection_id, framer, random_generator, delegate),
-        ack_frame_(InitAckFrame(1)),
-        delegate_(static_cast<MockDelegate*>(delegate)),
-        producer_(producer) {}
-
-  bool ConsumeRetransmittableControlFrame(const QuicFrame& frame,
-                                          bool bundle_ack) {
-    if (!QuicPacketGeneratorPeer::GetPacketCreator(this)->has_ack()) {
-      QuicFrames frames;
-      if (bundle_ack) {
-        frames.push_back(QuicFrame(&ack_frame_));
-      }
-      if (delegate_->ShouldGeneratePacket(NO_RETRANSMITTABLE_DATA,
-                                          NOT_HANDSHAKE)) {
-        EXPECT_CALL(*delegate_, MaybeBundleAckOpportunistically())
-            .WillOnce(Return(frames));
-      }
-    }
-    return QuicPacketGenerator::ConsumeRetransmittableControlFrame(frame);
-  }
-
-  QuicConsumedData ConsumeDataFastPath(QuicStreamId id,
-                                       const struct iovec* iov,
-                                       int iov_count,
-                                       size_t total_length,
-                                       QuicStreamOffset offset,
-                                       bool fin) {
-    // Save data before data is consumed.
-    if (total_length > 0) {
-      producer_->SaveStreamData(id, iov, iov_count, 0, total_length);
-    }
-    return QuicPacketGenerator::ConsumeDataFastPath(id, total_length, offset,
-                                                    fin, 0);
-  }
-
-  QuicConsumedData ConsumeData(QuicStreamId id,
-                               const struct iovec* iov,
-                               int iov_count,
-                               size_t total_length,
-                               QuicStreamOffset offset,
-                               StreamSendingState state) {
-    // Save data before data is consumed.
-    if (total_length > 0) {
-      producer_->SaveStreamData(id, iov, iov_count, 0, total_length);
-    }
-    if (!QuicPacketGeneratorPeer::GetPacketCreator(this)->has_ack() &&
-        delegate_->ShouldGeneratePacket(NO_RETRANSMITTABLE_DATA,
-                                        NOT_HANDSHAKE)) {
-      EXPECT_CALL(*delegate_, MaybeBundleAckOpportunistically()).Times(1);
-    }
-    return QuicPacketGenerator::ConsumeData(id, total_length, offset, state);
-  }
-
-  MessageStatus AddMessageFrame(QuicMessageId message_id,
-                                QuicMemSliceSpan message) {
-    if (!QuicPacketGeneratorPeer::GetPacketCreator(this)->has_ack() &&
-        delegate_->ShouldGeneratePacket(NO_RETRANSMITTABLE_DATA,
-                                        NOT_HANDSHAKE)) {
-      EXPECT_CALL(*delegate_, MaybeBundleAckOpportunistically()).Times(1);
-    }
-    return QuicPacketGenerator::AddMessageFrame(message_id, message);
-  }
-
-  size_t ConsumeCryptoData(EncryptionLevel level,
-                           QuicStringPiece data,
-                           QuicStreamOffset offset) {
-    producer_->SaveCryptoData(level, offset, data);
-    if (!QuicPacketGeneratorPeer::GetPacketCreator(this)->has_ack() &&
-        delegate_->ShouldGeneratePacket(NO_RETRANSMITTABLE_DATA,
-                                        NOT_HANDSHAKE)) {
-      EXPECT_CALL(*delegate_, MaybeBundleAckOpportunistically()).Times(1);
-    }
-    return QuicPacketGenerator::ConsumeCryptoData(level, data.length(), offset);
-  }
-
-  QuicAckFrame ack_frame_;
-  MockDelegate* delegate_;
-  SimpleDataProducer* producer_;
-};
-
-class QuicPacketGeneratorTest : public QuicTest {
- public:
-  QuicPacketGeneratorTest()
-      : framer_(AllSupportedVersions(),
-                QuicTime::Zero(),
-                Perspective::IS_CLIENT,
-                kQuicDefaultConnectionIdLength),
-        generator_(TestConnectionId(),
-                   &framer_,
-                   &random_generator_,
-                   &delegate_,
-                   &producer_),
-        creator_(QuicPacketGeneratorPeer::GetPacketCreator(&generator_)),
-        ack_frame_(InitAckFrame(1)) {
-    EXPECT_CALL(delegate_, GetPacketBuffer()).WillRepeatedly(Return(nullptr));
-    creator_->SetEncrypter(
-        ENCRYPTION_FORWARD_SECURE,
-        std::make_unique<NullEncrypter>(Perspective::IS_CLIENT));
-    creator_->set_encryption_level(ENCRYPTION_FORWARD_SECURE);
-    framer_.set_data_producer(&producer_);
-    if (simple_framer_.framer()->version().KnowsWhichDecrypterToUse()) {
-      simple_framer_.framer()->InstallDecrypter(
-          ENCRYPTION_FORWARD_SECURE,
-          std::make_unique<NullDecrypter>(Perspective::IS_SERVER));
-    }
-    generator_.AttachPacketFlusher();
-  }
-
-  ~QuicPacketGeneratorTest() override {
-    for (SerializedPacket& packet : packets_) {
-      delete[] packet.encrypted_buffer;
-      ClearSerializedPacket(&packet);
-    }
-  }
-
-  void SavePacket(SerializedPacket* packet) {
-    packet->encrypted_buffer = CopyBuffer(*packet);
-    packets_.push_back(*packet);
-    packet->encrypted_buffer = nullptr;
-    packet->retransmittable_frames.clear();
-  }
-
- protected:
-  QuicRstStreamFrame* CreateRstStreamFrame() {
-    return new QuicRstStreamFrame(1, 1, QUIC_STREAM_NO_ERROR, 0);
-  }
-
-  QuicGoAwayFrame* CreateGoAwayFrame() {
-    return new QuicGoAwayFrame(2, QUIC_NO_ERROR, 1, std::string());
-  }
-
-  void CheckPacketContains(const PacketContents& contents,
-                           size_t packet_index) {
-    ASSERT_GT(packets_.size(), packet_index);
-    const SerializedPacket& packet = packets_[packet_index];
-    size_t num_retransmittable_frames =
-        contents.num_connection_close_frames + contents.num_goaway_frames +
-        contents.num_rst_stream_frames + contents.num_stream_frames +
-        contents.num_crypto_frames + contents.num_ping_frames;
-    size_t num_frames =
-        contents.num_ack_frames + contents.num_stop_waiting_frames +
-        contents.num_mtu_discovery_frames + contents.num_padding_frames +
-        num_retransmittable_frames;
-
-    if (num_retransmittable_frames == 0) {
-      ASSERT_TRUE(packet.retransmittable_frames.empty());
-    } else {
-      ASSERT_FALSE(packet.retransmittable_frames.empty());
-      EXPECT_EQ(num_retransmittable_frames,
-                packet.retransmittable_frames.size());
-    }
-
-    ASSERT_TRUE(packet.encrypted_buffer != nullptr);
-    ASSERT_TRUE(simple_framer_.ProcessPacket(
-        QuicEncryptedPacket(packet.encrypted_buffer, packet.encrypted_length)));
-    size_t num_padding_frames = 0;
-    if (contents.num_padding_frames == 0) {
-      num_padding_frames = simple_framer_.padding_frames().size();
-    }
-    EXPECT_EQ(num_frames + num_padding_frames, simple_framer_.num_frames());
-    EXPECT_EQ(contents.num_ack_frames, simple_framer_.ack_frames().size());
-    EXPECT_EQ(contents.num_connection_close_frames,
-              simple_framer_.connection_close_frames().size());
-    EXPECT_EQ(contents.num_goaway_frames,
-              simple_framer_.goaway_frames().size());
-    EXPECT_EQ(contents.num_rst_stream_frames,
-              simple_framer_.rst_stream_frames().size());
-    EXPECT_EQ(contents.num_stream_frames,
-              simple_framer_.stream_frames().size());
-    EXPECT_EQ(contents.num_crypto_frames,
-              simple_framer_.crypto_frames().size());
-    EXPECT_EQ(contents.num_stop_waiting_frames,
-              simple_framer_.stop_waiting_frames().size());
-    if (contents.num_padding_frames != 0) {
-      EXPECT_EQ(contents.num_padding_frames,
-                simple_framer_.padding_frames().size());
-    }
-
-    // From the receiver's perspective, MTU discovery frames are ping frames.
-    EXPECT_EQ(contents.num_ping_frames + contents.num_mtu_discovery_frames,
-              simple_framer_.ping_frames().size());
-  }
-
-  void CheckPacketHasSingleStreamFrame(size_t packet_index) {
-    ASSERT_GT(packets_.size(), packet_index);
-    const SerializedPacket& packet = packets_[packet_index];
-    ASSERT_FALSE(packet.retransmittable_frames.empty());
-    EXPECT_EQ(1u, packet.retransmittable_frames.size());
-    ASSERT_TRUE(packet.encrypted_buffer != nullptr);
-    ASSERT_TRUE(simple_framer_.ProcessPacket(
-        QuicEncryptedPacket(packet.encrypted_buffer, packet.encrypted_length)));
-    EXPECT_EQ(1u, simple_framer_.num_frames());
-    EXPECT_EQ(1u, simple_framer_.stream_frames().size());
-  }
-
-  void CheckAllPacketsHaveSingleStreamFrame() {
-    for (size_t i = 0; i < packets_.size(); i++) {
-      CheckPacketHasSingleStreamFrame(i);
-    }
-  }
-
-  void CreateData(size_t len) {
-    data_array_.reset(new char[len]);
-    memset(data_array_.get(), '?', len);
-    iov_.iov_base = data_array_.get();
-    iov_.iov_len = len;
-  }
-
-  QuicFramer framer_;
-  MockRandom random_generator_;
-  StrictMock<MockDelegate> delegate_;
-  TestPacketGenerator generator_;
-  QuicPacketCreator* creator_;
-  SimpleQuicFramer simple_framer_;
-  std::vector<SerializedPacket> packets_;
-  QuicAckFrame ack_frame_;
-  struct iovec iov_;
-  SimpleBufferAllocator allocator_;
-
- private:
-  std::unique_ptr<char[]> data_array_;
-  SimpleDataProducer producer_;
-};
-
-class MockDebugDelegate : public QuicPacketCreator::DebugDelegate {
- public:
-  MOCK_METHOD1(OnFrameAddedToPacket, void(const QuicFrame&));
-};
-
-TEST_F(QuicPacketGeneratorTest, AddControlFrame_NotWritable) {
-  delegate_.SetCanNotWrite();
-
-  QuicRstStreamFrame* rst_frame = CreateRstStreamFrame();
-  const bool consumed =
-      generator_.ConsumeRetransmittableControlFrame(QuicFrame(rst_frame),
-                                                    /*bundle_ack=*/false);
-  EXPECT_FALSE(consumed);
-  EXPECT_FALSE(generator_.HasPendingFrames());
-  EXPECT_FALSE(generator_.HasRetransmittableFrames());
-  delete rst_frame;
-}
-
-TEST_F(QuicPacketGeneratorTest, AddControlFrame_OnlyAckWritable) {
-  delegate_.SetCanWriteOnlyNonRetransmittable();
-
-  QuicRstStreamFrame* rst_frame = CreateRstStreamFrame();
-  const bool consumed =
-      generator_.ConsumeRetransmittableControlFrame(QuicFrame(rst_frame),
-                                                    /*bundle_ack=*/false);
-  EXPECT_FALSE(consumed);
-  EXPECT_FALSE(generator_.HasPendingFrames());
-  EXPECT_FALSE(generator_.HasRetransmittableFrames());
-  delete rst_frame;
-}
-
-TEST_F(QuicPacketGeneratorTest, AddControlFrame_WritableAndShouldNotFlush) {
-  delegate_.SetCanWriteAnything();
-
-  generator_.ConsumeRetransmittableControlFrame(
-      QuicFrame(CreateRstStreamFrame()),
-      /*bundle_ack=*/false);
-  EXPECT_TRUE(generator_.HasPendingFrames());
-  EXPECT_TRUE(generator_.HasRetransmittableFrames());
-}
-
-TEST_F(QuicPacketGeneratorTest, AddControlFrame_NotWritableBatchThenFlush) {
-  delegate_.SetCanNotWrite();
-
-  QuicRstStreamFrame* rst_frame = CreateRstStreamFrame();
-  const bool consumed =
-      generator_.ConsumeRetransmittableControlFrame(QuicFrame(rst_frame),
-                                                    /*bundle_ack=*/false);
-  EXPECT_FALSE(consumed);
-  EXPECT_FALSE(generator_.HasPendingFrames());
-  EXPECT_FALSE(generator_.HasRetransmittableFrames());
-  delete rst_frame;
-}
-
-TEST_F(QuicPacketGeneratorTest, AddControlFrame_WritableAndShouldFlush) {
-  delegate_.SetCanWriteAnything();
-
-  EXPECT_CALL(delegate_, OnSerializedPacket(_))
-      .WillOnce(Invoke(this, &QuicPacketGeneratorTest::SavePacket));
-
-  generator_.ConsumeRetransmittableControlFrame(
-      QuicFrame(CreateRstStreamFrame()),
-      /*bundle_ack=*/false);
-  generator_.Flush();
-  EXPECT_FALSE(generator_.HasPendingFrames());
-  EXPECT_FALSE(generator_.HasRetransmittableFrames());
-
-  PacketContents contents;
-  contents.num_rst_stream_frames = 1;
-  CheckPacketContains(contents, 0);
-}
-
-TEST_F(QuicPacketGeneratorTest, ConsumeCryptoData) {
-  delegate_.SetCanWriteAnything();
-
-  EXPECT_CALL(delegate_, OnSerializedPacket(_))
-      .WillOnce(Invoke(this, &QuicPacketGeneratorTest::SavePacket));
-  std::string data = "crypto data";
-  size_t consumed_bytes =
-      generator_.ConsumeCryptoData(ENCRYPTION_INITIAL, data, 0);
-  generator_.Flush();
-  EXPECT_EQ(data.length(), consumed_bytes);
-  EXPECT_FALSE(generator_.HasPendingFrames());
-  EXPECT_FALSE(generator_.HasRetransmittableFrames());
-
-  PacketContents contents;
-  contents.num_crypto_frames = 1;
-  contents.num_padding_frames = 1;
-  CheckPacketContains(contents, 0);
-}
-
-TEST_F(QuicPacketGeneratorTest, ConsumeData_NotWritable) {
-  delegate_.SetCanNotWrite();
-
-  MakeIOVector("foo", &iov_);
-  QuicConsumedData consumed = generator_.ConsumeData(
-      QuicUtils::GetFirstBidirectionalStreamId(framer_.transport_version(),
-                                               Perspective::IS_CLIENT),
-      &iov_, 1u, iov_.iov_len, 0, FIN);
-  EXPECT_EQ(0u, consumed.bytes_consumed);
-  EXPECT_FALSE(consumed.fin_consumed);
-  EXPECT_FALSE(generator_.HasPendingFrames());
-  EXPECT_FALSE(generator_.HasRetransmittableFrames());
-}
-
-TEST_F(QuicPacketGeneratorTest, ConsumeData_WritableAndShouldNotFlush) {
-  delegate_.SetCanWriteAnything();
-
-  MakeIOVector("foo", &iov_);
-  QuicConsumedData consumed = generator_.ConsumeData(
-      QuicUtils::GetFirstBidirectionalStreamId(framer_.transport_version(),
-                                               Perspective::IS_CLIENT),
-      &iov_, 1u, iov_.iov_len, 0, FIN);
-  EXPECT_EQ(3u, consumed.bytes_consumed);
-  EXPECT_TRUE(consumed.fin_consumed);
-  EXPECT_TRUE(generator_.HasPendingFrames());
-  EXPECT_TRUE(generator_.HasRetransmittableFrames());
-}
-
-TEST_F(QuicPacketGeneratorTest, ConsumeData_WritableAndShouldFlush) {
-  delegate_.SetCanWriteAnything();
-
-  EXPECT_CALL(delegate_, OnSerializedPacket(_))
-      .WillOnce(Invoke(this, &QuicPacketGeneratorTest::SavePacket));
-  MakeIOVector("foo", &iov_);
-  QuicConsumedData consumed = generator_.ConsumeData(
-      QuicUtils::GetFirstBidirectionalStreamId(framer_.transport_version(),
-                                               Perspective::IS_CLIENT),
-      &iov_, 1u, iov_.iov_len, 0, FIN);
-  generator_.Flush();
-  EXPECT_EQ(3u, consumed.bytes_consumed);
-  EXPECT_TRUE(consumed.fin_consumed);
-  EXPECT_FALSE(generator_.HasPendingFrames());
-  EXPECT_FALSE(generator_.HasRetransmittableFrames());
-
-  PacketContents contents;
-  contents.num_stream_frames = 1;
-  CheckPacketContains(contents, 0);
-}
-
-// Test the behavior of ConsumeData when the data consumed is for the crypto
-// handshake stream.  Ensure that the packet is always sent and padded even if
-// the generator operates in batch mode.
-TEST_F(QuicPacketGeneratorTest, ConsumeData_Handshake) {
-  delegate_.SetCanWriteAnything();
-
-  EXPECT_CALL(delegate_, OnSerializedPacket(_))
-      .WillOnce(Invoke(this, &QuicPacketGeneratorTest::SavePacket));
-  std::string data = "foo bar";
-  MakeIOVector(data, &iov_);
-  size_t consumed_bytes = 0;
-  if (QuicVersionUsesCryptoFrames(framer_.transport_version())) {
-    consumed_bytes = generator_.ConsumeCryptoData(ENCRYPTION_INITIAL, data, 0);
-  } else {
-    consumed_bytes =
-        generator_
-            .ConsumeData(
-                QuicUtils::GetCryptoStreamId(framer_.transport_version()),
-                &iov_, 1u, iov_.iov_len, 0, NO_FIN)
-            .bytes_consumed;
-  }
-  EXPECT_EQ(7u, consumed_bytes);
-  EXPECT_FALSE(generator_.HasPendingFrames());
-  EXPECT_FALSE(generator_.HasRetransmittableFrames());
-
-  PacketContents contents;
-  if (QuicVersionUsesCryptoFrames(framer_.transport_version())) {
-    contents.num_crypto_frames = 1;
-  } else {
-    contents.num_stream_frames = 1;
-  }
-  contents.num_padding_frames = 1;
-  CheckPacketContains(contents, 0);
-
-  ASSERT_EQ(1u, packets_.size());
-  ASSERT_EQ(kDefaultMaxPacketSize, generator_.GetCurrentMaxPacketLength());
-  EXPECT_EQ(kDefaultMaxPacketSize, packets_[0].encrypted_length);
-}
-
-// Test the behavior of ConsumeData when the data is for the crypto handshake
-// stream, but padding is disabled.
-TEST_F(QuicPacketGeneratorTest, ConsumeData_Handshake_PaddingDisabled) {
-  generator_.set_fully_pad_crypto_handshake_packets(false);
-
-  delegate_.SetCanWriteAnything();
-
-  EXPECT_CALL(delegate_, OnSerializedPacket(_))
-      .WillOnce(Invoke(this, &QuicPacketGeneratorTest::SavePacket));
-  std::string data = "foo";
-  MakeIOVector(data, &iov_);
-  size_t bytes_consumed = 0;
-  if (QuicVersionUsesCryptoFrames(framer_.transport_version())) {
-    bytes_consumed = generator_.ConsumeCryptoData(ENCRYPTION_INITIAL, data, 0);
-  } else {
-    bytes_consumed =
-        generator_
-            .ConsumeData(
-                QuicUtils::GetCryptoStreamId(framer_.transport_version()),
-                &iov_, 1u, iov_.iov_len, 0, NO_FIN)
-            .bytes_consumed;
-  }
-  EXPECT_EQ(3u, bytes_consumed);
-  EXPECT_FALSE(generator_.HasPendingFrames());
-  EXPECT_FALSE(generator_.HasRetransmittableFrames());
-
-  PacketContents contents;
-  if (QuicVersionUsesCryptoFrames(framer_.transport_version())) {
-    contents.num_crypto_frames = 1;
-  } else {
-    contents.num_stream_frames = 1;
-  }
-  contents.num_padding_frames = 0;
-  CheckPacketContains(contents, 0);
-
-  ASSERT_EQ(1u, packets_.size());
-
-  // Packet is not fully padded, but we want to future packets to be larger.
-  ASSERT_EQ(kDefaultMaxPacketSize, generator_.GetCurrentMaxPacketLength());
-  size_t expected_packet_length = 27;
-  if (QuicVersionUsesCryptoFrames(framer_.transport_version())) {
-    // The framing of CRYPTO frames is slightly different than that of stream
-    // frames, so the expected packet length differs slightly.
-    expected_packet_length = 28;
-  }
-  if (framer_.version().HasHeaderProtection()) {
-    expected_packet_length = 29;
-  }
-  EXPECT_EQ(expected_packet_length, packets_[0].encrypted_length);
-}
-
-TEST_F(QuicPacketGeneratorTest, ConsumeData_EmptyData) {
-  delegate_.SetCanWriteAnything();
-
-  EXPECT_QUIC_BUG(generator_.ConsumeData(
-                      QuicUtils::QuicUtils::GetFirstBidirectionalStreamId(
-                          framer_.transport_version(), Perspective::IS_CLIENT),
-                      nullptr, 0, 0, 0, NO_FIN),
-                  "Attempt to consume empty data without FIN.");
-}
-
-TEST_F(QuicPacketGeneratorTest,
-       ConsumeDataMultipleTimes_WritableAndShouldNotFlush) {
-  delegate_.SetCanWriteAnything();
-
-  MakeIOVector("foo", &iov_);
-  generator_.ConsumeData(
-      QuicUtils::GetFirstBidirectionalStreamId(framer_.transport_version(),
-                                               Perspective::IS_CLIENT),
-      &iov_, 1u, iov_.iov_len, 0, FIN);
-  MakeIOVector("quux", &iov_);
-  QuicConsumedData consumed =
-      generator_.ConsumeData(3, &iov_, 1u, iov_.iov_len, 3, NO_FIN);
-  EXPECT_EQ(4u, consumed.bytes_consumed);
-  EXPECT_FALSE(consumed.fin_consumed);
-  EXPECT_TRUE(generator_.HasPendingFrames());
-  EXPECT_TRUE(generator_.HasRetransmittableFrames());
-}
-
-TEST_F(QuicPacketGeneratorTest, ConsumeData_BatchOperations) {
-  delegate_.SetCanWriteAnything();
-
-  MakeIOVector("foo", &iov_);
-  generator_.ConsumeData(
-      QuicUtils::GetFirstBidirectionalStreamId(framer_.transport_version(),
-                                               Perspective::IS_CLIENT),
-      &iov_, 1u, iov_.iov_len, 0, FIN);
-  MakeIOVector("quux", &iov_);
-  QuicConsumedData consumed = generator_.ConsumeData(
-      QuicUtils::GetFirstBidirectionalStreamId(framer_.transport_version(),
-                                               Perspective::IS_CLIENT),
-      &iov_, 1u, iov_.iov_len, 3, NO_FIN);
-  EXPECT_EQ(4u, consumed.bytes_consumed);
-  EXPECT_FALSE(consumed.fin_consumed);
-  EXPECT_TRUE(generator_.HasPendingFrames());
-  EXPECT_TRUE(generator_.HasRetransmittableFrames());
-
-  // Now both frames will be flushed out.
-  EXPECT_CALL(delegate_, OnSerializedPacket(_))
-      .WillOnce(Invoke(this, &QuicPacketGeneratorTest::SavePacket));
-  generator_.Flush();
-  EXPECT_FALSE(generator_.HasPendingFrames());
-  EXPECT_FALSE(generator_.HasRetransmittableFrames());
-
-  PacketContents contents;
-  contents.num_stream_frames = 2;
-  CheckPacketContains(contents, 0);
-}
-
-TEST_F(QuicPacketGeneratorTest, ConsumeData_FramesPreviouslyQueued) {
-  // Set the packet size be enough for two stream frames with 0 stream offset,
-  // but not enough for a stream frame of 0 offset and one with non-zero offset.
-  size_t length =
-      NullEncrypter(Perspective::IS_CLIENT).GetCiphertextSize(0) +
-      GetPacketHeaderSize(
-          framer_.transport_version(),
-          creator_->GetDestinationConnectionIdLength(),
-          creator_->GetSourceConnectionIdLength(),
-          QuicPacketCreatorPeer::SendVersionInPacket(creator_),
-          !kIncludeDiversificationNonce,
-          QuicPacketCreatorPeer::GetPacketNumberLength(creator_),
-          QuicPacketCreatorPeer::GetRetryTokenLengthLength(creator_), 0,
-          QuicPacketCreatorPeer::GetLengthLength(creator_)) +
-      // Add an extra 3 bytes for the payload and 1 byte so
-      // BytesFree is larger than the GetMinStreamFrameSize.
-      QuicFramer::GetMinStreamFrameSize(framer_.transport_version(), 1, 0,
-                                        false, 3) +
-      3 +
-      QuicFramer::GetMinStreamFrameSize(framer_.transport_version(), 1, 0, true,
-                                        1) +
-      1;
-  generator_.SetMaxPacketLength(length);
-  delegate_.SetCanWriteAnything();
-  {
-    InSequence dummy;
-    EXPECT_CALL(delegate_, OnSerializedPacket(_))
-        .WillOnce(Invoke(this, &QuicPacketGeneratorTest::SavePacket));
-    EXPECT_CALL(delegate_, OnSerializedPacket(_))
-        .WillOnce(Invoke(this, &QuicPacketGeneratorTest::SavePacket));
-  }
-  // Queue enough data to prevent a stream frame with a non-zero offset from
-  // fitting.
-  MakeIOVector("foo", &iov_);
-  QuicConsumedData consumed = generator_.ConsumeData(
-      QuicUtils::GetFirstBidirectionalStreamId(framer_.transport_version(),
-                                               Perspective::IS_CLIENT),
-      &iov_, 1u, iov_.iov_len, 0, NO_FIN);
-  EXPECT_EQ(3u, consumed.bytes_consumed);
-  EXPECT_FALSE(consumed.fin_consumed);
-  EXPECT_TRUE(generator_.HasPendingFrames());
-  EXPECT_TRUE(generator_.HasRetransmittableFrames());
-
-  // This frame will not fit with the existing frame, causing the queued frame
-  // to be serialized, and it will be added to a new open packet.
-  MakeIOVector("bar", &iov_);
-  consumed = generator_.ConsumeData(
-      QuicUtils::GetFirstBidirectionalStreamId(framer_.transport_version(),
-                                               Perspective::IS_CLIENT),
-      &iov_, 1u, iov_.iov_len, 3, FIN);
-  EXPECT_EQ(3u, consumed.bytes_consumed);
-  EXPECT_TRUE(consumed.fin_consumed);
-  EXPECT_TRUE(generator_.HasPendingFrames());
-  EXPECT_TRUE(generator_.HasRetransmittableFrames());
-
-  creator_->FlushCurrentPacket();
-  EXPECT_FALSE(generator_.HasPendingFrames());
-  EXPECT_FALSE(generator_.HasRetransmittableFrames());
-
-  PacketContents contents;
-  contents.num_stream_frames = 1;
-  CheckPacketContains(contents, 0);
-  CheckPacketContains(contents, 1);
-}
-
-TEST_F(QuicPacketGeneratorTest, ConsumeDataFastPath) {
-  delegate_.SetCanWriteAnything();
-  generator_.SetCanSetTransmissionType(true);
-  generator_.SetTransmissionType(LOSS_RETRANSMISSION);
-
-  // Create a 10000 byte IOVector.
-  CreateData(10000);
-  EXPECT_CALL(delegate_, OnSerializedPacket(_))
-      .WillRepeatedly(Invoke(this, &QuicPacketGeneratorTest::SavePacket));
-  QuicConsumedData consumed = generator_.ConsumeDataFastPath(
-      QuicUtils::GetFirstBidirectionalStreamId(framer_.transport_version(),
-                                               Perspective::IS_CLIENT),
-      &iov_, 1u, iov_.iov_len, 0, true);
-  EXPECT_EQ(10000u, consumed.bytes_consumed);
-  EXPECT_TRUE(consumed.fin_consumed);
-  EXPECT_FALSE(generator_.HasPendingFrames());
-  EXPECT_FALSE(generator_.HasRetransmittableFrames());
-
-  PacketContents contents;
-  contents.num_stream_frames = 1;
-  CheckPacketContains(contents, 0);
-  EXPECT_FALSE(packets_.empty());
-  SerializedPacket packet = packets_.back();
-  EXPECT_TRUE(!packet.retransmittable_frames.empty());
-  EXPECT_EQ(LOSS_RETRANSMISSION, packet.transmission_type);
-  EXPECT_EQ(STREAM_FRAME, packet.retransmittable_frames.front().type);
-  const QuicStreamFrame& stream_frame =
-      packet.retransmittable_frames.front().stream_frame;
-  EXPECT_EQ(10000u, stream_frame.data_length + stream_frame.offset);
-}
-
-TEST_F(QuicPacketGeneratorTest, ConsumeDataLarge) {
-  delegate_.SetCanWriteAnything();
-
-  // Create a 10000 byte IOVector.
-  CreateData(10000);
-  EXPECT_CALL(delegate_, OnSerializedPacket(_))
-      .WillRepeatedly(Invoke(this, &QuicPacketGeneratorTest::SavePacket));
-  QuicConsumedData consumed = generator_.ConsumeData(
-      QuicUtils::GetFirstBidirectionalStreamId(framer_.transport_version(),
-                                               Perspective::IS_CLIENT),
-      &iov_, 1u, iov_.iov_len, 0, FIN);
-  EXPECT_EQ(10000u, consumed.bytes_consumed);
-  EXPECT_TRUE(consumed.fin_consumed);
-  EXPECT_FALSE(generator_.HasPendingFrames());
-  EXPECT_FALSE(generator_.HasRetransmittableFrames());
-
-  PacketContents contents;
-  contents.num_stream_frames = 1;
-  CheckPacketContains(contents, 0);
-  EXPECT_FALSE(packets_.empty());
-  SerializedPacket packet = packets_.back();
-  EXPECT_TRUE(!packet.retransmittable_frames.empty());
-  EXPECT_EQ(STREAM_FRAME, packet.retransmittable_frames.front().type);
-  const QuicStreamFrame& stream_frame =
-      packet.retransmittable_frames.front().stream_frame;
-  EXPECT_EQ(10000u, stream_frame.data_length + stream_frame.offset);
-}
-
-TEST_F(QuicPacketGeneratorTest, ConsumeDataLargeSendAckFalse) {
-  delegate_.SetCanNotWrite();
-
-  QuicRstStreamFrame* rst_frame = CreateRstStreamFrame();
-  const bool success =
-      generator_.ConsumeRetransmittableControlFrame(QuicFrame(rst_frame),
-                                                    /*bundle_ack=*/true);
-  EXPECT_FALSE(success);
-  EXPECT_FALSE(generator_.HasPendingFrames());
-  EXPECT_FALSE(generator_.HasRetransmittableFrames());
-
-  delegate_.SetCanWriteAnything();
-
-  generator_.ConsumeRetransmittableControlFrame(QuicFrame(rst_frame),
-                                                /*bundle_ack=*/false);
-
-  // Create a 10000 byte IOVector.
-  CreateData(10000);
-  EXPECT_CALL(delegate_, OnSerializedPacket(_))
-      .WillRepeatedly(Invoke(this, &QuicPacketGeneratorTest::SavePacket));
-  generator_.ConsumeRetransmittableControlFrame(
-      QuicFrame(CreateRstStreamFrame()),
-      /*bundle_ack=*/true);
-  QuicConsumedData consumed = generator_.ConsumeData(
-      QuicUtils::GetFirstBidirectionalStreamId(framer_.transport_version(),
-                                               Perspective::IS_CLIENT),
-      &iov_, 1u, iov_.iov_len, 0, FIN);
-  generator_.Flush();
-
-  EXPECT_EQ(10000u, consumed.bytes_consumed);
-  EXPECT_TRUE(consumed.fin_consumed);
-  EXPECT_FALSE(generator_.HasPendingFrames());
-  EXPECT_FALSE(generator_.HasRetransmittableFrames());
-
-  EXPECT_FALSE(packets_.empty());
-  SerializedPacket packet = packets_.back();
-  EXPECT_TRUE(!packet.retransmittable_frames.empty());
-  EXPECT_EQ(STREAM_FRAME, packet.retransmittable_frames.front().type);
-  const QuicStreamFrame& stream_frame =
-      packet.retransmittable_frames.front().stream_frame;
-  EXPECT_EQ(10000u, stream_frame.data_length + stream_frame.offset);
-}
-
-TEST_F(QuicPacketGeneratorTest, ConsumeDataLargeSendAckTrue) {
-  if (VersionHasIetfInvariantHeader(framer_.transport_version())) {
-    return;
-  }
-  delegate_.SetCanNotWrite();
-  delegate_.SetCanWriteAnything();
-
-  // Create a 10000 byte IOVector.
-  CreateData(10000);
-  EXPECT_CALL(delegate_, OnSerializedPacket(_))
-      .WillRepeatedly(Invoke(this, &QuicPacketGeneratorTest::SavePacket));
-  QuicConsumedData consumed = generator_.ConsumeData(
-      QuicUtils::GetFirstBidirectionalStreamId(framer_.transport_version(),
-                                               Perspective::IS_CLIENT),
-      &iov_, 1u, iov_.iov_len, 0, FIN);
-  generator_.Flush();
-
-  EXPECT_EQ(10000u, consumed.bytes_consumed);
-  EXPECT_TRUE(consumed.fin_consumed);
-  EXPECT_FALSE(generator_.HasPendingFrames());
-  EXPECT_FALSE(generator_.HasRetransmittableFrames());
-
-  EXPECT_FALSE(packets_.empty());
-  SerializedPacket packet = packets_.back();
-  EXPECT_TRUE(!packet.retransmittable_frames.empty());
-  EXPECT_EQ(STREAM_FRAME, packet.retransmittable_frames.front().type);
-  const QuicStreamFrame& stream_frame =
-      packet.retransmittable_frames.front().stream_frame;
-  EXPECT_EQ(10000u, stream_frame.data_length + stream_frame.offset);
-}
-
-TEST_F(QuicPacketGeneratorTest, NotWritableThenBatchOperations) {
-  delegate_.SetCanNotWrite();
-
-  QuicRstStreamFrame* rst_frame = CreateRstStreamFrame();
-  const bool consumed =
-      generator_.ConsumeRetransmittableControlFrame(QuicFrame(rst_frame),
-                                                    /*bundle_ack=*/true);
-  EXPECT_FALSE(consumed);
-  EXPECT_FALSE(generator_.HasPendingFrames());
-  EXPECT_FALSE(generator_.HasRetransmittableFrames());
-  EXPECT_FALSE(generator_.HasPendingStreamFramesOfStream(3));
-
-  delegate_.SetCanWriteAnything();
-
-  EXPECT_TRUE(
-      generator_.ConsumeRetransmittableControlFrame(QuicFrame(rst_frame),
-                                                    /*bundle_ack=*/false));
-  // Send some data and a control frame
-  MakeIOVector("quux", &iov_);
-  generator_.ConsumeData(3, &iov_, 1u, iov_.iov_len, 0, NO_FIN);
-  if (!VersionHasIetfQuicFrames(framer_.transport_version())) {
-    generator_.ConsumeRetransmittableControlFrame(
-        QuicFrame(CreateGoAwayFrame()),
-        /*bundle_ack=*/false);
-  }
-  EXPECT_TRUE(generator_.HasPendingStreamFramesOfStream(3));
-
-  // All five frames will be flushed out in a single packet.
-  EXPECT_CALL(delegate_, OnSerializedPacket(_))
-      .WillOnce(Invoke(this, &QuicPacketGeneratorTest::SavePacket));
-  generator_.Flush();
-  EXPECT_FALSE(generator_.HasPendingFrames());
-  EXPECT_FALSE(generator_.HasRetransmittableFrames());
-  EXPECT_FALSE(generator_.HasPendingStreamFramesOfStream(3));
-
-  PacketContents contents;
-  // ACK will be flushed by connection.
-  contents.num_ack_frames = 0;
-  if (!VersionHasIetfQuicFrames(framer_.transport_version())) {
-    contents.num_goaway_frames = 1;
-  } else {
-    contents.num_goaway_frames = 0;
-  }
-  contents.num_rst_stream_frames = 1;
-  contents.num_stream_frames = 1;
-  CheckPacketContains(contents, 0);
-}
-
-TEST_F(QuicPacketGeneratorTest, NotWritableThenBatchOperations2) {
-  delegate_.SetCanNotWrite();
-
-  QuicRstStreamFrame* rst_frame = CreateRstStreamFrame();
-  const bool success =
-      generator_.ConsumeRetransmittableControlFrame(QuicFrame(rst_frame),
-                                                    /*bundle_ack=*/true);
-  EXPECT_FALSE(success);
-  EXPECT_FALSE(generator_.HasPendingFrames());
-  EXPECT_FALSE(generator_.HasRetransmittableFrames());
-
-  delegate_.SetCanWriteAnything();
-
-  {
-    InSequence dummy;
-    // All five frames will be flushed out in a single packet
-    EXPECT_CALL(delegate_, OnSerializedPacket(_))
-        .WillOnce(Invoke(this, &QuicPacketGeneratorTest::SavePacket));
-    EXPECT_CALL(delegate_, OnSerializedPacket(_))
-        .WillOnce(Invoke(this, &QuicPacketGeneratorTest::SavePacket));
-  }
-  EXPECT_TRUE(
-      generator_.ConsumeRetransmittableControlFrame(QuicFrame(rst_frame),
-                                                    /*bundle_ack=*/false));
-  // Send enough data to exceed one packet
-  size_t data_len = kDefaultMaxPacketSize + 100;
-  CreateData(data_len);
-  QuicConsumedData consumed =
-      generator_.ConsumeData(3, &iov_, 1u, iov_.iov_len, 0, FIN);
-  EXPECT_EQ(data_len, consumed.bytes_consumed);
-  EXPECT_TRUE(consumed.fin_consumed);
-  if (!VersionHasIetfQuicFrames(framer_.transport_version())) {
-    generator_.ConsumeRetransmittableControlFrame(
-        QuicFrame(CreateGoAwayFrame()),
-        /*bundle_ack=*/false);
-  }
-
-  generator_.Flush();
-  EXPECT_FALSE(generator_.HasPendingFrames());
-  EXPECT_FALSE(generator_.HasRetransmittableFrames());
-
-  // The first packet should have the queued data and part of the stream data.
-  PacketContents contents;
-  // ACK will be sent by connection.
-  contents.num_ack_frames = 0;
-  contents.num_rst_stream_frames = 1;
-  contents.num_stream_frames = 1;
-  CheckPacketContains(contents, 0);
-
-  // The second should have the remainder of the stream data.
-  PacketContents contents2;
-  if (!VersionHasIetfQuicFrames(framer_.transport_version())) {
-    contents2.num_goaway_frames = 1;
-  } else {
-    contents2.num_goaway_frames = 0;
-  }
-  contents2.num_stream_frames = 1;
-  CheckPacketContains(contents2, 1);
-}
-
-// Regression test of b/120493795.
-TEST_F(QuicPacketGeneratorTest, PacketTransmissionType) {
-  delegate_.SetCanWriteAnything();
-  generator_.SetCanSetTransmissionType(true);
-
-  // The first ConsumeData will fill the packet without flush.
-  generator_.SetTransmissionType(LOSS_RETRANSMISSION);
-
-  size_t data_len = 1324;
-  CreateData(data_len);
-  QuicStreamId stream1_id = QuicUtils::GetFirstBidirectionalStreamId(
-      framer_.transport_version(), Perspective::IS_CLIENT);
-  QuicConsumedData consumed =
-      generator_.ConsumeData(stream1_id, &iov_, 1u, iov_.iov_len, 0, NO_FIN);
-  EXPECT_EQ(data_len, consumed.bytes_consumed);
-  ASSERT_EQ(0u, creator_->BytesFree())
-      << "Test setup failed: Please increase data_len to "
-      << data_len + creator_->BytesFree() << " bytes.";
-
-  // The second ConsumeData can not be added to the packet and will flush.
-  generator_.SetTransmissionType(NOT_RETRANSMISSION);
-
-  EXPECT_CALL(delegate_, OnSerializedPacket(_))
-      .WillOnce(Invoke(this, &QuicPacketGeneratorTest::SavePacket));
-
-  QuicStreamId stream2_id = stream1_id + 4;
-
-  consumed =
-      generator_.ConsumeData(stream2_id, &iov_, 1u, iov_.iov_len, 0, NO_FIN);
-  EXPECT_EQ(data_len, consumed.bytes_consumed);
-
-  // Ensure the packet is successfully created.
-  ASSERT_EQ(1u, packets_.size());
-  ASSERT_TRUE(packets_[0].encrypted_buffer);
-  ASSERT_EQ(1u, packets_[0].retransmittable_frames.size());
-  EXPECT_EQ(stream1_id,
-            packets_[0].retransmittable_frames[0].stream_frame.stream_id);
-
-  // Since the second frame was not added, the packet's transmission type
-  // should be the first frame's type.
-  EXPECT_EQ(packets_[0].transmission_type, LOSS_RETRANSMISSION);
-}
-
-TEST_F(QuicPacketGeneratorTest, TestConnectionIdLength) {
-  QuicFramerPeer::SetPerspective(&framer_, Perspective::IS_SERVER);
-  generator_.SetServerConnectionIdLength(0);
-  EXPECT_EQ(PACKET_0BYTE_CONNECTION_ID,
-            creator_->GetDestinationConnectionIdLength());
-
-  for (size_t i = 1; i < 10; i++) {
-    generator_.SetServerConnectionIdLength(i);
-    if (VersionHasIetfInvariantHeader(framer_.transport_version())) {
-      EXPECT_EQ(PACKET_0BYTE_CONNECTION_ID,
-                creator_->GetDestinationConnectionIdLength());
-    } else {
-      EXPECT_EQ(PACKET_8BYTE_CONNECTION_ID,
-                creator_->GetDestinationConnectionIdLength());
-    }
-  }
-}
-
-// Test whether SetMaxPacketLength() works in the situation when the queue is
-// empty, and we send three packets worth of data.
-TEST_F(QuicPacketGeneratorTest, SetMaxPacketLength_Initial) {
-  delegate_.SetCanWriteAnything();
-
-  // Send enough data for three packets.
-  size_t data_len = 3 * kDefaultMaxPacketSize + 1;
-  size_t packet_len = kDefaultMaxPacketSize + 100;
-  ASSERT_LE(packet_len, kMaxOutgoingPacketSize);
-  generator_.SetMaxPacketLength(packet_len);
-  EXPECT_EQ(packet_len, generator_.GetCurrentMaxPacketLength());
-
-  EXPECT_CALL(delegate_, OnSerializedPacket(_))
-      .Times(3)
-      .WillRepeatedly(Invoke(this, &QuicPacketGeneratorTest::SavePacket));
-  CreateData(data_len);
-  QuicConsumedData consumed = generator_.ConsumeData(
-      QuicUtils::GetFirstBidirectionalStreamId(framer_.transport_version(),
-                                               Perspective::IS_CLIENT),
-      &iov_, 1u, iov_.iov_len,
-      /*offset=*/0, FIN);
-  EXPECT_EQ(data_len, consumed.bytes_consumed);
-  EXPECT_TRUE(consumed.fin_consumed);
-  EXPECT_FALSE(generator_.HasPendingFrames());
-  EXPECT_FALSE(generator_.HasRetransmittableFrames());
-
-  // We expect three packets, and first two of them have to be of packet_len
-  // size.  We check multiple packets (instead of just one) because we want to
-  // ensure that |max_packet_length_| does not get changed incorrectly by the
-  // generator after first packet is serialized.
-  ASSERT_EQ(3u, packets_.size());
-  EXPECT_EQ(packet_len, packets_[0].encrypted_length);
-  EXPECT_EQ(packet_len, packets_[1].encrypted_length);
-  CheckAllPacketsHaveSingleStreamFrame();
-}
-
-// Test whether SetMaxPacketLength() works in the situation when we first write
-// data, then change packet size, then write data again.
-TEST_F(QuicPacketGeneratorTest, SetMaxPacketLength_Middle) {
-  delegate_.SetCanWriteAnything();
-
-  // We send enough data to overflow default packet length, but not the altered
-  // one.
-  size_t data_len = kDefaultMaxPacketSize;
-  size_t packet_len = kDefaultMaxPacketSize + 100;
-  ASSERT_LE(packet_len, kMaxOutgoingPacketSize);
-
-  // We expect to see three packets in total.
-  EXPECT_CALL(delegate_, OnSerializedPacket(_))
-      .Times(3)
-      .WillRepeatedly(Invoke(this, &QuicPacketGeneratorTest::SavePacket));
-
-  // Send two packets before packet size change.
-  CreateData(data_len);
-  QuicConsumedData consumed = generator_.ConsumeData(
-      QuicUtils::GetFirstBidirectionalStreamId(framer_.transport_version(),
-                                               Perspective::IS_CLIENT),
-      &iov_, 1u, iov_.iov_len,
-      /*offset=*/0, NO_FIN);
-  generator_.Flush();
-  EXPECT_EQ(data_len, consumed.bytes_consumed);
-  EXPECT_FALSE(consumed.fin_consumed);
-  EXPECT_FALSE(generator_.HasPendingFrames());
-  EXPECT_FALSE(generator_.HasRetransmittableFrames());
-
-  // Make sure we already have two packets.
-  ASSERT_EQ(2u, packets_.size());
-
-  // Increase packet size.
-  generator_.SetMaxPacketLength(packet_len);
-  EXPECT_EQ(packet_len, generator_.GetCurrentMaxPacketLength());
-
-  // Send a packet after packet size change.
-  CreateData(data_len);
-  generator_.AttachPacketFlusher();
-  consumed = generator_.ConsumeData(
-      QuicUtils::GetFirstBidirectionalStreamId(framer_.transport_version(),
-                                               Perspective::IS_CLIENT),
-      &iov_, 1u, iov_.iov_len, data_len, FIN);
-  generator_.Flush();
-  EXPECT_EQ(data_len, consumed.bytes_consumed);
-  EXPECT_TRUE(consumed.fin_consumed);
-  EXPECT_FALSE(generator_.HasPendingFrames());
-  EXPECT_FALSE(generator_.HasRetransmittableFrames());
-
-  // We expect first data chunk to get fragmented, but the second one to fit
-  // into a single packet.
-  ASSERT_EQ(3u, packets_.size());
-  EXPECT_EQ(kDefaultMaxPacketSize, packets_[0].encrypted_length);
-  EXPECT_LE(kDefaultMaxPacketSize, packets_[2].encrypted_length);
-  CheckAllPacketsHaveSingleStreamFrame();
-}
-
-// Test whether SetMaxPacketLength() works correctly when we force the change of
-// the packet size in the middle of the batched packet.
-TEST_F(QuicPacketGeneratorTest, SetMaxPacketLength_MidpacketFlush) {
-  delegate_.SetCanWriteAnything();
-
-  size_t first_write_len = kDefaultMaxPacketSize / 2;
-  size_t packet_len = kDefaultMaxPacketSize + 100;
-  size_t second_write_len = packet_len + 1;
-  ASSERT_LE(packet_len, kMaxOutgoingPacketSize);
-
-  // First send half of the packet worth of data.  We are in the batch mode, so
-  // should not cause packet serialization.
-  CreateData(first_write_len);
-  QuicConsumedData consumed = generator_.ConsumeData(
-      QuicUtils::GetFirstBidirectionalStreamId(framer_.transport_version(),
-                                               Perspective::IS_CLIENT),
-      &iov_, 1u, iov_.iov_len,
-      /*offset=*/0, NO_FIN);
-  EXPECT_EQ(first_write_len, consumed.bytes_consumed);
-  EXPECT_FALSE(consumed.fin_consumed);
-  EXPECT_TRUE(generator_.HasPendingFrames());
-  EXPECT_TRUE(generator_.HasRetransmittableFrames());
-
-  // Make sure we have no packets so far.
-  ASSERT_EQ(0u, packets_.size());
-
-  // Expect a packet to be flushed.
-  EXPECT_CALL(delegate_, OnSerializedPacket(_))
-      .WillOnce(Invoke(this, &QuicPacketGeneratorTest::SavePacket));
-
-  // Increase packet size after flushing all frames.
-  // Ensure it's immediately enacted.
-  generator_.FlushAllQueuedFrames();
-  generator_.SetMaxPacketLength(packet_len);
-  EXPECT_EQ(packet_len, generator_.GetCurrentMaxPacketLength());
-  EXPECT_FALSE(generator_.HasPendingFrames());
-  EXPECT_FALSE(generator_.HasRetransmittableFrames());
-
-  // We expect to see exactly one packet serialized after that, because we send
-  // a value somewhat exceeding new max packet size, and the tail data does not
-  // get serialized because we are still in the batch mode.
-  EXPECT_CALL(delegate_, OnSerializedPacket(_))
-      .WillOnce(Invoke(this, &QuicPacketGeneratorTest::SavePacket));
-
-  // Send a more than a packet worth of data to the same stream.  This should
-  // trigger serialization of one packet, and queue another one.
-  CreateData(second_write_len);
-  consumed = generator_.ConsumeData(
-      QuicUtils::GetFirstBidirectionalStreamId(framer_.transport_version(),
-                                               Perspective::IS_CLIENT),
-      &iov_, 1u, iov_.iov_len,
-      /*offset=*/first_write_len, FIN);
-  EXPECT_EQ(second_write_len, consumed.bytes_consumed);
-  EXPECT_TRUE(consumed.fin_consumed);
-  EXPECT_TRUE(generator_.HasPendingFrames());
-  EXPECT_TRUE(generator_.HasRetransmittableFrames());
-
-  // We expect the first packet to be underfilled, and the second packet be up
-  // to the new max packet size.
-  ASSERT_EQ(2u, packets_.size());
-  EXPECT_GT(kDefaultMaxPacketSize, packets_[0].encrypted_length);
-  EXPECT_EQ(packet_len, packets_[1].encrypted_length);
-
-  CheckAllPacketsHaveSingleStreamFrame();
-}
-
-// Test sending a connectivity probing packet.
-TEST_F(QuicPacketGeneratorTest, GenerateConnectivityProbingPacket) {
-  delegate_.SetCanWriteAnything();
-
-  OwningSerializedPacketPointer probing_packet;
-  if (VersionHasIetfQuicFrames(framer_.transport_version())) {
-    QuicPathFrameBuffer payload = {
-        {0xde, 0xad, 0xbe, 0xef, 0xba, 0xdc, 0x0f, 0xfe}};
-    probing_packet =
-        generator_.SerializePathChallengeConnectivityProbingPacket(&payload);
-  } else {
-    probing_packet = generator_.SerializeConnectivityProbingPacket();
-  }
-
-  ASSERT_TRUE(simple_framer_.ProcessPacket(QuicEncryptedPacket(
-      probing_packet->encrypted_buffer, probing_packet->encrypted_length)));
-
-  EXPECT_EQ(2u, simple_framer_.num_frames());
-  if (VersionHasIetfQuicFrames(framer_.transport_version())) {
-    EXPECT_EQ(1u, simple_framer_.path_challenge_frames().size());
-  } else {
-    EXPECT_EQ(1u, simple_framer_.ping_frames().size());
-  }
-  EXPECT_EQ(1u, simple_framer_.padding_frames().size());
-}
-
-// Test sending an MTU probe, without any surrounding data.
-TEST_F(QuicPacketGeneratorTest, GenerateMtuDiscoveryPacket_Simple) {
-  delegate_.SetCanWriteAnything();
-
-  const size_t target_mtu = kDefaultMaxPacketSize + 100;
-  static_assert(target_mtu < kMaxOutgoingPacketSize,
-                "The MTU probe used by the test exceeds maximum packet size");
-
-  EXPECT_CALL(delegate_, OnSerializedPacket(_))
-      .WillOnce(Invoke(this, &QuicPacketGeneratorTest::SavePacket));
-
-  generator_.GenerateMtuDiscoveryPacket(target_mtu);
-
-  EXPECT_FALSE(generator_.HasPendingFrames());
-  EXPECT_FALSE(generator_.HasRetransmittableFrames());
-  ASSERT_EQ(1u, packets_.size());
-  EXPECT_EQ(target_mtu, packets_[0].encrypted_length);
-
-  PacketContents contents;
-  contents.num_mtu_discovery_frames = 1;
-  contents.num_padding_frames = 1;
-  CheckPacketContains(contents, 0);
-}
-
-// Test sending an MTU probe.  Surround it with data, to ensure that it resets
-// the MTU to the value before the probe was sent.
-TEST_F(QuicPacketGeneratorTest, GenerateMtuDiscoveryPacket_SurroundedByData) {
-  delegate_.SetCanWriteAnything();
-
-  const size_t target_mtu = kDefaultMaxPacketSize + 100;
-  static_assert(target_mtu < kMaxOutgoingPacketSize,
-                "The MTU probe used by the test exceeds maximum packet size");
-
-  // Send enough data so it would always cause two packets to be sent.
-  const size_t data_len = target_mtu + 1;
-
-  // Send a total of five packets: two packets before the probe, the probe
-  // itself, and two packets after the probe.
-  EXPECT_CALL(delegate_, OnSerializedPacket(_))
-      .Times(5)
-      .WillRepeatedly(Invoke(this, &QuicPacketGeneratorTest::SavePacket));
-
-  // Send data before the MTU probe.
-  CreateData(data_len);
-  QuicConsumedData consumed = generator_.ConsumeData(
-      QuicUtils::GetFirstBidirectionalStreamId(framer_.transport_version(),
-                                               Perspective::IS_CLIENT),
-      &iov_, 1u, iov_.iov_len,
-      /*offset=*/0, NO_FIN);
-  generator_.Flush();
-  EXPECT_EQ(data_len, consumed.bytes_consumed);
-  EXPECT_FALSE(consumed.fin_consumed);
-  EXPECT_FALSE(generator_.HasPendingFrames());
-  EXPECT_FALSE(generator_.HasRetransmittableFrames());
-
-  // Send the MTU probe.
-  generator_.GenerateMtuDiscoveryPacket(target_mtu);
-  EXPECT_FALSE(generator_.HasPendingFrames());
-  EXPECT_FALSE(generator_.HasRetransmittableFrames());
-
-  // Send data after the MTU probe.
-  CreateData(data_len);
-  generator_.AttachPacketFlusher();
-  consumed = generator_.ConsumeData(
-      QuicUtils::GetFirstBidirectionalStreamId(framer_.transport_version(),
-                                               Perspective::IS_CLIENT),
-      &iov_, 1u, iov_.iov_len,
-      /*offset=*/data_len, FIN);
-  generator_.Flush();
-  EXPECT_EQ(data_len, consumed.bytes_consumed);
-  EXPECT_TRUE(consumed.fin_consumed);
-  EXPECT_FALSE(generator_.HasPendingFrames());
-  EXPECT_FALSE(generator_.HasRetransmittableFrames());
-
-  ASSERT_EQ(5u, packets_.size());
-  EXPECT_EQ(kDefaultMaxPacketSize, packets_[0].encrypted_length);
-  EXPECT_EQ(target_mtu, packets_[2].encrypted_length);
-  EXPECT_EQ(kDefaultMaxPacketSize, packets_[3].encrypted_length);
-
-  PacketContents probe_contents;
-  probe_contents.num_mtu_discovery_frames = 1;
-  probe_contents.num_padding_frames = 1;
-
-  CheckPacketHasSingleStreamFrame(0);
-  CheckPacketHasSingleStreamFrame(1);
-  CheckPacketContains(probe_contents, 2);
-  CheckPacketHasSingleStreamFrame(3);
-  CheckPacketHasSingleStreamFrame(4);
-}
-
-TEST_F(QuicPacketGeneratorTest, DontCrashOnInvalidStopWaiting) {
-  if (VersionSupportsMessageFrames(framer_.transport_version())) {
-    return;
-  }
-  // Test added to ensure the generator does not crash when an invalid frame is
-  // added.  Because this is an indication of internal programming errors,
-  // DFATALs are expected.
-  // A 1 byte packet number length can't encode a gap of 1000.
-  QuicPacketCreatorPeer::SetPacketNumber(creator_, 1000);
-
-  delegate_.SetCanNotWrite();
-  delegate_.SetCanWriteAnything();
-
-  // This will not serialize any packets, because of the invalid frame.
-  EXPECT_CALL(delegate_,
-              OnUnrecoverableError(QUIC_FAILED_TO_SERIALIZE_PACKET, _));
-  EXPECT_QUIC_BUG(generator_.Flush(),
-                  "packet_number_length 1 is too small "
-                  "for least_unacked_delta: 1001");
-}
-
-// Regression test for b/31486443.
-TEST_F(QuicPacketGeneratorTest, ConnectionCloseFrameLargerThanPacketSize) {
-  delegate_.SetCanWriteAnything();
-  char buf[2000] = {};
-  QuicStringPiece error_details(buf, 2000);
-  const QuicErrorCode kQuicErrorCode = QUIC_PACKET_WRITE_ERROR;
-
-  QuicConnectionCloseFrame* frame = new QuicConnectionCloseFrame(
-      framer_.transport_version(), kQuicErrorCode, std::string(error_details),
-      /*transport_close_frame_type=*/0);
-  generator_.ConsumeRetransmittableControlFrame(QuicFrame(frame),
-                                                /*bundle_ack=*/false);
-  EXPECT_TRUE(generator_.HasPendingFrames());
-  EXPECT_TRUE(generator_.HasRetransmittableFrames());
-}
-
-TEST_F(QuicPacketGeneratorTest, RandomPaddingAfterFinSingleStreamSinglePacket) {
-  const QuicByteCount kStreamFramePayloadSize = 100u;
-  char buf[kStreamFramePayloadSize] = {};
-  const QuicStreamId kDataStreamId = 5;
-  // Set the packet size be enough for one stream frame with 0 stream offset and
-  // max size of random padding.
-  size_t length =
-      NullEncrypter(Perspective::IS_CLIENT).GetCiphertextSize(0) +
-      GetPacketHeaderSize(
-          framer_.transport_version(),
-          creator_->GetDestinationConnectionIdLength(),
-          creator_->GetSourceConnectionIdLength(),
-          QuicPacketCreatorPeer::SendVersionInPacket(creator_),
-          !kIncludeDiversificationNonce,
-          QuicPacketCreatorPeer::GetPacketNumberLength(creator_),
-          QuicPacketCreatorPeer::GetRetryTokenLengthLength(creator_), 0,
-          QuicPacketCreatorPeer::GetLengthLength(creator_)) +
-      QuicFramer::GetMinStreamFrameSize(
-          framer_.transport_version(), kDataStreamId, 0,
-          /*last_frame_in_packet=*/false,
-          kStreamFramePayloadSize + kMaxNumRandomPaddingBytes) +
-      kStreamFramePayloadSize + kMaxNumRandomPaddingBytes;
-  generator_.SetMaxPacketLength(length);
-  delegate_.SetCanWriteAnything();
-  EXPECT_CALL(delegate_, OnSerializedPacket(_))
-      .WillOnce(Invoke(this, &QuicPacketGeneratorTest::SavePacket));
-  MakeIOVector(QuicStringPiece(buf, kStreamFramePayloadSize), &iov_);
-  QuicConsumedData consumed = generator_.ConsumeData(
-      kDataStreamId, &iov_, 1u, iov_.iov_len, 0, FIN_AND_PADDING);
-  generator_.Flush();
-  EXPECT_EQ(kStreamFramePayloadSize, consumed.bytes_consumed);
-  EXPECT_FALSE(generator_.HasPendingFrames());
-  EXPECT_FALSE(generator_.HasRetransmittableFrames());
-
-  EXPECT_EQ(1u, packets_.size());
-  PacketContents contents;
-  // The packet has both stream and padding frames.
-  contents.num_padding_frames = 1;
-  contents.num_stream_frames = 1;
-  CheckPacketContains(contents, 0);
-}
-
-TEST_F(QuicPacketGeneratorTest,
-       RandomPaddingAfterFinSingleStreamMultiplePackets) {
-  const QuicByteCount kStreamFramePayloadSize = 100u;
-  char buf[kStreamFramePayloadSize] = {};
-  const QuicStreamId kDataStreamId = 5;
-  // Set the packet size be enough for one stream frame with 0 stream offset +
-  // 1. One or more packets will accommodate.
-  size_t length =
-      NullEncrypter(Perspective::IS_CLIENT).GetCiphertextSize(0) +
-      GetPacketHeaderSize(
-          framer_.transport_version(),
-          creator_->GetDestinationConnectionIdLength(),
-          creator_->GetSourceConnectionIdLength(),
-          QuicPacketCreatorPeer::SendVersionInPacket(creator_),
-          !kIncludeDiversificationNonce,
-          QuicPacketCreatorPeer::GetPacketNumberLength(creator_),
-          QuicPacketCreatorPeer::GetRetryTokenLengthLength(creator_), 0,
-          QuicPacketCreatorPeer::GetLengthLength(creator_)) +
-      QuicFramer::GetMinStreamFrameSize(
-          framer_.transport_version(), kDataStreamId, 0,
-          /*last_frame_in_packet=*/false, kStreamFramePayloadSize + 1) +
-      kStreamFramePayloadSize + 1;
-  generator_.SetMaxPacketLength(length);
-  delegate_.SetCanWriteAnything();
-  EXPECT_CALL(delegate_, OnSerializedPacket(_))
-      .WillRepeatedly(Invoke(this, &QuicPacketGeneratorTest::SavePacket));
-  MakeIOVector(QuicStringPiece(buf, kStreamFramePayloadSize), &iov_);
-  QuicConsumedData consumed = generator_.ConsumeData(
-      kDataStreamId, &iov_, 1u, iov_.iov_len, 0, FIN_AND_PADDING);
-  generator_.Flush();
-  EXPECT_EQ(kStreamFramePayloadSize, consumed.bytes_consumed);
-  EXPECT_FALSE(generator_.HasPendingFrames());
-  EXPECT_FALSE(generator_.HasRetransmittableFrames());
-
-  EXPECT_LE(1u, packets_.size());
-  PacketContents contents;
-  // The first packet has both stream and padding frames.
-  contents.num_stream_frames = 1;
-  contents.num_padding_frames = 1;
-  CheckPacketContains(contents, 0);
-
-  for (size_t i = 1; i < packets_.size(); ++i) {
-    // Following packets only have paddings.
-    contents.num_stream_frames = 0;
-    contents.num_padding_frames = 1;
-    CheckPacketContains(contents, i);
-  }
-}
-
-TEST_F(QuicPacketGeneratorTest,
-       RandomPaddingAfterFinMultipleStreamsMultiplePackets) {
-  const QuicByteCount kStreamFramePayloadSize = 100u;
-  char buf[kStreamFramePayloadSize] = {};
-  const QuicStreamId kDataStreamId1 = 5;
-  const QuicStreamId kDataStreamId2 = 6;
-  // Set the packet size be enough for first frame with 0 stream offset + second
-  // frame + 1 byte payload. two or more packets will accommodate.
-  size_t length =
-      NullEncrypter(Perspective::IS_CLIENT).GetCiphertextSize(0) +
-      GetPacketHeaderSize(
-          framer_.transport_version(),
-          creator_->GetDestinationConnectionIdLength(),
-          creator_->GetSourceConnectionIdLength(),
-          QuicPacketCreatorPeer::SendVersionInPacket(creator_),
-          !kIncludeDiversificationNonce,
-          QuicPacketCreatorPeer::GetPacketNumberLength(creator_),
-          QuicPacketCreatorPeer::GetRetryTokenLengthLength(creator_), 0,
-          QuicPacketCreatorPeer::GetLengthLength(creator_)) +
-      QuicFramer::GetMinStreamFrameSize(
-          framer_.transport_version(), kDataStreamId1, 0,
-          /*last_frame_in_packet=*/false, kStreamFramePayloadSize) +
-      kStreamFramePayloadSize +
-      QuicFramer::GetMinStreamFrameSize(framer_.transport_version(),
-                                        kDataStreamId1, 0,
-                                        /*last_frame_in_packet=*/false, 1) +
-      1;
-  generator_.SetMaxPacketLength(length);
-  delegate_.SetCanWriteAnything();
-  EXPECT_CALL(delegate_, OnSerializedPacket(_))
-      .WillRepeatedly(Invoke(this, &QuicPacketGeneratorTest::SavePacket));
-  MakeIOVector(QuicStringPiece(buf, kStreamFramePayloadSize), &iov_);
-  QuicConsumedData consumed = generator_.ConsumeData(
-      kDataStreamId1, &iov_, 1u, iov_.iov_len, 0, FIN_AND_PADDING);
-  EXPECT_EQ(kStreamFramePayloadSize, consumed.bytes_consumed);
-  MakeIOVector(QuicStringPiece(buf, kStreamFramePayloadSize), &iov_);
-  consumed = generator_.ConsumeData(kDataStreamId2, &iov_, 1u, iov_.iov_len, 0,
-                                    FIN_AND_PADDING);
-  EXPECT_EQ(kStreamFramePayloadSize, consumed.bytes_consumed);
-  generator_.Flush();
-  EXPECT_FALSE(generator_.HasPendingFrames());
-  EXPECT_FALSE(generator_.HasRetransmittableFrames());
-
-  EXPECT_LE(2u, packets_.size());
-  PacketContents contents;
-  // The first packet has two stream frames.
-  contents.num_stream_frames = 2;
-  CheckPacketContains(contents, 0);
-
-  // The second packet has one stream frame and padding frames.
-  contents.num_stream_frames = 1;
-  contents.num_padding_frames = 1;
-  CheckPacketContains(contents, 1);
-
-  for (size_t i = 2; i < packets_.size(); ++i) {
-    // Following packets only have paddings.
-    contents.num_stream_frames = 0;
-    contents.num_padding_frames = 1;
-    CheckPacketContains(contents, i);
-  }
-}
-
-TEST_F(QuicPacketGeneratorTest, AddMessageFrame) {
-  if (!VersionSupportsMessageFrames(framer_.transport_version())) {
-    return;
-  }
-  quic::QuicMemSliceStorage storage(nullptr, 0, nullptr, 0);
-  delegate_.SetCanWriteAnything();
-  EXPECT_CALL(delegate_, OnSerializedPacket(_))
-      .WillOnce(Invoke(this, &QuicPacketGeneratorTest::SavePacket));
-
-  MakeIOVector("foo", &iov_);
-  generator_.ConsumeData(
-      QuicUtils::GetFirstBidirectionalStreamId(framer_.transport_version(),
-                                               Perspective::IS_CLIENT),
-      &iov_, 1u, iov_.iov_len, 0, FIN);
-  EXPECT_EQ(MESSAGE_STATUS_SUCCESS,
-            generator_.AddMessageFrame(
-                1, MakeSpan(&allocator_, "message", &storage)));
-  EXPECT_TRUE(generator_.HasPendingFrames());
-  EXPECT_TRUE(generator_.HasRetransmittableFrames());
-
-  // Add a message which causes the flush of current packet.
-  EXPECT_EQ(
-      MESSAGE_STATUS_SUCCESS,
-      generator_.AddMessageFrame(
-          2, MakeSpan(
-                 &allocator_,
-                 std::string(generator_.GetCurrentLargestMessagePayload(), 'a'),
-                 &storage)));
-  EXPECT_TRUE(generator_.HasRetransmittableFrames());
-
-  // Failed to send messages which cannot fit into one packet.
-  EXPECT_EQ(
-      MESSAGE_STATUS_TOO_LARGE,
-      generator_.AddMessageFrame(
-          3,
-          MakeSpan(&allocator_,
-                   std::string(
-                       generator_.GetCurrentLargestMessagePayload() + 10, 'a'),
-                   &storage)));
-}
-
-TEST_F(QuicPacketGeneratorTest, ConnectionId) {
-  generator_.SetServerConnectionId(TestConnectionId(0x1337));
-  EXPECT_EQ(TestConnectionId(0x1337), creator_->GetDestinationConnectionId());
-  EXPECT_EQ(EmptyQuicConnectionId(), creator_->GetSourceConnectionId());
-  if (!framer_.version().SupportsClientConnectionIds()) {
-    return;
-  }
-  generator_.SetClientConnectionId(TestConnectionId(0x33));
-  EXPECT_EQ(TestConnectionId(0x1337), creator_->GetDestinationConnectionId());
-  EXPECT_EQ(TestConnectionId(0x33), creator_->GetSourceConnectionId());
-}
-
-}  // namespace test
-}  // namespace quic
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_packet_number.cc b/chromium/net/third_party/quiche/src/quic/core/quic_packet_number.cc
index b3009ce5c7a..6e6804b2a29 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_packet_number.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_packet_number.cc
@@ -8,15 +8,6 @@
 
 namespace quic {
 
-QuicPacketNumber::QuicPacketNumber()
-    : packet_number_(UninitializedPacketNumber()) {}
-
-QuicPacketNumber::QuicPacketNumber(uint64_t packet_number)
-    : packet_number_(packet_number) {
-  DCHECK_NE(UninitializedPacketNumber(), packet_number)
-      << "Use default constructor for uninitialized packet number";
-}
-
 void QuicPacketNumber::Clear() {
   packet_number_ = UninitializedPacketNumber();
 }
@@ -111,9 +102,4 @@ std::ostream& operator<<(std::ostream& os, const QuicPacketNumber& p) {
   return os;
 }
 
-// static
-uint64_t QuicPacketNumber::UninitializedPacketNumber() {
-  return std::numeric_limits<uint64_t>::max();
-}
-
 }  // namespace quic
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_packet_number.h b/chromium/net/third_party/quiche/src/quic/core/quic_packet_number.h
index 0cf7f15d9f7..18e78bbf1bb 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_packet_number.h
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_packet_number.h
@@ -21,10 +21,20 @@ namespace quic {
 class QUIC_EXPORT_PRIVATE QuicPacketNumber {
  public:
   // Construct an uninitialized packet number.
-  QuicPacketNumber();
+  constexpr QuicPacketNumber() : packet_number_(UninitializedPacketNumber()) {}
+
   // Construct a packet number from uint64_t. |packet_number| cannot equal the
   // sentinel value.
-  explicit QuicPacketNumber(uint64_t packet_number);
+  explicit constexpr QuicPacketNumber(uint64_t packet_number)
+      : packet_number_(packet_number) {
+    DCHECK_NE(UninitializedPacketNumber(), packet_number)
+        << "Use default constructor for uninitialized packet number";
+  }
+
+  // The sentinel value representing an uninitialized packet number.
+  static constexpr uint64_t UninitializedPacketNumber() {
+    return std::numeric_limits<uint64_t>::max();
+  }
 
   // Packet number becomes uninitialized after calling this function.
   void Clear();
@@ -79,13 +89,10 @@ class QUIC_EXPORT_PRIVATE QuicPacketNumber {
   // REQUIRES: lhs >= rhs.
   friend inline uint64_t operator-(QuicPacketNumber lhs, QuicPacketNumber rhs);
 
-  // The sentinel value representing an uninitialized packet number.
-  static uint64_t UninitializedPacketNumber();
-
   uint64_t packet_number_;
 };
 
-class QuicPacketNumberHash {
+class QUIC_EXPORT_PRIVATE QuicPacketNumberHash {
  public:
   uint64_t operator()(QuicPacketNumber packet_number) const noexcept {
     return packet_number.Hash();
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_packet_reader.h b/chromium/net/third_party/quiche/src/quic/core/quic_packet_reader.h
index 1826ef3573b..1e644aaa07a 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_packet_reader.h
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_packet_reader.h
@@ -25,7 +25,7 @@ namespace quic {
 const int kNumPacketsPerReadMmsgCall = 16;
 #endif
 
-class QuicPacketReader {
+class QUIC_EXPORT_PRIVATE QuicPacketReader {
  public:
   QuicPacketReader();
   QuicPacketReader(const QuicPacketReader&) = delete;
@@ -70,7 +70,7 @@ class QuicPacketReader {
   // from exceeding maximum allowed frame size.
   // packets_ and mmsg_hdr_ are used to supply cbuf and buf to the recvmmsg
   // call.
-  struct PacketData {
+  struct QUIC_EXPORT_PRIVATE PacketData {
     iovec iov;
     // raw_address is used for address information provided by the recvmmsg
     // call on the packets.
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_packet_writer_wrapper.h b/chromium/net/third_party/quiche/src/quic/core/quic_packet_writer_wrapper.h
index cc3dbc29543..0b331aec6f8 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_packet_writer_wrapper.h
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_packet_writer_wrapper.h
@@ -15,7 +15,7 @@ namespace quic {
 // Wraps a writer object to allow dynamically extending functionality. Use
 // cases: replace writer while dispatcher and connections hold on to the
 // wrapper; mix in monitoring; mix in mocks in unit tests.
-class QuicPacketWriterWrapper : public QuicPacketWriter {
+class QUIC_NO_EXPORT QuicPacketWriterWrapper : public QuicPacketWriter {
  public:
   QuicPacketWriterWrapper();
   QuicPacketWriterWrapper(const QuicPacketWriterWrapper&) = delete;
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_packets.cc b/chromium/net/third_party/quiche/src/quic/core/quic_packets.cc
index dfe80cf9d00..87b310e3a26 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_packets.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_packets.cc
@@ -456,7 +456,8 @@ SerializedPacket::SerializedPacket(QuicPacketNumber packet_number,
       encryption_level(ENCRYPTION_INITIAL),
       has_ack(has_ack),
       has_stop_waiting(has_stop_waiting),
-      transmission_type(NOT_RETRANSMISSION) {}
+      transmission_type(NOT_RETRANSMISSION),
+      has_ack_frame_copy(false) {}
 
 SerializedPacket::SerializedPacket(const SerializedPacket& other) = default;
 
@@ -474,17 +475,46 @@ SerializedPacket::SerializedPacket(SerializedPacket&& other)
       has_ack(other.has_ack),
       has_stop_waiting(other.has_stop_waiting),
       transmission_type(other.transmission_type),
-      original_packet_number(other.original_packet_number),
-      largest_acked(other.largest_acked) {
+      largest_acked(other.largest_acked),
+      has_ack_frame_copy(other.has_ack_frame_copy) {
   retransmittable_frames.swap(other.retransmittable_frames);
+  nonretransmittable_frames.swap(other.nonretransmittable_frames);
 }
 
 SerializedPacket::~SerializedPacket() {}
 
+SerializedPacket* CopySerializedPacket(const SerializedPacket& serialized,
+                                       QuicBufferAllocator* allocator,
+                                       bool copy_buffer) {
+  SerializedPacket* copy = new SerializedPacket(serialized);
+  if (copy_buffer) {
+    copy->encrypted_buffer = CopyBuffer(serialized);
+  }
+  // Copy underlying frames.
+  copy->retransmittable_frames =
+      CopyQuicFrames(allocator, serialized.retransmittable_frames);
+  copy->nonretransmittable_frames.clear();
+  for (const auto& frame : serialized.nonretransmittable_frames) {
+    if (frame.type == ACK_FRAME) {
+      copy->has_ack_frame_copy = true;
+    }
+    copy->nonretransmittable_frames.push_back(CopyQuicFrame(allocator, frame));
+  }
+  return copy;
+}
+
 void ClearSerializedPacket(SerializedPacket* serialized_packet) {
   if (!serialized_packet->retransmittable_frames.empty()) {
     DeleteFrames(&serialized_packet->retransmittable_frames);
   }
+  for (auto& frame : serialized_packet->nonretransmittable_frames) {
+    if (!serialized_packet->has_ack_frame_copy && frame.type == ACK_FRAME) {
+      // Do not delete ack frame if the packet does not own a copy of it.
+      continue;
+    }
+    DeleteFrame(&frame);
+  }
+  serialized_packet->nonretransmittable_frames.clear();
   serialized_packet->encrypted_buffer = nullptr;
   serialized_packet->encrypted_length = 0;
   serialized_packet->largest_acked.Clear();
@@ -496,6 +526,13 @@ char* CopyBuffer(const SerializedPacket& packet) {
   return dst_buffer;
 }
 
+char* CopyBuffer(const char* encrypted_buffer,
+                 QuicPacketLength encrypted_length) {
+  char* dst_buffer = new char[encrypted_length];
+  memcpy(dst_buffer, encrypted_buffer, encrypted_length);
+  return dst_buffer;
+}
+
 ReceivedPacketInfo::ReceivedPacketInfo(const QuicSocketAddress& self_address,
                                        const QuicSocketAddress& peer_address,
                                        const QuicReceivedPacket& packet)
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_packets.h b/chromium/net/third_party/quiche/src/quic/core/quic_packets.h
index 82647c6e91e..93417ac1d48 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_packets.h
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_packets.h
@@ -370,6 +370,7 @@ struct QUIC_EXPORT_PRIVATE SerializedPacket {
   const char* encrypted_buffer;
   QuicPacketLength encrypted_length;
   QuicFrames retransmittable_frames;
+  QuicFrames nonretransmittable_frames;
   IsHandshake has_crypto_handshake;
   // -1: full padding to the end of a max-sized packet
   //  0: no padding
@@ -378,15 +379,25 @@ struct QUIC_EXPORT_PRIVATE SerializedPacket {
   QuicPacketNumber packet_number;
   QuicPacketNumberLength packet_number_length;
   EncryptionLevel encryption_level;
+  // TODO(fayang): Remove has_ack and has_stop_waiting.
   bool has_ack;
   bool has_stop_waiting;
   TransmissionType transmission_type;
-  QuicPacketNumber original_packet_number;
   // The largest acked of the AckFrame in this packet if has_ack is true,
   // 0 otherwise.
   QuicPacketNumber largest_acked;
+  // Indicates whether this packet has a copy of ack frame in
+  // nonretransmittable_frames.
+  bool has_ack_frame_copy;
 };
 
+// Make a copy of |serialized| (including the underlying frames). |copy_buffer|
+// indicates whether the encrypted buffer should be copied.
+QUIC_EXPORT_PRIVATE SerializedPacket* CopySerializedPacket(
+    const SerializedPacket& serialized,
+    QuicBufferAllocator* allocator,
+    bool copy_buffer);
+
 // Deletes and clears all the frames and the packet from serialized packet.
 QUIC_EXPORT_PRIVATE void ClearSerializedPacket(
     SerializedPacket* serialized_packet);
@@ -394,6 +405,10 @@ QUIC_EXPORT_PRIVATE void ClearSerializedPacket(
 // Allocates a new char[] of size |packet.encrypted_length| and copies in
 // |packet.encrypted_buffer|.
 QUIC_EXPORT_PRIVATE char* CopyBuffer(const SerializedPacket& packet);
+// Allocates a new char[] of size |encrypted_length| and copies in
+// |encrypted_buffer|.
+QUIC_EXPORT_PRIVATE char* CopyBuffer(const char* encrypted_buffer,
+                                     QuicPacketLength encrypted_length);
 
 struct QUIC_EXPORT_PRIVATE SerializedPacketDeleter {
   void operator()(SerializedPacket* packet) {
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_packets_test.cc b/chromium/net/third_party/quiche/src/quic/core/quic_packets_test.cc
index 7ee77979a0c..e080cd8265a 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_packets_test.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_packets_test.cc
@@ -4,6 +4,7 @@
 
 #include "net/third_party/quiche/src/quic/core/quic_packets.h"
 
+#include "net/third_party/quiche/src/quic/platform/api/quic_ptr_util.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_test.h"
 #include "net/third_party/quiche/src/quic/test_tools/quic_test_utils.h"
 
@@ -70,6 +71,46 @@ TEST_F(QuicPacketsTest, GetClientConnectionIdAsSender) {
             GetClientConnectionIdAsSender(header, Perspective::IS_CLIENT));
 }
 
+TEST_F(QuicPacketsTest, CopySerializedPacket) {
+  std::string buffer(1000, 'a');
+  SimpleBufferAllocator allocator;
+  SerializedPacket packet(QuicPacketNumber(1), PACKET_1BYTE_PACKET_NUMBER,
+                          buffer.data(), buffer.length(), /*has_ack=*/false,
+                          /*has_stop_waiting=*/false);
+  packet.retransmittable_frames.push_back(
+      QuicFrame(new QuicWindowUpdateFrame()));
+  packet.retransmittable_frames.push_back(QuicFrame(QuicStreamFrame()));
+
+  QuicAckFrame ack_frame(InitAckFrame(1));
+  packet.nonretransmittable_frames.push_back(QuicFrame(&ack_frame));
+  packet.nonretransmittable_frames.push_back(QuicFrame(QuicPaddingFrame(-1)));
+
+  std::unique_ptr<SerializedPacket> copy = QuicWrapUnique<SerializedPacket>(
+      CopySerializedPacket(packet, &allocator, /*copy_buffer=*/true));
+  EXPECT_EQ(quic::QuicPacketNumber(1), copy->packet_number);
+  EXPECT_EQ(PACKET_1BYTE_PACKET_NUMBER, copy->packet_number_length);
+  ASSERT_EQ(2u, copy->retransmittable_frames.size());
+  EXPECT_EQ(WINDOW_UPDATE_FRAME, copy->retransmittable_frames[0].type);
+  EXPECT_EQ(STREAM_FRAME, copy->retransmittable_frames[1].type);
+
+  ASSERT_EQ(2u, copy->nonretransmittable_frames.size());
+  EXPECT_EQ(ACK_FRAME, copy->nonretransmittable_frames[0].type);
+  EXPECT_EQ(PADDING_FRAME, copy->nonretransmittable_frames[1].type);
+  EXPECT_EQ(1000u, copy->encrypted_length);
+  test::CompareCharArraysWithHexError(
+      "encrypted_buffer", copy->encrypted_buffer, copy->encrypted_length,
+      packet.encrypted_buffer, packet.encrypted_length);
+
+  std::unique_ptr<SerializedPacket> copy2 = QuicWrapUnique<SerializedPacket>(
+      CopySerializedPacket(packet, &allocator, /*copy_buffer=*/false));
+  EXPECT_EQ(packet.encrypted_buffer, copy2->encrypted_buffer);
+  EXPECT_EQ(1000u, copy2->encrypted_length);
+  ClearSerializedPacket(&packet);
+  delete[] copy->encrypted_buffer;
+  ClearSerializedPacket(copy.get());
+  ClearSerializedPacket(copy2.get());
+}
+
 }  // namespace
 }  // namespace test
 }  // namespace quic
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_pending_retransmission.h b/chromium/net/third_party/quiche/src/quic/core/quic_pending_retransmission.h
deleted file mode 100644
index d1e9657a093..00000000000
--- a/chromium/net/third_party/quiche/src/quic/core/quic_pending_retransmission.h
+++ /dev/null
@@ -1,54 +0,0 @@
-// Copyright (c) 2016 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef QUICHE_QUIC_CORE_QUIC_PENDING_RETRANSMISSION_H_
-#define QUICHE_QUIC_CORE_QUIC_PENDING_RETRANSMISSION_H_
-
-#include "net/third_party/quiche/src/quic/core/frames/quic_frame.h"
-#include "net/third_party/quiche/src/quic/core/quic_transmission_info.h"
-#include "net/third_party/quiche/src/quic/core/quic_types.h"
-#include "net/third_party/quiche/src/quic/platform/api/quic_export.h"
-
-namespace quic {
-
-// Struct to store the pending retransmission information.
-struct QUIC_EXPORT_PRIVATE QuicPendingRetransmission {
-  QuicPendingRetransmission(QuicPacketNumber packet_number,
-                            TransmissionType transmission_type,
-                            const QuicFrames& retransmittable_frames,
-                            bool has_crypto_handshake,
-                            int num_padding_bytes,
-                            EncryptionLevel encryption_level,
-                            QuicPacketNumberLength packet_number_length)
-      : packet_number(packet_number),
-        retransmittable_frames(retransmittable_frames),
-        transmission_type(transmission_type),
-        has_crypto_handshake(has_crypto_handshake),
-        num_padding_bytes(num_padding_bytes),
-        encryption_level(encryption_level),
-        packet_number_length(packet_number_length) {}
-
-  QuicPendingRetransmission(QuicPacketNumber packet_number,
-                            TransmissionType transmission_type,
-                            const QuicTransmissionInfo& tranmission_info)
-      : packet_number(packet_number),
-        retransmittable_frames(tranmission_info.retransmittable_frames),
-        transmission_type(transmission_type),
-        has_crypto_handshake(tranmission_info.has_crypto_handshake),
-        num_padding_bytes(tranmission_info.num_padding_bytes),
-        encryption_level(tranmission_info.encryption_level),
-        packet_number_length(tranmission_info.packet_number_length) {}
-
-  QuicPacketNumber packet_number;
-  const QuicFrames& retransmittable_frames;
-  TransmissionType transmission_type;
-  bool has_crypto_handshake;
-  int num_padding_bytes;
-  EncryptionLevel encryption_level;
-  QuicPacketNumberLength packet_number_length;
-};
-
-}  // namespace quic
-
-#endif  // QUICHE_QUIC_CORE_QUIC_PENDING_RETRANSMISSION_H_
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_process_packet_interface.h b/chromium/net/third_party/quiche/src/quic/core/quic_process_packet_interface.h
index fc4257e9927..3cd87ef33c0 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_process_packet_interface.h
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_process_packet_interface.h
@@ -11,7 +11,7 @@
 namespace quic {
 
 // A class to process each incoming packet.
-class ProcessPacketInterface {
+class QUIC_NO_EXPORT ProcessPacketInterface {
  public:
   virtual ~ProcessPacketInterface() {}
   virtual void ProcessPacket(const QuicSocketAddress& self_address,
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_received_packet_manager.cc b/chromium/net/third_party/quiche/src/quic/core/quic_received_packet_manager.cc
index e21f4c48b8e..908d04fb228 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_received_packet_manager.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_received_packet_manager.cc
@@ -25,14 +25,6 @@ namespace {
 // against an ack loss
 const size_t kMaxPacketsAfterNewMissing = 4;
 
-// Maximum number of retransmittable packets received before sending an ack.
-const QuicPacketCount kDefaultRetransmittablePacketsBeforeAck = 2;
-// Minimum number of packets received before ack decimation is enabled.
-// This intends to avoid the beginning of slow start, when CWNDs may be
-// rapidly increasing.
-const QuicPacketCount kMinReceivedBeforeAckDecimation = 100;
-// Wait for up to 10 retransmittable packets before sending an ack.
-const QuicPacketCount kMaxRetransmittablePacketsBeforeAck = 10;
 // One quarter RTT delay when doing ack decimation.
 const float kAckDecimationDelay = 0.25;
 // One eighth RTT delay when doing ack decimation.
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_sent_packet_manager.cc b/chromium/net/third_party/quiche/src/quic/core/quic_sent_packet_manager.cc
index a747f0b2cd2..bd0343bdb51 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_sent_packet_manager.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_sent_packet_manager.cc
@@ -12,7 +12,6 @@
 #include "net/third_party/quiche/src/quic/core/crypto/crypto_protocol.h"
 #include "net/third_party/quiche/src/quic/core/proto/cached_network_parameters_proto.h"
 #include "net/third_party/quiche/src/quic/core/quic_connection_stats.h"
-#include "net/third_party/quiche/src/quic/core/quic_pending_retransmission.h"
 #include "net/third_party/quiche/src/quic/core/quic_types.h"
 #include "net/third_party/quiche/src/quic/core/quic_utils.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_bug_tracker.h"
@@ -41,19 +40,14 @@ static const int64_t kMinHandshakeTimeoutMs = 10;
 // per draft RFC draft-dukkipati-tcpm-tcp-loss-probe.
 static const size_t kDefaultMaxTailLossProbes = 2;
 
-inline bool HasCryptoHandshake(const QuicTransmissionInfo& transmission_info) {
-  DCHECK(!transmission_info.has_crypto_handshake ||
-         !transmission_info.retransmittable_frames.empty());
-  return transmission_info.has_crypto_handshake;
-}
-
 // Returns true of retransmissions of the specified type should retransmit
 // the frames directly (as opposed to resulting in a loss notification).
 inline bool ShouldForceRetransmission(TransmissionType transmission_type) {
   return transmission_type == HANDSHAKE_RETRANSMISSION ||
          transmission_type == TLP_RETRANSMISSION ||
          transmission_type == PROBING_RETRANSMISSION ||
-         transmission_type == RTO_RETRANSMISSION;
+         transmission_type == RTO_RETRANSMISSION ||
+         transmission_type == PTO_RETRANSMISSION;
 }
 
 // If pacing rate is accurate, > 2 burst token is not likely to help first ACK
@@ -97,10 +91,8 @@ QuicSentPacketManager::QuicSentPacketManager(
           QuicTime::Delta::FromMilliseconds(kMinTailLossProbeTimeoutMs)),
       min_rto_timeout_(
           QuicTime::Delta::FromMilliseconds(kMinRetransmissionTimeMs)),
-      ietf_style_tlp_(false),
-      ietf_style_2x_tlp_(false),
       largest_mtu_acked_(0),
-      handshake_confirmed_(false),
+      handshake_state_(HANDSHAKE_START),
       peer_max_ack_delay_(
           QuicTime::Delta::FromMilliseconds(kDefaultDelayedAckTimeMs)),
       rtt_updated_(false),
@@ -108,11 +100,13 @@ QuicSentPacketManager::QuicSentPacketManager(
       pto_enabled_(false),
       max_probe_packets_per_pto_(2),
       consecutive_pto_count_(0),
-      fix_rto_retransmission_(false),
       handshake_mode_disabled_(false),
-      detect_spurious_losses_(GetQuicReloadableFlag(quic_detect_spurious_loss)),
+      skip_packet_number_for_pto_(false),
+      always_include_max_ack_delay_for_pto_timeout_(true),
+      pto_exponential_backoff_start_point_(0),
+      pto_rttvar_multiplier_(4),
       neuter_handshake_packets_once_(
-          GetQuicReloadableFlag(quic_neuter_handshake_packets_once)) {
+          GetQuicReloadableFlag(quic_neuter_handshake_packets_once2)) {
   SetSendAlgorithm(congestion_control_type);
 }
 
@@ -145,40 +139,55 @@ void QuicSentPacketManager::SetFromConfig(const QuicConfig& config) {
   if (config.HasClientSentConnectionOption(kMAD1, perspective)) {
     rtt_stats_.set_initial_max_ack_delay(peer_max_ack_delay_);
   }
-  if (GetQuicReloadableFlag(quic_sent_packet_manager_cleanup)) {
-    QUIC_RELOADABLE_FLAG_COUNT(quic_sent_packet_manager_cleanup);
-    if (config.HasClientSentConnectionOption(kMAD2, perspective)) {
-      // Set the minimum to the alarm granularity.
-      min_tlp_timeout_ = QuicTime::Delta::FromMilliseconds(1);
-    }
-    if (config.HasClientSentConnectionOption(kMAD3, perspective)) {
-      // Set the minimum to the alarm granularity.
-      min_rto_timeout_ = QuicTime::Delta::FromMilliseconds(1);
-    }
-  } else {
-    if (config.HasClientSentConnectionOption(kMAD2, perspective)) {
-      min_tlp_timeout_ = QuicTime::Delta::Zero();
-    }
-    if (config.HasClientSentConnectionOption(kMAD3, perspective)) {
-      min_rto_timeout_ = QuicTime::Delta::Zero();
-    }
-    if (config.HasClientSentConnectionOption(kMAD4, perspective)) {
-      ietf_style_tlp_ = true;
-    }
-    if (config.HasClientSentConnectionOption(kMAD5, perspective)) {
-      ietf_style_2x_tlp_ = true;
-    }
+  if (config.HasClientSentConnectionOption(kMAD2, perspective)) {
+    // Set the minimum to the alarm granularity.
+    min_tlp_timeout_ = QuicTime::Delta::FromMilliseconds(1);
+  }
+  if (config.HasClientSentConnectionOption(kMAD3, perspective)) {
+    // Set the minimum to the alarm granularity.
+    min_rto_timeout_ = QuicTime::Delta::FromMilliseconds(1);
   }
 
-  if (GetQuicReloadableFlag(quic_enable_pto) && fix_rto_retransmission_) {
+  if (GetQuicReloadableFlag(quic_enable_pto)) {
     if (config.HasClientSentConnectionOption(k2PTO, perspective)) {
       pto_enabled_ = true;
-      QUIC_RELOADABLE_FLAG_COUNT_N(quic_enable_pto, 2, 4);
+      QUIC_RELOADABLE_FLAG_COUNT_N(quic_enable_pto, 2, 8);
     }
     if (config.HasClientSentConnectionOption(k1PTO, perspective)) {
       pto_enabled_ = true;
       max_probe_packets_per_pto_ = 1;
-      QUIC_RELOADABLE_FLAG_COUNT_N(quic_enable_pto, 1, 4);
+      QUIC_RELOADABLE_FLAG_COUNT_N(quic_enable_pto, 1, 8);
+    }
+  }
+
+  if (GetQuicReloadableFlag(quic_skip_packet_number_for_pto) &&
+      config.HasClientSentConnectionOption(kPTOS, perspective)) {
+    QUIC_RELOADABLE_FLAG_COUNT(quic_skip_packet_number_for_pto);
+    if (!pto_enabled_) {
+      QUIC_PEER_BUG
+          << "PTO is not enabled when receiving PTOS connection option.";
+      pto_enabled_ = true;
+      max_probe_packets_per_pto_ = 1;
+    }
+    skip_packet_number_for_pto_ = true;
+  }
+
+  if (pto_enabled_) {
+    if (config.HasClientSentConnectionOption(kPTOA, perspective)) {
+      QUIC_RELOADABLE_FLAG_COUNT_N(quic_enable_pto, 5, 8);
+      always_include_max_ack_delay_for_pto_timeout_ = false;
+    }
+    if (config.HasClientSentConnectionOption(kPEB1, perspective)) {
+      QUIC_RELOADABLE_FLAG_COUNT_N(quic_enable_pto, 6, 8);
+      StartExponentialBackoffAfterNthPto(1);
+    }
+    if (config.HasClientSentConnectionOption(kPEB2, perspective)) {
+      QUIC_RELOADABLE_FLAG_COUNT_N(quic_enable_pto, 7, 8);
+      StartExponentialBackoffAfterNthPto(2);
+    }
+    if (config.HasClientSentConnectionOption(kPVS1, perspective)) {
+      QUIC_RELOADABLE_FLAG_COUNT_N(quic_enable_pto, 8, 8);
+      pto_rttvar_multiplier_ = 2;
     }
   }
 
@@ -252,26 +261,31 @@ void QuicSentPacketManager::SetFromConfig(const QuicConfig& config) {
   }
   if (GetQuicReloadableFlag(quic_enable_ietf_loss_detection)) {
     if (config.HasClientRequestedIndependentOption(kILD0, perspective)) {
-      QUIC_RELOADABLE_FLAG_COUNT_N(quic_enable_ietf_loss_detection, 1, 4);
+      QUIC_RELOADABLE_FLAG_COUNT_N(quic_enable_ietf_loss_detection, 1, 5);
       uber_loss_algorithm_.SetLossDetectionType(kIetfLossDetection);
     }
     if (config.HasClientRequestedIndependentOption(kILD1, perspective)) {
-      QUIC_RELOADABLE_FLAG_COUNT_N(quic_enable_ietf_loss_detection, 2, 4);
+      QUIC_RELOADABLE_FLAG_COUNT_N(quic_enable_ietf_loss_detection, 2, 5);
       uber_loss_algorithm_.SetLossDetectionType(kIetfLossDetection);
       uber_loss_algorithm_.SetReorderingShift(kDefaultLossDelayShift);
     }
-    if (GetQuicReloadableFlag(quic_detect_spurious_loss)) {
-      if (config.HasClientRequestedIndependentOption(kILD2, perspective)) {
-        QUIC_RELOADABLE_FLAG_COUNT_N(quic_enable_ietf_loss_detection, 3, 4);
-        uber_loss_algorithm_.SetLossDetectionType(kIetfLossDetection);
-        uber_loss_algorithm_.EnableAdaptiveReorderingThreshold();
-      }
-      if (config.HasClientRequestedIndependentOption(kILD3, perspective)) {
-        QUIC_RELOADABLE_FLAG_COUNT_N(quic_enable_ietf_loss_detection, 4, 4);
-        uber_loss_algorithm_.SetLossDetectionType(kIetfLossDetection);
-        uber_loss_algorithm_.SetReorderingShift(kDefaultLossDelayShift);
-        uber_loss_algorithm_.EnableAdaptiveReorderingThreshold();
-      }
+    if (config.HasClientRequestedIndependentOption(kILD2, perspective)) {
+      QUIC_RELOADABLE_FLAG_COUNT_N(quic_enable_ietf_loss_detection, 3, 5);
+      uber_loss_algorithm_.SetLossDetectionType(kIetfLossDetection);
+      uber_loss_algorithm_.EnableAdaptiveReorderingThreshold();
+    }
+    if (config.HasClientRequestedIndependentOption(kILD3, perspective)) {
+      QUIC_RELOADABLE_FLAG_COUNT_N(quic_enable_ietf_loss_detection, 4, 5);
+      uber_loss_algorithm_.SetLossDetectionType(kIetfLossDetection);
+      uber_loss_algorithm_.SetReorderingShift(kDefaultLossDelayShift);
+      uber_loss_algorithm_.EnableAdaptiveReorderingThreshold();
+    }
+    if (config.HasClientRequestedIndependentOption(kILD4, perspective)) {
+      QUIC_RELOADABLE_FLAG_COUNT_N(quic_enable_ietf_loss_detection, 5, 5);
+      uber_loss_algorithm_.SetLossDetectionType(kIetfLossDetection);
+      uber_loss_algorithm_.SetReorderingShift(kDefaultLossDelayShift);
+      uber_loss_algorithm_.EnableAdaptiveReorderingThreshold();
+      uber_loss_algorithm_.EnableAdaptiveTimeThreshold();
     }
   }
   if (config.HasClientSentConnectionOption(kCONH, perspective)) {
@@ -293,13 +307,17 @@ void QuicSentPacketManager::ResumeConnectionState(
           : cached_network_params.bandwidth_estimate_bytes_per_second());
   QuicTime::Delta rtt =
       QuicTime::Delta::FromMilliseconds(cached_network_params.min_rtt_ms());
-  AdjustNetworkParameters(bandwidth, rtt, /*allow_cwnd_to_decrease=*/false);
+  // This calls the old AdjustNetworkParameters interface, and fills certain
+  // fields in SendAlgorithmInterface::NetworkParams
+  // (e.g., quic_bbr_fix_pacing_rate) using GFE flags.
+  AdjustNetworkParameters(SendAlgorithmInterface::NetworkParams(
+      bandwidth, rtt, /*allow_cwnd_to_decrease = */ false));
 }
 
 void QuicSentPacketManager::AdjustNetworkParameters(
-    QuicBandwidth bandwidth,
-    QuicTime::Delta rtt,
-    bool allow_cwnd_to_decrease) {
+    const SendAlgorithmInterface::NetworkParams& params) {
+  const QuicBandwidth& bandwidth = params.bandwidth;
+  const QuicTime::Delta& rtt = params.rtt;
   if (!rtt.IsZero()) {
     SetInitialRtt(rtt);
   }
@@ -309,8 +327,7 @@ void QuicSentPacketManager::AdjustNetworkParameters(
     QUIC_RELOADABLE_FLAG_COUNT(quic_conservative_bursts);
     pacing_sender_.SetBurstTokens(kConservativeUnpacedBurst);
   }
-  send_algorithm_->AdjustNetworkParameters(bandwidth, rtt,
-                                           allow_cwnd_to_decrease);
+  send_algorithm_->AdjustNetworkParameters(params);
   if (debug_delegate_ != nullptr) {
     debug_delegate_->OnAdjustNetworkParameters(
         bandwidth, rtt.IsZero() ? rtt_stats_.SmoothedOrInitialRtt() : rtt,
@@ -319,11 +336,12 @@ void QuicSentPacketManager::AdjustNetworkParameters(
 }
 
 void QuicSentPacketManager::SetHandshakeConfirmed() {
-  if (!neuter_handshake_packets_once_ || !handshake_confirmed_) {
+  if (!neuter_handshake_packets_once_ ||
+      handshake_state_ < HANDSHAKE_COMPLETE) {
     if (neuter_handshake_packets_once_) {
-      QUIC_RELOADABLE_FLAG_COUNT(quic_neuter_handshake_packets_once);
+      QUIC_RELOADABLE_FLAG_COUNT_N(quic_neuter_handshake_packets_once2, 1, 3);
     }
-    handshake_confirmed_ = true;
+    handshake_state_ = HANDSHAKE_COMPLETE;
     NeuterHandshakePackets();
   }
 }
@@ -334,10 +352,8 @@ void QuicSentPacketManager::PostProcessNewlyAckedPackets(
     QuicTime ack_receive_time,
     bool rtt_updated,
     QuicByteCount prior_bytes_in_flight) {
-  if (session_decides_what_to_write()) {
-    unacked_packets_.NotifyAggregatedStreamFrameAcked(
-        last_ack_frame_.ack_delay_time);
-  }
+  unacked_packets_.NotifyAggregatedStreamFrameAcked(
+      last_ack_frame_.ack_delay_time);
   InvokeLossDetection(ack_receive_time);
   // Ignore losses in RTO mode.
   if (consecutive_rto_count_ > 0 && !use_new_rto_) {
@@ -435,53 +451,72 @@ void QuicSentPacketManager::RetransmitUnackedPackets(
 
 void QuicSentPacketManager::NeuterUnencryptedPackets() {
   QuicPacketNumber packet_number = unacked_packets_.GetLeastUnacked();
-  if (session_decides_what_to_write()) {
-    for (QuicUnackedPacketMap::const_iterator it = unacked_packets_.begin();
-         it != unacked_packets_.end(); ++it, ++packet_number) {
-      if (!it->retransmittable_frames.empty() &&
-          it->encryption_level == ENCRYPTION_INITIAL) {
-        // Once the connection swithes to forward secure, no unencrypted packets
-        // will be sent. The data has been abandoned in the cryto stream. Remove
-        // it from in flight.
-        unacked_packets_.RemoveFromInFlight(packet_number);
-      }
-    }
-    return;
-  }
-  for (QuicUnackedPacketMap::const_iterator it = unacked_packets_.begin();
+  for (QuicUnackedPacketMap::iterator it = unacked_packets_.begin();
        it != unacked_packets_.end(); ++it, ++packet_number) {
-    if (it->encryption_level == ENCRYPTION_INITIAL) {
-      // Once you're forward secure, no unencrypted packets will be sent,
-      // crypto or otherwise. Unencrypted packets are neutered and abandoned,
-      // to ensure they are not retransmitted or considered lost from a
-      // congestion control perspective.
-      pending_retransmissions_.erase(packet_number);
+    if (!it->retransmittable_frames.empty() &&
+        it->encryption_level == ENCRYPTION_INITIAL) {
+      // Once the connection swithes to forward secure, no unencrypted packets
+      // will be sent. The data has been abandoned in the cryto stream. Remove
+      // it from in flight.
       unacked_packets_.RemoveFromInFlight(packet_number);
-      unacked_packets_.RemoveRetransmittability(packet_number);
+      if (neuter_handshake_packets_once_) {
+        QUIC_RELOADABLE_FLAG_COUNT_N(quic_neuter_handshake_packets_once2, 2, 3);
+        it->state = NEUTERED;
+        DCHECK(!unacked_packets_.HasRetransmittableFrames(*it));
+      }
     }
   }
 }
 
 void QuicSentPacketManager::NeuterHandshakePackets() {
   QuicPacketNumber packet_number = unacked_packets_.GetLeastUnacked();
-  for (QuicUnackedPacketMap::const_iterator it = unacked_packets_.begin();
+  for (QuicUnackedPacketMap::iterator it = unacked_packets_.begin();
        it != unacked_packets_.end(); ++it, ++packet_number) {
-    if (session_decides_what_to_write()) {
-      if (!it->retransmittable_frames.empty() &&
-          unacked_packets_.GetPacketNumberSpace(it->encryption_level) ==
-              HANDSHAKE_DATA) {
-        unacked_packets_.RemoveFromInFlight(packet_number);
+    if (!it->retransmittable_frames.empty() &&
+        unacked_packets_.GetPacketNumberSpace(it->encryption_level) ==
+            HANDSHAKE_DATA) {
+      unacked_packets_.RemoveFromInFlight(packet_number);
+      if (neuter_handshake_packets_once_) {
+        // Notify session that the data has been delivered (but do not notify
+        // send algorithm).
+        QUIC_RELOADABLE_FLAG_COUNT_N(quic_neuter_handshake_packets_once2, 3, 3);
+        it->state = NEUTERED;
+        unacked_packets_.NotifyFramesAcked(*it, QuicTime::Delta::Zero(),
+                                           QuicTime::Zero());
       }
-      continue;
     }
-    if (unacked_packets_.GetPacketNumberSpace(it->encryption_level) ==
-            HANDSHAKE_DATA &&
-        unacked_packets_.HasRetransmittableFrames(*it)) {
-      pending_retransmissions_.erase(packet_number);
-      unacked_packets_.RemoveFromInFlight(packet_number);
-      unacked_packets_.RemoveRetransmittability(packet_number);
+  }
+}
+
+bool QuicSentPacketManager::ShouldAddMaxAckDelay() const {
+  DCHECK(pto_enabled_);
+  if (always_include_max_ack_delay_for_pto_timeout_) {
+    return true;
+  }
+  if (!unacked_packets_
+           .GetLargestSentRetransmittableOfPacketNumberSpace(APPLICATION_DATA)
+           .IsInitialized() ||
+      unacked_packets_.GetLargestSentRetransmittableOfPacketNumberSpace(
+          APPLICATION_DATA) <
+          FirstSendingPacketNumber() + kMinReceivedBeforeAckDecimation - 1) {
+    // Peer is doing TCP style acking. Expect an immediate ACK if more than 1
+    // packet are outstanding.
+    if (unacked_packets_.packets_in_flight() >=
+        kDefaultRetransmittablePacketsBeforeAck) {
+      return false;
     }
+  } else if (unacked_packets_.packets_in_flight() >=
+             kMaxRetransmittablePacketsBeforeAck) {
+    // Peer is doing ack decimation. Expect an immediate ACK if >= 10
+    // packets are outstanding.
+    return false;
+  }
+  if (skip_packet_number_for_pto_ && consecutive_pto_count_ > 0) {
+    // An immediate ACK is expected when doing PTOS. Please note, this will miss
+    // cases when PTO fires and turns out to be spurious.
+    return false;
   }
+  return true;
 }
 
 void QuicSentPacketManager::MarkForRetransmission(
@@ -489,26 +524,15 @@ void QuicSentPacketManager::MarkForRetransmission(
     TransmissionType transmission_type) {
   QuicTransmissionInfo* transmission_info =
       unacked_packets_.GetMutableTransmissionInfo(packet_number);
-  // When session decides what to write, a previous RTO retransmission may cause
-  // connection close; packets without retransmittable frames can be marked for
-  // loss retransmissions.
-  QUIC_BUG_IF((transmission_type != LOSS_RETRANSMISSION &&
-               (!session_decides_what_to_write() ||
-                transmission_type != RTO_RETRANSMISSION)) &&
+  // A previous RTO retransmission may cause connection close; packets without
+  // retransmittable frames can be marked for loss retransmissions.
+  QUIC_BUG_IF(transmission_type != LOSS_RETRANSMISSION &&
+              transmission_type != RTO_RETRANSMISSION &&
               !unacked_packets_.HasRetransmittableFrames(*transmission_info))
       << "transmission_type: " << TransmissionTypeToString(transmission_type);
   // Handshake packets should never be sent as probing retransmissions.
-  DCHECK(pto_enabled_ || !transmission_info->has_crypto_handshake ||
+  DCHECK(!transmission_info->has_crypto_handshake ||
          transmission_type != PROBING_RETRANSMISSION);
-  if (!session_decides_what_to_write()) {
-    if (!unacked_packets_.HasRetransmittableFrames(*transmission_info)) {
-      return;
-    }
-    if (!QuicContainsKey(pending_retransmissions_, packet_number)) {
-      pending_retransmissions_[packet_number] = transmission_type;
-    }
-    return;
-  }
 
   HandleRetransmission(transmission_type, transmission_info);
 
@@ -520,7 +544,6 @@ void QuicSentPacketManager::MarkForRetransmission(
 void QuicSentPacketManager::HandleRetransmission(
     TransmissionType transmission_type,
     QuicTransmissionInfo* transmission_info) {
-  DCHECK(session_decides_what_to_write());
   if (ShouldForceRetransmission(transmission_type)) {
     // TODO(fayang): Consider to make RTO and PROBING retransmission
     // strategies be configurable by applications. Today, TLP, RTO and PROBING
@@ -561,149 +584,47 @@ void QuicSentPacketManager::RecordOneSpuriousRetransmission(
   }
 }
 
-void QuicSentPacketManager::RecordSpuriousRetransmissions(
-    const QuicTransmissionInfo& info,
-    QuicPacketNumber acked_packet_number) {
-  if (session_decides_what_to_write()) {
-    RecordOneSpuriousRetransmission(info);
-    if (!detect_spurious_losses_ &&
-        info.transmission_type == LOSS_RETRANSMISSION) {
-      // Only inform the loss detection of spurious retransmits it caused.
-      loss_algorithm_->SpuriousRetransmitDetected(
-          unacked_packets_, clock_->Now(), rtt_stats_, acked_packet_number);
-    }
-    return;
-  }
-  QuicPacketNumber retransmission = info.retransmission;
-  while (retransmission.IsInitialized()) {
-    const QuicTransmissionInfo& retransmit_info =
-        unacked_packets_.GetTransmissionInfo(retransmission);
-    retransmission = retransmit_info.retransmission;
-    RecordOneSpuriousRetransmission(retransmit_info);
-  }
-  // Only inform the loss detection of spurious retransmits it caused.
-  if (unacked_packets_.GetTransmissionInfo(info.retransmission)
-          .transmission_type == LOSS_RETRANSMISSION) {
-    loss_algorithm_->SpuriousRetransmitDetected(
-        unacked_packets_, clock_->Now(), rtt_stats_, info.retransmission);
-  }
-}
-
-QuicPendingRetransmission QuicSentPacketManager::NextPendingRetransmission() {
-  QUIC_BUG_IF(pending_retransmissions_.empty())
-      << "Unexpected call to NextPendingRetransmission() with empty pending "
-      << "retransmission list. Corrupted memory usage imminent.";
-  QUIC_BUG_IF(session_decides_what_to_write())
-      << "Unexpected call to NextPendingRetransmission() when session handles "
-         "retransmissions";
-  QuicPacketNumber packet_number = pending_retransmissions_.begin()->first;
-  TransmissionType transmission_type = pending_retransmissions_.begin()->second;
-  if (unacked_packets_.HasPendingCryptoPackets()) {
-    // Ensure crypto packets are retransmitted before other packets.
-    for (const auto& pair : pending_retransmissions_) {
-      if (HasCryptoHandshake(
-              unacked_packets_.GetTransmissionInfo(pair.first))) {
-        packet_number = pair.first;
-        transmission_type = pair.second;
-        break;
-      }
-    }
-  }
-  DCHECK(unacked_packets_.IsUnacked(packet_number)) << packet_number;
-  const QuicTransmissionInfo& transmission_info =
-      unacked_packets_.GetTransmissionInfo(packet_number);
-  DCHECK(unacked_packets_.HasRetransmittableFrames(transmission_info));
-
-  return QuicPendingRetransmission(packet_number, transmission_type,
-                                   transmission_info);
-}
-
-QuicPacketNumber QuicSentPacketManager::GetNewestRetransmission(
-    QuicPacketNumber packet_number,
-    const QuicTransmissionInfo& transmission_info) const {
-  if (session_decides_what_to_write()) {
-    return packet_number;
-  }
-  QuicPacketNumber retransmission = transmission_info.retransmission;
-  while (retransmission.IsInitialized()) {
-    packet_number = retransmission;
-    retransmission =
-        unacked_packets_.GetTransmissionInfo(retransmission).retransmission;
-  }
-  return packet_number;
-}
-
 void QuicSentPacketManager::MarkPacketHandled(QuicPacketNumber packet_number,
                                               QuicTransmissionInfo* info,
                                               QuicTime ack_receive_time,
                                               QuicTime::Delta ack_delay_time,
                                               QuicTime receive_timestamp) {
-  QuicPacketNumber newest_transmission =
-      GetNewestRetransmission(packet_number, *info);
-  // Remove the most recent packet, if it is pending retransmission.
-  pending_retransmissions_.erase(newest_transmission);
-
-  if (newest_transmission == packet_number) {
-    // Try to aggregate acked stream frames if acked packet is not a
-    // retransmission.
-    const bool fast_path = session_decides_what_to_write() &&
-                           info->transmission_type == NOT_RETRANSMISSION;
-    if (fast_path) {
-      unacked_packets_.MaybeAggregateAckedStreamFrame(*info, ack_delay_time,
-                                                      receive_timestamp);
-    } else {
-      if (session_decides_what_to_write()) {
-        unacked_packets_.NotifyAggregatedStreamFrameAcked(ack_delay_time);
-      }
-      const bool new_data_acked = unacked_packets_.NotifyFramesAcked(
-          *info, ack_delay_time, receive_timestamp);
-      if (session_decides_what_to_write() && !new_data_acked &&
-          info->transmission_type != NOT_RETRANSMISSION) {
-        // Record as a spurious retransmission if this packet is a
-        // retransmission and no new data gets acked.
-        QUIC_DVLOG(1) << "Detect spurious retransmitted packet "
-                      << packet_number << " transmission type: "
-                      << TransmissionTypeToString(info->transmission_type);
-        RecordSpuriousRetransmissions(*info, packet_number);
-      }
-    }
-    if (detect_spurious_losses_ && session_decides_what_to_write() &&
-        info->state == LOST) {
-      // Record as a spurious loss as a packet previously declared lost gets
-      // acked.
-      QUIC_RELOADABLE_FLAG_COUNT(quic_detect_spurious_loss);
-      const PacketNumberSpace packet_number_space =
-          unacked_packets_.GetPacketNumberSpace(info->encryption_level);
-      const QuicPacketNumber previous_largest_acked =
-          supports_multiple_packet_number_spaces()
-              ? unacked_packets_.GetLargestAckedOfPacketNumberSpace(
-                    packet_number_space)
-              : unacked_packets_.largest_acked();
-      QUIC_DVLOG(1) << "Packet " << packet_number
-                    << " was detected lost spuriously, "
-                       "previous_largest_acked: "
-                    << previous_largest_acked;
-      loss_algorithm_->SpuriousLossDetected(unacked_packets_, rtt_stats_,
-                                            ack_receive_time, packet_number,
-                                            previous_largest_acked);
-    }
+  // Try to aggregate acked stream frames if acked packet is not a
+  // retransmission.
+  if (info->transmission_type == NOT_RETRANSMISSION) {
+    unacked_packets_.MaybeAggregateAckedStreamFrame(*info, ack_delay_time,
+                                                    receive_timestamp);
   } else {
-    DCHECK(!session_decides_what_to_write());
-    RecordSpuriousRetransmissions(*info, packet_number);
-    // Remove the most recent packet from flight if it's a crypto handshake
-    // packet, since they won't be acked now that one has been processed.
-    // Other crypto handshake packets won't be in flight, only the newest
-    // transmission of a crypto packet is in flight at once.
-    // TODO(ianswett): Instead of handling all crypto packets special,
-    // only handle null encrypted packets in a special way.
-    const QuicTransmissionInfo& newest_transmission_info =
-        unacked_packets_.GetTransmissionInfo(newest_transmission);
-    unacked_packets_.NotifyFramesAcked(newest_transmission_info, ack_delay_time,
-                                       receive_timestamp);
-    if (HasCryptoHandshake(newest_transmission_info)) {
-      unacked_packets_.RemoveFromInFlight(newest_transmission);
+    unacked_packets_.NotifyAggregatedStreamFrameAcked(ack_delay_time);
+    const bool new_data_acked = unacked_packets_.NotifyFramesAcked(
+        *info, ack_delay_time, receive_timestamp);
+    if (!new_data_acked && info->transmission_type != NOT_RETRANSMISSION) {
+      // Record as a spurious retransmission if this packet is a
+      // retransmission and no new data gets acked.
+      QUIC_DVLOG(1) << "Detect spurious retransmitted packet " << packet_number
+                    << " transmission type: "
+                    << TransmissionTypeToString(info->transmission_type);
+      RecordOneSpuriousRetransmission(*info);
     }
   }
+  if (info->state == LOST) {
+    // Record as a spurious loss as a packet previously declared lost gets
+    // acked.
+    const PacketNumberSpace packet_number_space =
+        unacked_packets_.GetPacketNumberSpace(info->encryption_level);
+    const QuicPacketNumber previous_largest_acked =
+        supports_multiple_packet_number_spaces()
+            ? unacked_packets_.GetLargestAckedOfPacketNumberSpace(
+                  packet_number_space)
+            : unacked_packets_.largest_acked();
+    QUIC_DVLOG(1) << "Packet " << packet_number
+                  << " was detected lost spuriously, "
+                     "previous_largest_acked: "
+                  << previous_largest_acked;
+    loss_algorithm_->SpuriousLossDetected(unacked_packets_, rtt_stats_,
+                                          ack_receive_time, packet_number,
+                                          previous_largest_acked);
+  }
 
   if (network_change_visitor_ != nullptr &&
       info->bytes_sent > largest_mtu_acked_) {
@@ -717,7 +638,6 @@ void QuicSentPacketManager::MarkPacketHandled(QuicPacketNumber packet_number,
 
 bool QuicSentPacketManager::OnPacketSent(
     SerializedPacket* serialized_packet,
-    QuicPacketNumber original_packet_number,
     QuicTime sent_time,
     TransmissionType transmission_type,
     HasRetransmittableData has_retransmittable_data) {
@@ -726,11 +646,6 @@ bool QuicSentPacketManager::OnPacketSent(
   DCHECK(!unacked_packets_.IsUnacked(packet_number));
   QUIC_BUG_IF(serialized_packet->encrypted_length == 0)
       << "Cannot send empty packets.";
-
-  if (original_packet_number.IsInitialized()) {
-    pending_retransmissions_.erase(original_packet_number);
-  }
-
   if (pending_timer_transmission_count_ > 0) {
     --pending_timer_transmission_count_;
   }
@@ -746,8 +661,8 @@ bool QuicSentPacketManager::OnPacketSent(
         serialized_packet->encrypted_length, has_retransmittable_data);
   }
 
-  unacked_packets_.AddSentPacket(serialized_packet, original_packet_number,
-                                 transmission_type, sent_time, in_flight);
+  unacked_packets_.AddSentPacket(serialized_packet, transmission_type,
+                                 sent_time, in_flight);
   // Reset the retransmission timer anytime a pending packet is sent.
   return in_flight;
 }
@@ -755,7 +670,7 @@ bool QuicSentPacketManager::OnPacketSent(
 QuicSentPacketManager::RetransmissionTimeoutMode
 QuicSentPacketManager::OnRetransmissionTimeout() {
   DCHECK(unacked_packets_.HasInFlightPackets() ||
-         (handshake_mode_disabled_ && !handshake_confirmed_));
+         (handshake_mode_disabled_ && handshake_state_ < HANDSHAKE_COMPLETE));
   DCHECK_EQ(0u, pending_timer_transmission_count_);
   // Handshake retransmission, timer based loss detection, TLP, and RTO are
   // implemented with a single alarm. The handshake alarm is set when the
@@ -805,25 +720,18 @@ void QuicSentPacketManager::RetransmitCryptoPackets() {
   for (QuicUnackedPacketMap::const_iterator it = unacked_packets_.begin();
        it != unacked_packets_.end(); ++it, ++packet_number) {
     // Only retransmit frames which are in flight, and therefore have been sent.
-    if (!it->in_flight ||
-        (session_decides_what_to_write() && it->state != OUTSTANDING) ||
+    if (!it->in_flight || it->state != OUTSTANDING ||
         !it->has_crypto_handshake ||
         !unacked_packets_.HasRetransmittableFrames(*it)) {
       continue;
     }
     packet_retransmitted = true;
-    if (session_decides_what_to_write()) {
-      crypto_retransmissions.push_back(packet_number);
-    } else {
-      MarkForRetransmission(packet_number, HANDSHAKE_RETRANSMISSION);
-    }
+    crypto_retransmissions.push_back(packet_number);
     ++pending_timer_transmission_count_;
   }
   DCHECK(packet_retransmitted) << "No crypto packets found to retransmit.";
-  if (session_decides_what_to_write()) {
-    for (QuicPacketNumber retransmission : crypto_retransmissions) {
-      MarkForRetransmission(retransmission, HANDSHAKE_RETRANSMISSION);
-    }
+  for (QuicPacketNumber retransmission : crypto_retransmissions) {
+    MarkForRetransmission(retransmission, HANDSHAKE_RETRANSMISSION);
   }
 }
 
@@ -843,8 +751,7 @@ bool QuicSentPacketManager::MaybeRetransmitOldestPacket(TransmissionType type) {
   for (QuicUnackedPacketMap::const_iterator it = unacked_packets_.begin();
        it != unacked_packets_.end(); ++it, ++packet_number) {
     // Only retransmit frames which are in flight, and therefore have been sent.
-    if (!it->in_flight ||
-        (session_decides_what_to_write() && it->state != OUTSTANDING) ||
+    if (!it->in_flight || it->state != OUTSTANDING ||
         !unacked_packets_.HasRetransmittableFrames(*it)) {
       continue;
     }
@@ -865,33 +772,13 @@ void QuicSentPacketManager::RetransmitRtoPackets() {
   std::vector<QuicPacketNumber> retransmissions;
   for (QuicUnackedPacketMap::const_iterator it = unacked_packets_.begin();
        it != unacked_packets_.end(); ++it, ++packet_number) {
-    if ((!session_decides_what_to_write() || it->state == OUTSTANDING) &&
+    if (it->state == OUTSTANDING &&
         unacked_packets_.HasRetransmittableFrames(*it) &&
         pending_timer_transmission_count_ < max_rto_packets_) {
-      if (session_decides_what_to_write()) {
-        retransmissions.push_back(packet_number);
-      } else {
-        MarkForRetransmission(packet_number, RTO_RETRANSMISSION);
-      }
+      DCHECK(!neuter_handshake_packets_once_ || it->in_flight);
+      retransmissions.push_back(packet_number);
       ++pending_timer_transmission_count_;
     }
-    // Abandon non-retransmittable data that's in flight to ensure it doesn't
-    // fill up the congestion window.
-    bool has_retransmissions = it->retransmission.IsInitialized();
-    if (session_decides_what_to_write()) {
-      has_retransmissions = it->state != OUTSTANDING;
-    }
-    if (!fix_rto_retransmission_ && it->in_flight && !has_retransmissions &&
-        !unacked_packets_.HasRetransmittableFrames(*it)) {
-      // Log only for non-retransmittable data.
-      // Retransmittable data is marked as lost during loss detection, and will
-      // be logged later.
-      unacked_packets_.RemoveFromInFlight(packet_number);
-      if (debug_delegate_ != nullptr) {
-        debug_delegate_->OnPacketLoss(packet_number, RTO_RETRANSMISSION,
-                                      clock_->Now());
-      }
-    }
   }
   if (pending_timer_transmission_count_ > 0) {
     if (consecutive_rto_count_ == 0) {
@@ -899,17 +786,15 @@ void QuicSentPacketManager::RetransmitRtoPackets() {
     }
     ++consecutive_rto_count_;
   }
-  if (session_decides_what_to_write()) {
-    for (QuicPacketNumber retransmission : retransmissions) {
-      MarkForRetransmission(retransmission, RTO_RETRANSMISSION);
-    }
-    if (fix_rto_retransmission_ && retransmissions.empty()) {
-      QUIC_BUG_IF(pending_timer_transmission_count_ != 0);
-      // No packets to be RTO retransmitted, raise up a credit to allow
-      // connection to send.
-      QUIC_CODE_COUNT(no_packets_to_be_rto_retransmitted);
-      pending_timer_transmission_count_ = 1;
-    }
+  for (QuicPacketNumber retransmission : retransmissions) {
+    MarkForRetransmission(retransmission, RTO_RETRANSMISSION);
+  }
+  if (retransmissions.empty()) {
+    QUIC_BUG_IF(pending_timer_transmission_count_ != 0);
+    // No packets to be RTO retransmitted, raise up a credit to allow
+    // connection to send.
+    QUIC_CODE_COUNT(no_packets_to_be_rto_retransmitted);
+    pending_timer_transmission_count_ = 1;
   }
 }
 
@@ -923,6 +808,7 @@ void QuicSentPacketManager::MaybeSendProbePackets() {
        it != unacked_packets_.end(); ++it, ++packet_number) {
     if (it->state == OUTSTANDING &&
         unacked_packets_.HasRetransmittableFrames(*it)) {
+      DCHECK(!neuter_handshake_packets_once_ || it->in_flight);
       probing_packets.push_back(packet_number);
       if (probing_packets.size() == pending_timer_transmission_count_) {
         break;
@@ -933,7 +819,7 @@ void QuicSentPacketManager::MaybeSendProbePackets() {
   for (QuicPacketNumber retransmission : probing_packets) {
     QUIC_DVLOG(1) << ENDPOINT << "Marking " << retransmission
                   << " for probing retransmission";
-    MarkForRetransmission(retransmission, PROBING_RETRANSMISSION);
+    MarkForRetransmission(retransmission, PTO_RETRANSMISSION);
   }
   // It is possible that there is not enough outstanding data for probing.
 }
@@ -949,18 +835,21 @@ void QuicSentPacketManager::AdjustPendingTimerTransmissions() {
 }
 
 void QuicSentPacketManager::EnableIetfPtoAndLossDetection() {
-  DCHECK(session_decides_what_to_write());
-  fix_rto_retransmission_ = true;
   pto_enabled_ = true;
   handshake_mode_disabled_ = true;
   uber_loss_algorithm_.SetLossDetectionType(kIetfLossDetection);
 }
 
+void QuicSentPacketManager::StartExponentialBackoffAfterNthPto(
+    size_t exponential_backoff_start_point) {
+  pto_exponential_backoff_start_point_ = exponential_backoff_start_point;
+}
+
 QuicSentPacketManager::RetransmissionTimeoutMode
 QuicSentPacketManager::GetRetransmissionMode() const {
   DCHECK(unacked_packets_.HasInFlightPackets() ||
-         (handshake_mode_disabled_ && !handshake_confirmed_));
-  if (!handshake_mode_disabled_ && !handshake_confirmed_ &&
+         (handshake_mode_disabled_ && handshake_state_ < HANDSHAKE_COMPLETE));
+  if (!handshake_mode_disabled_ && handshake_state_ < HANDSHAKE_COMPLETE &&
       unacked_packets_.HasPendingCryptoPackets()) {
     return HANDSHAKE_MODE;
   }
@@ -1045,7 +934,7 @@ QuicTime::Delta QuicSentPacketManager::TimeUntilSend(QuicTime now) const {
 
 const QuicTime QuicSentPacketManager::GetRetransmissionTime() const {
   if (!unacked_packets_.HasInFlightPackets() &&
-      (!handshake_mode_disabled_ || handshake_confirmed_ ||
+      (!handshake_mode_disabled_ || handshake_state_ >= HANDSHAKE_COMPLETE ||
        unacked_packets_.perspective() == Perspective::IS_SERVER)) {
     // Do not set the timer if there is nothing in flight. However, to avoid
     // handshake deadlock due to anti-amplification limit, client needs to set
@@ -1057,10 +946,6 @@ const QuicTime QuicSentPacketManager::GetRetransmissionTime() const {
     // Do not set the timer if there is any credit left.
     return QuicTime::Zero();
   }
-  if (!fix_rto_retransmission_ &&
-      !unacked_packets_.HasUnackedRetransmittableFrames()) {
-    return QuicTime::Zero();
-  }
   switch (GetRetransmissionMode()) {
     case HANDSHAKE_MODE:
       return unacked_packets_.GetLastCryptoPacketSentTime() +
@@ -1089,14 +974,6 @@ const QuicTime QuicSentPacketManager::GetRetransmissionTime() const {
       return std::max(tlp_time, rto_time);
     }
     case PTO_MODE: {
-      if (!unacked_packets().simple_inflight_time() &&
-          handshake_mode_disabled_ && !handshake_confirmed_ &&
-          !unacked_packets_.HasInFlightPackets()) {
-        DCHECK_EQ(Perspective::IS_CLIENT, unacked_packets_.perspective());
-        return std::max(clock_->ApproximateNow(),
-                        unacked_packets_.GetLastCryptoPacketSentTime() +
-                            GetProbeTimeoutDelay());
-      }
       // Ensure PTO never gets set to a time in the past.
       return std::max(clock_->ApproximateNow(),
                       unacked_packets_.GetLastInFlightPacketSentTime() +
@@ -1141,20 +1018,11 @@ const QuicTime::Delta QuicSentPacketManager::GetTailLossProbeDelay(
     size_t consecutive_tlp_count) const {
   QuicTime::Delta srtt = rtt_stats_.SmoothedOrInitialRtt();
   if (enable_half_rtt_tail_loss_probe_ && consecutive_tlp_count == 0u) {
-    if (!session_decides_what_to_write()) {
-      return std::max(min_tlp_timeout_, srtt * 0.5);
-    }
     if (unacked_packets().HasUnackedStreamData()) {
       // Enable TLPR if there are pending data packets.
       return std::max(min_tlp_timeout_, srtt * 0.5);
     }
   }
-  if (ietf_style_tlp_) {
-    return std::max(min_tlp_timeout_, 1.5 * srtt + rtt_stats_.max_ack_delay());
-  }
-  if (ietf_style_2x_tlp_) {
-    return std::max(min_tlp_timeout_, 2 * srtt + rtt_stats_.max_ack_delay());
-  }
   if (!unacked_packets_.HasMultipleInFlightPackets()) {
     // This expression really should be using the delayed ack time, but in TCP
     // MinRTO was traditionally set to 2x the delayed ack timer and this
@@ -1200,45 +1068,27 @@ const QuicTime::Delta QuicSentPacketManager::GetProbeTimeoutDelay() const {
   }
   const QuicTime::Delta pto_delay =
       rtt_stats_.smoothed_rtt() +
-      std::max(4 * rtt_stats_.mean_deviation(),
+      std::max(pto_rttvar_multiplier_ * rtt_stats_.mean_deviation(),
                QuicTime::Delta::FromMilliseconds(1)) +
-      peer_max_ack_delay_;
-  return pto_delay * (1 << consecutive_pto_count_);
+      (ShouldAddMaxAckDelay() ? peer_max_ack_delay_ : QuicTime::Delta::Zero());
+  return pto_delay * (1 << (consecutive_pto_count_ -
+                            std::min(consecutive_pto_count_,
+                                     pto_exponential_backoff_start_point_)));
 }
 
 QuicTime::Delta QuicSentPacketManager::GetSlowStartDuration() const {
-  if (send_algorithm_->GetCongestionControlType() != kBBR) {
-    return QuicTime::Delta::Infinite();
-  }
-
-  if (!send_algorithm_->InSlowStart()) {
-    return stats_->slowstart_duration;
+  if (send_algorithm_->GetCongestionControlType() == kBBR ||
+      send_algorithm_->GetCongestionControlType() == kBBRv2) {
+    return stats_->slowstart_duration.GetTotalElapsedTime(
+        clock_->ApproximateNow());
   }
-
-  return clock_->ApproximateNow() - stats_->slowstart_start_time +
-         stats_->slowstart_duration;
+  return QuicTime::Delta::Infinite();
 }
 
 std::string QuicSentPacketManager::GetDebugState() const {
   return send_algorithm_->GetDebugState();
 }
 
-void QuicSentPacketManager::CancelRetransmissionsForStream(
-    QuicStreamId stream_id) {
-  if (session_decides_what_to_write()) {
-    return;
-  }
-  unacked_packets_.CancelRetransmissionsForStream(stream_id);
-  auto it = pending_retransmissions_.begin();
-  while (it != pending_retransmissions_.end()) {
-    if (unacked_packets_.HasRetransmittableFrames(it->first)) {
-      ++it;
-      continue;
-    }
-    it = pending_retransmissions_.erase(it);
-  }
-}
-
 void QuicSentPacketManager::SetSendAlgorithm(
     CongestionControlType congestion_control_type) {
   SetSendAlgorithm(SendAlgorithmInterface::Create(
@@ -1331,7 +1181,7 @@ AckResult QuicSentPacketManager::OnAckFrameEnd(
     EncryptionLevel ack_decrypted_level) {
   QuicByteCount prior_bytes_in_flight = unacked_packets_.bytes_in_flight();
   // Reverse packets_acked_ so that it is in ascending order.
-  reverse(packets_acked_.begin(), packets_acked_.end());
+  std::reverse(packets_acked_.begin(), packets_acked_.end());
   for (AckedPacket& acked_packet : packets_acked_) {
     QuicTransmissionInfo* info =
         unacked_packets_.GetMutableTransmissionInfo(acked_packet.packet_number);
@@ -1370,6 +1220,9 @@ AckResult QuicSentPacketManager::OnAckFrameEnd(
       return PACKETS_ACKED_IN_WRONG_PACKET_NUMBER_SPACE;
     }
     last_ack_frame_.packets.Add(acked_packet.packet_number);
+    if (info->encryption_level == ENCRYPTION_FORWARD_SECURE) {
+      handshake_state_ = HANDSHAKE_CONFIRMED;
+    }
     largest_packet_peer_knows_is_acked_.UpdateMax(info->largest_acked);
     if (supports_multiple_packet_number_spaces()) {
       largest_packets_peer_knows_is_acked_[packet_number_space].UpdateMax(
@@ -1424,16 +1277,6 @@ void QuicSentPacketManager::SetInitialRtt(QuicTime::Delta rtt) {
   rtt_stats_.set_initial_rtt(std::max(min_rtt, std::min(max_rtt, rtt)));
 }
 
-void QuicSentPacketManager::SetSessionDecideWhatToWrite(
-    bool session_decides_what_to_write) {
-  if (GetQuicReloadableFlag(quic_fix_rto_retransmission3) &&
-      session_decides_what_to_write) {
-    fix_rto_retransmission_ = true;
-    QUIC_RELOADABLE_FLAG_COUNT(quic_fix_rto_retransmission3);
-  }
-  unacked_packets_.SetSessionDecideWhatToWrite(session_decides_what_to_write);
-}
-
 void QuicSentPacketManager::EnableMultiplePacketNumberSpacesSupport() {
   unacked_packets_.EnableMultiplePacketNumberSpacesSupport();
 }
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_sent_packet_manager.h b/chromium/net/third_party/quiche/src/quic/core/quic_sent_packet_manager.h
index 9e903fdfa2d..5a3f2ca05d7 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_sent_packet_manager.h
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_sent_packet_manager.h
@@ -19,7 +19,6 @@
 #include "net/third_party/quiche/src/quic/core/congestion_control/uber_loss_algorithm.h"
 #include "net/third_party/quiche/src/quic/core/proto/cached_network_parameters_proto.h"
 #include "net/third_party/quiche/src/quic/core/quic_packets.h"
-#include "net/third_party/quiche/src/quic/core/quic_pending_retransmission.h"
 #include "net/third_party/quiche/src/quic/core/quic_sustained_bandwidth_recorder.h"
 #include "net/third_party/quiche/src/quic/core/quic_transmission_info.h"
 #include "net/third_party/quiche/src/quic/core/quic_types.h"
@@ -108,6 +107,25 @@ class QUIC_EXPORT_PRIVATE QuicSentPacketManager {
     PTO_MODE,
   };
 
+  // Handshake state of this connection.
+  enum HandshakeState {
+    // Initial state.
+    HANDSHAKE_START,
+    // Only used in IETF QUIC with TLS handshake. State proceeds to
+    // HANDSHAKE_PROCESSED after a packet of HANDSHAKE packet number space
+    // gets successfully processed, and the initial key can be dropped.
+    HANDSHAKE_PROCESSED,
+    // In QUIC crypto, state proceeds to HANDSHAKE_COMPLETE if client receives
+    // SHLO or server successfully processes an ENCRYPTION_FORWARD_SECURE
+    // packet, such that the handshake packets can be neutered. In IETF QUIC
+    // with TLS handshake, state proceeds to HANDSHAKE_COMPLETE once the
+    // endpoint has both 1-RTT send and receive keys.
+    HANDSHAKE_COMPLETE,
+    // Only used in IETF QUIC with TLS handshake. State proceeds to
+    // HANDSHAKE_CONFIRMED if a 1-RTT packet gets acknowledged.
+    HANDSHAKE_CONFIRMED,
+  };
+
   QuicSentPacketManager(Perspective perspective,
                         const QuicClock* clock,
                         QuicRandom* random,
@@ -133,8 +151,9 @@ class QUIC_EXPORT_PRIVATE QuicSentPacketManager {
     return pacing_sender_.max_pacing_rate();
   }
 
-  // Set handshake_confirmed_ to true and neuter packets in HANDSHAKE packet
-  // number space.
+  // Called to mark the handshake state complete, and all handshake packets are
+  // neutered.
+  // TODO(fayang): Rename this function to OnHandshakeComplete.
   void SetHandshakeConfirmed();
 
   // Requests retransmission of all unacked packets of |retransmission_type|.
@@ -149,9 +168,8 @@ class QUIC_EXPORT_PRIVATE QuicSentPacketManager {
 
   // Notify the sent packet manager of an external network measurement or
   // prediction for either |bandwidth| or |rtt|; either can be empty.
-  void AdjustNetworkParameters(QuicBandwidth bandwidth,
-                               QuicTime::Delta rtt,
-                               bool allow_cwnd_to_decrease);
+  void AdjustNetworkParameters(
+      const SendAlgorithmInterface::NetworkParams& params);
 
   // Retransmits the oldest pending packet there is still a tail loss probe
   // pending.  Invoked after OnRetransmissionTimeout.
@@ -165,16 +183,6 @@ class QUIC_EXPORT_PRIVATE QuicSentPacketManager {
   // TODO(fayang): Consider replace this function with NeuterHandshakePackets.
   void NeuterUnencryptedPackets();
 
-  // Returns true if there are pending retransmissions.
-  // Not const because retransmissions may be cancelled before returning.
-  bool HasPendingRetransmissions() const {
-    return !pending_retransmissions_.empty();
-  }
-
-  // Retrieves the next pending retransmission.  You must ensure that
-  // there are pending retransmissions prior to calling this function.
-  QuicPendingRetransmission NextPendingRetransmission();
-
   // Returns true if there's outstanding crypto data.
   bool HasUnackedCryptoPackets() const {
     return unacked_packets_.HasPendingCryptoPackets();
@@ -195,7 +203,6 @@ class QUIC_EXPORT_PRIVATE QuicSentPacketManager {
   // the number of bytes sent and if they were retransmitted.  Returns true if
   // the sender should reset the retransmission timer.
   bool OnPacketSent(SerializedPacket* serialized_packet,
-                    QuicPacketNumber original_packet_number,
                     QuicTime sent_time,
                     TransmissionType transmission_type,
                     HasRetransmittableData has_retransmittable_data);
@@ -276,9 +283,6 @@ class QUIC_EXPORT_PRIVATE QuicSentPacketManager {
     return unacked_packets_.bytes_in_flight();
   }
 
-  // No longer retransmit data for |stream_id|.
-  void CancelRetransmissionsForStream(QuicStreamId stream_id);
-
   // Called when peer address changes and the connection migrates.
   void OnConnectionMigration(AddressChangeType type);
 
@@ -300,9 +304,6 @@ class QUIC_EXPORT_PRIVATE QuicSentPacketManager {
                           QuicPacketNumber ack_packet_number,
                           EncryptionLevel ack_decrypted_level);
 
-  // Called to enable/disable letting session decide what to write.
-  void SetSessionDecideWhatToWrite(bool session_decides_what_to_write);
-
   void EnableMultiplePacketNumberSpacesSupport();
 
   void SetDebugDelegate(DebugDelegate* debug_delegate);
@@ -363,11 +364,7 @@ class QUIC_EXPORT_PRIVATE QuicSentPacketManager {
     return largest_packet_peer_knows_is_acked_;
   }
 
-  bool handshake_confirmed() const { return handshake_confirmed_; }
-
-  bool session_decides_what_to_write() const {
-    return unacked_packets_.session_decides_what_to_write();
-  }
+  HandshakeState handshake_state() const { return handshake_state_; }
 
   size_t pending_timer_transmission_count() const {
     return pending_timer_transmission_count_;
@@ -405,25 +402,27 @@ class QUIC_EXPORT_PRIVATE QuicSentPacketManager {
   // Also enable IETF loss detection.
   void EnableIetfPtoAndLossDetection();
 
+  // Called to set the start point of doing exponential backoff when calculating
+  // PTO timeout.
+  void StartExponentialBackoffAfterNthPto(
+      size_t exponential_backoff_start_point);
+
   bool supports_multiple_packet_number_spaces() const {
     return unacked_packets_.supports_multiple_packet_number_spaces();
   }
 
-  bool fix_rto_retransmission() const { return fix_rto_retransmission_; }
-
   bool pto_enabled() const { return pto_enabled_; }
 
   bool handshake_mode_disabled() const { return handshake_mode_disabled_; }
 
+  bool skip_packet_number_for_pto() const {
+    return skip_packet_number_for_pto_;
+  }
+
  private:
   friend class test::QuicConnectionPeer;
   friend class test::QuicSentPacketManagerPeer;
 
-  typedef QuicLinkedHashMap<QuicPacketNumber,
-                            TransmissionType,
-                            QuicPacketNumberHash>
-      PendingRetransmissionMap;
-
   // Returns the current retransmission mode.
   RetransmissionTimeoutMode GetRetransmissionMode() const;
 
@@ -463,11 +462,6 @@ class QUIC_EXPORT_PRIVATE QuicSentPacketManager {
   // Returns the probe timeout.
   const QuicTime::Delta GetProbeTimeoutDelay() const;
 
-  // Returns the newest transmission associated with a packet.
-  QuicPacketNumber GetNewestRetransmission(
-      QuicPacketNumber packet_number,
-      const QuicTransmissionInfo& transmission_info) const;
-
   // Update the RTT if the ack is for the largest acked packet number.
   // Returns true if the rtt was updated.
   bool MaybeUpdateRTT(QuicPacketNumber largest_acked,
@@ -521,11 +515,6 @@ class QUIC_EXPORT_PRIVATE QuicSentPacketManager {
   // this function.
   void RecordOneSpuriousRetransmission(const QuicTransmissionInfo& info);
 
-  // Notify observers about spurious retransmits of packet with
-  // QuicTransmissionInfo |info|.
-  void RecordSpuriousRetransmissions(const QuicTransmissionInfo& info,
-                                     QuicPacketNumber acked_packet_number);
-
   // Sets the initial RTT of the connection.
   void SetInitialRtt(QuicTime::Delta rtt);
 
@@ -539,6 +528,10 @@ class QUIC_EXPORT_PRIVATE QuicSentPacketManager {
   // switches to IETF QUIC with QUIC TLS.
   void NeuterHandshakePackets();
 
+  // Indicates whether including peer_max_ack_delay_ when calculating PTO
+  // timeout.
+  bool ShouldAddMaxAckDelay() const;
+
   // Newly serialized retransmittable packets are added to this map, which
   // contains owning pointers to any contained frames.  If a packet is
   // retransmitted, this map will contain entries for both the old and the new
@@ -549,9 +542,6 @@ class QUIC_EXPORT_PRIVATE QuicSentPacketManager {
   // set to nullptr.
   QuicUnackedPacketMap unacked_packets_;
 
-  // Pending retransmissions which have not been packetized and sent yet.
-  PendingRetransmissionMap pending_retransmissions_;
-
   const QuicClock* clock_;
   QuicRandom* random_;
   QuicConnectionStats* stats_;
@@ -592,10 +582,6 @@ class QUIC_EXPORT_PRIVATE QuicSentPacketManager {
   QuicTime::Delta min_tlp_timeout_;
   // The minimum RTO.
   QuicTime::Delta min_rto_timeout_;
-  // Whether to use IETF style TLP that includes the max ack delay.
-  bool ietf_style_tlp_;
-  // IETF style TLP, but with a 2x multiplier instead of 1.5x.
-  bool ietf_style_2x_tlp_;
 
   // Vectors packets acked and lost as a result of the last congestion event.
   AckedPacketVector packets_acked_;
@@ -609,11 +595,8 @@ class QUIC_EXPORT_PRIVATE QuicSentPacketManager {
   // Calls into |send_algorithm_| for the underlying congestion control.
   PacingSender pacing_sender_;
 
-  // Set to true after the crypto handshake has successfully completed. After
-  // this is true we no longer use HANDSHAKE_MODE, and further frames sent on
-  // the crypto stream (i.e. SCUP messages) are treated like normal
-  // retransmittable frames.
-  bool handshake_confirmed_;
+  // Indicates current handshake state.
+  HandshakeState handshake_state_;
 
   // Records bandwidth from server to client in normal operation, over periods
   // of time with no loss events.
@@ -652,17 +635,24 @@ class QUIC_EXPORT_PRIVATE QuicSentPacketManager {
   // Number of times the PTO timer has fired in a row without receiving an ack.
   size_t consecutive_pto_count_;
 
-  // Latched value of quic_fix_rto_retransmission3 and
-  // session_decides_what_to_write.
-  bool fix_rto_retransmission_;
-
   // True if HANDSHAKE mode has been disabled.
   bool handshake_mode_disabled_;
 
-  // Latched value of quic_detect_spurious_loss.
-  const bool detect_spurious_losses_;
+  // If true, skip packet number before sending the last PTO retransmission.
+  bool skip_packet_number_for_pto_;
+
+  // If true, always include peer_max_ack_delay_ when calculating PTO timeout.
+  bool always_include_max_ack_delay_for_pto_timeout_;
+
+  // When calculating PTO timeout, the start point of doing exponential backoff.
+  // For example, 0 : always do exponential backoff. n : do exponential backoff
+  // since nth PTO.
+  size_t pto_exponential_backoff_start_point_;
+
+  // The multiplier of rttvar when calculating PTO timeout.
+  int pto_rttvar_multiplier_;
 
-  // Latched value of quic_neuter_handshake_packets_once.
+  // Latched value of quic_neuter_handshake_packets_once2.
   const bool neuter_handshake_packets_once_;
 };
 
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_sent_packet_manager_test.cc b/chromium/net/third_party/quiche/src/quic/core/quic_sent_packet_manager_test.cc
index 4ee9fd31d86..8dd0c30faea 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_sent_packet_manager_test.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_sent_packet_manager_test.cc
@@ -7,7 +7,6 @@
 #include <memory>
 #include <utility>
 
-#include "net/third_party/quiche/src/quic/core/quic_pending_retransmission.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_arraysize.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_flags.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_string_piece.h"
@@ -53,7 +52,7 @@ class MockDebugDelegate : public QuicSentPacketManager::DebugDelegate {
                     QuicTime detection_time));
 };
 
-class QuicSentPacketManagerTest : public QuicTestWithParam<bool> {
+class QuicSentPacketManagerTest : public QuicTest {
  public:
   void RetransmitCryptoPacket(uint64_t packet_number) {
     EXPECT_CALL(
@@ -64,8 +63,8 @@ class QuicSentPacketManagerTest : public QuicTestWithParam<bool> {
     packet.retransmittable_frames.push_back(
         QuicFrame(QuicStreamFrame(1, false, 0, QuicStringPiece())));
     packet.has_crypto_handshake = IS_HANDSHAKE;
-    manager_.OnPacketSent(&packet, QuicPacketNumber(), clock_.Now(),
-                          HANDSHAKE_RETRANSMISSION, HAS_RETRANSMITTABLE_DATA);
+    manager_.OnPacketSent(&packet, clock_.Now(), HANDSHAKE_RETRANSMISSION,
+                          HAS_RETRANSMITTABLE_DATA);
   }
 
   void RetransmitDataPacket(uint64_t packet_number,
@@ -77,7 +76,7 @@ class QuicSentPacketManagerTest : public QuicTestWithParam<bool> {
                      kDefaultLength, HAS_RETRANSMITTABLE_DATA));
     SerializedPacket packet(CreatePacket(packet_number, true));
     packet.encryption_level = level;
-    manager_.OnPacketSent(&packet, QuicPacketNumber(), clock_.Now(), type,
+    manager_.OnPacketSent(&packet, clock_.Now(), type,
                           HAS_RETRANSMITTABLE_DATA);
   }
 
@@ -102,7 +101,6 @@ class QuicSentPacketManagerTest : public QuicTestWithParam<bool> {
     clock_.AdvanceTime(QuicTime::Delta::FromMilliseconds(1000));
     manager_.SetNetworkChangeVisitor(network_change_visitor_.get());
     manager_.SetSessionNotifier(&notifier_);
-    manager_.SetSessionDecideWhatToWrite(GetParam());
 
     EXPECT_CALL(*send_algorithm_, HasReliableBandwidthEstimate())
         .Times(AnyNumber());
@@ -210,53 +208,31 @@ class QuicSentPacketManagerTest : public QuicTestWithParam<bool> {
                                uint64_t new_packet_number,
                                TransmissionType transmission_type) {
     bool is_lost = false;
-    if (manager_.session_decides_what_to_write()) {
-      if (transmission_type == HANDSHAKE_RETRANSMISSION ||
-          transmission_type == TLP_RETRANSMISSION ||
-          transmission_type == RTO_RETRANSMISSION ||
-          transmission_type == PROBING_RETRANSMISSION) {
-        EXPECT_CALL(notifier_, RetransmitFrames(_, _))
-            .WillOnce(WithArgs<1>(
-                Invoke([this, new_packet_number](TransmissionType type) {
-                  RetransmitDataPacket(new_packet_number, type);
-                })));
-      } else {
-        EXPECT_CALL(notifier_, OnFrameLost(_)).Times(1);
-        is_lost = true;
-      }
+    if (transmission_type == HANDSHAKE_RETRANSMISSION ||
+        transmission_type == TLP_RETRANSMISSION ||
+        transmission_type == RTO_RETRANSMISSION ||
+        transmission_type == PROBING_RETRANSMISSION) {
+      EXPECT_CALL(notifier_, RetransmitFrames(_, _))
+          .WillOnce(WithArgs<1>(
+              Invoke([this, new_packet_number](TransmissionType type) {
+                RetransmitDataPacket(new_packet_number, type);
+              })));
+    } else {
+      EXPECT_CALL(notifier_, OnFrameLost(_)).Times(1);
+      is_lost = true;
     }
     QuicSentPacketManagerPeer::MarkForRetransmission(
         &manager_, old_packet_number, transmission_type);
-    if (manager_.session_decides_what_to_write()) {
-      if (!is_lost) {
-        return;
-      }
-      EXPECT_CALL(
-          *send_algorithm_,
-          OnPacketSent(_, BytesInFlight(), QuicPacketNumber(new_packet_number),
-                       kDefaultLength, HAS_RETRANSMITTABLE_DATA));
-      SerializedPacket packet(CreatePacket(new_packet_number, true));
-      manager_.OnPacketSent(&packet, QuicPacketNumber(), clock_.Now(),
-                            transmission_type, HAS_RETRANSMITTABLE_DATA);
+    if (!is_lost) {
       return;
     }
-    EXPECT_TRUE(manager_.HasPendingRetransmissions());
-    QuicPendingRetransmission next_retransmission =
-        manager_.NextPendingRetransmission();
-    EXPECT_EQ(QuicPacketNumber(old_packet_number),
-              next_retransmission.packet_number);
-    EXPECT_EQ(transmission_type, next_retransmission.transmission_type);
-
     EXPECT_CALL(
         *send_algorithm_,
         OnPacketSent(_, BytesInFlight(), QuicPacketNumber(new_packet_number),
                      kDefaultLength, HAS_RETRANSMITTABLE_DATA));
-    SerializedPacket packet(CreatePacket(new_packet_number, false));
-    manager_.OnPacketSent(&packet, QuicPacketNumber(old_packet_number),
-                          clock_.Now(), transmission_type,
+    SerializedPacket packet(CreatePacket(new_packet_number, true));
+    manager_.OnPacketSent(&packet, clock_.Now(), transmission_type,
                           HAS_RETRANSMITTABLE_DATA);
-    EXPECT_TRUE(QuicSentPacketManagerPeer::IsRetransmission(&manager_,
-                                                            new_packet_number));
   }
 
   SerializedPacket CreateDataPacket(uint64_t packet_number) {
@@ -293,8 +269,8 @@ class QuicSentPacketManagerTest : public QuicTestWithParam<bool> {
                              QuicPacketNumber(packet_number), _, _));
     SerializedPacket packet(CreateDataPacket(packet_number));
     packet.encryption_level = encryption_level;
-    manager_.OnPacketSent(&packet, QuicPacketNumber(), clock_.Now(),
-                          NOT_RETRANSMISSION, HAS_RETRANSMITTABLE_DATA);
+    manager_.OnPacketSent(&packet, clock_.Now(), NOT_RETRANSMISSION,
+                          HAS_RETRANSMITTABLE_DATA);
   }
 
   void SendPingPacket(uint64_t packet_number,
@@ -304,8 +280,8 @@ class QuicSentPacketManagerTest : public QuicTestWithParam<bool> {
                              QuicPacketNumber(packet_number), _, _));
     SerializedPacket packet(CreatePingPacket(packet_number));
     packet.encryption_level = encryption_level;
-    manager_.OnPacketSent(&packet, QuicPacketNumber(), clock_.Now(),
-                          NOT_RETRANSMISSION, HAS_RETRANSMITTABLE_DATA);
+    manager_.OnPacketSent(&packet, clock_.Now(), NOT_RETRANSMISSION,
+                          HAS_RETRANSMITTABLE_DATA);
   }
 
   void SendCryptoPacket(uint64_t packet_number) {
@@ -317,12 +293,9 @@ class QuicSentPacketManagerTest : public QuicTestWithParam<bool> {
     packet.retransmittable_frames.push_back(
         QuicFrame(QuicStreamFrame(1, false, 0, QuicStringPiece())));
     packet.has_crypto_handshake = IS_HANDSHAKE;
-    manager_.OnPacketSent(&packet, QuicPacketNumber(), clock_.Now(),
-                          NOT_RETRANSMISSION, HAS_RETRANSMITTABLE_DATA);
-    if (manager_.session_decides_what_to_write()) {
-      EXPECT_CALL(notifier_, HasUnackedCryptoData())
-          .WillRepeatedly(Return(true));
-    }
+    manager_.OnPacketSent(&packet, clock_.Now(), NOT_RETRANSMISSION,
+                          HAS_RETRANSMITTABLE_DATA);
+    EXPECT_CALL(notifier_, HasUnackedCryptoData()).WillRepeatedly(Return(true));
   }
 
   void SendAckPacket(uint64_t packet_number, uint64_t largest_acked) {
@@ -339,27 +312,11 @@ class QuicSentPacketManagerTest : public QuicTestWithParam<bool> {
     SerializedPacket packet(CreatePacket(packet_number, false));
     packet.largest_acked = QuicPacketNumber(largest_acked);
     packet.encryption_level = level;
-    manager_.OnPacketSent(&packet, QuicPacketNumber(), clock_.Now(),
-                          NOT_RETRANSMISSION, NO_RETRANSMITTABLE_DATA);
-  }
-
-  // Based on QuicConnection's WritePendingRetransmissions.
-  void RetransmitNextPacket(uint64_t retransmission_packet_number) {
-    EXPECT_TRUE(manager_.HasPendingRetransmissions());
-    EXPECT_CALL(
-        *send_algorithm_,
-        OnPacketSent(_, _, QuicPacketNumber(retransmission_packet_number),
-                     kDefaultLength, HAS_RETRANSMITTABLE_DATA));
-    const QuicPendingRetransmission pending =
-        manager_.NextPendingRetransmission();
-    SerializedPacket packet(CreatePacket(retransmission_packet_number, false));
-    manager_.OnPacketSent(&packet, pending.packet_number, clock_.Now(),
-                          pending.transmission_type, HAS_RETRANSMITTABLE_DATA);
+    manager_.OnPacketSent(&packet, clock_.Now(), NOT_RETRANSMISSION,
+                          NO_RETRANSMITTABLE_DATA);
   }
 
   void EnablePto(QuicTag tag) {
-    SetQuicReloadableFlag(quic_fix_rto_retransmission3, true);
-    manager_.SetSessionDecideWhatToWrite(true);
     SetQuicReloadableFlag(quic_enable_pto, true);
     QuicConfig config;
     QuicTagVector options;
@@ -379,12 +336,7 @@ class QuicSentPacketManagerTest : public QuicTestWithParam<bool> {
   StrictMock<MockSessionNotifier> notifier_;
 };
 
-INSTANTIATE_TEST_SUITE_P(Tests,
-                         QuicSentPacketManagerTest,
-                         ::testing::Bool(),
-                         ::testing::PrintToStringParamName());
-
-TEST_P(QuicSentPacketManagerTest, IsUnacked) {
+TEST_F(QuicSentPacketManagerTest, IsUnacked) {
   VerifyUnackedPackets(nullptr, 0);
   SendDataPacket(1);
 
@@ -395,23 +347,18 @@ TEST_P(QuicSentPacketManagerTest, IsUnacked) {
                                QUIC_ARRAYSIZE(retransmittable));
 }
 
-TEST_P(QuicSentPacketManagerTest, IsUnAckedRetransmit) {
+TEST_F(QuicSentPacketManagerTest, IsUnAckedRetransmit) {
   SendDataPacket(1);
   RetransmitAndSendPacket(1, 2);
 
   EXPECT_TRUE(QuicSentPacketManagerPeer::IsRetransmission(&manager_, 2));
   uint64_t unacked[] = {1, 2};
   VerifyUnackedPackets(unacked, QUIC_ARRAYSIZE(unacked));
-  std::vector<uint64_t> retransmittable;
-  if (manager_.session_decides_what_to_write()) {
-    retransmittable = {1, 2};
-  } else {
-    retransmittable = {2};
-  }
+  std::vector<uint64_t> retransmittable = {1, 2};
   VerifyRetransmittablePackets(&retransmittable[0], retransmittable.size());
 }
 
-TEST_P(QuicSentPacketManagerTest, RetransmitThenAck) {
+TEST_F(QuicSentPacketManagerTest, RetransmitThenAck) {
   SendDataPacket(1);
   RetransmitAndSendPacket(1, 2);
 
@@ -423,9 +370,7 @@ TEST_P(QuicSentPacketManagerTest, RetransmitThenAck) {
   EXPECT_EQ(PACKETS_NEWLY_ACKED,
             manager_.OnAckFrameEnd(clock_.Now(), QuicPacketNumber(1),
                                    ENCRYPTION_INITIAL));
-  if (manager_.session_decides_what_to_write()) {
-    EXPECT_CALL(notifier_, IsFrameOutstanding(_)).WillRepeatedly(Return(false));
-  }
+  EXPECT_CALL(notifier_, IsFrameOutstanding(_)).WillRepeatedly(Return(false));
   // Packet 1 is unacked, pending, but not retransmittable.
   uint64_t unacked[] = {1};
   VerifyUnackedPackets(unacked, QUIC_ARRAYSIZE(unacked));
@@ -433,21 +378,13 @@ TEST_P(QuicSentPacketManagerTest, RetransmitThenAck) {
   VerifyRetransmittablePackets(nullptr, 0);
 }
 
-TEST_P(QuicSentPacketManagerTest, RetransmitThenAckBeforeSend) {
+TEST_F(QuicSentPacketManagerTest, RetransmitThenAckBeforeSend) {
   SendDataPacket(1);
-  if (manager_.session_decides_what_to_write()) {
-    if (manager_.session_decides_what_to_write()) {
-      EXPECT_CALL(notifier_, RetransmitFrames(_, _))
-          .WillOnce(WithArgs<1>(Invoke([this](TransmissionType type) {
-            RetransmitDataPacket(2, type);
-          })));
-    }
-  }
+  EXPECT_CALL(notifier_, RetransmitFrames(_, _))
+      .WillOnce(WithArgs<1>(Invoke(
+          [this](TransmissionType type) { RetransmitDataPacket(2, type); })));
   QuicSentPacketManagerPeer::MarkForRetransmission(&manager_, 1,
                                                    TLP_RETRANSMISSION);
-  if (!manager_.session_decides_what_to_write()) {
-    EXPECT_TRUE(manager_.HasPendingRetransmissions());
-  }
   // Ack 1.
   ExpectAck(1);
   manager_.OnAckFrameStart(QuicPacketNumber(1), QuicTime::Delta::Infinite(),
@@ -457,40 +394,21 @@ TEST_P(QuicSentPacketManagerTest, RetransmitThenAckBeforeSend) {
             manager_.OnAckFrameEnd(clock_.Now(), QuicPacketNumber(1),
                                    ENCRYPTION_INITIAL));
 
-  // There should no longer be a pending retransmission.
-  EXPECT_FALSE(manager_.HasPendingRetransmissions());
-
-  if (manager_.session_decides_what_to_write()) {
-    EXPECT_CALL(notifier_, IsFrameOutstanding(_)).WillRepeatedly(Return(false));
-    uint64_t unacked[] = {2};
-    VerifyUnackedPackets(unacked, QUIC_ARRAYSIZE(unacked));
-    // We do not know packet 2 is a spurious retransmission until it gets acked.
-  } else {
-    // No unacked packets remain.
-    VerifyUnackedPackets(nullptr, 0);
-  }
+  EXPECT_CALL(notifier_, IsFrameOutstanding(_)).WillRepeatedly(Return(false));
+  uint64_t unacked[] = {2};
+  VerifyUnackedPackets(unacked, QUIC_ARRAYSIZE(unacked));
+  // We do not know packet 2 is a spurious retransmission until it gets acked.
   VerifyRetransmittablePackets(nullptr, 0);
   EXPECT_EQ(0u, stats_.packets_spuriously_retransmitted);
 }
 
-TEST_P(QuicSentPacketManagerTest, RetransmitThenStopRetransmittingBeforeSend) {
+TEST_F(QuicSentPacketManagerTest, RetransmitThenStopRetransmittingBeforeSend) {
   SendDataPacket(1);
-  if (manager_.session_decides_what_to_write()) {
-    EXPECT_CALL(notifier_, RetransmitFrames(_, _));
-  }
+  EXPECT_CALL(notifier_, RetransmitFrames(_, _));
   QuicSentPacketManagerPeer::MarkForRetransmission(&manager_, 1,
                                                    TLP_RETRANSMISSION);
-  if (!manager_.session_decides_what_to_write()) {
-    EXPECT_TRUE(manager_.HasPendingRetransmissions());
-  }
 
-  manager_.CancelRetransmissionsForStream(kStreamId);
-  if (manager_.session_decides_what_to_write()) {
-    EXPECT_CALL(notifier_, IsFrameOutstanding(_)).WillRepeatedly(Return(false));
-  }
-
-  // There should no longer be a pending retransmission.
-  EXPECT_FALSE(manager_.HasPendingRetransmissions());
+  EXPECT_CALL(notifier_, IsFrameOutstanding(_)).WillRepeatedly(Return(false));
 
   uint64_t unacked[] = {1};
   VerifyUnackedPackets(unacked, QUIC_ARRAYSIZE(unacked));
@@ -498,7 +416,7 @@ TEST_P(QuicSentPacketManagerTest, RetransmitThenStopRetransmittingBeforeSend) {
   EXPECT_EQ(0u, stats_.packets_spuriously_retransmitted);
 }
 
-TEST_P(QuicSentPacketManagerTest, RetransmitThenAckPrevious) {
+TEST_F(QuicSentPacketManagerTest, RetransmitThenAckPrevious) {
   SendDataPacket(1);
   RetransmitAndSendPacket(1, 2);
   QuicTime::Delta rtt = QuicTime::Delta::FromMilliseconds(15);
@@ -512,30 +430,26 @@ TEST_P(QuicSentPacketManagerTest, RetransmitThenAckPrevious) {
   EXPECT_EQ(PACKETS_NEWLY_ACKED,
             manager_.OnAckFrameEnd(clock_.Now(), QuicPacketNumber(1),
                                    ENCRYPTION_INITIAL));
-  if (manager_.session_decides_what_to_write()) {
-    EXPECT_CALL(notifier_, IsFrameOutstanding(_)).WillRepeatedly(Return(false));
-  }
+  EXPECT_CALL(notifier_, IsFrameOutstanding(_)).WillRepeatedly(Return(false));
   // 2 remains unacked, but no packets have retransmittable data.
   uint64_t unacked[] = {2};
   VerifyUnackedPackets(unacked, QUIC_ARRAYSIZE(unacked));
   EXPECT_TRUE(manager_.HasInFlightPackets());
   VerifyRetransmittablePackets(nullptr, 0);
-  if (manager_.session_decides_what_to_write()) {
-    // Ack 2 causes 2 be considered as spurious retransmission.
-    EXPECT_CALL(notifier_, OnFrameAcked(_, _, _)).WillOnce(Return(false));
-    ExpectAck(2);
-    manager_.OnAckFrameStart(QuicPacketNumber(2), QuicTime::Delta::Infinite(),
-                             clock_.Now());
-    manager_.OnAckRange(QuicPacketNumber(1), QuicPacketNumber(3));
-    EXPECT_EQ(PACKETS_NEWLY_ACKED,
-              manager_.OnAckFrameEnd(clock_.Now(), QuicPacketNumber(2),
-                                     ENCRYPTION_INITIAL));
-  }
+  // Ack 2 causes 2 be considered as spurious retransmission.
+  EXPECT_CALL(notifier_, OnFrameAcked(_, _, _)).WillOnce(Return(false));
+  ExpectAck(2);
+  manager_.OnAckFrameStart(QuicPacketNumber(2), QuicTime::Delta::Infinite(),
+                           clock_.Now());
+  manager_.OnAckRange(QuicPacketNumber(1), QuicPacketNumber(3));
+  EXPECT_EQ(PACKETS_NEWLY_ACKED,
+            manager_.OnAckFrameEnd(clock_.Now(), QuicPacketNumber(2),
+                                   ENCRYPTION_INITIAL));
 
   EXPECT_EQ(1u, stats_.packets_spuriously_retransmitted);
 }
 
-TEST_P(QuicSentPacketManagerTest, RetransmitThenAckPreviousThenNackRetransmit) {
+TEST_F(QuicSentPacketManagerTest, RetransmitThenAckPreviousThenNackRetransmit) {
   SendDataPacket(1);
   RetransmitAndSendPacket(1, 2);
   QuicTime::Delta rtt = QuicTime::Delta::FromMilliseconds(15);
@@ -575,13 +489,11 @@ TEST_P(QuicSentPacketManagerTest, RetransmitThenAckPreviousThenNackRetransmit) {
                                    ENCRYPTION_INITIAL));
 
   ExpectAckAndLoss(true, 5, 2);
-  if (manager_.session_decides_what_to_write()) {
-    // Frames in all packets are acked.
-    EXPECT_CALL(notifier_, IsFrameOutstanding(_)).WillRepeatedly(Return(false));
-    // Notify session that stream frame in packet 2 gets lost although it is
-    // not outstanding.
-    EXPECT_CALL(notifier_, OnFrameLost(_)).Times(1);
-  }
+  // Frames in all packets are acked.
+  EXPECT_CALL(notifier_, IsFrameOutstanding(_)).WillRepeatedly(Return(false));
+  // Notify session that stream frame in packet 2 gets lost although it is
+  // not outstanding.
+  EXPECT_CALL(notifier_, OnFrameLost(_)).Times(1);
   manager_.OnAckFrameStart(QuicPacketNumber(5), QuicTime::Delta::Infinite(),
                            clock_.Now());
   manager_.OnAckRange(QuicPacketNumber(3), QuicPacketNumber(6));
@@ -590,13 +502,8 @@ TEST_P(QuicSentPacketManagerTest, RetransmitThenAckPreviousThenNackRetransmit) {
             manager_.OnAckFrameEnd(clock_.Now(), QuicPacketNumber(4),
                                    ENCRYPTION_INITIAL));
 
-  if (manager_.session_decides_what_to_write()) {
-    uint64_t unacked[] = {2};
-    VerifyUnackedPackets(unacked, QUIC_ARRAYSIZE(unacked));
-  } else {
-    // No packets remain unacked.
-    VerifyUnackedPackets(nullptr, 0);
-  }
+  uint64_t unacked[] = {2};
+  VerifyUnackedPackets(unacked, QUIC_ARRAYSIZE(unacked));
   EXPECT_FALSE(manager_.HasInFlightPackets());
   VerifyRetransmittablePackets(nullptr, 0);
 
@@ -605,7 +512,7 @@ TEST_P(QuicSentPacketManagerTest, RetransmitThenAckPreviousThenNackRetransmit) {
   EXPECT_EQ(QuicTime::Zero(), manager_.GetRetransmissionTime());
 }
 
-TEST_P(QuicSentPacketManagerTest,
+TEST_F(QuicSentPacketManagerTest,
        DISABLED_RetransmitTwiceThenAckPreviousBeforeSend) {
   SendDataPacket(1);
   RetransmitAndSendPacket(1, 2);
@@ -614,7 +521,6 @@ TEST_P(QuicSentPacketManagerTest,
   EXPECT_CALL(*send_algorithm_, OnRetransmissionTimeout(true));
   EXPECT_CALL(*network_change_visitor_, OnCongestionChange());
   manager_.OnRetransmissionTimeout();
-  EXPECT_TRUE(manager_.HasPendingRetransmissions());
 
   // Ack 1 but not 2, before 2 is able to be sent.
   // Since 1 has been retransmitted, it has already been lost, and so the
@@ -639,17 +545,11 @@ TEST_P(QuicSentPacketManagerTest,
   EXPECT_EQ(QuicTime::Zero(), manager_.GetRetransmissionTime());
 }
 
-TEST_P(QuicSentPacketManagerTest, RetransmitTwiceThenAckFirst) {
+TEST_F(QuicSentPacketManagerTest, RetransmitTwiceThenAckFirst) {
   StrictMock<MockDebugDelegate> debug_delegate;
-  if (manager_.session_decides_what_to_write()) {
-    EXPECT_CALL(debug_delegate, OnSpuriousPacketRetransmission(
-                                    TLP_RETRANSMISSION, kDefaultLength))
-        .Times(1);
-  } else {
-    EXPECT_CALL(debug_delegate, OnSpuriousPacketRetransmission(
-                                    TLP_RETRANSMISSION, kDefaultLength))
-        .Times(2);
-  }
+  EXPECT_CALL(debug_delegate, OnSpuriousPacketRetransmission(TLP_RETRANSMISSION,
+                                                             kDefaultLength))
+      .Times(1);
   manager_.SetDebugDelegate(&debug_delegate);
 
   SendDataPacket(1);
@@ -666,12 +566,10 @@ TEST_P(QuicSentPacketManagerTest, RetransmitTwiceThenAckFirst) {
   EXPECT_EQ(PACKETS_NEWLY_ACKED,
             manager_.OnAckFrameEnd(clock_.Now(), QuicPacketNumber(1),
                                    ENCRYPTION_INITIAL));
-  if (manager_.session_decides_what_to_write()) {
-    // Frames in packets 2 and 3 are acked.
-    EXPECT_CALL(notifier_, IsFrameOutstanding(_))
-        .Times(2)
-        .WillRepeatedly(Return(false));
-  }
+  // Frames in packets 2 and 3 are acked.
+  EXPECT_CALL(notifier_, IsFrameOutstanding(_))
+      .Times(2)
+      .WillRepeatedly(Return(false));
 
   // 2 and 3 remain unacked, but no packets have retransmittable data.
   uint64_t unacked[] = {2, 3};
@@ -681,12 +579,10 @@ TEST_P(QuicSentPacketManagerTest, RetransmitTwiceThenAckFirst) {
 
   // Ensure packet 2 is lost when 4 is sent and 3 and 4 are acked.
   SendDataPacket(4);
-  if (manager_.session_decides_what_to_write()) {
-    // No new data gets acked in packet 3.
-    EXPECT_CALL(notifier_, OnFrameAcked(_, _, _))
-        .WillOnce(Return(false))
-        .WillRepeatedly(Return(true));
-  }
+  // No new data gets acked in packet 3.
+  EXPECT_CALL(notifier_, OnFrameAcked(_, _, _))
+      .WillOnce(Return(false))
+      .WillRepeatedly(Return(true));
   uint64_t acked[] = {3, 4};
   ExpectAcksAndLosses(true, acked, QUIC_ARRAYSIZE(acked), nullptr, 0);
   manager_.OnAckFrameStart(QuicPacketNumber(4), QuicTime::Delta::Infinite(),
@@ -705,13 +601,11 @@ TEST_P(QuicSentPacketManagerTest, RetransmitTwiceThenAckFirst) {
   ExpectAckAndLoss(true, 5, 2);
   EXPECT_CALL(debug_delegate,
               OnPacketLoss(QuicPacketNumber(2), LOSS_RETRANSMISSION, _));
-  if (manager_.session_decides_what_to_write()) {
-    // Frames in all packets are acked.
-    EXPECT_CALL(notifier_, IsFrameOutstanding(_)).WillRepeatedly(Return(false));
-    // Notify session that stream frame in packet 2 gets lost although it is
-    // not outstanding.
-    EXPECT_CALL(notifier_, OnFrameLost(_)).Times(1);
-  }
+  // Frames in all packets are acked.
+  EXPECT_CALL(notifier_, IsFrameOutstanding(_)).WillRepeatedly(Return(false));
+  // Notify session that stream frame in packet 2 gets lost although it is
+  // not outstanding.
+  EXPECT_CALL(notifier_, OnFrameLost(_)).Times(1);
   manager_.OnAckFrameStart(QuicPacketNumber(5), QuicTime::Delta::Infinite(),
                            clock_.Now());
   manager_.OnAckRange(QuicPacketNumber(3), QuicPacketNumber(6));
@@ -720,23 +614,15 @@ TEST_P(QuicSentPacketManagerTest, RetransmitTwiceThenAckFirst) {
             manager_.OnAckFrameEnd(clock_.Now(), QuicPacketNumber(3),
                                    ENCRYPTION_INITIAL));
 
-  if (manager_.session_decides_what_to_write()) {
-    uint64_t unacked[] = {2};
-    VerifyUnackedPackets(unacked, QUIC_ARRAYSIZE(unacked));
-  } else {
-    VerifyUnackedPackets(nullptr, 0);
-  }
+  uint64_t unacked3[] = {2};
+  VerifyUnackedPackets(unacked3, QUIC_ARRAYSIZE(unacked3));
   EXPECT_FALSE(manager_.HasInFlightPackets());
-  if (manager_.session_decides_what_to_write()) {
-    // Spurious retransmission is detected when packet 3 gets acked. We cannot
-    // know packet 2 is a spurious until it gets acked.
-    EXPECT_EQ(1u, stats_.packets_spuriously_retransmitted);
-  } else {
-    EXPECT_EQ(2u, stats_.packets_spuriously_retransmitted);
-  }
+  // Spurious retransmission is detected when packet 3 gets acked. We cannot
+  // know packet 2 is a spurious until it gets acked.
+  EXPECT_EQ(1u, stats_.packets_spuriously_retransmitted);
 }
 
-TEST_P(QuicSentPacketManagerTest, AckOriginalTransmission) {
+TEST_F(QuicSentPacketManagerTest, AckOriginalTransmission) {
   auto loss_algorithm = std::make_unique<MockLossAlgorithm>();
   QuicSentPacketManagerPeer::SetLossAlgorithm(&manager_, loss_algorithm.get());
 
@@ -777,15 +663,9 @@ TEST_P(QuicSentPacketManagerTest, AckOriginalTransmission) {
     uint64_t acked[] = {3};
     ExpectAcksAndLosses(false, acked, QUIC_ARRAYSIZE(acked), nullptr, 0);
     EXPECT_CALL(*loss_algorithm, DetectLosses(_, _, _, _, _, _));
-    if (GetQuicReloadableFlag(quic_detect_spurious_loss) &&
-        manager_.session_decides_what_to_write()) {
-      EXPECT_CALL(*loss_algorithm,
-                  SpuriousLossDetected(_, _, _, QuicPacketNumber(3),
-                                       QuicPacketNumber(4)));
-    } else {
-      EXPECT_CALL(*loss_algorithm,
-                  SpuriousRetransmitDetected(_, _, _, QuicPacketNumber(5)));
-    }
+    EXPECT_CALL(*loss_algorithm,
+                SpuriousLossDetected(_, _, _, QuicPacketNumber(3),
+                                     QuicPacketNumber(4)));
     manager_.OnAckFrameStart(QuicPacketNumber(4), QuicTime::Delta::Infinite(),
                              clock_.Now());
     manager_.OnAckRange(QuicPacketNumber(3), QuicPacketNumber(5));
@@ -793,34 +673,32 @@ TEST_P(QuicSentPacketManagerTest, AckOriginalTransmission) {
     EXPECT_EQ(PACKETS_NEWLY_ACKED,
               manager_.OnAckFrameEnd(clock_.Now(), QuicPacketNumber(3),
                                      ENCRYPTION_INITIAL));
-    if (manager_.session_decides_what_to_write()) {
-      // Ack 3 will not cause 5 be considered as a spurious retransmission. Ack
-      // 5 will cause 5 be considered as a spurious retransmission as no new
-      // data gets acked.
-      ExpectAck(5);
-      EXPECT_CALL(*loss_algorithm, DetectLosses(_, _, _, _, _, _));
-      EXPECT_CALL(notifier_, OnFrameAcked(_, _, _)).WillOnce(Return(false));
-      manager_.OnAckFrameStart(QuicPacketNumber(5), QuicTime::Delta::Infinite(),
-                               clock_.Now());
-      manager_.OnAckRange(QuicPacketNumber(3), QuicPacketNumber(6));
-      manager_.OnAckRange(QuicPacketNumber(1), QuicPacketNumber(2));
-      EXPECT_EQ(PACKETS_NEWLY_ACKED,
-                manager_.OnAckFrameEnd(clock_.Now(), QuicPacketNumber(4),
-                                       ENCRYPTION_INITIAL));
-    }
+    // Ack 3 will not cause 5 be considered as a spurious retransmission. Ack
+    // 5 will cause 5 be considered as a spurious retransmission as no new
+    // data gets acked.
+    ExpectAck(5);
+    EXPECT_CALL(*loss_algorithm, DetectLosses(_, _, _, _, _, _));
+    EXPECT_CALL(notifier_, OnFrameAcked(_, _, _)).WillOnce(Return(false));
+    manager_.OnAckFrameStart(QuicPacketNumber(5), QuicTime::Delta::Infinite(),
+                             clock_.Now());
+    manager_.OnAckRange(QuicPacketNumber(3), QuicPacketNumber(6));
+    manager_.OnAckRange(QuicPacketNumber(1), QuicPacketNumber(2));
+    EXPECT_EQ(PACKETS_NEWLY_ACKED,
+              manager_.OnAckFrameEnd(clock_.Now(), QuicPacketNumber(4),
+                                     ENCRYPTION_INITIAL));
   }
 }
 
-TEST_P(QuicSentPacketManagerTest, GetLeastUnacked) {
+TEST_F(QuicSentPacketManagerTest, GetLeastUnacked) {
   EXPECT_EQ(QuicPacketNumber(1u), manager_.GetLeastUnacked());
 }
 
-TEST_P(QuicSentPacketManagerTest, GetLeastUnackedUnacked) {
+TEST_F(QuicSentPacketManagerTest, GetLeastUnackedUnacked) {
   SendDataPacket(1);
   EXPECT_EQ(QuicPacketNumber(1u), manager_.GetLeastUnacked());
 }
 
-TEST_P(QuicSentPacketManagerTest, AckAckAndUpdateRtt) {
+TEST_F(QuicSentPacketManagerTest, AckAckAndUpdateRtt) {
   EXPECT_FALSE(manager_.largest_packet_peer_knows_is_acked().IsInitialized());
   SendDataPacket(1);
   SendAckPacket(2, 1);
@@ -851,7 +729,7 @@ TEST_P(QuicSentPacketManagerTest, AckAckAndUpdateRtt) {
             manager_.largest_packet_peer_knows_is_acked());
 }
 
-TEST_P(QuicSentPacketManagerTest, Rtt) {
+TEST_F(QuicSentPacketManagerTest, Rtt) {
   QuicTime::Delta expected_rtt = QuicTime::Delta::FromMilliseconds(20);
   SendDataPacket(1);
   clock_.AdvanceTime(expected_rtt);
@@ -866,7 +744,7 @@ TEST_P(QuicSentPacketManagerTest, Rtt) {
   EXPECT_EQ(expected_rtt, manager_.GetRttStats()->latest_rtt());
 }
 
-TEST_P(QuicSentPacketManagerTest, RttWithInvalidDelta) {
+TEST_F(QuicSentPacketManagerTest, RttWithInvalidDelta) {
   // Expect that the RTT is equal to the local time elapsed, since the
   // ack_delay_time is larger than the local time elapsed
   // and is hence invalid.
@@ -884,7 +762,7 @@ TEST_P(QuicSentPacketManagerTest, RttWithInvalidDelta) {
   EXPECT_EQ(expected_rtt, manager_.GetRttStats()->latest_rtt());
 }
 
-TEST_P(QuicSentPacketManagerTest, RttWithInfiniteDelta) {
+TEST_F(QuicSentPacketManagerTest, RttWithInfiniteDelta) {
   // Expect that the RTT is equal to the local time elapsed, since the
   // ack_delay_time is infinite, and is hence invalid.
   QuicTime::Delta expected_rtt = QuicTime::Delta::FromMilliseconds(10);
@@ -901,7 +779,7 @@ TEST_P(QuicSentPacketManagerTest, RttWithInfiniteDelta) {
   EXPECT_EQ(expected_rtt, manager_.GetRttStats()->latest_rtt());
 }
 
-TEST_P(QuicSentPacketManagerTest, RttZeroDelta) {
+TEST_F(QuicSentPacketManagerTest, RttZeroDelta) {
   // Expect that the RTT is the time between send and receive since the
   // ack_delay_time is zero.
   QuicTime::Delta expected_rtt = QuicTime::Delta::FromMilliseconds(10);
@@ -918,7 +796,7 @@ TEST_P(QuicSentPacketManagerTest, RttZeroDelta) {
   EXPECT_EQ(expected_rtt, manager_.GetRttStats()->latest_rtt());
 }
 
-TEST_P(QuicSentPacketManagerTest, TailLossProbeTimeout) {
+TEST_F(QuicSentPacketManagerTest, TailLossProbeTimeout) {
   QuicSentPacketManagerPeer::SetMaxTailLossProbes(&manager_, 2);
 
   // Send 1 packet.
@@ -927,36 +805,20 @@ TEST_P(QuicSentPacketManagerTest, TailLossProbeTimeout) {
   // The first tail loss probe retransmits 1 packet.
   manager_.OnRetransmissionTimeout();
   EXPECT_EQ(QuicTime::Delta::Zero(), manager_.TimeUntilSend(clock_.Now()));
-  EXPECT_FALSE(manager_.HasPendingRetransmissions());
-  if (manager_.session_decides_what_to_write()) {
-    EXPECT_CALL(notifier_, RetransmitFrames(_, _))
-        .WillOnce(WithArgs<1>(Invoke(
-            [this](TransmissionType type) { RetransmitDataPacket(2, type); })));
-  }
+  EXPECT_CALL(notifier_, RetransmitFrames(_, _))
+      .WillOnce(WithArgs<1>(Invoke(
+          [this](TransmissionType type) { RetransmitDataPacket(2, type); })));
   manager_.MaybeRetransmitTailLossProbe();
-  if (!manager_.session_decides_what_to_write()) {
-    EXPECT_TRUE(manager_.HasPendingRetransmissions());
-    RetransmitNextPacket(2);
-    EXPECT_FALSE(manager_.HasPendingRetransmissions());
-  }
 
   // The second tail loss probe retransmits 1 packet.
   manager_.OnRetransmissionTimeout();
   EXPECT_EQ(QuicTime::Delta::Zero(), manager_.TimeUntilSend(clock_.Now()));
-  EXPECT_FALSE(manager_.HasPendingRetransmissions());
-  if (manager_.session_decides_what_to_write()) {
-    EXPECT_CALL(notifier_, RetransmitFrames(_, _))
-        .WillOnce(WithArgs<1>(Invoke(
-            [this](TransmissionType type) { RetransmitDataPacket(3, type); })));
-  }
+  EXPECT_CALL(notifier_, RetransmitFrames(_, _))
+      .WillOnce(WithArgs<1>(Invoke(
+          [this](TransmissionType type) { RetransmitDataPacket(3, type); })));
   manager_.MaybeRetransmitTailLossProbe();
-  if (!manager_.session_decides_what_to_write()) {
-    EXPECT_TRUE(manager_.HasPendingRetransmissions());
-    RetransmitNextPacket(3);
-  }
   EXPECT_CALL(*send_algorithm_, CanSend(_)).WillOnce(Return(false));
   EXPECT_EQ(QuicTime::Delta::Infinite(), manager_.TimeUntilSend(clock_.Now()));
-  EXPECT_FALSE(manager_.HasPendingRetransmissions());
 
   // Ack the third and ensure the first two are still pending.
   ExpectAck(3);
@@ -977,13 +839,11 @@ TEST_P(QuicSentPacketManagerTest, TailLossProbeTimeout) {
   uint64_t lost[] = {1, 2};
   ExpectAcksAndLosses(true, acked, QUIC_ARRAYSIZE(acked), lost,
                       QUIC_ARRAYSIZE(lost));
-  if (manager_.session_decides_what_to_write()) {
-    // Frames in all packets are acked.
-    EXPECT_CALL(notifier_, IsFrameOutstanding(_)).WillRepeatedly(Return(false));
-    // Notify session that stream frame in packets 1 and 2 get lost although
-    // they are not outstanding.
-    EXPECT_CALL(notifier_, OnFrameLost(_)).Times(2);
-  }
+  // Frames in all packets are acked.
+  EXPECT_CALL(notifier_, IsFrameOutstanding(_)).WillRepeatedly(Return(false));
+  // Notify session that stream frame in packets 1 and 2 get lost although
+  // they are not outstanding.
+  EXPECT_CALL(notifier_, OnFrameLost(_)).Times(2);
   manager_.OnAckFrameStart(QuicPacketNumber(5), QuicTime::Delta::Infinite(),
                            clock_.Now());
   manager_.OnAckRange(QuicPacketNumber(3), QuicPacketNumber(6));
@@ -991,13 +851,12 @@ TEST_P(QuicSentPacketManagerTest, TailLossProbeTimeout) {
             manager_.OnAckFrameEnd(clock_.Now(), QuicPacketNumber(2),
                                    ENCRYPTION_INITIAL));
 
-  EXPECT_FALSE(manager_.HasPendingRetransmissions());
   EXPECT_FALSE(manager_.HasInFlightPackets());
   EXPECT_EQ(2u, stats_.tlp_count);
   EXPECT_EQ(0u, stats_.rto_count);
 }
 
-TEST_P(QuicSentPacketManagerTest, TailLossProbeThenRTO) {
+TEST_F(QuicSentPacketManagerTest, TailLossProbeThenRTO) {
   QuicSentPacketManagerPeer::SetMaxTailLossProbes(&manager_, 2);
 
   // Send 100 packets.
@@ -1012,38 +871,21 @@ TEST_P(QuicSentPacketManagerTest, TailLossProbeThenRTO) {
   // The first tail loss probe retransmits 1 packet.
   manager_.OnRetransmissionTimeout();
   EXPECT_EQ(QuicTime::Delta::Zero(), manager_.TimeUntilSend(clock_.Now()));
-  EXPECT_FALSE(manager_.HasPendingRetransmissions());
-  if (manager_.session_decides_what_to_write()) {
-    EXPECT_CALL(notifier_, RetransmitFrames(_, _))
-        .WillOnce(WithArgs<1>(Invoke([this](TransmissionType type) {
-          RetransmitDataPacket(101, type);
-        })));
-  }
+  EXPECT_CALL(notifier_, RetransmitFrames(_, _))
+      .WillOnce(WithArgs<1>(Invoke(
+          [this](TransmissionType type) { RetransmitDataPacket(101, type); })));
   manager_.MaybeRetransmitTailLossProbe();
-  if (!manager_.session_decides_what_to_write()) {
-    EXPECT_TRUE(manager_.HasPendingRetransmissions());
-    RetransmitNextPacket(101);
-  }
   EXPECT_CALL(*send_algorithm_, CanSend(_)).WillOnce(Return(false));
   EXPECT_EQ(QuicTime::Delta::Infinite(), manager_.TimeUntilSend(clock_.Now()));
-  EXPECT_FALSE(manager_.HasPendingRetransmissions());
   clock_.AdvanceTime(manager_.GetRetransmissionTime() - clock_.Now());
 
   // The second tail loss probe retransmits 1 packet.
   manager_.OnRetransmissionTimeout();
   EXPECT_EQ(QuicTime::Delta::Zero(), manager_.TimeUntilSend(clock_.Now()));
-  EXPECT_FALSE(manager_.HasPendingRetransmissions());
-  if (manager_.session_decides_what_to_write()) {
-    EXPECT_CALL(notifier_, RetransmitFrames(_, _))
-        .WillOnce(WithArgs<1>(Invoke([this](TransmissionType type) {
-          RetransmitDataPacket(102, type);
-        })));
-  }
+  EXPECT_CALL(notifier_, RetransmitFrames(_, _))
+      .WillOnce(WithArgs<1>(Invoke(
+          [this](TransmissionType type) { RetransmitDataPacket(102, type); })));
   EXPECT_TRUE(manager_.MaybeRetransmitTailLossProbe());
-  if (!manager_.session_decides_what_to_write()) {
-    EXPECT_TRUE(manager_.HasPendingRetransmissions());
-    RetransmitNextPacket(102);
-  }
   EXPECT_CALL(*send_algorithm_, CanSend(_)).WillOnce(Return(false));
   EXPECT_EQ(QuicTime::Delta::Infinite(), manager_.TimeUntilSend(clock_.Now()));
 
@@ -1055,43 +897,29 @@ TEST_P(QuicSentPacketManagerTest, TailLossProbeThenRTO) {
   // Advance the time enough to ensure all packets are RTO'd.
   clock_.AdvanceTime(QuicTime::Delta::FromMilliseconds(1000));
 
-  if (manager_.session_decides_what_to_write()) {
-    EXPECT_CALL(notifier_, RetransmitFrames(_, _))
-        .Times(2)
-        .WillOnce(WithArgs<1>(Invoke([this](TransmissionType type) {
-          RetransmitDataPacket(103, type);
-        })))
-        .WillOnce(WithArgs<1>(Invoke([this](TransmissionType type) {
-          RetransmitDataPacket(104, type);
-        })));
-  }
+  EXPECT_CALL(notifier_, RetransmitFrames(_, _))
+      .Times(2)
+      .WillOnce(WithArgs<1>(Invoke(
+          [this](TransmissionType type) { RetransmitDataPacket(103, type); })))
+      .WillOnce(WithArgs<1>(Invoke(
+          [this](TransmissionType type) { RetransmitDataPacket(104, type); })));
   manager_.OnRetransmissionTimeout();
   EXPECT_EQ(2u, stats_.tlp_count);
   EXPECT_EQ(1u, stats_.rto_count);
-  if (manager_.session_decides_what_to_write()) {
-    // There are 2 RTO retransmissions.
-    EXPECT_EQ(104 * kDefaultLength, manager_.GetBytesInFlight());
-  }
-  if (!manager_.session_decides_what_to_write()) {
-    // Send and Ack the RTO and ensure OnRetransmissionTimeout is called.
-    EXPECT_EQ(102 * kDefaultLength, manager_.GetBytesInFlight());
-    EXPECT_TRUE(manager_.HasPendingRetransmissions());
-    RetransmitNextPacket(103);
-  }
+  // There are 2 RTO retransmissions.
+  EXPECT_EQ(104 * kDefaultLength, manager_.GetBytesInFlight());
   QuicPacketNumber largest_acked = QuicPacketNumber(103);
   EXPECT_CALL(*send_algorithm_, OnRetransmissionTimeout(true));
   EXPECT_CALL(*send_algorithm_,
               OnCongestionEvent(
                   true, _, _, Pointwise(PacketNumberEq(), {largest_acked}), _));
   EXPECT_CALL(*network_change_visitor_, OnCongestionChange());
-  if (manager_.session_decides_what_to_write()) {
-    // Although frames in packet 3 gets acked, it would be kept for another
-    // RTT.
-    EXPECT_CALL(notifier_, IsFrameOutstanding(_)).WillRepeatedly(Return(true));
-    // Packets [1, 102] are lost, although stream frame in packet 3 is not
-    // outstanding.
-    EXPECT_CALL(notifier_, OnFrameLost(_)).Times(102);
-  }
+  // Although frames in packet 3 gets acked, it would be kept for another
+  // RTT.
+  EXPECT_CALL(notifier_, IsFrameOutstanding(_)).WillRepeatedly(Return(true));
+  // Packets [1, 102] are lost, although stream frame in packet 3 is not
+  // outstanding.
+  EXPECT_CALL(notifier_, OnFrameLost(_)).Times(102);
   manager_.OnAckFrameStart(QuicPacketNumber(103), QuicTime::Delta::Infinite(),
                            clock_.Now());
   manager_.OnAckRange(QuicPacketNumber(103), QuicPacketNumber(104));
@@ -1099,15 +927,11 @@ TEST_P(QuicSentPacketManagerTest, TailLossProbeThenRTO) {
             manager_.OnAckFrameEnd(clock_.Now(), QuicPacketNumber(1),
                                    ENCRYPTION_INITIAL));
   // All packets before 103 should be lost.
-  if (manager_.session_decides_what_to_write()) {
-    // Packet 104 is still in flight.
-    EXPECT_EQ(1000u, manager_.GetBytesInFlight());
-  } else {
-    EXPECT_EQ(0u, manager_.GetBytesInFlight());
-  }
+  // Packet 104 is still in flight.
+  EXPECT_EQ(1000u, manager_.GetBytesInFlight());
 }
 
-TEST_P(QuicSentPacketManagerTest, CryptoHandshakeTimeout) {
+TEST_F(QuicSentPacketManagerTest, CryptoHandshakeTimeout) {
   // Send 2 crypto packets and 3 data packets.
   const size_t kNumSentCryptoPackets = 2;
   for (size_t i = 1; i <= kNumSentCryptoPackets; ++i) {
@@ -1121,37 +945,21 @@ TEST_P(QuicSentPacketManagerTest, CryptoHandshakeTimeout) {
   EXPECT_EQ(5 * kDefaultLength, manager_.GetBytesInFlight());
 
   // The first retransmits 2 packets.
-  if (manager_.session_decides_what_to_write()) {
-    EXPECT_CALL(notifier_, RetransmitFrames(_, _))
-        .Times(2)
-        .WillOnce(InvokeWithoutArgs([this]() { RetransmitCryptoPacket(6); }))
-        .WillOnce(InvokeWithoutArgs([this]() { RetransmitCryptoPacket(7); }));
-  }
+  EXPECT_CALL(notifier_, RetransmitFrames(_, _))
+      .Times(2)
+      .WillOnce(InvokeWithoutArgs([this]() { RetransmitCryptoPacket(6); }))
+      .WillOnce(InvokeWithoutArgs([this]() { RetransmitCryptoPacket(7); }));
   manager_.OnRetransmissionTimeout();
-  if (!manager_.session_decides_what_to_write()) {
-    EXPECT_EQ(QuicTime::Delta::Zero(), manager_.TimeUntilSend(clock_.Now()));
-    RetransmitNextPacket(6);
-    RetransmitNextPacket(7);
-    EXPECT_FALSE(manager_.HasPendingRetransmissions());
-  }
   // Expect all 4 handshake packets to be in flight and 3 data packets.
   EXPECT_EQ(7 * kDefaultLength, manager_.GetBytesInFlight());
   EXPECT_TRUE(manager_.HasUnackedCryptoPackets());
 
   // The second retransmits 2 packets.
-  if (manager_.session_decides_what_to_write()) {
-    EXPECT_CALL(notifier_, RetransmitFrames(_, _))
-        .Times(2)
-        .WillOnce(InvokeWithoutArgs([this]() { RetransmitCryptoPacket(8); }))
-        .WillOnce(InvokeWithoutArgs([this]() { RetransmitCryptoPacket(9); }));
-  }
+  EXPECT_CALL(notifier_, RetransmitFrames(_, _))
+      .Times(2)
+      .WillOnce(InvokeWithoutArgs([this]() { RetransmitCryptoPacket(8); }))
+      .WillOnce(InvokeWithoutArgs([this]() { RetransmitCryptoPacket(9); }));
   manager_.OnRetransmissionTimeout();
-  if (!manager_.session_decides_what_to_write()) {
-    EXPECT_EQ(QuicTime::Delta::Zero(), manager_.TimeUntilSend(clock_.Now()));
-    RetransmitNextPacket(8);
-    RetransmitNextPacket(9);
-    EXPECT_FALSE(manager_.HasPendingRetransmissions());
-  }
   EXPECT_EQ(9 * kDefaultLength, manager_.GetBytesInFlight());
   EXPECT_TRUE(manager_.HasUnackedCryptoPackets());
 
@@ -1162,13 +970,8 @@ TEST_P(QuicSentPacketManagerTest, CryptoHandshakeTimeout) {
   uint64_t lost[] = {1, 2, 6};
   ExpectAcksAndLosses(true, acked, QUIC_ARRAYSIZE(acked), lost,
                       QUIC_ARRAYSIZE(lost));
-  if (manager_.session_decides_what_to_write()) {
-    EXPECT_CALL(notifier_, OnFrameLost(_)).Times(3);
-  }
-  if (manager_.session_decides_what_to_write()) {
-    EXPECT_CALL(notifier_, HasUnackedCryptoData())
-        .WillRepeatedly(Return(false));
-  }
+  EXPECT_CALL(notifier_, OnFrameLost(_)).Times(3);
+  EXPECT_CALL(notifier_, HasUnackedCryptoData()).WillRepeatedly(Return(false));
   manager_.OnAckFrameStart(QuicPacketNumber(9), QuicTime::Delta::Infinite(),
                            clock_.Now());
   manager_.OnAckRange(QuicPacketNumber(8), QuicPacketNumber(10));
@@ -1180,7 +983,7 @@ TEST_P(QuicSentPacketManagerTest, CryptoHandshakeTimeout) {
   EXPECT_FALSE(manager_.HasUnackedCryptoPackets());
 }
 
-TEST_P(QuicSentPacketManagerTest, CryptoHandshakeTimeoutVersionNegotiation) {
+TEST_F(QuicSentPacketManagerTest, CryptoHandshakeTimeoutVersionNegotiation) {
   // Send 2 crypto packets and 3 data packets.
   const size_t kNumSentCryptoPackets = 2;
   for (size_t i = 1; i <= kNumSentCryptoPackets; ++i) {
@@ -1192,51 +995,26 @@ TEST_P(QuicSentPacketManagerTest, CryptoHandshakeTimeoutVersionNegotiation) {
   }
   EXPECT_TRUE(manager_.HasUnackedCryptoPackets());
 
-  if (manager_.session_decides_what_to_write()) {
-    EXPECT_CALL(notifier_, RetransmitFrames(_, _))
-        .Times(2)
-        .WillOnce(InvokeWithoutArgs([this]() { RetransmitCryptoPacket(6); }))
-        .WillOnce(InvokeWithoutArgs([this]() { RetransmitCryptoPacket(7); }));
-  }
+  EXPECT_CALL(notifier_, RetransmitFrames(_, _))
+      .Times(2)
+      .WillOnce(InvokeWithoutArgs([this]() { RetransmitCryptoPacket(6); }))
+      .WillOnce(InvokeWithoutArgs([this]() { RetransmitCryptoPacket(7); }));
   manager_.OnRetransmissionTimeout();
-  if (!manager_.session_decides_what_to_write()) {
-    RetransmitNextPacket(6);
-    RetransmitNextPacket(7);
-    EXPECT_FALSE(manager_.HasPendingRetransmissions());
-  }
   EXPECT_TRUE(manager_.HasUnackedCryptoPackets());
 
   // Now act like a version negotiation packet arrived, which would cause all
   // unacked packets to be retransmitted.
-  if (manager_.session_decides_what_to_write()) {
-    // Mark packets [1, 7] lost. And the frames in 6 and 7 are same as packets 1
-    // and 2, respectively.
-    EXPECT_CALL(notifier_, OnFrameLost(_)).Times(7);
-  }
+  // Mark packets [1, 7] lost. And the frames in 6 and 7 are same as packets 1
+  // and 2, respectively.
+  EXPECT_CALL(notifier_, OnFrameLost(_)).Times(7);
   manager_.RetransmitUnackedPackets(ALL_UNACKED_RETRANSMISSION);
 
   // Ensure the first two pending packets are the crypto retransmits.
-  if (manager_.session_decides_what_to_write()) {
-    RetransmitCryptoPacket(8);
-    RetransmitCryptoPacket(9);
-    RetransmitDataPacket(10, ALL_UNACKED_RETRANSMISSION);
-    RetransmitDataPacket(11, ALL_UNACKED_RETRANSMISSION);
-    RetransmitDataPacket(12, ALL_UNACKED_RETRANSMISSION);
-  } else {
-    ASSERT_TRUE(manager_.HasPendingRetransmissions());
-    EXPECT_EQ(QuicPacketNumber(6u),
-              manager_.NextPendingRetransmission().packet_number);
-    RetransmitNextPacket(8);
-    EXPECT_EQ(QuicPacketNumber(7u),
-              manager_.NextPendingRetransmission().packet_number);
-    RetransmitNextPacket(9);
-    EXPECT_TRUE(manager_.HasPendingRetransmissions());
-    // Send 3 more data packets and ensure the least unacked is raised.
-    RetransmitNextPacket(10);
-    RetransmitNextPacket(11);
-    RetransmitNextPacket(12);
-    EXPECT_FALSE(manager_.HasPendingRetransmissions());
-  }
+  RetransmitCryptoPacket(8);
+  RetransmitCryptoPacket(9);
+  RetransmitDataPacket(10, ALL_UNACKED_RETRANSMISSION);
+  RetransmitDataPacket(11, ALL_UNACKED_RETRANSMISSION);
+  RetransmitDataPacket(12, ALL_UNACKED_RETRANSMISSION);
 
   EXPECT_EQ(QuicPacketNumber(1u), manager_.GetLeastUnacked());
   // Least unacked isn't raised until an ack is received, so ack the
@@ -1249,47 +1027,31 @@ TEST_P(QuicSentPacketManagerTest, CryptoHandshakeTimeoutVersionNegotiation) {
   EXPECT_EQ(PACKETS_NEWLY_ACKED,
             manager_.OnAckFrameEnd(clock_.Now(), QuicPacketNumber(1),
                                    ENCRYPTION_INITIAL));
-  if (manager_.session_decides_what_to_write()) {
-    EXPECT_CALL(notifier_, HasUnackedCryptoData())
-        .WillRepeatedly(Return(false));
-  }
+  EXPECT_CALL(notifier_, HasUnackedCryptoData()).WillRepeatedly(Return(false));
   EXPECT_EQ(QuicPacketNumber(10u), manager_.GetLeastUnacked());
 }
 
-TEST_P(QuicSentPacketManagerTest, CryptoHandshakeSpuriousRetransmission) {
+TEST_F(QuicSentPacketManagerTest, CryptoHandshakeSpuriousRetransmission) {
   // Send 1 crypto packet.
   SendCryptoPacket(1);
   EXPECT_TRUE(manager_.HasUnackedCryptoPackets());
 
   // Retransmit the crypto packet as 2.
-  if (manager_.session_decides_what_to_write()) {
-    EXPECT_CALL(notifier_, RetransmitFrames(_, _))
-        .WillOnce(InvokeWithoutArgs([this]() { RetransmitCryptoPacket(2); }));
-  }
+  EXPECT_CALL(notifier_, RetransmitFrames(_, _))
+      .WillOnce(InvokeWithoutArgs([this]() { RetransmitCryptoPacket(2); }));
   manager_.OnRetransmissionTimeout();
-  if (!manager_.session_decides_what_to_write()) {
-    RetransmitNextPacket(2);
-  }
 
   // Retransmit the crypto packet as 3.
-  if (manager_.session_decides_what_to_write()) {
-    EXPECT_CALL(notifier_, RetransmitFrames(_, _))
-        .WillOnce(InvokeWithoutArgs([this]() { RetransmitCryptoPacket(3); }));
-  }
+  EXPECT_CALL(notifier_, RetransmitFrames(_, _))
+      .WillOnce(InvokeWithoutArgs([this]() { RetransmitCryptoPacket(3); }));
   manager_.OnRetransmissionTimeout();
-  if (!manager_.session_decides_what_to_write()) {
-    RetransmitNextPacket(3);
-  }
 
   // Now ack the second crypto packet, and ensure the first gets removed, but
   // the third does not.
   uint64_t acked[] = {2};
   ExpectAcksAndLosses(true, acked, QUIC_ARRAYSIZE(acked), nullptr, 0);
-  if (manager_.session_decides_what_to_write()) {
-    EXPECT_CALL(notifier_, HasUnackedCryptoData())
-        .WillRepeatedly(Return(false));
-    EXPECT_CALL(notifier_, IsFrameOutstanding(_)).WillRepeatedly(Return(false));
-  }
+  EXPECT_CALL(notifier_, HasUnackedCryptoData()).WillRepeatedly(Return(false));
+  EXPECT_CALL(notifier_, IsFrameOutstanding(_)).WillRepeatedly(Return(false));
   manager_.OnAckFrameStart(QuicPacketNumber(2), QuicTime::Delta::Infinite(),
                            clock_.Now());
   manager_.OnAckRange(QuicPacketNumber(2), QuicPacketNumber(3));
@@ -1302,7 +1064,7 @@ TEST_P(QuicSentPacketManagerTest, CryptoHandshakeSpuriousRetransmission) {
   VerifyUnackedPackets(unacked, QUIC_ARRAYSIZE(unacked));
 }
 
-TEST_P(QuicSentPacketManagerTest, CryptoHandshakeTimeoutUnsentDataPacket) {
+TEST_F(QuicSentPacketManagerTest, CryptoHandshakeTimeoutUnsentDataPacket) {
   // Send 2 crypto packets and 1 data packet.
   const size_t kNumSentCryptoPackets = 2;
   for (size_t i = 1; i <= kNumSentCryptoPackets; ++i) {
@@ -1312,22 +1074,15 @@ TEST_P(QuicSentPacketManagerTest, CryptoHandshakeTimeoutUnsentDataPacket) {
   EXPECT_TRUE(manager_.HasUnackedCryptoPackets());
 
   // Retransmit 2 crypto packets, but not the serialized packet.
-  if (manager_.session_decides_what_to_write()) {
-    EXPECT_CALL(notifier_, RetransmitFrames(_, _))
-        .Times(2)
-        .WillOnce(InvokeWithoutArgs([this]() { RetransmitCryptoPacket(4); }))
-        .WillOnce(InvokeWithoutArgs([this]() { RetransmitCryptoPacket(5); }));
-  }
+  EXPECT_CALL(notifier_, RetransmitFrames(_, _))
+      .Times(2)
+      .WillOnce(InvokeWithoutArgs([this]() { RetransmitCryptoPacket(4); }))
+      .WillOnce(InvokeWithoutArgs([this]() { RetransmitCryptoPacket(5); }));
   manager_.OnRetransmissionTimeout();
-  if (!manager_.session_decides_what_to_write()) {
-    RetransmitNextPacket(4);
-    RetransmitNextPacket(5);
-    EXPECT_FALSE(manager_.HasPendingRetransmissions());
-  }
   EXPECT_TRUE(manager_.HasUnackedCryptoPackets());
 }
 
-TEST_P(QuicSentPacketManagerTest,
+TEST_F(QuicSentPacketManagerTest,
        CryptoHandshakeRetransmissionThenRetransmitAll) {
   // Send 1 crypto packet.
   SendCryptoPacket(1);
@@ -1335,36 +1090,21 @@ TEST_P(QuicSentPacketManagerTest,
   EXPECT_TRUE(manager_.HasUnackedCryptoPackets());
 
   // Retransmit the crypto packet as 2.
-  if (manager_.session_decides_what_to_write()) {
-    EXPECT_CALL(notifier_, RetransmitFrames(_, _))
-        .WillOnce(InvokeWithoutArgs([this]() { RetransmitCryptoPacket(2); }));
-  }
+  EXPECT_CALL(notifier_, RetransmitFrames(_, _))
+      .WillOnce(InvokeWithoutArgs([this]() { RetransmitCryptoPacket(2); }));
   manager_.OnRetransmissionTimeout();
-  if (!manager_.session_decides_what_to_write()) {
-    RetransmitNextPacket(2);
-  }
   // Now retransmit all the unacked packets, which occurs when there is a
   // version negotiation.
-  if (manager_.session_decides_what_to_write()) {
-    EXPECT_CALL(notifier_, OnFrameLost(_)).Times(2);
-  }
+  EXPECT_CALL(notifier_, OnFrameLost(_)).Times(2);
   manager_.RetransmitUnackedPackets(ALL_UNACKED_RETRANSMISSION);
-  if (manager_.session_decides_what_to_write()) {
-    // Both packets 1 and 2 are unackable.
-    EXPECT_FALSE(manager_.unacked_packets().IsUnacked(QuicPacketNumber(1)));
-    EXPECT_FALSE(manager_.unacked_packets().IsUnacked(QuicPacketNumber(2)));
-  } else {
-    // Packet 2 is useful because it does not get retransmitted and still has
-    // retransmittable frames.
-    uint64_t unacked[] = {1, 2};
-    VerifyUnackedPackets(unacked, QUIC_ARRAYSIZE(unacked));
-    EXPECT_TRUE(manager_.HasPendingRetransmissions());
-  }
+  // Both packets 1 and 2 are unackable.
+  EXPECT_FALSE(manager_.unacked_packets().IsUnacked(QuicPacketNumber(1)));
+  EXPECT_FALSE(manager_.unacked_packets().IsUnacked(QuicPacketNumber(2)));
   EXPECT_TRUE(manager_.HasUnackedCryptoPackets());
   EXPECT_FALSE(manager_.HasInFlightPackets());
 }
 
-TEST_P(QuicSentPacketManagerTest,
+TEST_F(QuicSentPacketManagerTest,
        CryptoHandshakeRetransmissionThenNeuterAndAck) {
   // Send 1 crypto packet.
   SendCryptoPacket(1);
@@ -1372,40 +1112,26 @@ TEST_P(QuicSentPacketManagerTest,
   EXPECT_TRUE(manager_.HasUnackedCryptoPackets());
 
   // Retransmit the crypto packet as 2.
-  if (manager_.session_decides_what_to_write()) {
-    EXPECT_CALL(notifier_, RetransmitFrames(_, _))
-        .WillOnce(InvokeWithoutArgs([this]() { RetransmitCryptoPacket(2); }));
-  }
+  EXPECT_CALL(notifier_, RetransmitFrames(_, _))
+      .WillOnce(InvokeWithoutArgs([this]() { RetransmitCryptoPacket(2); }));
   manager_.OnRetransmissionTimeout();
-  if (!manager_.session_decides_what_to_write()) {
-    RetransmitNextPacket(2);
-  }
   EXPECT_TRUE(manager_.HasUnackedCryptoPackets());
 
   // Retransmit the crypto packet as 3.
-  if (manager_.session_decides_what_to_write()) {
-    EXPECT_CALL(notifier_, RetransmitFrames(_, _))
-        .WillOnce(InvokeWithoutArgs([this]() { RetransmitCryptoPacket(3); }));
-  }
+  EXPECT_CALL(notifier_, RetransmitFrames(_, _))
+      .WillOnce(InvokeWithoutArgs([this]() { RetransmitCryptoPacket(3); }));
   manager_.OnRetransmissionTimeout();
-  if (!manager_.session_decides_what_to_write()) {
-    RetransmitNextPacket(3);
-  }
   EXPECT_TRUE(manager_.HasUnackedCryptoPackets());
 
   // Now neuter all unacked unencrypted packets, which occurs when the
   // connection goes forward secure.
+  EXPECT_CALL(notifier_, HasUnackedCryptoData()).WillRepeatedly(Return(false));
+  EXPECT_CALL(notifier_, IsFrameOutstanding(_)).WillRepeatedly(Return(false));
   manager_.NeuterUnencryptedPackets();
-  if (manager_.session_decides_what_to_write()) {
-    EXPECT_CALL(notifier_, HasUnackedCryptoData())
-        .WillRepeatedly(Return(false));
-    EXPECT_CALL(notifier_, IsFrameOutstanding(_)).WillRepeatedly(Return(false));
-  }
   EXPECT_FALSE(manager_.HasUnackedCryptoPackets());
   uint64_t unacked[] = {1, 2, 3};
   VerifyUnackedPackets(unacked, QUIC_ARRAYSIZE(unacked));
   VerifyRetransmittablePackets(nullptr, 0);
-  EXPECT_FALSE(manager_.HasPendingRetransmissions());
   EXPECT_FALSE(manager_.HasUnackedCryptoPackets());
   EXPECT_FALSE(manager_.HasInFlightPackets());
 
@@ -1422,7 +1148,7 @@ TEST_P(QuicSentPacketManagerTest,
   VerifyRetransmittablePackets(nullptr, 0);
 }
 
-TEST_P(QuicSentPacketManagerTest, RetransmissionTimeout) {
+TEST_F(QuicSentPacketManagerTest, RetransmissionTimeout) {
   StrictMock<MockDebugDelegate> debug_delegate;
   manager_.SetDebugDelegate(&debug_delegate);
 
@@ -1433,27 +1159,14 @@ TEST_P(QuicSentPacketManagerTest, RetransmissionTimeout) {
   }
 
   EXPECT_FALSE(manager_.MaybeRetransmitTailLossProbe());
-  if (manager_.session_decides_what_to_write()) {
-    EXPECT_CALL(notifier_, RetransmitFrames(_, _))
-        .Times(2)
-        .WillOnce(WithArgs<1>(Invoke([this](TransmissionType type) {
-          RetransmitDataPacket(101, type);
-        })))
-        .WillOnce(WithArgs<1>(Invoke([this](TransmissionType type) {
-          RetransmitDataPacket(102, type);
-        })));
-  }
+  EXPECT_CALL(notifier_, RetransmitFrames(_, _))
+      .Times(2)
+      .WillOnce(WithArgs<1>(Invoke(
+          [this](TransmissionType type) { RetransmitDataPacket(101, type); })))
+      .WillOnce(WithArgs<1>(Invoke(
+          [this](TransmissionType type) { RetransmitDataPacket(102, type); })));
   manager_.OnRetransmissionTimeout();
-  if (manager_.session_decides_what_to_write()) {
-    EXPECT_EQ(102 * kDefaultLength, manager_.GetBytesInFlight());
-  } else {
-    ASSERT_TRUE(manager_.HasPendingRetransmissions());
-    EXPECT_EQ(100 * kDefaultLength, manager_.GetBytesInFlight());
-    RetransmitNextPacket(101);
-    ASSERT_TRUE(manager_.HasPendingRetransmissions());
-    RetransmitNextPacket(102);
-    EXPECT_FALSE(manager_.HasPendingRetransmissions());
-  }
+  EXPECT_EQ(102 * kDefaultLength, manager_.GetBytesInFlight());
 
   // Ack a retransmission.
   // Ensure no packets are lost.
@@ -1470,12 +1183,10 @@ TEST_P(QuicSentPacketManagerTest, RetransmissionTimeout) {
     EXPECT_CALL(debug_delegate,
                 OnPacketLoss(QuicPacketNumber(i), LOSS_RETRANSMISSION, _));
   }
-  if (manager_.session_decides_what_to_write()) {
-    EXPECT_CALL(notifier_, IsFrameOutstanding(_)).WillRepeatedly(Return(true));
-    // Packets [1, 99] are considered as lost, although stream frame in packet
-    // 2 is not outstanding.
-    EXPECT_CALL(notifier_, OnFrameLost(_)).Times(99);
-  }
+  EXPECT_CALL(notifier_, IsFrameOutstanding(_)).WillRepeatedly(Return(true));
+  // Packets [1, 99] are considered as lost, although stream frame in packet
+  // 2 is not outstanding.
+  EXPECT_CALL(notifier_, OnFrameLost(_)).Times(99);
   manager_.OnAckFrameStart(QuicPacketNumber(102), QuicTime::Delta::Zero(),
                            clock_.Now());
   manager_.OnAckRange(QuicPacketNumber(102), QuicPacketNumber(103));
@@ -1484,7 +1195,7 @@ TEST_P(QuicSentPacketManagerTest, RetransmissionTimeout) {
                                    ENCRYPTION_INITIAL));
 }
 
-TEST_P(QuicSentPacketManagerTest, RetransmissionTimeoutOnePacket) {
+TEST_F(QuicSentPacketManagerTest, RetransmissionTimeoutOnePacket) {
   // Set the 1RTO connection option.
   QuicConfig client_config;
   QuicTagVector options;
@@ -1510,25 +1221,15 @@ TEST_P(QuicSentPacketManagerTest, RetransmissionTimeoutOnePacket) {
   }
 
   EXPECT_FALSE(manager_.MaybeRetransmitTailLossProbe());
-  if (manager_.session_decides_what_to_write()) {
-    EXPECT_CALL(notifier_, RetransmitFrames(_, _))
-        .Times(1)
-        .WillOnce(WithArgs<1>(Invoke([this](TransmissionType type) {
-          RetransmitDataPacket(101, type);
-        })));
-  }
+  EXPECT_CALL(notifier_, RetransmitFrames(_, _))
+      .Times(1)
+      .WillOnce(WithArgs<1>(Invoke(
+          [this](TransmissionType type) { RetransmitDataPacket(101, type); })));
   manager_.OnRetransmissionTimeout();
-  if (manager_.session_decides_what_to_write()) {
-    EXPECT_EQ(101 * kDefaultLength, manager_.GetBytesInFlight());
-  } else {
-    ASSERT_TRUE(manager_.HasPendingRetransmissions());
-    EXPECT_EQ(100 * kDefaultLength, manager_.GetBytesInFlight());
-    RetransmitNextPacket(101);
-    EXPECT_FALSE(manager_.HasPendingRetransmissions());
-  }
+  EXPECT_EQ(101 * kDefaultLength, manager_.GetBytesInFlight());
 }
 
-TEST_P(QuicSentPacketManagerTest, NewRetransmissionTimeout) {
+TEST_F(QuicSentPacketManagerTest, NewRetransmissionTimeout) {
   QuicConfig client_config;
   QuicTagVector options;
   options.push_back(kNRTO);
@@ -1551,26 +1252,14 @@ TEST_P(QuicSentPacketManagerTest, NewRetransmissionTimeout) {
   }
 
   EXPECT_FALSE(manager_.MaybeRetransmitTailLossProbe());
-  if (manager_.session_decides_what_to_write()) {
-    EXPECT_CALL(notifier_, RetransmitFrames(_, _))
-        .Times(2)
-        .WillOnce(WithArgs<1>(Invoke([this](TransmissionType type) {
-          RetransmitDataPacket(101, type);
-        })))
-        .WillOnce(WithArgs<1>(Invoke([this](TransmissionType type) {
-          RetransmitDataPacket(102, type);
-        })));
-  }
+  EXPECT_CALL(notifier_, RetransmitFrames(_, _))
+      .Times(2)
+      .WillOnce(WithArgs<1>(Invoke(
+          [this](TransmissionType type) { RetransmitDataPacket(101, type); })))
+      .WillOnce(WithArgs<1>(Invoke(
+          [this](TransmissionType type) { RetransmitDataPacket(102, type); })));
   manager_.OnRetransmissionTimeout();
-  if (manager_.session_decides_what_to_write()) {
-    EXPECT_EQ(102 * kDefaultLength, manager_.GetBytesInFlight());
-  } else {
-    EXPECT_TRUE(manager_.HasPendingRetransmissions());
-    EXPECT_EQ(100 * kDefaultLength, manager_.GetBytesInFlight());
-    RetransmitNextPacket(101);
-    RetransmitNextPacket(102);
-    EXPECT_FALSE(manager_.HasPendingRetransmissions());
-  }
+  EXPECT_EQ(102 * kDefaultLength, manager_.GetBytesInFlight());
 
   // Ack a retransmission and expect no call to OnRetransmissionTimeout.
   // This will include packets in the lost packet map.
@@ -1580,12 +1269,10 @@ TEST_P(QuicSentPacketManagerTest, NewRetransmissionTimeout) {
                                 Pointwise(PacketNumberEq(), {largest_acked}),
                                 /*lost_packets=*/Not(IsEmpty())));
   EXPECT_CALL(*network_change_visitor_, OnCongestionChange());
-  if (manager_.session_decides_what_to_write()) {
-    EXPECT_CALL(notifier_, IsFrameOutstanding(_)).WillRepeatedly(Return(true));
-    // Packets [1, 99] are considered as lost, although stream frame in packet
-    // 2 is not outstanding.
-    EXPECT_CALL(notifier_, OnFrameLost(_)).Times(99);
-  }
+  EXPECT_CALL(notifier_, IsFrameOutstanding(_)).WillRepeatedly(Return(true));
+  // Packets [1, 99] are considered as lost, although stream frame in packet
+  // 2 is not outstanding.
+  EXPECT_CALL(notifier_, OnFrameLost(_)).Times(99);
   manager_.OnAckFrameStart(QuicPacketNumber(102), QuicTime::Delta::Zero(),
                            clock_.Now());
   manager_.OnAckRange(QuicPacketNumber(102), QuicPacketNumber(103));
@@ -1594,40 +1281,22 @@ TEST_P(QuicSentPacketManagerTest, NewRetransmissionTimeout) {
                                    ENCRYPTION_INITIAL));
 }
 
-TEST_P(QuicSentPacketManagerTest, TwoRetransmissionTimeoutsAckSecond) {
+TEST_F(QuicSentPacketManagerTest, TwoRetransmissionTimeoutsAckSecond) {
   // Send 1 packet.
   SendDataPacket(1);
 
-  if (manager_.session_decides_what_to_write()) {
-    EXPECT_CALL(notifier_, RetransmitFrames(_, _))
-        .WillOnce(WithArgs<1>(Invoke(
-            [this](TransmissionType type) { RetransmitDataPacket(2, type); })));
-  }
+  EXPECT_CALL(notifier_, RetransmitFrames(_, _))
+      .WillOnce(WithArgs<1>(Invoke(
+          [this](TransmissionType type) { RetransmitDataPacket(2, type); })));
   manager_.OnRetransmissionTimeout();
-  if (manager_.session_decides_what_to_write()) {
-    EXPECT_EQ(2 * kDefaultLength, manager_.GetBytesInFlight());
-  } else {
-    EXPECT_TRUE(manager_.HasPendingRetransmissions());
-    EXPECT_EQ(kDefaultLength, manager_.GetBytesInFlight());
-    RetransmitNextPacket(2);
-    EXPECT_FALSE(manager_.HasPendingRetransmissions());
-  }
+  EXPECT_EQ(2 * kDefaultLength, manager_.GetBytesInFlight());
 
   // Rto a second time.
-  if (manager_.session_decides_what_to_write()) {
-    EXPECT_CALL(notifier_, RetransmitFrames(_, _))
-        .WillOnce(WithArgs<1>(Invoke(
-            [this](TransmissionType type) { RetransmitDataPacket(3, type); })));
-  }
+  EXPECT_CALL(notifier_, RetransmitFrames(_, _))
+      .WillOnce(WithArgs<1>(Invoke(
+          [this](TransmissionType type) { RetransmitDataPacket(3, type); })));
   manager_.OnRetransmissionTimeout();
-  if (manager_.session_decides_what_to_write()) {
-    EXPECT_EQ(3 * kDefaultLength, manager_.GetBytesInFlight());
-  } else {
-    EXPECT_TRUE(manager_.HasPendingRetransmissions());
-    EXPECT_EQ(2 * kDefaultLength, manager_.GetBytesInFlight());
-    RetransmitNextPacket(3);
-    EXPECT_FALSE(manager_.HasPendingRetransmissions());
-  }
+  EXPECT_EQ(3 * kDefaultLength, manager_.GetBytesInFlight());
 
   // Ack a retransmission and ensure OnRetransmissionTimeout is called.
   EXPECT_CALL(*send_algorithm_, OnRetransmissionTimeout(true));
@@ -1643,40 +1312,22 @@ TEST_P(QuicSentPacketManagerTest, TwoRetransmissionTimeoutsAckSecond) {
   EXPECT_EQ(2 * kDefaultLength, manager_.GetBytesInFlight());
 }
 
-TEST_P(QuicSentPacketManagerTest, TwoRetransmissionTimeoutsAckFirst) {
+TEST_F(QuicSentPacketManagerTest, TwoRetransmissionTimeoutsAckFirst) {
   // Send 1 packet.
   SendDataPacket(1);
 
-  if (manager_.session_decides_what_to_write()) {
-    EXPECT_CALL(notifier_, RetransmitFrames(_, _))
-        .WillOnce(WithArgs<1>(Invoke(
-            [this](TransmissionType type) { RetransmitDataPacket(2, type); })));
-  }
+  EXPECT_CALL(notifier_, RetransmitFrames(_, _))
+      .WillOnce(WithArgs<1>(Invoke(
+          [this](TransmissionType type) { RetransmitDataPacket(2, type); })));
   manager_.OnRetransmissionTimeout();
-  if (manager_.session_decides_what_to_write()) {
-    EXPECT_EQ(2 * kDefaultLength, manager_.GetBytesInFlight());
-  } else {
-    EXPECT_TRUE(manager_.HasPendingRetransmissions());
-    EXPECT_EQ(kDefaultLength, manager_.GetBytesInFlight());
-    RetransmitNextPacket(2);
-    EXPECT_FALSE(manager_.HasPendingRetransmissions());
-  }
+  EXPECT_EQ(2 * kDefaultLength, manager_.GetBytesInFlight());
 
   // Rto a second time.
-  if (manager_.session_decides_what_to_write()) {
-    EXPECT_CALL(notifier_, RetransmitFrames(_, _))
-        .WillOnce(WithArgs<1>(Invoke(
-            [this](TransmissionType type) { RetransmitDataPacket(3, type); })));
-  }
+  EXPECT_CALL(notifier_, RetransmitFrames(_, _))
+      .WillOnce(WithArgs<1>(Invoke(
+          [this](TransmissionType type) { RetransmitDataPacket(3, type); })));
   manager_.OnRetransmissionTimeout();
-  if (manager_.session_decides_what_to_write()) {
-    EXPECT_EQ(3 * kDefaultLength, manager_.GetBytesInFlight());
-  } else {
-    EXPECT_TRUE(manager_.HasPendingRetransmissions());
-    EXPECT_EQ(2 * kDefaultLength, manager_.GetBytesInFlight());
-    RetransmitNextPacket(3);
-    EXPECT_FALSE(manager_.HasPendingRetransmissions());
-  }
+  EXPECT_EQ(3 * kDefaultLength, manager_.GetBytesInFlight());
 
   // Ack a retransmission and ensure OnRetransmissionTimeout is called.
   EXPECT_CALL(*send_algorithm_, OnRetransmissionTimeout(true));
@@ -1692,11 +1343,11 @@ TEST_P(QuicSentPacketManagerTest, TwoRetransmissionTimeoutsAckFirst) {
   EXPECT_EQ(2 * kDefaultLength, manager_.GetBytesInFlight());
 }
 
-TEST_P(QuicSentPacketManagerTest, GetTransmissionTime) {
+TEST_F(QuicSentPacketManagerTest, GetTransmissionTime) {
   EXPECT_EQ(QuicTime::Zero(), manager_.GetRetransmissionTime());
 }
 
-TEST_P(QuicSentPacketManagerTest, GetTransmissionTimeCryptoHandshake) {
+TEST_F(QuicSentPacketManagerTest, GetTransmissionTimeCryptoHandshake) {
   QuicTime crypto_packet_send_time = clock_.Now();
   SendCryptoPacket(1);
 
@@ -1715,16 +1366,11 @@ TEST_P(QuicSentPacketManagerTest, GetTransmissionTimeCryptoHandshake) {
 
   // Retransmit the packet by invoking the retransmission timeout.
   clock_.AdvanceTime(1.5 * srtt);
-  if (manager_.session_decides_what_to_write()) {
-    EXPECT_CALL(notifier_, RetransmitFrames(_, _))
-        .WillOnce(InvokeWithoutArgs([this]() { RetransmitCryptoPacket(2); }));
-    // When session decides what to write, crypto_packet_send_time gets updated.
-    crypto_packet_send_time = clock_.Now();
-  }
+  EXPECT_CALL(notifier_, RetransmitFrames(_, _))
+      .WillOnce(InvokeWithoutArgs([this]() { RetransmitCryptoPacket(2); }));
+  // When session decides what to write, crypto_packet_send_time gets updated.
+  crypto_packet_send_time = clock_.Now();
   manager_.OnRetransmissionTimeout();
-  if (!manager_.session_decides_what_to_write()) {
-    RetransmitNextPacket(2);
-  }
 
   // The retransmission time should now be twice as far in the future.
   expected_time = crypto_packet_send_time + srtt * 2 * 1.5;
@@ -1732,23 +1378,18 @@ TEST_P(QuicSentPacketManagerTest, GetTransmissionTimeCryptoHandshake) {
 
   // Retransmit the packet for the 2nd time.
   clock_.AdvanceTime(2 * 1.5 * srtt);
-  if (manager_.session_decides_what_to_write()) {
-    EXPECT_CALL(notifier_, RetransmitFrames(_, _))
-        .WillOnce(InvokeWithoutArgs([this]() { RetransmitCryptoPacket(3); }));
-    // When session decides what to write, crypto_packet_send_time gets updated.
-    crypto_packet_send_time = clock_.Now();
-  }
+  EXPECT_CALL(notifier_, RetransmitFrames(_, _))
+      .WillOnce(InvokeWithoutArgs([this]() { RetransmitCryptoPacket(3); }));
+  // When session decides what to write, crypto_packet_send_time gets updated.
+  crypto_packet_send_time = clock_.Now();
   manager_.OnRetransmissionTimeout();
-  if (!manager_.session_decides_what_to_write()) {
-    RetransmitNextPacket(3);
-  }
 
   // Verify exponential backoff of the retransmission timeout.
   expected_time = crypto_packet_send_time + srtt * 4 * 1.5;
   EXPECT_EQ(expected_time, manager_.GetRetransmissionTime());
 }
 
-TEST_P(QuicSentPacketManagerTest,
+TEST_F(QuicSentPacketManagerTest,
        GetConservativeTransmissionTimeCryptoHandshake) {
   QuicConfig config;
   QuicTagVector options;
@@ -1781,22 +1422,17 @@ TEST_P(QuicSentPacketManagerTest,
 
   // Retransmit the packet by invoking the retransmission timeout.
   clock_.AdvanceTime(2 * srtt);
-  if (manager_.session_decides_what_to_write()) {
-    EXPECT_CALL(notifier_, RetransmitFrames(_, _))
-        .WillOnce(InvokeWithoutArgs([this]() { RetransmitCryptoPacket(2); }));
-    crypto_packet_send_time = clock_.Now();
-  }
+  EXPECT_CALL(notifier_, RetransmitFrames(_, _))
+      .WillOnce(InvokeWithoutArgs([this]() { RetransmitCryptoPacket(2); }));
+  crypto_packet_send_time = clock_.Now();
   manager_.OnRetransmissionTimeout();
-  if (!manager_.session_decides_what_to_write()) {
-    RetransmitNextPacket(2);
-  }
 
   // The retransmission time should now be twice as far in the future.
   expected_time = crypto_packet_send_time + srtt * 2 * 2;
   EXPECT_EQ(expected_time, manager_.GetRetransmissionTime());
 }
 
-TEST_P(QuicSentPacketManagerTest, GetTransmissionTimeTailLossProbe) {
+TEST_F(QuicSentPacketManagerTest, GetTransmissionTimeTailLossProbe) {
   QuicSentPacketManagerPeer::SetMaxTailLossProbes(&manager_, 2);
   SendDataPacket(1);
   SendDataPacket(2);
@@ -1818,30 +1454,18 @@ TEST_P(QuicSentPacketManagerTest, GetTransmissionTimeTailLossProbe) {
   clock_.AdvanceTime(expected_tlp_delay);
   manager_.OnRetransmissionTimeout();
   EXPECT_EQ(QuicTime::Delta::Zero(), manager_.TimeUntilSend(clock_.Now()));
-  EXPECT_FALSE(manager_.HasPendingRetransmissions());
-  if (manager_.session_decides_what_to_write()) {
-    EXPECT_CALL(notifier_, RetransmitFrames(_, _))
-        .WillOnce(WithArgs<1>(Invoke(
-            [this](TransmissionType type) { RetransmitDataPacket(3, type); })));
-  }
+  EXPECT_CALL(notifier_, RetransmitFrames(_, _))
+      .WillOnce(WithArgs<1>(Invoke(
+          [this](TransmissionType type) { RetransmitDataPacket(3, type); })));
   EXPECT_TRUE(manager_.MaybeRetransmitTailLossProbe());
-  if (!manager_.session_decides_what_to_write()) {
-    EXPECT_TRUE(manager_.HasPendingRetransmissions());
-    RetransmitNextPacket(3);
-  }
   EXPECT_CALL(*send_algorithm_, CanSend(_)).WillOnce(Return(false));
   EXPECT_EQ(QuicTime::Delta::Infinite(), manager_.TimeUntilSend(clock_.Now()));
-  EXPECT_FALSE(manager_.HasPendingRetransmissions());
 
   expected_time = clock_.Now() + expected_tlp_delay;
   EXPECT_EQ(expected_time, manager_.GetRetransmissionTime());
 }
 
-TEST_P(QuicSentPacketManagerTest, TLPRWithPendingStreamData) {
-  if (!manager_.session_decides_what_to_write()) {
-    return;
-  }
-
+TEST_F(QuicSentPacketManagerTest, TLPRWithPendingStreamData) {
   QuicConfig config;
   QuicTagVector options;
 
@@ -1877,7 +1501,6 @@ TEST_P(QuicSentPacketManagerTest, TLPRWithPendingStreamData) {
   clock_.AdvanceTime(expected_tlp_delay);
   manager_.OnRetransmissionTimeout();
   EXPECT_EQ(QuicTime::Delta::Zero(), manager_.TimeUntilSend(clock_.Now()));
-  EXPECT_FALSE(manager_.HasPendingRetransmissions());
   EXPECT_CALL(notifier_, RetransmitFrames(_, _))
       .WillOnce(WithArgs<1>(Invoke(
           [this](TransmissionType type) { RetransmitDataPacket(3, type); })));
@@ -1885,7 +1508,6 @@ TEST_P(QuicSentPacketManagerTest, TLPRWithPendingStreamData) {
 
   EXPECT_CALL(*send_algorithm_, CanSend(_)).WillOnce(Return(false));
   EXPECT_EQ(QuicTime::Delta::Infinite(), manager_.TimeUntilSend(clock_.Now()));
-  EXPECT_FALSE(manager_.HasPendingRetransmissions());
 
   // 2nd TLP.
   expected_tlp_delay = 2 * srtt;
@@ -1893,11 +1515,7 @@ TEST_P(QuicSentPacketManagerTest, TLPRWithPendingStreamData) {
             manager_.GetRetransmissionTime() - clock_.Now());
 }
 
-TEST_P(QuicSentPacketManagerTest, TLPRWithoutPendingStreamData) {
-  if (!manager_.session_decides_what_to_write()) {
-    return;
-  }
-
+TEST_F(QuicSentPacketManagerTest, TLPRWithoutPendingStreamData) {
   QuicConfig config;
   QuicTagVector options;
 
@@ -1932,14 +1550,12 @@ TEST_P(QuicSentPacketManagerTest, TLPRWithoutPendingStreamData) {
   clock_.AdvanceTime(expected_tlp_delay);
   manager_.OnRetransmissionTimeout();
   EXPECT_EQ(QuicTime::Delta::Zero(), manager_.TimeUntilSend(clock_.Now()));
-  EXPECT_FALSE(manager_.HasPendingRetransmissions());
   EXPECT_CALL(notifier_, RetransmitFrames(_, _))
       .WillOnce(WithArgs<1>(Invoke(
           [this](TransmissionType type) { RetransmitDataPacket(3, type); })));
   EXPECT_TRUE(manager_.MaybeRetransmitTailLossProbe());
   EXPECT_CALL(*send_algorithm_, CanSend(_)).WillOnce(Return(false));
   EXPECT_EQ(QuicTime::Delta::Infinite(), manager_.TimeUntilSend(clock_.Now()));
-  EXPECT_FALSE(manager_.HasPendingRetransmissions());
 
   // 2nd TLP.
   expected_tlp_delay = 2 * srtt;
@@ -1947,7 +1563,7 @@ TEST_P(QuicSentPacketManagerTest, TLPRWithoutPendingStreamData) {
             manager_.GetRetransmissionTime() - clock_.Now());
 }
 
-TEST_P(QuicSentPacketManagerTest, GetTransmissionTimeSpuriousRTO) {
+TEST_F(QuicSentPacketManagerTest, GetTransmissionTimeSpuriousRTO) {
   RttStats* rtt_stats = const_cast<RttStats*>(manager_.GetRttStats());
   rtt_stats->UpdateRtt(QuicTime::Delta::FromMilliseconds(100),
                        QuicTime::Delta::Zero(), QuicTime::Zero());
@@ -1964,24 +1580,15 @@ TEST_P(QuicSentPacketManagerTest, GetTransmissionTimeSpuriousRTO) {
 
   // Retransmit the packet by invoking the retransmission timeout.
   clock_.AdvanceTime(expected_rto_delay);
-  if (manager_.session_decides_what_to_write()) {
-    EXPECT_CALL(notifier_, RetransmitFrames(_, _))
-        .Times(2)
-        .WillOnce(WithArgs<1>(Invoke(
-            [this](TransmissionType type) { RetransmitDataPacket(5, type); })))
-        .WillOnce(WithArgs<1>(Invoke(
-            [this](TransmissionType type) { RetransmitDataPacket(6, type); })));
-  }
+  EXPECT_CALL(notifier_, RetransmitFrames(_, _))
+      .Times(2)
+      .WillOnce(WithArgs<1>(Invoke(
+          [this](TransmissionType type) { RetransmitDataPacket(5, type); })))
+      .WillOnce(WithArgs<1>(Invoke(
+          [this](TransmissionType type) { RetransmitDataPacket(6, type); })));
   manager_.OnRetransmissionTimeout();
-  if (!manager_.session_decides_what_to_write()) {
-    // All packets are still considered inflight.
-    EXPECT_EQ(4 * kDefaultLength, manager_.GetBytesInFlight());
-    RetransmitNextPacket(5);
-    RetransmitNextPacket(6);
-  }
   // All previous packets are inflight, plus two rto retransmissions.
   EXPECT_EQ(6 * kDefaultLength, manager_.GetBytesInFlight());
-  EXPECT_FALSE(manager_.HasPendingRetransmissions());
 
   // The delay should double the second time.
   expected_time = clock_.Now() + expected_rto_delay + expected_rto_delay;
@@ -1998,7 +1605,6 @@ TEST_P(QuicSentPacketManagerTest, GetTransmissionTimeSpuriousRTO) {
   EXPECT_EQ(PACKETS_NEWLY_ACKED,
             manager_.OnAckFrameEnd(clock_.Now(), QuicPacketNumber(1),
                                    ENCRYPTION_INITIAL));
-  EXPECT_FALSE(manager_.HasPendingRetransmissions());
   EXPECT_EQ(5 * kDefaultLength, manager_.GetBytesInFlight());
 
   // Wait 2RTTs from now for the RTO, since it's the max of the RTO time
@@ -2011,7 +1617,7 @@ TEST_P(QuicSentPacketManagerTest, GetTransmissionTimeSpuriousRTO) {
   EXPECT_EQ(expected_time, manager_.GetRetransmissionTime());
 }
 
-TEST_P(QuicSentPacketManagerTest, GetTransmissionDelayMin) {
+TEST_F(QuicSentPacketManagerTest, GetTransmissionDelayMin) {
   SendDataPacket(1);
   // Provide a 1ms RTT sample.
   const_cast<RttStats*>(manager_.GetRttStats())
@@ -2027,20 +1633,15 @@ TEST_P(QuicSentPacketManagerTest, GetTransmissionDelayMin) {
     EXPECT_EQ(delay,
               QuicSentPacketManagerPeer::GetRetransmissionDelay(&manager_, i));
     delay = delay + delay;
-    if (manager_.session_decides_what_to_write()) {
-      EXPECT_CALL(notifier_, RetransmitFrames(_, _))
-          .WillOnce(WithArgs<1>(Invoke([this, i](TransmissionType type) {
-            RetransmitDataPacket(i + 2, type);
-          })));
-    }
+    EXPECT_CALL(notifier_, RetransmitFrames(_, _))
+        .WillOnce(WithArgs<1>(Invoke([this, i](TransmissionType type) {
+          RetransmitDataPacket(i + 2, type);
+        })));
     manager_.OnRetransmissionTimeout();
-    if (!manager_.session_decides_what_to_write()) {
-      RetransmitNextPacket(i + 2);
-    }
   }
 }
 
-TEST_P(QuicSentPacketManagerTest, GetTransmissionDelayMax) {
+TEST_F(QuicSentPacketManagerTest, GetTransmissionDelayMax) {
   SendDataPacket(1);
   // Provide a 60s RTT sample.
   const_cast<RttStats*>(manager_.GetRttStats())
@@ -2053,7 +1654,7 @@ TEST_P(QuicSentPacketManagerTest, GetTransmissionDelayMax) {
             QuicSentPacketManagerPeer::GetRetransmissionDelay(&manager_, 0));
 }
 
-TEST_P(QuicSentPacketManagerTest, GetTransmissionDelayExponentialBackoff) {
+TEST_F(QuicSentPacketManagerTest, GetTransmissionDelayExponentialBackoff) {
   SendDataPacket(1);
   QuicTime::Delta delay = QuicTime::Delta::FromMilliseconds(500);
 
@@ -2064,20 +1665,15 @@ TEST_P(QuicSentPacketManagerTest, GetTransmissionDelayExponentialBackoff) {
     EXPECT_EQ(delay,
               QuicSentPacketManagerPeer::GetRetransmissionDelay(&manager_, i));
     delay = delay + delay;
-    if (manager_.session_decides_what_to_write()) {
-      EXPECT_CALL(notifier_, RetransmitFrames(_, _))
-          .WillOnce(WithArgs<1>(Invoke([this, i](TransmissionType type) {
-            RetransmitDataPacket(i + 2, type);
-          })));
-    }
+    EXPECT_CALL(notifier_, RetransmitFrames(_, _))
+        .WillOnce(WithArgs<1>(Invoke([this, i](TransmissionType type) {
+          RetransmitDataPacket(i + 2, type);
+        })));
     manager_.OnRetransmissionTimeout();
-    if (!manager_.session_decides_what_to_write()) {
-      RetransmitNextPacket(i + 2);
-    }
   }
 }
 
-TEST_P(QuicSentPacketManagerTest, RetransmissionDelay) {
+TEST_F(QuicSentPacketManagerTest, RetransmissionDelay) {
   RttStats* rtt_stats = const_cast<RttStats*>(manager_.GetRttStats());
   const int64_t kRttMs = 250;
   const int64_t kDeviationMs = 5;
@@ -2115,7 +1711,7 @@ TEST_P(QuicSentPacketManagerTest, RetransmissionDelay) {
             QuicSentPacketManagerPeer::GetRetransmissionDelay(&manager_));
 }
 
-TEST_P(QuicSentPacketManagerTest, GetLossDelay) {
+TEST_F(QuicSentPacketManagerTest, GetLossDelay) {
   auto loss_algorithm = std::make_unique<MockLossAlgorithm>();
   QuicSentPacketManagerPeer::SetLossAlgorithm(&manager_, loss_algorithm.get());
 
@@ -2146,7 +1742,7 @@ TEST_P(QuicSentPacketManagerTest, GetLossDelay) {
   manager_.OnRetransmissionTimeout();
 }
 
-TEST_P(QuicSentPacketManagerTest, NegotiateTimeLossDetectionFromOptions) {
+TEST_F(QuicSentPacketManagerTest, NegotiateTimeLossDetectionFromOptions) {
   EXPECT_EQ(kNack, QuicSentPacketManagerPeer::GetLossAlgorithm(&manager_)
                        ->GetLossDetectionType());
 
@@ -2162,7 +1758,7 @@ TEST_P(QuicSentPacketManagerTest, NegotiateTimeLossDetectionFromOptions) {
                        ->GetLossDetectionType());
 }
 
-TEST_P(QuicSentPacketManagerTest, NegotiateIetfLossDetectionFromOptions) {
+TEST_F(QuicSentPacketManagerTest, NegotiateIetfLossDetectionFromOptions) {
   SetQuicReloadableFlag(quic_enable_ietf_loss_detection, true);
   EXPECT_EQ(kNack, QuicSentPacketManagerPeer::GetLossAlgorithm(&manager_)
                        ->GetLossDetectionType());
@@ -2183,7 +1779,7 @@ TEST_P(QuicSentPacketManagerTest, NegotiateIetfLossDetectionFromOptions) {
       QuicSentPacketManagerPeer::AdaptiveReorderingThresholdEnabled(&manager_));
 }
 
-TEST_P(QuicSentPacketManagerTest,
+TEST_F(QuicSentPacketManagerTest,
        NegotiateIetfLossDetectionOneFourthRttFromOptions) {
   SetQuicReloadableFlag(quic_enable_ietf_loss_detection, true);
   EXPECT_EQ(kNack, QuicSentPacketManagerPeer::GetLossAlgorithm(&manager_)
@@ -2206,10 +1802,9 @@ TEST_P(QuicSentPacketManagerTest,
       QuicSentPacketManagerPeer::AdaptiveReorderingThresholdEnabled(&manager_));
 }
 
-TEST_P(QuicSentPacketManagerTest,
+TEST_F(QuicSentPacketManagerTest,
        NegotiateIetfLossDetectionAdaptiveReorderingThreshold) {
   SetQuicReloadableFlag(quic_enable_ietf_loss_detection, true);
-  SetQuicReloadableFlag(quic_detect_spurious_loss, true);
   EXPECT_EQ(kNack, QuicSentPacketManagerPeer::GetLossAlgorithm(&manager_)
                        ->GetLossDetectionType());
   EXPECT_FALSE(
@@ -2231,10 +1826,9 @@ TEST_P(QuicSentPacketManagerTest,
       QuicSentPacketManagerPeer::AdaptiveReorderingThresholdEnabled(&manager_));
 }
 
-TEST_P(QuicSentPacketManagerTest,
+TEST_F(QuicSentPacketManagerTest,
        NegotiateIetfLossDetectionAdaptiveReorderingThreshold2) {
   SetQuicReloadableFlag(quic_enable_ietf_loss_detection, true);
-  SetQuicReloadableFlag(quic_detect_spurious_loss, true);
   EXPECT_EQ(kNack, QuicSentPacketManagerPeer::GetLossAlgorithm(&manager_)
                        ->GetLossDetectionType());
   EXPECT_FALSE(
@@ -2257,7 +1851,36 @@ TEST_P(QuicSentPacketManagerTest,
       QuicSentPacketManagerPeer::AdaptiveReorderingThresholdEnabled(&manager_));
 }
 
-TEST_P(QuicSentPacketManagerTest, NegotiateCongestionControlFromOptions) {
+TEST_F(QuicSentPacketManagerTest,
+       NegotiateIetfLossDetectionAdaptiveReorderingAndTimeThreshold) {
+  SetQuicReloadableFlag(quic_enable_ietf_loss_detection, true);
+  EXPECT_EQ(kNack, QuicSentPacketManagerPeer::GetLossAlgorithm(&manager_)
+                       ->GetLossDetectionType());
+  EXPECT_FALSE(
+      QuicSentPacketManagerPeer::AdaptiveReorderingThresholdEnabled(&manager_));
+  EXPECT_FALSE(
+      QuicSentPacketManagerPeer::AdaptiveTimeThresholdEnabled(&manager_));
+
+  QuicConfig config;
+  QuicTagVector options;
+  options.push_back(kILD4);
+  QuicConfigPeer::SetReceivedConnectionOptions(&config, options);
+  EXPECT_CALL(*send_algorithm_, SetFromConfig(_, _));
+  EXPECT_CALL(*network_change_visitor_, OnCongestionChange());
+  manager_.SetFromConfig(config);
+
+  EXPECT_EQ(kIetfLossDetection,
+            QuicSentPacketManagerPeer::GetLossAlgorithm(&manager_)
+                ->GetLossDetectionType());
+  EXPECT_EQ(kDefaultLossDelayShift,
+            QuicSentPacketManagerPeer::GetReorderingShift(&manager_));
+  EXPECT_TRUE(
+      QuicSentPacketManagerPeer::AdaptiveReorderingThresholdEnabled(&manager_));
+  EXPECT_TRUE(
+      QuicSentPacketManagerPeer::AdaptiveTimeThresholdEnabled(&manager_));
+}
+
+TEST_F(QuicSentPacketManagerTest, NegotiateCongestionControlFromOptions) {
   QuicConfig config;
   QuicTagVector options;
 
@@ -2293,7 +1916,7 @@ TEST_P(QuicSentPacketManagerTest, NegotiateCongestionControlFromOptions) {
                             ->GetCongestionControlType());
 }
 
-TEST_P(QuicSentPacketManagerTest, NegotiateClientCongestionControlFromOptions) {
+TEST_F(QuicSentPacketManagerTest, NegotiateClientCongestionControlFromOptions) {
   QuicConfig config;
   QuicTagVector options;
 
@@ -2340,7 +1963,7 @@ TEST_P(QuicSentPacketManagerTest, NegotiateClientCongestionControlFromOptions) {
                             ->GetCongestionControlType());
 }
 
-TEST_P(QuicSentPacketManagerTest, NegotiateNoMinTLPFromOptionsAtServer) {
+TEST_F(QuicSentPacketManagerTest, NegotiateNoMinTLPFromOptionsAtServer) {
   QuicConfig config;
   QuicTagVector options;
 
@@ -2362,11 +1985,8 @@ TEST_P(QuicSentPacketManagerTest, NegotiateNoMinTLPFromOptionsAtServer) {
   EXPECT_EQ(QuicTime::Delta::FromMicroseconds(100002),
             QuicSentPacketManagerPeer::GetTailLossProbeDelay(&manager_, 0));
 
-  // Send two packets, and the TLP should be 2 us or 1ms.
-  QuicTime::Delta expected_tlp_delay =
-      GetQuicReloadableFlag(quic_sent_packet_manager_cleanup)
-          ? QuicTime::Delta::FromMilliseconds(1)
-          : QuicTime::Delta::FromMicroseconds(2);
+  // Send two packets, and the TLP should be 1ms.
+  QuicTime::Delta expected_tlp_delay = QuicTime::Delta::FromMilliseconds(1);
   SendDataPacket(1);
   SendDataPacket(2);
   EXPECT_EQ(expected_tlp_delay,
@@ -2375,7 +1995,7 @@ TEST_P(QuicSentPacketManagerTest, NegotiateNoMinTLPFromOptionsAtServer) {
             QuicSentPacketManagerPeer::GetTailLossProbeDelay(&manager_, 0));
 }
 
-TEST_P(QuicSentPacketManagerTest, NegotiateNoMinTLPFromOptionsAtClient) {
+TEST_F(QuicSentPacketManagerTest, NegotiateNoMinTLPFromOptionsAtClient) {
   QuicConfig client_config;
   QuicTagVector options;
 
@@ -2397,11 +2017,8 @@ TEST_P(QuicSentPacketManagerTest, NegotiateNoMinTLPFromOptionsAtClient) {
             QuicSentPacketManagerPeer::GetTailLossProbeDelay(&manager_));
   EXPECT_EQ(QuicTime::Delta::FromMicroseconds(100002),
             QuicSentPacketManagerPeer::GetTailLossProbeDelay(&manager_, 0));
-  // Send two packets, and the TLP should be 2 us or 1ms.
-  QuicTime::Delta expected_tlp_delay =
-      GetQuicReloadableFlag(quic_sent_packet_manager_cleanup)
-          ? QuicTime::Delta::FromMilliseconds(1)
-          : QuicTime::Delta::FromMicroseconds(2);
+  // Send two packets, and the TLP should be 1ms.
+  QuicTime::Delta expected_tlp_delay = QuicTime::Delta::FromMilliseconds(1);
   SendDataPacket(1);
   SendDataPacket(2);
   EXPECT_EQ(expected_tlp_delay,
@@ -2410,70 +2027,7 @@ TEST_P(QuicSentPacketManagerTest, NegotiateNoMinTLPFromOptionsAtClient) {
             QuicSentPacketManagerPeer::GetTailLossProbeDelay(&manager_, 0));
 }
 
-TEST_P(QuicSentPacketManagerTest, NegotiateIETFTLPFromOptionsAtServer) {
-  if (GetQuicReloadableFlag(quic_sent_packet_manager_cleanup)) {
-    return;
-  }
-  QuicConfig config;
-  QuicTagVector options;
-
-  options.push_back(kMAD4);
-  QuicConfigPeer::SetReceivedConnectionOptions(&config, options);
-  EXPECT_CALL(*network_change_visitor_, OnCongestionChange());
-  EXPECT_CALL(*send_algorithm_, SetFromConfig(_, _));
-  manager_.SetFromConfig(config);
-  // Provide an RTT measurement of 100ms.
-  RttStats* rtt_stats = const_cast<RttStats*>(manager_.GetRttStats());
-  rtt_stats->UpdateRtt(QuicTime::Delta::FromMilliseconds(100),
-                       QuicTime::Delta::Zero(), QuicTime::Zero());
-  // Expect 1.5x * SRTT + 0ms MAD
-  EXPECT_EQ(QuicTime::Delta::FromMilliseconds(150),
-            QuicSentPacketManagerPeer::GetTailLossProbeDelay(&manager_));
-  EXPECT_EQ(QuicTime::Delta::FromMilliseconds(150),
-            QuicSentPacketManagerPeer::GetTailLossProbeDelay(&manager_, 0));
-  // Expect 1.5x * SRTT + 50ms MAD
-  rtt_stats->UpdateRtt(QuicTime::Delta::FromMilliseconds(150),
-                       QuicTime::Delta::FromMilliseconds(50), QuicTime::Zero());
-  EXPECT_EQ(QuicTime::Delta::FromMilliseconds(100), rtt_stats->smoothed_rtt());
-  EXPECT_EQ(QuicTime::Delta::FromMilliseconds(200),
-            QuicSentPacketManagerPeer::GetTailLossProbeDelay(&manager_));
-  EXPECT_EQ(QuicTime::Delta::FromMilliseconds(200),
-            QuicSentPacketManagerPeer::GetTailLossProbeDelay(&manager_, 0));
-}
-
-TEST_P(QuicSentPacketManagerTest, NegotiateIETFTLPFromOptionsAtClient) {
-  if (GetQuicReloadableFlag(quic_sent_packet_manager_cleanup)) {
-    return;
-  }
-  QuicConfig client_config;
-  QuicTagVector options;
-
-  options.push_back(kMAD4);
-  QuicSentPacketManagerPeer::SetPerspective(&manager_, Perspective::IS_CLIENT);
-  client_config.SetConnectionOptionsToSend(options);
-  EXPECT_CALL(*network_change_visitor_, OnCongestionChange());
-  EXPECT_CALL(*send_algorithm_, SetFromConfig(_, _));
-  manager_.SetFromConfig(client_config);
-  // Provide an RTT measurement of 100ms.
-  RttStats* rtt_stats = const_cast<RttStats*>(manager_.GetRttStats());
-  rtt_stats->UpdateRtt(QuicTime::Delta::FromMilliseconds(100),
-                       QuicTime::Delta::Zero(), QuicTime::Zero());
-  // Expect 1.5x * SRTT + 0ms MAD
-  EXPECT_EQ(QuicTime::Delta::FromMilliseconds(150),
-            QuicSentPacketManagerPeer::GetTailLossProbeDelay(&manager_));
-  EXPECT_EQ(QuicTime::Delta::FromMilliseconds(150),
-            QuicSentPacketManagerPeer::GetTailLossProbeDelay(&manager_, 0));
-  // Expect 1.5x * SRTT + 50ms MAD
-  rtt_stats->UpdateRtt(QuicTime::Delta::FromMilliseconds(150),
-                       QuicTime::Delta::FromMilliseconds(50), QuicTime::Zero());
-  EXPECT_EQ(QuicTime::Delta::FromMilliseconds(100), rtt_stats->smoothed_rtt());
-  EXPECT_EQ(QuicTime::Delta::FromMilliseconds(200),
-            QuicSentPacketManagerPeer::GetTailLossProbeDelay(&manager_));
-  EXPECT_EQ(QuicTime::Delta::FromMilliseconds(200),
-            QuicSentPacketManagerPeer::GetTailLossProbeDelay(&manager_, 0));
-}
-
-TEST_P(QuicSentPacketManagerTest, NegotiateNoMinRTOFromOptionsAtServer) {
+TEST_F(QuicSentPacketManagerTest, NegotiateNoMinRTOFromOptionsAtServer) {
   QuicConfig config;
   QuicTagVector options;
 
@@ -2486,26 +2040,20 @@ TEST_P(QuicSentPacketManagerTest, NegotiateNoMinRTOFromOptionsAtServer) {
   RttStats* rtt_stats = const_cast<RttStats*>(manager_.GetRttStats());
   rtt_stats->UpdateRtt(QuicTime::Delta::FromMicroseconds(1),
                        QuicTime::Delta::Zero(), QuicTime::Zero());
-  QuicTime::Delta expected_rto_delay =
-      GetQuicReloadableFlag(quic_sent_packet_manager_cleanup)
-          ? QuicTime::Delta::FromMilliseconds(1)
-          : QuicTime::Delta::FromMicroseconds(1);
+  QuicTime::Delta expected_rto_delay = QuicTime::Delta::FromMilliseconds(1);
   EXPECT_EQ(expected_rto_delay,
             QuicSentPacketManagerPeer::GetRetransmissionDelay(&manager_));
   EXPECT_EQ(expected_rto_delay,
             QuicSentPacketManagerPeer::GetRetransmissionDelay(&manager_, 0));
   // The TLP with fewer than 2 packets outstanding includes 1/2 min RTO(0ms).
-  QuicTime::Delta expected_tlp_delay =
-      GetQuicReloadableFlag(quic_sent_packet_manager_cleanup)
-          ? QuicTime::Delta::FromMicroseconds(502)
-          : QuicTime::Delta::FromMicroseconds(2);
+  QuicTime::Delta expected_tlp_delay = QuicTime::Delta::FromMicroseconds(502);
   EXPECT_EQ(expected_tlp_delay,
             QuicSentPacketManagerPeer::GetTailLossProbeDelay(&manager_));
   EXPECT_EQ(expected_tlp_delay,
             QuicSentPacketManagerPeer::GetTailLossProbeDelay(&manager_, 0));
 }
 
-TEST_P(QuicSentPacketManagerTest, NegotiateNoMinRTOFromOptionsAtClient) {
+TEST_F(QuicSentPacketManagerTest, NegotiateNoMinRTOFromOptionsAtClient) {
   QuicConfig client_config;
   QuicTagVector options;
 
@@ -2519,26 +2067,20 @@ TEST_P(QuicSentPacketManagerTest, NegotiateNoMinRTOFromOptionsAtClient) {
   RttStats* rtt_stats = const_cast<RttStats*>(manager_.GetRttStats());
   rtt_stats->UpdateRtt(QuicTime::Delta::FromMicroseconds(1),
                        QuicTime::Delta::Zero(), QuicTime::Zero());
-  QuicTime::Delta expected_rto_delay =
-      GetQuicReloadableFlag(quic_sent_packet_manager_cleanup)
-          ? QuicTime::Delta::FromMilliseconds(1)
-          : QuicTime::Delta::FromMicroseconds(1);
+  QuicTime::Delta expected_rto_delay = QuicTime::Delta::FromMilliseconds(1);
   EXPECT_EQ(expected_rto_delay,
             QuicSentPacketManagerPeer::GetRetransmissionDelay(&manager_));
   EXPECT_EQ(expected_rto_delay,
             QuicSentPacketManagerPeer::GetRetransmissionDelay(&manager_, 0));
   // The TLP with fewer than 2 packets outstanding includes 1/2 min RTO(0ms).
-  QuicTime::Delta expected_tlp_delay =
-      GetQuicReloadableFlag(quic_sent_packet_manager_cleanup)
-          ? QuicTime::Delta::FromMicroseconds(502)
-          : QuicTime::Delta::FromMicroseconds(2);
+  QuicTime::Delta expected_tlp_delay = QuicTime::Delta::FromMicroseconds(502);
   EXPECT_EQ(expected_tlp_delay,
             QuicSentPacketManagerPeer::GetTailLossProbeDelay(&manager_));
   EXPECT_EQ(expected_tlp_delay,
             QuicSentPacketManagerPeer::GetTailLossProbeDelay(&manager_, 0));
 }
 
-TEST_P(QuicSentPacketManagerTest, NegotiateNoTLPFromOptionsAtServer) {
+TEST_F(QuicSentPacketManagerTest, NegotiateNoTLPFromOptionsAtServer) {
   QuicConfig config;
   QuicTagVector options;
 
@@ -2550,7 +2092,7 @@ TEST_P(QuicSentPacketManagerTest, NegotiateNoTLPFromOptionsAtServer) {
   EXPECT_EQ(0u, QuicSentPacketManagerPeer::GetMaxTailLossProbes(&manager_));
 }
 
-TEST_P(QuicSentPacketManagerTest, NegotiateNoTLPFromOptionsAtClient) {
+TEST_F(QuicSentPacketManagerTest, NegotiateNoTLPFromOptionsAtClient) {
   QuicConfig client_config;
   QuicTagVector options;
 
@@ -2563,7 +2105,7 @@ TEST_P(QuicSentPacketManagerTest, NegotiateNoTLPFromOptionsAtClient) {
   EXPECT_EQ(0u, QuicSentPacketManagerPeer::GetMaxTailLossProbes(&manager_));
 }
 
-TEST_P(QuicSentPacketManagerTest, Negotiate1TLPFromOptionsAtServer) {
+TEST_F(QuicSentPacketManagerTest, Negotiate1TLPFromOptionsAtServer) {
   QuicConfig config;
   QuicTagVector options;
 
@@ -2575,7 +2117,7 @@ TEST_P(QuicSentPacketManagerTest, Negotiate1TLPFromOptionsAtServer) {
   EXPECT_EQ(1u, QuicSentPacketManagerPeer::GetMaxTailLossProbes(&manager_));
 }
 
-TEST_P(QuicSentPacketManagerTest, Negotiate1TLPFromOptionsAtClient) {
+TEST_F(QuicSentPacketManagerTest, Negotiate1TLPFromOptionsAtClient) {
   QuicConfig client_config;
   QuicTagVector options;
 
@@ -2588,7 +2130,7 @@ TEST_P(QuicSentPacketManagerTest, Negotiate1TLPFromOptionsAtClient) {
   EXPECT_EQ(1u, QuicSentPacketManagerPeer::GetMaxTailLossProbes(&manager_));
 }
 
-TEST_P(QuicSentPacketManagerTest, NegotiateTLPRttFromOptionsAtServer) {
+TEST_F(QuicSentPacketManagerTest, NegotiateTLPRttFromOptionsAtServer) {
   QuicConfig config;
   QuicTagVector options;
 
@@ -2601,7 +2143,7 @@ TEST_P(QuicSentPacketManagerTest, NegotiateTLPRttFromOptionsAtServer) {
       QuicSentPacketManagerPeer::GetEnableHalfRttTailLossProbe(&manager_));
 }
 
-TEST_P(QuicSentPacketManagerTest, NegotiateTLPRttFromOptionsAtClient) {
+TEST_F(QuicSentPacketManagerTest, NegotiateTLPRttFromOptionsAtClient) {
   QuicConfig client_config;
   QuicTagVector options;
 
@@ -2615,7 +2157,7 @@ TEST_P(QuicSentPacketManagerTest, NegotiateTLPRttFromOptionsAtClient) {
       QuicSentPacketManagerPeer::GetEnableHalfRttTailLossProbe(&manager_));
 }
 
-TEST_P(QuicSentPacketManagerTest, NegotiateNewRTOFromOptionsAtServer) {
+TEST_F(QuicSentPacketManagerTest, NegotiateNewRTOFromOptionsAtServer) {
   EXPECT_FALSE(QuicSentPacketManagerPeer::GetUseNewRto(&manager_));
   QuicConfig config;
   QuicTagVector options;
@@ -2628,7 +2170,7 @@ TEST_P(QuicSentPacketManagerTest, NegotiateNewRTOFromOptionsAtServer) {
   EXPECT_TRUE(QuicSentPacketManagerPeer::GetUseNewRto(&manager_));
 }
 
-TEST_P(QuicSentPacketManagerTest, NegotiateNewRTOFromOptionsAtClient) {
+TEST_F(QuicSentPacketManagerTest, NegotiateNewRTOFromOptionsAtClient) {
   EXPECT_FALSE(QuicSentPacketManagerPeer::GetUseNewRto(&manager_));
   QuicConfig client_config;
   QuicTagVector options;
@@ -2642,7 +2184,7 @@ TEST_P(QuicSentPacketManagerTest, NegotiateNewRTOFromOptionsAtClient) {
   EXPECT_TRUE(QuicSentPacketManagerPeer::GetUseNewRto(&manager_));
 }
 
-TEST_P(QuicSentPacketManagerTest, UseInitialRoundTripTimeToSend) {
+TEST_F(QuicSentPacketManagerTest, UseInitialRoundTripTimeToSend) {
   QuicTime::Delta initial_rtt = QuicTime::Delta::FromMilliseconds(325);
   EXPECT_NE(initial_rtt, manager_.GetRttStats()->smoothed_rtt());
 
@@ -2656,22 +2198,26 @@ TEST_P(QuicSentPacketManagerTest, UseInitialRoundTripTimeToSend) {
   EXPECT_EQ(initial_rtt, manager_.GetRttStats()->initial_rtt());
 }
 
-TEST_P(QuicSentPacketManagerTest, ResumeConnectionState) {
+TEST_F(QuicSentPacketManagerTest, ResumeConnectionState) {
   // The sent packet manager should use the RTT from CachedNetworkParameters if
   // it is provided.
   const QuicTime::Delta kRtt = QuicTime::Delta::FromMilliseconds(1234);
   CachedNetworkParameters cached_network_params;
   cached_network_params.set_min_rtt_ms(kRtt.ToMilliseconds());
 
-  EXPECT_CALL(*send_algorithm_,
-              AdjustNetworkParameters(QuicBandwidth::Zero(), kRtt, false));
+  SendAlgorithmInterface::NetworkParams params;
+  params.bandwidth = QuicBandwidth::Zero();
+  params.allow_cwnd_to_decrease = false;
+  params.rtt = kRtt;
+
+  EXPECT_CALL(*send_algorithm_, AdjustNetworkParameters(params));
   EXPECT_CALL(*send_algorithm_, GetCongestionWindow())
       .Times(testing::AnyNumber());
   manager_.ResumeConnectionState(cached_network_params, false);
   EXPECT_EQ(kRtt, manager_.GetRttStats()->initial_rtt());
 }
 
-TEST_P(QuicSentPacketManagerTest, ConnectionMigrationUnspecifiedChange) {
+TEST_F(QuicSentPacketManagerTest, ConnectionMigrationUnspecifiedChange) {
   RttStats* rtt_stats = const_cast<RttStats*>(manager_.GetRttStats());
   QuicTime::Delta default_init_rtt = rtt_stats->initial_rtt();
   rtt_stats->set_initial_rtt(default_init_rtt * 2);
@@ -2690,7 +2236,7 @@ TEST_P(QuicSentPacketManagerTest, ConnectionMigrationUnspecifiedChange) {
   EXPECT_EQ(0u, manager_.GetConsecutiveTlpCount());
 }
 
-TEST_P(QuicSentPacketManagerTest, ConnectionMigrationIPSubnetChange) {
+TEST_F(QuicSentPacketManagerTest, ConnectionMigrationIPSubnetChange) {
   RttStats* rtt_stats = const_cast<RttStats*>(manager_.GetRttStats());
   QuicTime::Delta default_init_rtt = rtt_stats->initial_rtt();
   rtt_stats->set_initial_rtt(default_init_rtt * 2);
@@ -2708,7 +2254,7 @@ TEST_P(QuicSentPacketManagerTest, ConnectionMigrationIPSubnetChange) {
   EXPECT_EQ(2u, manager_.GetConsecutiveTlpCount());
 }
 
-TEST_P(QuicSentPacketManagerTest, ConnectionMigrationPortChange) {
+TEST_F(QuicSentPacketManagerTest, ConnectionMigrationPortChange) {
   RttStats* rtt_stats = const_cast<RttStats*>(manager_.GetRttStats());
   QuicTime::Delta default_init_rtt = rtt_stats->initial_rtt();
   rtt_stats->set_initial_rtt(default_init_rtt * 2);
@@ -2726,13 +2272,13 @@ TEST_P(QuicSentPacketManagerTest, ConnectionMigrationPortChange) {
   EXPECT_EQ(2u, manager_.GetConsecutiveTlpCount());
 }
 
-TEST_P(QuicSentPacketManagerTest, PathMtuIncreased) {
+TEST_F(QuicSentPacketManagerTest, PathMtuIncreased) {
   EXPECT_CALL(*send_algorithm_,
               OnPacketSent(_, BytesInFlight(), QuicPacketNumber(1), _, _));
   SerializedPacket packet(QuicPacketNumber(1), PACKET_4BYTE_PACKET_NUMBER,
                           nullptr, kDefaultLength + 100, false, false);
-  manager_.OnPacketSent(&packet, QuicPacketNumber(), clock_.Now(),
-                        NOT_RETRANSMISSION, HAS_RETRANSMITTABLE_DATA);
+  manager_.OnPacketSent(&packet, clock_.Now(), NOT_RETRANSMISSION,
+                        HAS_RETRANSMITTABLE_DATA);
 
   // Ack the large packet and expect the path MTU to increase.
   ExpectAck(1);
@@ -2747,7 +2293,7 @@ TEST_P(QuicSentPacketManagerTest, PathMtuIncreased) {
                                    ENCRYPTION_INITIAL));
 }
 
-TEST_P(QuicSentPacketManagerTest, OnAckRangeSlowPath) {
+TEST_F(QuicSentPacketManagerTest, OnAckRangeSlowPath) {
   // Send packets 1 - 20.
   for (size_t i = 1; i <= 20; ++i) {
     SendDataPacket(i);
@@ -2782,7 +2328,7 @@ TEST_P(QuicSentPacketManagerTest, OnAckRangeSlowPath) {
                                    ENCRYPTION_INITIAL));
 }
 
-TEST_P(QuicSentPacketManagerTest, TolerateReneging) {
+TEST_F(QuicSentPacketManagerTest, TolerateReneging) {
   // Send packets 1 - 20.
   for (size_t i = 1; i <= 20; ++i) {
     SendDataPacket(i);
@@ -2815,7 +2361,7 @@ TEST_P(QuicSentPacketManagerTest, TolerateReneging) {
   EXPECT_EQ(QuicPacketNumber(16), manager_.GetLargestObserved());
 }
 
-TEST_P(QuicSentPacketManagerTest, MultiplePacketNumberSpaces) {
+TEST_F(QuicSentPacketManagerTest, MultiplePacketNumberSpaces) {
   manager_.EnableMultiplePacketNumberSpacesSupport();
   EXPECT_FALSE(
       manager_.GetLargestSentPacket(ENCRYPTION_INITIAL).IsInitialized());
@@ -2927,7 +2473,7 @@ TEST_P(QuicSentPacketManagerTest, MultiplePacketNumberSpaces) {
             manager_.GetLargestAckedPacket(ENCRYPTION_FORWARD_SECURE));
 }
 
-TEST_P(QuicSentPacketManagerTest, PacketsGetAckedInWrongPacketNumberSpace) {
+TEST_F(QuicSentPacketManagerTest, PacketsGetAckedInWrongPacketNumberSpace) {
   manager_.EnableMultiplePacketNumberSpacesSupport();
   // Send packet 1.
   SendDataPacket(1, ENCRYPTION_INITIAL);
@@ -2944,7 +2490,7 @@ TEST_P(QuicSentPacketManagerTest, PacketsGetAckedInWrongPacketNumberSpace) {
                                    ENCRYPTION_INITIAL));
 }
 
-TEST_P(QuicSentPacketManagerTest, PacketsGetAckedInWrongPacketNumberSpace2) {
+TEST_F(QuicSentPacketManagerTest, PacketsGetAckedInWrongPacketNumberSpace2) {
   manager_.EnableMultiplePacketNumberSpacesSupport();
   // Send packet 1.
   SendDataPacket(1, ENCRYPTION_INITIAL);
@@ -2961,7 +2507,7 @@ TEST_P(QuicSentPacketManagerTest, PacketsGetAckedInWrongPacketNumberSpace2) {
                                    ENCRYPTION_HANDSHAKE));
 }
 
-TEST_P(QuicSentPacketManagerTest,
+TEST_F(QuicSentPacketManagerTest,
        ToleratePacketsGetAckedInWrongPacketNumberSpace) {
   manager_.EnableMultiplePacketNumberSpacesSupport();
   // Send packet 1.
@@ -2992,10 +2538,7 @@ TEST_P(QuicSentPacketManagerTest,
 }
 
 // Regression test for b/133771183.
-TEST_P(QuicSentPacketManagerTest, PacketInLimbo) {
-  if (!manager_.session_decides_what_to_write()) {
-    return;
-  }
+TEST_F(QuicSentPacketManagerTest, PacketInLimbo) {
   QuicSentPacketManagerPeer::SetMaxTailLossProbes(&manager_, 2);
   // Send SHLO.
   SendCryptoPacket(1);
@@ -3047,10 +2590,7 @@ TEST_P(QuicSentPacketManagerTest, PacketInLimbo) {
                                    ENCRYPTION_INITIAL));
 }
 
-TEST_P(QuicSentPacketManagerTest, RtoFiresNoPacketToRetransmit) {
-  if (!manager_.session_decides_what_to_write()) {
-    return;
-  }
+TEST_F(QuicSentPacketManagerTest, RtoFiresNoPacketToRetransmit) {
   // Send 10 packets.
   for (size_t i = 1; i <= 10; ++i) {
     SendDataPacket(i);
@@ -3070,15 +2610,11 @@ TEST_P(QuicSentPacketManagerTest, RtoFiresNoPacketToRetransmit) {
   EXPECT_CALL(notifier_, RetransmitFrames(_, _)).Times(0);
   manager_.OnRetransmissionTimeout();
   EXPECT_EQ(2u, stats_.rto_count);
-  if (GetQuicReloadableFlag(quic_fix_rto_retransmission3)) {
-    // Verify a credit is raised up.
-    EXPECT_EQ(1u, manager_.pending_timer_transmission_count());
-  } else {
-    EXPECT_EQ(0u, manager_.pending_timer_transmission_count());
-  }
+  // Verify a credit is raised up.
+  EXPECT_EQ(1u, manager_.pending_timer_transmission_count());
 }
 
-TEST_P(QuicSentPacketManagerTest, ComputingProbeTimeout) {
+TEST_F(QuicSentPacketManagerTest, ComputingProbeTimeout) {
   EnablePto(k2PTO);
   EXPECT_CALL(*send_algorithm_, PacingRate(_))
       .WillRepeatedly(Return(QuicBandwidth::Zero()));
@@ -3144,7 +2680,7 @@ TEST_P(QuicSentPacketManagerTest, ComputingProbeTimeout) {
   EXPECT_EQ(sent_time + expected_pto_delay, manager_.GetRetransmissionTime());
 }
 
-TEST_P(QuicSentPacketManagerTest, SendOneProbePacket) {
+TEST_F(QuicSentPacketManagerTest, SendOneProbePacket) {
   EnablePto(k1PTO);
   EXPECT_CALL(*send_algorithm_, PacingRate(_))
       .WillRepeatedly(Return(QuicBandwidth::Zero()));
@@ -3179,9 +2715,8 @@ TEST_P(QuicSentPacketManagerTest, SendOneProbePacket) {
   manager_.MaybeSendProbePackets();
 }
 
-TEST_P(QuicSentPacketManagerTest, DisableHandshakeModeClient) {
+TEST_F(QuicSentPacketManagerTest, DisableHandshakeModeClient) {
   QuicSentPacketManagerPeer::SetPerspective(&manager_, Perspective::IS_CLIENT);
-  manager_.SetSessionDecideWhatToWrite(true);
   manager_.EnableIetfPtoAndLossDetection();
   // Send CHLO.
   SendCryptoPacket(1);
@@ -3203,8 +2738,7 @@ TEST_P(QuicSentPacketManagerTest, DisableHandshakeModeClient) {
             manager_.OnRetransmissionTimeout());
 }
 
-TEST_P(QuicSentPacketManagerTest, DisableHandshakeModeServer) {
-  manager_.SetSessionDecideWhatToWrite(true);
+TEST_F(QuicSentPacketManagerTest, DisableHandshakeModeServer) {
   manager_.EnableIetfPtoAndLossDetection();
   // Send SHLO.
   SendCryptoPacket(1);
@@ -3223,6 +2757,363 @@ TEST_P(QuicSentPacketManagerTest, DisableHandshakeModeServer) {
   EXPECT_EQ(QuicTime::Zero(), manager_.GetRetransmissionTime());
 }
 
+TEST_F(QuicSentPacketManagerTest, ForwardSecurePacketAcked) {
+  EXPECT_LT(manager_.handshake_state(),
+            QuicSentPacketManager::HANDSHAKE_CONFIRMED);
+  SendDataPacket(1, ENCRYPTION_INITIAL);
+  // Ack packet 1.
+  ExpectAck(1);
+  manager_.OnAckFrameStart(QuicPacketNumber(1), QuicTime::Delta::Infinite(),
+                           clock_.Now());
+  manager_.OnAckRange(QuicPacketNumber(1), QuicPacketNumber(2));
+  EXPECT_EQ(PACKETS_NEWLY_ACKED,
+            manager_.OnAckFrameEnd(clock_.Now(), QuicPacketNumber(1),
+                                   ENCRYPTION_INITIAL));
+  EXPECT_LT(manager_.handshake_state(),
+            QuicSentPacketManager::HANDSHAKE_CONFIRMED);
+
+  SendDataPacket(2, ENCRYPTION_ZERO_RTT);
+  // Ack packet 2.
+  ExpectAck(2);
+  manager_.OnAckFrameStart(QuicPacketNumber(2), QuicTime::Delta::Infinite(),
+                           clock_.Now());
+  manager_.OnAckRange(QuicPacketNumber(2), QuicPacketNumber(3));
+  EXPECT_EQ(PACKETS_NEWLY_ACKED,
+            manager_.OnAckFrameEnd(clock_.Now(), QuicPacketNumber(2),
+                                   ENCRYPTION_FORWARD_SECURE));
+  EXPECT_LT(manager_.handshake_state(),
+            QuicSentPacketManager::HANDSHAKE_CONFIRMED);
+
+  SendDataPacket(3, ENCRYPTION_FORWARD_SECURE);
+  // Ack packet 3.
+  ExpectAck(3);
+  manager_.OnAckFrameStart(QuicPacketNumber(3), QuicTime::Delta::Infinite(),
+                           clock_.Now());
+  manager_.OnAckRange(QuicPacketNumber(3), QuicPacketNumber(4));
+  EXPECT_EQ(PACKETS_NEWLY_ACKED,
+            manager_.OnAckFrameEnd(clock_.Now(), QuicPacketNumber(3),
+                                   ENCRYPTION_FORWARD_SECURE));
+  EXPECT_EQ(manager_.handshake_state(),
+            QuicSentPacketManager::HANDSHAKE_CONFIRMED);
+}
+
+TEST_F(QuicSentPacketManagerTest, PtoTimeoutIncludesMaxAckDelay) {
+  EnablePto(k1PTO);
+  // Use PTOS and PTOA.
+  QuicConfig config;
+  QuicTagVector options;
+  options.push_back(kPTOS);
+  options.push_back(kPTOA);
+  QuicConfigPeer::SetReceivedConnectionOptions(&config, options);
+  EXPECT_CALL(*send_algorithm_, SetFromConfig(_, _));
+  EXPECT_CALL(*network_change_visitor_, OnCongestionChange());
+  manager_.SetFromConfig(config);
+  EXPECT_TRUE(manager_.skip_packet_number_for_pto());
+  EXPECT_CALL(*send_algorithm_, CanSend(_)).WillRepeatedly(Return(true));
+
+  EXPECT_CALL(*send_algorithm_, PacingRate(_))
+      .WillRepeatedly(Return(QuicBandwidth::Zero()));
+  EXPECT_CALL(*send_algorithm_, GetCongestionWindow())
+      .WillRepeatedly(Return(10 * kDefaultTCPMSS));
+  RttStats* rtt_stats = const_cast<RttStats*>(manager_.GetRttStats());
+  rtt_stats->UpdateRtt(QuicTime::Delta::FromMilliseconds(100),
+                       QuicTime::Delta::Zero(), QuicTime::Zero());
+  QuicTime::Delta srtt = rtt_stats->smoothed_rtt();
+
+  SendDataPacket(1, ENCRYPTION_FORWARD_SECURE);
+  // Verify PTO is correctly set and ack delay is included.
+  QuicTime::Delta expected_pto_delay =
+      srtt + 4 * rtt_stats->mean_deviation() +
+      QuicTime::Delta::FromMilliseconds(kDefaultDelayedAckTimeMs);
+  EXPECT_EQ(clock_.Now() + expected_pto_delay,
+            manager_.GetRetransmissionTime());
+
+  clock_.AdvanceTime(QuicTime::Delta::FromMilliseconds(10));
+  SendDataPacket(2, ENCRYPTION_FORWARD_SECURE);
+  // Verify PTO is correctly set based on sent time of packet 2 but ack delay is
+  // not included as an immediate ACK is expected.
+  expected_pto_delay = expected_pto_delay - QuicTime::Delta::FromMilliseconds(
+                                                kDefaultDelayedAckTimeMs);
+  EXPECT_EQ(clock_.Now() + expected_pto_delay,
+            manager_.GetRetransmissionTime());
+  EXPECT_EQ(0u, stats_.pto_count);
+
+  // Invoke PTO.
+  clock_.AdvanceTime(expected_pto_delay);
+  manager_.OnRetransmissionTimeout();
+  EXPECT_EQ(QuicTime::Delta::Zero(), manager_.TimeUntilSend(clock_.Now()));
+  EXPECT_EQ(1u, stats_.pto_count);
+
+  // Verify 1 probe packets get sent and packet number gets skipped.
+  EXPECT_CALL(notifier_, RetransmitFrames(_, _))
+      .WillOnce(WithArgs<1>(Invoke([this](TransmissionType type) {
+        RetransmitDataPacket(4, type, ENCRYPTION_FORWARD_SECURE);
+      })));
+  manager_.MaybeSendProbePackets();
+  // Verify PTO period gets set to twice the current value. Also, ack delay is
+  // not included.
+  QuicTime sent_time = clock_.Now();
+  EXPECT_EQ(sent_time + expected_pto_delay * 2,
+            manager_.GetRetransmissionTime());
+
+  // Received ACK for packets 1 and 2.
+  uint64_t acked[] = {1, 2};
+  ExpectAcksAndLosses(true, acked, QUIC_ARRAYSIZE(acked), nullptr, 0);
+  manager_.OnAckFrameStart(QuicPacketNumber(2), QuicTime::Delta::Infinite(),
+                           clock_.Now());
+  manager_.OnAckRange(QuicPacketNumber(1), QuicPacketNumber(3));
+  EXPECT_EQ(PACKETS_NEWLY_ACKED,
+            manager_.OnAckFrameEnd(clock_.Now(), QuicPacketNumber(1),
+                                   ENCRYPTION_FORWARD_SECURE));
+  expected_pto_delay =
+      rtt_stats->SmoothedOrInitialRtt() +
+      std::max(4 * rtt_stats->mean_deviation(),
+               QuicTime::Delta::FromMilliseconds(1)) +
+      QuicTime::Delta::FromMilliseconds(kDefaultDelayedAckTimeMs);
+
+  // Verify PTO is correctly re-armed based on sent time of packet 4. Because of
+  // PTOS turns out to be spurious, ACK delay is included.
+  EXPECT_EQ(sent_time + expected_pto_delay, manager_.GetRetransmissionTime());
+
+  // Received ACK for packets 4.
+  ExpectAck(4);
+  manager_.OnAckFrameStart(QuicPacketNumber(4), QuicTime::Delta::Infinite(),
+                           clock_.Now());
+  manager_.OnAckRange(QuicPacketNumber(4), QuicPacketNumber(5));
+  EXPECT_EQ(PACKETS_NEWLY_ACKED,
+            manager_.OnAckFrameEnd(clock_.Now(), QuicPacketNumber(4),
+                                   ENCRYPTION_FORWARD_SECURE));
+  EXPECT_EQ(QuicTime::Zero(), manager_.GetRetransmissionTime());
+  // Send more packets, such that peer will do ack decimation.
+  std::vector<uint64_t> acked2;
+  for (size_t i = 5; i <= 100; ++i) {
+    SendDataPacket(i, ENCRYPTION_FORWARD_SECURE);
+    acked2.push_back(i);
+  }
+  // Received ACK for all sent packets.
+  ExpectAcksAndLosses(true, &acked2[0], acked2.size(), nullptr, 0);
+  manager_.OnAckFrameStart(QuicPacketNumber(100), QuicTime::Delta::Infinite(),
+                           clock_.Now());
+  manager_.OnAckRange(QuicPacketNumber(5), QuicPacketNumber(101));
+  EXPECT_EQ(PACKETS_NEWLY_ACKED,
+            manager_.OnAckFrameEnd(clock_.Now(), QuicPacketNumber(100),
+                                   ENCRYPTION_FORWARD_SECURE));
+
+  expected_pto_delay =
+      rtt_stats->SmoothedOrInitialRtt() +
+      std::max(4 * rtt_stats->mean_deviation(),
+               QuicTime::Delta::FromMilliseconds(1)) +
+      QuicTime::Delta::FromMilliseconds(kDefaultDelayedAckTimeMs);
+  for (size_t i = 101; i < 110; i++) {
+    SendDataPacket(i, ENCRYPTION_FORWARD_SECURE);
+    // Verify PTO timeout includes ACK delay as there are less than 10 packets
+    // outstanding.
+    EXPECT_EQ(clock_.Now() + expected_pto_delay,
+              manager_.GetRetransmissionTime());
+  }
+  expected_pto_delay = expected_pto_delay - QuicTime::Delta::FromMilliseconds(
+                                                kDefaultDelayedAckTimeMs);
+  SendDataPacket(110, ENCRYPTION_FORWARD_SECURE);
+  // Verify ACK delay is excluded.
+  EXPECT_EQ(clock_.Now() + expected_pto_delay,
+            manager_.GetRetransmissionTime());
+}
+
+TEST_F(QuicSentPacketManagerTest, StartExponentialBackoffSince2ndPto) {
+  EnablePto(k2PTO);
+  QuicConfig config;
+  QuicTagVector options;
+  options.push_back(kPEB2);
+  QuicConfigPeer::SetReceivedConnectionOptions(&config, options);
+  EXPECT_CALL(*send_algorithm_, SetFromConfig(_, _));
+  EXPECT_CALL(*network_change_visitor_, OnCongestionChange());
+  manager_.SetFromConfig(config);
+
+  EXPECT_CALL(*send_algorithm_, PacingRate(_))
+      .WillRepeatedly(Return(QuicBandwidth::Zero()));
+  EXPECT_CALL(*send_algorithm_, GetCongestionWindow())
+      .WillRepeatedly(Return(10 * kDefaultTCPMSS));
+  RttStats* rtt_stats = const_cast<RttStats*>(manager_.GetRttStats());
+  rtt_stats->UpdateRtt(QuicTime::Delta::FromMilliseconds(100),
+                       QuicTime::Delta::Zero(), QuicTime::Zero());
+  QuicTime::Delta srtt = rtt_stats->smoothed_rtt();
+
+  SendDataPacket(1, ENCRYPTION_FORWARD_SECURE);
+  // Verify PTO is correctly set.
+  QuicTime::Delta expected_pto_delay =
+      srtt + 4 * rtt_stats->mean_deviation() +
+      QuicTime::Delta::FromMilliseconds(kDefaultDelayedAckTimeMs);
+  EXPECT_EQ(clock_.Now() + expected_pto_delay,
+            manager_.GetRetransmissionTime());
+
+  clock_.AdvanceTime(QuicTime::Delta::FromMilliseconds(10));
+  SendDataPacket(2, ENCRYPTION_FORWARD_SECURE);
+  // Verify PTO is correctly set based on sent time of packet 2.
+  EXPECT_EQ(clock_.Now() + expected_pto_delay,
+            manager_.GetRetransmissionTime());
+  EXPECT_EQ(0u, stats_.pto_count);
+
+  // Invoke PTO.
+  clock_.AdvanceTime(expected_pto_delay);
+  manager_.OnRetransmissionTimeout();
+  EXPECT_EQ(QuicTime::Delta::Zero(), manager_.TimeUntilSend(clock_.Now()));
+  EXPECT_EQ(1u, stats_.pto_count);
+
+  // Verify two probe packets get sent.
+  EXPECT_CALL(notifier_, RetransmitFrames(_, _))
+      .Times(2)
+      .WillOnce(WithArgs<1>(Invoke([this](TransmissionType type) {
+        RetransmitDataPacket(3, type, ENCRYPTION_FORWARD_SECURE);
+      })))
+      .WillOnce(WithArgs<1>(Invoke([this](TransmissionType type) {
+        RetransmitDataPacket(4, type, ENCRYPTION_FORWARD_SECURE);
+      })));
+  manager_.MaybeSendProbePackets();
+  // Verify no exponential backoff.
+  EXPECT_EQ(clock_.Now() + expected_pto_delay,
+            manager_.GetRetransmissionTime());
+
+  // Invoke 2nd PTO.
+  clock_.AdvanceTime(expected_pto_delay);
+  manager_.OnRetransmissionTimeout();
+  EXPECT_EQ(QuicTime::Delta::Zero(), manager_.TimeUntilSend(clock_.Now()));
+  EXPECT_EQ(2u, stats_.pto_count);
+
+  // Verify two probe packets get sent.
+  EXPECT_CALL(notifier_, RetransmitFrames(_, _))
+      .Times(2)
+      .WillOnce(WithArgs<1>(Invoke([this](TransmissionType type) {
+        RetransmitDataPacket(5, type, ENCRYPTION_FORWARD_SECURE);
+      })))
+      .WillOnce(WithArgs<1>(Invoke([this](TransmissionType type) {
+        RetransmitDataPacket(6, type, ENCRYPTION_FORWARD_SECURE);
+      })));
+  manager_.MaybeSendProbePackets();
+  // Verify still no exponential backoff.
+  EXPECT_EQ(clock_.Now() + expected_pto_delay,
+            manager_.GetRetransmissionTime());
+
+  // Invoke 3rd PTO.
+  clock_.AdvanceTime(expected_pto_delay);
+  manager_.OnRetransmissionTimeout();
+  EXPECT_EQ(QuicTime::Delta::Zero(), manager_.TimeUntilSend(clock_.Now()));
+  EXPECT_EQ(3u, stats_.pto_count);
+
+  // Verify two probe packets get sent.
+  EXPECT_CALL(notifier_, RetransmitFrames(_, _))
+      .Times(2)
+      .WillOnce(WithArgs<1>(Invoke([this](TransmissionType type) {
+        RetransmitDataPacket(7, type, ENCRYPTION_FORWARD_SECURE);
+      })))
+      .WillOnce(WithArgs<1>(Invoke([this](TransmissionType type) {
+        RetransmitDataPacket(8, type, ENCRYPTION_FORWARD_SECURE);
+      })));
+  manager_.MaybeSendProbePackets();
+  // Verify exponential backoff starts.
+  EXPECT_EQ(clock_.Now() + expected_pto_delay * 2,
+            manager_.GetRetransmissionTime());
+
+  // Invoke 4th PTO.
+  clock_.AdvanceTime(expected_pto_delay * 2);
+  manager_.OnRetransmissionTimeout();
+  EXPECT_EQ(QuicTime::Delta::Zero(), manager_.TimeUntilSend(clock_.Now()));
+  EXPECT_EQ(4u, stats_.pto_count);
+
+  // Verify two probe packets get sent.
+  EXPECT_CALL(notifier_, RetransmitFrames(_, _))
+      .Times(2)
+      .WillOnce(WithArgs<1>(Invoke([this](TransmissionType type) {
+        RetransmitDataPacket(9, type, ENCRYPTION_FORWARD_SECURE);
+      })))
+      .WillOnce(WithArgs<1>(Invoke([this](TransmissionType type) {
+        RetransmitDataPacket(10, type, ENCRYPTION_FORWARD_SECURE);
+      })));
+  manager_.MaybeSendProbePackets();
+  // Verify exponential backoff continues.
+  EXPECT_EQ(clock_.Now() + expected_pto_delay * 4,
+            manager_.GetRetransmissionTime());
+}
+
+TEST_F(QuicSentPacketManagerTest, PtoTimeoutRttVarMultiple) {
+  EnablePto(k1PTO);
+  // Use 2 * rttvar
+  QuicConfig config;
+  QuicTagVector options;
+  options.push_back(kPVS1);
+  QuicConfigPeer::SetReceivedConnectionOptions(&config, options);
+  EXPECT_CALL(*send_algorithm_, SetFromConfig(_, _));
+  EXPECT_CALL(*network_change_visitor_, OnCongestionChange());
+  manager_.SetFromConfig(config);
+
+  EXPECT_CALL(*send_algorithm_, PacingRate(_))
+      .WillRepeatedly(Return(QuicBandwidth::Zero()));
+  EXPECT_CALL(*send_algorithm_, GetCongestionWindow())
+      .WillRepeatedly(Return(10 * kDefaultTCPMSS));
+  RttStats* rtt_stats = const_cast<RttStats*>(manager_.GetRttStats());
+  rtt_stats->UpdateRtt(QuicTime::Delta::FromMilliseconds(100),
+                       QuicTime::Delta::Zero(), QuicTime::Zero());
+  QuicTime::Delta srtt = rtt_stats->smoothed_rtt();
+
+  SendDataPacket(1, ENCRYPTION_FORWARD_SECURE);
+  // Verify PTO is correctly set based on 2 times rtt var.
+  QuicTime::Delta expected_pto_delay =
+      srtt + 2 * rtt_stats->mean_deviation() +
+      QuicTime::Delta::FromMilliseconds(kDefaultDelayedAckTimeMs);
+  EXPECT_EQ(clock_.Now() + expected_pto_delay,
+            manager_.GetRetransmissionTime());
+}
+
+// Regression test for b/143962153
+TEST_F(QuicSentPacketManagerTest, RtoNotInFlightPacket) {
+  QuicSentPacketManagerPeer::SetMaxTailLossProbes(&manager_, 2);
+  // Send SHLO.
+  QuicStreamFrame crypto_frame(1, false, 0, QuicStringPiece());
+  SendCryptoPacket(1);
+  // Send data packet.
+  SendDataPacket(2, ENCRYPTION_FORWARD_SECURE);
+
+  // Successfully decrypt a forward secure packet.
+  if (GetQuicReloadableFlag(quic_neuter_handshake_packets_once2)) {
+    EXPECT_CALL(notifier_, OnFrameAcked(_, _, _)).Times(1);
+  } else {
+    EXPECT_CALL(notifier_, OnFrameAcked(_, _, _)).Times(0);
+  }
+  manager_.SetHandshakeConfirmed();
+
+  // 1st TLP.
+  manager_.OnRetransmissionTimeout();
+  EXPECT_CALL(notifier_, RetransmitFrames(_, _))
+      .WillOnce(WithArgs<1>(Invoke([this](TransmissionType type) {
+        RetransmitDataPacket(3, type, ENCRYPTION_FORWARD_SECURE);
+      })));
+  manager_.MaybeRetransmitTailLossProbe();
+
+  // 2nd TLP.
+  manager_.OnRetransmissionTimeout();
+  EXPECT_CALL(notifier_, RetransmitFrames(_, _))
+      .WillOnce(WithArgs<1>(Invoke([this](TransmissionType type) {
+        RetransmitDataPacket(4, type, ENCRYPTION_FORWARD_SECURE);
+      })));
+  manager_.MaybeRetransmitTailLossProbe();
+
+  // RTO retransmits SHLO although it is not in flight.
+  size_t num_rto_packets = 2;
+  if (GetQuicReloadableFlag(quic_neuter_handshake_packets_once2)) {
+    num_rto_packets = 1;
+  }
+  EXPECT_CALL(notifier_, RetransmitFrames(_, _))
+      .Times(num_rto_packets)
+      .WillOnce(WithArgs<0>(Invoke([&crypto_frame](const QuicFrames& frames) {
+        EXPECT_EQ(1u, frames.size());
+        if (GetQuicReloadableFlag(quic_neuter_handshake_packets_once2)) {
+          EXPECT_NE(crypto_frame, frames[0].stream_frame);
+        } else {
+          EXPECT_EQ(crypto_frame, frames[0].stream_frame);
+        }
+      })));
+  manager_.OnRetransmissionTimeout();
+}
+
 }  // namespace
 }  // namespace test
 }  // namespace quic
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_session.cc b/chromium/net/third_party/quiche/src/quic/core/quic_session.cc
index b6e4b83dd0b..ada8bf41d9d 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_session.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_session.cc
@@ -9,6 +9,7 @@
 #include <utility>
 
 #include "net/third_party/quiche/src/quic/core/quic_connection.h"
+#include "net/third_party/quiche/src/quic/core/quic_error_codes.h"
 #include "net/third_party/quiche/src/quic/core/quic_flow_controller.h"
 #include "net/third_party/quiche/src/quic/core/quic_types.h"
 #include "net/third_party/quiche/src/quic/core/quic_utils.h"
@@ -87,7 +88,6 @@ QuicSession::QuicSession(
           perspective() == Perspective::IS_SERVER,
           nullptr),
       currently_writing_stream_id_(0),
-      is_handshake_confirmed_(false),
       goaway_sent_(false),
       goaway_received_(false),
       control_frame_manager_(this),
@@ -114,6 +114,13 @@ void QuicSession::Initialize() {
   connection_->SetDataProducer(this);
   connection_->SetFromConfig(config_);
 
+  // On the server side, version negotiation has been done by the dispatcher,
+  // and the server session is created with the right version.
+  if (connection_->quic_version_negotiated_by_default_at_server() &&
+      perspective() == Perspective::IS_SERVER) {
+    connection_->OnSuccessfulVersionNegotiation();
+  }
+
   if (QuicVersionUsesCryptoFrames(transport_version())) {
     return;
   }
@@ -200,11 +207,8 @@ void QuicSession::OnCryptoFrame(const QuicCryptoFrame& frame) {
   GetMutableCryptoStream()->OnCryptoFrame(frame);
 }
 
-bool QuicSession::OnStopSendingFrame(const QuicStopSendingFrame& frame) {
-  // We are not version 99. In theory, if not in version 99 then the framer
-  // could not call OnStopSending... This is just a check that is good when
-  // both a new protocol and a new implementation of that protocol are both
-  // being developed.
+void QuicSession::OnStopSendingFrame(const QuicStopSendingFrame& frame) {
+  // STOP_SENDING is in IETF QUIC only.
   DCHECK(VersionHasIetfQuicFrames(transport_version()));
 
   QuicStreamId stream_id = frame.stream_id;
@@ -216,21 +220,7 @@ bool QuicSession::OnStopSendingFrame(const QuicStopSendingFrame& frame) {
     connection()->CloseConnection(
         QUIC_INVALID_STREAM_ID, "Received STOP_SENDING for an invalid stream",
         ConnectionCloseBehavior::SEND_CONNECTION_CLOSE_PACKET);
-    return false;
-  }
-
-  // Ignore STOP_SENDING for static streams.
-  // TODO(fkastenholz): IETF Quic does not have static streams and does not
-  // make exceptions for them with respect to processing things like
-  // STOP_SENDING.
-  if (QuicUtils::IsCryptoStreamId(transport_version(), stream_id)) {
-    QUIC_DVLOG(1) << ENDPOINT
-                  << "Received STOP_SENDING for a static stream, id: "
-                  << stream_id << " Closing connection";
-    connection()->CloseConnection(
-        QUIC_INVALID_STREAM_ID, "Received STOP_SENDING for a static stream",
-        ConnectionCloseBehavior::SEND_CONNECTION_CLOSE_PACKET);
-    return false;
+    return;
   }
 
   if (visitor_) {
@@ -243,7 +233,7 @@ bool QuicSession::OnStopSendingFrame(const QuicStopSendingFrame& frame) {
         << ENDPOINT
         << "Received STOP_SENDING for closed or non-existent stream, id: "
         << stream_id << " Ignoring.";
-    return true;  // Continue processing the packet.
+    return;
   }
   // If stream is non-existent, close the connection
   StreamMap::iterator it = stream_map_.find(stream_id);
@@ -255,20 +245,15 @@ bool QuicSession::OnStopSendingFrame(const QuicStopSendingFrame& frame) {
         IETF_QUIC_PROTOCOL_VIOLATION,
         "Received STOP_SENDING for a non-existent stream",
         ConnectionCloseBehavior::SEND_CONNECTION_CLOSE_PACKET);
-    return false;
+    return;
   }
 
-  // Get the QuicStream for this stream. Ignore the STOP_SENDING
-  // if the QuicStream pointer is NULL
-  // QUESTION(fkastenholz): IS THIS THE RIGHT THING TO DO? (that is, this would
-  // happen IFF there was an entry in the map, but the pointer is null. sounds
-  // more like a deep programming error rather than a simple protocol problem).
   QuicStream* stream = it->second.get();
   if (stream == nullptr) {
     QUIC_BUG << ENDPOINT
              << "Received STOP_SENDING for NULL QuicStream, stream_id: "
              << stream_id << ". Ignoring.";
-    return true;
+    return;
   }
 
   if (stream->is_static()) {
@@ -278,20 +263,28 @@ bool QuicSession::OnStopSendingFrame(const QuicStopSendingFrame& frame) {
     connection()->CloseConnection(
         QUIC_INVALID_STREAM_ID, "Received STOP_SENDING for a static stream",
         ConnectionCloseBehavior::SEND_CONNECTION_CLOSE_PACKET);
-    return false;
+    return;
   }
 
   stream->OnStopSending(frame.application_error_code);
 
   stream->set_stream_error(
       static_cast<QuicRstStreamErrorCode>(frame.application_error_code));
-  SendRstStreamInner(
-      stream->id(),
-      static_cast<quic::QuicRstStreamErrorCode>(frame.application_error_code),
-      stream->stream_bytes_written(),
-      /*close_write_side_only=*/true);
+  if (connection()->connected()) {
+    MaybeSendRstStreamFrame(
+        stream->id(),
+        static_cast<quic::QuicRstStreamErrorCode>(frame.application_error_code),
+        stream->stream_bytes_written());
+    connection_->OnStreamReset(stream->id(),
+                               static_cast<quic::QuicRstStreamErrorCode>(
+                                   frame.application_error_code));
+  }
+  stream->set_rst_sent(true);
+  stream->CloseWriteSide();
+}
 
-  return true;
+void QuicSession::OnPacketDecrypted(EncryptionLevel level) {
+  GetMutableCryptoStream()->OnPacketDecrypted(level);
 }
 
 void QuicSession::PendingStreamOnRstStream(const QuicRstStreamFrame& frame) {
@@ -306,7 +299,10 @@ void QuicSession::PendingStreamOnRstStream(const QuicRstStreamFrame& frame) {
   }
 
   pending->OnRstStreamFrame(frame);
-  SendRstStream(stream_id, QUIC_RST_ACKNOWLEDGEMENT, 0);
+  // Pending stream is currently read only. We can safely close the stream.
+  DCHECK_EQ(READ_UNIDIRECTIONAL,
+            QuicUtils::GetStreamType(pending->id(), perspective(),
+                                     /*peer_initiated = */ true));
   ClosePendingStream(stream_id);
 }
 
@@ -319,6 +315,16 @@ void QuicSession::OnRstStream(const QuicRstStreamFrame& frame) {
     return;
   }
 
+  if (VersionHasIetfQuicFrames(transport_version()) &&
+      QuicUtils::GetStreamType(stream_id, perspective(),
+                               IsIncomingStream(stream_id)) ==
+          WRITE_UNIDIRECTIONAL) {
+    connection()->CloseConnection(
+        QUIC_INVALID_STREAM_ID, "Received RESET_STREAM for a write-only stream",
+        ConnectionCloseBehavior::SEND_CONNECTION_CLOSE_PACKET);
+    return;
+  }
+
   if (visitor_) {
     visitor_->OnRstStreamReceived(frame);
   }
@@ -458,9 +464,9 @@ void QuicSession::OnWindowUpdateFrame(const QuicWindowUpdateFrame& frame) {
     // individual stream.
     QUIC_DVLOG(1) << ENDPOINT
                   << "Received connection level flow control window "
-                     "update with byte offset: "
-                  << frame.byte_offset;
-    flow_controller_.UpdateSendWindowOffset(frame.byte_offset);
+                     "update with max data: "
+                  << frame.max_data;
+    flow_controller_.UpdateSendWindowOffset(frame.max_data);
     return;
   }
 
@@ -541,9 +547,7 @@ void QuicSession::OnCanWrite() {
                      "write blocked.";
     return;
   }
-  if (session_decides_what_to_write()) {
-    SetTransmissionType(NOT_RETRANSMISSION);
-  }
+  SetTransmissionType(NOT_RETRANSMISSION);
   // We limit the number of writes to the number of pending streams. If more
   // streams become pending, WillingAndAbleToWrite will be true, which will
   // cause the connection to request resumption before yielding to other
@@ -700,7 +704,24 @@ bool QuicSession::WriteControlFrame(const QuicFrame& frame) {
 void QuicSession::SendRstStream(QuicStreamId id,
                                 QuicRstStreamErrorCode error,
                                 QuicStreamOffset bytes_written) {
-  SendRstStreamInner(id, error, bytes_written, /*close_write_side_only=*/false);
+  if (!GetQuicReloadableFlag(quic_delete_send_rst_stream_inner)) {
+    SendRstStreamInner(id, error, bytes_written, false);
+    return;
+  }
+  QUIC_RELOADABLE_FLAG_COUNT(quic_delete_send_rst_stream_inner);
+  if (connection()->connected()) {
+    QuicConnection::ScopedPacketFlusher flusher(connection());
+    MaybeSendRstStreamFrame(id, error, bytes_written);
+    MaybeSendStopSendingFrame(id, error);
+
+    connection_->OnStreamReset(id, error);
+  }
+
+  if (error != QUIC_STREAM_NO_ERROR && QuicContainsKey(zombie_streams_, id)) {
+    OnStreamDoneWaitingForAcks(id);
+    return;
+  }
+  CloseStreamInner(id, true);
 }
 
 void QuicSession::SendRstStreamInner(QuicStreamId id,
@@ -709,21 +730,23 @@ void QuicSession::SendRstStreamInner(QuicStreamId id,
                                      bool close_write_side_only) {
   if (connection()->connected()) {
     // Only send if still connected.
-    if (close_write_side_only) {
-      DCHECK(VersionHasIetfQuicFrames(transport_version()));
-      // Send a RST_STREAM frame.
-      control_frame_manager_.WriteOrBufferRstStream(id, error, bytes_written);
-    } else {
+    if (VersionHasIetfQuicFrames(transport_version())) {
       // Send a RST_STREAM frame plus, if version 99, an IETF
       // QUIC STOP_SENDING frame. Both sre sent to emulate
       // the two-way close that Google QUIC's RST_STREAM does.
-      if (VersionHasIetfQuicFrames(transport_version())) {
-        QuicConnection::ScopedPacketFlusher flusher(connection());
+      QuicConnection::ScopedPacketFlusher flusher(connection());
+      if (QuicUtils::GetStreamType(id, perspective(), IsIncomingStream(id)) !=
+          READ_UNIDIRECTIONAL) {
         control_frame_manager_.WriteOrBufferRstStream(id, error, bytes_written);
+      }
+      if (!close_write_side_only &&
+          QuicUtils::GetStreamType(id, perspective(), IsIncomingStream(id)) !=
+              WRITE_UNIDIRECTIONAL) {
         control_frame_manager_.WriteOrBufferStopSending(error, id);
-      } else {
-        control_frame_manager_.WriteOrBufferRstStream(id, error, bytes_written);
       }
+    } else {
+      DCHECK(!close_write_side_only);
+      control_frame_manager_.WriteOrBufferRstStream(id, error, bytes_written);
     }
     connection_->OnStreamReset(id, error);
   }
@@ -734,26 +757,27 @@ void QuicSession::SendRstStreamInner(QuicStreamId id,
 
   if (!close_write_side_only) {
     CloseStreamInner(id, true);
-    return;
   }
-  DCHECK(VersionHasIetfQuicFrames(transport_version()));
+}
 
-  StreamMap::iterator it = stream_map_.find(id);
-  if (it != stream_map_.end()) {
-    if (it->second->is_static()) {
-      QUIC_DVLOG(1) << ENDPOINT
-                    << "Try to send rst for a static stream, id: " << id
-                    << " Closing connection";
-      connection()->CloseConnection(
-          QUIC_INVALID_STREAM_ID, "Sending rst for a static stream",
-          ConnectionCloseBehavior::SEND_CONNECTION_CLOSE_PACKET);
-      return;
-    }
-    QuicStream* stream = it->second.get();
-    if (stream) {
-      stream->set_rst_sent(true);
-      stream->CloseWriteSide();
-    }
+void QuicSession::MaybeSendRstStreamFrame(QuicStreamId id,
+                                          QuicRstStreamErrorCode error,
+                                          QuicStreamOffset bytes_written) {
+  DCHECK(connection()->connected());
+  if (!VersionHasIetfQuicFrames(transport_version()) ||
+      QuicUtils::GetStreamType(id, perspective(), IsIncomingStream(id)) !=
+          READ_UNIDIRECTIONAL) {
+    control_frame_manager_.WriteOrBufferRstStream(id, error, bytes_written);
+  }
+}
+
+void QuicSession::MaybeSendStopSendingFrame(QuicStreamId id,
+                                            QuicRstStreamErrorCode error) {
+  DCHECK(connection()->connected());
+  if (VersionHasIetfQuicFrames(transport_version()) &&
+      QuicUtils::GetStreamType(id, perspective(), IsIncomingStream(id)) !=
+          WRITE_UNIDIRECTIONAL) {
+    control_frame_manager_.WriteOrBufferStopSending(error, id);
   }
 }
 
@@ -840,9 +864,7 @@ void QuicSession::CloseStreamInner(QuicStreamId stream_id, bool locally_reset) {
     zombie_streams_[stream->id()] = std::move(it->second);
   } else {
     // Clean up the stream since it is no longer waiting for acks.
-    if (session_decides_what_to_write()) {
-      streams_waiting_for_acks_.erase(stream->id());
-    }
+    streams_waiting_for_acks_.erase(stream->id());
     closed_streams_.push_back(std::move(it->second));
     // Do not retransmit data of a closed stream.
     streams_with_pending_retransmission_.erase(stream_id);
@@ -855,7 +877,7 @@ void QuicSession::CloseStreamInner(QuicStreamId stream_id, bool locally_reset) {
   // If we haven't received a FIN or RST for this stream, we need to keep track
   // of the how many bytes the stream's flow controller believes it has
   // received, for accurate connection level flow control accounting.
-  const bool had_fin_or_rst = stream->HasFinalReceivedByteOffset();
+  const bool had_fin_or_rst = stream->HasReceivedFinalOffset();
   if (!had_fin_or_rst) {
     InsertLocallyClosedStreamsHighestOffset(
         stream_id, stream->flow_controller()->highest_received_byte_offset());
@@ -935,14 +957,16 @@ void QuicSession::OnFinalByteOffsetReceived(
 }
 
 bool QuicSession::IsEncryptionEstablished() const {
-  // Once the handshake is confirmed, it never becomes un-confirmed.
-  if (is_handshake_confirmed_) {
-    return true;
+  if (GetCryptoStream() == nullptr) {
+    return false;
   }
   return GetCryptoStream()->encryption_established();
 }
 
 bool QuicSession::IsCryptoHandshakeConfirmed() const {
+  if (GetCryptoStream() == nullptr) {
+    return false;
+  }
   return GetCryptoStream()->handshake_confirmed();
 }
 
@@ -1249,6 +1273,7 @@ void QuicSession::OnNewSessionFlowControlWindow(QuicStreamOffset new_window) {
 }
 
 void QuicSession::OnCryptoHandshakeEvent(CryptoHandshakeEvent event) {
+  DCHECK(!use_handshake_delegate());
   switch (event) {
     case ENCRYPTION_ESTABLISHED:
       // Retransmit originally packets that were sent, since they can't be
@@ -1264,7 +1289,6 @@ void QuicSession::OnCryptoHandshakeEvent(CryptoHandshakeEvent event) {
       // Discard originally encrypted packets, since they can't be decrypted by
       // the peer.
       NeuterUnencryptedData();
-      is_handshake_confirmed_ = true;
       break;
 
     default:
@@ -1272,6 +1296,93 @@ void QuicSession::OnCryptoHandshakeEvent(CryptoHandshakeEvent event) {
   }
 }
 
+void QuicSession::OnNewKeysAvailable(EncryptionLevel level,
+                                     std::unique_ptr<QuicDecrypter> decrypter,
+                                     bool set_alternative_decrypter,
+                                     bool latch_once_used,
+                                     std::unique_ptr<QuicEncrypter> encrypter) {
+  DCHECK(use_handshake_delegate());
+  // Install new keys.
+  connection()->SetEncrypter(level, std::move(encrypter));
+  if (connection()->version().KnowsWhichDecrypterToUse()) {
+    connection()->InstallDecrypter(level, std::move(decrypter));
+    return;
+  }
+  if (set_alternative_decrypter) {
+    connection()->SetAlternativeDecrypter(level, std::move(decrypter),
+                                          latch_once_used);
+    return;
+  }
+  connection()->SetDecrypter(level, std::move(decrypter));
+}
+
+void QuicSession::SetDefaultEncryptionLevel(EncryptionLevel level) {
+  DCHECK(use_handshake_delegate());
+  QUIC_DVLOG(1) << ENDPOINT << "Set default encryption level to "
+                << EncryptionLevelToString(level);
+  connection()->SetDefaultEncryptionLevel(level);
+
+  switch (level) {
+    case ENCRYPTION_INITIAL:
+      break;
+    case ENCRYPTION_ZERO_RTT:
+      // Retransmit old 0-RTT data (if any) with the new 0-RTT keys, since they
+      // can't be decrypted by the peer.
+      connection_->RetransmitUnackedPackets(ALL_INITIAL_RETRANSMISSION);
+      // Given any streams blocked by encryption a chance to write.
+      OnCanWrite();
+      break;
+    case ENCRYPTION_HANDSHAKE:
+      break;
+    case ENCRYPTION_FORWARD_SECURE:
+      QUIC_BUG_IF(!config_.negotiated())
+          << ENDPOINT << "Handshake confirmed without parameter negotiation.";
+      break;
+    default:
+      QUIC_BUG << "Unknown encryption level: "
+               << EncryptionLevelToString(level);
+  }
+}
+
+void QuicSession::DiscardOldDecryptionKey(EncryptionLevel level) {
+  DCHECK(use_handshake_delegate());
+  if (!connection()->version().KnowsWhichDecrypterToUse()) {
+    // TODO(fayang): actually discard keys.
+    return;
+  }
+  connection()->RemoveDecrypter(level);
+}
+
+void QuicSession::DiscardOldEncryptionKey(EncryptionLevel level) {
+  DCHECK(use_handshake_delegate());
+  QUIC_DVLOG(1) << ENDPOINT << "Discard keys of "
+                << EncryptionLevelToString(level);
+  // TODO(fayang): actually discard keys.
+  switch (level) {
+    case ENCRYPTION_INITIAL:
+      NeuterUnencryptedData();
+      break;
+    case ENCRYPTION_HANDSHAKE:
+      DCHECK(false);
+      // TODO(fayang): implement this when handshake keys discarding settles
+      // down.
+      break;
+    case ENCRYPTION_ZERO_RTT:
+      break;
+    case ENCRYPTION_FORWARD_SECURE:
+      QUIC_BUG << "Tries to drop 1-RTT keys";
+      break;
+    default:
+      QUIC_BUG << "Unknown encryption level: "
+               << EncryptionLevelToString(level);
+  }
+}
+
+void QuicSession::NeuterHandshakeData() {
+  DCHECK(use_handshake_delegate());
+  connection()->OnHandshakeComplete();
+}
+
 void QuicSession::OnCryptoHandshakeMessageSent(
     const CryptoHandshakeMessage& /*message*/) {}
 
@@ -1476,6 +1587,13 @@ void QuicSession::set_largest_peer_created_stream_id(
       largest_peer_created_stream_id);
 }
 
+QuicStreamId QuicSession::GetLargestPeerCreatedStreamId(
+    bool unidirectional) const {
+  // This method is only used in IETF QUIC.
+  DCHECK(VersionHasIetfQuicFrames(transport_version()));
+  return v99_streamid_manager_.GetLargestPeerCreatedStreamId(unidirectional);
+}
+
 bool QuicSession::IsClosedStream(QuicStreamId id) {
   DCHECK_NE(QuicUtils::GetInvalidStreamId(transport_version()), id);
   if (IsOpenStream(id)) {
@@ -1621,9 +1739,7 @@ bool QuicSession::IsIncomingStream(QuicStreamId id) const {
 }
 
 void QuicSession::OnStreamDoneWaitingForAcks(QuicStreamId id) {
-  if (session_decides_what_to_write()) {
-    streams_waiting_for_acks_.erase(id);
-  }
+  streams_waiting_for_acks_.erase(id);
 
   auto it = zombie_streams_.find(id);
   if (it == zombie_streams_.end()) {
@@ -1640,10 +1756,6 @@ void QuicSession::OnStreamDoneWaitingForAcks(QuicStreamId id) {
 }
 
 void QuicSession::OnStreamWaitingForAcks(QuicStreamId id) {
-  if (!session_decides_what_to_write()) {
-    return;
-  }
-
   // Exclude crypto stream's status since it is counted in HasUnackedCryptoData.
   if (GetCryptoStream() != nullptr && id == GetCryptoStream()->id()) {
     return;
@@ -1903,14 +2015,12 @@ bool QuicSession::RetransmitLostData() {
 }
 
 void QuicSession::NeuterUnencryptedData() {
-  if (connection_->session_decides_what_to_write()) {
-    QuicCryptoStream* crypto_stream = GetMutableCryptoStream();
-    crypto_stream->NeuterUnencryptedStreamData();
-    if (!crypto_stream->HasPendingRetransmission() &&
-        !QuicVersionUsesCryptoFrames(transport_version())) {
-      streams_with_pending_retransmission_.erase(
-          QuicUtils::GetCryptoStreamId(transport_version()));
-    }
+  QuicCryptoStream* crypto_stream = GetMutableCryptoStream();
+  crypto_stream->NeuterUnencryptedStreamData();
+  if (!crypto_stream->HasPendingRetransmission() &&
+      !QuicVersionUsesCryptoFrames(transport_version())) {
+    streams_with_pending_retransmission_.erase(
+        QuicUtils::GetCryptoStreamId(transport_version()));
   }
   connection_->NeuterUnencryptedPackets();
 }
@@ -1920,11 +2030,15 @@ void QuicSession::SetTransmissionType(TransmissionType type) {
 }
 
 MessageResult QuicSession::SendMessage(QuicMemSliceSpan message) {
+  return SendMessage(message, /*flush=*/false);
+}
+
+MessageResult QuicSession::SendMessage(QuicMemSliceSpan message, bool flush) {
   if (!IsEncryptionEstablished()) {
     return {MESSAGE_STATUS_ENCRYPTION_NOT_ESTABLISHED, 0};
   }
   MessageStatus result =
-      connection_->SendMessage(last_message_id_ + 1, message);
+      connection_->SendMessage(last_message_id_ + 1, message, flush);
   if (result == MESSAGE_STATUS_SUCCESS) {
     return {result, ++last_message_id_};
   }
@@ -1945,10 +2059,6 @@ void QuicSession::CleanUpClosedStreams() {
   closed_streams_.clear();
 }
 
-bool QuicSession::session_decides_what_to_write() const {
-  return connection_->session_decides_what_to_write();
-}
-
 QuicPacketLength QuicSession::GetCurrentLargestMessagePayload() const {
   return connection_->GetCurrentLargestMessagePayload();
 }
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_session.h b/chromium/net/third_party/quiche/src/quic/core/quic_session.h
index 9a2f3aaeffc..c6861f93ca5 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_session.h
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_session.h
@@ -14,6 +14,7 @@
 #include <string>
 #include <vector>
 
+#include "net/third_party/quiche/src/quic/core/handshaker_delegate_interface.h"
 #include "net/third_party/quiche/src/quic/core/legacy_quic_stream_id_manager.h"
 #include "net/third_party/quiche/src/quic/core/quic_connection.h"
 #include "net/third_party/quiche/src/quic/core/quic_control_frame_manager.h"
@@ -23,6 +24,7 @@
 #include "net/third_party/quiche/src/quic/core/quic_packets.h"
 #include "net/third_party/quiche/src/quic/core/quic_stream.h"
 #include "net/third_party/quiche/src/quic/core/quic_stream_frame_data_producer.h"
+#include "net/third_party/quiche/src/quic/core/quic_types.h"
 #include "net/third_party/quiche/src/quic/core/quic_write_blocked_list.h"
 #include "net/third_party/quiche/src/quic/core/session_notifier_interface.h"
 #include "net/third_party/quiche/src/quic/core/uber_quic_stream_id_manager.h"
@@ -45,12 +47,13 @@ class QUIC_EXPORT_PRIVATE QuicSession
     : public QuicConnectionVisitorInterface,
       public SessionNotifierInterface,
       public QuicStreamFrameDataProducer,
-      public QuicStreamIdManager::DelegateInterface {
+      public QuicStreamIdManager::DelegateInterface,
+      public HandshakerDelegateInterface {
  public:
   // An interface from the session to the entity owning the session.
   // This lets the session notify its owner (the Dispatcher) when the connection
   // is closed, blocked, or added/removed from the time-wait list.
-  class Visitor {
+  class QUIC_EXPORT_PRIVATE Visitor {
    public:
     virtual ~Visitor() {}
 
@@ -72,6 +75,7 @@ class QUIC_EXPORT_PRIVATE QuicSession
   };
 
   // CryptoHandshakeEvent enumerates the events generated by a QuicCryptoStream.
+  // TODO(fayang): Replace this enum and with HandshakeState.
   enum CryptoHandshakeEvent {
     // ENCRYPTION_ESTABLISHED indicates that a client hello has been sent and
     // subsequent packets will be encrypted. (Client only.)
@@ -125,7 +129,8 @@ class QUIC_EXPORT_PRIVATE QuicSession
   void OnForwardProgressConfirmed() override;
   bool OnMaxStreamsFrame(const QuicMaxStreamsFrame& frame) override;
   bool OnStreamsBlockedFrame(const QuicStreamsBlockedFrame& frame) override;
-  bool OnStopSendingFrame(const QuicStopSendingFrame& frame) override;
+  void OnStopSendingFrame(const QuicStopSendingFrame& frame) override;
+  void OnPacketDecrypted(EncryptionLevel level) override;
 
   // QuicStreamFrameDataProducer
   WriteStreamDataResult WriteStreamData(QuicStreamId id,
@@ -197,6 +202,10 @@ class QUIC_EXPORT_PRIVATE QuicSession
   // callback.
   MessageResult SendMessage(QuicMemSliceSpan message);
 
+  // Same as above SendMessage, except caller can specify if the given |message|
+  // should be flushed even if the underlying connection is deemed unwritable.
+  MessageResult SendMessage(QuicMemSliceSpan message, bool flush);
+
   // Called when message with |message_id| gets acked.
   virtual void OnMessageAcked(QuicMessageId message_id,
                               QuicTime receive_timestamp);
@@ -208,7 +217,9 @@ class QUIC_EXPORT_PRIVATE QuicSession
   // the peer. Returns true if |frame| is consumed, false otherwise.
   virtual bool WriteControlFrame(const QuicFrame& frame);
 
-  // Called by streams when they want to close the stream in both directions.
+  // Close the stream in both directions.
+  // TODO(renjietang): rename this method as it sends both RST_STREAM and
+  // STOP_SENDING in IETF QUIC.
   virtual void SendRstStream(QuicStreamId id,
                              QuicRstStreamErrorCode error,
                              QuicStreamOffset bytes_written);
@@ -248,6 +259,18 @@ class QUIC_EXPORT_PRIVATE QuicSession
   // Servers will simply call it once with HANDSHAKE_CONFIRMED.
   virtual void OnCryptoHandshakeEvent(CryptoHandshakeEvent event);
 
+  // From HandshakerDelegateInterface
+  void OnNewKeysAvailable(EncryptionLevel level,
+                          std::unique_ptr<QuicDecrypter> decrypter,
+                          bool set_alternative_decrypter,
+                          bool latch_once_used,
+                          std::unique_ptr<QuicEncrypter> encrypter) override;
+  void SetDefaultEncryptionLevel(EncryptionLevel level) override;
+  void DiscardOldDecryptionKey(EncryptionLevel level) override;
+  void DiscardOldEncryptionKey(EncryptionLevel level) override;
+  void NeuterUnencryptedData() override;
+  void NeuterHandshakeData() override;
+
   // Called by the QuicCryptoStream when a handshake message is sent.
   virtual void OnCryptoHandshakeMessageSent(
       const CryptoHandshakeMessage& message);
@@ -330,9 +353,6 @@ class QUIC_EXPORT_PRIVATE QuicSession
   // Called when stream |id| is newly waiting for acks.
   void OnStreamWaitingForAcks(QuicStreamId id);
 
-  // Called to cancel retransmission of unencypted crypto stream data.
-  void NeuterUnencryptedData();
-
   // Returns true if the session has data to be sent, either queued in the
   // connection, or in a write-blocked stream.
   bool HasDataToWrite() const;
@@ -404,8 +424,6 @@ class QUIC_EXPORT_PRIVATE QuicSession
   // Clean up closed_streams_.
   void CleanUpClosedStreams();
 
-  bool session_decides_what_to_write() const;
-
   const ParsedQuicVersionVector& supported_versions() const {
     return supported_versions_;
   }
@@ -447,6 +465,10 @@ class QUIC_EXPORT_PRIVATE QuicSession
     return use_http2_priority_write_scheduler_;
   }
 
+  bool use_handshake_delegate() const {
+    return connection_->use_handshake_delegate();
+  }
+
   bool is_configured() const { return is_configured_; }
 
   QuicStreamCount num_expected_unidirectional_static_streams() const {
@@ -539,6 +561,10 @@ class QUIC_EXPORT_PRIVATE QuicSession
   StreamMap& stream_map() { return stream_map_; }
   const StreamMap& stream_map() const { return stream_map_; }
 
+  const PendingStreamMap& pending_streams() const {
+    return pending_stream_map_;
+  }
+
   ClosedStreams* closed_streams() { return &closed_streams_; }
 
   const ZombieStreamMap& zombie_streams() const { return zombie_streams_; }
@@ -596,7 +622,9 @@ class QUIC_EXPORT_PRIVATE QuicSession
     return false;
   }
 
-  bool IsHandshakeConfirmed() const { return is_handshake_confirmed_; }
+  // Return the largest peer created stream id depending on directionality
+  // indicated by |unidirectional|.
+  QuicStreamId GetLargestPeerCreatedStreamId(bool unidirectional) const;
 
  private:
   friend class test::QuicSessionPeer;
@@ -659,6 +687,14 @@ class QUIC_EXPORT_PRIVATE QuicSession
   // stream.
   void PendingStreamOnRstStream(const QuicRstStreamFrame& frame);
 
+  // Does actual work of sending RESET_STREAM, if the stream type allows.
+  void MaybeSendRstStreamFrame(QuicStreamId id,
+                               QuicRstStreamErrorCode error,
+                               QuicStreamOffset bytes_written);
+
+  // Sends a STOP_SENDING frame if the stream type allows.
+  void MaybeSendStopSendingFrame(QuicStreamId id, QuicRstStreamErrorCode error);
+
   // Keep track of highest received byte offset of locally closed streams, while
   // waiting for a definitive final highest offset from the peer.
   std::map<QuicStreamId, QuicStreamOffset>
@@ -732,9 +768,6 @@ class QUIC_EXPORT_PRIVATE QuicSession
   // call stack of OnCanWrite.
   QuicStreamId currently_writing_stream_id_;
 
-  // Cached value of whether the crypto handshake has been confirmed.
-  bool is_handshake_confirmed_;
-
   // Whether a GoAway has been sent.
   bool goaway_sent_;
 
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_session_test.cc b/chromium/net/third_party/quiche/src/quic/core/quic_session_test.cc
index 9eb4fed3de9..afb5641d8f9 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_session_test.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_session_test.cc
@@ -85,11 +85,16 @@ class TestCryptoStream : public QuicCryptoStream, public QuicCryptoHandshaker {
       error =
           session()->config()->ProcessPeerHello(msg, CLIENT, &error_details);
     }
-    EXPECT_EQ(QUIC_NO_ERROR, error);
+    EXPECT_THAT(error, IsQuicNoError());
     session()->OnConfigNegotiated();
-    session()->connection()->SetDefaultEncryptionLevel(
-        ENCRYPTION_FORWARD_SECURE);
-    session()->OnCryptoHandshakeEvent(QuicSession::HANDSHAKE_CONFIRMED);
+    if (session()->use_handshake_delegate()) {
+      session()->SetDefaultEncryptionLevel(ENCRYPTION_FORWARD_SECURE);
+      session()->DiscardOldEncryptionKey(ENCRYPTION_INITIAL);
+    } else {
+      session()->connection()->SetDefaultEncryptionLevel(
+          ENCRYPTION_FORWARD_SECURE);
+      session()->OnCryptoHandshakeEvent(QuicSession::HANDSHAKE_CONFIRMED);
+    }
   }
 
   // QuicCryptoStream implementation
@@ -104,6 +109,7 @@ class TestCryptoStream : public QuicCryptoStream, public QuicCryptoHandshaker {
   CryptoMessageParser* crypto_message_parser() override {
     return QuicCryptoHandshaker::crypto_message_parser();
   }
+  void OnPacketDecrypted(EncryptionLevel /*level*/) override {}
 
   MOCK_METHOD0(OnCanWrite, void());
   bool HasPendingCryptoRetransmission() const override { return false; }
@@ -135,7 +141,6 @@ class TestStream : public QuicStream {
   using QuicStream::CloseReadSide;
   using QuicStream::CloseWriteSide;
   using QuicStream::WriteMemSlices;
-  using QuicStream::WritevData;
 
   void OnDataAvailable() override {}
 
@@ -144,7 +149,6 @@ class TestStream : public QuicStream {
                bool(QuicStreamOffset, QuicByteCount, bool));
 
   MOCK_CONST_METHOD0(HasPendingRetransmission, bool());
-  MOCK_METHOD1(OnStopSending, void(uint16_t code));
 };
 
 class TestSession : public QuicSession {
@@ -391,24 +395,33 @@ class QuicSessionTestBase : public QuicTestWithParam<ParsedQuicVersion> {
   }
 
   void CloseStream(QuicStreamId id) {
-    if (VersionHasIetfQuicFrames(session_.transport_version()) &&
-        QuicUtils::GetStreamType(id, session_.perspective(),
-                                 session_.IsIncomingStream(id)) ==
-            READ_UNIDIRECTIONAL) {
-      // Verify reset is not sent for READ_UNIDIRECTIONAL streams.
-      EXPECT_CALL(*connection_, SendControlFrame(_)).Times(0);
-      EXPECT_CALL(*connection_, OnStreamReset(_, _)).Times(0);
-    } else {
-      // Verify reset IS sent for BIDIRECTIONAL streams.
-      if (VersionHasIetfQuicFrames(session_.transport_version())) {
-        // Once for the RST_STREAM, Once for the STOP_SENDING
+    if (VersionHasIetfQuicFrames(transport_version())) {
+      if (QuicUtils::GetStreamType(id, session_.perspective(),
+                                   session_.IsIncomingStream(id)) ==
+          READ_UNIDIRECTIONAL) {
+        // Verify reset is not sent for READ_UNIDIRECTIONAL streams.
+        EXPECT_CALL(*connection_, SendControlFrame(_)).Times(0);
+        EXPECT_CALL(*connection_, OnStreamReset(_, _)).Times(0);
+      } else if (QuicUtils::GetStreamType(id, session_.perspective(),
+                                          session_.IsIncomingStream(id)) ==
+                 WRITE_UNIDIRECTIONAL) {
+        // Verify RESET_STREAM but not STOP_SENDING is sent for write-only
+        // stream.
         EXPECT_CALL(*connection_, SendControlFrame(_))
-            .Times(2)
-            .WillRepeatedly(Invoke(&ClearControlFrame));
+            .Times(1)
+            .WillOnce(Invoke(&ClearControlFrame));
+        EXPECT_CALL(*connection_, OnStreamReset(id, _));
       } else {
+        // Verify RESET_STREAM and STOP_SENDING are sent for BIDIRECTIONAL
+        // streams.
         EXPECT_CALL(*connection_, SendControlFrame(_))
-            .WillOnce(Invoke(&ClearControlFrame));
+            .Times(2)
+            .WillRepeatedly(Invoke(&ClearControlFrame));
+        EXPECT_CALL(*connection_, OnStreamReset(id, _));
       }
+    } else {
+      EXPECT_CALL(*connection_, SendControlFrame(_))
+          .WillOnce(Invoke(&ClearControlFrame));
       EXPECT_CALL(*connection_, OnStreamReset(id, _));
     }
     session_.CloseStream(id);
@@ -1309,7 +1322,7 @@ TEST_P(QuicSessionTestServer, OnCanWriteLimitsNumWritesIfFlowControlBlocked) {
 
 TEST_P(QuicSessionTestServer, SendGoAway) {
   if (VersionHasIetfQuicFrames(transport_version())) {
-    // GoAway frames are not in version 99
+    // In IETF QUIC, GOAWAY lives up in the HTTP layer.
     return;
   }
   connection_->SetDefaultEncryptionLevel(ENCRYPTION_FORWARD_SECURE);
@@ -1334,8 +1347,7 @@ TEST_P(QuicSessionTestServer, SendGoAway) {
 
 TEST_P(QuicSessionTestServer, DoNotSendGoAwayTwice) {
   if (VersionHasIetfQuicFrames(transport_version())) {
-    // TODO(b/118808809): Enable this test for version 99 when GOAWAY is
-    // supported.
+    // In IETF QUIC, GOAWAY lives up in the HTTP layer.
     return;
   }
   EXPECT_CALL(*connection_, SendControlFrame(_))
@@ -1347,8 +1359,7 @@ TEST_P(QuicSessionTestServer, DoNotSendGoAwayTwice) {
 
 TEST_P(QuicSessionTestServer, InvalidGoAway) {
   if (VersionHasIetfQuicFrames(transport_version())) {
-    // TODO(b/118808809): Enable this test for version 99 when GOAWAY is
-    // supported.
+    // In IETF QUIC, GOAWAY lives up in the HTTP layer.
     return;
   }
   QuicGoAwayFrame go_away(kInvalidControlFrameId, QUIC_PEER_GOING_AWAY,
@@ -1558,7 +1569,7 @@ TEST_P(QuicSessionTestServer, HandshakeUnblocksFlowControlBlockedCryptoStream) {
     config.ToHandshakeMessage(&crypto_message, transport_version());
     crypto_stream->SendHandshakeMessage(crypto_message);
     char buf[1000];
-    QuicDataWriter writer(1000, buf, NETWORK_BYTE_ORDER);
+    QuicDataWriter writer(1000, buf, quiche::NETWORK_BYTE_ORDER);
     crypto_stream->WriteStreamData(offset, crypto_message.size(), &writer);
   }
   EXPECT_TRUE(crypto_stream->flow_controller()->IsBlocked());
@@ -1605,7 +1616,8 @@ TEST_P(QuicSessionTestServer, ConnectionFlowControlAccountingRstOutOfOrder) {
     // stream and therefore fulfill all of the expects.
     QuicStopSendingFrame frame(kInvalidControlFrameId, stream->id(),
                                QUIC_STREAM_CANCELLED);
-    EXPECT_TRUE(session_.OnStopSendingFrame(frame));
+    EXPECT_CALL(*connection_, CloseConnection(_, _, _)).Times(0);
+    session_.OnStopSendingFrame(frame);
   }
   EXPECT_EQ(kByteOffset, session_.flow_controller()->bytes_consumed());
 }
@@ -1886,9 +1898,6 @@ TEST_P(QuicSessionTestServer, RstPendingStreams) {
   EXPECT_EQ(0, session_.num_incoming_streams_created());
   EXPECT_EQ(0u, session_.GetNumOpenIncomingStreams());
 
-  EXPECT_CALL(*connection_, SendControlFrame(_)).Times(1);
-  EXPECT_CALL(*connection_, OnStreamReset(stream_id, QUIC_RST_ACKNOWLEDGEMENT))
-      .Times(1);
   QuicRstStreamFrame rst1(kInvalidControlFrameId, stream_id,
                           QUIC_ERROR_PROCESSING_STREAM, 12);
   session_.OnRstStream(rst1);
@@ -2119,7 +2128,8 @@ TEST_P(QuicSessionTestServer, TestZombieStreams) {
     // stream and therefore fulfill all of the expects.
     QuicStopSendingFrame frame(kInvalidControlFrameId, stream2->id(),
                                QUIC_STREAM_CANCELLED);
-    EXPECT_TRUE(session_.OnStopSendingFrame(frame));
+    EXPECT_CALL(*connection_, CloseConnection(_, _, _)).Times(0);
+    session_.OnStopSendingFrame(frame);
   }
   EXPECT_FALSE(QuicContainsKey(session_.zombie_streams(), stream2->id()));
   ASSERT_EQ(1u, session_.closed_streams()->size());
@@ -2148,7 +2158,6 @@ TEST_P(QuicSessionTestServer, TestZombieStreams) {
 }
 
 TEST_P(QuicSessionTestServer, OnStreamFrameLost) {
-  QuicConnectionPeer::SetSessionDecidesWhatToWrite(connection_);
   InSequence s;
 
   // Drive congestion control manually.
@@ -2225,7 +2234,6 @@ TEST_P(QuicSessionTestServer, OnStreamFrameLost) {
 }
 
 TEST_P(QuicSessionTestServer, DonotRetransmitDataOfClosedStreams) {
-  QuicConnectionPeer::SetSessionDecidesWhatToWrite(connection_);
   InSequence s;
 
   TestStream* stream2 = session_.CreateOutgoingBidirectionalStream();
@@ -2265,7 +2273,6 @@ TEST_P(QuicSessionTestServer, DonotRetransmitDataOfClosedStreams) {
 }
 
 TEST_P(QuicSessionTestServer, RetransmitFrames) {
-  QuicConnectionPeer::SetSessionDecidesWhatToWrite(connection_);
   MockSendAlgorithm* send_algorithm = new StrictMock<MockSendAlgorithm>;
   QuicConnectionPeer::SetSendAlgorithm(session_.connection(), send_algorithm);
   InSequence s;
@@ -2301,7 +2308,6 @@ TEST_P(QuicSessionTestServer, RetransmitFrames) {
 TEST_P(QuicSessionTestServer, RetransmitLostDataCausesConnectionClose) {
   // This test mimics the scenario when a dynamic stream retransmits lost data
   // and causes connection close.
-  QuicConnectionPeer::SetSessionDecidesWhatToWrite(connection_);
   TestStream* stream = session_.CreateOutgoingBidirectionalStream();
   QuicStreamFrame frame(stream->id(), false, 0, 9);
 
@@ -2343,21 +2349,21 @@ TEST_P(QuicSessionTestServer, SendMessage) {
   EXPECT_TRUE(session_.IsCryptoHandshakeConfirmed());
 
   QuicStringPiece message;
-  EXPECT_CALL(*connection_, SendMessage(1, _))
+  EXPECT_CALL(*connection_, SendMessage(1, _, false))
       .WillOnce(Return(MESSAGE_STATUS_SUCCESS));
   EXPECT_EQ(MessageResult(MESSAGE_STATUS_SUCCESS, 1),
             session_.SendMessage(
                 MakeSpan(connection_->helper()->GetStreamSendBufferAllocator(),
                          message, &storage)));
   // Verify message_id increases.
-  EXPECT_CALL(*connection_, SendMessage(2, _))
+  EXPECT_CALL(*connection_, SendMessage(2, _, false))
       .WillOnce(Return(MESSAGE_STATUS_TOO_LARGE));
   EXPECT_EQ(MessageResult(MESSAGE_STATUS_TOO_LARGE, 0),
             session_.SendMessage(
                 MakeSpan(connection_->helper()->GetStreamSendBufferAllocator(),
                          message, &storage)));
   // Verify unsent message does not consume a message_id.
-  EXPECT_CALL(*connection_, SendMessage(2, _))
+  EXPECT_CALL(*connection_, SendMessage(2, _, false))
       .WillOnce(Return(MESSAGE_STATUS_SUCCESS));
   EXPECT_EQ(MessageResult(MESSAGE_STATUS_SUCCESS, 2),
             session_.SendMessage(
@@ -2380,8 +2386,6 @@ TEST_P(QuicSessionTestServer, SendMessage) {
 
 // Regression test of b/115323618.
 TEST_P(QuicSessionTestServer, LocallyResetZombieStreams) {
-  QuicConnectionPeer::SetSessionDecidesWhatToWrite(connection_);
-
   session_.set_writev_consumes_all_data(true);
   TestStream* stream2 = session_.CreateOutgoingBidirectionalStream();
   std::string body(100, '.');
@@ -2632,7 +2636,7 @@ TEST_P(QuicSessionTestServer, OnStopSendingInputInvalidStreamId) {
       *connection_,
       CloseConnection(QUIC_INVALID_STREAM_ID,
                       "Received STOP_SENDING for an invalid stream", _));
-  EXPECT_FALSE(session_.OnStopSendingFrame(frame));
+  session_.OnStopSendingFrame(frame);
 }
 
 // Second test, streams in the static stream map are not subject to
@@ -2652,7 +2656,7 @@ TEST_P(QuicSessionTestServer, OnStopSendingInputStaticStreams) {
   EXPECT_CALL(*connection_,
               CloseConnection(QUIC_INVALID_STREAM_ID,
                               "Received STOP_SENDING for a static stream", _));
-  EXPECT_FALSE(session_.OnStopSendingFrame(frame));
+  session_.OnStopSendingFrame(frame);
 }
 
 // Third test, if stream id specifies a closed stream:
@@ -2672,7 +2676,7 @@ TEST_P(QuicSessionTestServer, OnStopSendingInputClosedStream) {
   stream->CloseReadSide();
   QuicStopSendingFrame frame(1, stream_id, 123);
   EXPECT_CALL(*connection_, CloseConnection(_, _, _)).Times(0);
-  EXPECT_TRUE(session_.OnStopSendingFrame(frame));
+  session_.OnStopSendingFrame(frame);
 }
 
 // Fourth test, if stream id specifies a nonexistent stream, return false and
@@ -2690,7 +2694,7 @@ TEST_P(QuicSessionTestServer, OnStopSendingInputNonExistentStream) {
       CloseConnection(IETF_QUIC_PROTOCOL_VIOLATION,
                       "Received STOP_SENDING for a non-existent stream", _))
       .Times(1);
-  EXPECT_FALSE(session_.OnStopSendingFrame(frame));
+  session_.OnStopSendingFrame(frame);
 }
 
 // For a valid stream, ensure that all works
@@ -2708,15 +2712,14 @@ TEST_P(QuicSessionTestServer, OnStopSendingInputValidStream) {
 
   QuicStreamId stream_id = stream->id();
   QuicStopSendingFrame frame(1, stream_id, 123);
-  EXPECT_CALL(*stream, OnStopSending(123));
   // Expect a reset to come back out.
   EXPECT_CALL(*connection_, SendControlFrame(_));
   EXPECT_CALL(
       *connection_,
       OnStreamReset(stream_id, static_cast<QuicRstStreamErrorCode>(123)));
-  EXPECT_TRUE(session_.OnStopSendingFrame(frame));
-  // When the STOP_SENDING is received, the node generates a RST_STREAM,
-  // which closes the stream in the write direction. Ensure this.
+  EXPECT_CALL(*connection_, CloseConnection(_, _, _)).Times(0);
+  session_.OnStopSendingFrame(frame);
+
   EXPECT_FALSE(QuicStreamPeer::read_side_closed(stream));
   EXPECT_TRUE(stream->write_side_closed());
 }
@@ -2754,17 +2757,43 @@ TEST_P(QuicSessionTestServer, StreamFrameReceivedAfterFin) {
   session_.OnStreamFrame(frame);
 
   QuicStreamFrame frame1(stream->id(), false, 1, ",");
-  if (GetQuicReloadableFlag(quic_rst_if_stream_frame_beyond_close_offset)) {
+  if (!GetQuicReloadableFlag(quic_close_connection_on_wrong_offset)) {
     EXPECT_CALL(*connection_, SendControlFrame(_));
     EXPECT_CALL(*connection_,
                 OnStreamReset(stream->id(), QUIC_DATA_AFTER_CLOSE_OFFSET));
-    session_.OnStreamFrame(frame1);
-    EXPECT_TRUE(connection_->connected());
   } else {
-#if GTEST_HAS_DEATH_TEST && !defined(NDEBUG)
-    EXPECT_DEBUG_DEATH(session_.OnStreamFrame(frame1), "Check failed");
-#endif  // GTEST_HAS_DEATH_TEST && !defined(NDEBUG)
+    EXPECT_CALL(*connection_,
+                CloseConnection(QUIC_STREAM_DATA_BEYOND_CLOSE_OFFSET, _, _));
+  }
+  session_.OnStreamFrame(frame1);
+}
+
+TEST_P(QuicSessionTestServer, ResetForIETFStreamTypes) {
+  if (!VersionHasIetfQuicFrames(transport_version())) {
+    return;
   }
+
+  QuicStreamId read_only = GetNthClientInitiatedUnidirectionalId(0);
+
+  EXPECT_CALL(*connection_, SendControlFrame(_))
+      .Times(1)
+      .WillOnce(Invoke(&ClearControlFrame));
+  EXPECT_CALL(*connection_, OnStreamReset(read_only, _));
+  session_.SendRstStream(read_only, QUIC_STREAM_CANCELLED, 0);
+
+  QuicStreamId write_only = GetNthServerInitiatedUnidirectionalId(0);
+  EXPECT_CALL(*connection_, SendControlFrame(_))
+      .Times(1)
+      .WillOnce(Invoke(&ClearControlFrame));
+  EXPECT_CALL(*connection_, OnStreamReset(write_only, _));
+  session_.SendRstStream(write_only, QUIC_STREAM_CANCELLED, 0);
+
+  QuicStreamId bidirectional = GetNthClientInitiatedBidirectionalId(0);
+  EXPECT_CALL(*connection_, SendControlFrame(_))
+      .Times(2)
+      .WillRepeatedly(Invoke(&ClearControlFrame));
+  EXPECT_CALL(*connection_, OnStreamReset(bidirectional, _));
+  session_.SendRstStream(bidirectional, QUIC_STREAM_CANCELLED, 0);
 }
 
 // A client test class that can be used when the automatic configuration is not
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_stream.cc b/chromium/net/third_party/quiche/src/quic/core/quic_stream.cc
index d708b13cfcf..20373272d4f 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_stream.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_stream.cc
@@ -9,6 +9,7 @@
 #include "net/third_party/quiche/src/quic/core/quic_error_codes.h"
 #include "net/third_party/quiche/src/quic/core/quic_flow_controller.h"
 #include "net/third_party/quiche/src/quic/core/quic_session.h"
+#include "net/third_party/quiche/src/quic/core/quic_types.h"
 #include "net/third_party/quiche/src/quic/core/quic_utils.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_bug_tracker.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_flag_utils.h"
@@ -21,7 +22,7 @@ using spdy::SpdyPriority;
 namespace quic {
 
 #define ENDPOINT \
-  (perspective_ == Perspective::IS_SERVER ? "Server: " : "Client: ")
+  (session_->perspective() == Perspective::IS_SERVER ? "Server: " : "Client: ")
 
 namespace {
 
@@ -135,9 +136,13 @@ void PendingStream::AddBytesConsumed(QuicByteCount bytes) {
   connection_flow_controller_->AddBytesConsumed(bytes);
 }
 
-void PendingStream::Reset(QuicRstStreamErrorCode error) {
-  // TODO: RESET_STREAM must not be sent for READ_UNIDIRECTIONAL stream.
-  session_->SendRstStream(id_, error, 0);
+void PendingStream::Reset(QuicRstStreamErrorCode /*error*/) {
+  // Currently PendingStream is only read-unidirectional. It shouldn't send
+  // Reset.
+  DCHECK_EQ(READ_UNIDIRECTIONAL,
+            QuicUtils::GetStreamType(id_, session_->perspective(),
+                                     /*peer_initiated = */ true));
+  QUIC_NOTREACHED();
 }
 
 void PendingStream::CloseConnectionWithDetails(QuicErrorCode error,
@@ -171,9 +176,13 @@ void PendingStream::OnStreamFrame(const QuicStreamFrame& frame) {
     return;
   }
 
-  if (GetQuicReloadableFlag(quic_rst_if_stream_frame_beyond_close_offset) &&
-      frame.offset + frame.data_length > sequencer_.close_offset()) {
-    Reset(QUIC_DATA_AFTER_CLOSE_OFFSET);
+  if (frame.offset + frame.data_length > sequencer_.close_offset()) {
+    CloseConnectionWithDetails(
+        QUIC_STREAM_DATA_BEYOND_CLOSE_OFFSET,
+        QuicStrCat(
+            "Stream ", id_,
+            " received data with offset: ", frame.offset + frame.data_length,
+            ", which is beyond close offset: ", sequencer()->close_offset()));
     return;
   }
 
@@ -212,6 +221,20 @@ void PendingStream::OnRstStreamFrame(const QuicRstStreamFrame& frame) {
                                "Reset frame stream offset overflow.");
     return;
   }
+
+  const QuicStreamOffset kMaxOffset =
+      std::numeric_limits<QuicStreamOffset>::max();
+  if (sequencer()->close_offset() != kMaxOffset &&
+      frame.byte_offset != sequencer()->close_offset()) {
+    CloseConnectionWithDetails(
+        QUIC_STREAM_MULTIPLE_OFFSET,
+        QuicStrCat("Stream ", id_,
+                   " received new final offset: ", frame.byte_offset,
+                   ", which is different from close offset: ",
+                   sequencer()->close_offset()));
+    return;
+  }
+
   MaybeIncreaseHighestReceivedOffset(frame.byte_offset);
   if (flow_controller_.FlowControlViolation() ||
       connection_flow_controller_->FlowControlViolation()) {
@@ -328,7 +351,6 @@ QuicStream::QuicStream(QuicStreamId id,
       fin_received_(fin_received),
       rst_sent_(false),
       rst_received_(false),
-      perspective_(session_->perspective()),
       flow_controller_(std::move(flow_controller)),
       connection_flow_controller_(connection_flow_controller),
       stream_contributes_to_connection_flow_control_(true),
@@ -342,7 +364,7 @@ QuicStream::QuicStream(QuicStreamId id,
       type_(VersionHasIetfQuicFrames(session->transport_version()) &&
                     type != CRYPTO
                 ? QuicUtils::GetStreamType(id_,
-                                           perspective_,
+                                           session->perspective(),
                                            session->IsIncomingStream(id_))
                 : type) {
   if (type_ == WRITE_UNIDIRECTIONAL) {
@@ -352,7 +374,6 @@ QuicStream::QuicStream(QuicStreamId id,
     set_fin_sent(true);
     CloseWriteSide();
   }
-  SetFromConfig();
   if (type_ != CRYPTO) {
     session_->RegisterStreamPriority(id, is_static_, precedence_);
   }
@@ -371,8 +392,6 @@ QuicStream::~QuicStream() {
   }
 }
 
-void QuicStream::SetFromConfig() {}
-
 void QuicStream::OnStreamFrame(const QuicStreamFrame& frame) {
   DCHECK_EQ(frame.stream_id, id_);
 
@@ -402,12 +421,19 @@ void QuicStream::OnStreamFrame(const QuicStreamFrame& frame) {
     return;
   }
 
-  if (GetQuicReloadableFlag(quic_rst_if_stream_frame_beyond_close_offset)) {
-    QUIC_RELOADABLE_FLAG_COUNT(quic_rst_if_stream_frame_beyond_close_offset);
-    if (frame.offset + frame.data_length > sequencer_.close_offset()) {
+  if (frame.offset + frame.data_length > sequencer_.close_offset()) {
+    if (!GetQuicReloadableFlag(quic_close_connection_on_wrong_offset)) {
       Reset(QUIC_DATA_AFTER_CLOSE_OFFSET);
       return;
     }
+    QUIC_RELOADABLE_FLAG_COUNT_N(quic_close_connection_on_wrong_offset, 1, 2);
+    CloseConnectionWithDetails(
+        QUIC_STREAM_DATA_BEYOND_CLOSE_OFFSET,
+        QuicStrCat(
+            "Stream ", id_,
+            " received data with offset: ", frame.offset + frame.data_length,
+            ", which is beyond close offset: ", sequencer_.close_offset()));
+    return;
   }
 
   if (frame.fin) {
@@ -463,6 +489,23 @@ void QuicStream::OnStreamReset(const QuicRstStreamFrame& frame) {
                                "Reset frame stream offset overflow.");
     return;
   }
+
+  if (GetQuicReloadableFlag(quic_close_connection_on_wrong_offset)) {
+    QUIC_RELOADABLE_FLAG_COUNT_N(quic_close_connection_on_wrong_offset, 2, 2);
+    const QuicStreamOffset kMaxOffset =
+        std::numeric_limits<QuicStreamOffset>::max();
+    if (sequencer()->close_offset() != kMaxOffset &&
+        frame.byte_offset != sequencer()->close_offset()) {
+      CloseConnectionWithDetails(
+          QUIC_STREAM_MULTIPLE_OFFSET,
+          QuicStrCat("Stream ", id_,
+                     " received new final offset: ", frame.byte_offset,
+                     ", which is different from close offset: ",
+                     sequencer_.close_offset()));
+      return;
+    }
+  }
+
   MaybeIncreaseHighestReceivedOffset(frame.byte_offset);
   if (flow_controller_->FlowControlViolation() ||
       connection_flow_controller_->FlowControlViolation()) {
@@ -624,64 +667,6 @@ void QuicStream::MaybeSendBlocked() {
   }
 }
 
-QuicConsumedData QuicStream::WritevData(const struct iovec* iov,
-                                        int iov_count,
-                                        bool fin) {
-  if (write_side_closed_) {
-    QUIC_DLOG(ERROR) << ENDPOINT << "Stream " << id()
-                     << "attempting to write when the write side is closed";
-    if (type_ == READ_UNIDIRECTIONAL) {
-      CloseConnectionWithDetails(
-          QUIC_TRY_TO_WRITE_DATA_ON_READ_UNIDIRECTIONAL_STREAM,
-          "Try to send data on read unidirectional stream");
-    }
-    return QuicConsumedData(0, false);
-  }
-
-  // How much data was provided.
-  size_t write_length = 0;
-  if (iov != nullptr) {
-    for (int i = 0; i < iov_count; ++i) {
-      write_length += iov[i].iov_len;
-    }
-  }
-
-  QuicConsumedData consumed_data(0, false);
-  if (fin_buffered_) {
-    QUIC_BUG << "Fin already buffered";
-    return consumed_data;
-  }
-
-  if (kMaxStreamLength - send_buffer_.stream_offset() < write_length) {
-    QUIC_BUG << "Write too many data via stream " << id_;
-    CloseConnectionWithDetails(
-        QUIC_STREAM_LENGTH_OVERFLOW,
-        QuicStrCat("Write too many data via stream ", id_));
-    return consumed_data;
-  }
-
-  bool had_buffered_data = HasBufferedData();
-  if (CanWriteNewData()) {
-    // Save all data if buffered data size is below low water mark.
-    consumed_data.bytes_consumed = write_length;
-    if (consumed_data.bytes_consumed > 0) {
-      QuicStreamOffset offset = send_buffer_.stream_offset();
-      send_buffer_.SaveStreamData(iov, iov_count, 0, write_length);
-      OnDataBuffered(offset, write_length, nullptr);
-    }
-  }
-  consumed_data.fin_consumed =
-      consumed_data.bytes_consumed == write_length && fin;
-  fin_buffered_ = consumed_data.fin_consumed;
-
-  if (!had_buffered_data && (HasBufferedData() || fin_buffered_)) {
-    // Write data if there is no buffered data before.
-    WriteBufferedData();
-  }
-
-  return consumed_data;
-}
-
 QuicConsumedData QuicStream::WriteMemSlices(QuicMemSliceSpan span, bool fin) {
   QuicConsumedData consumed_data(0, false);
   if (span.empty() && !fin) {
@@ -831,7 +816,7 @@ void QuicStream::OnWindowUpdateFrame(const QuicWindowUpdateFrame& frame) {
     return;
   }
 
-  if (flow_controller_->UpdateSendWindowOffset(frame.byte_offset)) {
+  if (flow_controller_->UpdateSendWindowOffset(frame.max_data)) {
     // Let session unblock this stream.
     session_->MarkConnectionLevelWriteBlocked(id_);
   }
@@ -1055,9 +1040,7 @@ void QuicStream::WriteBufferedData() {
     QUIC_DVLOG(1) << "stream " << id() << " shortens write length to "
                   << write_length << " due to flow control";
   }
-  if (session_->session_decides_what_to_write()) {
-    session_->SetTransmissionType(NOT_RETRANSMISSION);
-  }
+  session_->SetTransmissionType(NOT_RETRANSMISSION);
 
   StreamSendingState state = fin ? FIN : NO_FIN;
   if (fin && add_random_padding_after_fin_) {
@@ -1180,10 +1163,6 @@ bool QuicStream::MaybeSetTtl(QuicTime::Delta ttl) {
     QUIC_DLOG(WARNING) << "Deadline has already been set.";
     return false;
   }
-  if (!session()->session_decides_what_to_write()) {
-    QUIC_DLOG(WARNING) << "This session does not support stream TTL yet.";
-    return false;
-  }
   QuicTime now = session()->connection()->clock()->ApproximateNow();
   deadline_ = now + ttl;
   return true;
@@ -1194,7 +1173,6 @@ bool QuicStream::HasDeadlinePassed() const {
     // No deadline has been set.
     return false;
   }
-  DCHECK(session()->session_decides_what_to_write());
   QuicTime now = session()->connection()->clock()->ApproximateNow();
   if (now < deadline_) {
     return false;
@@ -1218,6 +1196,4 @@ void QuicStream::SendStopSending(uint16_t code) {
   session_->SendStopSending(code, id_);
 }
 
-void QuicStream::OnStopSending(uint16_t /*code*/) {}
-
 }  // namespace quic
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_stream.h b/chromium/net/third_party/quiche/src/quic/core/quic_stream.h
index c8e5012767a..c936bc71264 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_stream.h
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_stream.h
@@ -136,9 +136,6 @@ class QUIC_EXPORT_PRIVATE QuicStream
 
   virtual ~QuicStream();
 
-  // Not in use currently.
-  void SetFromConfig();
-
   // QuicStreamSequencer::StreamInterface implementation.
   QuicStreamId id() const override { return id_; }
   // Called by the stream subclass after it has consumed the final incoming
@@ -247,9 +244,7 @@ class QUIC_EXPORT_PRIVATE QuicStream
   // sent. If this is not true on deletion of the stream object, the session
   // must keep track of the stream's byte offset until a definitive final value
   // arrives.
-  bool HasFinalReceivedByteOffset() const {
-    return fin_received_ || rst_received_;
-  }
+  bool HasReceivedFinalOffset() const { return fin_received_ || rst_received_; }
 
   // Returns true if the stream has queued data waiting to write.
   bool HasBufferedData() const;
@@ -341,11 +336,8 @@ class QUIC_EXPORT_PRIVATE QuicStream
   // this method or not.
   void SendStopSending(uint16_t code);
 
-  // Invoked when QUIC receives a STOP_SENDING frame for this stream, informing
-  // the application that the peer has sent a STOP_SENDING. The default
-  // implementation is a noop. Is to be overridden by the application-specific
-  // QuicStream class.
-  virtual void OnStopSending(uint16_t code);
+  // Handle received StopSending frame.
+  virtual void OnStopSending(uint16_t /*code*/) {}
 
   // Close the write side of the socket.  Further writes will fail.
   // Can be called by the subclass or internally.
@@ -356,16 +348,6 @@ class QUIC_EXPORT_PRIVATE QuicStream
   bool is_static() const { return is_static_; }
 
  protected:
-  // Sends as many bytes in the first |count| buffers of |iov| to the connection
-  // as the connection will consume. If FIN is consumed, the write side is
-  // immediately closed.
-  // Returns the number of bytes consumed by the connection.
-  // Please note: Returned consumed data is the amount of data saved in send
-  // buffer. The data is not necessarily consumed by the connection. So write
-  // side is closed when FIN is sent.
-  // TODO(fayang): Let WritevData return boolean.
-  QuicConsumedData WritevData(const struct iovec* iov, int iov_count, bool fin);
-
   // Close the read side of the socket.  May cause the stream to be closed.
   // Subclasses and consumers should use StopReading to terminate reading early
   // if expecting a FIN. Can be used directly by subclasses if not expecting a
@@ -437,9 +419,6 @@ class QUIC_EXPORT_PRIVATE QuicStream
              QuicOptional<QuicFlowController> flow_controller,
              QuicFlowController* connection_flow_controller);
 
-  // Subclasses and consumers should use reading_stopped.
-  bool read_side_closed() const { return read_side_closed_; }
-
   // Calls MaybeSendBlocked on the stream's flow controller and the connection
   // level flow controller.  If the stream is flow control blocked by the
   // connection-level flow controller but not by the stream-level flow
@@ -501,10 +480,6 @@ class QUIC_EXPORT_PRIVATE QuicStream
   // True if this stream has received a RST_STREAM frame.
   bool rst_received_;
 
-  // Tracks if the session this stream is running under was created by a
-  // server or a client.
-  Perspective perspective_;
-
   QuicOptional<QuicFlowController> flow_controller_;
 
   // The connection level flow controller. Not owned.
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_stream_id_manager.h b/chromium/net/third_party/quiche/src/quic/core/quic_stream_id_manager.h
index 1ac2947fca7..e39e14fcf85 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_stream_id_manager.h
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_stream_id_manager.h
@@ -29,7 +29,7 @@ const int kMaxStreamsWindowDivisor = 2;
 // This class manages the stream ids for Version 99/IETF QUIC.
 class QUIC_EXPORT_PRIVATE QuicStreamIdManager {
  public:
-  class DelegateInterface {
+  class QUIC_EXPORT_PRIVATE DelegateInterface {
    public:
     virtual ~DelegateInterface() = default;
 
@@ -153,6 +153,10 @@ class QUIC_EXPORT_PRIVATE QuicStreamIdManager {
     largest_peer_created_stream_id_ = largest_peer_created_stream_id;
   }
 
+  QuicStreamId largest_peer_created_stream_id() const {
+    return largest_peer_created_stream_id_;
+  }
+
   // These are the limits for outgoing and incoming streams,
   // respectively. For incoming there are two limits, what has
   // been advertised to the peer and what is actually available.
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_stream_id_manager_test.cc b/chromium/net/third_party/quiche/src/quic/core/quic_stream_id_manager_test.cc
index 7b7fb1a9e72..2ff55be857c 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_stream_id_manager_test.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_stream_id_manager_test.cc
@@ -13,7 +13,6 @@
 #include "net/third_party/quiche/src/quic/test_tools/quic_stream_id_manager_peer.h"
 
 using testing::_;
-using testing::Invoke;
 using testing::StrictMock;
 
 namespace quic {
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_stream_send_buffer.cc b/chromium/net/third_party/quiche/src/quic/core/quic_stream_send_buffer.cc
index ead192dd6fe..158afd80f63 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_stream_send_buffer.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_stream_send_buffer.cc
@@ -9,6 +9,7 @@
 #include "net/third_party/quiche/src/quic/core/quic_stream_send_buffer.h"
 #include "net/third_party/quiche/src/quic/core/quic_utils.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_bug_tracker.h"
+#include "net/third_party/quiche/src/quic/platform/api/quic_containers.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_flag_utils.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_flags.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_logging.h"
@@ -95,6 +96,8 @@ void QuicStreamSendBuffer::OnStreamDataConsumed(size_t bytes_consumed) {
 bool QuicStreamSendBuffer::WriteStreamData(QuicStreamOffset offset,
                                            QuicByteCount data_length,
                                            QuicDataWriter* writer) {
+  // TODO(renjietang): Remove this variable once quic_coalesce_stream_frames_2
+  // is deprecated.
   bool write_index_hit = false;
   QuicDeque<BufferedSlice>::iterator slice_it =
       write_index_ == -1
@@ -134,15 +137,33 @@ bool QuicStreamSendBuffer::WriteStreamData(QuicStreamOffset offset,
     offset += copy_length;
     data_length -= copy_length;
 
-    if (write_index_hit && copy_length == available_bytes_in_slice) {
+    if (GetQuicRestartFlag(quic_coalesce_stream_frames_2)) {
+      QUIC_RESTART_FLAG_COUNT_N(quic_coalesce_stream_frames_2, 2, 3);
+      if (write_index_ != -1) {
+        QuicDeque<BufferedSlice>::const_iterator index_slice =
+            buffered_slices_.begin() + write_index_;
+        if (index_slice->offset == slice_it->offset &&
+            copy_length == available_bytes_in_slice) {
+          // The slice pointed by write_index has been fully written, advance
+          // write index.
+          ++write_index_;
+        }
+      }
+    } else if (write_index_hit && copy_length == available_bytes_in_slice) {
       // Finished writing all data in current slice, advance write index for
       // next write.
       ++write_index_;
     }
   }
 
-  if (write_index_hit &&
-      static_cast<size_t>(write_index_) == buffered_slices_.size()) {
+  if (GetQuicRestartFlag(quic_coalesce_stream_frames_2)) {
+    QUIC_RESTART_FLAG_COUNT_N(quic_coalesce_stream_frames_2, 3, 3);
+    if (write_index_ != -1 &&
+        static_cast<size_t>(write_index_) == buffered_slices_.size()) {
+      write_index_ = -1;
+    }
+  } else if (write_index_hit &&
+             static_cast<size_t>(write_index_) == buffered_slices_.size()) {
     // Already write to the end off buffer.
     QUIC_DVLOG(2) << "Finish writing out all buffered data.";
     write_index_ = -1;
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_stream_send_buffer.h b/chromium/net/third_party/quiche/src/quic/core/quic_stream_send_buffer.h
index 74e9d0d5ee2..51a10e9f325 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_stream_send_buffer.h
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_stream_send_buffer.h
@@ -26,7 +26,7 @@ class QuicDataWriter;
 // contiguous memory space. Please note, BufferedSlice is constructed when
 // stream data is saved in send buffer and is removed when stream data is fully
 // acked. It is move-only.
-struct BufferedSlice {
+struct QUIC_EXPORT_PRIVATE BufferedSlice {
   BufferedSlice(QuicMemSlice mem_slice, QuicStreamOffset offset);
   BufferedSlice(BufferedSlice&& other);
   BufferedSlice& operator=(BufferedSlice&& other);
@@ -41,8 +41,9 @@ struct BufferedSlice {
   QuicStreamOffset offset;
 };
 
-struct StreamPendingRetransmission {
-  StreamPendingRetransmission(QuicStreamOffset offset, QuicByteCount length)
+struct QUIC_EXPORT_PRIVATE StreamPendingRetransmission {
+  constexpr StreamPendingRetransmission(QuicStreamOffset offset,
+                                        QuicByteCount length)
       : offset(offset), length(length) {}
 
   // Starting offset of this pending retransmission.
@@ -50,8 +51,7 @@ struct StreamPendingRetransmission {
   // Length of this pending retransmission.
   QuicByteCount length;
 
-  QUIC_EXPORT_PRIVATE bool operator==(
-      const StreamPendingRetransmission& other) const;
+  bool operator==(const StreamPendingRetransmission& other) const;
 };
 
 // QuicStreamSendBuffer contains a list of QuicStreamDataSlices. New data slices
@@ -62,7 +62,7 @@ class QUIC_EXPORT_PRIVATE QuicStreamSendBuffer {
  public:
   explicit QuicStreamSendBuffer(QuicBufferAllocator* allocator);
   QuicStreamSendBuffer(const QuicStreamSendBuffer& other) = delete;
-  QuicStreamSendBuffer(QuicStreamSendBuffer&& other) = default;
+  QuicStreamSendBuffer(QuicStreamSendBuffer&& other) = delete;
   ~QuicStreamSendBuffer();
 
   // Save |data_length| of data starts at |iov_offset| in |iov| to send buffer.
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_stream_send_buffer_test.cc b/chromium/net/third_party/quiche/src/quic/core/quic_stream_send_buffer_test.cc
index 3a5efb50e7f..90fcd6eb104 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_stream_send_buffer_test.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_stream_send_buffer_test.cc
@@ -64,7 +64,7 @@ class QuicStreamSendBufferTest : public QuicTest {
   void WriteAllData() {
     // Write all data.
     char buf[4000];
-    QuicDataWriter writer(4000, buf, HOST_BYTE_ORDER);
+    QuicDataWriter writer(4000, buf, quiche::HOST_BYTE_ORDER);
     send_buffer_.WriteStreamData(0, 3840u, &writer);
 
     send_buffer_.OnStreamDataConsumed(3840u);
@@ -78,7 +78,7 @@ class QuicStreamSendBufferTest : public QuicTest {
 
 TEST_F(QuicStreamSendBufferTest, CopyDataToBuffer) {
   char buf[4000];
-  QuicDataWriter writer(4000, buf, HOST_BYTE_ORDER);
+  QuicDataWriter writer(4000, buf, quiche::HOST_BYTE_ORDER);
   std::string copy1(1024, 'a');
   std::string copy2 =
       std::string(512, 'a') + std::string(256, 'b') + std::string(256, 'c');
@@ -95,7 +95,7 @@ TEST_F(QuicStreamSendBufferTest, CopyDataToBuffer) {
   EXPECT_EQ(copy4, QuicStringPiece(buf + 3072, 768));
 
   // Test data piece across boundries.
-  QuicDataWriter writer2(4000, buf, HOST_BYTE_ORDER);
+  QuicDataWriter writer2(4000, buf, quiche::HOST_BYTE_ORDER);
   std::string copy5 =
       std::string(536, 'a') + std::string(256, 'b') + std::string(232, 'c');
   ASSERT_TRUE(send_buffer_.WriteStreamData(1000, 1024, &writer2));
@@ -105,7 +105,7 @@ TEST_F(QuicStreamSendBufferTest, CopyDataToBuffer) {
   EXPECT_EQ(copy6, QuicStringPiece(buf + 1024, 1024));
 
   // Invalid data copy.
-  QuicDataWriter writer3(4000, buf, HOST_BYTE_ORDER);
+  QuicDataWriter writer3(4000, buf, quiche::HOST_BYTE_ORDER);
   EXPECT_FALSE(send_buffer_.WriteStreamData(3000, 1024, &writer3));
   EXPECT_QUIC_BUG(send_buffer_.WriteStreamData(0, 4000, &writer3),
                   "Writer fails to write.");
@@ -115,6 +115,41 @@ TEST_F(QuicStreamSendBufferTest, CopyDataToBuffer) {
   EXPECT_EQ(3840u, send_buffer_.stream_bytes_outstanding());
 }
 
+// Regression test for b/143491027.
+TEST_F(QuicStreamSendBufferTest,
+       WriteStreamDataContainsBothRetransmissionAndNewData) {
+  std::string copy1(1024, 'a');
+  std::string copy2 =
+      std::string(512, 'a') + std::string(256, 'b') + std::string(256, 'c');
+  std::string copy3 = std::string(1024, 'c') + std::string(100, 'd');
+  char buf[6000];
+  QuicDataWriter writer(6000, buf, quiche::HOST_BYTE_ORDER);
+  // Write more than one slice.
+  EXPECT_EQ(0, QuicStreamSendBufferPeer::write_index(&send_buffer_));
+  ASSERT_TRUE(send_buffer_.WriteStreamData(0, 1024, &writer));
+  EXPECT_EQ(copy1, QuicStringPiece(buf, 1024));
+  EXPECT_EQ(1, QuicStreamSendBufferPeer::write_index(&send_buffer_));
+
+  // Retransmit the first frame and also send new data.
+  ASSERT_TRUE(send_buffer_.WriteStreamData(0, 2048, &writer));
+  EXPECT_EQ(copy1 + copy2, QuicStringPiece(buf + 1024, 2048));
+
+  // Write new data.
+  if (!GetQuicRestartFlag(quic_coalesce_stream_frames_2)) {
+    EXPECT_EQ(1, QuicStreamSendBufferPeer::write_index(&send_buffer_));
+    EXPECT_QUIC_DEBUG_DEATH(send_buffer_.WriteStreamData(2048, 50, &writer),
+                            "Tried to write data out of sequence.");
+  } else {
+    EXPECT_EQ(2, QuicStreamSendBufferPeer::write_index(&send_buffer_));
+    ASSERT_TRUE(send_buffer_.WriteStreamData(2048, 50, &writer));
+    EXPECT_EQ(std::string(50, 'c'), QuicStringPiece(buf + 1024 + 2048, 50));
+    EXPECT_EQ(2, QuicStreamSendBufferPeer::write_index(&send_buffer_));
+    ASSERT_TRUE(send_buffer_.WriteStreamData(2048, 1124, &writer));
+    EXPECT_EQ(copy3, QuicStringPiece(buf + 1024 + 2048 + 50, 1124));
+    EXPECT_EQ(3, QuicStreamSendBufferPeer::write_index(&send_buffer_));
+  }
+}
+
 TEST_F(QuicStreamSendBufferTest, RemoveStreamFrame) {
   WriteAllData();
 
@@ -255,7 +290,7 @@ TEST_F(QuicStreamSendBufferTest, PendingRetransmission) {
 
 TEST_F(QuicStreamSendBufferTest, CurrentWriteIndex) {
   char buf[4000];
-  QuicDataWriter writer(4000, buf, HOST_BYTE_ORDER);
+  QuicDataWriter writer(4000, buf, quiche::HOST_BYTE_ORDER);
   // With data buffered, index points to the 1st slice of data.
   EXPECT_EQ(0u,
             QuicStreamSendBufferPeer::CurrentWriteSlice(&send_buffer_)->offset);
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_stream_sequencer.cc b/chromium/net/third_party/quiche/src/quic/core/quic_stream_sequencer.cc
index 8f84fb9475b..d7976689331 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_stream_sequencer.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_stream_sequencer.cc
@@ -9,6 +9,7 @@
 #include <string>
 #include <utility>
 
+#include "net/third_party/quiche/src/quic/core/quic_error_codes.h"
 #include "net/third_party/quiche/src/quic/core/quic_packets.h"
 #include "net/third_party/quiche/src/quic/core/quic_stream.h"
 #include "net/third_party/quiche/src/quic/core/quic_stream_sequencer_buffer.h"
@@ -26,6 +27,7 @@ namespace quic {
 QuicStreamSequencer::QuicStreamSequencer(StreamInterface* quic_stream)
     : stream_(quic_stream),
       buffered_frames_(kStreamReceiveWindowLimit),
+      highest_offset_(0),
       close_offset_(std::numeric_limits<QuicStreamOffset>::max()),
       blocked_(false),
       num_frames_received_(0),
@@ -33,7 +35,13 @@ QuicStreamSequencer::QuicStreamSequencer(StreamInterface* quic_stream)
       ignore_read_data_(false),
       level_triggered_(false),
       stop_reading_when_level_triggered_(
-          GetQuicReloadableFlag(quic_stop_reading_when_level_triggered)) {}
+          GetQuicReloadableFlag(quic_stop_reading_when_level_triggered)),
+      close_connection_and_discard_data_on_wrong_offset_(GetQuicReloadableFlag(
+          quic_close_connection_and_discard_data_on_wrong_offset)) {
+  if (stop_reading_when_level_triggered_) {
+    QUIC_RELOADABLE_FLAG_COUNT(quic_stop_reading_when_level_triggered);
+  }
+}
 
 QuicStreamSequencer::~QuicStreamSequencer() {}
 
@@ -48,8 +56,9 @@ void QuicStreamSequencer::OnStreamFrame(const QuicStreamFrame& frame) {
     if (data_len == 0) {
       return;
     }
-    if (GetQuicReloadableFlag(quic_no_stream_data_after_reset)) {
-      QUIC_RELOADABLE_FLAG_COUNT(quic_no_stream_data_after_reset);
+    if (close_connection_and_discard_data_on_wrong_offset_) {
+      QUIC_RELOADABLE_FLAG_COUNT_N(
+          quic_close_connection_and_discard_data_on_wrong_offset, 1, 3);
       if (!should_process_data) {
         return;
       }
@@ -66,6 +75,7 @@ void QuicStreamSequencer::OnCryptoFrame(const QuicCryptoFrame& frame) {
 void QuicStreamSequencer::OnFrameData(QuicStreamOffset byte_offset,
                                       size_t data_len,
                                       const char* data_buffer) {
+  highest_offset_ = std::max(highest_offset_, byte_offset + data_len);
   const size_t previous_readable_bytes = buffered_frames_.ReadableBytes();
   size_t bytes_written;
   std::string error_details;
@@ -123,7 +133,31 @@ bool QuicStreamSequencer::CloseStreamAtOffset(QuicStreamOffset offset) {
 
   // If there is a scheduled close, the new offset should match it.
   if (close_offset_ != kMaxOffset && offset != close_offset_) {
-    stream_->Reset(QUIC_MULTIPLE_TERMINATION_OFFSETS);
+    if (!close_connection_and_discard_data_on_wrong_offset_) {
+      stream_->Reset(QUIC_MULTIPLE_TERMINATION_OFFSETS);
+      return false;
+    }
+    QUIC_RELOADABLE_FLAG_COUNT_N(
+        quic_close_connection_and_discard_data_on_wrong_offset, 2, 3);
+    stream_->CloseConnectionWithDetails(
+        QUIC_STREAM_SEQUENCER_INVALID_STATE,
+        QuicStrCat("Stream ", stream_->id(),
+                   " received new final offset: ", offset,
+                   ", which is different from close offset: ", close_offset_));
+    return false;
+  }
+
+  // The final offset should be no less than the highest offset that is
+  // received.
+  if (close_connection_and_discard_data_on_wrong_offset_ &&
+      offset < highest_offset_) {
+    QUIC_RELOADABLE_FLAG_COUNT_N(
+        quic_close_connection_and_discard_data_on_wrong_offset, 3, 3);
+    stream_->CloseConnectionWithDetails(
+        QUIC_STREAM_SEQUENCER_INVALID_STATE,
+        QuicStrCat(
+            "Stream ", stream_->id(), " received fin with offset: ", offset,
+            ", which reduces current highest offset: ", highest_offset_));
     return false;
   }
 
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_stream_sequencer.h b/chromium/net/third_party/quiche/src/quic/core/quic_stream_sequencer.h
index a735a1ebbf5..878acb04307 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_stream_sequencer.h
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_stream_sequencer.h
@@ -11,6 +11,7 @@
 
 #include "net/third_party/quiche/src/quic/core/quic_packets.h"
 #include "net/third_party/quiche/src/quic/core/quic_stream_sequencer_buffer.h"
+#include "net/third_party/quiche/src/quic/core/quic_types.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_export.h"
 
 namespace quic {
@@ -24,7 +25,7 @@ class QuicStreamSequencerPeer;
 class QUIC_EXPORT_PRIVATE QuicStreamSequencer {
  public:
   // Interface that thie Sequencer uses to communicate with the Stream.
-  class StreamInterface {
+  class QUIC_EXPORT_PRIVATE StreamInterface {
    public:
     virtual ~StreamInterface() = default;
 
@@ -182,6 +183,9 @@ class QUIC_EXPORT_PRIVATE QuicStreamSequencer {
   // Stores received data in offset order.
   QuicStreamSequencerBuffer buffered_frames_;
 
+  // The highest offset that is received so far.
+  QuicStreamOffset highest_offset_;
+
   // The offset, if any, we got a stream termination for.  When this many bytes
   // have been processed, the sequencer will be closed.
   QuicStreamOffset close_offset_;
@@ -207,6 +211,11 @@ class QUIC_EXPORT_PRIVATE QuicStreamSequencer {
   // the sequencer will discard incoming data (but not FIN bits) after
   // StopReading is called, even in level_triggered_ mode.
   const bool stop_reading_when_level_triggered_;
+
+  // Latched value of quic_close_connection_and_discard_data_on_wrong_offset.
+  // When true, the sequencer will inform the stream to close connection when
+  // wrong offset is received. And the stream frame's data will be discarded.
+  const bool close_connection_and_discard_data_on_wrong_offset_;
 };
 
 }  // namespace quic
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_stream_sequencer_buffer.h b/chromium/net/third_party/quiche/src/quic/core/quic_stream_sequencer_buffer.h
index 93b723f1781..406cd92edc3 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_stream_sequencer_buffer.h
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_stream_sequencer_buffer.h
@@ -85,7 +85,7 @@ class QUIC_EXPORT_PRIVATE QuicStreamSequencerBuffer {
   static const size_t kBlockSizeBytes = 8 * 1024;  // 8KB
 
   // The basic storage block used by this buffer.
-  struct BufferBlock {
+  struct QUIC_EXPORT_PRIVATE BufferBlock {
     char buffer[kBlockSizeBytes];
   };
 
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_stream_sequencer_buffer_test.cc b/chromium/net/third_party/quiche/src/quic/core/quic_stream_sequencer_buffer_test.cc
index 028c12b6077..b17dcc498fa 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_stream_sequencer_buffer_test.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_stream_sequencer_buffer_test.cc
@@ -110,15 +110,15 @@ TEST_F(QuicStreamSequencerBufferTest, ClearOnEmpty) {
 TEST_F(QuicStreamSequencerBufferTest, OnStreamData0length) {
   QuicErrorCode error =
       buffer_->OnStreamData(800, "", &written_, &error_details_);
-  EXPECT_EQ(error, QUIC_EMPTY_STREAM_FRAME_NO_FIN);
+  EXPECT_THAT(error, IsError(QUIC_EMPTY_STREAM_FRAME_NO_FIN));
   EXPECT_TRUE(helper_->CheckBufferInvariants());
 }
 
 TEST_F(QuicStreamSequencerBufferTest, OnStreamDataWithinBlock) {
   EXPECT_FALSE(helper_->IsBufferAllocated());
   std::string source(1024, 'a');
-  EXPECT_EQ(QUIC_NO_ERROR,
-            buffer_->OnStreamData(800, source, &written_, &error_details_));
+  EXPECT_THAT(buffer_->OnStreamData(800, source, &written_, &error_details_),
+              IsQuicNoError());
   BufferBlock* block_ptr = helper_->GetBlock(0);
   for (size_t i = 0; i < source.size(); ++i) {
     ASSERT_EQ('a', block_ptr->buffer[helper_->GetInBlockOffset(800) + i]);
@@ -135,8 +135,8 @@ TEST_F(QuicStreamSequencerBufferTest, OnStreamDataWithinBlock) {
 TEST_F(QuicStreamSequencerBufferTest, Move) {
   EXPECT_FALSE(helper_->IsBufferAllocated());
   std::string source(1024, 'a');
-  EXPECT_EQ(QUIC_NO_ERROR,
-            buffer_->OnStreamData(800, source, &written_, &error_details_));
+  EXPECT_THAT(buffer_->OnStreamData(800, source, &written_, &error_details_),
+              IsQuicNoError());
   BufferBlock* block_ptr = helper_->GetBlock(0);
   for (size_t i = 0; i < source.size(); ++i) {
     ASSERT_EQ('a', block_ptr->buffer[helper_->GetInBlockOffset(800) + i]);
@@ -160,8 +160,8 @@ TEST_F(QuicStreamSequencerBufferTest, OnStreamDataInvalidSource) {
   // Pass in an invalid source, expects to return error.
   QuicStringPiece source;
   source = QuicStringPiece(nullptr, 1024);
-  EXPECT_EQ(QUIC_STREAM_SEQUENCER_INVALID_STATE,
-            buffer_->OnStreamData(800, source, &written_, &error_details_));
+  EXPECT_THAT(buffer_->OnStreamData(800, source, &written_, &error_details_),
+              IsError(QUIC_STREAM_SEQUENCER_INVALID_STATE));
   EXPECT_EQ(0u, error_details_.find(QuicStrCat(
                     "QuicStreamSequencerBuffer error: OnStreamData() "
                     "dest == nullptr: ",
@@ -171,13 +171,13 @@ TEST_F(QuicStreamSequencerBufferTest, OnStreamDataInvalidSource) {
 TEST_F(QuicStreamSequencerBufferTest, OnStreamDataWithOverlap) {
   std::string source(1024, 'a');
   // Write something into [800, 1824)
-  EXPECT_EQ(QUIC_NO_ERROR,
-            buffer_->OnStreamData(800, source, &written_, &error_details_));
+  EXPECT_THAT(buffer_->OnStreamData(800, source, &written_, &error_details_),
+              IsQuicNoError());
   // Try to write to [0, 1024) and [1024, 2048).
-  EXPECT_EQ(QUIC_NO_ERROR,
-            buffer_->OnStreamData(0, source, &written_, &error_details_));
-  EXPECT_EQ(QUIC_NO_ERROR,
-            buffer_->OnStreamData(1024, source, &written_, &error_details_));
+  EXPECT_THAT(buffer_->OnStreamData(0, source, &written_, &error_details_),
+              IsQuicNoError());
+  EXPECT_THAT(buffer_->OnStreamData(1024, source, &written_, &error_details_),
+              IsQuicNoError());
 }
 
 TEST_F(QuicStreamSequencerBufferTest,
@@ -188,31 +188,31 @@ TEST_F(QuicStreamSequencerBufferTest,
   source = std::string(800, 'b');
   std::string one_byte = "c";
   // Write [1, 801).
-  EXPECT_EQ(QUIC_NO_ERROR,
-            buffer_->OnStreamData(1, source, &written_, &error_details_));
+  EXPECT_THAT(buffer_->OnStreamData(1, source, &written_, &error_details_),
+              IsQuicNoError());
   // Write [0, 800).
-  EXPECT_EQ(QUIC_NO_ERROR,
-            buffer_->OnStreamData(0, source, &written_, &error_details_));
+  EXPECT_THAT(buffer_->OnStreamData(0, source, &written_, &error_details_),
+              IsQuicNoError());
   // Write [1823, 1824).
-  EXPECT_EQ(QUIC_NO_ERROR,
-            buffer_->OnStreamData(1823, one_byte, &written_, &error_details_));
+  EXPECT_THAT(buffer_->OnStreamData(1823, one_byte, &written_, &error_details_),
+              IsQuicNoError());
   EXPECT_EQ(0u, written_);
   // write one byte to [1824, 1825)
-  EXPECT_EQ(QUIC_NO_ERROR,
-            buffer_->OnStreamData(1824, one_byte, &written_, &error_details_));
+  EXPECT_THAT(buffer_->OnStreamData(1824, one_byte, &written_, &error_details_),
+              IsQuicNoError());
   EXPECT_TRUE(helper_->CheckBufferInvariants());
 }
 
 TEST_F(QuicStreamSequencerBufferTest, OnStreamDataWithoutOverlap) {
   std::string source(1024, 'a');
   // Write something into [800, 1824).
-  EXPECT_EQ(QUIC_NO_ERROR,
-            buffer_->OnStreamData(800, source, &written_, &error_details_));
+  EXPECT_THAT(buffer_->OnStreamData(800, source, &written_, &error_details_),
+              IsQuicNoError());
   source = std::string(100, 'b');
   // Write something into [kBlockSizeBytes * 2 - 20, kBlockSizeBytes * 2 + 80).
-  EXPECT_EQ(QUIC_NO_ERROR,
-            buffer_->OnStreamData(kBlockSizeBytes * 2 - 20, source, &written_,
-                                  &error_details_));
+  EXPECT_THAT(buffer_->OnStreamData(kBlockSizeBytes * 2 - 20, source, &written_,
+                                    &error_details_),
+              IsQuicNoError());
   EXPECT_EQ(3, helper_->IntervalSize());
   EXPECT_EQ(1024u + 100u, buffer_->BytesBuffered());
   EXPECT_TRUE(helper_->CheckBufferInvariants());
@@ -229,20 +229,20 @@ TEST_F(QuicStreamSequencerBufferTest, OnStreamDataInLongStreamWithOverlap) {
   std::string source(kBytesToWrite, 'a');
   // Frame [2^32 + 500, 2^32 + 600).
   QuicStreamOffset offset = pow(2, 32) + 500;
-  EXPECT_EQ(QUIC_NO_ERROR,
-            buffer_->OnStreamData(offset, source, &written_, &error_details_));
+  EXPECT_THAT(buffer_->OnStreamData(offset, source, &written_, &error_details_),
+              IsQuicNoError());
   EXPECT_EQ(2, helper_->IntervalSize());
 
   // Frame [2^32 + 700, 2^32 + 800).
   offset = pow(2, 32) + 700;
-  EXPECT_EQ(QUIC_NO_ERROR,
-            buffer_->OnStreamData(offset, source, &written_, &error_details_));
+  EXPECT_THAT(buffer_->OnStreamData(offset, source, &written_, &error_details_),
+              IsQuicNoError());
   EXPECT_EQ(3, helper_->IntervalSize());
 
   // Another frame [2^32 + 300, 2^32 + 400).
   offset = pow(2, 32) + 300;
-  EXPECT_EQ(QUIC_NO_ERROR,
-            buffer_->OnStreamData(offset, source, &written_, &error_details_));
+  EXPECT_THAT(buffer_->OnStreamData(offset, source, &written_, &error_details_),
+              IsQuicNoError());
   EXPECT_EQ(4, helper_->IntervalSize());
 }
 
@@ -250,9 +250,9 @@ TEST_F(QuicStreamSequencerBufferTest, OnStreamDataTillEnd) {
   // Write 50 bytes to the end.
   const size_t kBytesToWrite = 50;
   std::string source(kBytesToWrite, 'a');
-  EXPECT_EQ(QUIC_NO_ERROR,
-            buffer_->OnStreamData(max_capacity_bytes_ - kBytesToWrite, source,
-                                  &written_, &error_details_));
+  EXPECT_THAT(buffer_->OnStreamData(max_capacity_bytes_ - kBytesToWrite, source,
+                                    &written_, &error_details_),
+              IsQuicNoError());
   EXPECT_EQ(50u, buffer_->BytesBuffered());
   EXPECT_TRUE(helper_->CheckBufferInvariants());
 }
@@ -261,42 +261,42 @@ TEST_F(QuicStreamSequencerBufferTest, OnStreamDataTillEndCorner) {
   // Write 1 byte to the end.
   const size_t kBytesToWrite = 1;
   std::string source(kBytesToWrite, 'a');
-  EXPECT_EQ(QUIC_NO_ERROR,
-            buffer_->OnStreamData(max_capacity_bytes_ - kBytesToWrite, source,
-                                  &written_, &error_details_));
+  EXPECT_THAT(buffer_->OnStreamData(max_capacity_bytes_ - kBytesToWrite, source,
+                                    &written_, &error_details_),
+              IsQuicNoError());
   EXPECT_EQ(1u, buffer_->BytesBuffered());
   EXPECT_TRUE(helper_->CheckBufferInvariants());
 }
 
 TEST_F(QuicStreamSequencerBufferTest, OnStreamDataBeyondCapacity) {
   std::string source(60, 'a');
-  EXPECT_EQ(QUIC_INTERNAL_ERROR,
-            buffer_->OnStreamData(max_capacity_bytes_ - 50, source, &written_,
-                                  &error_details_));
+  EXPECT_THAT(buffer_->OnStreamData(max_capacity_bytes_ - 50, source, &written_,
+                                    &error_details_),
+              IsError(QUIC_INTERNAL_ERROR));
   EXPECT_TRUE(helper_->CheckBufferInvariants());
 
   source = "b";
-  EXPECT_EQ(QUIC_INTERNAL_ERROR,
-            buffer_->OnStreamData(max_capacity_bytes_, source, &written_,
-                                  &error_details_));
+  EXPECT_THAT(buffer_->OnStreamData(max_capacity_bytes_, source, &written_,
+                                    &error_details_),
+              IsError(QUIC_INTERNAL_ERROR));
   EXPECT_TRUE(helper_->CheckBufferInvariants());
 
-  EXPECT_EQ(QUIC_INTERNAL_ERROR,
-            buffer_->OnStreamData(max_capacity_bytes_ * 1000, source, &written_,
-                                  &error_details_));
+  EXPECT_THAT(buffer_->OnStreamData(max_capacity_bytes_ * 1000, source,
+                                    &written_, &error_details_),
+              IsError(QUIC_INTERNAL_ERROR));
   EXPECT_TRUE(helper_->CheckBufferInvariants());
 
   // Disallow current_gap != gaps_.end()
-  EXPECT_EQ(QUIC_INTERNAL_ERROR,
-            buffer_->OnStreamData(static_cast<QuicStreamOffset>(-1), source,
-                                  &written_, &error_details_));
+  EXPECT_THAT(buffer_->OnStreamData(static_cast<QuicStreamOffset>(-1), source,
+                                    &written_, &error_details_),
+              IsError(QUIC_INTERNAL_ERROR));
   EXPECT_TRUE(helper_->CheckBufferInvariants());
 
   // Disallow offset + size overflow
   source = "bbb";
-  EXPECT_EQ(QUIC_INTERNAL_ERROR,
-            buffer_->OnStreamData(static_cast<QuicStreamOffset>(-2), source,
-                                  &written_, &error_details_));
+  EXPECT_THAT(buffer_->OnStreamData(static_cast<QuicStreamOffset>(-2), source,
+                                    &written_, &error_details_),
+              IsError(QUIC_INTERNAL_ERROR));
   EXPECT_TRUE(helper_->CheckBufferInvariants());
   EXPECT_EQ(0u, buffer_->BytesBuffered());
 }
@@ -314,7 +314,8 @@ TEST_F(QuicStreamSequencerBufferTest, Readv100Bytes) {
   char dest[120];
   iovec iovecs[3]{iovec{dest, 40}, iovec{dest + 40, 40}, iovec{dest + 80, 40}};
   size_t read;
-  EXPECT_EQ(QUIC_NO_ERROR, buffer_->Readv(iovecs, 3, &read, &error_details_));
+  EXPECT_THAT(buffer_->Readv(iovecs, 3, &read, &error_details_),
+              IsQuicNoError());
   QUIC_LOG(ERROR) << error_details_;
   EXPECT_EQ(100u, read);
   EXPECT_EQ(100u, buffer_->BytesConsumed());
@@ -335,7 +336,8 @@ TEST_F(QuicStreamSequencerBufferTest, ReadvAcrossBlocks) {
     std::fill(dest, dest + 512, 0);
     iovec iovecs[2]{iovec{dest, 256}, iovec{dest + 256, 256}};
     size_t read;
-    EXPECT_EQ(QUIC_NO_ERROR, buffer_->Readv(iovecs, 2, &read, &error_details_));
+    EXPECT_THAT(buffer_->Readv(iovecs, 2, &read, &error_details_),
+                IsQuicNoError());
   }
   // The last read only reads the rest 50 bytes in 2nd block.
   EXPECT_EQ(std::string(50, 'a'), std::string(dest, 50));
@@ -353,7 +355,7 @@ TEST_F(QuicStreamSequencerBufferTest, ClearAfterRead) {
   char dest[512]{0};
   const iovec iov{dest, 512};
   size_t read;
-  EXPECT_EQ(QUIC_NO_ERROR, buffer_->Readv(&iov, 1, &read, &error_details_));
+  EXPECT_THAT(buffer_->Readv(&iov, 1, &read, &error_details_), IsQuicNoError());
   // Clear() should make buffer empty while preserving BytesConsumed()
   buffer_->Clear();
   EXPECT_TRUE(buffer_->Empty());
@@ -369,14 +371,15 @@ TEST_F(QuicStreamSequencerBufferTest,
   char dest[512]{0};
   const iovec iov{dest, 512};
   size_t read;
-  EXPECT_EQ(QUIC_NO_ERROR, buffer_->Readv(&iov, 1, &read, &error_details_));
+  EXPECT_THAT(buffer_->Readv(&iov, 1, &read, &error_details_), IsQuicNoError());
   EXPECT_EQ(source.size(), written_);
 
   // Write more than half block size of bytes in the last block with 'b', which
   // will wrap to the beginning and reaches the full capacity.
   source = std::string(0.5 * kBlockSizeBytes + 512, 'b');
-  EXPECT_EQ(QUIC_NO_ERROR, buffer_->OnStreamData(2 * kBlockSizeBytes, source,
-                                                 &written_, &error_details_));
+  EXPECT_THAT(buffer_->OnStreamData(2 * kBlockSizeBytes, source, &written_,
+                                    &error_details_),
+              IsQuicNoError());
   EXPECT_EQ(source.size(), written_);
   EXPECT_TRUE(helper_->CheckBufferInvariants());
 }
@@ -390,14 +393,14 @@ TEST_F(QuicStreamSequencerBufferTest,
   char dest[512]{0};
   const iovec iov{dest, 512};
   size_t read;
-  EXPECT_EQ(QUIC_NO_ERROR, buffer_->Readv(&iov, 1, &read, &error_details_));
+  EXPECT_THAT(buffer_->Readv(&iov, 1, &read, &error_details_), IsQuicNoError());
 
   // Try to write from [max_capacity_bytes_ - 0.5 * kBlockSizeBytes,
   // max_capacity_bytes_ +  512 + 1). But last bytes exceeds current capacity.
   source = std::string(0.5 * kBlockSizeBytes + 512 + 1, 'b');
-  EXPECT_EQ(QUIC_INTERNAL_ERROR,
-            buffer_->OnStreamData(2 * kBlockSizeBytes, source, &written_,
-                                  &error_details_));
+  EXPECT_THAT(buffer_->OnStreamData(2 * kBlockSizeBytes, source, &written_,
+                                    &error_details_),
+              IsError(QUIC_INTERNAL_ERROR));
   EXPECT_TRUE(helper_->CheckBufferInvariants());
 }
 
@@ -409,7 +412,7 @@ TEST_F(QuicStreamSequencerBufferTest, ReadvAcrossLastBlock) {
   char dest[512]{0};
   const iovec iov{dest, 512};
   size_t read;
-  EXPECT_EQ(QUIC_NO_ERROR, buffer_->Readv(&iov, 1, &read, &error_details_));
+  EXPECT_THAT(buffer_->Readv(&iov, 1, &read, &error_details_), IsQuicNoError());
   source = std::string(256, 'b');
   buffer_->OnStreamData(max_capacity_bytes_, source, &written_,
                         &error_details_);
@@ -419,7 +422,8 @@ TEST_F(QuicStreamSequencerBufferTest, ReadvAcrossLastBlock) {
   std::unique_ptr<char[]> dest1{new char[max_capacity_bytes_]};
   dest1[0] = 0;
   const iovec iov1{dest1.get(), max_capacity_bytes_};
-  EXPECT_EQ(QUIC_NO_ERROR, buffer_->Readv(&iov1, 1, &read, &error_details_));
+  EXPECT_THAT(buffer_->Readv(&iov1, 1, &read, &error_details_),
+              IsQuicNoError());
   EXPECT_EQ(max_capacity_bytes_ - 512 + 256, read);
   EXPECT_EQ(max_capacity_bytes_ + 256, buffer_->BytesConsumed());
   EXPECT_TRUE(buffer_->Empty());
@@ -430,7 +434,7 @@ TEST_F(QuicStreamSequencerBufferTest, ReadvEmpty) {
   char dest[512]{0};
   iovec iov{dest, 512};
   size_t read;
-  EXPECT_EQ(QUIC_NO_ERROR, buffer_->Readv(&iov, 1, &read, &error_details_));
+  EXPECT_THAT(buffer_->Readv(&iov, 1, &read, &error_details_), IsQuicNoError());
   EXPECT_EQ(0u, read);
   EXPECT_TRUE(helper_->CheckBufferInvariants());
 }
@@ -452,7 +456,8 @@ TEST_F(QuicStreamSequencerBufferTest, ReleaseWholeBuffer) {
   char dest[120];
   iovec iovecs[3]{iovec{dest, 40}, iovec{dest + 40, 40}, iovec{dest + 80, 40}};
   size_t read;
-  EXPECT_EQ(QUIC_NO_ERROR, buffer_->Readv(iovecs, 3, &read, &error_details_));
+  EXPECT_THAT(buffer_->Readv(iovecs, 3, &read, &error_details_),
+              IsQuicNoError());
   EXPECT_EQ(100u, read);
   EXPECT_EQ(100u, buffer_->BytesConsumed());
   EXPECT_TRUE(helper_->CheckBufferInvariants());
@@ -847,7 +852,7 @@ TEST_F(QuicStreamSequencerBufferTest, TooManyGaps) {
 
     QuicStreamOffset last_straw = 2 * kMaxNumGapsAllowed - 1;
     if (begin == last_straw) {
-      EXPECT_EQ(QUIC_TOO_MANY_STREAM_DATA_INTERVALS, rs);
+      EXPECT_THAT(rs, IsError(QUIC_TOO_MANY_STREAM_DATA_INTERVALS));
       EXPECT_EQ("Too many data intervals received for this stream.",
                 error_details_);
       break;
@@ -982,9 +987,9 @@ TEST_F(QuicStreamSequencerBufferRandomIOTest, RandomWriteAndReadv) {
           num_to_read += dest_iov[i].iov_len;
         }
         size_t actually_read;
-        EXPECT_EQ(QUIC_NO_ERROR,
-                  buffer_->Readv(dest_iov, kNumReads, &actually_read,
-                                 &error_details_));
+        EXPECT_THAT(buffer_->Readv(dest_iov, kNumReads, &actually_read,
+                                   &error_details_),
+                    IsQuicNoError());
         ASSERT_LE(actually_read, num_to_read);
         QUIC_DVLOG(1) << " read from offset: " << total_bytes_read_
                       << " size: " << num_to_read
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_stream_sequencer_test.cc b/chromium/net/third_party/quiche/src/quic/core/quic_stream_sequencer_test.cc
index 8ad845b80a7..cb6fb936cf6 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_stream_sequencer_test.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_stream_sequencer_test.cc
@@ -15,6 +15,7 @@
 #include "net/third_party/quiche/src/quic/core/quic_utils.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_arraysize.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_expect_bug.h"
+#include "net/third_party/quiche/src/quic/platform/api/quic_flags.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_logging.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_string_piece.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_test.h"
@@ -374,12 +375,16 @@ TEST_F(QuicStreamSequencerTest, MultipleOffsets) {
   OnFinFrame(3, "");
   EXPECT_EQ(3u, QuicStreamSequencerPeer::GetCloseOffset(sequencer_.get()));
 
-  EXPECT_CALL(stream_, Reset(QUIC_MULTIPLE_TERMINATION_OFFSETS));
+  if (!GetQuicReloadableFlag(
+          quic_close_connection_and_discard_data_on_wrong_offset)) {
+    EXPECT_CALL(stream_, Reset(QUIC_MULTIPLE_TERMINATION_OFFSETS));
+  } else {
+    EXPECT_CALL(stream_, CloseConnectionWithDetails(
+                             QUIC_STREAM_SEQUENCER_INVALID_STATE,
+                             "Stream 1 received new final offset: 1, which is "
+                             "different from close offset: 3"));
+  }
   OnFinFrame(1, "");
-  EXPECT_EQ(3u, QuicStreamSequencerPeer::GetCloseOffset(sequencer_.get()));
-
-  OnFinFrame(3, "");
-  EXPECT_EQ(3u, QuicStreamSequencerPeer::GetCloseOffset(sequencer_.get()));
 }
 
 class QuicSequencerRandomTest : public QuicStreamSequencerTest {
@@ -756,14 +761,35 @@ TEST_F(QuicStreamSequencerTest, StopReadingWithLevelTriggered) {
 
 // Regression test for https://crbug.com/992486.
 TEST_F(QuicStreamSequencerTest, CorruptFinFrames) {
-  SetQuicReloadableFlag(quic_no_stream_data_after_reset, true);
-  EXPECT_CALL(stream_, Reset(QUIC_MULTIPLE_TERMINATION_OFFSETS));
+  if (!GetQuicReloadableFlag(
+          quic_close_connection_and_discard_data_on_wrong_offset)) {
+    return;
+  }
+  EXPECT_CALL(stream_, CloseConnectionWithDetails(
+                           QUIC_STREAM_SEQUENCER_INVALID_STATE,
+                           "Stream 1 received new final offset: 1, which is "
+                           "different from close offset: 2"));
 
   OnFinFrame(2u, "");
   OnFinFrame(0u, "a");
   EXPECT_FALSE(sequencer_->HasBytesToRead());
 }
 
+// Regression test for crbug.com/1015693
+TEST_F(QuicStreamSequencerTest, ReceiveFinLessThanHighestOffset) {
+  if (!GetQuicReloadableFlag(
+          quic_close_connection_and_discard_data_on_wrong_offset)) {
+    return;
+  }
+  EXPECT_CALL(stream_, OnDataAvailable()).Times(1);
+  EXPECT_CALL(stream_, CloseConnectionWithDetails(
+                           QUIC_STREAM_SEQUENCER_INVALID_STATE,
+                           "Stream 1 received fin with offset: 0, which "
+                           "reduces current highest offset: 3"));
+  OnFrame(0u, "abc");
+  OnFinFrame(0u, "");
+}
+
 }  // namespace
 }  // namespace test
 }  // namespace quic
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_stream_test.cc b/chromium/net/third_party/quiche/src/quic/core/quic_stream_test.cc
index 411d6d00858..673c7a7405c 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_stream_test.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_stream_test.cc
@@ -8,8 +8,10 @@
 #include <string>
 #include <utility>
 
+#include "net/third_party/quiche/src/quic/core/frames/quic_rst_stream_frame.h"
 #include "net/third_party/quiche/src/quic/core/quic_connection.h"
 #include "net/third_party/quiche/src/quic/core/quic_constants.h"
+#include "net/third_party/quiche/src/quic/core/quic_error_codes.h"
 #include "net/third_party/quiche/src/quic/core/quic_types.h"
 #include "net/third_party/quiche/src/quic/core/quic_utils.h"
 #include "net/third_party/quiche/src/quic/core/quic_versions.h"
@@ -50,12 +52,14 @@ const size_t kDataLen = 9;
 class TestStream : public QuicStream {
  public:
   TestStream(QuicStreamId id, QuicSession* session, StreamType type)
-      : QuicStream(id, session, /*is_static=*/false, type) {}
+      : QuicStream(id, session, /*is_static=*/false, type) {
+    sequencer()->set_level_triggered(true);
+  }
 
   TestStream(PendingStream* pending, StreamType type, bool is_static)
       : QuicStream(pending, type, is_static) {}
 
-  void OnDataAvailable() override {}
+  MOCK_METHOD0(OnDataAvailable, void());
 
   MOCK_METHOD0(OnCanWriteNewData, void());
 
@@ -66,7 +70,6 @@ class TestStream : public QuicStream {
   using QuicStream::OnClose;
   using QuicStream::WriteMemSlices;
   using QuicStream::WriteOrBufferData;
-  using QuicStream::WritevData;
 
  private:
   std::string data_;
@@ -99,7 +102,8 @@ class QuicStreamTest : public QuicTestWithParam<ParsedQuicVersion> {
         session_->config(), 10);
     session_->OnConfigNegotiated();
 
-    stream_ = new TestStream(kTestStreamId, session_.get(), BIDIRECTIONAL);
+    stream_ = new StrictMock<TestStream>(kTestStreamId, session_.get(),
+                                         BIDIRECTIONAL);
     EXPECT_NE(nullptr, stream_);
     // session_ now owns stream_.
     session_->ActivateStream(QuicWrapUnique(stream_));
@@ -144,7 +148,7 @@ class QuicStreamTest : public QuicTestWithParam<ParsedQuicVersion> {
   MockAlarmFactory alarm_factory_;
   MockQuicConnection* connection_;
   std::unique_ptr<MockQuicSession> session_;
-  TestStream* stream_;
+  StrictMock<TestStream>* stream_;
   QuicWriteBlockedList* write_blocked_list_;
   QuicTime::Delta zero_;
   ParsedQuicVersionVector supported_versions_;
@@ -177,8 +181,7 @@ TEST_P(QuicStreamTest, PendingStreamTooMuchData) {
   // Receive a stream frame that violates flow control: the byte offset is
   // higher than the receive window offset.
   QuicStreamFrame frame(kTestStreamId + 2, false,
-                        kInitialSessionFlowControlWindowForTest + 1,
-                        QuicStringPiece("."));
+                        kInitialSessionFlowControlWindowForTest + 1, ".");
 
   // Stream should not accept the frame, and the connection should be closed.
   EXPECT_CALL(*connection_,
@@ -221,10 +224,10 @@ TEST_P(QuicStreamTest, FromPendingStream) {
 
   PendingStream pending(kTestStreamId + 2, session_.get());
 
-  QuicStreamFrame frame(kTestStreamId + 2, false, 2, QuicStringPiece("."));
+  QuicStreamFrame frame(kTestStreamId + 2, false, 2, ".");
   pending.OnStreamFrame(frame);
   pending.OnStreamFrame(frame);
-  QuicStreamFrame frame2(kTestStreamId + 2, true, 3, QuicStringPiece("."));
+  QuicStreamFrame frame2(kTestStreamId + 2, true, 3, ".");
   pending.OnStreamFrame(frame2);
 
   TestStream stream(&pending, StreamType::READ_UNIDIRECTIONAL, false);
@@ -243,14 +246,14 @@ TEST_P(QuicStreamTest, FromPendingStreamThenData) {
 
   PendingStream pending(kTestStreamId + 2, session_.get());
 
-  QuicStreamFrame frame(kTestStreamId + 2, false, 2, QuicStringPiece("."));
+  QuicStreamFrame frame(kTestStreamId + 2, false, 2, ".");
   pending.OnStreamFrame(frame);
 
   auto stream =
       new TestStream(&pending, StreamType::READ_UNIDIRECTIONAL, false);
   session_->ActivateStream(QuicWrapUnique(stream));
 
-  QuicStreamFrame frame2(kTestStreamId + 2, true, 3, QuicStringPiece("."));
+  QuicStreamFrame frame2(kTestStreamId + 2, true, 3, ".");
   stream->OnStreamFrame(frame2);
 
   EXPECT_EQ(2, stream->num_frames_received());
@@ -301,11 +304,7 @@ TEST_P(QuicStreamTest, BlockIfOnlySomeDataConsumed) {
                                             NO_FIN);
       }));
   stream_->WriteOrBufferData(QuicStringPiece(kData1, 2), false, nullptr);
-  // Session decides what to write and puts stream into set of unacked streams
-  // only after v39.
-  if (GetParam().transport_version > QUIC_VERSION_39) {
-    EXPECT_TRUE(session_->HasUnackedStreamData());
-  }
+  EXPECT_TRUE(session_->HasUnackedStreamData());
   ASSERT_EQ(1u, write_blocked_list_->NumBlockedStreams());
   EXPECT_EQ(1u, stream_->BufferedDataBytes());
 }
@@ -323,11 +322,7 @@ TEST_P(QuicStreamTest, BlockIfFinNotConsumedWithData) {
                                             NO_FIN);
       }));
   stream_->WriteOrBufferData(QuicStringPiece(kData1, 2), true, nullptr);
-  // Session decides what to write and puts stream into set of unacked streams
-  // only after v39.
-  if (GetParam().transport_version > QUIC_VERSION_39) {
-    EXPECT_TRUE(session_->HasUnackedStreamData());
-  }
+  EXPECT_TRUE(session_->HasUnackedStreamData());
   ASSERT_EQ(1u, write_blocked_list_->NumBlockedStreams());
 }
 
@@ -374,11 +369,7 @@ TEST_P(QuicStreamTest, WriteOrBufferData) {
       }));
   stream_->WriteOrBufferData(kData1, false, nullptr);
 
-  // Session decides what to write and puts stream into set of unacked streams
-  // only after v39.
-  if (GetParam().transport_version > QUIC_VERSION_39) {
-    EXPECT_TRUE(session_->HasUnackedStreamData());
-  }
+  EXPECT_TRUE(session_->HasUnackedStreamData());
   EXPECT_EQ(1u, stream_->BufferedDataBytes());
   EXPECT_TRUE(HasWriteBlockedStreams());
 
@@ -392,12 +383,9 @@ TEST_P(QuicStreamTest, WriteOrBufferData) {
         return MockQuicSession::ConsumeData(stream_, stream_->id(),
                                             kDataLen - 1, kDataLen - 1, NO_FIN);
       }));
+  EXPECT_CALL(*stream_, OnCanWriteNewData());
   stream_->OnCanWrite();
-  // Session decides what to write and puts stream into set of unacked streams
-  // only after v39.
-  if (GetParam().transport_version > QUIC_VERSION_39) {
-    EXPECT_TRUE(session_->HasUnackedStreamData());
-  }
+  EXPECT_TRUE(session_->HasUnackedStreamData());
 
   // And finally the end of the bytes_consumed.
   EXPECT_CALL(*session_, WritevData(_, _, _, _, _))
@@ -405,12 +393,9 @@ TEST_P(QuicStreamTest, WriteOrBufferData) {
         return MockQuicSession::ConsumeData(stream_, stream_->id(), 2u,
                                             2 * kDataLen - 2, NO_FIN);
       }));
+  EXPECT_CALL(*stream_, OnCanWriteNewData());
   stream_->OnCanWrite();
-  // Session decides what to write and puts stream into set of unacked streams
-  // only after v39.
-  if (GetParam().transport_version > QUIC_VERSION_39) {
-    EXPECT_TRUE(session_->HasUnackedStreamData());
-  }
+  EXPECT_TRUE(session_->HasUnackedStreamData());
 }
 
 TEST_P(QuicStreamTest, WriteOrBufferDataReachStreamLimit) {
@@ -421,11 +406,7 @@ TEST_P(QuicStreamTest, WriteOrBufferDataReachStreamLimit) {
   EXPECT_CALL(*session_, WritevData(_, _, _, _, _))
       .WillOnce(Invoke(&(MockQuicSession::ConsumeData)));
   stream_->WriteOrBufferData(data, false, nullptr);
-  // Session decides what to write and puts stream into set of unacked streams
-  // only after v39.
-  if (GetParam().transport_version > QUIC_VERSION_39) {
-    EXPECT_TRUE(session_->HasUnackedStreamData());
-  }
+  EXPECT_TRUE(session_->HasUnackedStreamData());
   EXPECT_CALL(*connection_, CloseConnection(QUIC_STREAM_LENGTH_OVERFLOW, _, _));
   EXPECT_QUIC_BUG(stream_->WriteOrBufferData("a", false, nullptr),
                   "Write too many data via stream");
@@ -436,12 +417,12 @@ TEST_P(QuicStreamTest, ConnectionCloseAfterStreamClose) {
 
   QuicStreamPeer::CloseReadSide(stream_);
   stream_->CloseWriteSide();
-  EXPECT_EQ(QUIC_STREAM_NO_ERROR, stream_->stream_error());
-  EXPECT_EQ(QUIC_NO_ERROR, stream_->connection_error());
+  EXPECT_THAT(stream_->stream_error(), IsQuicStreamNoError());
+  EXPECT_THAT(stream_->connection_error(), IsQuicNoError());
   stream_->OnConnectionClosed(QUIC_INTERNAL_ERROR,
                               ConnectionCloseSource::FROM_SELF);
-  EXPECT_EQ(QUIC_STREAM_NO_ERROR, stream_->stream_error());
-  EXPECT_EQ(QUIC_NO_ERROR, stream_->connection_error());
+  EXPECT_THAT(stream_->stream_error(), IsQuicStreamNoError());
+  EXPECT_THAT(stream_->connection_error(), IsQuicNoError());
 }
 
 TEST_P(QuicStreamTest, RstAlwaysSentIfNoFinSent) {
@@ -460,11 +441,7 @@ TEST_P(QuicStreamTest, RstAlwaysSentIfNoFinSent) {
                                             NO_FIN);
       }));
   stream_->WriteOrBufferData(QuicStringPiece(kData1, 1), false, nullptr);
-  // Session decides what to write and puts stream into set of unacked streams
-  // only after v39.
-  if (GetParam().transport_version > QUIC_VERSION_39) {
-    EXPECT_TRUE(session_->HasUnackedStreamData());
-  }
+  EXPECT_TRUE(session_->HasUnackedStreamData());
   EXPECT_FALSE(fin_sent());
   EXPECT_FALSE(rst_sent());
 
@@ -540,9 +517,8 @@ TEST_P(QuicStreamTest, StreamFlowControlMultipleWindowUpdates) {
   QuicWindowUpdateFrame window_update_1(kInvalidControlFrameId, stream_->id(),
                                         kMinimumFlowControlSendWindow + 5);
   stream_->OnWindowUpdateFrame(window_update_1);
-  EXPECT_EQ(
-      window_update_1.byte_offset,
-      QuicFlowControllerPeer::SendWindowOffset(stream_->flow_controller()));
+  EXPECT_EQ(window_update_1.max_data, QuicFlowControllerPeer::SendWindowOffset(
+                                          stream_->flow_controller()));
 
   // Now send a few more WINDOW_UPDATES and make sure that only the largest is
   // remembered.
@@ -555,9 +531,8 @@ TEST_P(QuicStreamTest, StreamFlowControlMultipleWindowUpdates) {
   stream_->OnWindowUpdateFrame(window_update_2);
   stream_->OnWindowUpdateFrame(window_update_3);
   stream_->OnWindowUpdateFrame(window_update_4);
-  EXPECT_EQ(
-      window_update_3.byte_offset,
-      QuicFlowControllerPeer::SendWindowOffset(stream_->flow_controller()));
+  EXPECT_EQ(window_update_3.max_data, QuicFlowControllerPeer::SendWindowOffset(
+                                          stream_->flow_controller()));
 }
 
 TEST_P(QuicStreamTest, FrameStats) {
@@ -565,13 +540,16 @@ TEST_P(QuicStreamTest, FrameStats) {
 
   EXPECT_EQ(0, stream_->num_frames_received());
   EXPECT_EQ(0, stream_->num_duplicate_frames_received());
-  QuicStreamFrame frame(stream_->id(), false, 0, QuicStringPiece("."));
+  QuicStreamFrame frame(stream_->id(), false, 0, ".");
+  EXPECT_CALL(*stream_, OnDataAvailable()).Times(2);
   stream_->OnStreamFrame(frame);
   EXPECT_EQ(1, stream_->num_frames_received());
   EXPECT_EQ(0, stream_->num_duplicate_frames_received());
   stream_->OnStreamFrame(frame);
   EXPECT_EQ(2, stream_->num_frames_received());
   EXPECT_EQ(1, stream_->num_duplicate_frames_received());
+  QuicStreamFrame frame2(stream_->id(), false, 1, "abc");
+  stream_->OnStreamFrame(frame2);
 }
 
 // Verify that when we receive a packet which violates flow control (i.e. sends
@@ -583,8 +561,7 @@ TEST_P(QuicStreamTest, StreamSequencerNeverSeesPacketsViolatingFlowControl) {
   // Receive a stream frame that violates flow control: the byte offset is
   // higher than the receive window offset.
   QuicStreamFrame frame(stream_->id(), false,
-                        kInitialSessionFlowControlWindowForTest + 1,
-                        QuicStringPiece("."));
+                        kInitialSessionFlowControlWindowForTest + 1, ".");
   EXPECT_GT(frame.offset, QuicFlowControllerPeer::ReceiveWindowOffset(
                               stream_->flow_controller()));
 
@@ -597,6 +574,7 @@ TEST_P(QuicStreamTest, StreamSequencerNeverSeesPacketsViolatingFlowControl) {
 // Verify that after the consumer calls StopReading(), the stream still sends
 // flow control updates.
 TEST_P(QuicStreamTest, StopReadingSendsFlowControl) {
+  SetQuicReloadableFlag(quic_stop_reading_when_level_triggered, true);
   Initialize();
 
   stream_->StopReading();
@@ -624,40 +602,38 @@ TEST_P(QuicStreamTest, StopReadingSendsFlowControl) {
 TEST_P(QuicStreamTest, FinalByteOffsetFromFin) {
   Initialize();
 
-  EXPECT_FALSE(stream_->HasFinalReceivedByteOffset());
+  EXPECT_FALSE(stream_->HasReceivedFinalOffset());
 
-  QuicStreamFrame stream_frame_no_fin(stream_->id(), false, 1234,
-                                      QuicStringPiece("."));
+  QuicStreamFrame stream_frame_no_fin(stream_->id(), false, 1234, ".");
   stream_->OnStreamFrame(stream_frame_no_fin);
-  EXPECT_FALSE(stream_->HasFinalReceivedByteOffset());
+  EXPECT_FALSE(stream_->HasReceivedFinalOffset());
 
-  QuicStreamFrame stream_frame_with_fin(stream_->id(), true, 1234,
-                                        QuicStringPiece("."));
+  QuicStreamFrame stream_frame_with_fin(stream_->id(), true, 1234, ".");
   stream_->OnStreamFrame(stream_frame_with_fin);
-  EXPECT_TRUE(stream_->HasFinalReceivedByteOffset());
+  EXPECT_TRUE(stream_->HasReceivedFinalOffset());
 }
 
 TEST_P(QuicStreamTest, FinalByteOffsetFromRst) {
   Initialize();
 
-  EXPECT_FALSE(stream_->HasFinalReceivedByteOffset());
+  EXPECT_FALSE(stream_->HasReceivedFinalOffset());
   QuicRstStreamFrame rst_frame(kInvalidControlFrameId, stream_->id(),
                                QUIC_STREAM_CANCELLED, 1234);
   stream_->OnStreamReset(rst_frame);
-  EXPECT_TRUE(stream_->HasFinalReceivedByteOffset());
+  EXPECT_TRUE(stream_->HasReceivedFinalOffset());
 }
 
 TEST_P(QuicStreamTest, InvalidFinalByteOffsetFromRst) {
   Initialize();
 
-  EXPECT_FALSE(stream_->HasFinalReceivedByteOffset());
+  EXPECT_FALSE(stream_->HasReceivedFinalOffset());
   QuicRstStreamFrame rst_frame(kInvalidControlFrameId, stream_->id(),
                                QUIC_STREAM_CANCELLED, 0xFFFFFFFFFFFF);
   // Stream should not accept the frame, and the connection should be closed.
   EXPECT_CALL(*connection_,
               CloseConnection(QUIC_FLOW_CONTROL_RECEIVED_TOO_MUCH_DATA, _, _));
   stream_->OnStreamReset(rst_frame);
-  EXPECT_TRUE(stream_->HasFinalReceivedByteOffset());
+  EXPECT_TRUE(stream_->HasReceivedFinalOffset());
   stream_->OnClose();
 }
 
@@ -670,7 +646,7 @@ TEST_P(QuicStreamTest, FinalByteOffsetFromZeroLengthStreamFrame) {
   // ignores such a stream frame.
   Initialize();
 
-  EXPECT_FALSE(stream_->HasFinalReceivedByteOffset());
+  EXPECT_FALSE(stream_->HasReceivedFinalOffset());
   const QuicStreamOffset kByteOffsetExceedingFlowControlWindow =
       kInitialSessionFlowControlWindowForTest + 1;
   const QuicStreamOffset current_stream_flow_control_offset =
@@ -688,7 +664,7 @@ TEST_P(QuicStreamTest, FinalByteOffsetFromZeroLengthStreamFrame) {
 
   EXPECT_CALL(*connection_, CloseConnection(_, _, _)).Times(0);
   stream_->OnStreamFrame(zero_length_stream_frame_with_fin);
-  EXPECT_TRUE(stream_->HasFinalReceivedByteOffset());
+  EXPECT_TRUE(stream_->HasReceivedFinalOffset());
 
   // The flow control receive offset values should not have changed.
   EXPECT_EQ(
@@ -721,11 +697,9 @@ TEST_P(QuicStreamTest, OnStreamFrameUpperLimit) {
 
   EXPECT_CALL(*connection_, CloseConnection(QUIC_STREAM_LENGTH_OVERFLOW, _, _))
       .Times(0);
-  QuicStreamFrame stream_frame(stream_->id(), false, kMaxStreamLength - 1,
-                               QuicStringPiece("."));
+  QuicStreamFrame stream_frame(stream_->id(), false, kMaxStreamLength - 1, ".");
   stream_->OnStreamFrame(stream_frame);
-  QuicStreamFrame stream_frame2(stream_->id(), true, kMaxStreamLength,
-                                QuicStringPiece(""));
+  QuicStreamFrame stream_frame2(stream_->id(), true, kMaxStreamLength, "");
   stream_->OnStreamFrame(stream_frame2);
 }
 
@@ -733,8 +707,7 @@ TEST_P(QuicStreamTest, StreamTooLong) {
   Initialize();
   EXPECT_CALL(*connection_, CloseConnection(QUIC_STREAM_LENGTH_OVERFLOW, _, _))
       .Times(1);
-  QuicStreamFrame stream_frame(stream_->id(), false, kMaxStreamLength,
-                               QuicStringPiece("."));
+  QuicStreamFrame stream_frame(stream_->id(), false, kMaxStreamLength, ".");
   EXPECT_QUIC_PEER_BUG(stream_->OnStreamFrame(stream_frame),
                        QuicStrCat("Receive stream frame on stream ",
                                   stream_->id(), " reaches max stream length"));
@@ -745,11 +718,10 @@ TEST_P(QuicStreamTest, SetDrainingIncomingOutgoing) {
   Initialize();
 
   // Incoming data with FIN.
-  QuicStreamFrame stream_frame_with_fin(stream_->id(), true, 1234,
-                                        QuicStringPiece("."));
+  QuicStreamFrame stream_frame_with_fin(stream_->id(), true, 1234, ".");
   stream_->OnStreamFrame(stream_frame_with_fin);
   // The FIN has been received but not consumed.
-  EXPECT_TRUE(stream_->HasFinalReceivedByteOffset());
+  EXPECT_TRUE(stream_->HasReceivedFinalOffset());
   EXPECT_FALSE(QuicStreamPeer::read_side_closed(stream_));
   EXPECT_FALSE(stream_->reading_stopped());
 
@@ -785,11 +757,10 @@ TEST_P(QuicStreamTest, SetDrainingOutgoingIncoming) {
   EXPECT_EQ(1u, session_->GetNumOpenIncomingStreams());
 
   // Incoming data with FIN.
-  QuicStreamFrame stream_frame_with_fin(stream_->id(), true, 1234,
-                                        QuicStringPiece("."));
+  QuicStreamFrame stream_frame_with_fin(stream_->id(), true, 1234, ".");
   stream_->OnStreamFrame(stream_frame_with_fin);
   // The FIN has been received but not consumed.
-  EXPECT_TRUE(stream_->HasFinalReceivedByteOffset());
+  EXPECT_TRUE(stream_->HasReceivedFinalOffset());
   EXPECT_FALSE(QuicStreamPeer::read_side_closed(stream_));
   EXPECT_FALSE(stream_->reading_stopped());
 
@@ -808,7 +779,8 @@ TEST_P(QuicStreamTest, EarlyResponseFinHandling) {
       .WillRepeatedly(Invoke(MockQuicSession::ConsumeData));
 
   // Receive data for the request.
-  QuicStreamFrame frame1(stream_->id(), false, 0, QuicStringPiece("Start"));
+  EXPECT_CALL(*stream_, OnDataAvailable()).Times(1);
+  QuicStreamFrame frame1(stream_->id(), false, 0, "Start");
   stream_->OnStreamFrame(frame1);
   // When QuicSimpleServerStream sends the response, it calls
   // QuicStream::CloseReadSide() first.
@@ -817,10 +789,10 @@ TEST_P(QuicStreamTest, EarlyResponseFinHandling) {
   stream_->WriteOrBufferData(kData1, false, nullptr);
   EXPECT_TRUE(QuicStreamPeer::read_side_closed(stream_));
   // Receive remaining data and FIN for the request.
-  QuicStreamFrame frame2(stream_->id(), true, 0, QuicStringPiece("End"));
+  QuicStreamFrame frame2(stream_->id(), true, 0, "End");
   stream_->OnStreamFrame(frame2);
   EXPECT_TRUE(stream_->fin_received());
-  EXPECT_TRUE(stream_->HasFinalReceivedByteOffset());
+  EXPECT_TRUE(stream_->HasReceivedFinalOffset());
 }
 
 TEST_P(QuicStreamTest, StreamWaitsForAcks) {
@@ -834,11 +806,7 @@ TEST_P(QuicStreamTest, StreamWaitsForAcks) {
 
   // Send kData1.
   stream_->WriteOrBufferData(kData1, false, nullptr);
-  // Session decides what to write and puts stream into set of unacked streams
-  // only after v39.
-  if (GetParam().transport_version > QUIC_VERSION_39) {
-    EXPECT_TRUE(session_->HasUnackedStreamData());
-  }
+  EXPECT_TRUE(session_->HasUnackedStreamData());
   EXPECT_EQ(1u, QuicStreamPeer::SendBuffer(stream_).size());
   EXPECT_TRUE(stream_->IsWaitingForAcks());
   QuicByteCount newly_acked_length = 0;
@@ -853,11 +821,7 @@ TEST_P(QuicStreamTest, StreamWaitsForAcks) {
   // Send kData2.
   stream_->WriteOrBufferData(kData2, false, nullptr);
   EXPECT_TRUE(stream_->IsWaitingForAcks());
-  // Session decides what to write and puts stream into set of unacked streams
-  // only after v39.
-  if (GetParam().transport_version > QUIC_VERSION_39) {
-    EXPECT_TRUE(session_->HasUnackedStreamData());
-  }
+  EXPECT_TRUE(session_->HasUnackedStreamData());
   EXPECT_EQ(1u, QuicStreamPeer::SendBuffer(stream_).size());
   // Send FIN.
   stream_->WriteOrBufferData("", true, nullptr);
@@ -873,11 +837,7 @@ TEST_P(QuicStreamTest, StreamWaitsForAcks) {
   EXPECT_EQ(9u, newly_acked_length);
   // Stream is waiting for acks as FIN is not acked.
   EXPECT_TRUE(stream_->IsWaitingForAcks());
-  // Session decides what to write and puts stream into set of unacked streams
-  // only after v39.
-  if (GetParam().transport_version > QUIC_VERSION_39) {
-    EXPECT_TRUE(session_->HasUnackedStreamData());
-  }
+  EXPECT_TRUE(session_->HasUnackedStreamData());
   EXPECT_EQ(0u, QuicStreamPeer::SendBuffer(stream_).size());
 
   // FIN is acked.
@@ -900,46 +860,26 @@ TEST_P(QuicStreamTest, StreamDataGetAckedOutOfOrder) {
   stream_->WriteOrBufferData("", true, nullptr);
   EXPECT_EQ(3u, QuicStreamPeer::SendBuffer(stream_).size());
   EXPECT_TRUE(stream_->IsWaitingForAcks());
-  // Session decides what to write and puts stream into set of unacked streams
-  // only after v39.
-  if (GetParam().transport_version > QUIC_VERSION_39) {
-    EXPECT_TRUE(session_->HasUnackedStreamData());
-  }
+  EXPECT_TRUE(session_->HasUnackedStreamData());
   QuicByteCount newly_acked_length = 0;
   EXPECT_TRUE(stream_->OnStreamFrameAcked(9, 9, false, QuicTime::Delta::Zero(),
                                           &newly_acked_length));
-  // Session decides what to write and puts stream into set of unacked streams
-  // only after v39.
-  if (GetParam().transport_version > QUIC_VERSION_39) {
-    EXPECT_TRUE(session_->HasUnackedStreamData());
-  }
+  EXPECT_TRUE(session_->HasUnackedStreamData());
   EXPECT_EQ(9u, newly_acked_length);
   EXPECT_EQ(3u, QuicStreamPeer::SendBuffer(stream_).size());
   EXPECT_TRUE(stream_->OnStreamFrameAcked(18, 9, false, QuicTime::Delta::Zero(),
                                           &newly_acked_length));
-  // Session decides what to write and puts stream into set of unacked streams
-  // only after v39.
-  if (GetParam().transport_version > QUIC_VERSION_39) {
-    EXPECT_TRUE(session_->HasUnackedStreamData());
-  }
+  EXPECT_TRUE(session_->HasUnackedStreamData());
   EXPECT_EQ(9u, newly_acked_length);
   EXPECT_EQ(3u, QuicStreamPeer::SendBuffer(stream_).size());
   EXPECT_TRUE(stream_->OnStreamFrameAcked(0, 9, false, QuicTime::Delta::Zero(),
                                           &newly_acked_length));
-  // Session decides what to write and puts stream into set of unacked streams
-  // only after v39.
-  if (GetParam().transport_version > QUIC_VERSION_39) {
-    EXPECT_TRUE(session_->HasUnackedStreamData());
-  }
+  EXPECT_TRUE(session_->HasUnackedStreamData());
   EXPECT_EQ(9u, newly_acked_length);
   EXPECT_EQ(0u, QuicStreamPeer::SendBuffer(stream_).size());
   // FIN is not acked yet.
   EXPECT_TRUE(stream_->IsWaitingForAcks());
-  // Session decides what to write and puts stream into set of unacked streams
-  // only after v39.
-  if (GetParam().transport_version > QUIC_VERSION_39) {
-    EXPECT_TRUE(session_->HasUnackedStreamData());
-  }
+  EXPECT_TRUE(session_->HasUnackedStreamData());
   EXPECT_TRUE(stream_->OnStreamFrameAcked(27, 0, true, QuicTime::Delta::Zero(),
                                           &newly_acked_length));
   EXPECT_EQ(0u, newly_acked_length);
@@ -957,31 +897,23 @@ TEST_P(QuicStreamTest, CancelStream) {
 
   stream_->WriteOrBufferData(kData1, false, nullptr);
   EXPECT_TRUE(stream_->IsWaitingForAcks());
-  // Session decides what to write and puts stream into set of unacked streams
-  // only after v39.
-  if (GetParam().transport_version > QUIC_VERSION_39) {
-    EXPECT_TRUE(session_->HasUnackedStreamData());
-  }
+  EXPECT_TRUE(session_->HasUnackedStreamData());
   EXPECT_EQ(1u, QuicStreamPeer::SendBuffer(stream_).size());
   // Cancel stream.
   stream_->Reset(QUIC_STREAM_NO_ERROR);
   // stream still waits for acks as the error code is QUIC_STREAM_NO_ERROR, and
   // data is going to be retransmitted.
   EXPECT_TRUE(stream_->IsWaitingForAcks());
-  // Session decides what to write and puts stream into set of unacked streams
-  // only after v39.
-  if (GetParam().transport_version > QUIC_VERSION_39) {
-    EXPECT_TRUE(session_->HasUnackedStreamData());
-  }
+  EXPECT_TRUE(session_->HasUnackedStreamData());
   EXPECT_CALL(*connection_,
               OnStreamReset(stream_->id(), QUIC_STREAM_CANCELLED));
-  EXPECT_CALL(*connection_, SendControlFrame(_)).Times(1);
+  EXPECT_CALL(*connection_, SendControlFrame(_))
+      .Times(AtLeast(1))
+      .WillRepeatedly(Invoke(&ClearControlFrame));
   EXPECT_CALL(*session_, SendRstStream(stream_->id(), QUIC_STREAM_CANCELLED, 9))
       .WillOnce(InvokeWithoutArgs([this]() {
-        return QuicSessionPeer::SendRstStreamInner(
-            session_.get(), stream_->id(), QUIC_STREAM_CANCELLED,
-            stream_->stream_bytes_written(),
-            /*close_write_side_only=*/false);
+        session_->ReallySendRstStream(stream_->id(), QUIC_STREAM_CANCELLED,
+                                      stream_->stream_bytes_written());
       }));
 
   stream_->Reset(QUIC_STREAM_CANCELLED);
@@ -1007,11 +939,7 @@ TEST_P(QuicStreamTest, RstFrameReceivedStreamNotFinishSending) {
 
   stream_->WriteOrBufferData(kData1, false, nullptr);
   EXPECT_TRUE(stream_->IsWaitingForAcks());
-  // Session decides what to write and puts stream into set of unacked streams
-  // only after v39.
-  if (GetParam().transport_version > QUIC_VERSION_39) {
-    EXPECT_TRUE(session_->HasUnackedStreamData());
-  }
+  EXPECT_TRUE(session_->HasUnackedStreamData());
   EXPECT_EQ(1u, QuicStreamPeer::SendBuffer(stream_).size());
 
   // RST_STREAM received.
@@ -1037,11 +965,7 @@ TEST_P(QuicStreamTest, RstFrameReceivedStreamFinishSending) {
 
   stream_->WriteOrBufferData(kData1, true, nullptr);
   EXPECT_TRUE(stream_->IsWaitingForAcks());
-  // Session decides what to write and puts stream into set of unacked streams
-  // only after v39.
-  if (GetParam().transport_version > QUIC_VERSION_39) {
-    EXPECT_TRUE(session_->HasUnackedStreamData());
-  }
+  EXPECT_TRUE(session_->HasUnackedStreamData());
 
   // RST_STREAM received.
   EXPECT_CALL(*session_, SendRstStream(_, _, _)).Times(0);
@@ -1050,11 +974,7 @@ TEST_P(QuicStreamTest, RstFrameReceivedStreamFinishSending) {
   stream_->OnStreamReset(rst_frame);
   // Stream still waits for acks as it finishes sending and has unacked data.
   EXPECT_TRUE(stream_->IsWaitingForAcks());
-  // Session decides what to write and puts stream into set of unacked streams
-  // only after v39.
-  if (GetParam().transport_version > QUIC_VERSION_39) {
-    EXPECT_TRUE(session_->HasUnackedStreamData());
-  }
+  EXPECT_TRUE(session_->HasUnackedStreamData());
   EXPECT_EQ(1u, QuicStreamPeer::SendBuffer(stream_).size());
 }
 
@@ -1068,11 +988,7 @@ TEST_P(QuicStreamTest, ConnectionClosed) {
 
   stream_->WriteOrBufferData(kData1, false, nullptr);
   EXPECT_TRUE(stream_->IsWaitingForAcks());
-  // Session decides what to write and puts stream into set of unacked streams
-  // only after v39.
-  if (GetParam().transport_version > QUIC_VERSION_39) {
-    EXPECT_TRUE(session_->HasUnackedStreamData());
-  }
+  EXPECT_TRUE(session_->HasUnackedStreamData());
   EXPECT_CALL(*session_,
               SendRstStream(stream_->id(), QUIC_RST_ACKNOWLEDGEMENT, 9));
   stream_->OnConnectionClosed(QUIC_INTERNAL_ERROR,
@@ -1328,11 +1244,7 @@ TEST_P(QuicStreamTest, StreamDataGetAckedMultipleTimes) {
   stream_->WriteOrBufferData(kData1, true, nullptr);
   EXPECT_EQ(3u, QuicStreamPeer::SendBuffer(stream_).size());
   EXPECT_TRUE(stream_->IsWaitingForAcks());
-  // Session decides what to write and puts stream into set of unacked streams
-  // only after v39.
-  if (GetParam().transport_version > QUIC_VERSION_39) {
-    EXPECT_TRUE(session_->HasUnackedStreamData());
-  }
+  EXPECT_TRUE(session_->HasUnackedStreamData());
   // Ack [0, 9), [5, 22) and [18, 26)
   // Verify [0, 9) 9 bytes are acked.
   QuicByteCount newly_acked_length = 0;
@@ -1351,11 +1263,7 @@ TEST_P(QuicStreamTest, StreamDataGetAckedMultipleTimes) {
   EXPECT_EQ(4u, newly_acked_length);
   EXPECT_EQ(1u, QuicStreamPeer::SendBuffer(stream_).size());
   EXPECT_TRUE(stream_->IsWaitingForAcks());
-  // Session decides what to write and puts stream into set of unacked streams
-  // only after v39.
-  if (GetParam().transport_version > QUIC_VERSION_39) {
-    EXPECT_TRUE(session_->HasUnackedStreamData());
-  }
+  EXPECT_TRUE(session_->HasUnackedStreamData());
 
   // Ack [0, 27). Verify [26, 27) 1 byte is acked.
   EXPECT_TRUE(stream_->OnStreamFrameAcked(26, 1, false, QuicTime::Delta::Zero(),
@@ -1363,11 +1271,7 @@ TEST_P(QuicStreamTest, StreamDataGetAckedMultipleTimes) {
   EXPECT_EQ(1u, newly_acked_length);
   EXPECT_EQ(0u, QuicStreamPeer::SendBuffer(stream_).size());
   EXPECT_TRUE(stream_->IsWaitingForAcks());
-  // Session decides what to write and puts stream into set of unacked streams
-  // only after v39.
-  if (GetParam().transport_version > QUIC_VERSION_39) {
-    EXPECT_TRUE(session_->HasUnackedStreamData());
-  }
+  EXPECT_TRUE(session_->HasUnackedStreamData());
 
   // Ack Fin.
   EXPECT_TRUE(stream_->OnStreamFrameAcked(27, 0, true, QuicTime::Delta::Zero(),
@@ -1410,6 +1314,7 @@ TEST_P(QuicStreamTest, OnStreamFrameLost) {
   EXPECT_TRUE(stream_->HasPendingRetransmission());
   EXPECT_CALL(*session_, WritevData(_, _, _, _, _))
       .WillOnce(Invoke(MockQuicSession::ConsumeData));
+  EXPECT_CALL(*stream_, OnCanWriteNewData()).Times(1);
   stream_->OnCanWrite();
   EXPECT_FALSE(stream_->HasPendingRetransmission());
   EXPECT_TRUE(stream_->HasBufferedData());
@@ -1581,10 +1486,6 @@ TEST_P(QuicStreamTest, RetransmitStreamData) {
 }
 
 TEST_P(QuicStreamTest, ResetStreamOnTtlExpiresRetransmitLostData) {
-  // Version 39 and below doesn't support stream ttl.
-  if (GetParam().transport_version <= QUIC_VERSION_39) {
-    return;
-  }
   Initialize();
 
   EXPECT_CALL(*session_, WritevData(_, stream_->id(), 200, 0, FIN))
@@ -1609,10 +1510,6 @@ TEST_P(QuicStreamTest, ResetStreamOnTtlExpiresRetransmitLostData) {
 }
 
 TEST_P(QuicStreamTest, ResetStreamOnTtlExpiresEarlyRetransmitData) {
-  // Version 39 and below doesn't support stream ttl.
-  if (GetParam().transport_version <= QUIC_VERSION_39) {
-    return;
-  }
   Initialize();
 
   EXPECT_CALL(*session_, WritevData(_, stream_->id(), 200, 0, FIN))
@@ -1675,50 +1572,6 @@ TEST_P(QuicStreamTest, OnStreamResetReadOrReadWrite) {
   }
 }
 
-// Test that receiving a STOP_SENDING just closes the write side of the stream.
-// If not V99, the test is a noop (no STOP_SENDING in Google QUIC).
-TEST_P(QuicStreamTest, OnStopSendingReadOrReadWrite) {
-  Initialize();
-  if (!VersionHasIetfQuicFrames(connection_->transport_version())) {
-    return;
-  }
-
-  EXPECT_FALSE(stream_->write_side_closed());
-  EXPECT_FALSE(QuicStreamPeer::read_side_closed(stream_));
-
-  // Simulate receipt of a STOP_SENDING.
-  stream_->OnStopSending(123);
-
-  // Should close just the read side.
-  EXPECT_FALSE(QuicStreamPeer::read_side_closed(stream_));
-  // TODO(b/142425843): Currently no action is taken upon receiving stop
-  // sending. Need to figure out what to do and turn on this expectation.
-  // EXPECT_TRUE(stream_->write_side_closed());
-}
-
-// SendOnlyRstStream must only send a RESET_STREAM (no bundled STOP_SENDING).
-TEST_P(QuicStreamTest, SendOnlyRstStream) {
-  Initialize();
-  if (!VersionHasIetfQuicFrames(connection_->transport_version())) {
-    return;
-  }
-
-  EXPECT_CALL(*connection_,
-              OnStreamReset(stream_->id(), QUIC_BAD_APPLICATION_PAYLOAD));
-  EXPECT_CALL(*connection_, SendControlFrame(_))
-      .Times(1)
-      .WillOnce(Invoke(this, &QuicStreamTest::ClearResetStreamFrame));
-
-  QuicSessionPeer::SendRstStreamInner(session_.get(), stream_->id(),
-                                      QUIC_BAD_APPLICATION_PAYLOAD,
-                                      stream_->stream_bytes_written(),
-                                      /*close_write_side_only=*/true);
-
-  // ResetStreamOnly should just close the write side.
-  EXPECT_FALSE(QuicStreamPeer::read_side_closed(stream_));
-  EXPECT_TRUE(stream_->write_side_closed());
-}
-
 TEST_P(QuicStreamTest, WindowUpdateForReadOnlyStream) {
   Initialize();
 
@@ -1735,6 +1588,20 @@ TEST_P(QuicStreamTest, WindowUpdateForReadOnlyStream) {
   stream.OnWindowUpdateFrame(window_update_frame);
 }
 
+TEST_P(QuicStreamTest, RstStreamFrameChangesCloseOffset) {
+  SetQuicReloadableFlag(quic_close_connection_on_wrong_offset, true);
+  Initialize();
+
+  QuicStreamFrame stream_frame(stream_->id(), true, 0, "abc");
+  EXPECT_CALL(*stream_, OnDataAvailable());
+  stream_->OnStreamFrame(stream_frame);
+  QuicRstStreamFrame rst(kInvalidControlFrameId, stream_->id(),
+                         QUIC_STREAM_CANCELLED, 0u);
+
+  EXPECT_CALL(*connection_, CloseConnection(QUIC_STREAM_MULTIPLE_OFFSET, _, _));
+  stream_->OnStreamReset(rst);
+}
+
 }  // namespace
 }  // namespace test
 }  // namespace quic
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_time.h b/chromium/net/third_party/quiche/src/quic/core/quic_time.h
index 9a5ae7dd5b2..d4429e34ceb 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_time.h
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_time.h
@@ -210,6 +210,9 @@ inline bool operator<=(QuicTime::Delta lhs, QuicTime::Delta rhs) {
 inline bool operator>=(QuicTime::Delta lhs, QuicTime::Delta rhs) {
   return !(lhs < rhs);
 }
+inline QuicTime::Delta operator<<(QuicTime::Delta lhs, size_t rhs) {
+  return QuicTime::Delta(lhs.time_offset_ << rhs);
+}
 inline QuicTime::Delta operator>>(QuicTime::Delta lhs, size_t rhs) {
   return QuicTime::Delta(lhs.time_offset_ >> rhs);
 }
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_time_accumulator.h b/chromium/net/third_party/quiche/src/quic/core/quic_time_accumulator.h
new file mode 100644
index 00000000000..6535d74c45b
--- /dev/null
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_time_accumulator.h
@@ -0,0 +1,69 @@
+// Copyright (c) 2019 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef QUICHE_QUIC_CORE_QUIC_TIME_ACCUMULATOR_H_
+#define QUICHE_QUIC_CORE_QUIC_TIME_ACCUMULATOR_H_
+
+#include "net/third_party/quiche/src/quic/core/quic_time.h"
+#include "net/third_party/quiche/src/quic/platform/api/quic_export.h"
+#include "net/third_party/quiche/src/quic/platform/api/quic_logging.h"
+
+namespace quic {
+
+// QuicTimeAccumulator accumulates elapsed times between Start(s) and Stop(s).
+class QUIC_EXPORT_PRIVATE QuicTimeAccumulator {
+  // TODO(wub): Switch to a data member called kNotRunningSentinel after c++17.
+  static constexpr QuicTime NotRunningSentinel() {
+    return QuicTime::Infinite();
+  }
+
+ public:
+  // True if Started and not Stopped.
+  bool IsRunning() const { return last_start_time_ != NotRunningSentinel(); }
+
+  void Start(QuicTime now) {
+    DCHECK(!IsRunning());
+    last_start_time_ = now;
+    DCHECK(IsRunning());
+  }
+
+  void Stop(QuicTime now) {
+    DCHECK(IsRunning());
+    if (now > last_start_time_) {
+      total_elapsed_ = total_elapsed_ + (now - last_start_time_);
+    }
+    last_start_time_ = NotRunningSentinel();
+    DCHECK(!IsRunning());
+  }
+
+  // Get total elapsed time between COMPLETED Start/Stop pairs.
+  QuicTime::Delta GetTotalElapsedTime() const { return total_elapsed_; }
+
+  // Get total elapsed time between COMPLETED Start/Stop pairs, plus, if it is
+  // running, the elapsed time between |last_start_time_| and |now|.
+  QuicTime::Delta GetTotalElapsedTime(QuicTime now) const {
+    if (!IsRunning()) {
+      return total_elapsed_;
+    }
+    if (now <= last_start_time_) {
+      return total_elapsed_;
+    }
+    return total_elapsed_ + (now - last_start_time_);
+  }
+
+ private:
+  //
+  //                                       |last_start_time_|
+  //                                         |
+  //                                         V
+  // Start => Stop  =>  Start => Stop  =>  Start
+  // |           |      |           |
+  // |___________|  +   |___________|  =   |total_elapsed_|
+  QuicTime::Delta total_elapsed_ = QuicTime::Delta::Zero();
+  QuicTime last_start_time_ = NotRunningSentinel();
+};
+
+}  // namespace quic
+
+#endif  // QUICHE_QUIC_CORE_QUIC_TIME_ACCUMULATOR_H_
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_time_accumulator_test.cc b/chromium/net/third_party/quiche/src/quic/core/quic_time_accumulator_test.cc
new file mode 100644
index 00000000000..e7bc43a0459
--- /dev/null
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_time_accumulator_test.cc
@@ -0,0 +1,82 @@
+// Copyright (c) 2019 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "net/third_party/quiche/src/quic/core/quic_time_accumulator.h"
+#include "net/third_party/quiche/src/quic/platform/api/quic_test.h"
+#include "net/third_party/quiche/src/quic/test_tools/mock_clock.h"
+
+namespace quic {
+namespace test {
+
+TEST(QuicTimeAccumulator, DefaultConstruct) {
+  MockClock clock;
+  clock.AdvanceTime(QuicTime::Delta::FromMilliseconds(1));
+
+  QuicTimeAccumulator acc;
+  EXPECT_FALSE(acc.IsRunning());
+
+  clock.AdvanceTime(QuicTime::Delta::FromMilliseconds(1));
+  EXPECT_EQ(QuicTime::Delta::Zero(), acc.GetTotalElapsedTime());
+  EXPECT_EQ(QuicTime::Delta::Zero(), acc.GetTotalElapsedTime(clock.Now()));
+}
+
+TEST(QuicTimeAccumulator, StartStop) {
+  MockClock clock;
+  clock.AdvanceTime(QuicTime::Delta::FromMilliseconds(1));
+
+  QuicTimeAccumulator acc;
+  acc.Start(clock.Now());
+  EXPECT_TRUE(acc.IsRunning());
+
+  clock.AdvanceTime(QuicTime::Delta::FromMilliseconds(10));
+  acc.Stop(clock.Now());
+  EXPECT_FALSE(acc.IsRunning());
+
+  clock.AdvanceTime(QuicTime::Delta::FromMilliseconds(5));
+  EXPECT_EQ(QuicTime::Delta::FromMilliseconds(10), acc.GetTotalElapsedTime());
+  EXPECT_EQ(QuicTime::Delta::FromMilliseconds(10),
+            acc.GetTotalElapsedTime(clock.Now()));
+
+  acc.Start(clock.Now());
+  clock.AdvanceTime(QuicTime::Delta::FromMilliseconds(5));
+  EXPECT_EQ(QuicTime::Delta::FromMilliseconds(10), acc.GetTotalElapsedTime());
+  EXPECT_EQ(QuicTime::Delta::FromMilliseconds(15),
+            acc.GetTotalElapsedTime(clock.Now()));
+
+  clock.AdvanceTime(QuicTime::Delta::FromMilliseconds(5));
+  EXPECT_EQ(QuicTime::Delta::FromMilliseconds(10), acc.GetTotalElapsedTime());
+  EXPECT_EQ(QuicTime::Delta::FromMilliseconds(20),
+            acc.GetTotalElapsedTime(clock.Now()));
+
+  acc.Stop(clock.Now());
+  EXPECT_EQ(QuicTime::Delta::FromMilliseconds(20), acc.GetTotalElapsedTime());
+  EXPECT_EQ(QuicTime::Delta::FromMilliseconds(20),
+            acc.GetTotalElapsedTime(clock.Now()));
+}
+
+TEST(QuicTimeAccumulator, ClockStepBackwards) {
+  MockClock clock;
+  clock.AdvanceTime(QuicTime::Delta::FromMilliseconds(100));
+
+  QuicTimeAccumulator acc;
+  acc.Start(clock.Now());
+
+  clock.AdvanceTime(QuicTime::Delta::FromMilliseconds(-10));
+  acc.Stop(clock.Now());
+  EXPECT_EQ(QuicTime::Delta::Zero(), acc.GetTotalElapsedTime());
+  EXPECT_EQ(QuicTime::Delta::Zero(), acc.GetTotalElapsedTime(clock.Now()));
+
+  acc.Start(clock.Now());
+  clock.AdvanceTime(QuicTime::Delta::FromMilliseconds(50));
+  acc.Stop(clock.Now());
+
+  acc.Start(clock.Now());
+  clock.AdvanceTime(QuicTime::Delta::FromMilliseconds(-80));
+  EXPECT_EQ(QuicTime::Delta::FromMilliseconds(50), acc.GetTotalElapsedTime());
+  EXPECT_EQ(QuicTime::Delta::FromMilliseconds(50),
+            acc.GetTotalElapsedTime(clock.Now()));
+}
+
+}  // namespace test
+}  // namespace quic
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_time_wait_list_manager.h b/chromium/net/third_party/quiche/src/quic/core/quic_time_wait_list_manager.h
index e2a45946b97..5c7553565b4 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_time_wait_list_manager.h
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_time_wait_list_manager.h
@@ -35,7 +35,8 @@ class QuicTimeWaitListManagerPeer;
 // wait state.  After the connection_id expires its time wait period, a new
 // connection/session will be created if a packet is received for this
 // connection_id.
-class QuicTimeWaitListManager : public QuicBlockedWriterInterface {
+class QUIC_NO_EXPORT QuicTimeWaitListManager
+    : public QuicBlockedWriterInterface {
  public:
   // Specifies what the time wait list manager should do when processing packets
   // of a time wait connection.
@@ -49,7 +50,7 @@ class QuicTimeWaitListManager : public QuicBlockedWriterInterface {
     DO_NOTHING,
   };
 
-  class Visitor : public QuicSession::Visitor {
+  class QUIC_NO_EXPORT Visitor : public QuicSession::Visitor {
    public:
     // Called after the given connection is added to the time-wait list.
     virtual void OnConnectionAddedToTimeWaitList(
@@ -159,7 +160,7 @@ class QuicTimeWaitListManager : public QuicBlockedWriterInterface {
       QuicConnectionId connection_id) const;
 
   // Internal structure to store pending termination packets.
-  class QueuedPacket {
+  class QUIC_NO_EXPORT QueuedPacket {
    public:
     QueuedPacket(const QuicSocketAddress& self_address,
                  const QuicSocketAddress& peer_address,
@@ -229,7 +230,7 @@ class QuicTimeWaitListManager : public QuicBlockedWriterInterface {
   // A map from a recently closed connection_id to the number of packets
   // received after the termination of the connection bound to the
   // connection_id.
-  struct ConnectionIdData {
+  struct QUIC_NO_EXPORT ConnectionIdData {
     ConnectionIdData(int num_packets,
                      bool ietf_quic,
                      QuicTime time_added,
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_trace_visitor.cc b/chromium/net/third_party/quiche/src/quic/core/quic_trace_visitor.cc
index 42ee003966d..50974853345 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_trace_visitor.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_trace_visitor.cc
@@ -6,7 +6,7 @@
 
 #include <string>
 
-#include "net/third_party/quiche/src/quic/platform/api/quic_endian.h"
+#include "net/third_party/quiche/src/common/platform/api/quiche_endian.h"
 
 namespace quic {
 
@@ -44,7 +44,6 @@ QuicTraceVisitor::QuicTraceVisitor(const QuicConnection* connection)
 }
 
 void QuicTraceVisitor::OnPacketSent(const SerializedPacket& serialized_packet,
-                                    QuicPacketNumber /*original_packet_number*/,
                                     TransmissionType /*transmission_type*/,
                                     QuicTime sent_time) {
   quic_trace::Event* event = trace_.add_events();
@@ -172,7 +171,7 @@ void QuicTraceVisitor::PopulateFrameInfo(const QuicFrame& frame,
 
       quic_trace::FlowControlInfo* info =
           frame_record->mutable_flow_control_info();
-      info->set_max_data(frame.window_update_frame->byte_offset);
+      info->set_max_data(frame.window_update_frame->max_data);
       if (!is_connection) {
         info->set_stream_id(frame.window_update_frame->stream_id);
       }
@@ -266,7 +265,8 @@ void QuicTraceVisitor::OnWindowUpdateFrame(const QuicWindowUpdateFrame& frame,
 
 void QuicTraceVisitor::OnSuccessfulVersionNegotiation(
     const ParsedQuicVersion& version) {
-  uint32_t tag = QuicEndian::HostToNet32(CreateQuicVersionLabel(version));
+  uint32_t tag =
+      quiche::QuicheEndian::HostToNet32(CreateQuicVersionLabel(version));
   std::string binary_tag(reinterpret_cast<const char*>(&tag), sizeof(tag));
   trace_.set_protocol_version(binary_tag);
 }
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_trace_visitor.h b/chromium/net/third_party/quiche/src/quic/core/quic_trace_visitor.h
index 0494d874331..86d7198ebe7 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_trace_visitor.h
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_trace_visitor.h
@@ -14,12 +14,11 @@ namespace quic {
 // Records a QUIC trace protocol buffer for a QuicConnection.  It's the
 // responsibility of the user of this visitor to process or store the resulting
 // trace, which can be accessed via trace().
-class QuicTraceVisitor : public QuicConnectionDebugVisitor {
+class QUIC_NO_EXPORT QuicTraceVisitor : public QuicConnectionDebugVisitor {
  public:
   explicit QuicTraceVisitor(const QuicConnection* connection);
 
   void OnPacketSent(const SerializedPacket& serialized_packet,
-                    QuicPacketNumber original_packet_number,
                     TransmissionType transmission_type,
                     QuicTime sent_time) override;
 
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_transmission_info.cc b/chromium/net/third_party/quiche/src/quic/core/quic_transmission_info.cc
index fb5cf670063..163ba384f32 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_transmission_info.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_transmission_info.cc
@@ -8,7 +8,6 @@ namespace quic {
 
 QuicTransmissionInfo::QuicTransmissionInfo()
     : encryption_level(ENCRYPTION_INITIAL),
-      packet_number_length(PACKET_1BYTE_PACKET_NUMBER),
       bytes_sent(0),
       sent_time(QuicTime::Zero()),
       transmission_type(NOT_RETRANSMISSION),
@@ -19,14 +18,12 @@ QuicTransmissionInfo::QuicTransmissionInfo()
 
 QuicTransmissionInfo::QuicTransmissionInfo(
     EncryptionLevel level,
-    QuicPacketNumberLength packet_number_length,
     TransmissionType transmission_type,
     QuicTime sent_time,
     QuicPacketLength bytes_sent,
     bool has_crypto_handshake,
     int num_padding_bytes)
     : encryption_level(level),
-      packet_number_length(packet_number_length),
       bytes_sent(bytes_sent),
       sent_time(sent_time),
       transmission_type(transmission_type),
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_transmission_info.h b/chromium/net/third_party/quiche/src/quic/core/quic_transmission_info.h
index 7c4881a290a..a4fa762d359 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_transmission_info.h
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_transmission_info.h
@@ -22,7 +22,6 @@ struct QUIC_EXPORT_PRIVATE QuicTransmissionInfo {
   // Constructs a Transmission with a new all_transmissions set
   // containing |packet_number|.
   QuicTransmissionInfo(EncryptionLevel level,
-                       QuicPacketNumberLength packet_number_length,
                        TransmissionType transmission_type,
                        QuicTime sent_time,
                        QuicPacketLength bytes_sent,
@@ -35,8 +34,6 @@ struct QUIC_EXPORT_PRIVATE QuicTransmissionInfo {
 
   QuicFrames retransmittable_frames;
   EncryptionLevel encryption_level;
-  // TODO(fayang): remove this when deprecating QUIC_VERSION_39.
-  QuicPacketNumberLength packet_number_length;
   QuicPacketLength bytes_sent;
   QuicTime sent_time;
   // Reason why this packet was transmitted.
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_types.cc b/chromium/net/third_party/quiche/src/quic/core/quic_types.cc
index db48c5c2391..ca12e76725b 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_types.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_types.cc
@@ -6,13 +6,11 @@
 
 #include <cstdint>
 
+#include "net/third_party/quiche/src/quic/core/quic_error_codes.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_str_cat.h"
 
 namespace quic {
 
-QuicConsumedData::QuicConsumedData(size_t bytes_consumed, bool fin_consumed)
-    : bytes_consumed(bytes_consumed), fin_consumed(fin_consumed) {}
-
 std::ostream& operator<<(std::ostream& os, const QuicConsumedData& s) {
   os << "bytes_consumed: " << s.bytes_consumed
      << " fin_consumed: " << s.fin_consumed;
@@ -53,6 +51,8 @@ std::string HistogramEnumString(WriteStatus enum_value) {
       return "ERROR";
     case WRITE_STATUS_MSG_TOO_BIG:
       return "MSG_TOO_BIG";
+    case WRITE_STATUS_FAILED_TO_COALESCE_PACKET:
+      return "WRITE_STATUS_FAILED_TO_COALESCE_PACKET";
     case WRITE_STATUS_NUM_VALUES:
       return "NUM_VALUES";
   }
@@ -60,11 +60,6 @@ std::string HistogramEnumString(WriteStatus enum_value) {
   return "<invalid>";
 }
 
-WriteResult::WriteResult() : status(WRITE_STATUS_ERROR), bytes_written(0) {}
-
-WriteResult::WriteResult(WriteStatus status, int bytes_written_or_error_code)
-    : status(status), bytes_written(bytes_written_or_error_code) {}
-
 std::ostream& operator<<(std::ostream& os, const WriteResult& s) {
   os << "{ status: " << s.status;
   if (s.status == WRITE_STATUS_OK) {
@@ -413,6 +408,23 @@ QuicErrorCodeToIetfMapping QuicErrorCodeToTransportErrorCode(
               {static_cast<uint64_t>(QUIC_TOO_MANY_BUFFERED_CONTROL_FRAMES)}};
     case QUIC_TRANSPORT_INVALID_CLIENT_INDICATION:
       return {false, {0u}};
+    case QUIC_QPACK_DECOMPRESSION_FAILED:
+      return {
+          false,
+          {static_cast<uint64_t>(IETF_QUIC_HTTP_QPACK_DECOMPRESSION_FAILED)}};
+    case QUIC_QPACK_ENCODER_STREAM_ERROR:
+      return {
+          false,
+          {static_cast<uint64_t>(IETF_QUIC_HTTP_QPACK_ENCODER_STREAM_ERROR)}};
+    case QUIC_QPACK_DECODER_STREAM_ERROR:
+      return {
+          false,
+          {static_cast<uint64_t>(IETF_QUIC_HTTP_QPACK_DECODER_STREAM_ERROR)}};
+    case QUIC_STREAM_DATA_BEYOND_CLOSE_OFFSET:
+      return {true,
+              {static_cast<uint64_t>(QUIC_STREAM_DATA_BEYOND_CLOSE_OFFSET)}};
+    case QUIC_STREAM_MULTIPLE_OFFSET:
+      return {true, {static_cast<uint64_t>(QUIC_STREAM_MULTIPLE_OFFSET)}};
     case QUIC_LAST_ERROR:
       return {false, {static_cast<uint64_t>(QUIC_LAST_ERROR)}};
   }
@@ -450,6 +462,8 @@ std::string QuicIetfFrameTypeString(QuicIetfFrameType t) {
     RETURN_STRING_LITERAL(IETF_APPLICATION_CLOSE);
     RETURN_STRING_LITERAL(IETF_EXTENSION_MESSAGE_NO_LENGTH);
     RETURN_STRING_LITERAL(IETF_EXTENSION_MESSAGE);
+    RETURN_STRING_LITERAL(IETF_EXTENSION_MESSAGE_NO_LENGTH_V99);
+    RETURN_STRING_LITERAL(IETF_EXTENSION_MESSAGE_V99);
     default:
       return QuicStrCat("Private value (", t, ")");
   }
@@ -468,6 +482,7 @@ std::string TransmissionTypeToString(TransmissionType transmission_type) {
     RETURN_STRING_LITERAL(LOSS_RETRANSMISSION);
     RETURN_STRING_LITERAL(RTO_RETRANSMISSION);
     RETURN_STRING_LITERAL(TLP_RETRANSMISSION);
+    RETURN_STRING_LITERAL(PTO_RETRANSMISSION);
     RETURN_STRING_LITERAL(PROBING_RETRANSMISSION);
     default:
       // Some varz rely on this behavior for statistic collection.
@@ -502,6 +517,33 @@ std::string QuicLongHeaderTypeToString(QuicLongHeaderType type) {
   }
 }
 
+std::string MessageStatusToString(MessageStatus message_status) {
+  switch (message_status) {
+    RETURN_STRING_LITERAL(MESSAGE_STATUS_SUCCESS);
+    RETURN_STRING_LITERAL(MESSAGE_STATUS_ENCRYPTION_NOT_ESTABLISHED);
+    RETURN_STRING_LITERAL(MESSAGE_STATUS_UNSUPPORTED);
+    RETURN_STRING_LITERAL(MESSAGE_STATUS_BLOCKED);
+    RETURN_STRING_LITERAL(MESSAGE_STATUS_TOO_LARGE);
+    RETURN_STRING_LITERAL(MESSAGE_STATUS_INTERNAL_ERROR);
+    default:
+      return QuicStrCat("Unknown(", static_cast<int>(message_status), ")");
+      break;
+  }
+}
+
+std::string MessageResultToString(MessageResult message_result) {
+  if (message_result.status != MESSAGE_STATUS_SUCCESS) {
+    return QuicStrCat("{", MessageStatusToString(message_result.status), "}");
+  }
+  return QuicStrCat("{MESSAGE_STATUS_SUCCESS,id=", message_result.message_id,
+                    "}");
+}
+
+std::ostream& operator<<(std::ostream& os, const MessageResult& mr) {
+  os << MessageResultToString(mr);
+  return os;
+}
+
 std::string PacketNumberSpaceToString(PacketNumberSpace packet_number_space) {
   switch (packet_number_space) {
     RETURN_STRING_LITERAL(INITIAL_DATA);
@@ -513,6 +555,17 @@ std::string PacketNumberSpaceToString(PacketNumberSpace packet_number_space) {
   }
 }
 
+std::string SerializedPacketFateToString(SerializedPacketFate fate) {
+  switch (fate) {
+    RETURN_STRING_LITERAL(COALESCE);
+    RETURN_STRING_LITERAL(BUFFER);
+    RETURN_STRING_LITERAL(SEND_TO_WRITER);
+    RETURN_STRING_LITERAL(FAILED_TO_WRITE_COALESCED_PACKET);
+    default:
+      return QuicStrCat("Unknown(", static_cast<int>(fate), ")");
+  }
+}
+
 std::string EncryptionLevelToString(EncryptionLevel level) {
   switch (level) {
     RETURN_STRING_LITERAL(ENCRYPTION_INITIAL);
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_types.h b/chromium/net/third_party/quiche/src/quic/core/quic_types.h
index afd42be3f46..23cbe7a4eb4 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_types.h
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_types.h
@@ -15,6 +15,7 @@
 #include "net/third_party/quiche/src/quic/core/quic_error_codes.h"
 #include "net/third_party/quiche/src/quic/core/quic_packet_number.h"
 #include "net/third_party/quiche/src/quic/core/quic_time.h"
+#include "net/third_party/quiche/src/quic/platform/api/quic_containers.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_export.h"
 
 namespace quic {
@@ -23,6 +24,7 @@ typedef uint16_t QuicPacketLength;
 typedef uint32_t QuicControlFrameId;
 typedef uint32_t QuicHeaderId;
 typedef uint32_t QuicMessageId;
+typedef uint64_t QuicDatagramFlowId;
 
 // TODO(fkastenholz): Should update this to 64 bits for V99.
 typedef uint32_t QuicStreamId;
@@ -55,7 +57,8 @@ typedef uint64_t QuicConnectionIdSequenceNumber;
 
 // A struct for functions which consume data payloads and fins.
 struct QUIC_EXPORT_PRIVATE QuicConsumedData {
-  QuicConsumedData(size_t bytes_consumed, bool fin_consumed);
+  constexpr QuicConsumedData(size_t bytes_consumed, bool fin_consumed)
+      : bytes_consumed(bytes_consumed), fin_consumed(fin_consumed) {}
 
   // By default, gtest prints the raw bytes of an object. The bool data
   // member causes this object to have padding bytes, which causes the
@@ -94,6 +97,7 @@ enum WriteStatus {
   // - Errors MUST be added after WRITE_STATUS_ERROR.
   WRITE_STATUS_ERROR,
   WRITE_STATUS_MSG_TOO_BIG,
+  WRITE_STATUS_FAILED_TO_COALESCE_PACKET,
   WRITE_STATUS_NUM_VALUES,
 };
 
@@ -115,8 +119,10 @@ inline bool IsWriteError(WriteStatus status) {
 // A struct used to return the result of write calls including either the number
 // of bytes written or the error code, depending upon the status.
 struct QUIC_EXPORT_PRIVATE WriteResult {
-  WriteResult(WriteStatus status, int bytes_written_or_error_code);
-  WriteResult();
+  constexpr WriteResult(WriteStatus status, int bytes_written_or_error_code)
+      : status(status), bytes_written(bytes_written_or_error_code) {}
+
+  constexpr WriteResult() : WriteResult(WRITE_STATUS_ERROR, 0) {}
 
   bool operator==(const WriteResult& other) const {
     if (status != other.status) {
@@ -153,6 +159,7 @@ enum TransmissionType : int8_t {
   LOSS_RETRANSMISSION,         // Retransmits due to loss detection.
   RTO_RETRANSMISSION,          // Retransmits due to retransmit time out.
   TLP_RETRANSMISSION,          // Tail loss probes.
+  PTO_RETRANSMISSION,          // Retransmission due to probe timeout.
   PROBING_RETRANSMISSION,      // Retransmission in order to probe bandwidth.
   LAST_TRANSMISSION_TYPE = PROBING_RETRANSMISSION,
 };
@@ -265,10 +272,13 @@ enum QuicIetfFrameType : uint8_t {
   IETF_CONNECTION_CLOSE = 0x1c,
   IETF_APPLICATION_CLOSE = 0x1d,
 
-  // MESSAGE frame type is not yet determined, use 0x2x temporarily to give
-  // stream frame some wiggle room.
+  // The MESSAGE frame type has not yet been fully standardized.
+  // QUIC versions starting with 46 and before 99 use 0x20-0x21.
+  // IETF QUIC (v99) uses 0x30-0x31, see draft-pauly-quic-datagram.
   IETF_EXTENSION_MESSAGE_NO_LENGTH = 0x20,
   IETF_EXTENSION_MESSAGE = 0x21,
+  IETF_EXTENSION_MESSAGE_NO_LENGTH_V99 = 0x30,
+  IETF_EXTENSION_MESSAGE_V99 = 0x31,
 };
 QUIC_EXPORT_PRIVATE std::ostream& operator<<(std::ostream& os,
                                              const QuicIetfFrameType& c);
@@ -308,7 +318,8 @@ enum QuicPacketNumberLength : uint8_t {
   PACKET_3BYTE_PACKET_NUMBER = 3,  // Used in versions 45+.
   PACKET_4BYTE_PACKET_NUMBER = 4,
   IETF_MAX_PACKET_NUMBER_LENGTH = 4,
-  // TODO(rch): Remove this when we remove QUIC_VERSION_39.
+  // TODO(rch): Remove these when we remove QUIC_VERSION_43 since these values
+  // are not representable with v46 and above.
   PACKET_6BYTE_PACKET_NUMBER = 6,
   PACKET_8BYTE_PACKET_NUMBER = 8
 };
@@ -440,7 +451,7 @@ enum StreamSendingState {
 };
 
 enum SentPacketState : uint8_t {
-  // The packet has been sent and waiting to be acked.
+  // The packet is in flight and waiting to be acked.
   OUTSTANDING,
   FIRST_PACKET_STATE = OUTSTANDING,
   // The packet was never sent.
@@ -449,6 +460,8 @@ enum SentPacketState : uint8_t {
   ACKED,
   // This packet is not expected to be acked.
   UNACKABLE,
+  // This packet has been delivered or unneeded.
+  NEUTERED,
 
   // States below are corresponding to retransmission types in TransmissionType.
 
@@ -461,6 +474,8 @@ enum SentPacketState : uint8_t {
   TLP_RETRANSMITTED,
   // This packet has been retransmitted when RTO fires.
   RTO_RETRANSMITTED,
+  // This packet has been retransmitted when PTO fires.
+  PTO_RETRANSMITTED,
   // This packet has been retransmitted for probing purpose.
   PROBE_RETRANSMITTED,
   LAST_PACKET_STATE = PROBE_RETRANSMITTED,
@@ -476,10 +491,10 @@ QUIC_EXPORT_PRIVATE std::string PacketHeaderFormatToString(
     PacketHeaderFormat format);
 
 // Information about a newly acknowledged packet.
-struct AckedPacket {
-  AckedPacket(QuicPacketNumber packet_number,
-              QuicPacketLength bytes_acked,
-              QuicTime receive_timestamp)
+struct QUIC_EXPORT_PRIVATE AckedPacket {
+  constexpr AckedPacket(QuicPacketNumber packet_number,
+                        QuicPacketLength bytes_acked,
+                        QuicTime receive_timestamp)
       : packet_number(packet_number),
         bytes_acked(bytes_acked),
         receive_timestamp(receive_timestamp) {}
@@ -498,10 +513,10 @@ struct AckedPacket {
 };
 
 // A vector of acked packets.
-typedef std::vector<AckedPacket> AckedPacketVector;
+typedef QuicInlinedVector<AckedPacket, 2> AckedPacketVector;
 
 // Information about a newly lost packet.
-struct LostPacket {
+struct QUIC_EXPORT_PRIVATE LostPacket {
   LostPacket(QuicPacketNumber packet_number, QuicPacketLength bytes_lost)
       : packet_number(packet_number), bytes_lost(bytes_lost) {}
 
@@ -515,7 +530,7 @@ struct LostPacket {
 };
 
 // A vector of lost packets.
-typedef std::vector<LostPacket> LostPacketVector;
+typedef QuicInlinedVector<LostPacket, 2> LostPacketVector;
 
 enum QuicIetfTransportErrorCodes : uint64_t {
   NO_IETF_QUIC_ERROR = 0x0,
@@ -542,7 +557,7 @@ QUIC_EXPORT_PRIVATE std::ostream& operator<<(
 // first element of the pair is false, it means that an IETF Application Close
 // should be done instead.
 
-struct QuicErrorCodeToIetfMapping {
+struct QUIC_EXPORT_PRIVATE QuicErrorCodeToIetfMapping {
   bool is_transport_close_;
   union {
     uint64_t application_error_code_;
@@ -599,6 +614,9 @@ enum MessageStatus {
                                   // reaches an invalid state.
 };
 
+QUIC_EXPORT_PRIVATE std::string MessageStatusToString(
+    MessageStatus message_status);
+
 // Used to return the result of SendMessage calls
 struct QUIC_EXPORT_PRIVATE MessageResult {
   MessageResult(MessageStatus status, QuicMessageId message_id);
@@ -607,11 +625,17 @@ struct QUIC_EXPORT_PRIVATE MessageResult {
     return status == other.status && message_id == other.message_id;
   }
 
+  QUIC_EXPORT_PRIVATE friend std::ostream& operator<<(std::ostream& os,
+                                                      const MessageResult& mr);
+
   MessageStatus status;
   // Only valid when status is MESSAGE_STATUS_SUCCESS.
   QuicMessageId message_id;
 };
 
+QUIC_EXPORT_PRIVATE std::string MessageResultToString(
+    MessageResult message_result);
+
 enum WriteStreamDataResult {
   WRITE_SUCCESS,
   STREAM_MISSING,  // Trying to write data of a nonexistent stream (e.g.
@@ -660,6 +684,18 @@ enum AckResult {
   PACKETS_ACKED_IN_WRONG_PACKET_NUMBER_SPACE,
 };
 
+// Indicates the fate of a serialized packet in WritePacket().
+enum SerializedPacketFate : uint8_t {
+  COALESCE,                          // Try to coalesce packet.
+  BUFFER,                            // Buffer packet in buffered_packets_.
+  SEND_TO_WRITER,                    // Send packet to writer.
+  FAILED_TO_WRITE_COALESCED_PACKET,  // Packet cannot be coalesced, error occurs
+                                     // when sending existing coalesced packet.
+};
+
+QUIC_EXPORT_PRIVATE std::string SerializedPacketFateToString(
+    SerializedPacketFate fate);
+
 // There are three different forms of CONNECTION_CLOSE.
 typedef enum QuicConnectionCloseType {
   GOOGLE_QUIC_CONNECTION_CLOSE = 0,
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_types_test.cc b/chromium/net/third_party/quiche/src/quic/core/quic_types_test.cc
index 8b4df895224..c7e4316a218 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_types_test.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_types_test.cc
@@ -13,9 +13,9 @@ namespace quic {
 namespace test {
 namespace {
 
-class QuicUtilsTest : public QuicTest {};
+class QuicTypesTest : public QuicTest {};
 
-TEST_F(QuicUtilsTest, QuicIetfTransportErrorCodeString) {
+TEST_F(QuicTypesTest, QuicIetfTransportErrorCodeString) {
   // QuicIetfTransportErrorCode out of bound.
   for (quic::QuicErrorCode error = quic::QUIC_ENCRYPTION_FAILURE;
        error < quic::QUIC_LAST_ERROR;
@@ -27,10 +27,6 @@ TEST_F(QuicUtilsTest, QuicIetfTransportErrorCodeString) {
           QuicIetfTransportErrorCodeString(mapping.transport_error_code_),
           QuicStrCat("Unknown Transport Error Code Value: ",
                      static_cast<uint16_t>(mapping.transport_error_code_)));
-    } else {
-      // Some QuicErrorCodes are no longer valid.
-      EXPECT_EQ(QuicIetfTransportErrorCodeString(mapping.transport_error_code_),
-                "NO_IETF_QUIC_ERROR");
     }
   }
 }
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_unacked_packet_map.cc b/chromium/net/third_party/quiche/src/quic/core/quic_unacked_packet_map.cc
index cc9c13f7a4c..d8beb435967 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_unacked_packet_map.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_unacked_packet_map.cc
@@ -28,17 +28,11 @@ QuicUnackedPacketMap::QuicUnackedPacketMap(Perspective perspective)
     : perspective_(perspective),
       least_unacked_(FirstSendingPacketNumber()),
       bytes_in_flight_(0),
-      pending_crypto_packet_count_(0),
+      packets_in_flight_(0),
       last_inflight_packet_sent_time_(QuicTime::Zero()),
       last_crypto_packet_sent_time_(QuicTime::Zero()),
       session_notifier_(nullptr),
-      session_decides_what_to_write_(false),
-      supports_multiple_packet_number_spaces_(false),
-      simple_inflight_time_(GetQuicReloadableFlag(quic_simple_inflight_time)) {
-  if (simple_inflight_time_) {
-    QUIC_RELOADABLE_FLAG_COUNT(quic_simple_inflight_time);
-  }
-}
+      supports_multiple_packet_number_spaces_(false) {}
 
 QuicUnackedPacketMap::~QuicUnackedPacketMap() {
   for (QuicTransmissionInfo& transmission_info : unacked_packets_) {
@@ -47,7 +41,6 @@ QuicUnackedPacketMap::~QuicUnackedPacketMap() {
 }
 
 void QuicUnackedPacketMap::AddSentPacket(SerializedPacket* packet,
-                                         QuicPacketNumber old_packet_number,
                                          TransmissionType transmission_type,
                                          QuicTime sent_time,
                                          bool set_in_flight) {
@@ -65,15 +58,11 @@ void QuicUnackedPacketMap::AddSentPacket(SerializedPacket* packet,
 
   const bool has_crypto_handshake =
       packet->has_crypto_handshake == IS_HANDSHAKE;
-  QuicTransmissionInfo info(
-      packet->encryption_level, packet->packet_number_length, transmission_type,
-      sent_time, bytes_sent, has_crypto_handshake, packet->num_padding_bytes);
+  QuicTransmissionInfo info(packet->encryption_level, transmission_type,
+                            sent_time, bytes_sent, has_crypto_handshake,
+                            packet->num_padding_bytes);
   info.largest_acked = packet->largest_acked;
   largest_sent_largest_acked_.UpdateMax(packet->largest_acked);
-  if (old_packet_number.IsInitialized()) {
-    TransferRetransmissionInfo(old_packet_number, packet_number,
-                               transmission_type, &info);
-  }
 
   largest_sent_packet_ = packet_number;
   if (supports_multiple_packet_number_spaces_) {
@@ -82,6 +71,7 @@ void QuicUnackedPacketMap::AddSentPacket(SerializedPacket* packet,
   }
   if (set_in_flight) {
     bytes_in_flight_ += bytes_sent;
+    ++packets_in_flight_;
     info.in_flight = true;
     largest_sent_retransmittable_packets_[GetPacketNumberSpace(
         info.encryption_level)] = packet_number;
@@ -92,15 +82,12 @@ void QuicUnackedPacketMap::AddSentPacket(SerializedPacket* packet,
   unacked_packets_.push_back(info);
   // Swap the retransmittable frames to avoid allocations.
   // TODO(ianswett): Could use emplace_back when Chromium can.
-  if (!old_packet_number.IsInitialized()) {
-    if (has_crypto_handshake) {
-      ++pending_crypto_packet_count_;
-      last_crypto_packet_sent_time_ = sent_time;
-    }
-
-    packet->retransmittable_frames.swap(
-        unacked_packets_.back().retransmittable_frames);
+  if (has_crypto_handshake) {
+    last_crypto_packet_sent_time_ = sent_time;
   }
+
+  packet->retransmittable_frames.swap(
+      unacked_packets_.back().retransmittable_frames);
 }
 
 void QuicUnackedPacketMap::RemoveObsoletePackets() {
@@ -108,62 +95,12 @@ void QuicUnackedPacketMap::RemoveObsoletePackets() {
     if (!IsPacketUseless(least_unacked_, unacked_packets_.front())) {
       break;
     }
-    if (session_decides_what_to_write_) {
-      DeleteFrames(&unacked_packets_.front().retransmittable_frames);
-    }
+    DeleteFrames(&unacked_packets_.front().retransmittable_frames);
     unacked_packets_.pop_front();
     ++least_unacked_;
   }
 }
 
-void QuicUnackedPacketMap::TransferRetransmissionInfo(
-    QuicPacketNumber old_packet_number,
-    QuicPacketNumber new_packet_number,
-    TransmissionType transmission_type,
-    QuicTransmissionInfo* info) {
-  if (old_packet_number < least_unacked_) {
-    // This can happen when a retransmission packet is queued because of write
-    // blocked socket, and the original packet gets acked before the
-    // retransmission gets sent.
-    return;
-  }
-  if (old_packet_number > largest_sent_packet_) {
-    QUIC_BUG << "Old QuicTransmissionInfo never existed for :"
-             << old_packet_number << " largest_sent:" << largest_sent_packet_;
-    return;
-  }
-  DCHECK_GE(new_packet_number, least_unacked_ + unacked_packets_.size());
-  DCHECK_NE(NOT_RETRANSMISSION, transmission_type);
-
-  QuicTransmissionInfo* transmission_info =
-      &unacked_packets_.at(old_packet_number - least_unacked_);
-  QuicFrames* frames = &transmission_info->retransmittable_frames;
-  if (session_notifier_ != nullptr) {
-    for (const QuicFrame& frame : *frames) {
-      if (frame.type == STREAM_FRAME) {
-        session_notifier_->OnStreamFrameRetransmitted(frame.stream_frame);
-      }
-    }
-  }
-
-  // Swap the frames and preserve num_padding_bytes and has_crypto_handshake.
-  frames->swap(info->retransmittable_frames);
-  info->has_crypto_handshake = transmission_info->has_crypto_handshake;
-  transmission_info->has_crypto_handshake = false;
-  info->num_padding_bytes = transmission_info->num_padding_bytes;
-
-  // Don't link old transmissions to new ones when version or
-  // encryption changes.
-  if (transmission_type == ALL_INITIAL_RETRANSMISSION ||
-      transmission_type == ALL_UNACKED_RETRANSMISSION) {
-    transmission_info->state = UNACKABLE;
-  } else {
-    transmission_info->retransmission = new_packet_number;
-  }
-  // Proactively remove obsolete packets so the least unacked can be raised.
-  RemoveObsoletePackets();
-}
-
 bool QuicUnackedPacketMap::HasRetransmittableFrames(
     QuicPacketNumber packet_number) const {
   DCHECK_GE(packet_number, least_unacked_);
@@ -174,10 +111,6 @@ bool QuicUnackedPacketMap::HasRetransmittableFrames(
 
 bool QuicUnackedPacketMap::HasRetransmittableFrames(
     const QuicTransmissionInfo& info) const {
-  if (!session_decides_what_to_write_) {
-    return !info.retransmittable_frames.empty();
-  }
-
   if (!QuicUtils::IsAckable(info.state)) {
     return false;
   }
@@ -192,24 +125,8 @@ bool QuicUnackedPacketMap::HasRetransmittableFrames(
 
 void QuicUnackedPacketMap::RemoveRetransmittability(
     QuicTransmissionInfo* info) {
-  if (session_decides_what_to_write_) {
-    DeleteFrames(&info->retransmittable_frames);
-    info->retransmission.Clear();
-    return;
-  }
-  while (info->retransmission.IsInitialized()) {
-    const QuicPacketNumber retransmission = info->retransmission;
-    info->retransmission.Clear();
-    info = &unacked_packets_[retransmission - least_unacked_];
-  }
-
-  if (info->has_crypto_handshake) {
-    DCHECK(HasRetransmittableFrames(*info));
-    DCHECK_LT(0u, pending_crypto_packet_count_);
-    --pending_crypto_packet_count_;
-    info->has_crypto_handshake = false;
-  }
   DeleteFrames(&info->retransmittable_frames);
+  info->retransmission.Clear();
 }
 
 void QuicUnackedPacketMap::RemoveRetransmittability(
@@ -250,16 +167,6 @@ bool QuicUnackedPacketMap::IsPacketUsefulForCongestionControl(
 
 bool QuicUnackedPacketMap::IsPacketUsefulForRetransmittableData(
     const QuicTransmissionInfo& info) const {
-  if (!session_decides_what_to_write_) {
-    // Packet may have retransmittable frames, or the data may have been
-    // retransmitted with a new packet number.
-    // Allow for an extra 1 RTT before stopping to track old packets.
-    return (info.retransmission.IsInitialized() &&
-            (!largest_acked_.IsInitialized() ||
-             info.retransmission > largest_acked_)) ||
-           HasRetransmittableFrames(info);
-  }
-
   // Wait for 1 RTT before giving up on the lost packet.
   return info.retransmission.IsInitialized() &&
          (!largest_acked_.IsInitialized() ||
@@ -286,7 +193,9 @@ bool QuicUnackedPacketMap::IsUnacked(QuicPacketNumber packet_number) const {
 void QuicUnackedPacketMap::RemoveFromInFlight(QuicTransmissionInfo* info) {
   if (info->in_flight) {
     QUIC_BUG_IF(bytes_in_flight_ < info->bytes_sent);
+    QUIC_BUG_IF(packets_in_flight_ == 0);
     bytes_in_flight_ -= info->bytes_sent;
+    --packets_in_flight_;
     info->in_flight = false;
   }
 }
@@ -299,23 +208,6 @@ void QuicUnackedPacketMap::RemoveFromInFlight(QuicPacketNumber packet_number) {
   RemoveFromInFlight(info);
 }
 
-void QuicUnackedPacketMap::CancelRetransmissionsForStream(
-    QuicStreamId stream_id) {
-  DCHECK(!session_decides_what_to_write_);
-  QuicPacketNumber packet_number = least_unacked_;
-  for (auto it = unacked_packets_.begin(); it != unacked_packets_.end();
-       ++it, ++packet_number) {
-    QuicFrames* frames = &it->retransmittable_frames;
-    if (frames->empty()) {
-      continue;
-    }
-    RemoveFramesForStream(frames, stream_id);
-    if (frames->empty()) {
-      RemoveRetransmittability(packet_number);
-    }
-  }
-}
-
 bool QuicUnackedPacketMap::HasInFlightPackets() const {
   return bytes_in_flight_ > 0;
 }
@@ -331,20 +223,7 @@ QuicTransmissionInfo* QuicUnackedPacketMap::GetMutableTransmissionInfo(
 }
 
 QuicTime QuicUnackedPacketMap::GetLastInFlightPacketSentTime() const {
-  if (simple_inflight_time_) {
-    return last_inflight_packet_sent_time_;
-  }
-  auto it = unacked_packets_.rbegin();
-  while (it != unacked_packets_.rend()) {
-    if (it->in_flight) {
-      QUIC_BUG_IF(it->sent_time == QuicTime::Zero())
-          << "Sent time can never be zero for a packet in flight.";
-      return it->sent_time;
-    }
-    ++it;
-  }
-  QUIC_BUG << "GetLastPacketSentTime requires in flight packets.";
-  return QuicTime::Zero();
+  return last_inflight_packet_sent_time_;
 }
 
 QuicTime QuicUnackedPacketMap::GetLastCryptoPacketSentTime() const {
@@ -381,9 +260,6 @@ bool QuicUnackedPacketMap::HasMultipleInFlightPackets() const {
 }
 
 bool QuicUnackedPacketMap::HasPendingCryptoPackets() const {
-  if (!session_decides_what_to_write_) {
-    return pending_crypto_packet_count_ > 0;
-  }
   return session_notifier_->HasUnackedCryptoData();
 }
 
@@ -423,7 +299,6 @@ bool QuicUnackedPacketMap::NotifyFramesAcked(const QuicTransmissionInfo& info,
 
 void QuicUnackedPacketMap::NotifyFramesLost(const QuicTransmissionInfo& info,
                                             TransmissionType /*type*/) {
-  DCHECK(session_decides_what_to_write_);
   for (const QuicFrame& frame : info.retransmittable_frames) {
     session_notifier_->OnFrameLost(frame);
   }
@@ -431,7 +306,6 @@ void QuicUnackedPacketMap::NotifyFramesLost(const QuicTransmissionInfo& info,
 
 void QuicUnackedPacketMap::RetransmitFrames(const QuicTransmissionInfo& info,
                                             TransmissionType type) {
-  DCHECK(session_decides_what_to_write_);
   session_notifier_->RetransmitFrames(info.retransmittable_frames, type);
 }
 
@@ -537,15 +411,6 @@ QuicUnackedPacketMap::GetLargestSentRetransmittableOfPacketNumberSpace(
   return largest_sent_retransmittable_packets_[packet_number_space];
 }
 
-void QuicUnackedPacketMap::SetSessionDecideWhatToWrite(
-    bool session_decides_what_to_write) {
-  if (largest_sent_packet_.IsInitialized()) {
-    QUIC_BUG << "Cannot change session_decide_what_to_write with packets sent.";
-    return;
-  }
-  session_decides_what_to_write_ = session_decides_what_to_write;
-}
-
 void QuicUnackedPacketMap::EnableMultiplePacketNumberSpacesSupport() {
   if (supports_multiple_packet_number_spaces_) {
     QUIC_BUG << "Multiple packet number spaces has already been enabled";
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_unacked_packet_map.h b/chromium/net/third_party/quiche/src/quic/core/quic_unacked_packet_map.h
index 864e485fbf0..fd6510a6c77 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_unacked_packet_map.h
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_unacked_packet_map.h
@@ -34,12 +34,9 @@ class QUIC_EXPORT_PRIVATE QuicUnackedPacketMap {
   // Marks the packet as in flight if |set_in_flight| is true.
   // Packets marked as in flight are expected to be marked as missing when they
   // don't arrive, indicating the need for retransmission.
-  // |old_packet_number| is the packet number of the previous transmission,
-  // or 0 if there was none.
   // Any AckNotifierWrappers in |serialized_packet| are swapped from the
   // serialized packet into the QuicTransmissionInfo.
   void AddSentPacket(SerializedPacket* serialized_packet,
-                     QuicPacketNumber old_packet_number,
                      TransmissionType transmission_type,
                      QuicTime sent_time,
                      bool set_in_flight);
@@ -68,9 +65,6 @@ class QUIC_EXPORT_PRIVATE QuicUnackedPacketMap {
   // Marks |packet_number| as no longer in flight.
   void RemoveFromInFlight(QuicPacketNumber packet_number);
 
-  // No longer retransmit data for |stream_id|.
-  void CancelRetransmissionsForStream(QuicStreamId stream_id);
-
   // Returns true if |packet_number| has retransmittable frames. This will
   // return false if all frames of this packet are either non-retransmittable or
   // have been acked.
@@ -100,6 +94,7 @@ class QUIC_EXPORT_PRIVATE QuicUnackedPacketMap {
 
   // Returns the sum of bytes from all packets in flight.
   QuicByteCount bytes_in_flight() const { return bytes_in_flight_; }
+  QuicPacketCount packets_in_flight() const { return packets_in_flight_; }
 
   // Returns the smallest packet number of a serialized packet which has not
   // been acked by the peer.  If there are no unacked packets, returns 0.
@@ -140,16 +135,14 @@ class QUIC_EXPORT_PRIVATE QuicUnackedPacketMap {
   size_t GetNumUnackedPacketsDebugOnly() const;
 
   // Returns true if there are multiple packets in flight.
+  // TODO(fayang): Remove this method and use packets_in_flight_ instead.
   bool HasMultipleInFlightPackets() const;
 
   // Returns true if there are any pending crypto packets.
-  // TODO(fayang): Remove this method and call session_notifier_'s
-  // HasUnackedCryptoData() when session_decides_what_to_write_ is default true.
   bool HasPendingCryptoPackets() const;
 
   // Returns true if there is any unacked non-crypto stream data.
   bool HasUnackedStreamData() const {
-    DCHECK(session_decides_what_to_write());
     return session_notifier_->HasUnackedStreamData();
   }
 
@@ -210,37 +203,19 @@ class QUIC_EXPORT_PRIVATE QuicUnackedPacketMap {
   QuicPacketNumber GetLargestSentPacketOfPacketNumberSpace(
       EncryptionLevel encryption_level) const;
 
-  // Called to start/stop letting session decide what to write.
-  void SetSessionDecideWhatToWrite(bool session_decides_what_to_write);
-
   void SetSessionNotifier(SessionNotifierInterface* session_notifier);
 
   void EnableMultiplePacketNumberSpacesSupport();
 
-  bool session_decides_what_to_write() const {
-    return session_decides_what_to_write_;
-  }
-
   Perspective perspective() const { return perspective_; }
 
   bool supports_multiple_packet_number_spaces() const {
     return supports_multiple_packet_number_spaces_;
   }
 
-  bool simple_inflight_time() const { return simple_inflight_time_; }
-
  private:
   friend class test::QuicUnackedPacketMapPeer;
 
-  // Called when a packet is retransmitted with a new packet number.
-  // |old_packet_number| will remain unacked, but will have no
-  // retransmittable data associated with it. Retransmittable frames will be
-  // transferred to |info| and all_transmissions will be populated.
-  void TransferRetransmissionInfo(QuicPacketNumber old_packet_number,
-                                  QuicPacketNumber new_packet_number,
-                                  TransmissionType transmission_type,
-                                  QuicTransmissionInfo* info);
-
   // Returns true if packet may be useful for an RTT measurement.
   bool IsPacketUsefulForMeasuringRtt(QuicPacketNumber packet_number,
                                      const QuicTransmissionInfo& info) const;
@@ -287,8 +262,7 @@ class QUIC_EXPORT_PRIVATE QuicUnackedPacketMap {
   QuicPacketNumber least_unacked_;
 
   QuicByteCount bytes_in_flight_;
-  // Number of retransmittable crypto handshake packets.
-  size_t pending_crypto_packet_count_;
+  QuicPacketCount packets_in_flight_;
 
   // Time that the last inflight packet was sent.
   QuicTime last_inflight_packet_sent_time_;
@@ -303,9 +277,6 @@ class QUIC_EXPORT_PRIVATE QuicUnackedPacketMap {
   // Receives notifications of frames being retransmitted or acknowledged.
   SessionNotifierInterface* session_notifier_;
 
-  // If true, let session decides what to write.
-  bool session_decides_what_to_write_;
-
   // If true, supports multiple packet number spaces.
   bool supports_multiple_packet_number_spaces_;
 
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_unacked_packet_map_test.cc b/chromium/net/third_party/quiche/src/quic/core/quic_unacked_packet_map_test.cc
index ad096396468..92e61e3bb02 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_unacked_packet_map_test.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_unacked_packet_map_test.cc
@@ -24,43 +24,12 @@ namespace {
 // Default packet length.
 const uint32_t kDefaultLength = 1000;
 
-struct TestParams {
-  TestParams(Perspective perspective, bool session_decides_what_to_write)
-      : perspective(perspective),
-        session_decides_what_to_write(session_decides_what_to_write) {}
-
-  Perspective perspective;
-  bool session_decides_what_to_write;
-};
-
-// Used by ::testing::PrintToStringParamName().
-std::string PrintToString(const TestParams& p) {
-  return QuicStrCat(
-      (p.perspective == Perspective::IS_CLIENT ? "Client" : "Server"),
-      "_Session",
-      (p.session_decides_what_to_write ? "Decides" : "DoesNotDecide"),
-      "WhatToWrite");
-}
-
-std::vector<TestParams> GetTestParams() {
-  std::vector<TestParams> params;
-  for (Perspective perspective :
-       {Perspective::IS_CLIENT, Perspective::IS_SERVER}) {
-    for (bool session_decides_what_to_write : {true, false}) {
-      params.push_back(TestParams(perspective, session_decides_what_to_write));
-    }
-  }
-  return params;
-}
-
-class QuicUnackedPacketMapTest : public QuicTestWithParam<TestParams> {
+class QuicUnackedPacketMapTest : public QuicTestWithParam<Perspective> {
  protected:
   QuicUnackedPacketMapTest()
-      : unacked_packets_(GetParam().perspective),
+      : unacked_packets_(GetParam()),
         now_(QuicTime::Zero() + QuicTime::Delta::FromMilliseconds(1000)) {
     unacked_packets_.SetSessionNotifier(&notifier_);
-    unacked_packets_.SetSessionDecideWhatToWrite(
-        GetParam().session_decides_what_to_write);
     EXPECT_CALL(notifier_, IsFrameOutstanding(_)).WillRepeatedly(Return(true));
     EXPECT_CALL(notifier_, OnStreamFrameRetransmitted(_))
         .Times(testing::AnyNumber());
@@ -167,14 +136,6 @@ class QuicUnackedPacketMapTest : public QuicTestWithParam<TestParams> {
                                TransmissionType transmission_type) {
     DCHECK(unacked_packets_.HasRetransmittableFrames(
         QuicPacketNumber(old_packet_number)));
-    if (!unacked_packets_.session_decides_what_to_write()) {
-      SerializedPacket packet(
-          CreateNonRetransmittablePacket(new_packet_number));
-      unacked_packets_.AddSentPacket(&packet,
-                                     QuicPacketNumber(old_packet_number),
-                                     transmission_type, now_, true);
-      return;
-    }
     QuicTransmissionInfo* info = unacked_packets_.GetMutableTransmissionInfo(
         QuicPacketNumber(old_packet_number));
     QuicStreamId stream_id = QuicUtils::GetFirstBidirectionalStreamId(
@@ -192,8 +153,7 @@ class QuicUnackedPacketMapTest : public QuicTestWithParam<TestParams> {
     info->retransmission = QuicPacketNumber(new_packet_number);
     SerializedPacket packet(
         CreateRetransmittablePacketForStream(new_packet_number, stream_id));
-    unacked_packets_.AddSentPacket(&packet, QuicPacketNumber(),
-                                   transmission_type, now_, true);
+    unacked_packets_.AddSentPacket(&packet, transmission_type, now_, true);
   }
   QuicUnackedPacketMap unacked_packets_;
   QuicTime now_;
@@ -202,14 +162,14 @@ class QuicUnackedPacketMapTest : public QuicTestWithParam<TestParams> {
 
 INSTANTIATE_TEST_SUITE_P(Tests,
                          QuicUnackedPacketMapTest,
-                         ::testing::ValuesIn(GetTestParams()),
+                         ::testing::ValuesIn({Perspective::IS_CLIENT,
+                                              Perspective::IS_SERVER}),
                          ::testing::PrintToStringParamName());
 
 TEST_P(QuicUnackedPacketMapTest, RttOnly) {
   // Acks are only tracked for RTT measurement purposes.
   SerializedPacket packet(CreateNonRetransmittablePacket(1));
-  unacked_packets_.AddSentPacket(&packet, QuicPacketNumber(),
-                                 NOT_RETRANSMISSION, now_, false);
+  unacked_packets_.AddSentPacket(&packet, NOT_RETRANSMISSION, now_, false);
 
   uint64_t unacked[] = {1};
   VerifyUnackedPackets(unacked, QUIC_ARRAYSIZE(unacked));
@@ -225,8 +185,7 @@ TEST_P(QuicUnackedPacketMapTest, RttOnly) {
 TEST_P(QuicUnackedPacketMapTest, RetransmittableInflightAndRtt) {
   // Simulate a retransmittable packet being sent and acked.
   SerializedPacket packet(CreateRetransmittablePacket(1));
-  unacked_packets_.AddSentPacket(&packet, QuicPacketNumber(),
-                                 NOT_RETRANSMISSION, now_, true);
+  unacked_packets_.AddSentPacket(&packet, NOT_RETRANSMISSION, now_, true);
 
   uint64_t unacked[] = {1};
   VerifyUnackedPackets(unacked, QUIC_ARRAYSIZE(unacked));
@@ -252,8 +211,7 @@ TEST_P(QuicUnackedPacketMapTest, RetransmittableInflightAndRtt) {
 TEST_P(QuicUnackedPacketMapTest, StopRetransmission) {
   const QuicStreamId stream_id = 2;
   SerializedPacket packet(CreateRetransmittablePacketForStream(1, stream_id));
-  unacked_packets_.AddSentPacket(&packet, QuicPacketNumber(),
-                                 NOT_RETRANSMISSION, now_, true);
+  unacked_packets_.AddSentPacket(&packet, NOT_RETRANSMISSION, now_, true);
 
   uint64_t unacked[] = {1};
   VerifyUnackedPackets(unacked, QUIC_ARRAYSIZE(unacked));
@@ -262,11 +220,7 @@ TEST_P(QuicUnackedPacketMapTest, StopRetransmission) {
   VerifyRetransmittablePackets(retransmittable,
                                QUIC_ARRAYSIZE(retransmittable));
 
-  if (unacked_packets_.session_decides_what_to_write()) {
-    EXPECT_CALL(notifier_, IsFrameOutstanding(_)).WillRepeatedly(Return(false));
-  } else {
-    unacked_packets_.CancelRetransmissionsForStream(stream_id);
-  }
+  EXPECT_CALL(notifier_, IsFrameOutstanding(_)).WillRepeatedly(Return(false));
   VerifyUnackedPackets(unacked, QUIC_ARRAYSIZE(unacked));
   VerifyInFlightPackets(unacked, QUIC_ARRAYSIZE(unacked));
   VerifyRetransmittablePackets(nullptr, 0);
@@ -275,8 +229,7 @@ TEST_P(QuicUnackedPacketMapTest, StopRetransmission) {
 TEST_P(QuicUnackedPacketMapTest, StopRetransmissionOnOtherStream) {
   const QuicStreamId stream_id = 2;
   SerializedPacket packet(CreateRetransmittablePacketForStream(1, stream_id));
-  unacked_packets_.AddSentPacket(&packet, QuicPacketNumber(),
-                                 NOT_RETRANSMISSION, now_, true);
+  unacked_packets_.AddSentPacket(&packet, NOT_RETRANSMISSION, now_, true);
 
   uint64_t unacked[] = {1};
   VerifyUnackedPackets(unacked, QUIC_ARRAYSIZE(unacked));
@@ -285,10 +238,6 @@ TEST_P(QuicUnackedPacketMapTest, StopRetransmissionOnOtherStream) {
   VerifyRetransmittablePackets(retransmittable,
                                QUIC_ARRAYSIZE(retransmittable));
 
-  // Stop retransmissions on another stream and verify the packet is unchanged.
-  if (!unacked_packets_.session_decides_what_to_write()) {
-    unacked_packets_.CancelRetransmissionsForStream(stream_id + 2);
-  }
   VerifyUnackedPackets(unacked, QUIC_ARRAYSIZE(unacked));
   VerifyInFlightPackets(unacked, QUIC_ARRAYSIZE(unacked));
   VerifyRetransmittablePackets(retransmittable,
@@ -298,26 +247,16 @@ TEST_P(QuicUnackedPacketMapTest, StopRetransmissionOnOtherStream) {
 TEST_P(QuicUnackedPacketMapTest, StopRetransmissionAfterRetransmission) {
   const QuicStreamId stream_id = 2;
   SerializedPacket packet1(CreateRetransmittablePacketForStream(1, stream_id));
-  unacked_packets_.AddSentPacket(&packet1, QuicPacketNumber(),
-                                 NOT_RETRANSMISSION, now_, true);
+  unacked_packets_.AddSentPacket(&packet1, NOT_RETRANSMISSION, now_, true);
   RetransmitAndSendPacket(1, 2, LOSS_RETRANSMISSION);
 
   uint64_t unacked[] = {1, 2};
   VerifyUnackedPackets(unacked, QUIC_ARRAYSIZE(unacked));
   VerifyInFlightPackets(unacked, QUIC_ARRAYSIZE(unacked));
-  std::vector<uint64_t> retransmittable;
-  if (unacked_packets_.session_decides_what_to_write()) {
-    retransmittable = {1, 2};
-  } else {
-    retransmittable = {2};
-  }
+  std::vector<uint64_t> retransmittable = {1, 2};
   VerifyRetransmittablePackets(&retransmittable[0], retransmittable.size());
 
-  if (unacked_packets_.session_decides_what_to_write()) {
-    EXPECT_CALL(notifier_, IsFrameOutstanding(_)).WillRepeatedly(Return(false));
-  } else {
-    unacked_packets_.CancelRetransmissionsForStream(stream_id);
-  }
+  EXPECT_CALL(notifier_, IsFrameOutstanding(_)).WillRepeatedly(Return(false));
   VerifyUnackedPackets(unacked, QUIC_ARRAYSIZE(unacked));
   VerifyInFlightPackets(unacked, QUIC_ARRAYSIZE(unacked));
   VerifyRetransmittablePackets(nullptr, 0);
@@ -327,19 +266,13 @@ TEST_P(QuicUnackedPacketMapTest, RetransmittedPacket) {
   // Simulate a retransmittable packet being sent, retransmitted, and the first
   // transmission being acked.
   SerializedPacket packet1(CreateRetransmittablePacket(1));
-  unacked_packets_.AddSentPacket(&packet1, QuicPacketNumber(),
-                                 NOT_RETRANSMISSION, now_, true);
+  unacked_packets_.AddSentPacket(&packet1, NOT_RETRANSMISSION, now_, true);
   RetransmitAndSendPacket(1, 2, LOSS_RETRANSMISSION);
 
   uint64_t unacked[] = {1, 2};
   VerifyUnackedPackets(unacked, QUIC_ARRAYSIZE(unacked));
   VerifyInFlightPackets(unacked, QUIC_ARRAYSIZE(unacked));
-  std::vector<uint64_t> retransmittable;
-  if (unacked_packets_.session_decides_what_to_write()) {
-    retransmittable = {1, 2};
-  } else {
-    retransmittable = {2};
-  }
+  std::vector<uint64_t> retransmittable = {1, 2};
   VerifyRetransmittablePackets(&retransmittable[0], retransmittable.size());
 
   EXPECT_CALL(notifier_, IsFrameOutstanding(_)).WillRepeatedly(Return(false));
@@ -368,11 +301,9 @@ TEST_P(QuicUnackedPacketMapTest, RetransmittedPacket) {
 TEST_P(QuicUnackedPacketMapTest, RetransmitThreeTimes) {
   // Simulate a retransmittable packet being sent and retransmitted twice.
   SerializedPacket packet1(CreateRetransmittablePacket(1));
-  unacked_packets_.AddSentPacket(&packet1, QuicPacketNumber(),
-                                 NOT_RETRANSMISSION, now_, true);
+  unacked_packets_.AddSentPacket(&packet1, NOT_RETRANSMISSION, now_, true);
   SerializedPacket packet2(CreateRetransmittablePacket(2));
-  unacked_packets_.AddSentPacket(&packet2, QuicPacketNumber(),
-                                 NOT_RETRANSMISSION, now_, true);
+  unacked_packets_.AddSentPacket(&packet2, NOT_RETRANSMISSION, now_, true);
 
   uint64_t unacked[] = {1, 2};
   VerifyUnackedPackets(unacked, QUIC_ARRAYSIZE(unacked));
@@ -388,19 +319,13 @@ TEST_P(QuicUnackedPacketMapTest, RetransmitThreeTimes) {
   unacked_packets_.RemoveFromInFlight(QuicPacketNumber(1));
   RetransmitAndSendPacket(1, 3, LOSS_RETRANSMISSION);
   SerializedPacket packet4(CreateRetransmittablePacket(4));
-  unacked_packets_.AddSentPacket(&packet4, QuicPacketNumber(),
-                                 NOT_RETRANSMISSION, now_, true);
+  unacked_packets_.AddSentPacket(&packet4, NOT_RETRANSMISSION, now_, true);
 
   uint64_t unacked2[] = {1, 3, 4};
   VerifyUnackedPackets(unacked2, QUIC_ARRAYSIZE(unacked2));
   uint64_t pending2[] = {3, 4};
   VerifyInFlightPackets(pending2, QUIC_ARRAYSIZE(pending2));
-  std::vector<uint64_t> retransmittable2;
-  if (unacked_packets_.session_decides_what_to_write()) {
-    retransmittable2 = {1, 3, 4};
-  } else {
-    retransmittable2 = {3, 4};
-  }
+  std::vector<uint64_t> retransmittable2 = {1, 3, 4};
   VerifyRetransmittablePackets(&retransmittable2[0], retransmittable2.size());
 
   // Early retransmit 3 (formerly 1) as 5, and remove 1 from unacked.
@@ -409,18 +334,10 @@ TEST_P(QuicUnackedPacketMapTest, RetransmitThreeTimes) {
   unacked_packets_.RemoveRetransmittability(QuicPacketNumber(4));
   RetransmitAndSendPacket(3, 5, LOSS_RETRANSMISSION);
   SerializedPacket packet6(CreateRetransmittablePacket(6));
-  unacked_packets_.AddSentPacket(&packet6, QuicPacketNumber(),
-                                 NOT_RETRANSMISSION, now_, true);
-
-  std::vector<uint64_t> unacked3;
-  std::vector<uint64_t> retransmittable3;
-  if (unacked_packets_.session_decides_what_to_write()) {
-    unacked3 = {3, 5, 6};
-    retransmittable3 = {3, 5, 6};
-  } else {
-    unacked3 = {3, 5, 6};
-    retransmittable3 = {5, 6};
-  }
+  unacked_packets_.AddSentPacket(&packet6, NOT_RETRANSMISSION, now_, true);
+
+  std::vector<uint64_t> unacked3 = {3, 5, 6};
+  std::vector<uint64_t> retransmittable3 = {3, 5, 6};
   VerifyUnackedPackets(&unacked3[0], unacked3.size());
   VerifyRetransmittablePackets(&retransmittable3[0], retransmittable3.size());
   uint64_t pending3[] = {3, 5, 6};
@@ -432,15 +349,8 @@ TEST_P(QuicUnackedPacketMapTest, RetransmitThreeTimes) {
   unacked_packets_.RemoveRetransmittability(QuicPacketNumber(6));
   RetransmitAndSendPacket(5, 7, LOSS_RETRANSMISSION);
 
-  std::vector<uint64_t> unacked4;
-  std::vector<uint64_t> retransmittable4;
-  if (unacked_packets_.session_decides_what_to_write()) {
-    unacked4 = {3, 5, 7};
-    retransmittable4 = {3, 5, 7};
-  } else {
-    unacked4 = {3, 5, 7};
-    retransmittable4 = {7};
-  }
+  std::vector<uint64_t> unacked4 = {3, 5, 7};
+  std::vector<uint64_t> retransmittable4 = {3, 5, 7};
   VerifyUnackedPackets(&unacked4[0], unacked4.size());
   VerifyRetransmittablePackets(&retransmittable4[0], retransmittable4.size());
   uint64_t pending4[] = {3, 5, 7};
@@ -456,11 +366,9 @@ TEST_P(QuicUnackedPacketMapTest, RetransmitThreeTimes) {
 TEST_P(QuicUnackedPacketMapTest, RetransmitFourTimes) {
   // Simulate a retransmittable packet being sent and retransmitted twice.
   SerializedPacket packet1(CreateRetransmittablePacket(1));
-  unacked_packets_.AddSentPacket(&packet1, QuicPacketNumber(),
-                                 NOT_RETRANSMISSION, now_, true);
+  unacked_packets_.AddSentPacket(&packet1, NOT_RETRANSMISSION, now_, true);
   SerializedPacket packet2(CreateRetransmittablePacket(2));
-  unacked_packets_.AddSentPacket(&packet2, QuicPacketNumber(),
-                                 NOT_RETRANSMISSION, now_, true);
+  unacked_packets_.AddSentPacket(&packet2, NOT_RETRANSMISSION, now_, true);
 
   uint64_t unacked[] = {1, 2};
   VerifyUnackedPackets(unacked, QUIC_ARRAYSIZE(unacked));
@@ -480,30 +388,19 @@ TEST_P(QuicUnackedPacketMapTest, RetransmitFourTimes) {
   VerifyUnackedPackets(unacked2, QUIC_ARRAYSIZE(unacked2));
   uint64_t pending2[] = {3};
   VerifyInFlightPackets(pending2, QUIC_ARRAYSIZE(pending2));
-  std::vector<uint64_t> retransmittable2;
-  if (unacked_packets_.session_decides_what_to_write()) {
-    retransmittable2 = {1, 3};
-  } else {
-    retransmittable2 = {3};
-  }
+  std::vector<uint64_t> retransmittable2 = {1, 3};
   VerifyRetransmittablePackets(&retransmittable2[0], retransmittable2.size());
 
   // TLP 3 (formerly 1) as 4, and don't remove 1 from unacked.
   RetransmitAndSendPacket(3, 4, TLP_RETRANSMISSION);
   SerializedPacket packet5(CreateRetransmittablePacket(5));
-  unacked_packets_.AddSentPacket(&packet5, QuicPacketNumber(),
-                                 NOT_RETRANSMISSION, now_, true);
+  unacked_packets_.AddSentPacket(&packet5, NOT_RETRANSMISSION, now_, true);
 
   uint64_t unacked3[] = {1, 3, 4, 5};
   VerifyUnackedPackets(unacked3, QUIC_ARRAYSIZE(unacked3));
   uint64_t pending3[] = {3, 4, 5};
   VerifyInFlightPackets(pending3, QUIC_ARRAYSIZE(pending3));
-  std::vector<uint64_t> retransmittable3;
-  if (unacked_packets_.session_decides_what_to_write()) {
-    retransmittable3 = {1, 3, 4, 5};
-  } else {
-    retransmittable3 = {4, 5};
-  }
+  std::vector<uint64_t> retransmittable3 = {1, 3, 4, 5};
   VerifyRetransmittablePackets(&retransmittable3[0], retransmittable3.size());
 
   // Early retransmit 4 as 6 and ensure in flight packet 3 is removed.
@@ -514,21 +411,11 @@ TEST_P(QuicUnackedPacketMapTest, RetransmitFourTimes) {
   unacked_packets_.RemoveFromInFlight(QuicPacketNumber(4));
   RetransmitAndSendPacket(4, 6, LOSS_RETRANSMISSION);
 
-  std::vector<uint64_t> unacked4;
-  if (unacked_packets_.session_decides_what_to_write()) {
-    unacked4 = {4, 6};
-  } else {
-    unacked4 = {4, 6};
-  }
+  std::vector<uint64_t> unacked4 = {4, 6};
   VerifyUnackedPackets(&unacked4[0], unacked4.size());
   uint64_t pending4[] = {6};
   VerifyInFlightPackets(pending4, QUIC_ARRAYSIZE(pending4));
-  std::vector<uint64_t> retransmittable4;
-  if (unacked_packets_.session_decides_what_to_write()) {
-    retransmittable4 = {4, 6};
-  } else {
-    retransmittable4 = {6};
-  }
+  std::vector<uint64_t> retransmittable4 = {4, 6};
   VerifyRetransmittablePackets(&retransmittable4[0], retransmittable4.size());
 }
 
@@ -536,11 +423,9 @@ TEST_P(QuicUnackedPacketMapTest, SendWithGap) {
   // Simulate a retransmittable packet being sent, retransmitted, and the first
   // transmission being acked.
   SerializedPacket packet1(CreateRetransmittablePacket(1));
-  unacked_packets_.AddSentPacket(&packet1, QuicPacketNumber(),
-                                 NOT_RETRANSMISSION, now_, true);
+  unacked_packets_.AddSentPacket(&packet1, NOT_RETRANSMISSION, now_, true);
   SerializedPacket packet3(CreateRetransmittablePacket(3));
-  unacked_packets_.AddSentPacket(&packet3, QuicPacketNumber(),
-                                 NOT_RETRANSMISSION, now_, true);
+  unacked_packets_.AddSentPacket(&packet3, NOT_RETRANSMISSION, now_, true);
   RetransmitAndSendPacket(3, 5, LOSS_RETRANSMISSION);
 
   EXPECT_EQ(QuicPacketNumber(1u), unacked_packets_.GetLeastUnacked());
@@ -685,8 +570,7 @@ TEST_P(QuicUnackedPacketMapTest, LargestSentPacketMultiplePacketNumberSpaces) {
   // Send packet 1.
   SerializedPacket packet1(CreateRetransmittablePacket(1));
   packet1.encryption_level = ENCRYPTION_INITIAL;
-  unacked_packets_.AddSentPacket(&packet1, QuicPacketNumber(),
-                                 NOT_RETRANSMISSION, now_, true);
+  unacked_packets_.AddSentPacket(&packet1, NOT_RETRANSMISSION, now_, true);
   EXPECT_EQ(QuicPacketNumber(1u), unacked_packets_.largest_sent_packet());
   EXPECT_EQ(QuicPacketNumber(1),
             unacked_packets_.GetLargestSentPacketOfPacketNumberSpace(
@@ -698,8 +582,7 @@ TEST_P(QuicUnackedPacketMapTest, LargestSentPacketMultiplePacketNumberSpaces) {
   // Send packet 2.
   SerializedPacket packet2(CreateRetransmittablePacket(2));
   packet2.encryption_level = ENCRYPTION_HANDSHAKE;
-  unacked_packets_.AddSentPacket(&packet2, QuicPacketNumber(),
-                                 NOT_RETRANSMISSION, now_, true);
+  unacked_packets_.AddSentPacket(&packet2, NOT_RETRANSMISSION, now_, true);
   EXPECT_EQ(QuicPacketNumber(2u), unacked_packets_.largest_sent_packet());
   EXPECT_EQ(QuicPacketNumber(1),
             unacked_packets_.GetLargestSentPacketOfPacketNumberSpace(
@@ -713,8 +596,7 @@ TEST_P(QuicUnackedPacketMapTest, LargestSentPacketMultiplePacketNumberSpaces) {
   // Send packet 3.
   SerializedPacket packet3(CreateRetransmittablePacket(3));
   packet3.encryption_level = ENCRYPTION_ZERO_RTT;
-  unacked_packets_.AddSentPacket(&packet3, QuicPacketNumber(),
-                                 NOT_RETRANSMISSION, now_, true);
+  unacked_packets_.AddSentPacket(&packet3, NOT_RETRANSMISSION, now_, true);
   EXPECT_EQ(QuicPacketNumber(3u), unacked_packets_.largest_sent_packet());
   EXPECT_EQ(QuicPacketNumber(1),
             unacked_packets_.GetLargestSentPacketOfPacketNumberSpace(
@@ -734,8 +616,7 @@ TEST_P(QuicUnackedPacketMapTest, LargestSentPacketMultiplePacketNumberSpaces) {
   // Send packet 4.
   SerializedPacket packet4(CreateRetransmittablePacket(4));
   packet4.encryption_level = ENCRYPTION_FORWARD_SECURE;
-  unacked_packets_.AddSentPacket(&packet4, QuicPacketNumber(),
-                                 NOT_RETRANSMISSION, now_, true);
+  unacked_packets_.AddSentPacket(&packet4, NOT_RETRANSMISSION, now_, true);
   EXPECT_EQ(QuicPacketNumber(4u), unacked_packets_.largest_sent_packet());
   EXPECT_EQ(QuicPacketNumber(1),
             unacked_packets_.GetLargestSentPacketOfPacketNumberSpace(
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_utils.cc b/chromium/net/third_party/quiche/src/quic/core/quic_utils.cc
index 33f7de16c18..a69efcdf822 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_utils.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_utils.cc
@@ -15,11 +15,11 @@
 #include "net/third_party/quiche/src/quic/platform/api/quic_aligned.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_arraysize.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_bug_tracker.h"
-#include "net/third_party/quiche/src/quic/platform/api/quic_endian.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_flag_utils.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_flags.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_prefetch.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_uint128.h"
+#include "net/third_party/quiche/src/common/platform/api/quiche_endian.h"
 
 namespace quic {
 namespace {
@@ -161,10 +161,12 @@ const char* QuicUtils::SentPacketStateToString(SentPacketState state) {
     RETURN_STRING_LITERAL(NEVER_SENT);
     RETURN_STRING_LITERAL(ACKED);
     RETURN_STRING_LITERAL(UNACKABLE);
+    RETURN_STRING_LITERAL(NEUTERED);
     RETURN_STRING_LITERAL(HANDSHAKE_RETRANSMITTED);
     RETURN_STRING_LITERAL(LOST);
     RETURN_STRING_LITERAL(TLP_RETRANSMITTED);
     RETURN_STRING_LITERAL(RTO_RETRANSMITTED);
+    RETURN_STRING_LITERAL(PTO_RETRANSMITTED);
     RETURN_STRING_LITERAL(PROBE_RETRANSMITTED);
   }
   return "INVALID_SENT_PACKET_STATE";
@@ -329,6 +331,8 @@ SentPacketState QuicUtils::RetransmissionTypeToPacketState(
       return TLP_RETRANSMITTED;
     case RTO_RETRANSMISSION:
       return RTO_RETRANSMITTED;
+    case PTO_RETRANSMISSION:
+      return PTO_RETRANSMITTED;
     case PROBING_RETRANSMISSION:
       return PROBE_RETRANSMITTED;
     default:
@@ -514,7 +518,7 @@ bool QuicUtils::VariableLengthConnectionIdAllowedForVersion(
   // We allow variable length connection IDs for unsupported versions to
   // ensure that IETF version negotiation works when other implementations
   // trigger version negotiation with custom connection ID lengths.
-  return version >= QUIC_VERSION_47 || version == QUIC_VERSION_UNSUPPORTED;
+  return version > QUIC_VERSION_46 || version == QUIC_VERSION_UNSUPPORTED;
 }
 
 // static
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_utils_test.cc b/chromium/net/third_party/quiche/src/quic/core/quic_utils_test.cc
index 62cfbd0cc99..362c766b7de 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_utils_test.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_utils_test.cc
@@ -131,6 +131,8 @@ TEST_F(QuicUtilsTest, RetransmissionTypeToPacketState) {
       EXPECT_EQ(TLP_RETRANSMITTED, state);
     } else if (i == RTO_RETRANSMISSION) {
       EXPECT_EQ(RTO_RETRANSMITTED, state);
+    } else if (i == PTO_RETRANSMISSION) {
+      EXPECT_EQ(PTO_RETRANSMITTED, state);
     } else if (i == PROBING_RETRANSMISSION) {
       EXPECT_EQ(PROBE_RETRANSMITTED, state);
     } else {
@@ -244,17 +246,17 @@ TEST_F(QuicUtilsTest, RandomConnectionIdVariableLength) {
 
 TEST_F(QuicUtilsTest, VariableLengthConnectionId) {
   EXPECT_FALSE(
-      QuicUtils::VariableLengthConnectionIdAllowedForVersion(QUIC_VERSION_39));
+      QuicUtils::VariableLengthConnectionIdAllowedForVersion(QUIC_VERSION_43));
   EXPECT_TRUE(QuicUtils::IsConnectionIdValidForVersion(
-      QuicUtils::CreateZeroConnectionId(QUIC_VERSION_39), QUIC_VERSION_39));
+      QuicUtils::CreateZeroConnectionId(QUIC_VERSION_43), QUIC_VERSION_43));
   EXPECT_TRUE(QuicUtils::IsConnectionIdValidForVersion(
       QuicUtils::CreateZeroConnectionId(QUIC_VERSION_99), QUIC_VERSION_99));
-  EXPECT_NE(QuicUtils::CreateZeroConnectionId(QUIC_VERSION_39),
+  EXPECT_NE(QuicUtils::CreateZeroConnectionId(QUIC_VERSION_43),
             EmptyQuicConnectionId());
   EXPECT_EQ(QuicUtils::CreateZeroConnectionId(QUIC_VERSION_99),
             EmptyQuicConnectionId());
   EXPECT_FALSE(QuicUtils::IsConnectionIdValidForVersion(EmptyQuicConnectionId(),
-                                                        QUIC_VERSION_39));
+                                                        QUIC_VERSION_43));
 }
 
 TEST_F(QuicUtilsTest, StatelessResetToken) {
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_version_manager.cc b/chromium/net/third_party/quiche/src/quic/core/quic_version_manager.cc
index 5f14ad4e80a..476bbc7fad3 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_version_manager.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_version_manager.cc
@@ -17,13 +17,9 @@ QuicVersionManager::QuicVersionManager(
     ParsedQuicVersionVector supported_versions)
     : enable_version_99_(GetQuicReloadableFlag(quic_enable_version_99)),
       enable_version_50_(GetQuicReloadableFlag(quic_enable_version_50)),
-      enable_version_49_(GetQuicReloadableFlag(quic_enable_version_49)),
-      enable_version_48_(GetQuicReloadableFlag(quic_enable_version_48_2)),
-      enable_version_47_(GetQuicReloadableFlag(quic_enable_version_47)),
-      disable_version_39_(GetQuicReloadableFlag(quic_disable_version_39)),
       enable_tls_(GetQuicReloadableFlag(quic_supports_tls_handshake)),
       allowed_supported_versions_(std::move(supported_versions)) {
-  static_assert(QUIC_ARRAYSIZE(kSupportedTransportVersions) == 8u,
+  static_assert(QUIC_ARRAYSIZE(kSupportedTransportVersions) == 6u,
                 "Supported versions out of sync");
   RefilterSupportedVersions();
 }
@@ -42,21 +38,13 @@ const ParsedQuicVersionVector& QuicVersionManager::GetSupportedVersions() {
 }
 
 void QuicVersionManager::MaybeRefilterSupportedVersions() {
-  static_assert(QUIC_ARRAYSIZE(kSupportedTransportVersions) == 8u,
+  static_assert(QUIC_ARRAYSIZE(kSupportedTransportVersions) == 6u,
                 "Supported versions out of sync");
   if (enable_version_99_ != GetQuicReloadableFlag(quic_enable_version_99) ||
       enable_version_50_ != GetQuicReloadableFlag(quic_enable_version_50) ||
-      enable_version_49_ != GetQuicReloadableFlag(quic_enable_version_49) ||
-      enable_version_48_ != GetQuicReloadableFlag(quic_enable_version_48_2) ||
-      enable_version_47_ != GetQuicReloadableFlag(quic_enable_version_47) ||
-      disable_version_39_ != GetQuicReloadableFlag(quic_disable_version_39) ||
       enable_tls_ != GetQuicReloadableFlag(quic_supports_tls_handshake)) {
     enable_version_99_ = GetQuicReloadableFlag(quic_enable_version_99);
     enable_version_50_ = GetQuicReloadableFlag(quic_enable_version_50);
-    enable_version_49_ = GetQuicReloadableFlag(quic_enable_version_49);
-    enable_version_48_ = GetQuicReloadableFlag(quic_enable_version_48_2);
-    enable_version_47_ = GetQuicReloadableFlag(quic_enable_version_47);
-    disable_version_39_ = GetQuicReloadableFlag(quic_disable_version_39);
     enable_tls_ = GetQuicReloadableFlag(quic_supports_tls_handshake);
     RefilterSupportedVersions();
   }
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_version_manager.h b/chromium/net/third_party/quiche/src/quic/core/quic_version_manager.h
index 3b2ec854230..0851464b857 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_version_manager.h
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_version_manager.h
@@ -45,14 +45,6 @@ class QUIC_EXPORT_PRIVATE QuicVersionManager {
   bool enable_version_99_;
   // quic_enable_version_50 flag
   bool enable_version_50_;
-  // quic_enable_version_49 flag
-  bool enable_version_49_;
-  // quic_enable_version_48_2 flag
-  bool enable_version_48_;
-  // quic_enable_version_47 flag
-  bool enable_version_47_;
-  // quic_disable_version_39 flag
-  bool disable_version_39_;
   // quic_supports_tls_handshake flag
   bool enable_tls_;
 
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_version_manager_test.cc b/chromium/net/third_party/quiche/src/quic/core/quic_version_manager_test.cc
index 87494772887..48623a878f3 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_version_manager_test.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_version_manager_test.cc
@@ -16,64 +16,36 @@ namespace {
 class QuicVersionManagerTest : public QuicTest {};
 
 TEST_F(QuicVersionManagerTest, QuicVersionManager) {
-  static_assert(QUIC_ARRAYSIZE(kSupportedTransportVersions) == 8u,
+  static_assert(QUIC_ARRAYSIZE(kSupportedTransportVersions) == 6u,
                 "Supported versions out of sync");
   SetQuicReloadableFlag(quic_enable_version_99, false);
   SetQuicReloadableFlag(quic_enable_version_50, false);
-  SetQuicReloadableFlag(quic_enable_version_49, false);
-  SetQuicReloadableFlag(quic_enable_version_48_2, false);
-  SetQuicReloadableFlag(quic_enable_version_47, false);
-  SetQuicReloadableFlag(quic_disable_version_39, true);
   QuicVersionManager manager(AllSupportedVersions());
 
   EXPECT_EQ(FilterSupportedTransportVersions(AllSupportedTransportVersions()),
             manager.GetSupportedTransportVersions());
 
-  EXPECT_EQ(QuicTransportVersionVector({QUIC_VERSION_46, QUIC_VERSION_43}),
-            manager.GetSupportedTransportVersions());
-
-  SetQuicReloadableFlag(quic_disable_version_39, false);
-  EXPECT_EQ(QuicTransportVersionVector(
-                {QUIC_VERSION_46, QUIC_VERSION_43, QUIC_VERSION_39}),
-            manager.GetSupportedTransportVersions());
-
-  SetQuicReloadableFlag(quic_enable_version_47, true);
-  EXPECT_EQ(QuicTransportVersionVector({QUIC_VERSION_47, QUIC_VERSION_46,
-                                        QUIC_VERSION_43, QUIC_VERSION_39}),
-            manager.GetSupportedTransportVersions());
-
-  SetQuicReloadableFlag(quic_enable_version_48_2, true);
-  EXPECT_EQ(QuicTransportVersionVector({QUIC_VERSION_48, QUIC_VERSION_47,
-                                        QUIC_VERSION_46, QUIC_VERSION_43,
-                                        QUIC_VERSION_39}),
-            manager.GetSupportedTransportVersions());
-
-  SetQuicReloadableFlag(quic_enable_version_49, true);
   EXPECT_EQ(QuicTransportVersionVector({QUIC_VERSION_49, QUIC_VERSION_48,
-                                        QUIC_VERSION_47, QUIC_VERSION_46,
-                                        QUIC_VERSION_43, QUIC_VERSION_39}),
+                                        QUIC_VERSION_46, QUIC_VERSION_43}),
             manager.GetSupportedTransportVersions());
 
   SetQuicReloadableFlag(quic_enable_version_50, true);
-  EXPECT_EQ(
-      QuicTransportVersionVector(
-          {QUIC_VERSION_50, QUIC_VERSION_49, QUIC_VERSION_48, QUIC_VERSION_47,
-           QUIC_VERSION_46, QUIC_VERSION_43, QUIC_VERSION_39}),
-      manager.GetSupportedTransportVersions());
+  EXPECT_EQ(QuicTransportVersionVector({QUIC_VERSION_50, QUIC_VERSION_49,
+                                        QUIC_VERSION_48, QUIC_VERSION_46,
+                                        QUIC_VERSION_43}),
+            manager.GetSupportedTransportVersions());
 
   SetQuicReloadableFlag(quic_enable_version_99, true);
-  EXPECT_EQ(
-      QuicTransportVersionVector(
-          {QUIC_VERSION_99, QUIC_VERSION_50, QUIC_VERSION_49, QUIC_VERSION_48,
-           QUIC_VERSION_47, QUIC_VERSION_46, QUIC_VERSION_43, QUIC_VERSION_39}),
-      manager.GetSupportedTransportVersions());
+  EXPECT_EQ(QuicTransportVersionVector({QUIC_VERSION_99, QUIC_VERSION_50,
+                                        QUIC_VERSION_49, QUIC_VERSION_48,
+                                        QUIC_VERSION_46, QUIC_VERSION_43}),
+            manager.GetSupportedTransportVersions());
 
   SetQuicReloadableFlag(quic_enable_version_99, true);
-  EXPECT_EQ(
-      QuicTransportVersionVector(
-          {QUIC_VERSION_99, QUIC_VERSION_50, QUIC_VERSION_49, QUIC_VERSION_48,
-           QUIC_VERSION_47, QUIC_VERSION_46, QUIC_VERSION_43, QUIC_VERSION_39}),
-      manager.GetSupportedTransportVersions());
+  EXPECT_EQ(QuicTransportVersionVector({QUIC_VERSION_99, QUIC_VERSION_50,
+                                        QUIC_VERSION_49, QUIC_VERSION_48,
+                                        QUIC_VERSION_46, QUIC_VERSION_43}),
+            manager.GetSupportedTransportVersions());
 
   // Ensure that all versions are now supported.
   EXPECT_EQ(FilterSupportedTransportVersions(AllSupportedTransportVersions()),
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_versions.cc b/chromium/net/third_party/quiche/src/quic/core/quic_versions.cc
index 7aabc3d4b2f..abeb64e7f7f 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_versions.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_versions.cc
@@ -11,11 +11,11 @@
 #include "net/third_party/quiche/src/quic/core/quic_types.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_arraysize.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_bug_tracker.h"
-#include "net/third_party/quiche/src/quic/platform/api/quic_endian.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_flag_utils.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_flags.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_logging.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_text_utils.h"
+#include "net/third_party/quiche/src/common/platform/api/quiche_endian.h"
 
 namespace quic {
 namespace {
@@ -27,10 +27,6 @@ QuicVersionLabel MakeVersionLabel(char a, char b, char c, char d) {
 }
 
 QuicVersionLabel CreateRandomVersionLabelForNegotiation() {
-  if (!GetQuicReloadableFlag(quic_version_negotiation_grease)) {
-    return MakeVersionLabel(0xda, 0x5a, 0x3a, 0x3a);
-  }
-  QUIC_RELOADABLE_FLAG_COUNT_N(quic_version_negotiation_grease, 2, 2);
   QuicVersionLabel result;
   if (!GetQuicFlag(FLAGS_quic_disable_version_negotiation_grease_randomness)) {
     QuicRandom::GetInstance()->RandBytes(&result, sizeof(result));
@@ -44,13 +40,8 @@ QuicVersionLabel CreateRandomVersionLabelForNegotiation() {
 
 }  // namespace
 
-ParsedQuicVersion::ParsedQuicVersion(HandshakeProtocol handshake_protocol,
-                                     QuicTransportVersion transport_version)
-    : handshake_protocol(handshake_protocol),
-      transport_version(transport_version) {}
-
 bool ParsedQuicVersion::KnowsWhichDecrypterToUse() const {
-  return transport_version >= QUIC_VERSION_47 ||
+  return transport_version > QUIC_VERSION_46 ||
          handshake_protocol == PROTOCOL_TLS1_3;
 }
 
@@ -89,6 +80,11 @@ bool ParsedQuicVersion::SupportsAntiAmplificationLimit() const {
          handshake_protocol == PROTOCOL_TLS1_3;
 }
 
+bool ParsedQuicVersion::CanSendCoalescedPackets() const {
+  return QuicVersionHasLongHeaderLengths(transport_version) &&
+         handshake_protocol == PROTOCOL_TLS1_3;
+}
+
 bool VersionHasLengthPrefixedConnectionIds(
     QuicTransportVersion transport_version) {
   return transport_version > QUIC_VERSION_48;
@@ -113,17 +109,13 @@ QuicVersionLabel CreateQuicVersionLabel(ParsedQuicVersion parsed_version) {
                << parsed_version.handshake_protocol;
       return 0;
   }
-  static_assert(QUIC_ARRAYSIZE(kSupportedTransportVersions) == 8u,
+  static_assert(QUIC_ARRAYSIZE(kSupportedTransportVersions) == 6u,
                 "Supported versions out of sync");
   switch (parsed_version.transport_version) {
-    case QUIC_VERSION_39:
-      return MakeVersionLabel(proto, '0', '3', '9');
     case QUIC_VERSION_43:
       return MakeVersionLabel(proto, '0', '4', '3');
     case QUIC_VERSION_46:
       return MakeVersionLabel(proto, '0', '4', '6');
-    case QUIC_VERSION_47:
-      return MakeVersionLabel(proto, '0', '4', '7');
     case QUIC_VERSION_48:
       return MakeVersionLabel(proto, '0', '4', '8');
     case QUIC_VERSION_49:
@@ -274,22 +266,6 @@ ParsedQuicVersionVector FilterSupportedVersions(
       if (GetQuicReloadableFlag(quic_enable_version_50)) {
         filtered_versions.push_back(version);
       }
-    } else if (version.transport_version == QUIC_VERSION_49) {
-      if (GetQuicReloadableFlag(quic_enable_version_49)) {
-        filtered_versions.push_back(version);
-      }
-    } else if (version.transport_version == QUIC_VERSION_48) {
-      if (GetQuicReloadableFlag(quic_enable_version_48_2)) {
-        filtered_versions.push_back(version);
-      }
-    } else if (version.transport_version == QUIC_VERSION_47) {
-      if (GetQuicReloadableFlag(quic_enable_version_47)) {
-        filtered_versions.push_back(version);
-      }
-    } else if (version.transport_version == QUIC_VERSION_39) {
-      if (!GetQuicReloadableFlag(quic_disable_version_39)) {
-        filtered_versions.push_back(version);
-      }
     } else {
       filtered_versions.push_back(version);
     }
@@ -340,7 +316,7 @@ QuicVersionLabel QuicVersionToQuicVersionLabel(
 }
 
 std::string QuicVersionLabelToString(QuicVersionLabel version_label) {
-  return QuicTagToString(QuicEndian::HostToNet32(version_label));
+  return QuicTagToString(quiche::QuicheEndian::HostToNet32(version_label));
 }
 
 std::string QuicVersionLabelVectorToString(
@@ -377,13 +353,11 @@ HandshakeProtocol QuicVersionLabelToHandshakeProtocol(
     return #x
 
 std::string QuicVersionToString(QuicTransportVersion transport_version) {
-  static_assert(QUIC_ARRAYSIZE(kSupportedTransportVersions) == 8u,
+  static_assert(QUIC_ARRAYSIZE(kSupportedTransportVersions) == 6u,
                 "Supported versions out of sync");
   switch (transport_version) {
-    RETURN_STRING_LITERAL(QUIC_VERSION_39);
     RETURN_STRING_LITERAL(QUIC_VERSION_43);
     RETURN_STRING_LITERAL(QUIC_VERSION_46);
-    RETURN_STRING_LITERAL(QUIC_VERSION_47);
     RETURN_STRING_LITERAL(QUIC_VERSION_48);
     RETURN_STRING_LITERAL(QUIC_VERSION_49);
     RETURN_STRING_LITERAL(QUIC_VERSION_50);
@@ -430,6 +404,10 @@ std::string ParsedQuicVersionVectorToString(
   return result;
 }
 
+bool VersionSupportsGoogleAltSvcFormat(QuicTransportVersion transport_version) {
+  return transport_version <= QUIC_VERSION_46;
+}
+
 bool QuicVersionLabelUses4BitConnectionIdLength(
     QuicVersionLabel version_label) {
   // As we deprecate old versions, we still need the ability to send valid
@@ -478,14 +456,13 @@ std::string AlpnForVersion(ParsedQuicVersion parsed_version) {
 void QuicVersionInitializeSupportForIetfDraft() {
   // Enable necessary flags.
   SetQuicReloadableFlag(quic_supports_tls_handshake, true);
-  SetQuicReloadableFlag(quic_simplify_stop_waiting, true);
 }
 
 void QuicEnableVersion(ParsedQuicVersion parsed_version) {
   if (parsed_version.handshake_protocol == PROTOCOL_TLS1_3) {
     SetQuicReloadableFlag(quic_supports_tls_handshake, true);
   }
-  static_assert(QUIC_ARRAYSIZE(kSupportedTransportVersions) == 8u,
+  static_assert(QUIC_ARRAYSIZE(kSupportedTransportVersions) == 6u,
                 "Supported versions out of sync");
   if (parsed_version.transport_version == QUIC_VERSION_99) {
     SetQuicReloadableFlag(quic_enable_version_99, true);
@@ -493,15 +470,6 @@ void QuicEnableVersion(ParsedQuicVersion parsed_version) {
   if (parsed_version.transport_version == QUIC_VERSION_50) {
     SetQuicReloadableFlag(quic_enable_version_50, true);
   }
-  if (parsed_version.transport_version == QUIC_VERSION_49) {
-    SetQuicReloadableFlag(quic_enable_version_49, true);
-  }
-  if (parsed_version.transport_version == QUIC_VERSION_48) {
-    SetQuicReloadableFlag(quic_enable_version_48_2, true);
-  }
-  if (parsed_version.transport_version == QUIC_VERSION_47) {
-    SetQuicReloadableFlag(quic_enable_version_47, true);
-  }
 }
 
 #undef RETURN_STRING_LITERAL  // undef for jumbo builds
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_versions.h b/chromium/net/third_party/quiche/src/quic/core/quic_versions.h
index de5bbea167c..0a4022e2006 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_versions.h
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_versions.h
@@ -82,10 +82,9 @@ enum QuicTransportVersion {
   // Version 38 switched to IETF padding frame format and support for NSTP (no
   //            stop waiting frame) connection option.
 
-  QUIC_VERSION_39 = 39,  // Integers and floating numbers are written in big
-                         // endian. Dot not ack acks. Send a connection level
-                         // WINDOW_UPDATE every 20 sent packets which do not
-                         // contain retransmittable frames.
+  // Version 39 writes integers and floating numbers in big endian, stops acking
+  // acks, sends a connection level WINDOW_UPDATE every 20 sent packets which do
+  // not contain retransmittable frames.
 
   // Version 40 was an attempt to convert QUIC to IETF frame format; it was
   //            never shipped due to a bug.
@@ -103,7 +102,7 @@ enum QuicTransportVersion {
 
   QUIC_VERSION_46 = 46,  // Use IETF draft-17 header format with demultiplexing
                          // bit.
-  QUIC_VERSION_47 = 47,  // Allow variable-length QUIC connection IDs.
+  // Version 47 added variable-length QUIC server connection IDs.
   QUIC_VERSION_48 = 48,  // Use CRYPTO frames for the handshake.
   QUIC_VERSION_49 = 49,  // Client connection IDs, long header lengths, IETF
                          // header format from draft-ietf-quic-invariants-06.
@@ -120,7 +119,7 @@ enum QuicTransportVersion {
 };
 
 // IETF draft version most closely approximated by TLS + v99.
-static const int kQuicIetfDraftVersion = 23;
+static const int kQuicIetfDraftVersion = 24;
 
 // The crypto handshake protocols that can be used with QUIC.
 enum HandshakeProtocol {
@@ -135,10 +134,12 @@ struct QUIC_EXPORT_PRIVATE ParsedQuicVersion {
   HandshakeProtocol handshake_protocol;
   QuicTransportVersion transport_version;
 
-  ParsedQuicVersion(HandshakeProtocol handshake_protocol,
-                    QuicTransportVersion transport_version);
+  constexpr ParsedQuicVersion(HandshakeProtocol handshake_protocol,
+                              QuicTransportVersion transport_version)
+      : handshake_protocol(handshake_protocol),
+        transport_version(transport_version) {}
 
-  ParsedQuicVersion(const ParsedQuicVersion& other)
+  constexpr ParsedQuicVersion(const ParsedQuicVersion& other)
       : handshake_protocol(other.handshake_protocol),
         transport_version(other.transport_version) {}
 
@@ -192,6 +193,9 @@ struct QUIC_EXPORT_PRIVATE ParsedQuicVersion {
   // i.e., server will send no more than FLAGS_quic_anti_amplification_factor
   // times received bytes until address can be validated.
   bool SupportsAntiAmplificationLimit() const;
+
+  // Returns true if this version can send coalesced packets.
+  bool CanSendCoalescedPackets() const;
 };
 
 QUIC_EXPORT_PRIVATE ParsedQuicVersion UnsupportedQuicVersion();
@@ -215,8 +219,8 @@ using QuicVersionLabelVector = std::vector<QuicVersionLabel>;
 //
 // See go/new-quic-version for more details on how to roll out new versions.
 static const QuicTransportVersion kSupportedTransportVersions[] = {
-    QUIC_VERSION_99, QUIC_VERSION_50, QUIC_VERSION_49, QUIC_VERSION_48,
-    QUIC_VERSION_47, QUIC_VERSION_46, QUIC_VERSION_43, QUIC_VERSION_39,
+    QUIC_VERSION_99, QUIC_VERSION_50, QUIC_VERSION_49,
+    QUIC_VERSION_48, QUIC_VERSION_46, QUIC_VERSION_43,
 };
 
 // This vector contains all crypto handshake protocols that are supported.
@@ -416,6 +420,11 @@ QUIC_EXPORT_PRIVATE inline bool VersionHasIetfQuicFrames(
 QUIC_EXPORT_PRIVATE bool VersionHasLengthPrefixedConnectionIds(
     QuicTransportVersion transport_version);
 
+// Returns true if this version supports the old Google-style Alt-Svc
+// advertisement format.
+QUIC_EXPORT_PRIVATE bool VersionSupportsGoogleAltSvcFormat(
+    QuicTransportVersion transport_version);
+
 // Returns whether this version label supports long header 4-bit encoded
 // connection ID lengths as described in draft-ietf-quic-invariants-05 and
 // draft-ietf-quic-transport-21.
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_versions_test.cc b/chromium/net/third_party/quiche/src/quic/core/quic_versions_test.cc
index a631187c561..283113fe37f 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_versions_test.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_versions_test.cc
@@ -35,8 +35,8 @@ TEST_F(QuicVersionsTest, QuicVersionToQuicVersionLabel) {
   log.StartCapturingLogs();
 
   // Explicitly test a specific version.
-  EXPECT_EQ(MakeQuicTag('9', '3', '0', 'Q'),
-            QuicVersionToQuicVersionLabel(QUIC_VERSION_39));
+  EXPECT_EQ(MakeQuicTag('3', '4', '0', 'Q'),
+            QuicVersionToQuicVersionLabel(QUIC_VERSION_43));
 
   // Loop over all supported versions and make sure that we never hit the
   // default case (i.e. all supported versions should be successfully converted
@@ -63,8 +63,8 @@ TEST_F(QuicVersionsTest, QuicVersionLabelToQuicTransportVersion) {
   log.StartCapturingLogs();
 
   // Explicitly test specific versions.
-  EXPECT_EQ(QUIC_VERSION_39,
-            QuicVersionLabelToQuicVersion(MakeQuicTag('9', '3', '0', 'Q')));
+  EXPECT_EQ(QUIC_VERSION_43,
+            QuicVersionLabelToQuicVersion(MakeQuicTag('3', '4', '0', 'Q')));
 
   for (size_t i = 0; i < QUIC_ARRAYSIZE(kSupportedTransportVersions); ++i) {
     QuicTransportVersion version = kSupportedTransportVersions[i];
@@ -112,28 +112,20 @@ TEST_F(QuicVersionsTest, QuicVersionLabelToHandshakeProtocol) {
 }
 
 TEST_F(QuicVersionsTest, ParseQuicVersionLabel) {
-  EXPECT_EQ(ParsedQuicVersion(PROTOCOL_QUIC_CRYPTO, QUIC_VERSION_39),
-            ParseQuicVersionLabel(MakeVersionLabel('Q', '0', '3', '9')));
   EXPECT_EQ(ParsedQuicVersion(PROTOCOL_QUIC_CRYPTO, QUIC_VERSION_43),
             ParseQuicVersionLabel(MakeVersionLabel('Q', '0', '4', '3')));
   EXPECT_EQ(ParsedQuicVersion(PROTOCOL_QUIC_CRYPTO, QUIC_VERSION_46),
             ParseQuicVersionLabel(MakeVersionLabel('Q', '0', '4', '6')));
-  EXPECT_EQ(ParsedQuicVersion(PROTOCOL_QUIC_CRYPTO, QUIC_VERSION_47),
-            ParseQuicVersionLabel(MakeVersionLabel('Q', '0', '4', '7')));
   EXPECT_EQ(ParsedQuicVersion(PROTOCOL_QUIC_CRYPTO, QUIC_VERSION_48),
             ParseQuicVersionLabel(MakeVersionLabel('Q', '0', '4', '8')));
   EXPECT_EQ(ParsedQuicVersion(PROTOCOL_QUIC_CRYPTO, QUIC_VERSION_50),
             ParseQuicVersionLabel(MakeVersionLabel('Q', '0', '5', '0')));
 
   // Test TLS versions:
-  EXPECT_EQ(ParsedQuicVersion(PROTOCOL_TLS1_3, QUIC_VERSION_39),
-            ParseQuicVersionLabel(MakeVersionLabel('T', '0', '3', '9')));
   EXPECT_EQ(ParsedQuicVersion(PROTOCOL_TLS1_3, QUIC_VERSION_43),
             ParseQuicVersionLabel(MakeVersionLabel('T', '0', '4', '3')));
   EXPECT_EQ(ParsedQuicVersion(PROTOCOL_TLS1_3, QUIC_VERSION_46),
             ParseQuicVersionLabel(MakeVersionLabel('T', '0', '4', '6')));
-  EXPECT_EQ(ParsedQuicVersion(PROTOCOL_TLS1_3, QUIC_VERSION_47),
-            ParseQuicVersionLabel(MakeVersionLabel('T', '0', '4', '7')));
   EXPECT_EQ(ParsedQuicVersion(PROTOCOL_TLS1_3, QUIC_VERSION_48),
             ParseQuicVersionLabel(MakeVersionLabel('T', '0', '4', '8')));
   EXPECT_EQ(ParsedQuicVersion(PROTOCOL_TLS1_3, QUIC_VERSION_50),
@@ -141,33 +133,25 @@ TEST_F(QuicVersionsTest, ParseQuicVersionLabel) {
 }
 
 TEST_F(QuicVersionsTest, ParseQuicVersionString) {
-  EXPECT_EQ(ParsedQuicVersion(PROTOCOL_QUIC_CRYPTO, QUIC_VERSION_39),
-            ParseQuicVersionString("Q039"));
   EXPECT_EQ(ParsedQuicVersion(PROTOCOL_QUIC_CRYPTO, QUIC_VERSION_43),
             ParseQuicVersionString("Q043"));
   EXPECT_EQ(ParsedQuicVersion(PROTOCOL_QUIC_CRYPTO, QUIC_VERSION_46),
             ParseQuicVersionString("Q046"));
-  EXPECT_EQ(ParsedQuicVersion(PROTOCOL_QUIC_CRYPTO, QUIC_VERSION_47),
-            ParseQuicVersionString("Q047"));
   EXPECT_EQ(ParsedQuicVersion(PROTOCOL_QUIC_CRYPTO, QUIC_VERSION_48),
             ParseQuicVersionString("Q048"));
   EXPECT_EQ(ParsedQuicVersion(PROTOCOL_QUIC_CRYPTO, QUIC_VERSION_50),
             ParseQuicVersionString("Q050"));
 
   EXPECT_EQ(UnsupportedQuicVersion(), ParseQuicVersionString(""));
-  EXPECT_EQ(UnsupportedQuicVersion(), ParseQuicVersionString("Q 47"));
-  EXPECT_EQ(UnsupportedQuicVersion(), ParseQuicVersionString("Q047 "));
+  EXPECT_EQ(UnsupportedQuicVersion(), ParseQuicVersionString("Q 46"));
+  EXPECT_EQ(UnsupportedQuicVersion(), ParseQuicVersionString("Q046 "));
 
   // Test a TLS version:
   SetQuicReloadableFlag(quic_supports_tls_handshake, true);
-  EXPECT_EQ(ParsedQuicVersion(PROTOCOL_TLS1_3, QUIC_VERSION_39),
-            ParseQuicVersionString("T039"));
   EXPECT_EQ(ParsedQuicVersion(PROTOCOL_TLS1_3, QUIC_VERSION_43),
             ParseQuicVersionString("T043"));
   EXPECT_EQ(ParsedQuicVersion(PROTOCOL_TLS1_3, QUIC_VERSION_46),
             ParseQuicVersionString("T046"));
-  EXPECT_EQ(ParsedQuicVersion(PROTOCOL_TLS1_3, QUIC_VERSION_47),
-            ParseQuicVersionString("T047"));
   EXPECT_EQ(ParsedQuicVersion(PROTOCOL_TLS1_3, QUIC_VERSION_48),
             ParseQuicVersionString("T048"));
   EXPECT_EQ(ParsedQuicVersion(PROTOCOL_TLS1_3, QUIC_VERSION_50),
@@ -175,18 +159,12 @@ TEST_F(QuicVersionsTest, ParseQuicVersionString) {
 }
 
 TEST_F(QuicVersionsTest, CreateQuicVersionLabel) {
-  EXPECT_EQ(MakeVersionLabel('Q', '0', '3', '9'),
-            CreateQuicVersionLabel(
-                ParsedQuicVersion(PROTOCOL_QUIC_CRYPTO, QUIC_VERSION_39)));
   EXPECT_EQ(MakeVersionLabel('Q', '0', '4', '3'),
             CreateQuicVersionLabel(
                 ParsedQuicVersion(PROTOCOL_QUIC_CRYPTO, QUIC_VERSION_43)));
   EXPECT_EQ(MakeVersionLabel('Q', '0', '4', '6'),
             CreateQuicVersionLabel(
                 ParsedQuicVersion(PROTOCOL_QUIC_CRYPTO, QUIC_VERSION_46)));
-  EXPECT_EQ(MakeVersionLabel('Q', '0', '4', '7'),
-            CreateQuicVersionLabel(
-                ParsedQuicVersion(PROTOCOL_QUIC_CRYPTO, QUIC_VERSION_47)));
   EXPECT_EQ(MakeVersionLabel('Q', '0', '4', '8'),
             CreateQuicVersionLabel(
                 ParsedQuicVersion(PROTOCOL_QUIC_CRYPTO, QUIC_VERSION_48)));
@@ -195,18 +173,12 @@ TEST_F(QuicVersionsTest, CreateQuicVersionLabel) {
                 ParsedQuicVersion(PROTOCOL_QUIC_CRYPTO, QUIC_VERSION_50)));
 
   // Test a TLS version:
-  EXPECT_EQ(MakeVersionLabel('T', '0', '3', '9'),
-            CreateQuicVersionLabel(
-                ParsedQuicVersion(PROTOCOL_TLS1_3, QUIC_VERSION_39)));
   EXPECT_EQ(MakeVersionLabel('T', '0', '4', '3'),
             CreateQuicVersionLabel(
                 ParsedQuicVersion(PROTOCOL_TLS1_3, QUIC_VERSION_43)));
   EXPECT_EQ(MakeVersionLabel('T', '0', '4', '6'),
             CreateQuicVersionLabel(
                 ParsedQuicVersion(PROTOCOL_TLS1_3, QUIC_VERSION_46)));
-  EXPECT_EQ(MakeVersionLabel('T', '0', '4', '7'),
-            CreateQuicVersionLabel(
-                ParsedQuicVersion(PROTOCOL_TLS1_3, QUIC_VERSION_47)));
   EXPECT_EQ(MakeVersionLabel('T', '0', '4', '8'),
             CreateQuicVersionLabel(
                 ParsedQuicVersion(PROTOCOL_TLS1_3, QUIC_VERSION_48)));
@@ -245,25 +217,24 @@ TEST_F(QuicVersionsTest, QuicVersionLabelToString) {
 }
 
 TEST_F(QuicVersionsTest, QuicVersionToString) {
-  EXPECT_EQ("QUIC_VERSION_39", QuicVersionToString(QUIC_VERSION_39));
   EXPECT_EQ("QUIC_VERSION_UNSUPPORTED",
             QuicVersionToString(QUIC_VERSION_UNSUPPORTED));
 
-  QuicTransportVersion single_version[] = {QUIC_VERSION_39};
+  QuicTransportVersion single_version[] = {QUIC_VERSION_43};
   QuicTransportVersionVector versions_vector;
   for (size_t i = 0; i < QUIC_ARRAYSIZE(single_version); ++i) {
     versions_vector.push_back(single_version[i]);
   }
-  EXPECT_EQ("QUIC_VERSION_39",
+  EXPECT_EQ("QUIC_VERSION_43",
             QuicTransportVersionVectorToString(versions_vector));
 
   QuicTransportVersion multiple_versions[] = {QUIC_VERSION_UNSUPPORTED,
-                                              QUIC_VERSION_39};
+                                              QUIC_VERSION_43};
   versions_vector.clear();
   for (size_t i = 0; i < QUIC_ARRAYSIZE(multiple_versions); ++i) {
     versions_vector.push_back(multiple_versions[i]);
   }
-  EXPECT_EQ("QUIC_VERSION_UNSUPPORTED,QUIC_VERSION_39",
+  EXPECT_EQ("QUIC_VERSION_UNSUPPORTED,QUIC_VERSION_43",
             QuicTransportVersionVectorToString(versions_vector));
 
   // Make sure that all supported versions are present in QuicVersionToString.
@@ -275,16 +246,16 @@ TEST_F(QuicVersionsTest, QuicVersionToString) {
 
 TEST_F(QuicVersionsTest, ParsedQuicVersionToString) {
   ParsedQuicVersion unsupported = UnsupportedQuicVersion();
-  ParsedQuicVersion version39(PROTOCOL_QUIC_CRYPTO, QUIC_VERSION_39);
-  EXPECT_EQ("Q039", ParsedQuicVersionToString(version39));
+  ParsedQuicVersion version43(PROTOCOL_QUIC_CRYPTO, QUIC_VERSION_43);
+  EXPECT_EQ("Q043", ParsedQuicVersionToString(version43));
   EXPECT_EQ("0", ParsedQuicVersionToString(unsupported));
 
-  ParsedQuicVersionVector versions_vector = {version39};
-  EXPECT_EQ("Q039", ParsedQuicVersionVectorToString(versions_vector));
+  ParsedQuicVersionVector versions_vector = {version43};
+  EXPECT_EQ("Q043", ParsedQuicVersionVectorToString(versions_vector));
 
-  versions_vector = {unsupported, version39};
-  EXPECT_EQ("0,Q039", ParsedQuicVersionVectorToString(versions_vector));
-  EXPECT_EQ("0:Q039", ParsedQuicVersionVectorToString(versions_vector, ":",
+  versions_vector = {unsupported, version43};
+  EXPECT_EQ("0,Q043", ParsedQuicVersionVectorToString(versions_vector));
+  EXPECT_EQ("0:Q043", ParsedQuicVersionVectorToString(versions_vector, ":",
                                                       versions_vector.size()));
   EXPECT_EQ("0|...", ParsedQuicVersionVectorToString(versions_vector, "|", 0));
 
@@ -307,12 +278,8 @@ TEST_F(QuicVersionsTest, AllSupportedTransportVersions) {
 
 TEST_F(QuicVersionsTest, FilterSupportedTransportVersionsAllVersions) {
   QuicTransportVersionVector all_versions = AllSupportedTransportVersions();
-  static_assert(QUIC_ARRAYSIZE(kSupportedTransportVersions) == 8u,
+  static_assert(QUIC_ARRAYSIZE(kSupportedTransportVersions) == 6u,
                 "Supported versions out of sync");
-  SetQuicReloadableFlag(quic_disable_version_39, false);
-  SetQuicReloadableFlag(quic_enable_version_47, true);
-  SetQuicReloadableFlag(quic_enable_version_48_2, true);
-  SetQuicReloadableFlag(quic_enable_version_49, true);
   SetQuicReloadableFlag(quic_enable_version_50, true);
   SetQuicReloadableFlag(quic_enable_version_99, true);
   ParsedQuicVersionVector parsed_versions;
@@ -320,8 +287,8 @@ TEST_F(QuicVersionsTest, FilterSupportedTransportVersionsAllVersions) {
     parsed_versions.push_back(ParsedQuicVersion(PROTOCOL_QUIC_CRYPTO, version));
   }
   QuicTransportVersionVector expected_versions = {
-      QUIC_VERSION_99, QUIC_VERSION_50, QUIC_VERSION_49, QUIC_VERSION_48,
-      QUIC_VERSION_47, QUIC_VERSION_46, QUIC_VERSION_43, QUIC_VERSION_39};
+      QUIC_VERSION_99, QUIC_VERSION_50, QUIC_VERSION_49,
+      QUIC_VERSION_48, QUIC_VERSION_46, QUIC_VERSION_43};
   ParsedQuicVersionVector expected_parsed_versions;
   for (QuicTransportVersion version : expected_versions) {
     expected_parsed_versions.push_back(
@@ -334,12 +301,8 @@ TEST_F(QuicVersionsTest, FilterSupportedTransportVersionsAllVersions) {
 
 TEST_F(QuicVersionsTest, FilterSupportedTransportVersionsNo99) {
   QuicTransportVersionVector all_versions = AllSupportedTransportVersions();
-  static_assert(QUIC_ARRAYSIZE(kSupportedTransportVersions) == 8u,
+  static_assert(QUIC_ARRAYSIZE(kSupportedTransportVersions) == 6u,
                 "Supported versions out of sync");
-  SetQuicReloadableFlag(quic_disable_version_39, false);
-  SetQuicReloadableFlag(quic_enable_version_47, true);
-  SetQuicReloadableFlag(quic_enable_version_48_2, true);
-  SetQuicReloadableFlag(quic_enable_version_49, true);
   SetQuicReloadableFlag(quic_enable_version_50, true);
   SetQuicReloadableFlag(quic_enable_version_99, false);
   ParsedQuicVersionVector parsed_versions;
@@ -347,8 +310,8 @@ TEST_F(QuicVersionsTest, FilterSupportedTransportVersionsNo99) {
     parsed_versions.push_back(ParsedQuicVersion(PROTOCOL_QUIC_CRYPTO, version));
   }
   QuicTransportVersionVector expected_versions = {
-      QUIC_VERSION_50, QUIC_VERSION_49, QUIC_VERSION_48, QUIC_VERSION_47,
-      QUIC_VERSION_46, QUIC_VERSION_43, QUIC_VERSION_39};
+      QUIC_VERSION_50, QUIC_VERSION_49, QUIC_VERSION_48, QUIC_VERSION_46,
+      QUIC_VERSION_43};
   ParsedQuicVersionVector expected_parsed_versions;
   for (QuicTransportVersion version : expected_versions) {
     expected_parsed_versions.push_back(
@@ -361,64 +324,6 @@ TEST_F(QuicVersionsTest, FilterSupportedTransportVersionsNo99) {
 
 TEST_F(QuicVersionsTest, FilterSupportedTransportVersionsNo50) {
   QuicTransportVersionVector all_versions = AllSupportedTransportVersions();
-  SetQuicReloadableFlag(quic_disable_version_39, false);
-  SetQuicReloadableFlag(quic_enable_version_47, true);
-  SetQuicReloadableFlag(quic_enable_version_48_2, true);
-  SetQuicReloadableFlag(quic_enable_version_49, true);
-  SetQuicReloadableFlag(quic_enable_version_50, false);
-  SetQuicReloadableFlag(quic_enable_version_99, false);
-  ParsedQuicVersionVector parsed_versions;
-  for (QuicTransportVersion version : all_versions) {
-    parsed_versions.push_back(ParsedQuicVersion(PROTOCOL_QUIC_CRYPTO, version));
-  }
-  QuicTransportVersionVector expected_versions = {
-      QUIC_VERSION_49, QUIC_VERSION_48, QUIC_VERSION_47,
-      QUIC_VERSION_46, QUIC_VERSION_43, QUIC_VERSION_39};
-  ParsedQuicVersionVector expected_parsed_versions;
-  for (QuicTransportVersion version : expected_versions) {
-    expected_parsed_versions.push_back(
-        ParsedQuicVersion(PROTOCOL_QUIC_CRYPTO, version));
-  }
-
-  ASSERT_EQ(expected_versions, FilterSupportedTransportVersions(all_versions));
-  ASSERT_EQ(expected_parsed_versions, FilterSupportedVersions(parsed_versions));
-}
-
-TEST_F(QuicVersionsTest, FilterSupportedTransportVersionsNo49) {
-  QuicTransportVersionVector all_versions = AllSupportedTransportVersions();
-  static_assert(QUIC_ARRAYSIZE(kSupportedTransportVersions) == 8u,
-                "Supported versions out of sync");
-  SetQuicReloadableFlag(quic_disable_version_39, false);
-  SetQuicReloadableFlag(quic_enable_version_47, true);
-  SetQuicReloadableFlag(quic_enable_version_48_2, true);
-  SetQuicReloadableFlag(quic_enable_version_49, false);
-  SetQuicReloadableFlag(quic_enable_version_50, false);
-  SetQuicReloadableFlag(quic_enable_version_99, false);
-  ParsedQuicVersionVector parsed_versions;
-  for (QuicTransportVersion version : all_versions) {
-    parsed_versions.push_back(ParsedQuicVersion(PROTOCOL_QUIC_CRYPTO, version));
-  }
-  QuicTransportVersionVector expected_versions = {
-      QUIC_VERSION_48, QUIC_VERSION_47, QUIC_VERSION_46, QUIC_VERSION_43,
-      QUIC_VERSION_39};
-  ParsedQuicVersionVector expected_parsed_versions;
-  for (QuicTransportVersion version : expected_versions) {
-    expected_parsed_versions.push_back(
-        ParsedQuicVersion(PROTOCOL_QUIC_CRYPTO, version));
-  }
-
-  ASSERT_EQ(expected_versions, FilterSupportedTransportVersions(all_versions));
-  ASSERT_EQ(expected_parsed_versions, FilterSupportedVersions(parsed_versions));
-}
-
-TEST_F(QuicVersionsTest, FilterSupportedTransportVersionsNo48) {
-  QuicTransportVersionVector all_versions = AllSupportedTransportVersions();
-  static_assert(QUIC_ARRAYSIZE(kSupportedTransportVersions) == 8u,
-                "Supported versions out of sync");
-  SetQuicReloadableFlag(quic_disable_version_39, false);
-  SetQuicReloadableFlag(quic_enable_version_47, true);
-  SetQuicReloadableFlag(quic_enable_version_48_2, false);
-  SetQuicReloadableFlag(quic_enable_version_49, false);
   SetQuicReloadableFlag(quic_enable_version_50, false);
   SetQuicReloadableFlag(quic_enable_version_99, false);
   ParsedQuicVersionVector parsed_versions;
@@ -426,7 +331,7 @@ TEST_F(QuicVersionsTest, FilterSupportedTransportVersionsNo48) {
     parsed_versions.push_back(ParsedQuicVersion(PROTOCOL_QUIC_CRYPTO, version));
   }
   QuicTransportVersionVector expected_versions = {
-      QUIC_VERSION_47, QUIC_VERSION_46, QUIC_VERSION_43, QUIC_VERSION_39};
+      QUIC_VERSION_49, QUIC_VERSION_48, QUIC_VERSION_46, QUIC_VERSION_43};
   ParsedQuicVersionVector expected_parsed_versions;
   for (QuicTransportVersion version : expected_versions) {
     expected_parsed_versions.push_back(
@@ -437,14 +342,10 @@ TEST_F(QuicVersionsTest, FilterSupportedTransportVersionsNo48) {
   ASSERT_EQ(expected_parsed_versions, FilterSupportedVersions(parsed_versions));
 }
 
-TEST_F(QuicVersionsTest, FilterSupportedTransportVersionsNo47) {
+TEST_F(QuicVersionsTest, FilterSupportedTransportVersionsNoFlags) {
   QuicTransportVersionVector all_versions = AllSupportedTransportVersions();
-  static_assert(QUIC_ARRAYSIZE(kSupportedTransportVersions) == 8u,
+  static_assert(QUIC_ARRAYSIZE(kSupportedTransportVersions) == 6u,
                 "Supported versions out of sync");
-  SetQuicReloadableFlag(quic_disable_version_39, false);
-  SetQuicReloadableFlag(quic_enable_version_47, false);
-  SetQuicReloadableFlag(quic_enable_version_48_2, false);
-  SetQuicReloadableFlag(quic_enable_version_49, false);
   SetQuicReloadableFlag(quic_enable_version_50, false);
   SetQuicReloadableFlag(quic_enable_version_99, false);
   ParsedQuicVersionVector parsed_versions;
@@ -452,33 +353,7 @@ TEST_F(QuicVersionsTest, FilterSupportedTransportVersionsNo47) {
     parsed_versions.push_back(ParsedQuicVersion(PROTOCOL_QUIC_CRYPTO, version));
   }
   QuicTransportVersionVector expected_versions = {
-      QUIC_VERSION_46, QUIC_VERSION_43, QUIC_VERSION_39};
-  ParsedQuicVersionVector expected_parsed_versions;
-  for (QuicTransportVersion version : expected_versions) {
-    expected_parsed_versions.push_back(
-        ParsedQuicVersion(PROTOCOL_QUIC_CRYPTO, version));
-  }
-
-  ASSERT_EQ(expected_versions, FilterSupportedTransportVersions(all_versions));
-  ASSERT_EQ(expected_parsed_versions, FilterSupportedVersions(parsed_versions));
-}
-
-TEST_F(QuicVersionsTest, FilterSupportedTransportVersionsNo39) {
-  QuicTransportVersionVector all_versions = AllSupportedTransportVersions();
-  static_assert(QUIC_ARRAYSIZE(kSupportedTransportVersions) == 8u,
-                "Supported versions out of sync");
-  SetQuicReloadableFlag(quic_disable_version_39, true);
-  SetQuicReloadableFlag(quic_enable_version_47, false);
-  SetQuicReloadableFlag(quic_enable_version_48_2, false);
-  SetQuicReloadableFlag(quic_enable_version_49, false);
-  SetQuicReloadableFlag(quic_enable_version_50, false);
-  SetQuicReloadableFlag(quic_enable_version_99, false);
-  ParsedQuicVersionVector parsed_versions;
-  for (QuicTransportVersion version : all_versions) {
-    parsed_versions.push_back(ParsedQuicVersion(PROTOCOL_QUIC_CRYPTO, version));
-  }
-  QuicTransportVersionVector expected_versions = {QUIC_VERSION_46,
-                                                  QUIC_VERSION_43};
+      QUIC_VERSION_49, QUIC_VERSION_48, QUIC_VERSION_46, QUIC_VERSION_43};
   ParsedQuicVersionVector expected_parsed_versions;
   for (QuicTransportVersion version : expected_versions) {
     expected_parsed_versions.push_back(
@@ -490,7 +365,7 @@ TEST_F(QuicVersionsTest, FilterSupportedTransportVersionsNo39) {
 }
 
 TEST_F(QuicVersionsTest, LookUpVersionByIndex) {
-  QuicTransportVersionVector all_versions = {QUIC_VERSION_39};
+  QuicTransportVersionVector all_versions = {QUIC_VERSION_43};
   int version_count = all_versions.size();
   for (int i = -5; i <= version_count + 1; ++i) {
     if (i >= 0 && i < version_count) {
@@ -528,12 +403,10 @@ TEST_F(QuicVersionsTest, ParsedVersionsToTransportVersions) {
 // yet a typo was made in doing the #defines and it was caught
 // only in some test far removed from here... Better safe than sorry.
 TEST_F(QuicVersionsTest, CheckVersionNumbersForTypos) {
-  static_assert(QUIC_ARRAYSIZE(kSupportedTransportVersions) == 8u,
+  static_assert(QUIC_ARRAYSIZE(kSupportedTransportVersions) == 6u,
                 "Supported versions out of sync");
-  EXPECT_EQ(QUIC_VERSION_39, 39);
   EXPECT_EQ(QUIC_VERSION_43, 43);
   EXPECT_EQ(QUIC_VERSION_46, 46);
-  EXPECT_EQ(QUIC_VERSION_47, 47);
   EXPECT_EQ(QUIC_VERSION_48, 48);
   EXPECT_EQ(QUIC_VERSION_49, 49);
   EXPECT_EQ(QUIC_VERSION_50, 50);
@@ -541,12 +414,8 @@ TEST_F(QuicVersionsTest, CheckVersionNumbersForTypos) {
 }
 
 TEST_F(QuicVersionsTest, AlpnForVersion) {
-  static_assert(QUIC_ARRAYSIZE(kSupportedTransportVersions) == 8u,
+  static_assert(QUIC_ARRAYSIZE(kSupportedTransportVersions) == 6u,
                 "Supported versions out of sync");
-  ParsedQuicVersion parsed_version_q047 =
-      ParsedQuicVersion(PROTOCOL_QUIC_CRYPTO, QUIC_VERSION_47);
-  ParsedQuicVersion parsed_version_t047 =
-      ParsedQuicVersion(PROTOCOL_TLS1_3, QUIC_VERSION_47);
   ParsedQuicVersion parsed_version_q048 =
       ParsedQuicVersion(PROTOCOL_QUIC_CRYPTO, QUIC_VERSION_48);
   ParsedQuicVersion parsed_version_t048 =
@@ -562,33 +431,21 @@ TEST_F(QuicVersionsTest, AlpnForVersion) {
   ParsedQuicVersion parsed_version_t099 =
       ParsedQuicVersion(PROTOCOL_TLS1_3, QUIC_VERSION_99);
 
-  EXPECT_EQ("h3-Q047", AlpnForVersion(parsed_version_q047));
-  EXPECT_EQ("h3-T047", AlpnForVersion(parsed_version_t047));
   EXPECT_EQ("h3-Q048", AlpnForVersion(parsed_version_q048));
   EXPECT_EQ("h3-T048", AlpnForVersion(parsed_version_t048));
   EXPECT_EQ("h3-Q049", AlpnForVersion(parsed_version_q049));
   EXPECT_EQ("h3-T049", AlpnForVersion(parsed_version_t049));
   EXPECT_EQ("h3-Q050", AlpnForVersion(parsed_version_q050));
   EXPECT_EQ("h3-T050", AlpnForVersion(parsed_version_t050));
-  EXPECT_EQ("h3-23", AlpnForVersion(parsed_version_t099));
+  EXPECT_EQ("h3-24", AlpnForVersion(parsed_version_t099));
+  static_assert(kQuicIetfDraftVersion == 24,
+                "ALPN does not match draft version");
 }
 
 TEST_F(QuicVersionsTest, QuicEnableVersion) {
-  static_assert(QUIC_ARRAYSIZE(kSupportedTransportVersions) == 8u,
+  static_assert(QUIC_ARRAYSIZE(kSupportedTransportVersions) == 6u,
                 "Supported versions out of sync");
   SetQuicReloadableFlag(quic_supports_tls_handshake, true);
-  ParsedQuicVersion parsed_version_q047 =
-      ParsedQuicVersion(PROTOCOL_QUIC_CRYPTO, QUIC_VERSION_47);
-  ParsedQuicVersion parsed_version_t047 =
-      ParsedQuicVersion(PROTOCOL_TLS1_3, QUIC_VERSION_47);
-  ParsedQuicVersion parsed_version_q048 =
-      ParsedQuicVersion(PROTOCOL_QUIC_CRYPTO, QUIC_VERSION_48);
-  ParsedQuicVersion parsed_version_t048 =
-      ParsedQuicVersion(PROTOCOL_TLS1_3, QUIC_VERSION_48);
-  ParsedQuicVersion parsed_version_q049 =
-      ParsedQuicVersion(PROTOCOL_QUIC_CRYPTO, QUIC_VERSION_49);
-  ParsedQuicVersion parsed_version_t049 =
-      ParsedQuicVersion(PROTOCOL_TLS1_3, QUIC_VERSION_49);
   ParsedQuicVersion parsed_version_q050 =
       ParsedQuicVersion(PROTOCOL_QUIC_CRYPTO, QUIC_VERSION_50);
   ParsedQuicVersion parsed_version_t050 =
@@ -596,59 +453,13 @@ TEST_F(QuicVersionsTest, QuicEnableVersion) {
   ParsedQuicVersion parsed_version_t099 =
       ParsedQuicVersion(PROTOCOL_TLS1_3, QUIC_VERSION_99);
   SetQuicReloadableFlag(quic_supports_tls_handshake, false);
-  SetQuicReloadableFlag(quic_disable_version_39, false);
-  SetQuicReloadableFlag(quic_enable_version_47, false);
-  SetQuicReloadableFlag(quic_enable_version_48_2, false);
-  SetQuicReloadableFlag(quic_enable_version_49, false);
   SetQuicReloadableFlag(quic_enable_version_50, false);
   SetQuicReloadableFlag(quic_enable_version_99, false);
 
   {
     QuicFlagSaver flag_saver;
-    QuicEnableVersion(parsed_version_q047);
-    EXPECT_FALSE(GetQuicReloadableFlag(quic_supports_tls_handshake));
-    EXPECT_TRUE(GetQuicReloadableFlag(quic_enable_version_47));
-    EXPECT_FALSE(GetQuicReloadableFlag(quic_enable_version_48_2));
-    EXPECT_FALSE(GetQuicReloadableFlag(quic_enable_version_50));
-    EXPECT_FALSE(GetQuicReloadableFlag(quic_enable_version_99));
-  }
-
-  {
-    QuicFlagSaver flag_saver;
-    QuicEnableVersion(parsed_version_t047);
-    EXPECT_TRUE(GetQuicReloadableFlag(quic_supports_tls_handshake));
-    EXPECT_TRUE(GetQuicReloadableFlag(quic_enable_version_47));
-    EXPECT_FALSE(GetQuicReloadableFlag(quic_enable_version_48_2));
-    EXPECT_FALSE(GetQuicReloadableFlag(quic_enable_version_50));
-    EXPECT_FALSE(GetQuicReloadableFlag(quic_enable_version_99));
-  }
-
-  {
-    QuicFlagSaver flag_saver;
-    QuicEnableVersion(parsed_version_q048);
-    EXPECT_FALSE(GetQuicReloadableFlag(quic_supports_tls_handshake));
-    EXPECT_FALSE(GetQuicReloadableFlag(quic_enable_version_47));
-    EXPECT_TRUE(GetQuicReloadableFlag(quic_enable_version_48_2));
-    EXPECT_FALSE(GetQuicReloadableFlag(quic_enable_version_50));
-    EXPECT_FALSE(GetQuicReloadableFlag(quic_enable_version_99));
-  }
-
-  {
-    QuicFlagSaver flag_saver;
-    QuicEnableVersion(parsed_version_t048);
-    EXPECT_TRUE(GetQuicReloadableFlag(quic_supports_tls_handshake));
-    EXPECT_FALSE(GetQuicReloadableFlag(quic_enable_version_47));
-    EXPECT_TRUE(GetQuicReloadableFlag(quic_enable_version_48_2));
-    EXPECT_FALSE(GetQuicReloadableFlag(quic_enable_version_50));
-    EXPECT_FALSE(GetQuicReloadableFlag(quic_enable_version_99));
-  }
-
-  {
-    QuicFlagSaver flag_saver;
     QuicEnableVersion(parsed_version_q050);
     EXPECT_FALSE(GetQuicReloadableFlag(quic_supports_tls_handshake));
-    EXPECT_FALSE(GetQuicReloadableFlag(quic_enable_version_47));
-    EXPECT_FALSE(GetQuicReloadableFlag(quic_enable_version_48_2));
     EXPECT_TRUE(GetQuicReloadableFlag(quic_enable_version_50));
     EXPECT_FALSE(GetQuicReloadableFlag(quic_enable_version_99));
   }
@@ -657,38 +468,14 @@ TEST_F(QuicVersionsTest, QuicEnableVersion) {
     QuicFlagSaver flag_saver;
     QuicEnableVersion(parsed_version_t050);
     EXPECT_TRUE(GetQuicReloadableFlag(quic_supports_tls_handshake));
-    EXPECT_FALSE(GetQuicReloadableFlag(quic_enable_version_47));
-    EXPECT_FALSE(GetQuicReloadableFlag(quic_enable_version_48_2));
     EXPECT_TRUE(GetQuicReloadableFlag(quic_enable_version_50));
     EXPECT_FALSE(GetQuicReloadableFlag(quic_enable_version_99));
   }
 
   {
     QuicFlagSaver flag_saver;
-    QuicEnableVersion(parsed_version_q049);
-    EXPECT_FALSE(GetQuicReloadableFlag(quic_supports_tls_handshake));
-    EXPECT_FALSE(GetQuicReloadableFlag(quic_enable_version_47));
-    EXPECT_FALSE(GetQuicReloadableFlag(quic_enable_version_48_2));
-    EXPECT_TRUE(GetQuicReloadableFlag(quic_enable_version_49));
-    EXPECT_FALSE(GetQuicReloadableFlag(quic_enable_version_99));
-  }
-
-  {
-    QuicFlagSaver flag_saver;
-    QuicEnableVersion(parsed_version_t049);
-    EXPECT_TRUE(GetQuicReloadableFlag(quic_supports_tls_handshake));
-    EXPECT_FALSE(GetQuicReloadableFlag(quic_enable_version_47));
-    EXPECT_FALSE(GetQuicReloadableFlag(quic_enable_version_48_2));
-    EXPECT_TRUE(GetQuicReloadableFlag(quic_enable_version_49));
-    EXPECT_FALSE(GetQuicReloadableFlag(quic_enable_version_99));
-  }
-
-  {
-    QuicFlagSaver flag_saver;
     QuicEnableVersion(parsed_version_t099);
     EXPECT_TRUE(GetQuicReloadableFlag(quic_supports_tls_handshake));
-    EXPECT_FALSE(GetQuicReloadableFlag(quic_enable_version_47));
-    EXPECT_FALSE(GetQuicReloadableFlag(quic_enable_version_48_2));
     EXPECT_FALSE(GetQuicReloadableFlag(quic_enable_version_50));
     EXPECT_TRUE(GetQuicReloadableFlag(quic_enable_version_99));
   }
diff --git a/chromium/net/third_party/quiche/src/quic/core/quic_write_blocked_list.h b/chromium/net/third_party/quiche/src/quic/core/quic_write_blocked_list.h
index 7cab768a56d..b80eca6e963 100644
--- a/chromium/net/third_party/quiche/src/quic/core/quic_write_blocked_list.h
+++ b/chromium/net/third_party/quiche/src/quic/core/quic_write_blocked_list.h
@@ -247,9 +247,9 @@ class QUIC_EXPORT_PRIVATE QuicWriteBlockedList {
 
   // A StaticStreamCollection is a vector of <QuicStreamId, bool> pairs plus a
   // eagerly-computed number of blocked static streams.
-  class StaticStreamCollection {
+  class QUIC_EXPORT_PRIVATE StaticStreamCollection {
    public:
-    struct StreamIdBlockedPair {
+    struct QUIC_EXPORT_PRIVATE StreamIdBlockedPair {
       QuicStreamId id;
       bool is_blocked;
     };
diff --git a/chromium/net/third_party/quiche/src/quic/core/tls_client_handshaker.cc b/chromium/net/third_party/quiche/src/quic/core/tls_client_handshaker.cc
index 674cf2cdeb3..a65fefc308f 100644
--- a/chromium/net/third_party/quiche/src/quic/core/tls_client_handshaker.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/tls_client_handshaker.cc
@@ -43,22 +43,21 @@ void TlsClientHandshaker::ProofVerifierCallbackImpl::Cancel() {
 }
 
 TlsClientHandshaker::TlsClientHandshaker(
+    const QuicServerId& server_id,
     QuicCryptoStream* stream,
     QuicSession* session,
-    const QuicServerId& server_id,
-    ProofVerifier* proof_verifier,
-    SSL_CTX* ssl_ctx,
     std::unique_ptr<ProofVerifyContext> verify_context,
-    QuicCryptoClientStream::ProofHandler* proof_handler,
-    const std::string& user_agent_id)
-    : TlsHandshaker(stream, session, ssl_ctx),
+    QuicCryptoClientConfig* crypto_config,
+    QuicCryptoClientStream::ProofHandler* proof_handler)
+    : TlsHandshaker(stream, session, crypto_config->ssl_ctx()),
       server_id_(server_id),
-      proof_verifier_(proof_verifier),
+      proof_verifier_(crypto_config->proof_verifier()),
       verify_context_(std::move(verify_context)),
       proof_handler_(proof_handler),
-      user_agent_id_(user_agent_id),
+      session_cache_(crypto_config->session_cache()),
+      user_agent_id_(crypto_config->user_agent_id()),
       crypto_negotiated_params_(new QuicCryptoNegotiatedParameters),
-      tls_connection_(ssl_ctx, this) {}
+      tls_connection_(crypto_config->ssl_ctx(), this) {}
 
 TlsClientHandshaker::~TlsClientHandshaker() {
   if (proof_verify_callback_) {
@@ -66,11 +65,6 @@ TlsClientHandshaker::~TlsClientHandshaker() {
   }
 }
 
-// static
-bssl::UniquePtr<SSL_CTX> TlsClientHandshaker::CreateSslCtx() {
-  return TlsClientConnection::CreateSslCtx();
-}
-
 bool TlsClientHandshaker::CryptoConnect() {
   state_ = STATE_HANDSHAKE_RUNNING;
 
@@ -92,6 +86,15 @@ bool TlsClientHandshaker::CryptoConnect() {
     return false;
   }
 
+  // Set a session to resume, if there is one.
+  if (session_cache_) {
+    std::unique_ptr<QuicResumptionState> cached_state =
+        session_cache_->Lookup(server_id_, SSL_get_SSL_CTX(ssl()));
+    if (cached_state) {
+      SSL_set_session(ssl(), cached_state->tls_session.get());
+    }
+  }
+
   // Start the handshake.
   AdvanceHandshake();
   return session()->connection()->connected();
@@ -202,6 +205,11 @@ int TlsClientHandshaker::num_sent_client_hellos() const {
   return 0;
 }
 
+bool TlsClientHandshaker::IsResumption() const {
+  QUIC_BUG_IF(!handshake_confirmed_);
+  return SSL_session_reused(ssl()) == 1;
+}
+
 int TlsClientHandshaker::num_scup_messages_received() const {
   // SCUP messages aren't sent or received when using the TLS handshake.
   return 0;
@@ -245,7 +253,10 @@ void TlsClientHandshaker::AdvanceHandshake() {
     return;
   }
   if (state_ == STATE_HANDSHAKE_COMPLETE) {
-    // TODO(nharper): Handle post-handshake messages.
+    int rv = SSL_process_quic_post_handshake(ssl());
+    if (rv != 1) {
+      CloseConnection(QUIC_HANDSHAKE_FAILED, "Unexpected post-handshake data");
+    }
     return;
   }
 
@@ -322,12 +333,9 @@ void TlsClientHandshaker::FinishHandshake() {
   QUIC_DLOG(INFO) << "Client: server selected ALPN: '" << received_alpn_string
                   << "'";
 
-  session()->connection()->SetDefaultEncryptionLevel(ENCRYPTION_FORWARD_SECURE);
-  session()->NeuterUnencryptedData();
   encryption_established_ = true;
   handshake_confirmed_ = true;
-  session()->OnCryptoHandshakeEvent(QuicSession::ENCRYPTION_ESTABLISHED);
-  session()->OnCryptoHandshakeEvent(QuicSession::HANDSHAKE_CONFIRMED);
+  delegate()->SetDefaultEncryptionLevel(ENCRYPTION_FORWARD_SECURE);
 
   // Fill crypto_negotiated_params_:
   const SSL_CIPHER* cipher = SSL_get_current_cipher(ssl());
@@ -337,8 +345,9 @@ void TlsClientHandshaker::FinishHandshake() {
   crypto_negotiated_params_->key_exchange_group = SSL_get_curve_id(ssl());
   crypto_negotiated_params_->peer_signature_algorithm =
       SSL_get_peer_signature_algorithm(ssl());
-
-  session()->connection()->OnHandshakeComplete();
+  // TODO(fayang): Replace this with DiscardOldKeys(ENCRYPTION_HANDSHAKE) when
+  // handshake key discarding settles down.
+  delegate()->NeuterHandshakeData();
 }
 
 enum ssl_verify_result_t TlsClientHandshaker::VerifyCert(uint8_t* out_alert) {
@@ -394,4 +403,25 @@ enum ssl_verify_result_t TlsClientHandshaker::VerifyCert(uint8_t* out_alert) {
   }
 }
 
+void TlsClientHandshaker::InsertSession(bssl::UniquePtr<SSL_SESSION> session) {
+  if (session_cache_ == nullptr) {
+    QUIC_DVLOG(1) << "No session cache, not inserting a session";
+    return;
+  }
+  auto cache_state = std::make_unique<QuicResumptionState>();
+  cache_state->tls_session = std::move(session);
+  session_cache_->Insert(server_id_, std::move(cache_state));
+}
+
+void TlsClientHandshaker::WriteMessage(EncryptionLevel level,
+                                       QuicStringPiece data) {
+  if (level == ENCRYPTION_HANDSHAKE &&
+      state_ < STATE_ENCRYPTION_HANDSHAKE_DATA_SENT) {
+    state_ = STATE_ENCRYPTION_HANDSHAKE_DATA_SENT;
+    delegate()->DiscardOldEncryptionKey(ENCRYPTION_INITIAL);
+    delegate()->DiscardOldDecryptionKey(ENCRYPTION_INITIAL);
+  }
+  TlsHandshaker::WriteMessage(level, data);
+}
+
 }  // namespace quic
diff --git a/chromium/net/third_party/quiche/src/quic/core/tls_client_handshaker.h b/chromium/net/third_party/quiche/src/quic/core/tls_client_handshaker.h
index 4672821f72b..319cd1704bc 100644
--- a/chromium/net/third_party/quiche/src/quic/core/tls_client_handshaker.h
+++ b/chromium/net/third_party/quiche/src/quic/core/tls_client_handshaker.h
@@ -24,26 +24,21 @@ class QUIC_EXPORT_PRIVATE TlsClientHandshaker
       public QuicCryptoClientStream::HandshakerDelegate,
       public TlsClientConnection::Delegate {
  public:
-  TlsClientHandshaker(QuicCryptoStream* stream,
+  TlsClientHandshaker(const QuicServerId& server_id,
+                      QuicCryptoStream* stream,
                       QuicSession* session,
-                      const QuicServerId& server_id,
-                      ProofVerifier* proof_verifier,
-                      SSL_CTX* ssl_ctx,
                       std::unique_ptr<ProofVerifyContext> verify_context,
-                      QuicCryptoClientStream::ProofHandler* proof_handler,
-                      const std::string& user_agent_id);
+                      QuicCryptoClientConfig* crypto_config,
+                      QuicCryptoClientStream::ProofHandler* proof_handler);
   TlsClientHandshaker(const TlsClientHandshaker&) = delete;
   TlsClientHandshaker& operator=(const TlsClientHandshaker&) = delete;
 
   ~TlsClientHandshaker() override;
 
-  // Creates and configures an SSL_CTX to be used with a TlsClientHandshaker.
-  // The caller is responsible for ownership of the newly created struct.
-  static bssl::UniquePtr<SSL_CTX> CreateSslCtx();
-
   // From QuicCryptoClientStream::HandshakerDelegate
   bool CryptoConnect() override;
   int num_sent_client_hellos() const override;
+  bool IsResumption() const override;
   int num_scup_messages_received() const override;
   std::string chlo_hash() const override;
 
@@ -55,6 +50,9 @@ class QUIC_EXPORT_PRIVATE TlsClientHandshaker
   CryptoMessageParser* crypto_message_parser() override;
   size_t BufferSizeLimitForLevel(EncryptionLevel level) const override;
 
+  // Override to drop initial keys if trying to write ENCRYPTION_HANDSHAKE data.
+  void WriteMessage(EncryptionLevel level, QuicStringPiece data) override;
+
   void AllowEmptyAlpnForTests() { allow_empty_alpn_for_tests_ = true; }
 
  protected:
@@ -73,7 +71,8 @@ class QUIC_EXPORT_PRIVATE TlsClientHandshaker
  private:
   // ProofVerifierCallbackImpl handles the result of an asynchronous certificate
   // verification operation.
-  class ProofVerifierCallbackImpl : public ProofVerifierCallback {
+  class QUIC_EXPORT_PRIVATE ProofVerifierCallbackImpl
+      : public ProofVerifierCallback {
    public:
     explicit ProofVerifierCallbackImpl(TlsClientHandshaker* parent);
     ~ProofVerifierCallbackImpl() override;
@@ -94,6 +93,7 @@ class QUIC_EXPORT_PRIVATE TlsClientHandshaker
     STATE_IDLE,
     STATE_HANDSHAKE_RUNNING,
     STATE_CERT_VERIFY_PENDING,
+    STATE_ENCRYPTION_HANDSHAKE_DATA_SENT,
     STATE_HANDSHAKE_COMPLETE,
     STATE_CONNECTION_CLOSED,
   } state_ = STATE_IDLE;
@@ -103,6 +103,8 @@ class QUIC_EXPORT_PRIVATE TlsClientHandshaker
   bool ProcessTransportParameters(std::string* error_details);
   void FinishHandshake();
 
+  void InsertSession(bssl::UniquePtr<SSL_SESSION> session) override;
+
   QuicServerId server_id_;
 
   // Objects used for verifying the server's certificate chain.
@@ -115,6 +117,10 @@ class QUIC_EXPORT_PRIVATE TlsClientHandshaker
   // certificate verification.
   QuicCryptoClientStream::ProofHandler* proof_handler_;
 
+  // Used for session resumption. |session_cache_| is owned by the
+  // QuicCryptoClientConfig passed into TlsClientHandshaker's constructor.
+  SessionCache* session_cache_;
+
   std::string user_agent_id_;
 
   // ProofVerifierCallback used for async certificate verification. This object
diff --git a/chromium/net/third_party/quiche/src/quic/core/tls_handshaker.cc b/chromium/net/third_party/quiche/src/quic/core/tls_handshaker.cc
index f2089cd102e..08b4eb9525c 100644
--- a/chromium/net/third_party/quiche/src/quic/core/tls_handshaker.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/tls_handshaker.cc
@@ -16,7 +16,7 @@ namespace quic {
 TlsHandshaker::TlsHandshaker(QuicCryptoStream* stream,
                              QuicSession* session,
                              SSL_CTX* /*ssl_ctx*/)
-    : stream_(stream), session_(session) {
+    : stream_(stream), session_(session), delegate_(session) {
   QUIC_BUG_IF(!GetQuicReloadableFlag(quic_supports_tls_handshake))
       << "Attempted to create TLS handshaker when TLS is disabled";
 }
@@ -64,32 +64,22 @@ const EVP_MD* TlsHandshaker::Prf() {
       SSL_CIPHER_get_prf_nid(SSL_get_pending_cipher(ssl())));
 }
 
-std::unique_ptr<QuicEncrypter> TlsHandshaker::CreateEncrypter(
-    const std::vector<uint8_t>& pp_secret) {
+void TlsHandshaker::SetEncryptionSecret(
+    EncryptionLevel level,
+    const std::vector<uint8_t>& read_secret,
+    const std::vector<uint8_t>& write_secret) {
   std::unique_ptr<QuicEncrypter> encrypter =
       QuicEncrypter::CreateFromCipherSuite(
           SSL_CIPHER_get_id(SSL_get_pending_cipher(ssl())));
-  CryptoUtils::SetKeyAndIV(Prf(), pp_secret, encrypter.get());
-  return encrypter;
-}
-
-std::unique_ptr<QuicDecrypter> TlsHandshaker::CreateDecrypter(
-    const std::vector<uint8_t>& pp_secret) {
+  CryptoUtils::SetKeyAndIV(Prf(), write_secret, encrypter.get());
   std::unique_ptr<QuicDecrypter> decrypter =
       QuicDecrypter::CreateFromCipherSuite(
           SSL_CIPHER_get_id(SSL_get_pending_cipher(ssl())));
-  CryptoUtils::SetKeyAndIV(Prf(), pp_secret, decrypter.get());
-  return decrypter;
-}
-
-void TlsHandshaker::SetEncryptionSecret(
-    EncryptionLevel level,
-    const std::vector<uint8_t>& read_secret,
-    const std::vector<uint8_t>& write_secret) {
-  std::unique_ptr<QuicEncrypter> encrypter = CreateEncrypter(write_secret);
-  session()->connection()->SetEncrypter(level, std::move(encrypter));
-  std::unique_ptr<QuicDecrypter> decrypter = CreateDecrypter(read_secret);
-  session()->connection()->InstallDecrypter(level, std::move(decrypter));
+  CryptoUtils::SetKeyAndIV(Prf(), read_secret, decrypter.get());
+  delegate_->OnNewKeysAvailable(level, std::move(decrypter),
+                                /*set_alternative_decrypter=*/false,
+                                /*latch_once_used=*/false,
+                                std::move(encrypter));
 }
 
 void TlsHandshaker::WriteMessage(EncryptionLevel level, QuicStringPiece data) {
diff --git a/chromium/net/third_party/quiche/src/quic/core/tls_handshaker.h b/chromium/net/third_party/quiche/src/quic/core/tls_handshaker.h
index 7d5b9bcb75f..14503cde549 100644
--- a/chromium/net/third_party/quiche/src/quic/core/tls_handshaker.h
+++ b/chromium/net/third_party/quiche/src/quic/core/tls_handshaker.h
@@ -61,17 +61,13 @@ class QUIC_EXPORT_PRIVATE TlsHandshaker : public TlsConnection::Delegate,
   // Returns the PRF used by the cipher suite negotiated in the TLS handshake.
   const EVP_MD* Prf();
 
-  std::unique_ptr<QuicEncrypter> CreateEncrypter(
-      const std::vector<uint8_t>& pp_secret);
-  std::unique_ptr<QuicDecrypter> CreateDecrypter(
-      const std::vector<uint8_t>& pp_secret);
-
   virtual const TlsConnection* tls_connection() const = 0;
 
   SSL* ssl() const { return tls_connection()->ssl(); }
 
   QuicCryptoStream* stream() { return stream_; }
   QuicSession* session() { return session_; }
+  HandshakerDelegateInterface* delegate() { return delegate_; }
 
   // SetEncryptionSecret provides the encryption secret to use at a particular
   // encryption level. The secrets provided here are the ones from the TLS 1.3
@@ -100,6 +96,7 @@ class QUIC_EXPORT_PRIVATE TlsHandshaker : public TlsConnection::Delegate,
  private:
   QuicCryptoStream* stream_;
   QuicSession* session_;
+  HandshakerDelegateInterface* delegate_;
 
   QuicErrorCode parser_error_ = QUIC_NO_ERROR;
   std::string parser_error_detail_;
diff --git a/chromium/net/third_party/quiche/src/quic/core/tls_handshaker_test.cc b/chromium/net/third_party/quiche/src/quic/core/tls_handshaker_test.cc
index c23d56b44eb..a86b5217bfb 100644
--- a/chromium/net/third_party/quiche/src/quic/core/tls_handshaker_test.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/tls_handshaker_test.cc
@@ -177,6 +177,8 @@ class TestQuicCryptoStream : public QuicCryptoStream {
     pending_writes_.push_back(std::make_pair(std::string(data), level));
   }
 
+  void OnPacketDecrypted(EncryptionLevel /*level*/) override {}
+
   const std::vector<std::pair<std::string, EncryptionLevel>>& pending_writes() {
     return pending_writes_;
   }
@@ -223,17 +225,15 @@ class TestQuicCryptoClientStream : public TestQuicCryptoStream {
  public:
   explicit TestQuicCryptoClientStream(QuicSession* session)
       : TestQuicCryptoStream(session),
-        proof_verifier_(new FakeProofVerifier),
-        ssl_ctx_(TlsClientConnection::CreateSslCtx()),
+        crypto_config_(std::make_unique<FakeProofVerifier>(),
+                       /*session_cache*/ nullptr),
         handshaker_(new TlsClientHandshaker(
+            QuicServerId("test.example.com", 443, false),
             this,
             session,
-            QuicServerId("test.example.com", 443, false),
-            proof_verifier_.get(),
-            ssl_ctx_.get(),
             crypto_test_utils::ProofVerifyContextForTesting(),
-            &proof_handler_,
-            "quic-tester")) {}
+            &crypto_config_,
+            &proof_handler_)) {}
 
   ~TestQuicCryptoClientStream() override = default;
 
@@ -244,13 +244,12 @@ class TestQuicCryptoClientStream : public TestQuicCryptoStream {
   bool CryptoConnect() { return handshaker_->CryptoConnect(); }
 
   FakeProofVerifier* GetFakeProofVerifier() const {
-    return proof_verifier_.get();
+    return static_cast<FakeProofVerifier*>(crypto_config_.proof_verifier());
   }
 
  private:
-  std::unique_ptr<FakeProofVerifier> proof_verifier_;
   MockProofHandler proof_handler_;
-  bssl::UniquePtr<SSL_CTX> ssl_ctx_;
+  QuicCryptoClientConfig crypto_config_;
   std::unique_ptr<TlsClientHandshaker> handshaker_;
 };
 
@@ -272,6 +271,10 @@ class TestQuicCryptoServerStream : public TestQuicCryptoStream {
     handshaker_->CancelOutstandingCallbacks();
   }
 
+  void OnPacketDecrypted(EncryptionLevel level) override {
+    handshaker_->OnPacketDecrypted(level);
+  }
+
   TlsHandshaker* handshaker() const override { return handshaker_.get(); }
 
   FakeProofSource* GetFakeProofSource() const { return proof_source_; }
@@ -334,8 +337,8 @@ class TlsHandshakerTest : public QuicTest {
     EXPECT_TRUE(client_stream_->encryption_established());
     EXPECT_TRUE(server_stream_->handshake_confirmed());
     EXPECT_TRUE(server_stream_->encryption_established());
-    EXPECT_TRUE(client_conn_->IsHandshakeConfirmed());
-    EXPECT_TRUE(server_conn_->IsHandshakeConfirmed());
+    EXPECT_TRUE(client_conn_->IsHandshakeComplete());
+    EXPECT_TRUE(server_conn_->IsHandshakeComplete());
 
     const auto& client_crypto_params =
         client_stream_->crypto_negotiated_params();
@@ -370,17 +373,11 @@ class TlsHandshakerTest : public QuicTest {
 };
 
 TEST_F(TlsHandshakerTest, CryptoHandshake) {
-  EXPECT_FALSE(client_conn_->IsHandshakeConfirmed());
-  EXPECT_FALSE(server_conn_->IsHandshakeConfirmed());
+  EXPECT_FALSE(client_conn_->IsHandshakeComplete());
+  EXPECT_FALSE(server_conn_->IsHandshakeComplete());
 
   EXPECT_CALL(*client_conn_, CloseConnection(_, _, _)).Times(0);
   EXPECT_CALL(*server_conn_, CloseConnection(_, _, _)).Times(0);
-  EXPECT_CALL(client_session_,
-              OnCryptoHandshakeEvent(QuicSession::ENCRYPTION_ESTABLISHED));
-  EXPECT_CALL(client_session_,
-              OnCryptoHandshakeEvent(QuicSession::HANDSHAKE_CONFIRMED));
-  EXPECT_CALL(server_session_,
-              OnCryptoHandshakeEvent(QuicSession::HANDSHAKE_CONFIRMED));
   EXPECT_CALL(client_stream_->proof_handler(), OnProofVerifyDetailsAvailable);
   client_stream_->CryptoConnect();
   ExchangeHandshakeMessages(client_stream_, server_stream_);
@@ -505,7 +502,7 @@ TEST_F(TlsHandshakerTest, ClientNotSendingALPN) {
 }
 
 TEST_F(TlsHandshakerTest, ClientSendingBadALPN) {
-  static std::string kTestBadClientAlpn = "bad-client-alpn";
+  const std::string kTestBadClientAlpn = "bad-client-alpn";
   EXPECT_CALL(client_session_, GetAlpnsToOffer())
       .WillOnce(Return(std::vector<std::string>({kTestBadClientAlpn})));
   EXPECT_CALL(*client_conn_, CloseConnection(QUIC_HANDSHAKE_FAILED,
@@ -539,9 +536,9 @@ TEST_F(TlsHandshakerTest, ClientSendingTooManyALPNs) {
 }
 
 TEST_F(TlsHandshakerTest, ServerRequiresCustomALPN) {
-  static const std::string kTestAlpn = "An ALPN That Client Did Not Offer";
+  const std::string kTestAlpn = "An ALPN That Client Did Not Offer";
   EXPECT_CALL(server_session_, SelectAlpn(_))
-      .WillOnce([](const std::vector<QuicStringPiece>& alpns) {
+      .WillOnce([kTestAlpn](const std::vector<QuicStringPiece>& alpns) {
         return std::find(alpns.cbegin(), alpns.cend(), kTestAlpn);
       });
   EXPECT_CALL(*client_conn_, CloseConnection(QUIC_HANDSHAKE_FAILED,
@@ -561,23 +558,18 @@ TEST_F(TlsHandshakerTest, ServerRequiresCustomALPN) {
 TEST_F(TlsHandshakerTest, CustomALPNNegotiation) {
   EXPECT_CALL(*client_conn_, CloseConnection(_, _, _)).Times(0);
   EXPECT_CALL(*server_conn_, CloseConnection(_, _, _)).Times(0);
-  EXPECT_CALL(client_session_,
-              OnCryptoHandshakeEvent(QuicSession::ENCRYPTION_ESTABLISHED));
-  EXPECT_CALL(client_session_,
-              OnCryptoHandshakeEvent(QuicSession::HANDSHAKE_CONFIRMED));
-  EXPECT_CALL(server_session_,
-              OnCryptoHandshakeEvent(QuicSession::HANDSHAKE_CONFIRMED));
-
-  static const std::string kTestAlpn = "A Custom ALPN Value";
-  static const std::vector<std::string> kTestAlpns(
+
+  const std::string kTestAlpn = "A Custom ALPN Value";
+  const std::vector<std::string> kTestAlpns(
       {"foo", "bar", kTestAlpn, "something else"});
   EXPECT_CALL(client_session_, GetAlpnsToOffer())
       .WillRepeatedly(Return(kTestAlpns));
   EXPECT_CALL(server_session_, SelectAlpn(_))
-      .WillOnce([](const std::vector<QuicStringPiece>& alpns) {
-        EXPECT_THAT(alpns, ElementsAreArray(kTestAlpns));
-        return std::find(alpns.cbegin(), alpns.cend(), kTestAlpn);
-      });
+      .WillOnce(
+          [kTestAlpn, kTestAlpns](const std::vector<QuicStringPiece>& alpns) {
+            EXPECT_THAT(alpns, ElementsAreArray(kTestAlpns));
+            return std::find(alpns.cbegin(), alpns.cend(), kTestAlpn);
+          });
   EXPECT_CALL(client_session_, OnAlpnSelected(QuicStringPiece(kTestAlpn)));
   EXPECT_CALL(server_session_, OnAlpnSelected(QuicStringPiece(kTestAlpn)));
   client_stream_->CryptoConnect();
diff --git a/chromium/net/third_party/quiche/src/quic/core/tls_server_handshaker.cc b/chromium/net/third_party/quiche/src/quic/core/tls_server_handshaker.cc
index f08f7817466..24af98daf00 100644
--- a/chromium/net/third_party/quiche/src/quic/core/tls_server_handshaker.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/tls_server_handshaker.cc
@@ -39,11 +39,6 @@ void TlsServerHandshaker::SignatureCallback::Cancel() {
   handshaker_ = nullptr;
 }
 
-// static
-bssl::UniquePtr<SSL_CTX> TlsServerHandshaker::CreateSslCtx() {
-  return TlsServerConnection::CreateSslCtx();
-}
-
 TlsServerHandshaker::TlsServerHandshaker(QuicCryptoStream* stream,
                                          QuicSession* session,
                                          SSL_CTX* ssl_ctx,
@@ -114,6 +109,15 @@ bool TlsServerHandshaker::ZeroRttAttempted() const {
 void TlsServerHandshaker::SetPreviousCachedNetworkParams(
     CachedNetworkParameters /*cached_network_params*/) {}
 
+void TlsServerHandshaker::OnPacketDecrypted(EncryptionLevel level) {
+  if (level == ENCRYPTION_HANDSHAKE &&
+      state_ < STATE_ENCRYPTION_HANDSHAKE_DATA_PROCESSED) {
+    state_ = STATE_ENCRYPTION_HANDSHAKE_DATA_PROCESSED;
+    delegate()->DiscardOldEncryptionKey(ENCRYPTION_INITIAL);
+    delegate()->DiscardOldDecryptionKey(ENCRYPTION_INITIAL);
+  }
+}
+
 bool TlsServerHandshaker::ShouldSendExpectCTHeader() const {
   return false;
 }
@@ -257,11 +261,9 @@ void TlsServerHandshaker::FinishHandshake() {
   QUIC_LOG(INFO) << "Server: handshake finished";
   state_ = STATE_HANDSHAKE_COMPLETE;
 
-  session()->connection()->SetDefaultEncryptionLevel(ENCRYPTION_FORWARD_SECURE);
-  session()->NeuterUnencryptedData();
   encryption_established_ = true;
   handshake_confirmed_ = true;
-  session()->OnCryptoHandshakeEvent(QuicSession::HANDSHAKE_CONFIRMED);
+  delegate()->SetDefaultEncryptionLevel(ENCRYPTION_FORWARD_SECURE);
 
   // Fill crypto_negotiated_params_:
   const SSL_CIPHER* cipher = SSL_get_current_cipher(ssl());
@@ -269,8 +271,9 @@ void TlsServerHandshaker::FinishHandshake() {
     crypto_negotiated_params_->cipher_suite = SSL_CIPHER_get_value(cipher);
   }
   crypto_negotiated_params_->key_exchange_group = SSL_get_curve_id(ssl());
-
-  session()->connection()->OnHandshakeComplete();
+  // TODO(fayang): Replace this with DiscardOldKeys(ENCRYPTION_HANDSHAKE) when
+  // handshake key discarding settles down.
+  delegate()->NeuterHandshakeData();
 }
 
 ssl_private_key_result_t TlsServerHandshaker::PrivateKeySign(
diff --git a/chromium/net/third_party/quiche/src/quic/core/tls_server_handshaker.h b/chromium/net/third_party/quiche/src/quic/core/tls_server_handshaker.h
index 829aeaf618b..507324b9ccd 100644
--- a/chromium/net/third_party/quiche/src/quic/core/tls_server_handshaker.h
+++ b/chromium/net/third_party/quiche/src/quic/core/tls_server_handshaker.h
@@ -34,10 +34,6 @@ class QUIC_EXPORT_PRIVATE TlsServerHandshaker
 
   ~TlsServerHandshaker() override;
 
-  // Creates and configures an SSL_CTX to be used with a TlsServerHandshaker.
-  // The caller is responsible for ownership of the newly created struct.
-  static bssl::UniquePtr<SSL_CTX> CreateSslCtx();
-
   // From QuicCryptoServerStream::HandshakerDelegate
   void CancelOutstandingCallbacks() override;
   bool GetBase64SHA256ClientChannelID(std::string* output) const override;
@@ -50,6 +46,7 @@ class QUIC_EXPORT_PRIVATE TlsServerHandshaker
   bool ZeroRttAttempted() const override;
   void SetPreviousCachedNetworkParams(
       CachedNetworkParameters cached_network_params) override;
+  void OnPacketDecrypted(EncryptionLevel level) override;
   bool ShouldSendExpectCTHeader() const override;
 
   // From QuicCryptoServerStream::HandshakerDelegate and TlsHandshaker
@@ -88,7 +85,8 @@ class QUIC_EXPORT_PRIVATE TlsServerHandshaker
   TlsConnection::Delegate* ConnectionDelegate() override { return this; }
 
  private:
-  class SignatureCallback : public ProofSource::SignatureCallback {
+  class QUIC_EXPORT_PRIVATE SignatureCallback
+      : public ProofSource::SignatureCallback {
    public:
     explicit SignatureCallback(TlsServerHandshaker* handshaker);
     void Run(bool ok, std::string signature) override;
@@ -104,6 +102,7 @@ class QUIC_EXPORT_PRIVATE TlsServerHandshaker
     STATE_LISTENING,
     STATE_SIGNATURE_PENDING,
     STATE_SIGNATURE_COMPLETE,
+    STATE_ENCRYPTION_HANDSHAKE_DATA_PROCESSED,
     STATE_HANDSHAKE_COMPLETE,
     STATE_CONNECTION_CLOSED,
   };
diff --git a/chromium/net/third_party/quiche/src/quic/core/uber_quic_stream_id_manager.cc b/chromium/net/third_party/quiche/src/quic/core/uber_quic_stream_id_manager.cc
index f258384a46a..3fb5be8379b 100644
--- a/chromium/net/third_party/quiche/src/quic/core/uber_quic_stream_id_manager.cc
+++ b/chromium/net/third_party/quiche/src/quic/core/uber_quic_stream_id_manager.cc
@@ -135,6 +135,14 @@ void UberQuicStreamIdManager::SetLargestPeerCreatedStreamId(
       largest_peer_created_stream_id);
 }
 
+QuicStreamId UberQuicStreamIdManager::GetLargestPeerCreatedStreamId(
+    bool unidirectional) const {
+  if (unidirectional) {
+    return unidirectional_stream_id_manager_.largest_peer_created_stream_id();
+  }
+  return bidirectional_stream_id_manager_.largest_peer_created_stream_id();
+}
+
 QuicStreamId UberQuicStreamIdManager::next_outgoing_bidirectional_stream_id()
     const {
   return bidirectional_stream_id_manager_.next_outgoing_stream_id();
diff --git a/chromium/net/third_party/quiche/src/quic/core/uber_quic_stream_id_manager.h b/chromium/net/third_party/quiche/src/quic/core/uber_quic_stream_id_manager.h
index a725fdd1285..75fcb9d7d3c 100644
--- a/chromium/net/third_party/quiche/src/quic/core/uber_quic_stream_id_manager.h
+++ b/chromium/net/third_party/quiche/src/quic/core/uber_quic_stream_id_manager.h
@@ -73,6 +73,8 @@ class QUIC_EXPORT_PRIVATE UberQuicStreamIdManager {
   void SetLargestPeerCreatedStreamId(
       QuicStreamId largest_peer_created_stream_id);
 
+  QuicStreamId GetLargestPeerCreatedStreamId(bool unidirectional) const;
+
   QuicStreamId next_outgoing_bidirectional_stream_id() const;
   QuicStreamId next_outgoing_unidirectional_stream_id() const;
 
diff --git a/chromium/net/third_party/quiche/src/quic/platform/api/quic_cert_utils.h b/chromium/net/third_party/quiche/src/quic/platform/api/quic_cert_utils.h
index 1c660b5a92c..8e21fcb65db 100644
--- a/chromium/net/third_party/quiche/src/quic/platform/api/quic_cert_utils.h
+++ b/chromium/net/third_party/quiche/src/quic/platform/api/quic_cert_utils.h
@@ -5,12 +5,13 @@
 #ifndef QUICHE_QUIC_PLATFORM_API_QUIC_CERT_UTILS_H_
 #define QUICHE_QUIC_PLATFORM_API_QUIC_CERT_UTILS_H_
 
+#include "net/third_party/quiche/src/quic/platform/api/quic_export.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_string_piece.h"
 #include "net/quic/platform/impl/quic_cert_utils_impl.h"
 
 namespace quic {
 
-class QuicCertUtils {
+class QUIC_EXPORT_PRIVATE QuicCertUtils {
  public:
   static bool ExtractSubjectNameFromDERCert(QuicStringPiece cert,
                                             QuicStringPiece* subject_out) {
diff --git a/chromium/net/third_party/quiche/src/quic/platform/api/quic_endian_test.cc b/chromium/net/third_party/quiche/src/quic/platform/api/quic_endian_test.cc
deleted file mode 100644
index d054d963021..00000000000
--- a/chromium/net/third_party/quiche/src/quic/platform/api/quic_endian_test.cc
+++ /dev/null
@@ -1,51 +0,0 @@
-// Copyright 2017 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "net/third_party/quiche/src/quic/platform/api/quic_endian.h"
-
-#include "net/third_party/quiche/src/quic/platform/api/quic_test.h"
-
-namespace quic {
-namespace test {
-namespace {
-
-const uint16_t k16BitTestData = 0xaabb;
-const uint16_t k16BitSwappedTestData = 0xbbaa;
-const uint32_t k32BitTestData = 0xaabbccdd;
-const uint32_t k32BitSwappedTestData = 0xddccbbaa;
-const uint64_t k64BitTestData = 0xaabbccdd44332211;
-const uint64_t k64BitSwappedTestData = 0x11223344ddccbbaa;
-
-class QuicEndianTest : public QuicTest {};
-
-TEST_F(QuicEndianTest, HostToNet) {
-  if (QuicEndian::HostIsLittleEndian()) {
-    EXPECT_EQ(k16BitSwappedTestData, QuicEndian::HostToNet16(k16BitTestData));
-    EXPECT_EQ(k32BitSwappedTestData, QuicEndian::HostToNet32(k32BitTestData));
-    EXPECT_EQ(k64BitSwappedTestData, QuicEndian::HostToNet64(k64BitTestData));
-  } else {
-    EXPECT_EQ(k16BitTestData, QuicEndian::HostToNet16(k16BitTestData));
-    EXPECT_EQ(k32BitTestData, QuicEndian::HostToNet32(k32BitTestData));
-    EXPECT_EQ(k64BitTestData, QuicEndian::HostToNet64(k64BitTestData));
-  }
-}
-
-TEST_F(QuicEndianTest, NetToHost) {
-  if (QuicEndian::HostIsLittleEndian()) {
-    EXPECT_EQ(k16BitTestData, QuicEndian::NetToHost16(k16BitSwappedTestData));
-    EXPECT_EQ(k32BitTestData, QuicEndian::NetToHost32(k32BitSwappedTestData));
-    EXPECT_EQ(k64BitTestData, QuicEndian::NetToHost64(k64BitSwappedTestData));
-  } else {
-    EXPECT_EQ(k16BitSwappedTestData,
-              QuicEndian::NetToHost16(k16BitSwappedTestData));
-    EXPECT_EQ(k32BitSwappedTestData,
-              QuicEndian::NetToHost32(k32BitSwappedTestData));
-    EXPECT_EQ(k64BitSwappedTestData,
-              QuicEndian::NetToHost64(k64BitSwappedTestData));
-  }
-}
-
-}  // namespace
-}  // namespace test
-}  // namespace quic
diff --git a/chromium/net/third_party/quiche/src/quic/platform/api/quic_export.h b/chromium/net/third_party/quiche/src/quic/platform/api/quic_export.h
index 8ffd6765259..90696a6fba6 100644
--- a/chromium/net/third_party/quiche/src/quic/platform/api/quic_export.h
+++ b/chromium/net/third_party/quiche/src/quic/platform/api/quic_export.h
@@ -7,4 +7,11 @@
 
 #include "net/quic/platform/impl/quic_export_impl.h"
 
+// quic_export_impl.h defines the following macros:
+// - QUIC_EXPORT is not meant to be used.
+// - QUIC_EXPORT_PRIVATE is meant for QUIC functionality that is built in
+//   Chromium as part of //net, and not fully contained in headers.
+// - QUIC_NO_EXPORT is meant for QUIC functionality that is either fully defined
+//   in a header, or is built in Chromium as part of tests or tools.
+
 #endif  // QUICHE_QUIC_PLATFORM_API_QUIC_EXPORT_H_
diff --git a/chromium/net/third_party/quiche/src/quic/platform/api/quic_ptr_util.h b/chromium/net/third_party/quiche/src/quic/platform/api/quic_ptr_util.h
index d0ed4606cbb..71045e1c30e 100644
--- a/chromium/net/third_party/quiche/src/quic/platform/api/quic_ptr_util.h
+++ b/chromium/net/third_party/quiche/src/quic/platform/api/quic_ptr_util.h
@@ -12,11 +12,6 @@
 
 namespace quic {
 
-template <typename T, typename... Args>
-std::unique_ptr<T> QuicMakeUnique(Args&&... args) {
-  return QuicMakeUniqueImpl<T>(std::forward<Args>(args)...);
-}
-
 template <typename T>
 std::unique_ptr<T> QuicWrapUnique(T* ptr) {
   return QuicWrapUniqueImpl<T>(ptr);
diff --git a/chromium/net/third_party/quiche/src/quic/platform/api/quic_reference_counted.h b/chromium/net/third_party/quiche/src/quic/platform/api/quic_reference_counted.h
index 6ffc237db36..18f6f37f5ab 100644
--- a/chromium/net/third_party/quiche/src/quic/platform/api/quic_reference_counted.h
+++ b/chromium/net/third_party/quiche/src/quic/platform/api/quic_reference_counted.h
@@ -51,7 +51,7 @@ class QUIC_EXPORT_PRIVATE QuicReferenceCounted
 // QuicReferenceCountedPointer<T> r_ptr_b = std::move(r_ptr_a);
 
 template <class T>
-class QuicReferenceCountedPointer {
+class QUIC_NO_EXPORT QuicReferenceCountedPointer {
  public:
   QuicReferenceCountedPointer() = default;
 
diff --git a/chromium/net/third_party/quiche/src/quic/platform/api/quic_test.h b/chromium/net/third_party/quiche/src/quic/platform/api/quic_test.h
index 2f3286541a9..f4ef99a3624 100644
--- a/chromium/net/third_party/quiche/src/quic/platform/api/quic_test.h
+++ b/chromium/net/third_party/quiche/src/quic/platform/api/quic_test.h
@@ -23,6 +23,11 @@ using ScopedEnvironmentForThreads = ScopedEnvironmentForThreadsImpl;
 
 inline std::string QuicGetTestMemoryCachePath() {
   return QuicGetTestMemoryCachePathImpl();
+
+#define EXPECT_QUIC_DEBUG_DEATH(condition, message) \
+  EXPECT_QUIC_DEBUG_DEATH_IMPL(condition, message)
 }
 
+#define QUIC_SLOW_TEST(test) QUIC_SLOW_TEST_IMPL(test)
+
 #endif  // QUICHE_QUIC_PLATFORM_API_QUIC_TEST_H_
diff --git a/chromium/net/third_party/quiche/src/quic/platform/api/quic_test_mem_slice_vector.h b/chromium/net/third_party/quiche/src/quic/platform/api/quic_test_mem_slice_vector.h
index 06be8f7a501..734db63684b 100644
--- a/chromium/net/third_party/quiche/src/quic/platform/api/quic_test_mem_slice_vector.h
+++ b/chromium/net/third_party/quiche/src/quic/platform/api/quic_test_mem_slice_vector.h
@@ -18,7 +18,7 @@ namespace test {
 // Tests using QuicTestMemSliceVector need to make sure the actual data buffers
 // outlive QuicTestMemSliceVector, and QuicTestMemSliceVector outlive the
 // returned QuicMemSliceSpan.
-class QuicTestMemSliceVector {
+class QUIC_NO_EXPORT QuicTestMemSliceVector {
  public:
   explicit QuicTestMemSliceVector(std::vector<std::pair<char*, size_t>> buffers)
       : impl_(std::move(buffers)) {}
diff --git a/chromium/net/third_party/quiche/src/quic/platform/api/quic_text_utils.h b/chromium/net/third_party/quiche/src/quic/platform/api/quic_text_utils.h
index 1fa3c72ab16..186368f4f37 100644
--- a/chromium/net/third_party/quiche/src/quic/platform/api/quic_text_utils.h
+++ b/chromium/net/third_party/quiche/src/quic/platform/api/quic_text_utils.h
@@ -7,13 +7,14 @@
 
 #include <string>
 
+#include "net/third_party/quiche/src/quic/platform/api/quic_export.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_string_piece.h"
 #include "net/quic/platform/impl/quic_text_utils_impl.h"
 
 namespace quic {
 
 // Various utilities for manipulating text.
-class QuicTextUtils {
+class QUIC_EXPORT_PRIVATE QuicTextUtils {
  public:
   // Returns true if |data| starts with |prefix|, case sensitively.
   static bool StartsWith(QuicStringPiece data, QuicStringPiece prefix) {
diff --git a/chromium/net/third_party/quiche/src/quic/platform/api/quic_thread.h b/chromium/net/third_party/quiche/src/quic/platform/api/quic_thread.h
index 7032dc425af..4b1e5642c58 100644
--- a/chromium/net/third_party/quiche/src/quic/platform/api/quic_thread.h
+++ b/chromium/net/third_party/quiche/src/quic/platform/api/quic_thread.h
@@ -7,12 +7,13 @@
 
 #include <string>
 
+#include "net/third_party/quiche/src/quic/platform/api/quic_export.h"
 #include "net/quic/platform/impl/quic_thread_impl.h"
 
 namespace quic {
 
 // A class representing a thread of execution in QUIC.
-class QuicThread : public QuicThreadImpl {
+class QUIC_EXPORT_PRIVATE QuicThread : public QuicThreadImpl {
  public:
   QuicThread(const std::string& string) : QuicThreadImpl(string) {}
   QuicThread(const QuicThread&) = delete;
diff --git a/chromium/net/third_party/quiche/src/quic/qbone/bonnet/icmp_reachable.cc b/chromium/net/third_party/quiche/src/quic/qbone/bonnet/icmp_reachable.cc
index 7779a8b212f..a6913d10fd6 100644
--- a/chromium/net/third_party/quiche/src/quic/qbone/bonnet/icmp_reachable.cc
+++ b/chromium/net/third_party/quiche/src/quic/qbone/bonnet/icmp_reachable.cc
@@ -7,11 +7,11 @@
 #include <netinet/ip6.h>
 
 #include "net/third_party/quiche/src/quic/core/crypto/quic_random.h"
-#include "net/third_party/quiche/src/quic/platform/api/quic_endian.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_logging.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_mutex.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_text_utils.h"
 #include "net/third_party/quiche/src/quic/qbone/platform/icmp_packet.h"
+#include "net/third_party/quiche/src/common/platform/api/quiche_endian.h"
 
 namespace quic {
 namespace {
diff --git a/chromium/net/third_party/quiche/src/quic/qbone/bonnet/icmp_reachable_test.cc b/chromium/net/third_party/quiche/src/quic/qbone/bonnet/icmp_reachable_test.cc
index 303f0e280b7..99de19ca9ad 100644
--- a/chromium/net/third_party/quiche/src/quic/qbone/bonnet/icmp_reachable_test.cc
+++ b/chromium/net/third_party/quiche/src/quic/qbone/bonnet/icmp_reachable_test.cc
@@ -118,7 +118,7 @@ class IcmpReachableTest : public QuicTest {
 };
 
 TEST_F(IcmpReachableTest, SendsPings) {
-  IcmpReachable reachable(source_, destination_, absl::Seconds(0), &kernel_,
+  IcmpReachable reachable(source_, destination_, absl::ZeroDuration(), &kernel_,
                           &epoll_server_, &stats_);
 
   SetFdExpectations();
@@ -140,7 +140,7 @@ TEST_F(IcmpReachableTest, SendsPings) {
 }
 
 TEST_F(IcmpReachableTest, HandlesUnreachableEvents) {
-  IcmpReachable reachable(source_, destination_, absl::Seconds(0), &kernel_,
+  IcmpReachable reachable(source_, destination_, absl::ZeroDuration(), &kernel_,
                           &epoll_server_, &stats_);
 
   SetFdExpectations();
@@ -164,7 +164,7 @@ TEST_F(IcmpReachableTest, HandlesUnreachableEvents) {
 }
 
 TEST_F(IcmpReachableTest, HandlesReachableEvents) {
-  IcmpReachable reachable(source_, destination_, absl::Seconds(0), &kernel_,
+  IcmpReachable reachable(source_, destination_, absl::ZeroDuration(), &kernel_,
                           &epoll_server_, &stats_);
 
   SetFdExpectations();
@@ -212,7 +212,7 @@ TEST_F(IcmpReachableTest, HandlesReachableEvents) {
 }
 
 TEST_F(IcmpReachableTest, HandlesWriteErrors) {
-  IcmpReachable reachable(source_, destination_, absl::Seconds(0), &kernel_,
+  IcmpReachable reachable(source_, destination_, absl::ZeroDuration(), &kernel_,
                           &epoll_server_, &stats_);
 
   SetFdExpectations();
@@ -232,7 +232,7 @@ TEST_F(IcmpReachableTest, HandlesWriteErrors) {
 }
 
 TEST_F(IcmpReachableTest, HandlesReadErrors) {
-  IcmpReachable reachable(source_, destination_, absl::Seconds(0), &kernel_,
+  IcmpReachable reachable(source_, destination_, absl::ZeroDuration(), &kernel_,
                           &epoll_server_, &stats_);
 
   SetFdExpectations();
diff --git a/chromium/net/third_party/quiche/src/quic/qbone/bonnet/mock_packet_exchanger_stats_interface.h b/chromium/net/third_party/quiche/src/quic/qbone/bonnet/mock_packet_exchanger_stats_interface.h
new file mode 100644
index 00000000000..f74e2a3bd30
--- /dev/null
+++ b/chromium/net/third_party/quiche/src/quic/qbone/bonnet/mock_packet_exchanger_stats_interface.h
@@ -0,0 +1,27 @@
+// Copyright (c) 2019 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef QUICHE_QUIC_QBONE_BONNET_MOCK_PACKET_EXCHANGER_STATS_INTERFACE_H_
+#define QUICHE_QUIC_QBONE_BONNET_MOCK_PACKET_EXCHANGER_STATS_INTERFACE_H_
+
+#include "net/third_party/quiche/src/quic/platform/api/quic_test.h"
+#include "net/third_party/quiche/src/quic/qbone/bonnet/tun_device_packet_exchanger.h"
+
+namespace quic {
+
+class MockPacketExchangerStatsInterface
+    : public TunDevicePacketExchanger::StatsInterface {
+ public:
+  MOCK_METHOD0(OnPacketRead, void());
+  MOCK_METHOD0(OnPacketWritten, void());
+  MOCK_METHOD1(OnReadError, void(string*));
+  MOCK_METHOD1(OnWriteError, void(string*));
+
+  MOCK_CONST_METHOD0(PacketsRead, int64_t());
+  MOCK_CONST_METHOD0(PacketsWritten, int64_t());
+};
+
+}  // namespace quic
+
+#endif  // QUICHE_QUIC_QBONE_BONNET_MOCK_PACKET_EXCHANGER_STATS_INTERFACE_H_
diff --git a/chromium/net/third_party/quiche/src/quic/qbone/bonnet/tun_device.cc b/chromium/net/third_party/quiche/src/quic/qbone/bonnet/tun_device.cc
index 6c0a8a55ed8..e266654892b 100644
--- a/chromium/net/third_party/quiche/src/quic/qbone/bonnet/tun_device.cc
+++ b/chromium/net/third_party/quiche/src/quic/qbone/bonnet/tun_device.cc
@@ -30,7 +30,9 @@ TunDevice::TunDevice(const string& interface_name,
       kernel_(*kernel) {}
 
 TunDevice::~TunDevice() {
-  Down();
+  if (!persist_) {
+    Down();
+  }
   CleanUpFileDescriptor();
 }
 
diff --git a/chromium/net/third_party/quiche/src/quic/qbone/bonnet/tun_device_packet_exchanger.cc b/chromium/net/third_party/quiche/src/quic/qbone/bonnet/tun_device_packet_exchanger.cc
index 799247c0dfa..37fd2c0163b 100644
--- a/chromium/net/third_party/quiche/src/quic/qbone/bonnet/tun_device_packet_exchanger.cc
+++ b/chromium/net/third_party/quiche/src/quic/qbone/bonnet/tun_device_packet_exchanger.cc
@@ -81,4 +81,9 @@ int TunDevicePacketExchanger::file_descriptor() const {
   return fd_;
 }
 
+const TunDevicePacketExchanger::StatsInterface*
+TunDevicePacketExchanger::stats_interface() const {
+  return stats_;
+}
+
 }  // namespace quic
diff --git a/chromium/net/third_party/quiche/src/quic/qbone/bonnet/tun_device_packet_exchanger.h b/chromium/net/third_party/quiche/src/quic/qbone/bonnet/tun_device_packet_exchanger.h
index 12d9efa714a..42ed7fb5214 100644
--- a/chromium/net/third_party/quiche/src/quic/qbone/bonnet/tun_device_packet_exchanger.h
+++ b/chromium/net/third_party/quiche/src/quic/qbone/bonnet/tun_device_packet_exchanger.h
@@ -30,6 +30,9 @@ class TunDevicePacketExchanger : public QbonePacketExchanger {
     virtual void OnPacketWritten() = 0;
     virtual void OnReadError(string* error) = 0;
     virtual void OnWriteError(string* error) = 0;
+
+    ABSL_MUST_USE_RESULT virtual int64_t PacketsRead() const = 0;
+    ABSL_MUST_USE_RESULT virtual int64_t PacketsWritten() const = 0;
   };
 
   // |fd| is a open file descriptor on a TUN device that's opened for both read
@@ -48,7 +51,9 @@ class TunDevicePacketExchanger : public QbonePacketExchanger {
                            size_t max_pending_packets,
                            StatsInterface* stats);
 
-  int file_descriptor() const;
+  ABSL_MUST_USE_RESULT int file_descriptor() const;
+
+  ABSL_MUST_USE_RESULT const StatsInterface* stats_interface() const;
 
  private:
   // From QbonePacketExchanger.
diff --git a/chromium/net/third_party/quiche/src/quic/qbone/bonnet/tun_device_packet_exchanger_test.cc b/chromium/net/third_party/quiche/src/quic/qbone/bonnet/tun_device_packet_exchanger_test.cc
index 026ec26da5e..0f25e73eab4 100644
--- a/chromium/net/third_party/quiche/src/quic/qbone/bonnet/tun_device_packet_exchanger_test.cc
+++ b/chromium/net/third_party/quiche/src/quic/qbone/bonnet/tun_device_packet_exchanger_test.cc
@@ -5,6 +5,7 @@
 #include "net/third_party/quiche/src/quic/qbone/bonnet/tun_device_packet_exchanger.h"
 
 #include "net/third_party/quiche/src/quic/platform/api/quic_test.h"
+#include "net/third_party/quiche/src/quic/qbone/bonnet/mock_packet_exchanger_stats_interface.h"
 #include "net/third_party/quiche/src/quic/qbone/mock_qbone_client.h"
 #include "net/third_party/quiche/src/quic/qbone/platform/mock_kernel.h"
 
@@ -26,15 +27,6 @@ class MockVisitor : public QbonePacketExchanger::Visitor {
   MOCK_METHOD1(OnWriteError, void(const string&));
 };
 
-class MockStatsInterface : public TunDevicePacketExchanger::StatsInterface {
- public:
-  MOCK_METHOD0(OnPacketRead, void());
-  MOCK_METHOD0(OnPacketWritten, void());
-
-  MOCK_METHOD1(OnReadError, void(string*));
-  MOCK_METHOD1(OnWriteError, void(string*));
-};
-
 class TunDevicePacketExchangerTest : public QuicTest {
  protected:
   TunDevicePacketExchangerTest()
@@ -50,7 +42,7 @@ class TunDevicePacketExchangerTest : public QuicTest {
   MockKernel mock_kernel_;
   StrictMock<MockVisitor> mock_visitor_;
   StrictMock<MockQboneClient> mock_client_;
-  StrictMock<MockStatsInterface> mock_stats_;
+  StrictMock<MockPacketExchangerStatsInterface> mock_stats_;
   TunDevicePacketExchanger exchanger_;
 };
 
diff --git a/chromium/net/third_party/quiche/src/quic/qbone/platform/icmp_packet.cc b/chromium/net/third_party/quiche/src/quic/qbone/platform/icmp_packet.cc
index 8ba3916b951..9039944583c 100644
--- a/chromium/net/third_party/quiche/src/quic/qbone/platform/icmp_packet.cc
+++ b/chromium/net/third_party/quiche/src/quic/qbone/platform/icmp_packet.cc
@@ -5,8 +5,9 @@
 #include "net/third_party/quiche/src/quic/qbone/platform/icmp_packet.h"
 
 #include <netinet/ip6.h>
-#include "net/third_party/quiche/src/quic/platform/api/quic_endian.h"
+
 #include "net/third_party/quiche/src/quic/qbone/platform/internet_checksum.h"
+#include "net/third_party/quiche/src/common/platform/api/quiche_endian.h"
 
 namespace quic {
 namespace {
@@ -46,7 +47,8 @@ void CreateIcmpPacket(in6_addr src,
   // Set version to 6.
   icmp_packet.ip_header.ip6_vfc = 0x6 << 4;
   // Set the payload size, protocol and TTL.
-  icmp_packet.ip_header.ip6_plen = QuicEndian::HostToNet16(payload_size);
+  icmp_packet.ip_header.ip6_plen =
+      quiche::QuicheEndian::HostToNet16(payload_size);
   icmp_packet.ip_header.ip6_nxt = IPPROTO_ICMPV6;
   icmp_packet.ip_header.ip6_hops = kIcmpTtl;
   // Set the source address to the specified self IP.
@@ -58,7 +60,7 @@ void CreateIcmpPacket(in6_addr src,
   icmp_packet.icmp_header.icmp6_cksum = 0;
 
   IPv6PseudoHeader pseudo_header{};
-  pseudo_header.payload_size = QuicEndian::HostToNet32(payload_size);
+  pseudo_header.payload_size = quiche::QuicheEndian::HostToNet32(payload_size);
 
   InternetChecksum checksum;
   // Pseudoheader.
diff --git a/chromium/net/third_party/quiche/src/quic/qbone/platform/internet_checksum.cc b/chromium/net/third_party/quiche/src/quic/qbone/platform/internet_checksum.cc
index 9cbe227abdc..b98c85767b4 100644
--- a/chromium/net/third_party/quiche/src/quic/qbone/platform/internet_checksum.cc
+++ b/chromium/net/third_party/quiche/src/quic/qbone/platform/internet_checksum.cc
@@ -3,7 +3,6 @@
 // found in the LICENSE file.
 
 #include "net/third_party/quiche/src/quic/qbone/platform/internet_checksum.h"
-#include "net/third_party/quiche/src/quic/platform/api/quic_endian.h"
 
 namespace quic {
 
diff --git a/chromium/net/third_party/quiche/src/quic/qbone/platform/ip_range.cc b/chromium/net/third_party/quiche/src/quic/qbone/platform/ip_range.cc
index 15ebb726b86..03ad6407996 100644
--- a/chromium/net/third_party/quiche/src/quic/qbone/platform/ip_range.cc
+++ b/chromium/net/third_party/quiche/src/quic/qbone/platform/ip_range.cc
@@ -4,7 +4,7 @@
 
 #include "net/third_party/quiche/src/quic/qbone/platform/ip_range.h"
 
-#include "net/third_party/quiche/src/quic/platform/api/quic_endian.h"
+#include "net/third_party/quiche/src/common/platform/api/quiche_endian.h"
 
 namespace quic {
 
@@ -23,9 +23,9 @@ QuicIpAddress TruncateToLength(const QuicIpAddress& input,
     }
     uint32_t raw_address =
         *reinterpret_cast<const uint32_t*>(input.ToPackedString().data());
-    raw_address = QuicEndian::NetToHost32(raw_address);
+    raw_address = quiche::QuicheEndian::NetToHost32(raw_address);
     raw_address &= ~0U << (kIPv4Size - *prefix_length);
-    raw_address = QuicEndian::HostToNet32(raw_address);
+    raw_address = quiche::QuicheEndian::HostToNet32(raw_address);
     output.FromPackedString(reinterpret_cast<const char*>(&raw_address),
                             sizeof(raw_address));
     return output;
@@ -42,16 +42,16 @@ QuicIpAddress TruncateToLength(const QuicIpAddress& input,
     // out.
     // The endianess between raw_address[0] and raw_address[1] is handled
     // explicitly by handling lower and higher bytes separately.
-    raw_address[0] = QuicEndian::NetToHost64(raw_address[0]);
-    raw_address[1] = QuicEndian::NetToHost64(raw_address[1]);
+    raw_address[0] = quiche::QuicheEndian::NetToHost64(raw_address[0]);
+    raw_address[1] = quiche::QuicheEndian::NetToHost64(raw_address[1]);
     if (*prefix_length <= kIPv6Size / 2) {
       raw_address[0] &= ~uint64_t{0} << (kIPv6Size / 2 - *prefix_length);
       raw_address[1] = 0;
     } else {
       raw_address[1] &= ~uint64_t{0} << (kIPv6Size - *prefix_length);
     }
-    raw_address[0] = QuicEndian::HostToNet64(raw_address[0]);
-    raw_address[1] = QuicEndian::HostToNet64(raw_address[1]);
+    raw_address[0] = quiche::QuicheEndian::HostToNet64(raw_address[0]);
+    raw_address[1] = quiche::QuicheEndian::HostToNet64(raw_address[1]);
     output.FromPackedString(reinterpret_cast<const char*>(raw_address),
                             sizeof(raw_address));
     return output;
diff --git a/chromium/net/third_party/quiche/src/quic/qbone/platform/netlink_test.cc b/chromium/net/third_party/quiche/src/quic/qbone/platform/netlink_test.cc
index 7bd5f6b8563..04ce68cd9a9 100644
--- a/chromium/net/third_party/quiche/src/quic/qbone/platform/netlink_test.cc
+++ b/chromium/net/third_party/quiche/src/quic/qbone/platform/netlink_test.cc
@@ -45,7 +45,7 @@ class NetlinkTest : public QuicTest {
     InSequence s;
 
     EXPECT_CALL(mock_kernel_, sendmsg(kSocketFd, _, _))
-        .WillOnce(Invoke([this, type, flags, send_callback](
+        .WillOnce(Invoke([type, flags, send_callback](
                              Unused, const struct msghdr* msg, int) {
           EXPECT_EQ(sizeof(struct sockaddr_nl), msg->msg_namelen);
           auto* nl_addr =
@@ -251,7 +251,7 @@ TEST_F(NetlinkTest, GetLinkInfoWorks) {
 
   ExpectNetlinkPacket(
       RTM_GETLINK, NLM_F_ROOT | NLM_F_MATCH | NLM_F_REQUEST,
-      [this, &hwaddr, &bcaddr](void* buf, size_t len, int seq) {
+      [&hwaddr, &bcaddr](void* buf, size_t len, int seq) {
         int ret = 0;
 
         struct nlmsghdr* netlink_message =
@@ -291,7 +291,7 @@ TEST_F(NetlinkTest, GetAddressesWorks) {
 
   ExpectNetlinkPacket(
       RTM_GETADDR, NLM_F_ROOT | NLM_F_MATCH | NLM_F_REQUEST,
-      [this, &addresses](void* buf, size_t len, int seq) {
+      [&addresses](void* buf, size_t len, int seq) {
         int ret = 0;
 
         struct nlmsghdr* nlm = nullptr;
diff --git a/chromium/net/third_party/quiche/src/quic/qbone/platform/tcp_packet.cc b/chromium/net/third_party/quiche/src/quic/qbone/platform/tcp_packet.cc
index 56fa88ab2d3..2566d25eded 100644
--- a/chromium/net/third_party/quiche/src/quic/qbone/platform/tcp_packet.cc
+++ b/chromium/net/third_party/quiche/src/quic/qbone/platform/tcp_packet.cc
@@ -6,9 +6,9 @@
 
 #include <netinet/ip6.h>
 
-#include "net/third_party/quiche/src/quic/platform/api/quic_endian.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_logging.h"
 #include "net/third_party/quiche/src/quic/qbone/platform/internet_checksum.h"
+#include "net/third_party/quiche/src/common/platform/api/quiche_endian.h"
 
 namespace quic {
 namespace {
@@ -45,8 +45,8 @@ void CreateTcpResetPacket(
   if (QUIC_PREDICT_FALSE(ip6_header->ip6_nxt != IPPROTO_TCP)) {
     return;
   }
-  if (QUIC_PREDICT_FALSE(QuicEndian::NetToHost16(ip6_header->ip6_plen) <
-                         sizeof(tcphdr))) {
+  if (QUIC_PREDICT_FALSE(quiche::QuicheEndian::NetToHost16(
+                             ip6_header->ip6_plen) < sizeof(tcphdr))) {
     return;
   }
   auto* tcp_header = reinterpret_cast<const tcphdr*>(ip6_header + 1);
@@ -60,7 +60,8 @@ void CreateTcpResetPacket(
   // Set version to 6.
   tcp_packet.ip_header.ip6_vfc = 0x6 << 4;
   // Set the payload size, protocol and TTL.
-  tcp_packet.ip_header.ip6_plen = QuicEndian::HostToNet16(payload_size);
+  tcp_packet.ip_header.ip6_plen =
+      quiche::QuicheEndian::HostToNet16(payload_size);
   tcp_packet.ip_header.ip6_nxt = IPPROTO_TCP;
   tcp_packet.ip_header.ip6_hops = kTcpTtl;
   // Since the TCP RST is impersonating the endpoint, flip the source and
@@ -98,12 +99,12 @@ void CreateTcpResetPacket(
     // the sum of the sequence number and segment length of the incoming segment
     tcp_packet.tcp_header.ack = 1;
     tcp_packet.tcp_header.seq = 0;
-    tcp_packet.tcp_header.ack_seq =
-        QuicEndian::HostToNet32(QuicEndian::NetToHost32(tcp_header->seq) + 1);
+    tcp_packet.tcp_header.ack_seq = quiche::QuicheEndian::HostToNet32(
+        quiche::QuicheEndian::NetToHost32(tcp_header->seq) + 1);
   }
 
   TCPv6PseudoHeader pseudo_header{};
-  pseudo_header.payload_size = QuicEndian::HostToNet32(payload_size);
+  pseudo_header.payload_size = quiche::QuicheEndian::HostToNet32(payload_size);
 
   InternetChecksum checksum;
   // Pseudoheader.
diff --git a/chromium/net/third_party/quiche/src/quic/qbone/qbone_client.cc b/chromium/net/third_party/quiche/src/quic/qbone/qbone_client.cc
index e585d058386..95e3aeaf090 100644
--- a/chromium/net/third_party/quiche/src/quic/qbone/qbone_client.cc
+++ b/chromium/net/third_party/quiche/src/quic/qbone/qbone_client.cc
@@ -40,7 +40,8 @@ QboneClient::QboneClient(QuicSocketAddress server_address,
           new QuicEpollConnectionHelper(epoll_server, QuicAllocator::SIMPLE),
           new QuicEpollAlarmFactory(epoll_server),
           CreateNetworkHelper(epoll_server, this),
-          std::move(proof_verifier)),
+          std::move(proof_verifier),
+          nullptr),
       qbone_writer_(qbone_writer),
       qbone_handler_(qbone_handler),
       session_owner_(session_owner) {
diff --git a/chromium/net/third_party/quiche/src/quic/qbone/qbone_packet_processor.cc b/chromium/net/third_party/quiche/src/quic/qbone/qbone_packet_processor.cc
index db7a1382a8f..39b622b4de5 100644
--- a/chromium/net/third_party/quiche/src/quic/qbone/qbone_packet_processor.cc
+++ b/chromium/net/third_party/quiche/src/quic/qbone/qbone_packet_processor.cc
@@ -7,11 +7,11 @@
 #include <cstring>
 
 #include "net/third_party/quiche/src/quic/platform/api/quic_bug_tracker.h"
-#include "net/third_party/quiche/src/quic/platform/api/quic_endian.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_logging.h"
 #include "net/third_party/quiche/src/quic/qbone/platform/icmp_packet.h"
 #include "net/third_party/quiche/src/quic/qbone/platform/internet_checksum.h"
 #include "net/third_party/quiche/src/quic/qbone/platform/tcp_packet.h"
+#include "net/third_party/quiche/src/common/platform/api/quiche_endian.h"
 
 namespace {
 
@@ -171,7 +171,7 @@ QbonePacketProcessor::ProcessingResult QbonePacketProcessor::ProcessIPv6Header(
 
   // Check payload size.
   const size_t declared_payload_size =
-      QuicEndian::NetToHost16(header->ip6_plen);
+      quiche::QuicheEndian::NetToHost16(header->ip6_plen);
   const size_t actual_payload_size = packet->size() - kIPv6HeaderSize;
   if (declared_payload_size != actual_payload_size) {
     QUIC_DVLOG(1)
diff --git a/chromium/net/third_party/quiche/src/quic/qbone/qbone_session_base.cc b/chromium/net/third_party/quiche/src/quic/qbone/qbone_session_base.cc
index 62bcaa4a511..c3e7731bcd0 100644
--- a/chromium/net/third_party/quiche/src/quic/qbone/qbone_session_base.cc
+++ b/chromium/net/third_party/quiche/src/quic/qbone/qbone_session_base.cc
@@ -4,11 +4,15 @@
 
 #include "net/third_party/quiche/src/quic/qbone/qbone_session_base.h"
 
+#include <netinet/icmp6.h>
+#include <netinet/ip6.h>
+
 #include <utility>
 
 #include "net/third_party/quiche/src/quic/core/quic_data_reader.h"
 #include "net/third_party/quiche/src/quic/core/quic_types.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_exported_stats.h"
+#include "net/third_party/quiche/src/quic/qbone/platform/icmp_packet.h"
 #include "net/third_party/quiche/src/quic/qbone/qbone_constants.h"
 
 namespace quic {
@@ -137,12 +141,41 @@ void QboneSessionBase::SendPacketToPeer(QuicStringPiece packet) {
     QuicMemSlice slice(connection()->helper()->GetStreamSendBufferAllocator(),
                        packet.size());
     memcpy(const_cast<char*>(slice.data()), packet.data(), packet.size());
-    if (SendMessage(QuicMemSliceSpan(&slice)).status ==
-        MESSAGE_STATUS_SUCCESS) {
-      return;
+    switch (SendMessage(QuicMemSliceSpan(&slice), /*flush=*/true).status) {
+      case MESSAGE_STATUS_SUCCESS:
+        break;
+      case MESSAGE_STATUS_TOO_LARGE: {
+        if (packet.size() < sizeof(ip6_hdr)) {
+          QUIC_BUG << "Dropped malformed packet: IPv6 header too short";
+          break;
+        }
+        auto* header = reinterpret_cast<const ip6_hdr*>(packet.begin());
+        icmp6_hdr icmp_header{};
+        icmp_header.icmp6_type = ICMP6_PACKET_TOO_BIG;
+        icmp_header.icmp6_mtu =
+            connection()->GetGuaranteedLargestMessagePayload();
+
+        CreateIcmpPacket(header->ip6_dst, header->ip6_src, icmp_header, packet,
+                         [this](QuicStringPiece icmp_packet) {
+                           writer_->WritePacketToNetwork(icmp_packet.data(),
+                                                         icmp_packet.size());
+                         });
+        break;
+      }
+      case MESSAGE_STATUS_ENCRYPTION_NOT_ESTABLISHED:
+        QUIC_BUG << "MESSAGE_STATUS_ENCRYPTION_NOT_ESTABLISHED";
+        break;
+      case MESSAGE_STATUS_UNSUPPORTED:
+        QUIC_BUG << "MESSAGE_STATUS_UNSUPPORTED";
+        break;
+      case MESSAGE_STATUS_BLOCKED:
+        QUIC_BUG << "MESSAGE_STATUS_BLOCKED";
+        break;
+      case MESSAGE_STATUS_INTERNAL_ERROR:
+        QUIC_BUG << "MESSAGE_STATUS_INTERNAL_ERROR";
+        break;
     }
-    // If SendMessage() fails for any reason, fall back to ephemeral streams.
-    num_fallback_to_stream_++;
+    return;
   }
 
   // Qbone streams are ephemeral.
diff --git a/chromium/net/third_party/quiche/src/quic/qbone/qbone_session_test.cc b/chromium/net/third_party/quiche/src/quic/qbone/qbone_session_test.cc
index 83ee0877683..19ecd2c54fe 100644
--- a/chromium/net/third_party/quiche/src/quic/qbone/qbone_session_test.cc
+++ b/chromium/net/third_party/quiche/src/quic/qbone/qbone_session_test.cc
@@ -12,6 +12,7 @@
 #include "net/third_party/quiche/src/quic/platform/api/quic_test.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_test_loopback.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_text_utils.h"
+#include "net/third_party/quiche/src/quic/qbone/platform/icmp_packet.h"
 #include "net/third_party/quiche/src/quic/qbone/qbone_client_session.h"
 #include "net/third_party/quiche/src/quic/qbone/qbone_constants.h"
 #include "net/third_party/quiche/src/quic/qbone/qbone_control_placeholder.pb.h"
@@ -170,7 +171,7 @@ class DataSavingQboneControlHandler : public QboneControlHandler<T> {
 class FakeTaskRunner {
  public:
   explicit FakeTaskRunner(MockQuicConnectionHelper* helper)
-      : tasks_([this](const TaskType& l, const TaskType& r) {
+      : tasks_([](const TaskType& l, const TaskType& r) {
           // Items at a later time should run after items at an earlier time.
           // Priority queue comparisons should return true if l appears after r.
           return l->time() > r->time();
@@ -298,7 +299,7 @@ class QboneSessionTest : public QuicTest {
           server_crypto_config_->GenerateConfig(QuicRandom::GetInstance(),
                                                 GetClock(), options);
       std::unique_ptr<CryptoHandshakeMessage> message(
-          server_crypto_config_->AddConfig(std::move(primary_config),
+          server_crypto_config_->AddConfig(primary_config,
                                            GetClock()->WallNow()));
 
       server_peer_ = std::make_unique<QboneServerSession>(
@@ -353,6 +354,23 @@ class QboneSessionTest : public QuicTest {
     runner_.Run();
   }
 
+  void ExpectICMPTooBigResponse(const std::vector<string>& written_packets,
+                                const int mtu,
+                                const string& packet) {
+    auto* header = reinterpret_cast<const ip6_hdr*>(packet.data());
+    icmp6_hdr icmp_header{};
+    icmp_header.icmp6_type = ICMP6_PACKET_TOO_BIG;
+    icmp_header.icmp6_mtu = mtu;
+
+    string expected;
+    CreateIcmpPacket(header->ip6_dst, header->ip6_src, icmp_header, packet,
+                     [&expected](QuicStringPiece icmp_packet) {
+                       expected = string(icmp_packet);
+                     });
+
+    EXPECT_THAT(written_packets, Contains(expected));
+  }
+
   // Test handshake establishment and sending/receiving of data for two
   // directions.
   void TestStreamConnection(bool use_messages) {
@@ -395,7 +413,14 @@ class QboneSessionTest : public QuicTest {
     QUIC_LOG(INFO) << "Sending server -> client long data";
     server_peer_->ProcessPacketFromNetwork(TestPacketIn(long_data));
     runner_.Run();
-    EXPECT_THAT(client_writer_->data(), Contains(TestPacketOut(long_data)));
+    if (use_messages) {
+      ExpectICMPTooBigResponse(
+          server_writer_->data(),
+          server_peer_->connection()->GetGuaranteedLargestMessagePayload(),
+          TestPacketOut(long_data));
+    } else {
+      EXPECT_THAT(client_writer_->data(), Contains(TestPacketOut(long_data)));
+    }
     EXPECT_THAT(server_writer_->data(),
                 Not(Contains(TestPacketOut(long_data))));
     EXPECT_EQ(0u, server_peer_->GetNumActiveStreams());
@@ -404,11 +429,22 @@ class QboneSessionTest : public QuicTest {
     QUIC_LOG(INFO) << "Sending client -> server long data";
     client_peer_->ProcessPacketFromNetwork(TestPacketIn(long_data));
     runner_.Run();
-    EXPECT_THAT(server_writer_->data(), Contains(TestPacketOut(long_data)));
+    if (use_messages) {
+      ExpectICMPTooBigResponse(
+          client_writer_->data(),
+          client_peer_->connection()->GetGuaranteedLargestMessagePayload(),
+          TestPacketIn(long_data));
+    } else {
+      EXPECT_THAT(server_writer_->data(), Contains(TestPacketOut(long_data)));
+    }
     EXPECT_THAT(client_peer_->GetNumSentClientHellos(), Eq(2));
     EXPECT_THAT(client_peer_->GetNumReceivedServerConfigUpdates(), Eq(0));
-    EXPECT_THAT(client_peer_->GetNumStreamedPackets(), Eq(1));
-    EXPECT_THAT(server_peer_->GetNumStreamedPackets(), Eq(1));
+
+    if (!use_messages) {
+      EXPECT_THAT(client_peer_->GetNumStreamedPackets(), Eq(1));
+      EXPECT_THAT(server_peer_->GetNumStreamedPackets(), Eq(1));
+    }
+
     if (use_messages) {
       EXPECT_THAT(client_peer_->GetNumEphemeralPackets(), Eq(0));
       EXPECT_THAT(server_peer_->GetNumEphemeralPackets(), Eq(0));
diff --git a/chromium/net/third_party/quiche/src/quic/quartc/quartc_endpoint_test.cc b/chromium/net/third_party/quiche/src/quic/quartc/quartc_endpoint_test.cc
index 165139c46f1..8506067f13d 100644
--- a/chromium/net/third_party/quiche/src/quic/quartc/quartc_endpoint_test.cc
+++ b/chromium/net/third_party/quiche/src/quic/quartc/quartc_endpoint_test.cc
@@ -11,6 +11,7 @@
 #include "net/third_party/quiche/src/quic/quartc/quartc_crypto_helpers.h"
 #include "net/third_party/quiche/src/quic/quartc/quartc_fakes.h"
 #include "net/third_party/quiche/src/quic/quartc/simulated_packet_transport.h"
+#include "net/third_party/quiche/src/quic/test_tools/quic_test_utils.h"
 #include "net/third_party/quiche/src/quic/test_tools/simulator/link.h"
 #include "net/third_party/quiche/src/quic/test_tools/simulator/simulator.h"
 
@@ -195,7 +196,8 @@ TEST_F(QuartcEndpointTest,
     return client_endpoint_delegate_.session() != nullptr &&
            client_endpoint_delegate_.session()->error() != QUIC_NO_ERROR;
   }));
-  EXPECT_EQ(client_endpoint_delegate_.session()->error(), QUIC_INVALID_VERSION);
+  EXPECT_THAT(client_endpoint_delegate_.session()->error(),
+              test::IsError(QUIC_INVALID_VERSION));
 }
 
 // Tests that the client endpoint can create a new session in order to continue
diff --git a/chromium/net/third_party/quiche/src/quic/quartc/quartc_factory.cc b/chromium/net/third_party/quiche/src/quic/quartc/quartc_factory.cc
index 413c4f83f74..ad677fd8c94 100644
--- a/chromium/net/third_party/quiche/src/quic/quartc/quartc_factory.cc
+++ b/chromium/net/third_party/quiche/src/quic/quartc/quartc_factory.cc
@@ -63,11 +63,8 @@ void ConfigureGlobalQuicSettings() {
   // Fixes behavior of StopReading() with level-triggered stream sequencers.
   SetQuicReloadableFlag(quic_stop_reading_when_level_triggered, true);
 
-  // Enable version 47 to enable variable-length connection ids.
-  SetQuicReloadableFlag(quic_enable_version_47, true);
-
-  // Enable version 48 to be compatible with the latest version of Chrome.
-  SetQuicReloadableFlag(quic_enable_version_48_2, true);
+  // Enable version 50 to be compatible with the latest version of Chrome.
+  SetQuicReloadableFlag(quic_enable_version_50, true);
 
   // Ensure that we don't drop data because QUIC streams refuse to buffer it.
   // TODO(b/120099046):  Replace this with correct handling of WriteMemSlices().
@@ -98,7 +95,7 @@ QuicConfig CreateQuicConfig(const QuartcSessionConfig& quartc_session_config) {
 
   // In exoblaze this may return false. DCHECK to avoid problems caused by
   // incorrect flags configuration.
-  DCHECK(GetQuicReloadableFlag(quic_enable_version_47))
+  DCHECK(GetQuicReloadableFlag(quic_enable_version_50))
       << "Your build does not support quic reloadable flags and shouldn't "
          "place Quartc calls";
 
diff --git a/chromium/net/third_party/quiche/src/quic/quartc/quartc_multiplexer_test.cc b/chromium/net/third_party/quiche/src/quic/quartc/quartc_multiplexer_test.cc
index a8f53528e5e..3cc088b4da1 100644
--- a/chromium/net/third_party/quiche/src/quic/quartc/quartc_multiplexer_test.cc
+++ b/chromium/net/third_party/quiche/src/quic/quartc/quartc_multiplexer_test.cc
@@ -23,6 +23,7 @@
 #include "net/third_party/quiche/src/quic/quartc/quartc_session.h"
 #include "net/third_party/quiche/src/quic/quartc/quartc_stream.h"
 #include "net/third_party/quiche/src/quic/quartc/simulated_packet_transport.h"
+#include "net/third_party/quiche/src/quic/test_tools/quic_test_utils.h"
 #include "net/third_party/quiche/src/quic/test_tools/simulator/link.h"
 #include "net/third_party/quiche/src/quic/test_tools/simulator/simulator.h"
 
@@ -468,8 +469,10 @@ TEST_F(QuartcMultiplexerTest, CloseEvent) {
   Connect();
   Disconnect();
 
-  EXPECT_EQ(client_session_delegate_.error(), QUIC_CONNECTION_CANCELLED);
-  EXPECT_EQ(server_session_delegate_.error(), QUIC_CONNECTION_CANCELLED);
+  EXPECT_THAT(client_session_delegate_.error(),
+              test::IsError(QUIC_CONNECTION_CANCELLED));
+  EXPECT_THAT(server_session_delegate_.error(),
+              test::IsError(QUIC_CONNECTION_CANCELLED));
 }
 
 TEST_F(QuartcMultiplexerTest, CongestionEvent) {
diff --git a/chromium/net/third_party/quiche/src/quic/quartc/quartc_packet_writer.cc b/chromium/net/third_party/quiche/src/quic/quartc/quartc_packet_writer.cc
index 5ffb892ef44..f67cc774ea8 100644
--- a/chromium/net/third_party/quiche/src/quic/quartc/quartc_packet_writer.cc
+++ b/chromium/net/third_party/quiche/src/quic/quartc/quartc_packet_writer.cc
@@ -29,7 +29,7 @@ WriteResult QuartcPacketWriter::WritePacket(
       static_cast<QuartcPerPacketOptions*>(options);
   if (quartc_options && quartc_options->connection) {
     info.packet_number =
-        quartc_options->connection->packet_generator().packet_number();
+        quartc_options->connection->packet_creator().packet_number();
   }
   int bytes_written = packet_transport_->Write(buffer, buf_len, info);
   if (bytes_written <= 0) {
diff --git a/chromium/net/third_party/quiche/src/quic/quartc/quartc_session.cc b/chromium/net/third_party/quiche/src/quic/quartc/quartc_session.cc
index 0868d72adbe..654e54081aa 100644
--- a/chromium/net/third_party/quiche/src/quic/quartc/quartc_session.cc
+++ b/chromium/net/third_party/quiche/src/quic/quartc/quartc_session.cc
@@ -175,6 +175,36 @@ void QuartcSession::OnCryptoHandshakeEvent(CryptoHandshakeEvent event) {
   }
 }
 
+void QuartcSession::SetDefaultEncryptionLevel(EncryptionLevel level) {
+  QuicSession::SetDefaultEncryptionLevel(level);
+  switch (level) {
+    case ENCRYPTION_INITIAL:
+      break;
+    case ENCRYPTION_ZERO_RTT:
+      if (connection()->perspective() == Perspective::IS_CLIENT) {
+        DCHECK(IsEncryptionEstablished());
+        DCHECK(session_delegate_);
+        session_delegate_->OnConnectionWritable();
+      }
+      break;
+    case ENCRYPTION_HANDSHAKE:
+      break;
+    case ENCRYPTION_FORWARD_SECURE:
+      // On the server, handshake confirmed is the first time when you can start
+      // writing packets.
+      DCHECK(IsEncryptionEstablished());
+      DCHECK(IsCryptoHandshakeConfirmed());
+
+      DCHECK(session_delegate_);
+      session_delegate_->OnConnectionWritable();
+      session_delegate_->OnCryptoHandshakeComplete();
+      break;
+    default:
+      QUIC_BUG << "Unknown encryption level: "
+               << EncryptionLevelToString(level);
+  }
+}
+
 void QuartcSession::CancelStream(QuicStreamId stream_id) {
   ResetStream(stream_id, QuicRstStreamErrorCode::QUIC_STREAM_CANCELLED);
 }
diff --git a/chromium/net/third_party/quiche/src/quic/quartc/quartc_session.h b/chromium/net/third_party/quiche/src/quic/quartc/quartc_session.h
index e9001d635d9..1c0fd317b4c 100644
--- a/chromium/net/third_party/quiche/src/quic/quartc/quartc_session.h
+++ b/chromium/net/third_party/quiche/src/quic/quartc/quartc_session.h
@@ -74,6 +74,7 @@ class QuartcSession : public QuicSession,
   }
 
   void OnCryptoHandshakeEvent(CryptoHandshakeEvent event) override;
+  void SetDefaultEncryptionLevel(EncryptionLevel level) override;
 
   // QuicConnectionVisitorInterface overrides.
   void OnCongestionWindowChange(QuicTime now) override;
diff --git a/chromium/net/third_party/quiche/src/quic/quartc/quartc_session_test.cc b/chromium/net/third_party/quiche/src/quic/quartc/quartc_session_test.cc
index 6ed8ec514e2..956073bade9 100644
--- a/chromium/net/third_party/quiche/src/quic/quartc/quartc_session_test.cc
+++ b/chromium/net/third_party/quiche/src/quic/quartc/quartc_session_test.cc
@@ -20,6 +20,7 @@
 #include "net/third_party/quiche/src/quic/quartc/quartc_packet_writer.h"
 #include "net/third_party/quiche/src/quic/quartc/simulated_packet_transport.h"
 #include "net/third_party/quiche/src/quic/test_tools/mock_clock.h"
+#include "net/third_party/quiche/src/quic/test_tools/quic_test_utils.h"
 #include "net/third_party/quiche/src/quic/test_tools/simulator/packet_filter.h"
 #include "net/third_party/quiche/src/quic/test_tools/simulator/simulator.h"
 
@@ -543,10 +544,10 @@ TEST_F(QuartcSessionTest, StreamRetransmissionDisabled) {
 
   EXPECT_TRUE(client_peer_->IsClosedStream(stream_id));
   EXPECT_TRUE(server_peer_->IsClosedStream(stream_id));
-  EXPECT_EQ(client_stream_delegate_->stream_error(stream_id),
-            QUIC_STREAM_CANCELLED);
-  EXPECT_EQ(server_stream_delegate_->stream_error(stream_id),
-            QUIC_STREAM_CANCELLED);
+  EXPECT_THAT(client_stream_delegate_->stream_error(stream_id),
+              test::IsStreamError(QUIC_STREAM_CANCELLED));
+  EXPECT_THAT(server_stream_delegate_->stream_error(stream_id),
+              test::IsStreamError(QUIC_STREAM_CANCELLED));
 }
 
 TEST_F(QuartcSessionTest, LostDatagramNotifications) {
diff --git a/chromium/net/third_party/quiche/src/quic/quartc/quartc_stream_test.cc b/chromium/net/third_party/quiche/src/quic/quartc/quartc_stream_test.cc
index c8a68fcefff..0e972e50aff 100644
--- a/chromium/net/third_party/quiche/src/quic/quartc/quartc_stream_test.cc
+++ b/chromium/net/third_party/quiche/src/quic/quartc/quartc_stream_test.cc
@@ -27,7 +27,6 @@
 #include "net/third_party/quiche/src/quic/core/quic_versions.h"
 #include "net/third_party/quiche/src/quic/core/quic_write_blocked_list.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_clock.h"
-#include "net/third_party/quiche/src/quic/platform/api/quic_endian.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_flags.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_ip_address.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_socket_address.h"
@@ -36,8 +35,12 @@
 #include "net/third_party/quiche/src/quic/quartc/quartc_factory.h"
 #include "net/third_party/quiche/src/quic/test_tools/mock_clock.h"
 #include "net/third_party/quiche/src/quic/test_tools/quic_test_utils.h"
+#include "net/third_party/quiche/src/common/platform/api/quiche_endian.h"
 #include "net/third_party/quiche/src/spdy/core/spdy_protocol.h"
 
+using ::quic::test::IsQuicStreamNoError;
+using ::quic::test::IsStreamError;
+
 namespace quic {
 
 namespace {
@@ -73,7 +76,7 @@ class MockQuicSession : public QuicSession {
     // WritevData does not pass down a iovec, data is saved in stream before
     // data is consumed. Retrieve data from stream.
     char* buf = new char[write_length];
-    QuicDataWriter writer(write_length, buf, NETWORK_BYTE_ORDER);
+    QuicDataWriter writer(write_length, buf, quiche::NETWORK_BYTE_ORDER);
     if (write_length > 0) {
       stream->WriteStreamData(offset, write_length, &writer);
     }
@@ -419,7 +422,7 @@ TEST_F(QuartcStreamTest, TestCancelOnLossDisabled) {
   stream_->OnCanWrite();
 
   EXPECT_EQ("Foo barFoo bar", write_buffer_);
-  EXPECT_EQ(stream_->stream_error(), QUIC_STREAM_NO_ERROR);
+  EXPECT_THAT(stream_->stream_error(), IsQuicStreamNoError());
 }
 
 TEST_F(QuartcStreamTest, TestCancelOnLossEnabled) {
@@ -436,7 +439,7 @@ TEST_F(QuartcStreamTest, TestCancelOnLossEnabled) {
   stream_->OnCanWrite();
 
   EXPECT_EQ("Foo bar", write_buffer_);
-  EXPECT_EQ(stream_->stream_error(), QUIC_STREAM_CANCELLED);
+  EXPECT_THAT(stream_->stream_error(), IsStreamError(QUIC_STREAM_CANCELLED));
 }
 
 TEST_F(QuartcStreamTest, MaxRetransmissionsAbsent) {
@@ -456,7 +459,7 @@ TEST_F(QuartcStreamTest, MaxRetransmissionsAbsent) {
   stream_->OnCanWrite();
 
   EXPECT_EQ("Foo barFoo bar", write_buffer_);
-  EXPECT_EQ(stream_->stream_error(), QUIC_STREAM_NO_ERROR);
+  EXPECT_THAT(stream_->stream_error(), IsQuicStreamNoError());
 }
 
 TEST_F(QuartcStreamTest, MaxRetransmissionsSet) {
@@ -483,7 +486,7 @@ TEST_F(QuartcStreamTest, MaxRetransmissionsSet) {
   stream_->OnCanWrite();
 
   EXPECT_EQ("Foo barFoo barFoo bar", write_buffer_);
-  EXPECT_EQ(stream_->stream_error(), QUIC_STREAM_CANCELLED);
+  EXPECT_THAT(stream_->stream_error(), IsStreamError(QUIC_STREAM_CANCELLED));
 }
 
 TEST_F(QuartcStreamTest, MaxRetransmissionsDisjointFrames) {
@@ -542,7 +545,7 @@ TEST_F(QuartcStreamTest, MaxRetransmissionsOverlappingFrames) {
   stream_->OnCanWrite();
 
   EXPECT_EQ("Foo barFoo  bar", write_buffer_);
-  EXPECT_EQ(stream_->stream_error(), QUIC_STREAM_CANCELLED);
+  EXPECT_THAT(stream_->stream_error(), IsStreamError(QUIC_STREAM_CANCELLED));
 }
 
 TEST_F(QuartcStreamTest, MaxRetransmissionsWithAckedFrame) {
@@ -579,7 +582,7 @@ TEST_F(QuartcStreamTest, MaxRetransmissionsWithAckedFrame) {
 
   // QuartcStream should be cancelled, but it stopped tracking the lost bytes
   // after they were acked, so it's not.
-  EXPECT_EQ(stream_->stream_error(), QUIC_STREAM_NO_ERROR);
+  EXPECT_THAT(stream_->stream_error(), IsQuicStreamNoError());
 }
 
 TEST_F(QuartcStreamTest, TestBytesPendingRetransmission) {
@@ -605,7 +608,7 @@ TEST_F(QuartcStreamTest, TestBytesPendingRetransmission) {
   EXPECT_EQ(mock_stream_delegate_->last_bytes_pending_retransmission(), 0u);
 
   EXPECT_EQ("Foo barFoo bar", write_buffer_);
-  EXPECT_EQ(stream_->stream_error(), QUIC_STREAM_NO_ERROR);
+  EXPECT_THAT(stream_->stream_error(), IsQuicStreamNoError());
 }
 
 TEST_F(QuartcStreamTest, TestBytesPendingRetransmissionWithCancelOnLoss) {
@@ -631,7 +634,7 @@ TEST_F(QuartcStreamTest, TestBytesPendingRetransmissionWithCancelOnLoss) {
   EXPECT_EQ(mock_stream_delegate_->last_bytes_pending_retransmission(), 0u);
 
   EXPECT_EQ("Foo bar", write_buffer_);
-  EXPECT_EQ(stream_->stream_error(), QUIC_STREAM_CANCELLED);
+  EXPECT_THAT(stream_->stream_error(), IsStreamError(QUIC_STREAM_CANCELLED));
 }
 
 }  // namespace
diff --git a/chromium/net/third_party/quiche/src/quic/quic_transport/quic_transport_client_session.cc b/chromium/net/third_party/quiche/src/quic/quic_transport/quic_transport_client_session.cc
index 032f61d3bcb..e9487ec0458 100644
--- a/chromium/net/third_party/quiche/src/quic/quic_transport/quic_transport_client_session.cc
+++ b/chromium/net/third_party/quiche/src/quic/quic_transport/quic_transport_client_session.cc
@@ -16,9 +16,12 @@
 #include "net/third_party/quiche/src/quic/core/quic_session.h"
 #include "net/third_party/quiche/src/quic/core/quic_types.h"
 #include "net/third_party/quiche/src/quic/core/quic_versions.h"
+#include "net/third_party/quiche/src/quic/platform/api/quic_bug_tracker.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_logging.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_string_piece.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_text_utils.h"
+#include "net/third_party/quiche/src/quic/quic_transport/quic_transport_protocol.h"
+#include "net/third_party/quiche/src/quic/quic_transport/quic_transport_stream.h"
 
 namespace quic {
 
@@ -40,15 +43,18 @@ QuicTransportClientSession::QuicTransportClientSession(
     Visitor* owner,
     const QuicConfig& config,
     const ParsedQuicVersionVector& supported_versions,
-    const QuicServerId& server_id,
+    const GURL& url,
     QuicCryptoClientConfig* crypto_config,
-    url::Origin origin)
+    url::Origin origin,
+    ClientVisitor* visitor)
     : QuicSession(connection,
                   owner,
                   config,
                   supported_versions,
                   /*num_expected_unidirectional_static_streams*/ 0),
-      origin_(origin) {
+      url_(url),
+      origin_(origin),
+      visitor_(visitor) {
   for (const ParsedQuicVersion& version : supported_versions) {
     QUIC_BUG_IF(version.handshake_protocol != PROTOCOL_TLS1_3)
         << "QuicTransport requires TLS 1.3 handshake";
@@ -56,8 +62,22 @@ QuicTransportClientSession::QuicTransportClientSession(
   // ProofHandler API is not used by TLS 1.3.
   static DummyProofHandler* proof_handler = new DummyProofHandler();
   crypto_stream_ = std::make_unique<QuicCryptoClientStream>(
-      server_id, this, crypto_config->proof_verifier()->CreateDefaultContext(),
-      crypto_config, proof_handler);
+      QuicServerId(url.host(), url.EffectiveIntPort()), this,
+      crypto_config->proof_verifier()->CreateDefaultContext(), crypto_config,
+      proof_handler);
+}
+
+QuicStream* QuicTransportClientSession::CreateIncomingStream(QuicStreamId id) {
+  QUIC_DVLOG(1) << "Creating incoming QuicTransport stream " << id;
+  QuicTransportStream* stream = CreateStream(id);
+  if (stream->type() == BIDIRECTIONAL) {
+    incoming_bidirectional_streams_.push_back(stream);
+    visitor_->OnIncomingBidirectionalStreamAvailable();
+  } else {
+    incoming_unidirectional_streams_.push_back(stream);
+    visitor_->OnIncomingUnidirectionalStreamAvailable();
+  }
+  return stream;
 }
 
 void QuicTransportClientSession::OnCryptoHandshakeEvent(
@@ -70,6 +90,59 @@ void QuicTransportClientSession::OnCryptoHandshakeEvent(
   SendClientIndication();
 }
 
+void QuicTransportClientSession::SetDefaultEncryptionLevel(
+    EncryptionLevel level) {
+  QuicSession::SetDefaultEncryptionLevel(level);
+  if (level == ENCRYPTION_FORWARD_SECURE) {
+    SendClientIndication();
+  }
+}
+
+QuicTransportStream*
+QuicTransportClientSession::AcceptIncomingBidirectionalStream() {
+  if (incoming_bidirectional_streams_.empty()) {
+    return nullptr;
+  }
+  QuicTransportStream* stream = incoming_bidirectional_streams_.front();
+  incoming_bidirectional_streams_.pop_front();
+  return stream;
+}
+
+QuicTransportStream*
+QuicTransportClientSession::AcceptIncomingUnidirectionalStream() {
+  if (incoming_unidirectional_streams_.empty()) {
+    return nullptr;
+  }
+  QuicTransportStream* stream = incoming_unidirectional_streams_.front();
+  incoming_unidirectional_streams_.pop_front();
+  return stream;
+}
+
+QuicTransportStream*
+QuicTransportClientSession::OpenOutgoingBidirectionalStream() {
+  if (!CanOpenNextOutgoingBidirectionalStream()) {
+    QUIC_BUG << "Attempted to open a stream in violation of flow control";
+    return nullptr;
+  }
+  return CreateStream(GetNextOutgoingBidirectionalStreamId());
+}
+
+QuicTransportStream*
+QuicTransportClientSession::OpenOutgoingUnidirectionalStream() {
+  if (!CanOpenNextOutgoingUnidirectionalStream()) {
+    QUIC_BUG << "Attempted to open a stream in violation of flow control";
+    return nullptr;
+  }
+  return CreateStream(GetNextOutgoingUnidirectionalStreamId());
+}
+
+QuicTransportStream* QuicTransportClientSession::CreateStream(QuicStreamId id) {
+  auto stream = std::make_unique<QuicTransportStream>(id, this, this);
+  QuicTransportStream* stream_ptr = stream.get();
+  ActivateStream(std::move(stream));
+  return stream_ptr;
+}
+
 std::string QuicTransportClientSession::SerializeClientIndication() {
   std::string serialized_origin = origin_.Serialize();
   if (serialized_origin.size() > std::numeric_limits<uint16_t>::max()) {
@@ -82,16 +155,40 @@ std::string QuicTransportClientSession::SerializeClientIndication() {
   QUIC_DLOG(INFO) << "Sending client indication with origin "
                   << serialized_origin;
 
+  std::string path = url_.PathForRequest();
+  if (path.size() > std::numeric_limits<uint16_t>::max()) {
+    connection()->CloseConnection(
+        QUIC_TRANSPORT_INVALID_CLIENT_INDICATION, "Requested URL path too long",
+        ConnectionCloseBehavior::SEND_CONNECTION_CLOSE_PACKET);
+    return "";
+  }
+
+  constexpr size_t kPrefixSize =
+      sizeof(QuicTransportClientIndicationKeys) + sizeof(uint16_t);
+  const size_t buffer_size =
+      2 * kPrefixSize + serialized_origin.size() + path.size();
+  if (buffer_size > std::numeric_limits<uint16_t>::max()) {
+    connection()->CloseConnection(
+        QUIC_TRANSPORT_INVALID_CLIENT_INDICATION,
+        "Client indication size limit exceeded",
+        ConnectionCloseBehavior::SEND_CONNECTION_CLOSE_PACKET);
+    return "";
+  }
+
   std::string buffer;
-  buffer.resize(/* key */ sizeof(QuicTransportClientIndicationKeys) +
-                /* length */ sizeof(uint16_t) + serialized_origin.size());
+  buffer.resize(buffer_size);
   QuicDataWriter writer(buffer.size(), &buffer[0]);
-  writer.WriteUInt16(
-      static_cast<uint16_t>(QuicTransportClientIndicationKeys::kOrigin));
-  writer.WriteUInt16(serialized_origin.size());
-  writer.WriteStringPiece(serialized_origin);
-
-  buffer.resize(writer.length());
+  bool success =
+      writer.WriteUInt16(
+          static_cast<uint16_t>(QuicTransportClientIndicationKeys::kOrigin)) &&
+      writer.WriteUInt16(serialized_origin.size()) &&
+      writer.WriteStringPiece(serialized_origin) &&
+      writer.WriteUInt16(
+          static_cast<uint16_t>(QuicTransportClientIndicationKeys::kPath)) &&
+      writer.WriteUInt16(path.size()) && writer.WriteStringPiece(path);
+  QUIC_BUG_IF(!success) << "Failed to serialize client indication";
+  QUIC_BUG_IF(writer.length() != buffer.length())
+      << "Serialized client indication has length different from expected";
   return buffer;
 }
 
@@ -113,8 +210,11 @@ void QuicTransportClientSession::SendClientIndication() {
   }
 
   auto client_indication_owned = std::make_unique<ClientIndication>(
-      /*stream_id=*/ClientIndicationStream(), this, /*is_static=*/false,
-      WRITE_UNIDIRECTIONAL);
+      /*stream_id=*/GetNextOutgoingUnidirectionalStreamId(), this,
+      /*is_static=*/false, WRITE_UNIDIRECTIONAL);
+  QUIC_BUG_IF(client_indication_owned->id() != ClientIndicationStream())
+      << "Client indication stream is " << client_indication_owned->id()
+      << " instead of expected " << ClientIndicationStream();
   ClientIndication* client_indication = client_indication_owned.get();
   ActivateStream(std::move(client_indication_owned));
 
diff --git a/chromium/net/third_party/quiche/src/quic/quic_transport/quic_transport_client_session.h b/chromium/net/third_party/quiche/src/quic/quic_transport/quic_transport_client_session.h
index 32149dfbb00..b3d8f17186b 100644
--- a/chromium/net/third_party/quiche/src/quic/quic_transport/quic_transport_client_session.h
+++ b/chromium/net/third_party/quiche/src/quic/quic_transport/quic_transport_client_session.h
@@ -8,6 +8,7 @@
 #include <cstdint>
 #include <memory>
 
+#include "url/gurl.h"
 #include "url/origin.h"
 #include "net/third_party/quiche/src/quic/core/crypto/quic_crypto_client_config.h"
 #include "net/third_party/quiche/src/quic/core/quic_config.h"
@@ -19,24 +20,38 @@
 #include "net/third_party/quiche/src/quic/core/quic_stream.h"
 #include "net/third_party/quiche/src/quic/core/quic_versions.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_bug_tracker.h"
+#include "net/third_party/quiche/src/quic/platform/api/quic_containers.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_string_piece.h"
 #include "net/third_party/quiche/src/quic/quic_transport/quic_transport_protocol.h"
 #include "net/third_party/quiche/src/quic/quic_transport/quic_transport_session_interface.h"
+#include "net/third_party/quiche/src/quic/quic_transport/quic_transport_stream.h"
 
 namespace quic {
 
 // A client session for the QuicTransport protocol.
-class QUIC_EXPORT QuicTransportClientSession
+class QUIC_EXPORT_PRIVATE QuicTransportClientSession
     : public QuicSession,
       public QuicTransportSessionInterface {
  public:
+  class QUIC_EXPORT_PRIVATE ClientVisitor {
+   public:
+    virtual ~ClientVisitor() {}
+
+    // Notifies the visitor when a new stream has been received.  The stream in
+    // question can be retrieved using AcceptIncomingBidirectionalStream() or
+    // AcceptIncomingUnidirectionalStream().
+    virtual void OnIncomingBidirectionalStreamAvailable() = 0;
+    virtual void OnIncomingUnidirectionalStreamAvailable() = 0;
+  };
+
   QuicTransportClientSession(QuicConnection* connection,
                              Visitor* owner,
                              const QuicConfig& config,
                              const ParsedQuicVersionVector& supported_versions,
-                             const QuicServerId& server_id,
+                             const GURL& url,
                              QuicCryptoClientConfig* crypto_config,
-                             url::Origin origin);
+                             url::Origin origin,
+                             ClientVisitor* visitor);
 
   std::vector<std::string> GetAlpnsToOffer() const override {
     return std::vector<std::string>({QuicTransportAlpn()});
@@ -53,12 +68,35 @@ class QUIC_EXPORT QuicTransportClientSession
     return crypto_stream_.get();
   }
 
+  // Returns true once the encryption has been established and the client
+  // indication has been sent.  No application data will be read or written
+  // before the connection is ready.  Once the connection becomes ready, this
+  // method will never return false.
   bool IsSessionReady() const override { return ready_; }
 
+  QuicStream* CreateIncomingStream(QuicStreamId id) override;
+  QuicStream* CreateIncomingStream(PendingStream* /*pending*/) override {
+    QUIC_BUG << "QuicTransportClientSession::CreateIncomingStream("
+                "PendingStream) not implemented";
+    return nullptr;
+  }
+
   void OnCryptoHandshakeEvent(CryptoHandshakeEvent event) override;
+  void SetDefaultEncryptionLevel(EncryptionLevel level) override;
+
+  // Return the earliest incoming stream that has been received by the session
+  // but has not been accepted.  Returns nullptr if there are no incoming
+  // streams.
+  QuicTransportStream* AcceptIncomingBidirectionalStream();
+  QuicTransportStream* AcceptIncomingUnidirectionalStream();
+
+  using QuicSession::CanOpenNextOutgoingBidirectionalStream;
+  using QuicSession::CanOpenNextOutgoingUnidirectionalStream;
+  QuicTransportStream* OpenOutgoingBidirectionalStream();
+  QuicTransportStream* OpenOutgoingUnidirectionalStream();
 
  protected:
-  class ClientIndication : public QuicStream {
+  class QUIC_EXPORT_PRIVATE ClientIndication : public QuicStream {
    public:
     using QuicStream::QuicStream;
 
@@ -69,6 +107,9 @@ class QUIC_EXPORT QuicTransportClientSession
     }
   };
 
+  // Creates and activates a QuicTransportStream for the given ID.
+  QuicTransportStream* CreateStream(QuicStreamId id);
+
   // Serializes the client indication as described in
   // https://vasilvv.github.io/webtransport/draft-vvv-webtransport-quic.html#rfc.section.3.2
   std::string SerializeClientIndication();
@@ -76,9 +117,22 @@ class QUIC_EXPORT QuicTransportClientSession
   void SendClientIndication();
 
   std::unique_ptr<QuicCryptoClientStream> crypto_stream_;
+  GURL url_;
   url::Origin origin_;
+  ClientVisitor* visitor_;  // not owned
   bool client_indication_sent_ = false;
   bool ready_ = false;
+
+  // Contains all of the streams that has been received by the session but have
+  // not been processed by the application.
+  // TODO(vasilvv): currently, we always send MAX_STREAMS as long as the overall
+  // maximum number of streams for the connection has not been exceeded. We
+  // should also limit the maximum number of streams that the consuming code
+  // has not accepted to a smaller number, by checking the size of
+  // |incoming_bidirectional_streams_| and |incoming_unidirectional_streams_|
+  // before sending MAX_STREAMS.
+  QuicDeque<QuicTransportStream*> incoming_bidirectional_streams_;
+  QuicDeque<QuicTransportStream*> incoming_unidirectional_streams_;
 };
 
 }  // namespace quic
diff --git a/chromium/net/third_party/quiche/src/quic/quic_transport/quic_transport_client_session_test.cc b/chromium/net/third_party/quiche/src/quic/quic_transport/quic_transport_client_session_test.cc
index 24e1071d3e9..17a475751d6 100644
--- a/chromium/net/third_party/quiche/src/quic/quic_transport/quic_transport_client_session_test.cc
+++ b/chromium/net/third_party/quiche/src/quic/quic_transport/quic_transport_client_session_test.cc
@@ -20,6 +20,7 @@
 #include "net/third_party/quiche/src/quic/test_tools/quic_session_peer.h"
 #include "net/third_party/quiche/src/quic/test_tools/quic_stream_peer.h"
 #include "net/third_party/quiche/src/quic/test_tools/quic_test_utils.h"
+#include "net/third_party/quiche/src/quic/test_tools/quic_transport_test_tools.h"
 
 namespace quic {
 namespace test {
@@ -29,8 +30,6 @@ using testing::_;
 using testing::ElementsAre;
 
 const char* kTestOrigin = "https://test-origin.test";
-constexpr char kTestOriginClientIndication[] =
-    "\0\0\0\x18https://test-origin.test";
 url::Origin GetTestOrigin() {
   GURL origin_url(kTestOrigin);
   return url::Origin::Create(origin_url);
@@ -50,32 +49,6 @@ std::string DataInStream(QuicStream* stream) {
   return result;
 }
 
-class TestClientSession : public QuicTransportClientSession {
- public:
-  using QuicTransportClientSession::QuicTransportClientSession;
-
-  class Stream : public QuicStream {
-   public:
-    using QuicStream::QuicStream;
-    void OnDataAvailable() override {}
-  };
-
-  QuicStream* CreateIncomingStream(QuicStreamId id) override {
-    auto stream = std::make_unique<Stream>(
-        id, this, /*is_static=*/false,
-        QuicUtils::GetStreamType(id, connection()->perspective(),
-                                 /*peer_initiated=*/true));
-    QuicStream* result = stream.get();
-    ActivateStream(std::move(stream));
-    return result;
-  }
-
-  QuicStream* CreateIncomingStream(PendingStream* /*pending*/) override {
-    QUIC_NOTREACHED();
-    return nullptr;
-  }
-};
-
 class QuicTransportClientSessionTest : public QuicTest {
  protected:
   QuicTransportClientSessionTest()
@@ -83,16 +56,16 @@ class QuicTransportClientSessionTest : public QuicTest {
                     &alarm_factory_,
                     Perspective::IS_CLIENT,
                     GetVersions()),
-        server_id_("test.example.com", 443),
         crypto_config_(crypto_test_utils::ProofVerifierForTesting()) {
     SetQuicReloadableFlag(quic_supports_tls_handshake, true);
-    CreateSession(GetTestOrigin());
+    CreateSession(GetTestOrigin(), "");
   }
 
-  void CreateSession(url::Origin origin) {
-    session_ = std::make_unique<TestClientSession>(
-        &connection_, nullptr, DefaultQuicConfig(), GetVersions(), server_id_,
-        &crypto_config_, origin);
+  void CreateSession(url::Origin origin, std::string url_suffix) {
+    session_ = std::make_unique<QuicTransportClientSession>(
+        &connection_, nullptr, DefaultQuicConfig(), GetVersions(),
+        GURL("quic-transport://test.example.com:50000" + url_suffix),
+        &crypto_config_, origin, &visitor_);
     session_->Initialize();
     crypto_stream_ = static_cast<QuicCryptoClientStream*>(
         session_->GetMutableCryptoStream());
@@ -101,18 +74,20 @@ class QuicTransportClientSessionTest : public QuicTest {
   void Connect() {
     session_->CryptoConnect();
     QuicConfig server_config = DefaultQuicConfig();
+    std::unique_ptr<QuicCryptoServerConfig> crypto_config(
+        crypto_test_utils::CryptoServerConfigForTesting());
     crypto_test_utils::HandshakeWithFakeServer(
-        &server_config, &helper_, &alarm_factory_, &connection_, crypto_stream_,
-        QuicTransportAlpn());
+        &server_config, crypto_config.get(), &helper_, &alarm_factory_,
+        &connection_, crypto_stream_, QuicTransportAlpn());
   }
 
   MockAlarmFactory alarm_factory_;
   MockQuicConnectionHelper helper_;
 
   PacketSavingConnection connection_;
-  QuicServerId server_id_;
   QuicCryptoClientConfig crypto_config_;
-  std::unique_ptr<TestClientSession> session_;
+  MockClientVisitor visitor_;
+  std::unique_ptr<QuicTransportClientSession> session_;
   QuicCryptoClientStream* crypto_stream_;
 };
 
@@ -121,6 +96,39 @@ TEST_F(QuicTransportClientSessionTest, HasValidAlpn) {
 }
 
 TEST_F(QuicTransportClientSessionTest, SuccessfulConnection) {
+  constexpr char kTestOriginClientIndication[] =
+      "\0\0"                      // key (0x0000, origin)
+      "\0\x18"                    // length
+      "https://test-origin.test"  // value
+      "\0\x01"                    // key (0x0001, path)
+      "\0\x01"                    // length
+      "/";                        // value
+
+  Connect();
+  EXPECT_TRUE(session_->IsSessionReady());
+
+  QuicStream* client_indication_stream =
+      QuicSessionPeer::zombie_streams(session_.get())[ClientIndicationStream()]
+          .get();
+  ASSERT_TRUE(client_indication_stream != nullptr);
+  const std::string client_indication = DataInStream(client_indication_stream);
+  const std::string expected_client_indication{
+      kTestOriginClientIndication,
+      QUIC_ARRAYSIZE(kTestOriginClientIndication) - 1};
+  EXPECT_EQ(client_indication, expected_client_indication);
+}
+
+TEST_F(QuicTransportClientSessionTest, SuccessfulConnectionWithPath) {
+  constexpr char kSuffix[] = "/foo/bar?hello=world#not-sent";
+  constexpr char kTestOriginClientIndication[] =
+      "\0\0"                      // key (0x0000, origin)
+      "\0\x18"                    // length
+      "https://test-origin.test"  // value
+      "\0\x01"                    // key (0x0001, path)
+      "\0\x14"                    // length
+      "/foo/bar?hello=world";     // value
+
+  CreateSession(GetTestOrigin(), kSuffix);
   Connect();
   EXPECT_TRUE(session_->IsSessionReady());
 
@@ -139,11 +147,28 @@ TEST_F(QuicTransportClientSessionTest, OriginTooLong) {
   std::string long_string(68000, 'a');
   GURL bad_origin_url{"https://" + long_string + ".example/"};
   EXPECT_TRUE(bad_origin_url.is_valid());
-  CreateSession(url::Origin::Create(bad_origin_url));
+  CreateSession(url::Origin::Create(bad_origin_url), "");
 
   EXPECT_QUIC_BUG(Connect(), "Client origin too long");
 }
 
+TEST_F(QuicTransportClientSessionTest, ReceiveNewStreams) {
+  Connect();
+  ASSERT_TRUE(session_->IsSessionReady());
+  ASSERT_TRUE(session_->AcceptIncomingUnidirectionalStream() == nullptr);
+
+  const QuicStreamId id = GetNthServerInitiatedUnidirectionalStreamId(
+      session_->transport_version(), 0);
+  QuicStreamFrame frame(id, /*fin=*/false, /*offset=*/0, "test");
+  EXPECT_CALL(visitor_, OnIncomingUnidirectionalStreamAvailable()).Times(1);
+  session_->OnStreamFrame(frame);
+
+  QuicTransportStream* stream = session_->AcceptIncomingUnidirectionalStream();
+  ASSERT_TRUE(stream != nullptr);
+  EXPECT_EQ(stream->ReadableBytes(), 4u);
+  EXPECT_EQ(stream->id(), id);
+}
+
 }  // namespace
 }  // namespace test
 }  // namespace quic
diff --git a/chromium/net/third_party/quiche/src/quic/quic_transport/quic_transport_integration_test.cc b/chromium/net/third_party/quiche/src/quic/quic_transport/quic_transport_integration_test.cc
new file mode 100644
index 00000000000..57f53804c3a
--- /dev/null
+++ b/chromium/net/third_party/quiche/src/quic/quic_transport/quic_transport_integration_test.cc
@@ -0,0 +1,331 @@
+// Copyright (c) 2019 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// An integration test that covers interactions between QuicTransport client and
+// server sessions.
+
+#include <memory>
+#include <vector>
+
+#include "url/gurl.h"
+#include "url/origin.h"
+#include "net/third_party/quiche/src/quic/core/crypto/quic_crypto_client_config.h"
+#include "net/third_party/quiche/src/quic/core/crypto/quic_crypto_server_config.h"
+#include "net/third_party/quiche/src/quic/core/quic_connection.h"
+#include "net/third_party/quiche/src/quic/core/quic_error_codes.h"
+#include "net/third_party/quiche/src/quic/core/quic_types.h"
+#include "net/third_party/quiche/src/quic/core/quic_versions.h"
+#include "net/third_party/quiche/src/quic/platform/api/quic_flags.h"
+#include "net/third_party/quiche/src/quic/platform/api/quic_test.h"
+#include "net/third_party/quiche/src/quic/quic_transport/quic_transport_client_session.h"
+#include "net/third_party/quiche/src/quic/quic_transport/quic_transport_server_session.h"
+#include "net/third_party/quiche/src/quic/quic_transport/quic_transport_stream.h"
+#include "net/third_party/quiche/src/quic/test_tools/crypto_test_utils.h"
+#include "net/third_party/quiche/src/quic/test_tools/quic_test_utils.h"
+#include "net/third_party/quiche/src/quic/test_tools/quic_transport_test_tools.h"
+#include "net/third_party/quiche/src/quic/test_tools/simulator/link.h"
+#include "net/third_party/quiche/src/quic/test_tools/simulator/quic_endpoint_base.h"
+#include "net/third_party/quiche/src/quic/test_tools/simulator/simulator.h"
+#include "net/third_party/quiche/src/quic/test_tools/simulator/switch.h"
+#include "net/third_party/quiche/src/quic/tools/quic_transport_simple_server_session.h"
+
+namespace quic {
+namespace test {
+namespace {
+
+using simulator::QuicEndpointBase;
+using simulator::Simulator;
+using testing::Assign;
+
+url::Origin GetTestOrigin() {
+  constexpr char kTestOrigin[] = "https://test-origin.test";
+  GURL origin_url(kTestOrigin);
+  return url::Origin::Create(origin_url);
+}
+
+ParsedQuicVersionVector GetVersions() {
+  return {ParsedQuicVersion{PROTOCOL_TLS1_3, QUIC_VERSION_99}};
+}
+
+class QuicTransportEndpointBase : public QuicEndpointBase {
+ public:
+  QuicTransportEndpointBase(Simulator* simulator,
+                            const std::string& name,
+                            const std::string& peer_name,
+                            Perspective perspective)
+      : QuicEndpointBase(simulator, name, peer_name) {
+    connection_ = std::make_unique<QuicConnection>(
+        TestConnectionId(0x10), simulator::GetAddressFromName(peer_name),
+        simulator, simulator->GetAlarmFactory(), &writer_,
+        /*owns_writer=*/false, perspective, GetVersions());
+    connection_->SetSelfAddress(simulator::GetAddressFromName(name));
+
+    SetQuicReloadableFlag(quic_supports_tls_handshake, true);
+  }
+};
+
+class QuicTransportClientEndpoint : public QuicTransportEndpointBase {
+ public:
+  QuicTransportClientEndpoint(Simulator* simulator,
+                              const std::string& name,
+                              const std::string& peer_name,
+                              url::Origin origin)
+      : QuicTransportEndpointBase(simulator,
+                                  name,
+                                  peer_name,
+                                  Perspective::IS_CLIENT),
+        crypto_config_(crypto_test_utils::ProofVerifierForTesting()),
+        session_(connection_.get(),
+                 nullptr,
+                 DefaultQuicConfig(),
+                 GetVersions(),
+                 GURL("quic-transport://test.example.com:50000"),
+                 &crypto_config_,
+                 origin,
+                 &visitor_) {
+    session_.Initialize();
+  }
+
+  QuicTransportClientSession* session() { return &session_; }
+  MockClientVisitor* visitor() { return &visitor_; }
+
+ private:
+  QuicCryptoClientConfig crypto_config_;
+  MockClientVisitor visitor_;
+  QuicTransportClientSession session_;
+};
+
+class QuicTransportServerEndpoint : public QuicTransportEndpointBase {
+ public:
+  QuicTransportServerEndpoint(Simulator* simulator,
+                              const std::string& name,
+                              const std::string& peer_name,
+                              QuicTransportSimpleServerSession::Mode mode,
+                              std::vector<url::Origin> accepted_origins)
+      : QuicTransportEndpointBase(simulator,
+                                  name,
+                                  peer_name,
+                                  Perspective::IS_SERVER),
+        crypto_config_(QuicCryptoServerConfig::TESTING,
+                       QuicRandom::GetInstance(),
+                       crypto_test_utils::ProofSourceForTesting(),
+                       KeyExchangeSource::Default()),
+        compressed_certs_cache_(
+            QuicCompressedCertsCache::kQuicCompressedCertsCacheSize),
+        session_(connection_.get(),
+                 /*owns_connection=*/false,
+                 nullptr,
+                 DefaultQuicConfig(),
+                 GetVersions(),
+                 &crypto_config_,
+                 &compressed_certs_cache_,
+                 mode,
+                 accepted_origins) {
+    session_.Initialize();
+  }
+
+  QuicTransportServerSession* session() { return &session_; }
+
+ private:
+  QuicCryptoServerConfig crypto_config_;
+  QuicCompressedCertsCache compressed_certs_cache_;
+  QuicTransportSimpleServerSession session_;
+};
+
+std::unique_ptr<MockStreamVisitor> VisitorExpectingFin() {
+  auto visitor = std::make_unique<MockStreamVisitor>();
+  EXPECT_CALL(*visitor, OnFinRead());
+  return visitor;
+}
+
+constexpr QuicBandwidth kClientBandwidth =
+    QuicBandwidth::FromKBitsPerSecond(10000);
+constexpr QuicTime::Delta kClientPropagationDelay =
+    QuicTime::Delta::FromMilliseconds(2);
+constexpr QuicBandwidth kServerBandwidth =
+    QuicBandwidth::FromKBitsPerSecond(4000);
+constexpr QuicTime::Delta kServerPropagationDelay =
+    QuicTime::Delta::FromMilliseconds(50);
+const QuicTime::Delta kTransferTime =
+    kClientBandwidth.TransferTime(kMaxOutgoingPacketSize) +
+    kServerBandwidth.TransferTime(kMaxOutgoingPacketSize);
+const QuicTime::Delta kRtt =
+    (kClientPropagationDelay + kServerPropagationDelay + kTransferTime) * 2;
+const QuicByteCount kBdp = kRtt * kServerBandwidth;
+
+constexpr QuicTime::Delta kDefaultTimeout = QuicTime::Delta::FromSeconds(3);
+
+class QuicTransportIntegrationTest : public QuicTest {
+ public:
+  QuicTransportIntegrationTest()
+      : switch_(&simulator_, "Switch", 8, 2 * kBdp) {}
+
+  void CreateDefaultEndpoints(QuicTransportSimpleServerSession::Mode mode) {
+    client_ = std::make_unique<QuicTransportClientEndpoint>(
+        &simulator_, "Client", "Server", GetTestOrigin());
+    server_ = std::make_unique<QuicTransportServerEndpoint>(
+        &simulator_, "Server", "Client", mode, accepted_origins_);
+  }
+
+  void WireUpEndpoints() {
+    client_link_ = std::make_unique<simulator::SymmetricLink>(
+        client_.get(), switch_.port(1), kClientBandwidth,
+        kClientPropagationDelay);
+    server_link_ = std::make_unique<simulator::SymmetricLink>(
+        server_.get(), switch_.port(2), kServerBandwidth,
+        kServerPropagationDelay);
+  }
+
+  void RunHandshake() {
+    client_->session()->CryptoConnect();
+    bool result = simulator_.RunUntilOrTimeout(
+        [this]() {
+          return IsHandshakeDone(client_->session()) &&
+                 IsHandshakeDone(server_->session());
+        },
+        kDefaultTimeout);
+    EXPECT_TRUE(result);
+  }
+
+ protected:
+  template <class Session>
+  static bool IsHandshakeDone(const Session* session) {
+    return session->IsSessionReady() || session->error() != QUIC_NO_ERROR;
+  }
+
+  Simulator simulator_;
+  simulator::Switch switch_;
+  std::unique_ptr<simulator::SymmetricLink> client_link_;
+  std::unique_ptr<simulator::SymmetricLink> server_link_;
+
+  std::unique_ptr<QuicTransportClientEndpoint> client_;
+  std::unique_ptr<QuicTransportServerEndpoint> server_;
+
+  std::vector<url::Origin> accepted_origins_ = {GetTestOrigin()};
+};
+
+TEST_F(QuicTransportIntegrationTest, SuccessfulHandshake) {
+  CreateDefaultEndpoints(QuicTransportSimpleServerSession::DISCARD);
+  WireUpEndpoints();
+  RunHandshake();
+  EXPECT_TRUE(client_->session()->IsSessionReady());
+  EXPECT_TRUE(server_->session()->IsSessionReady());
+}
+
+TEST_F(QuicTransportIntegrationTest, OriginMismatch) {
+  accepted_origins_ = {url::Origin::Create(GURL{"https://wrong-origin.test"})};
+  CreateDefaultEndpoints(QuicTransportSimpleServerSession::DISCARD);
+  WireUpEndpoints();
+  RunHandshake();
+  // Wait until the client receives CONNECTION_CLOSE.
+  simulator_.RunUntilOrTimeout(
+      [this]() { return !client_->session()->connection()->connected(); },
+      kDefaultTimeout);
+  EXPECT_TRUE(client_->session()->IsSessionReady());
+  EXPECT_FALSE(server_->session()->IsSessionReady());
+  EXPECT_FALSE(client_->session()->connection()->connected());
+  EXPECT_FALSE(server_->session()->connection()->connected());
+  EXPECT_THAT(client_->session()->error(),
+              IsError(QUIC_TRANSPORT_INVALID_CLIENT_INDICATION));
+  EXPECT_THAT(server_->session()->error(),
+              IsError(QUIC_TRANSPORT_INVALID_CLIENT_INDICATION));
+}
+
+TEST_F(QuicTransportIntegrationTest, SendOutgoingStreams) {
+  CreateDefaultEndpoints(QuicTransportSimpleServerSession::DISCARD);
+  WireUpEndpoints();
+  RunHandshake();
+
+  std::vector<QuicTransportStream*> streams;
+  for (int i = 0; i < 10; i++) {
+    QuicTransportStream* stream =
+        client_->session()->OpenOutgoingUnidirectionalStream();
+    ASSERT_TRUE(stream->Write("test"));
+    streams.push_back(stream);
+  }
+  ASSERT_TRUE(simulator_.RunUntilOrTimeout(
+      [this]() {
+        return server_->session()->GetNumOpenIncomingStreams() == 10;
+      },
+      kDefaultTimeout));
+
+  for (QuicTransportStream* stream : streams) {
+    ASSERT_TRUE(stream->SendFin());
+  }
+  ASSERT_TRUE(simulator_.RunUntilOrTimeout(
+      [this]() { return server_->session()->GetNumOpenIncomingStreams() == 0; },
+      kDefaultTimeout));
+}
+
+TEST_F(QuicTransportIntegrationTest, EchoBidirectionalStreams) {
+  CreateDefaultEndpoints(QuicTransportSimpleServerSession::ECHO);
+  WireUpEndpoints();
+  RunHandshake();
+
+  QuicTransportStream* stream =
+      client_->session()->OpenOutgoingBidirectionalStream();
+  EXPECT_TRUE(stream->Write("Hello!"));
+
+  ASSERT_TRUE(simulator_.RunUntilOrTimeout(
+      [stream]() { return stream->ReadableBytes() == strlen("Hello!"); },
+      kDefaultTimeout));
+  std::string received;
+  EXPECT_EQ(stream->Read(&received), strlen("Hello!"));
+  EXPECT_EQ(received, "Hello!");
+
+  EXPECT_TRUE(stream->SendFin());
+  ASSERT_TRUE(simulator_.RunUntilOrTimeout(
+      [this]() { return server_->session()->GetNumOpenIncomingStreams() == 0; },
+      kDefaultTimeout));
+}
+
+TEST_F(QuicTransportIntegrationTest, EchoUnidirectionalStreams) {
+  CreateDefaultEndpoints(QuicTransportSimpleServerSession::ECHO);
+  WireUpEndpoints();
+  RunHandshake();
+
+  // Send two streams, but only send FIN on the second one.
+  QuicTransportStream* stream1 =
+      client_->session()->OpenOutgoingUnidirectionalStream();
+  EXPECT_TRUE(stream1->Write("Stream One"));
+  QuicTransportStream* stream2 =
+      client_->session()->OpenOutgoingUnidirectionalStream();
+  EXPECT_TRUE(stream2->Write("Stream Two"));
+  EXPECT_TRUE(stream2->SendFin());
+
+  // Wait until a stream is received.
+  bool stream_received = false;
+  EXPECT_CALL(*client_->visitor(), OnIncomingUnidirectionalStreamAvailable())
+      .Times(2)
+      .WillRepeatedly(Assign(&stream_received, true));
+  ASSERT_TRUE(simulator_.RunUntilOrTimeout(
+      [&stream_received]() { return stream_received; }, kDefaultTimeout));
+
+  // Receive a reply stream and expect it to be the second one.
+  QuicTransportStream* reply =
+      client_->session()->AcceptIncomingUnidirectionalStream();
+  ASSERT_TRUE(reply != nullptr);
+  std::string buffer;
+  reply->set_visitor(VisitorExpectingFin());
+  EXPECT_GT(reply->Read(&buffer), 0u);
+  EXPECT_EQ(buffer, "Stream Two");
+
+  // Reset reply-related variables.
+  stream_received = false;
+  buffer = "";
+
+  // Send FIN on the first stream, and expect to receive it back.
+  EXPECT_TRUE(stream1->SendFin());
+  ASSERT_TRUE(simulator_.RunUntilOrTimeout(
+      [&stream_received]() { return stream_received; }, kDefaultTimeout));
+  reply = client_->session()->AcceptIncomingUnidirectionalStream();
+  ASSERT_TRUE(reply != nullptr);
+  reply->set_visitor(VisitorExpectingFin());
+  EXPECT_GT(reply->Read(&buffer), 0u);
+  EXPECT_EQ(buffer, "Stream One");
+}
+
+}  // namespace
+}  // namespace test
+}  // namespace quic
diff --git a/chromium/net/third_party/quiche/src/quic/quic_transport/quic_transport_protocol.h b/chromium/net/third_party/quiche/src/quic/quic_transport/quic_transport_protocol.h
index 307354f32ad..f97b8e777de 100644
--- a/chromium/net/third_party/quiche/src/quic/quic_transport/quic_transport_protocol.h
+++ b/chromium/net/third_party/quiche/src/quic/quic_transport/quic_transport_protocol.h
@@ -12,23 +12,24 @@
 namespace quic {
 
 // The ALPN used by QuicTransport.
-QUIC_EXPORT inline const char* QuicTransportAlpn() {
+QUIC_EXPORT_PRIVATE inline const char* QuicTransportAlpn() {
   return "wq-vvv-01";
 }
 
 // The stream ID on which the client indication is sent.
-QUIC_EXPORT constexpr QuicStreamId ClientIndicationStream() {
+QUIC_EXPORT_PRIVATE constexpr QuicStreamId ClientIndicationStream() {
   return 2;
 }
 
 // The maximum allowed size of the client indication.
-QUIC_EXPORT constexpr QuicByteCount ClientIndicationMaxSize() {
+QUIC_EXPORT_PRIVATE constexpr QuicByteCount ClientIndicationMaxSize() {
   return 65536;
 }
 
 // The keys of the fields in the client indication.
 enum class QuicTransportClientIndicationKeys : uint16_t {
   kOrigin = 0x0000,
+  kPath = 0x0001,
 };
 
 }  // namespace quic
diff --git a/chromium/net/third_party/quiche/src/quic/quic_transport/quic_transport_server_session.cc b/chromium/net/third_party/quiche/src/quic/quic_transport/quic_transport_server_session.cc
index 92cffcd9156..7f00acd470f 100644
--- a/chromium/net/third_party/quiche/src/quic/quic_transport/quic_transport_server_session.cc
+++ b/chromium/net/third_party/quiche/src/quic/quic_transport/quic_transport_server_session.cc
@@ -12,8 +12,8 @@
 #include "net/third_party/quiche/src/quic/core/quic_types.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_str_cat.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_string_piece.h"
-#include "net/third_party/quiche/src/quic/quic_transport/quic_transport_client_session.h"
 #include "net/third_party/quiche/src/quic/quic_transport/quic_transport_protocol.h"
+#include "net/third_party/quiche/src/quic/quic_transport/quic_transport_stream.h"
 
 namespace quic {
 
@@ -63,9 +63,11 @@ QuicStream* QuicTransportServerSession::CreateIncomingStream(QuicStreamId id) {
     return indication_ptr;
   }
 
-  // TODO(vasilvv): implement incoming data streams.
-  QUIC_BUG << "Not implemented";
-  return nullptr;
+  auto stream = std::make_unique<QuicTransportStream>(id, this, this);
+  QuicTransportStream* stream_ptr = stream.get();
+  ActivateStream(std::move(stream));
+  OnIncomingDataStream(stream_ptr);
+  return stream_ptr;
 }
 
 QuicTransportServerSession::ClientIndication::ClientIndication(
diff --git a/chromium/net/third_party/quiche/src/quic/quic_transport/quic_transport_server_session.h b/chromium/net/third_party/quiche/src/quic/quic_transport/quic_transport_server_session.h
index 7183eada1c8..b3fcfa07588 100644
--- a/chromium/net/third_party/quiche/src/quic/quic_transport/quic_transport_server_session.h
+++ b/chromium/net/third_party/quiche/src/quic/quic_transport/quic_transport_server_session.h
@@ -12,15 +12,16 @@
 #include "net/third_party/quiche/src/quic/platform/api/quic_string_piece.h"
 #include "net/third_party/quiche/src/quic/quic_transport/quic_transport_protocol.h"
 #include "net/third_party/quiche/src/quic/quic_transport/quic_transport_session_interface.h"
+#include "net/third_party/quiche/src/quic/quic_transport/quic_transport_stream.h"
 
 namespace quic {
 
 // A server session for the QuicTransport protocol.
-class QUIC_EXPORT QuicTransportServerSession
+class QUIC_EXPORT_PRIVATE QuicTransportServerSession
     : public QuicSession,
       public QuicTransportSessionInterface {
  public:
-  class ServerVisitor {
+  class QUIC_EXPORT_PRIVATE ServerVisitor {
    public:
     virtual ~ServerVisitor() {}
 
@@ -49,6 +50,10 @@ class QUIC_EXPORT QuicTransportServerSession
     return crypto_stream_.get();
   }
 
+  // Returns true once the encryption has been established, the client
+  // indication has been received and the origin has been verified.  No
+  // application data will be read or written before the connection is ready.
+  // Once the connection becomes ready, this method will never return false.
   bool IsSessionReady() const override { return ready_; }
 
   QuicStream* CreateIncomingStream(QuicStreamId id) override;
@@ -59,7 +64,7 @@ class QUIC_EXPORT QuicTransportServerSession
   }
 
  protected:
-  class ClientIndication : public QuicStream {
+  class QUIC_EXPORT_PRIVATE ClientIndication : public QuicStream {
    public:
     explicit ClientIndication(QuicTransportServerSession* session);
     void OnDataAvailable() override;
@@ -70,7 +75,7 @@ class QUIC_EXPORT QuicTransportServerSession
   };
 
   // Utility class for parsing the client indication.
-  class ClientIndicationParser {
+  class QUIC_EXPORT_PRIVATE ClientIndicationParser {
    public:
     ClientIndicationParser(QuicTransportServerSession* session,
                            QuicStringPiece indication)
@@ -93,6 +98,8 @@ class QUIC_EXPORT QuicTransportServerSession
   // https://vasilvv.github.io/webtransport/draft-vvv-webtransport-quic.html#rfc.section.3.2
   void ProcessClientIndication(QuicStringPiece indication);
 
+  virtual void OnIncomingDataStream(QuicTransportStream* /*stream*/) {}
+
   std::unique_ptr<QuicCryptoServerStream> crypto_stream_;
   bool ready_ = false;
   ServerVisitor* visitor_;
diff --git a/chromium/net/third_party/quiche/src/quic/quic_transport/quic_transport_server_session_test.cc b/chromium/net/third_party/quiche/src/quic/quic_transport/quic_transport_server_session_test.cc
index 818c08db9e4..5e6774810f0 100644
--- a/chromium/net/third_party/quiche/src/quic/quic_transport/quic_transport_server_session_test.cc
+++ b/chromium/net/third_party/quiche/src/quic/quic_transport/quic_transport_server_session_test.cc
@@ -21,6 +21,7 @@
 #include "net/third_party/quiche/src/quic/quic_transport/quic_transport_protocol.h"
 #include "net/third_party/quiche/src/quic/test_tools/crypto_test_utils.h"
 #include "net/third_party/quiche/src/quic/test_tools/quic_test_utils.h"
+#include "net/third_party/quiche/src/quic/test_tools/quic_transport_test_tools.h"
 
 namespace quic {
 namespace test {
@@ -48,11 +49,6 @@ ParsedQuicVersionVector GetVersions() {
   return {ParsedQuicVersion{PROTOCOL_TLS1_3, QUIC_VERSION_99}};
 }
 
-class MockVisitor : public QuicTransportServerSession::ServerVisitor {
- public:
-  MOCK_METHOD1(CheckOrigin, bool(url::Origin));
-};
-
 class QuicTransportServerSessionTest : public QuicTest {
  public:
   QuicTransportServerSessionTest()
@@ -76,7 +72,9 @@ class QuicTransportServerSessionTest : public QuicTest {
     session_->Initialize();
     crypto_stream_ = static_cast<QuicCryptoServerStream*>(
         session_->GetMutableCryptoStream());
-    crypto_stream_->OnSuccessfulVersionNegotiation(GetVersions()[0]);
+    if (!GetQuicReloadableFlag(quic_version_negotiated_by_default_at_server)) {
+      crypto_stream_->OnSuccessfulVersionNegotiation(GetVersions()[0]);
+    }
   }
 
   void Connect() {
@@ -111,7 +109,7 @@ class QuicTransportServerSessionTest : public QuicTest {
   QuicCryptoServerConfig crypto_config_;
   std::unique_ptr<QuicTransportServerSession> session_;
   QuicCompressedCertsCache compressed_certs_cache_;
-  testing::StrictMock<MockVisitor> visitor_;
+  testing::StrictMock<MockServerVisitor> visitor_;
   QuicCryptoServerStream* crypto_stream_;
 };
 
diff --git a/chromium/net/third_party/quiche/src/quic/quic_transport/quic_transport_session_interface.h b/chromium/net/third_party/quiche/src/quic/quic_transport/quic_transport_session_interface.h
index 971fa5b3c73..cdb3e999790 100644
--- a/chromium/net/third_party/quiche/src/quic/quic_transport/quic_transport_session_interface.h
+++ b/chromium/net/third_party/quiche/src/quic/quic_transport/quic_transport_session_interface.h
@@ -5,11 +5,13 @@
 #ifndef QUICHE_QUIC_QUIC_TRANSPORT_QUIC_TRANSPORT_SESSION_INTERFACE_H_
 #define QUICHE_QUIC_QUIC_TRANSPORT_QUIC_TRANSPORT_SESSION_INTERFACE_H_
 
+#include "net/third_party/quiche/src/quic/platform/api/quic_export.h"
+
 namespace quic {
 
 // Shared interface between QuicTransportClientSession and
 // QuicTransportServerSession.
-class QuicTransportSessionInterface {
+class QUIC_EXPORT_PRIVATE QuicTransportSessionInterface {
  public:
   virtual ~QuicTransportSessionInterface() {}
 
diff --git a/chromium/net/third_party/quiche/src/quic/quic_transport/quic_transport_stream.cc b/chromium/net/third_party/quiche/src/quic/quic_transport/quic_transport_stream.cc
new file mode 100644
index 00000000000..61f4345d61b
--- /dev/null
+++ b/chromium/net/third_party/quiche/src/quic/quic_transport/quic_transport_stream.cc
@@ -0,0 +1,112 @@
+// Copyright (c) 2019 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "net/third_party/quiche/src/quic/quic_transport/quic_transport_stream.h"
+
+#include <sys/types.h>
+
+#include "net/third_party/quiche/src/quic/core/quic_types.h"
+#include "net/third_party/quiche/src/quic/core/quic_utils.h"
+#include "net/third_party/quiche/src/quic/platform/api/quic_string_piece.h"
+
+namespace quic {
+
+QuicTransportStream::QuicTransportStream(
+    QuicStreamId id,
+    QuicSession* session,
+    QuicTransportSessionInterface* session_interface)
+    : QuicStream(id,
+                 session,
+                 /*is_static=*/false,
+                 QuicUtils::GetStreamType(id,
+                                          session->connection()->perspective(),
+                                          session->IsIncomingStream(id))),
+      session_interface_(session_interface) {}
+
+size_t QuicTransportStream::Read(char* buffer, size_t buffer_size) {
+  if (!session_interface_->IsSessionReady()) {
+    return 0;
+  }
+
+  iovec iov;
+  iov.iov_base = buffer;
+  iov.iov_len = buffer_size;
+  const size_t result = sequencer()->Readv(&iov, 1);
+  if (sequencer()->IsClosed() && visitor_ != nullptr) {
+    visitor_->OnFinRead();
+  }
+  return result;
+}
+
+size_t QuicTransportStream::Read(std::string* output) {
+  const size_t old_size = output->size();
+  const size_t bytes_to_read = ReadableBytes();
+  output->resize(old_size + bytes_to_read);
+  size_t bytes_read = Read(&(*output)[old_size], bytes_to_read);
+  DCHECK_EQ(bytes_to_read, bytes_read);
+  output->resize(old_size + bytes_read);
+  return bytes_read;
+}
+
+bool QuicTransportStream::Write(QuicStringPiece data) {
+  if (!CanWrite()) {
+    return false;
+  }
+
+  // TODO(vasilvv): use WriteMemSlices()
+  WriteOrBufferData(data, /*fin=*/false, nullptr);
+  return true;
+}
+
+bool QuicTransportStream::SendFin() {
+  if (!CanWrite()) {
+    return false;
+  }
+
+  WriteOrBufferData(QuicStringPiece(), /*fin=*/true, nullptr);
+  return true;
+}
+
+bool QuicTransportStream::CanWrite() const {
+  return session_interface_->IsSessionReady() && CanWriteNewData();
+}
+
+size_t QuicTransportStream::ReadableBytes() const {
+  if (!session_interface_->IsSessionReady()) {
+    return 0;
+  }
+
+  return sequencer()->ReadableBytes();
+}
+
+void QuicTransportStream::OnDataAvailable() {
+  if (sequencer()->IsClosed()) {
+    if (visitor_ != nullptr) {
+      visitor_->OnFinRead();
+    }
+    OnFinRead();
+    return;
+  }
+
+  if (visitor_ == nullptr) {
+    return;
+  }
+  if (ReadableBytes() == 0) {
+    return;
+  }
+  visitor_->OnCanRead();
+}
+
+void QuicTransportStream::OnCanWriteNewData() {
+  // Ensure the origin check has been completed, as the stream can be notified
+  // about being writable before that.
+  if (!CanWrite()) {
+    return;
+  }
+  if (visitor_ != nullptr) {
+    visitor_->OnCanWrite();
+  }
+}
+
+}  // namespace quic
diff --git a/chromium/net/third_party/quiche/src/quic/quic_transport/quic_transport_stream.h b/chromium/net/third_party/quiche/src/quic/quic_transport/quic_transport_stream.h
new file mode 100644
index 00000000000..1651a1cb082
--- /dev/null
+++ b/chromium/net/third_party/quiche/src/quic/quic_transport/quic_transport_stream.h
@@ -0,0 +1,72 @@
+// Copyright (c) 2019 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef QUICHE_QUIC_QUIC_TRANSPORT_QUIC_TRANSPORT_STREAM_H_
+#define QUICHE_QUIC_QUIC_TRANSPORT_QUIC_TRANSPORT_STREAM_H_
+
+#include <cstddef>
+#include <memory>
+
+#include "net/third_party/quiche/src/quic/core/quic_session.h"
+#include "net/third_party/quiche/src/quic/core/quic_stream.h"
+#include "net/third_party/quiche/src/quic/core/quic_types.h"
+#include "net/third_party/quiche/src/quic/platform/api/quic_macros.h"
+#include "net/third_party/quiche/src/quic/platform/api/quic_string_piece.h"
+#include "net/third_party/quiche/src/quic/quic_transport/quic_transport_session_interface.h"
+
+namespace quic {
+
+// QuicTransportStream is an extension of QuicStream that provides I/O interface
+// that is safe to use in the QuicTransport context.  The interface ensures no
+// application data is processed before the client indication is processed.
+class QUIC_EXPORT_PRIVATE QuicTransportStream : public QuicStream {
+ public:
+  class QUIC_EXPORT_PRIVATE Visitor {
+   public:
+    virtual ~Visitor() {}
+    virtual void OnCanRead() = 0;
+    virtual void OnFinRead() = 0;
+    virtual void OnCanWrite() = 0;
+  };
+
+  QuicTransportStream(QuicStreamId id,
+                      QuicSession* session,
+                      QuicTransportSessionInterface* session_interface);
+
+  // Reads at most |buffer_size| bytes into |buffer| and returns the number of
+  // bytes actually read.
+  size_t Read(char* buffer, size_t buffer_size);
+  // Reads all available data and appends it to the end of |output|.
+  size_t Read(std::string* output);
+  // Writes |data| into the stream.  Returns true on success.
+  QUIC_MUST_USE_RESULT bool Write(QuicStringPiece data);
+  // Sends the FIN on the stream.  Returns true on success.
+  QUIC_MUST_USE_RESULT bool SendFin();
+
+  // Indicates whether it is possible to write into stream right now.
+  bool CanWrite() const;
+  // Indicates the number of bytes that can be read from the stream.
+  size_t ReadableBytes() const;
+
+  // QuicSession method implementations.
+  void OnDataAvailable() override;
+  void OnCanWriteNewData() override;
+
+  Visitor* visitor() { return visitor_.get(); }
+  void set_visitor(std::unique_ptr<Visitor> visitor) {
+    visitor_ = std::move(visitor);
+  }
+
+ protected:
+  // Hide the methods that allow writing data without checking IsSessionReady().
+  using QuicStream::WriteMemSlices;
+  using QuicStream::WriteOrBufferData;
+
+  QuicTransportSessionInterface* session_interface_;
+  std::unique_ptr<Visitor> visitor_ = nullptr;
+};
+
+}  // namespace quic
+
+#endif  // QUICHE_QUIC_QUIC_TRANSPORT_QUIC_TRANSPORT_STREAM_H_
diff --git a/chromium/net/third_party/quiche/src/quic/quic_transport/quic_transport_stream_test.cc b/chromium/net/third_party/quiche/src/quic/quic_transport/quic_transport_stream_test.cc
new file mode 100644
index 00000000000..c291b54cf2b
--- /dev/null
+++ b/chromium/net/third_party/quiche/src/quic/quic_transport/quic_transport_stream_test.cc
@@ -0,0 +1,123 @@
+// Copyright (c) 2019 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "net/third_party/quiche/src/quic/quic_transport/quic_transport_stream.h"
+
+#include <memory>
+
+#include "net/third_party/quiche/src/quic/core/frames/quic_window_update_frame.h"
+#include "net/third_party/quiche/src/quic/platform/api/quic_expect_bug.h"
+#include "net/third_party/quiche/src/quic/platform/api/quic_ptr_util.h"
+#include "net/third_party/quiche/src/quic/platform/api/quic_test.h"
+#include "net/third_party/quiche/src/quic/quic_transport/quic_transport_session_interface.h"
+#include "net/third_party/quiche/src/quic/test_tools/quic_config_peer.h"
+#include "net/third_party/quiche/src/quic/test_tools/quic_test_utils.h"
+#include "net/third_party/quiche/src/quic/test_tools/quic_transport_test_tools.h"
+
+namespace quic {
+namespace test {
+namespace {
+
+using testing::Return;
+
+ParsedQuicVersionVector GetVersions() {
+  return {ParsedQuicVersion{PROTOCOL_TLS1_3, QUIC_VERSION_99}};
+}
+
+class MockQuicTransportSessionInterface : public QuicTransportSessionInterface {
+ public:
+  MOCK_CONST_METHOD0(IsSessionReady, bool());
+};
+
+class QuicTransportStreamTest : public QuicTest {
+ public:
+  QuicTransportStreamTest()
+      : connection_(new MockQuicConnection(&helper_,
+                                           &alarm_factory_,
+                                           Perspective::IS_CLIENT,
+                                           GetVersions())),
+        session_(connection_) {
+    session_.Initialize();
+
+    stream_ = new QuicTransportStream(0, &session_, &interface_);
+    session_.ActivateStream(QuicWrapUnique(stream_));
+
+    auto visitor = std::make_unique<MockStreamVisitor>();
+    visitor_ = visitor.get();
+    stream_->set_visitor(std::move(visitor));
+  }
+
+  void ReceiveStreamData(QuicStringPiece data, QuicStreamOffset offset) {
+    QuicStreamFrame frame(0, false, offset, data);
+    stream_->OnStreamFrame(frame);
+  }
+
+ protected:
+  MockAlarmFactory alarm_factory_;
+  MockQuicConnectionHelper helper_;
+
+  MockQuicConnection* connection_;  // Owned by |session_|.
+  MockQuicSession session_;
+  MockQuicTransportSessionInterface interface_;
+  QuicTransportStream* stream_;  // Owned by |session_|.
+  MockStreamVisitor* visitor_;   // Owned by |stream_|.
+};
+
+TEST_F(QuicTransportStreamTest, NotReady) {
+  EXPECT_CALL(interface_, IsSessionReady()).WillRepeatedly(Return(false));
+  ReceiveStreamData("test", 0);
+  EXPECT_EQ(stream_->ReadableBytes(), 0u);
+  EXPECT_FALSE(stream_->CanWrite());
+}
+
+TEST_F(QuicTransportStreamTest, ReadWhenNotReady) {
+  EXPECT_CALL(interface_, IsSessionReady()).WillRepeatedly(Return(false));
+  ReceiveStreamData("test", 0);
+  char buffer[4];
+  QuicByteCount bytes_read = stream_->Read(buffer, sizeof(buffer));
+  EXPECT_EQ(bytes_read, 0u);
+}
+
+TEST_F(QuicTransportStreamTest, WriteWhenNotReady) {
+  EXPECT_CALL(interface_, IsSessionReady()).WillRepeatedly(Return(false));
+  EXPECT_FALSE(stream_->Write("test"));
+}
+
+TEST_F(QuicTransportStreamTest, Ready) {
+  EXPECT_CALL(interface_, IsSessionReady()).WillRepeatedly(Return(true));
+  ReceiveStreamData("test", 0);
+  EXPECT_EQ(stream_->ReadableBytes(), 4u);
+  EXPECT_TRUE(stream_->CanWrite());
+  EXPECT_TRUE(stream_->Write("test"));
+}
+
+TEST_F(QuicTransportStreamTest, ReceiveData) {
+  EXPECT_CALL(interface_, IsSessionReady()).WillRepeatedly(Return(true));
+  EXPECT_CALL(*visitor_, OnCanRead());
+  ReceiveStreamData("test", 0);
+}
+
+TEST_F(QuicTransportStreamTest, FinReadWithNoDataPending) {
+  EXPECT_CALL(interface_, IsSessionReady()).WillRepeatedly(Return(true));
+  EXPECT_CALL(*visitor_, OnFinRead());
+  QuicStreamFrame frame(0, true, 0, "");
+  stream_->OnStreamFrame(frame);
+}
+
+TEST_F(QuicTransportStreamTest, FinReadWithDataPending) {
+  EXPECT_CALL(interface_, IsSessionReady()).WillRepeatedly(Return(true));
+
+  EXPECT_CALL(*visitor_, OnCanRead());
+  EXPECT_CALL(*visitor_, OnFinRead()).Times(0);
+  QuicStreamFrame frame(0, true, 0, "test");
+  stream_->OnStreamFrame(frame);
+
+  EXPECT_CALL(*visitor_, OnFinRead()).Times(1);
+  std::string buffer;
+  ASSERT_EQ(stream_->Read(&buffer), 4u);
+}
+
+}  // namespace
+}  // namespace test
+}  // namespace quic
diff --git a/chromium/net/third_party/quiche/src/quic/test_tools/crypto_test_utils.cc b/chromium/net/third_party/quiche/src/quic/test_tools/crypto_test_utils.cc
index 98d65e8d0fe..6716dec2605 100644
--- a/chromium/net/third_party/quiche/src/quic/test_tools/crypto_test_utils.cc
+++ b/chromium/net/third_party/quiche/src/quic/test_tools/crypto_test_utils.cc
@@ -209,7 +209,14 @@ class FullChloGenerator {
 
 }  // namespace
 
+std::unique_ptr<QuicCryptoServerConfig> CryptoServerConfigForTesting() {
+  return std::make_unique<QuicCryptoServerConfig>(
+      QuicCryptoServerConfig::TESTING, QuicRandom::GetInstance(),
+      ProofSourceForTesting(), KeyExchangeSource::Default());
+}
+
 int HandshakeWithFakeServer(QuicConfig* server_quic_config,
+                            QuicCryptoServerConfig* crypto_config,
                             MockQuicConnectionHelper* helper,
                             MockAlarmFactory* alarm_factory,
                             PacketSavingConnection* client_conn,
@@ -219,19 +226,19 @@ int HandshakeWithFakeServer(QuicConfig* server_quic_config,
       helper, alarm_factory, Perspective::IS_SERVER,
       ParsedVersionOfIndex(client_conn->supported_versions(), 0));
 
-  QuicCryptoServerConfig crypto_config(
-      QuicCryptoServerConfig::TESTING, QuicRandom::GetInstance(),
-      ProofSourceForTesting(), KeyExchangeSource::Default());
   QuicCompressedCertsCache compressed_certs_cache(
       QuicCompressedCertsCache::kQuicCompressedCertsCacheSize);
   SetupCryptoServerConfigForTest(
-      server_conn->clock(), server_conn->random_generator(), &crypto_config);
+      server_conn->clock(), server_conn->random_generator(), crypto_config);
 
   TestQuicSpdyServerSession server_session(
       server_conn, *server_quic_config, client_conn->supported_versions(),
-      &crypto_config, &compressed_certs_cache);
-  server_session.OnSuccessfulVersionNegotiation(
-      client_conn->supported_versions().front());
+      crypto_config, &compressed_certs_cache);
+  server_session.Initialize();
+  if (!GetQuicReloadableFlag(quic_version_negotiated_by_default_at_server)) {
+    server_session.OnSuccessfulVersionNegotiation(
+        client_conn->supported_versions().front());
+  }
   EXPECT_CALL(*server_session.helper(),
               CanAcceptClientHello(testing::_, testing::_, testing::_,
                                    testing::_, testing::_))
@@ -346,7 +353,8 @@ void CommunicateHandshakeMessages(PacketSavingConnection* client_conn,
     MovePackets(client_conn, &client_i, server, server_conn,
                 Perspective::IS_SERVER);
 
-    if (client->handshake_confirmed() && server->handshake_confirmed()) {
+    if (client->handshake_confirmed() && server->handshake_confirmed() &&
+        server_conn->encrypted_packets_.size() == server_i) {
       break;
     }
     ASSERT_GT(server_conn->encrypted_packets_.size(), server_i);
@@ -782,7 +790,7 @@ std::string GenerateClientNonceHex(const QuicClock* clock,
       QuicRandom::GetInstance(), clock, new_config_options);
   primary_config.set_primary_time(clock->WallNow().ToUNIXSeconds());
   std::unique_ptr<CryptoHandshakeMessage> msg =
-      crypto_config->AddConfig(std::move(primary_config), clock->WallNow());
+      crypto_config->AddConfig(primary_config, clock->WallNow());
   QuicStringPiece orbit;
   CHECK(msg->GetStringPiece(kORBT, &orbit));
   std::string nonce;
diff --git a/chromium/net/third_party/quiche/src/quic/test_tools/crypto_test_utils.h b/chromium/net/third_party/quiche/src/quic/test_tools/crypto_test_utils.h
index 6f87e90494c..327eb673523 100644
--- a/chromium/net/third_party/quiche/src/quic/test_tools/crypto_test_utils.h
+++ b/chromium/net/third_party/quiche/src/quic/test_tools/crypto_test_utils.h
@@ -64,8 +64,13 @@ struct FakeClientOptions {
   bool only_tls_versions = false;
 };
 
+// Returns a QuicCryptoServerConfig that is in a reasonable configuration to
+// pass into HandshakeWithFakeServer.
+std::unique_ptr<QuicCryptoServerConfig> CryptoServerConfigForTesting();
+
 // returns: the number of client hellos that the client sent.
 int HandshakeWithFakeServer(QuicConfig* server_quic_config,
+                            QuicCryptoServerConfig* crypto_config,
                             MockQuicConnectionHelper* helper,
                             MockAlarmFactory* alarm_factory,
                             PacketSavingConnection* client_conn,
diff --git a/chromium/net/third_party/quiche/src/quic/test_tools/crypto_test_utils_test.cc b/chromium/net/third_party/quiche/src/quic/test_tools/crypto_test_utils_test.cc
index 59a3947393e..656549772fa 100644
--- a/chromium/net/third_party/quiche/src/quic/test_tools/crypto_test_utils_test.cc
+++ b/chromium/net/third_party/quiche/src/quic/test_tools/crypto_test_utils_test.cc
@@ -128,7 +128,7 @@ TEST_F(CryptoTestUtilsTest, TestGenerateFullCHLO) {
       QuicRandom::GetInstance(), &clock, new_config_options);
   primary_config.set_primary_time(clock.WallNow().ToUNIXSeconds());
   std::unique_ptr<CryptoHandshakeMessage> msg =
-      crypto_config.AddConfig(std::move(primary_config), clock.WallNow());
+      crypto_config.AddConfig(primary_config, clock.WallNow());
   QuicStringPiece orbit;
   ASSERT_TRUE(msg->GetStringPiece(kORBT, &orbit));
   std::string nonce;
diff --git a/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_decoder_test_utils.cc b/chromium/net/third_party/quiche/src/quic/test_tools/qpack/qpack_decoder_test_utils.cc
index eaf66648cb0..2b835ae2e46 100644
--- a/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_decoder_test_utils.cc
+++ b/chromium/net/third_party/quiche/src/quic/test_tools/qpack/qpack_decoder_test_utils.cc
@@ -2,7 +2,7 @@
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
-#include "net/third_party/quiche/src/quic/core/qpack/qpack_decoder_test_utils.h"
+#include "net/third_party/quiche/src/quic/test_tools/qpack/qpack_decoder_test_utils.h"
 
 #include <algorithm>
 #include <cstddef>
diff --git a/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_decoder_test_utils.h b/chromium/net/third_party/quiche/src/quic/test_tools/qpack/qpack_decoder_test_utils.h
index 6505b60a1fe..213aded1ba5 100644
--- a/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_decoder_test_utils.h
+++ b/chromium/net/third_party/quiche/src/quic/test_tools/qpack/qpack_decoder_test_utils.h
@@ -2,16 +2,16 @@
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
-#ifndef QUICHE_QUIC_CORE_QPACK_QPACK_DECODER_TEST_UTILS_H_
-#define QUICHE_QUIC_CORE_QPACK_QPACK_DECODER_TEST_UTILS_H_
+#ifndef QUICHE_QUIC_TEST_TOOLS_QPACK_QPACK_DECODER_TEST_UTILS_H_
+#define QUICHE_QUIC_TEST_TOOLS_QPACK_QPACK_DECODER_TEST_UTILS_H_
 
 #include <string>
 
 #include "net/third_party/quiche/src/quic/core/qpack/qpack_decoder.h"
 #include "net/third_party/quiche/src/quic/core/qpack/qpack_progressive_decoder.h"
-#include "net/third_party/quiche/src/quic/core/qpack/qpack_test_utils.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_string_piece.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_test.h"
+#include "net/third_party/quiche/src/quic/test_tools/qpack/qpack_test_utils.h"
 #include "net/third_party/quiche/src/spdy/core/spdy_header_block.h"
 
 namespace quic {
@@ -100,4 +100,4 @@ void QpackDecode(
 }  // namespace test
 }  // namespace quic
 
-#endif  // QUICHE_QUIC_CORE_QPACK_QPACK_DECODER_TEST_UTILS_H_
+#endif  // QUICHE_QUIC_TEST_TOOLS_QPACK_QPACK_DECODER_TEST_UTILS_H_
diff --git a/chromium/net/third_party/quiche/src/quic/test_tools/qpack_encoder_peer.cc b/chromium/net/third_party/quiche/src/quic/test_tools/qpack/qpack_encoder_peer.cc
index 9719bdb9b7a..709686a85e8 100644
--- a/chromium/net/third_party/quiche/src/quic/test_tools/qpack_encoder_peer.cc
+++ b/chromium/net/third_party/quiche/src/quic/test_tools/qpack/qpack_encoder_peer.cc
@@ -2,7 +2,7 @@
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
-#include "net/third_party/quiche/src/quic/test_tools/qpack_encoder_peer.h"
+#include "net/third_party/quiche/src/quic/test_tools/qpack/qpack_encoder_peer.h"
 
 #include "net/third_party/quiche/src/quic/core/qpack/qpack_encoder.h"
 
diff --git a/chromium/net/third_party/quiche/src/quic/test_tools/qpack_encoder_peer.h b/chromium/net/third_party/quiche/src/quic/test_tools/qpack/qpack_encoder_peer.h
index 2edf4274611..a824276bc4c 100644
--- a/chromium/net/third_party/quiche/src/quic/test_tools/qpack_encoder_peer.h
+++ b/chromium/net/third_party/quiche/src/quic/test_tools/qpack/qpack_encoder_peer.h
@@ -2,8 +2,8 @@
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
-#ifndef QUICHE_QUIC_TEST_TOOLS_QPACK_ENCODER_PEER_H_
-#define QUICHE_QUIC_TEST_TOOLS_QPACK_ENCODER_PEER_H_
+#ifndef QUICHE_QUIC_TEST_TOOLS_QPACK_QPACK_ENCODER_PEER_H_
+#define QUICHE_QUIC_TEST_TOOLS_QPACK_QPACK_ENCODER_PEER_H_
 
 #include <cstdint>
 
@@ -27,4 +27,4 @@ class QpackEncoderPeer {
 
 }  // namespace quic
 
-#endif  // QUICHE_QUIC_TEST_TOOLS_QPACK_ENCODER_PEER_H_
+#endif  // QUICHE_QUIC_TEST_TOOLS_QPACK_QPACK_ENCODER_PEER_H_
diff --git a/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_encoder_test_utils.cc b/chromium/net/third_party/quiche/src/quic/test_tools/qpack/qpack_encoder_test_utils.cc
index d91d3d13d5e..dbdd3690d55 100644
--- a/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_encoder_test_utils.cc
+++ b/chromium/net/third_party/quiche/src/quic/test_tools/qpack/qpack_encoder_test_utils.cc
@@ -2,7 +2,7 @@
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
-#include "net/third_party/quiche/src/quic/core/qpack/qpack_encoder_test_utils.h"
+#include "net/third_party/quiche/src/quic/test_tools/qpack/qpack_encoder_test_utils.h"
 
 #include "net/third_party/quiche/src/spdy/core/hpack/hpack_encoder.h"
 
diff --git a/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_encoder_test_utils.h b/chromium/net/third_party/quiche/src/quic/test_tools/qpack/qpack_encoder_test_utils.h
index b1103dae6c3..5fa229256b4 100644
--- a/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_encoder_test_utils.h
+++ b/chromium/net/third_party/quiche/src/quic/test_tools/qpack/qpack_encoder_test_utils.h
@@ -2,15 +2,15 @@
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
-#ifndef QUICHE_QUIC_CORE_QPACK_QPACK_ENCODER_TEST_UTILS_H_
-#define QUICHE_QUIC_CORE_QPACK_QPACK_ENCODER_TEST_UTILS_H_
+#ifndef QUICHE_QUIC_TEST_TOOLS_QPACK_QPACK_ENCODER_TEST_UTILS_H_
+#define QUICHE_QUIC_TEST_TOOLS_QPACK_QPACK_ENCODER_TEST_UTILS_H_
 
 #include <string>
 
 #include "net/third_party/quiche/src/quic/core/qpack/qpack_encoder.h"
-#include "net/third_party/quiche/src/quic/core/qpack/qpack_test_utils.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_string_piece.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_test.h"
+#include "net/third_party/quiche/src/quic/test_tools/qpack/qpack_test_utils.h"
 #include "net/third_party/quiche/src/spdy/core/spdy_header_block.h"
 
 namespace quic {
@@ -37,4 +37,4 @@ class MockDecoderStreamErrorDelegate
 }  // namespace test
 }  // namespace quic
 
-#endif  // QUICHE_QUIC_CORE_QPACK_QPACK_ENCODER_TEST_UTILS_H_
+#endif  // QUICHE_QUIC_TEST_TOOLS_QPACK_QPACK_ENCODER_TEST_UTILS_H_
diff --git a/chromium/net/third_party/quiche/src/quic/test_tools/qpack_header_table_peer.cc b/chromium/net/third_party/quiche/src/quic/test_tools/qpack/qpack_header_table_peer.cc
index bb18731dae7..c554a97d1ce 100644
--- a/chromium/net/third_party/quiche/src/quic/test_tools/qpack_header_table_peer.cc
+++ b/chromium/net/third_party/quiche/src/quic/test_tools/qpack/qpack_header_table_peer.cc
@@ -2,7 +2,7 @@
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
-#include "net/third_party/quiche/src/quic/test_tools/qpack_header_table_peer.h"
+#include "net/third_party/quiche/src/quic/test_tools/qpack/qpack_header_table_peer.h"
 
 #include "net/third_party/quiche/src/quic/core/qpack/qpack_header_table.h"
 
diff --git a/chromium/net/third_party/quiche/src/quic/test_tools/qpack_header_table_peer.h b/chromium/net/third_party/quiche/src/quic/test_tools/qpack/qpack_header_table_peer.h
index cbf3f448a28..19e8d0d64e3 100644
--- a/chromium/net/third_party/quiche/src/quic/test_tools/qpack_header_table_peer.h
+++ b/chromium/net/third_party/quiche/src/quic/test_tools/qpack/qpack_header_table_peer.h
@@ -2,8 +2,8 @@
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
-#ifndef QUICHE_QUIC_TEST_TOOLS_QPACK_HEADER_TABLE_PEER_H_
-#define QUICHE_QUIC_TEST_TOOLS_QPACK_HEADER_TABLE_PEER_H_
+#ifndef QUICHE_QUIC_TEST_TOOLS_QPACK_QPACK_HEADER_TABLE_PEER_H_
+#define QUICHE_QUIC_TEST_TOOLS_QPACK_QPACK_HEADER_TABLE_PEER_H_
 
 #include <cstdint>
 
@@ -26,4 +26,4 @@ class QpackHeaderTablePeer {
 
 }  // namespace quic
 
-#endif  // QUICHE_QUIC_TEST_TOOLS_QPACK_HEADER_TABLE_PEER_H_
+#endif  // QUICHE_QUIC_TEST_TOOLS_QPACK_QPACK_HEADER_TABLE_PEER_H_
diff --git a/chromium/net/third_party/quiche/src/quic/core/qpack/offline/qpack_offline_decoder.cc b/chromium/net/third_party/quiche/src/quic/test_tools/qpack/qpack_offline_decoder.cc
index 379cb6ad835..a5a74aa4cb0 100644
--- a/chromium/net/third_party/quiche/src/quic/core/qpack/offline/qpack_offline_decoder.cc
+++ b/chromium/net/third_party/quiche/src/quic/test_tools/qpack/qpack_offline_decoder.cc
@@ -2,18 +2,40 @@
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
-#include "net/third_party/quiche/src/quic/core/qpack/offline/qpack_offline_decoder.h"
+// Decoder to test QPACK Offline Interop corpus
+//
+// See https://github.com/quicwg/base-drafts/wiki/QPACK-Offline-Interop for
+// description of test data format.
+//
+// Example usage
+//
+//  cd $TEST_DATA
+//  git clone https://github.com/qpackers/qifs.git
+//  TEST_ENCODED_DATA=$TEST_DATA/qifs/encoded/qpack-06
+//  TEST_QIF_DATA=$TEST_DATA/qifs/qifs
+//  $BIN/qpack_offline_decoder \
+//      $TEST_ENCODED_DATA/f5/fb-req.qifencoded.4096.100.0 \
+//      $TEST_QIF_DATA/fb-req.qif
+//      $TEST_ENCODED_DATA/h2o/fb-req-hq.out.512.0.1 \
+//      $TEST_QIF_DATA/fb-req-hq.qif
+//      $TEST_ENCODED_DATA/ls-qpack/fb-resp-hq.out.0.0.0 \
+//      $TEST_QIF_DATA/fb-resp-hq.qif
+//      $TEST_ENCODED_DATA/proxygen/netbsd.qif.proxygen.out.4096.0.0 \
+//      $TEST_QIF_DATA/netbsd.qif
+//
+
+#include "net/third_party/quiche/src/quic/test_tools/qpack/qpack_offline_decoder.h"
 
 #include <cstdint>
 #include <string>
 #include <utility>
 
-#include "net/third_party/quiche/src/quic/core/qpack/qpack_test_utils.h"
 #include "net/third_party/quiche/src/quic/core/quic_types.h"
-#include "net/third_party/quiche/src/quic/platform/api/quic_endian.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_file_utils.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_logging.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_text_utils.h"
+#include "net/third_party/quiche/src/quic/test_tools/qpack/qpack_test_utils.h"
+#include "net/third_party/quiche/src/common/platform/api/quiche_endian.h"
 
 namespace quic {
 
@@ -120,11 +142,11 @@ bool QpackOfflineDecoder::DecodeHeaderBlocksFromFile(
       return false;
     }
 
-    uint64_t stream_id = QuicEndian::NetToHost64(
+    uint64_t stream_id = quiche::QuicheEndian::NetToHost64(
         *reinterpret_cast<const uint64_t*>(input_data.data()));
     input_data = input_data.substr(sizeof(uint64_t));
 
-    uint32_t length = QuicEndian::NetToHost32(
+    uint32_t length = quiche::QuicheEndian::NetToHost32(
         *reinterpret_cast<const uint32_t*>(input_data.data()));
     input_data = input_data.substr(sizeof(uint32_t));
 
diff --git a/chromium/net/third_party/quiche/src/quic/core/qpack/offline/qpack_offline_decoder.h b/chromium/net/third_party/quiche/src/quic/test_tools/qpack/qpack_offline_decoder.h
index c12c49181fa..cb7dedd3aaf 100644
--- a/chromium/net/third_party/quiche/src/quic/core/qpack/offline/qpack_offline_decoder.h
+++ b/chromium/net/third_party/quiche/src/quic/test_tools/qpack/qpack_offline_decoder.h
@@ -2,15 +2,15 @@
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
-#ifndef QUICHE_QUIC_CORE_QPACK_OFFLINE_QPACK_OFFLINE_DECODER_H_
-#define QUICHE_QUIC_CORE_QPACK_OFFLINE_QPACK_OFFLINE_DECODER_H_
+#ifndef QUICHE_QUIC_TEST_TOOLS_QPACK_QPACK_OFFLINE_DECODER_H_
+#define QUICHE_QUIC_TEST_TOOLS_QPACK_QPACK_OFFLINE_DECODER_H_
 
 #include <list>
 
 #include "net/third_party/quiche/src/quic/core/qpack/qpack_decoder.h"
-#include "net/third_party/quiche/src/quic/core/qpack/qpack_decoder_test_utils.h"
-#include "net/third_party/quiche/src/quic/core/qpack/qpack_utils.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_string_piece.h"
+#include "net/third_party/quiche/src/quic/test_tools/qpack/qpack_decoder_test_utils.h"
+#include "net/third_party/quiche/src/quic/test_tools/qpack/qpack_test_utils.h"
 #include "net/third_party/quiche/src/spdy/core/spdy_header_block.h"
 
 namespace quic {
@@ -71,7 +71,7 @@ class QpackOfflineDecoder : public QpackDecoder::EncoderStreamErrorDelegate {
                            spdy::SpdyHeaderBlock expected_header_list);
 
   bool encoder_stream_error_detected_;
-  NoopQpackStreamSenderDelegate decoder_stream_sender_delegate_;
+  test::NoopQpackStreamSenderDelegate decoder_stream_sender_delegate_;
   std::unique_ptr<QpackDecoder> qpack_decoder_;
 
   // Objects necessary for decoding, one list element for each header block.
@@ -83,4 +83,4 @@ class QpackOfflineDecoder : public QpackDecoder::EncoderStreamErrorDelegate {
 
 }  // namespace quic
 
-#endif  // QUICHE_QUIC_CORE_QPACK_OFFLINE_QPACK_OFFLINE_DECODER_H_
+#endif  // QUICHE_QUIC_TEST_TOOLS_QPACK_QPACK_OFFLINE_DECODER_H_
diff --git a/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_test_utils.cc b/chromium/net/third_party/quiche/src/quic/test_tools/qpack/qpack_test_utils.cc
index 2d4a72e71b0..faaddcb2187 100644
--- a/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_test_utils.cc
+++ b/chromium/net/third_party/quiche/src/quic/test_tools/qpack/qpack_test_utils.cc
@@ -2,7 +2,7 @@
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
-#include "net/third_party/quiche/src/quic/core/qpack/qpack_test_utils.h"
+#include "net/third_party/quiche/src/quic/test_tools/qpack/qpack_test_utils.h"
 
 #include <limits>
 
diff --git a/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_test_utils.h b/chromium/net/third_party/quiche/src/quic/test_tools/qpack/qpack_test_utils.h
index 42fa383a3ea..08cab4e0b2c 100644
--- a/chromium/net/third_party/quiche/src/quic/core/qpack/qpack_test_utils.h
+++ b/chromium/net/third_party/quiche/src/quic/test_tools/qpack/qpack_test_utils.h
@@ -2,8 +2,8 @@
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
-#ifndef QUICHE_QUIC_CORE_QPACK_QPACK_TEST_UTILS_H_
-#define QUICHE_QUIC_CORE_QPACK_QPACK_TEST_UTILS_H_
+#ifndef QUICHE_QUIC_TEST_TOOLS_QPACK_QPACK_TEST_UTILS_H_
+#define QUICHE_QUIC_TEST_TOOLS_QPACK_QPACK_TEST_UTILS_H_
 
 #include <cstddef>
 #include <functional>
@@ -34,7 +34,14 @@ class MockQpackStreamSenderDelegate : public QpackStreamSenderDelegate {
   MOCK_METHOD1(WriteStreamData, void(QuicStringPiece data));
 };
 
+class NoopQpackStreamSenderDelegate : public QpackStreamSenderDelegate {
+ public:
+  ~NoopQpackStreamSenderDelegate() override = default;
+
+  void WriteStreamData(QuicStringPiece /*data*/) override {}
+};
+
 }  // namespace test
 }  // namespace quic
 
-#endif  // QUICHE_QUIC_CORE_QPACK_QPACK_TEST_UTILS_H_
+#endif  // QUICHE_QUIC_TEST_TOOLS_QPACK_QPACK_TEST_UTILS_H_
diff --git a/chromium/net/third_party/quiche/src/quic/test_tools/quic_connection_peer.cc b/chromium/net/third_party/quiche/src/quic/test_tools/quic_connection_peer.cc
index 02775caf901..7b9264c31b8 100644
--- a/chromium/net/third_party/quiche/src/quic/test_tools/quic_connection_peer.cc
+++ b/chromium/net/third_party/quiche/src/quic/test_tools/quic_connection_peer.cc
@@ -9,7 +9,6 @@
 #include "net/third_party/quiche/src/quic/core/quic_received_packet_manager.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_flags.h"
 #include "net/third_party/quiche/src/quic/test_tools/quic_framer_peer.h"
-#include "net/third_party/quiche/src/quic/test_tools/quic_packet_generator_peer.h"
 #include "net/third_party/quiche/src/quic/test_tools/quic_sent_packet_manager_peer.h"
 
 namespace quic {
@@ -37,22 +36,9 @@ void QuicConnectionPeer::PopulateStopWaitingFrame(
 }
 
 // static
-QuicConnectionVisitorInterface* QuicConnectionPeer::GetVisitor(
-    QuicConnection* connection) {
-  return connection->visitor_;
-}
-
-// static
 QuicPacketCreator* QuicConnectionPeer::GetPacketCreator(
     QuicConnection* connection) {
-  return QuicPacketGeneratorPeer::GetPacketCreator(
-      &connection->packet_generator_);
-}
-
-// static
-QuicPacketGenerator* QuicConnectionPeer::GetPacketGenerator(
-    QuicConnection* connection) {
-  return &connection->packet_generator_;
+  return &connection->packet_creator_;
 }
 
 // static
@@ -226,22 +212,7 @@ QuicConnectionStats* QuicConnectionPeer::GetStats(QuicConnection* connection) {
 // static
 QuicPacketCount QuicConnectionPeer::GetPacketsBetweenMtuProbes(
     QuicConnection* connection) {
-  if (connection->mtu_discovery_v2_) {
-    return connection->mtu_discoverer_.packets_between_probes();
-  }
-  return connection->packets_between_mtu_probes_;
-}
-
-// static
-void QuicConnectionPeer::SetPacketsBetweenMtuProbes(QuicConnection* connection,
-                                                    QuicPacketCount packets) {
-  connection->packets_between_mtu_probes_ = packets;
-}
-
-// static
-void QuicConnectionPeer::SetNextMtuProbeAt(QuicConnection* connection,
-                                           QuicPacketNumber number) {
-  connection->next_mtu_probe_at_ = number;
+  return connection->mtu_discoverer_.packets_between_probes();
 }
 
 // static
@@ -308,15 +279,13 @@ void QuicConnectionPeer::SetMaxTrackedPackets(
 }
 
 // static
-void QuicConnectionPeer::SetSessionDecidesWhatToWrite(
-    QuicConnection* connection) {
-  connection->sent_packet_manager_.SetSessionDecideWhatToWrite(true);
-  connection->packet_generator_.SetCanSetTransmissionType(true);
-}
-
-// static
 void QuicConnectionPeer::SetNegotiatedVersion(QuicConnection* connection) {
   connection->version_negotiated_ = true;
+  if (connection->perspective() == Perspective::IS_SERVER &&
+      !QuicFramerPeer::infer_packet_header_type_from_version(
+          &connection->framer_)) {
+    connection->framer_.InferPacketHeaderTypeFromVersion();
+  }
 }
 
 // static
@@ -364,5 +333,18 @@ void QuicConnectionPeer::SendConnectionClosePacket(QuicConnection* connection,
   connection->SendConnectionClosePacket(error, details);
 }
 
+// static
+size_t QuicConnectionPeer::GetNumEncryptionLevels(QuicConnection* connection) {
+  size_t count = 0;
+  for (EncryptionLevel level :
+       {ENCRYPTION_INITIAL, ENCRYPTION_HANDSHAKE, ENCRYPTION_ZERO_RTT,
+        ENCRYPTION_FORWARD_SECURE}) {
+    if (connection->framer_.HasEncrypterOfEncryptionLevel(level)) {
+      ++count;
+    }
+  }
+  return count;
+}
+
 }  // namespace test
 }  // namespace quic
diff --git a/chromium/net/third_party/quiche/src/quic/test_tools/quic_connection_peer.h b/chromium/net/third_party/quiche/src/quic/test_tools/quic_connection_peer.h
index c5c972f9cc0..b7140ded5ed 100644
--- a/chromium/net/third_party/quiche/src/quic/test_tools/quic_connection_peer.h
+++ b/chromium/net/third_party/quiche/src/quic/test_tools/quic_connection_peer.h
@@ -20,7 +20,6 @@ class QuicConnectionVisitorInterface;
 class QuicEncryptedPacket;
 class QuicFramer;
 class QuicPacketCreator;
-class QuicPacketGenerator;
 class QuicPacketWriter;
 class QuicSentPacketManager;
 class SendAlgorithmInterface;
@@ -41,12 +40,8 @@ class QuicConnectionPeer {
   static void PopulateStopWaitingFrame(QuicConnection* connection,
                                        QuicStopWaitingFrame* stop_waiting);
 
-  static QuicConnectionVisitorInterface* GetVisitor(QuicConnection* connection);
-
   static QuicPacketCreator* GetPacketCreator(QuicConnection* connection);
 
-  static QuicPacketGenerator* GetPacketGenerator(QuicConnection* connection);
-
   static QuicSentPacketManager* GetSentPacketManager(
       QuicConnection* connection);
 
@@ -107,10 +102,6 @@ class QuicConnectionPeer {
 
   static QuicPacketCount GetPacketsBetweenMtuProbes(QuicConnection* connection);
 
-  static void SetPacketsBetweenMtuProbes(QuicConnection* connection,
-                                         QuicPacketCount packets);
-  static void SetNextMtuProbeAt(QuicConnection* connection,
-                                QuicPacketNumber number);
   static void ReInitializeMtuDiscoverer(
       QuicConnection* connection,
       QuicPacketCount packets_between_probes_base,
@@ -127,7 +118,6 @@ class QuicConnectionPeer {
                                      bool no_stop_waiting_frames);
   static void SetMaxTrackedPackets(QuicConnection* connection,
                                    QuicPacketCount max_tracked_packets);
-  static void SetSessionDecidesWhatToWrite(QuicConnection* connection);
   static void SetNegotiatedVersion(QuicConnection* connection);
   static void SetMaxConsecutiveNumPacketsWithNoRetransmittableFrames(
       QuicConnection* connection,
@@ -143,6 +133,8 @@ class QuicConnectionPeer {
   static void SendConnectionClosePacket(QuicConnection* connection,
                                         QuicErrorCode error,
                                         const std::string& details);
+
+  static size_t GetNumEncryptionLevels(QuicConnection* connection);
 };
 
 }  // namespace test
diff --git a/chromium/net/third_party/quiche/src/quic/test_tools/quic_dispatcher_peer.cc b/chromium/net/third_party/quiche/src/quic/test_tools/quic_dispatcher_peer.cc
index 2590834891c..b460165d906 100644
--- a/chromium/net/third_party/quiche/src/quic/test_tools/quic_dispatcher_peer.cc
+++ b/chromium/net/third_party/quiche/src/quic/test_tools/quic_dispatcher_peer.cc
@@ -11,6 +11,12 @@ namespace quic {
 namespace test {
 
 // static
+QuicTimeWaitListManager* QuicDispatcherPeer::GetTimeWaitListManager(
+    QuicDispatcher* dispatcher) {
+  return dispatcher->time_wait_list_manager_.get();
+}
+
+// static
 void QuicDispatcherPeer::SetTimeWaitListManager(
     QuicDispatcher* dispatcher,
     QuicTimeWaitListManager* time_wait_list_manager) {
@@ -77,8 +83,7 @@ const QuicDispatcher::SessionMap& QuicDispatcherPeer::session_map(
 void QuicDispatcherPeer::set_new_sessions_allowed_per_event_loop(
     QuicDispatcher* dispatcher,
     size_t num_session_allowed) {
-  return dispatcher->set_new_sessions_allowed_per_event_loop(
-      num_session_allowed);
+  dispatcher->new_sessions_allowed_per_event_loop_ = num_session_allowed;
 }
 
 // static
diff --git a/chromium/net/third_party/quiche/src/quic/test_tools/quic_dispatcher_peer.h b/chromium/net/third_party/quiche/src/quic/test_tools/quic_dispatcher_peer.h
index a888b4e0967..7cb4c92c5a9 100644
--- a/chromium/net/third_party/quiche/src/quic/test_tools/quic_dispatcher_peer.h
+++ b/chromium/net/third_party/quiche/src/quic/test_tools/quic_dispatcher_peer.h
@@ -17,6 +17,9 @@ class QuicDispatcherPeer {
  public:
   QuicDispatcherPeer() = delete;
 
+  static QuicTimeWaitListManager* GetTimeWaitListManager(
+      QuicDispatcher* dispatcher);
+
   static void SetTimeWaitListManager(
       QuicDispatcher* dispatcher,
       QuicTimeWaitListManager* time_wait_list_manager);
diff --git a/chromium/net/third_party/quiche/src/quic/test_tools/quic_framer_peer.h b/chromium/net/third_party/quiche/src/quic/test_tools/quic_framer_peer.h
index 661def5493a..d462555a104 100644
--- a/chromium/net/third_party/quiche/src/quic/test_tools/quic_framer_peer.h
+++ b/chromium/net/third_party/quiche/src/quic/test_tools/quic_framer_peer.h
@@ -187,6 +187,10 @@ class QuicFramerPeer {
       uint64_t current_received_frame_type) {
     framer->current_received_frame_type_ = current_received_frame_type;
   }
+
+  static bool infer_packet_header_type_from_version(QuicFramer* framer) {
+    return framer->infer_packet_header_type_from_version_;
+  }
 };
 
 }  // namespace test
diff --git a/chromium/net/third_party/quiche/src/quic/test_tools/quic_packet_creator_peer.cc b/chromium/net/third_party/quiche/src/quic/test_tools/quic_packet_creator_peer.cc
index d4e5598ffa0..7c8db91da7f 100644
--- a/chromium/net/third_party/quiche/src/quic/test_tools/quic_packet_creator_peer.cc
+++ b/chromium/net/third_party/quiche/src/quic/test_tools/quic_packet_creator_peer.cc
@@ -4,6 +4,7 @@
 
 #include "net/third_party/quiche/src/quic/test_tools/quic_packet_creator_peer.h"
 
+#include "net/third_party/quiche/src/quic/core/frames/quic_frame.h"
 #include "net/third_party/quiche/src/quic/core/quic_packet_creator.h"
 #include "net/third_party/quiche/src/quic/core/quic_types.h"
 
@@ -63,6 +64,11 @@ void QuicPacketCreatorPeer::SetPacketNumber(QuicPacketCreator* creator,
   creator->packet_.packet_number = QuicPacketNumber(s);
 }
 
+void QuicPacketCreatorPeer::SetPacketNumber(QuicPacketCreator* creator,
+                                            QuicPacketNumber num) {
+  creator->packet_.packet_number = num;
+}
+
 // static
 void QuicPacketCreatorPeer::ClearPacketNumber(QuicPacketCreator* creator) {
   creator->packet_.packet_number.Clear();
@@ -102,14 +108,13 @@ SerializedPacket QuicPacketCreatorPeer::SerializeAllFrames(
   DCHECK(creator->queued_frames_.empty());
   DCHECK(!frames.empty());
   for (const QuicFrame& frame : frames) {
-    bool success = creator->AddFrame(frame, false, NOT_RETRANSMISSION);
+    bool success = creator->AddFrame(frame, NOT_RETRANSMISSION);
     DCHECK(success);
   }
   creator->SerializePacket(buffer, buffer_len);
-  SerializedPacket packet = creator->packet_;
+  SerializedPacket packet = std::move(creator->packet_);
   // The caller takes ownership of the QuicEncryptedPacket.
   creator->packet_.encrypted_buffer = nullptr;
-  DCHECK(packet.retransmittable_frames.empty());
   return packet;
 }
 
diff --git a/chromium/net/third_party/quiche/src/quic/test_tools/quic_packet_creator_peer.h b/chromium/net/third_party/quiche/src/quic/test_tools/quic_packet_creator_peer.h
index e040090f6dd..88587a212b5 100644
--- a/chromium/net/third_party/quiche/src/quic/test_tools/quic_packet_creator_peer.h
+++ b/chromium/net/third_party/quiche/src/quic/test_tools/quic_packet_creator_peer.h
@@ -31,6 +31,7 @@ class QuicPacketCreatorPeer {
   static QuicVariableLengthIntegerLength GetLengthLength(
       QuicPacketCreator* creator);
   static void SetPacketNumber(QuicPacketCreator* creator, uint64_t s);
+  static void SetPacketNumber(QuicPacketCreator* creator, QuicPacketNumber num);
   static void ClearPacketNumber(QuicPacketCreator* creator);
   static void FillPacketHeader(QuicPacketCreator* creator,
                                QuicPacketHeader* header);
diff --git a/chromium/net/third_party/quiche/src/quic/test_tools/quic_packet_generator_peer.cc b/chromium/net/third_party/quiche/src/quic/test_tools/quic_packet_generator_peer.cc
deleted file mode 100644
index 91a875282c2..00000000000
--- a/chromium/net/third_party/quiche/src/quic/test_tools/quic_packet_generator_peer.cc
+++ /dev/null
@@ -1,20 +0,0 @@
-// Copyright 2014 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "net/third_party/quiche/src/quic/test_tools/quic_packet_generator_peer.h"
-
-#include "net/third_party/quiche/src/quic/core/quic_packet_creator.h"
-#include "net/third_party/quiche/src/quic/core/quic_packet_generator.h"
-
-namespace quic {
-namespace test {
-
-// static
-QuicPacketCreator* QuicPacketGeneratorPeer::GetPacketCreator(
-    QuicPacketGenerator* generator) {
-  return &generator->packet_creator_;
-}
-
-}  // namespace test
-}  // namespace quic
diff --git a/chromium/net/third_party/quiche/src/quic/test_tools/quic_packet_generator_peer.h b/chromium/net/third_party/quiche/src/quic/test_tools/quic_packet_generator_peer.h
deleted file mode 100644
index 6941b089d23..00000000000
--- a/chromium/net/third_party/quiche/src/quic/test_tools/quic_packet_generator_peer.h
+++ /dev/null
@@ -1,28 +0,0 @@
-// Copyright 2014 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef QUICHE_QUIC_TEST_TOOLS_QUIC_PACKET_GENERATOR_PEER_H_
-#define QUICHE_QUIC_TEST_TOOLS_QUIC_PACKET_GENERATOR_PEER_H_
-
-#include "net/third_party/quiche/src/quic/core/quic_packets.h"
-
-namespace quic {
-
-class QuicPacketCreator;
-class QuicPacketGenerator;
-
-namespace test {
-
-class QuicPacketGeneratorPeer {
- public:
-  QuicPacketGeneratorPeer() = delete;
-
-  static QuicPacketCreator* GetPacketCreator(QuicPacketGenerator* generator);
-};
-
-}  // namespace test
-
-}  // namespace quic
-
-#endif  // QUICHE_QUIC_TEST_TOOLS_QUIC_PACKET_GENERATOR_PEER_H_
diff --git a/chromium/net/third_party/quiche/src/quic/test_tools/quic_sent_packet_manager_peer.cc b/chromium/net/third_party/quiche/src/quic/test_tools/quic_sent_packet_manager_peer.cc
index b680f66d815..cd8297a961e 100644
--- a/chromium/net/third_party/quiche/src/quic/test_tools/quic_sent_packet_manager_peer.cc
+++ b/chromium/net/third_party/quiche/src/quic/test_tools/quic_sent_packet_manager_peer.cc
@@ -86,18 +86,9 @@ bool QuicSentPacketManagerPeer::IsRetransmission(
   if (!HasRetransmittableFrames(sent_packet_manager, packet_number)) {
     return false;
   }
-  if (sent_packet_manager->session_decides_what_to_write()) {
-    return sent_packet_manager->unacked_packets_
-               .GetTransmissionInfo(QuicPacketNumber(packet_number))
-               .transmission_type != NOT_RETRANSMISSION;
-  }
-  for (auto transmission_info : sent_packet_manager->unacked_packets_) {
-    if (transmission_info.retransmission.IsInitialized() &&
-        transmission_info.retransmission == QuicPacketNumber(packet_number)) {
-      return true;
-    }
-  }
-  return false;
+  return sent_packet_manager->unacked_packets_
+             .GetTransmissionInfo(QuicPacketNumber(packet_number))
+             .transmission_type != NOT_RETRANSMISSION;
 }
 
 // static
@@ -223,5 +214,12 @@ bool QuicSentPacketManagerPeer::AdaptiveReorderingThresholdEnabled(
       .use_adaptive_reordering_threshold();
 }
 
+// static
+bool QuicSentPacketManagerPeer::AdaptiveTimeThresholdEnabled(
+    QuicSentPacketManager* sent_packet_manager) {
+  return sent_packet_manager->uber_loss_algorithm_.general_loss_algorithms_[0]
+      .use_adaptive_time_threshold();
+}
+
 }  // namespace test
 }  // namespace quic
diff --git a/chromium/net/third_party/quiche/src/quic/test_tools/quic_sent_packet_manager_peer.h b/chromium/net/third_party/quiche/src/quic/test_tools/quic_sent_packet_manager_peer.h
index 6be8b46308f..3927189ee3f 100644
--- a/chromium/net/third_party/quiche/src/quic/test_tools/quic_sent_packet_manager_peer.h
+++ b/chromium/net/third_party/quiche/src/quic/test_tools/quic_sent_packet_manager_peer.h
@@ -98,6 +98,9 @@ class QuicSentPacketManagerPeer {
 
   static bool AdaptiveReorderingThresholdEnabled(
       QuicSentPacketManager* sent_packet_manager);
+
+  static bool AdaptiveTimeThresholdEnabled(
+      QuicSentPacketManager* sent_packet_manager);
 };
 
 }  // namespace test
diff --git a/chromium/net/third_party/quiche/src/quic/test_tools/quic_session_peer.cc b/chromium/net/third_party/quiche/src/quic/test_tools/quic_session_peer.cc
index 001f1ca2b87..f9e785d2c98 100644
--- a/chromium/net/third_party/quiche/src/quic/test_tools/quic_session_peer.cc
+++ b/chromium/net/third_party/quiche/src/quic/test_tools/quic_session_peer.cc
@@ -226,15 +226,6 @@ QuicStreamIdManager* QuicSessionPeer::v99_unidirectional_stream_id_manager(
 }
 
 // static
-void QuicSessionPeer::SendRstStreamInner(QuicSession* session,
-                                         QuicStreamId id,
-                                         QuicRstStreamErrorCode error,
-                                         QuicStreamOffset bytes_written,
-                                         bool close_write_side_only) {
-  session->SendRstStreamInner(id, error, bytes_written, close_write_side_only);
-}
-
-// static
 PendingStream* QuicSessionPeer::GetPendingStream(QuicSession* session,
                                                  QuicStreamId stream_id) {
   auto it = session->pending_stream_map_.find(stream_id);
diff --git a/chromium/net/third_party/quiche/src/quic/test_tools/quic_session_peer.h b/chromium/net/third_party/quiche/src/quic/test_tools/quic_session_peer.h
index eed3bddcf88..446cd67b176 100644
--- a/chromium/net/third_party/quiche/src/quic/test_tools/quic_session_peer.h
+++ b/chromium/net/third_party/quiche/src/quic/test_tools/quic_session_peer.h
@@ -79,11 +79,6 @@ class QuicSessionPeer {
       QuicSession* session);
   static QuicStreamIdManager* v99_unidirectional_stream_id_manager(
       QuicSession* session);
-  static void SendRstStreamInner(QuicSession* session,
-                                 QuicStreamId id,
-                                 QuicRstStreamErrorCode error,
-                                 QuicStreamOffset bytes_written,
-                                 bool close_write_side_only);
   static PendingStream* GetPendingStream(QuicSession* session,
                                          QuicStreamId stream_id);
   static void set_is_configured(QuicSession* session, bool value);
diff --git a/chromium/net/third_party/quiche/src/quic/test_tools/quic_stream_peer.cc b/chromium/net/third_party/quiche/src/quic/test_tools/quic_stream_peer.cc
index d501debb7e3..42961984527 100644
--- a/chromium/net/third_party/quiche/src/quic/test_tools/quic_stream_peer.cc
+++ b/chromium/net/third_party/quiche/src/quic/test_tools/quic_stream_peer.cc
@@ -29,7 +29,7 @@ void QuicStreamPeer::SetStreamBytesWritten(
 
 // static
 bool QuicStreamPeer::read_side_closed(QuicStream* stream) {
-  return stream->read_side_closed();
+  return stream->read_side_closed_;
 }
 
 // static
diff --git a/chromium/net/third_party/quiche/src/quic/test_tools/quic_stream_send_buffer_peer.h b/chromium/net/third_party/quiche/src/quic/test_tools/quic_stream_send_buffer_peer.h
index f61cb0049a5..3adb173b91d 100644
--- a/chromium/net/third_party/quiche/src/quic/test_tools/quic_stream_send_buffer_peer.h
+++ b/chromium/net/third_party/quiche/src/quic/test_tools/quic_stream_send_buffer_peer.h
@@ -20,6 +20,10 @@ class QuicStreamSendBufferPeer {
       QuicStreamSendBuffer* send_buffer);
 
   static QuicByteCount TotalLength(QuicStreamSendBuffer* send_buffer);
+
+  static int32_t write_index(QuicStreamSendBuffer* send_buffer) {
+    return send_buffer->write_index_;
+  }
 };
 
 }  // namespace test
diff --git a/chromium/net/third_party/quiche/src/quic/test_tools/quic_stream_sequencer_buffer_peer.cc b/chromium/net/third_party/quiche/src/quic/test_tools/quic_stream_sequencer_buffer_peer.cc
index 36d2b04ee60..b3bf224df4e 100644
--- a/chromium/net/third_party/quiche/src/quic/test_tools/quic_stream_sequencer_buffer_peer.cc
+++ b/chromium/net/third_party/quiche/src/quic/test_tools/quic_stream_sequencer_buffer_peer.cc
@@ -7,6 +7,7 @@
 #include "net/third_party/quiche/src/quic/platform/api/quic_flags.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_logging.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_test.h"
+#include "net/third_party/quiche/src/quic/test_tools/quic_test_utils.h"
 
 typedef quic::QuicStreamSequencerBuffer::BufferBlock BufferBlock;
 
@@ -28,8 +29,8 @@ size_t QuicStreamSequencerBufferPeer::Read(char* dest_buffer, size_t size) {
   dest.iov_base = dest_buffer, dest.iov_len = size;
   size_t bytes_read;
   std::string error_details;
-  EXPECT_EQ(QUIC_NO_ERROR,
-            buffer_->Readv(&dest, 1, &bytes_read, &error_details));
+  EXPECT_THAT(buffer_->Readv(&dest, 1, &bytes_read, &error_details),
+              IsQuicNoError());
   return bytes_read;
 }
 
diff --git a/chromium/net/third_party/quiche/src/quic/test_tools/quic_test_client.cc b/chromium/net/third_party/quiche/src/quic/test_tools/quic_test_client.cc
index 237d9f66d8f..ca5e95ab0f6 100644
--- a/chromium/net/third_party/quiche/src/quic/test_tools/quic_test_client.cc
+++ b/chromium/net/third_party/quiche/src/quic/test_tools/quic_test_client.cc
@@ -382,7 +382,9 @@ ssize_t QuicTestClient::SendRequestAndRstTogether(const std::string& uri) {
 
   QuicStreamId stream_id = GetNthClientInitiatedBidirectionalStreamId(
       session->transport_version(), 0);
-  session->SendRstStream(stream_id, QUIC_STREAM_CANCELLED, 0);
+  QuicStream* stream = session->GetOrCreateStream(stream_id);
+  session->SendRstStream(stream_id, QUIC_STREAM_CANCELLED,
+                         stream->stream_bytes_written());
   return ret;
 }
 
diff --git a/chromium/net/third_party/quiche/src/quic/test_tools/quic_test_server.cc b/chromium/net/third_party/quiche/src/quic/test_tools/quic_test_server.cc
index a893830102e..81b54d47260 100644
--- a/chromium/net/third_party/quiche/src/quic/test_tools/quic_test_server.cc
+++ b/chromium/net/third_party/quiche/src/quic/test_tools/quic_test_server.cc
@@ -230,12 +230,20 @@ ImmediateGoAwaySession::ImmediateGoAwaySession(
                               quic_simple_server_backend) {}
 
 void ImmediateGoAwaySession::OnStreamFrame(const QuicStreamFrame& frame) {
-  SendGoAway(QUIC_PEER_GOING_AWAY, "");
+  if (VersionUsesHttp3(transport_version())) {
+    SendHttp3GoAway();
+  } else {
+    SendGoAway(QUIC_PEER_GOING_AWAY, "");
+  }
   QuicSimpleServerSession::OnStreamFrame(frame);
 }
 
 void ImmediateGoAwaySession::OnCryptoFrame(const QuicCryptoFrame& frame) {
-  SendGoAway(QUIC_PEER_GOING_AWAY, "");
+  // In IETF QUIC, GOAWAY lives up in HTTP/3 layer. Even if it's a immediate
+  // goaway session, goaway shouldn't be sent when crypto frame is received.
+  if (!VersionUsesHttp3(transport_version())) {
+    SendGoAway(QUIC_PEER_GOING_AWAY, "");
+  }
   QuicSimpleServerSession::OnCryptoFrame(frame);
 }
 
diff --git a/chromium/net/third_party/quiche/src/quic/test_tools/quic_test_utils.cc b/chromium/net/third_party/quiche/src/quic/test_tools/quic_test_utils.cc
index ff0239213a2..4b10826660b 100644
--- a/chromium/net/third_party/quiche/src/quic/test_tools/quic_test_utils.cc
+++ b/chromium/net/third_party/quiche/src/quic/test_tools/quic_test_utils.cc
@@ -22,12 +22,12 @@
 #include "net/third_party/quiche/src/quic/core/quic_packet_creator.h"
 #include "net/third_party/quiche/src/quic/core/quic_utils.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_arraysize.h"
-#include "net/third_party/quiche/src/quic/platform/api/quic_endian.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_flags.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_logging.h"
 #include "net/third_party/quiche/src/quic/test_tools/crypto_test_utils.h"
 #include "net/third_party/quiche/src/quic/test_tools/quic_config_peer.h"
 #include "net/third_party/quiche/src/quic/test_tools/quic_connection_peer.h"
+#include "net/third_party/quiche/src/common/platform/api/quiche_endian.h"
 #include "net/third_party/quiche/src/spdy/core/spdy_frame_builder.h"
 
 using testing::_;
@@ -44,14 +44,14 @@ QuicConnectionId TestConnectionId() {
 
 QuicConnectionId TestConnectionId(uint64_t connection_number) {
   const uint64_t connection_id64_net =
-      QuicEndian::HostToNet64(connection_number);
+      quiche::QuicheEndian::HostToNet64(connection_number);
   return QuicConnectionId(reinterpret_cast<const char*>(&connection_id64_net),
                           sizeof(connection_id64_net));
 }
 
 QuicConnectionId TestConnectionIdNineBytesLong(uint64_t connection_number) {
   const uint64_t connection_number_net =
-      QuicEndian::HostToNet64(connection_number);
+      quiche::QuicheEndian::HostToNet64(connection_number);
   char connection_id_bytes[9] = {};
   static_assert(
       sizeof(connection_id_bytes) == 1 + sizeof(connection_number_net),
@@ -67,7 +67,7 @@ uint64_t TestConnectionIdToUInt64(QuicConnectionId connection_id) {
   memcpy(&connection_id64_net, connection_id.data(),
          std::min<size_t>(static_cast<size_t>(connection_id.length()),
                           sizeof(connection_id64_net)));
-  return QuicEndian::NetToHost64(connection_id64_net);
+  return quiche::QuicheEndian::NetToHost64(connection_id64_net);
 }
 
 QuicAckFrame InitAckFrame(const std::vector<QuicAckBlock>& ack_blocks) {
@@ -531,7 +531,7 @@ void PacketSavingConnection::SendOrQueuePacket(SerializedPacket* packet) {
   // Transfer ownership of the packet to the SentPacketManager and the
   // ack notifier to the AckNotifierManager.
   QuicConnectionPeer::GetSentPacketManager(this)->OnPacketSent(
-      packet, QuicPacketNumber(), clock_.ApproximateNow(), NOT_RETRANSMISSION,
+      packet, clock_.ApproximateNow(), NOT_RETRANSMISSION,
       HAS_RETRANSMITTABLE_DATA);
 }
 
@@ -576,7 +576,7 @@ QuicConsumedData MockQuicSession::ConsumeData(QuicStream* stream,
                                               StreamSendingState state) {
   if (write_length > 0) {
     auto buf = std::make_unique<char[]>(write_length);
-    QuicDataWriter writer(write_length, buf.get(), HOST_BYTE_ORDER);
+    QuicDataWriter writer(write_length, buf.get(), quiche::HOST_BYTE_ORDER);
     stream->WriteStreamData(offset, write_length, &writer);
   } else {
     DCHECK(state != NO_FIN);
@@ -652,7 +652,6 @@ TestQuicSpdyServerSession::TestQuicSpdyServerSession(
                             &helper_,
                             crypto_config,
                             compressed_certs_cache) {
-  Initialize();
   ON_CALL(helper_, CanAcceptClientHello(_, _, _, _, _))
       .WillByDefault(testing::Return(true));
 }
@@ -992,7 +991,7 @@ QuicEncryptedPacket* ConstructMisFramedEncryptedPacket(
     QuicConnectionIdIncluded destination_connection_id_included,
     QuicConnectionIdIncluded source_connection_id_included,
     QuicPacketNumberLength packet_number_length,
-    ParsedQuicVersionVector* versions,
+    ParsedQuicVersion version,
     Perspective perspective) {
   QuicPacketHeader header;
   header.destination_connection_id = destination_connection_id;
@@ -1004,7 +1003,7 @@ QuicEncryptedPacket* ConstructMisFramedEncryptedPacket(
   header.reset_flag = reset_flag;
   header.packet_number_length = packet_number_length;
   header.packet_number = QuicPacketNumber(packet_number);
-  if (QuicVersionHasLongHeaderLengths((*versions)[0].transport_version) &&
+  if (QuicVersionHasLongHeaderLengths(version.transport_version) &&
       version_flag) {
     header.retry_token_length_length = VARIABLE_LENGTH_INTEGER_LENGTH_1;
     header.length_length = VARIABLE_LENGTH_INTEGER_LENGTH_2;
@@ -1012,10 +1011,7 @@ QuicEncryptedPacket* ConstructMisFramedEncryptedPacket(
   QuicFrame frame(QuicStreamFrame(1, false, 0, QuicStringPiece(data)));
   QuicFrames frames;
   frames.push_back(frame);
-  ParsedQuicVersion version =
-      (versions != nullptr ? *versions : AllSupportedVersions())[0];
-  QuicFramer framer(versions != nullptr ? *versions : AllSupportedVersions(),
-                    QuicTime::Zero(), perspective,
+  QuicFramer framer({version}, QuicTime::Zero(), perspective,
                     kQuicDefaultConnectionIdLength);
   framer.SetInitialObfuscators(destination_connection_id);
   EncryptionLevel level =
@@ -1184,6 +1180,7 @@ void CreateServerSessionForTest(
   *server_session = new TestQuicSpdyServerSession(
       *server_connection, DefaultQuicConfig(), supported_versions,
       server_crypto_config, compressed_certs_cache);
+  (*server_session)->Initialize();
 
   // We advance the clock initially because the default time is zero and the
   // strike register worries that we've just overflowed a uint32_t time.
diff --git a/chromium/net/third_party/quiche/src/quic/test_tools/quic_test_utils.h b/chromium/net/third_party/quiche/src/quic/test_tools/quic_test_utils.h
index be6e84d7746..7919ef30299 100644
--- a/chromium/net/third_party/quiche/src/quic/test_tools/quic_test_utils.h
+++ b/chromium/net/third_party/quiche/src/quic/test_tools/quic_test_utils.h
@@ -23,6 +23,7 @@
 #include "net/third_party/quiche/src/quic/core/quic_sent_packet_manager.h"
 #include "net/third_party/quiche/src/quic/core/quic_simple_buffer_allocator.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_mem_slice_storage.h"
+#include "net/third_party/quiche/src/quic/platform/api/quic_str_cat.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_string_piece.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_test.h"
 #include "net/third_party/quiche/src/quic/test_tools/mock_clock.h"
@@ -161,7 +162,7 @@ QuicEncryptedPacket* ConstructMisFramedEncryptedPacket(
     QuicConnectionIdIncluded destination_connection_id_included,
     QuicConnectionIdIncluded source_connection_id_included,
     QuicPacketNumberLength packet_number_length,
-    ParsedQuicVersionVector* versions,
+    ParsedQuicVersion version,
     Perspective perspective);
 
 void CompareCharArraysWithHexError(const std::string& description,
@@ -412,7 +413,8 @@ class MockQuicConnectionVisitor : public QuicConnectionVisitorInterface {
   MOCK_METHOD1(OnMaxStreamsFrame, bool(const QuicMaxStreamsFrame& frame));
   MOCK_METHOD1(OnStreamsBlockedFrame,
                bool(const QuicStreamsBlockedFrame& frame));
-  MOCK_METHOD1(OnStopSendingFrame, bool(const QuicStopSendingFrame& frame));
+  MOCK_METHOD1(OnStopSendingFrame, void(const QuicStopSendingFrame& frame));
+  MOCK_METHOD1(OnPacketDecrypted, void(EncryptionLevel));
 };
 
 class MockQuicConnectionHelper : public QuicConnectionHelperInterface {
@@ -533,7 +535,8 @@ class MockQuicConnection : public QuicConnection {
 
   MOCK_METHOD2(OnStreamReset, void(QuicStreamId, QuicRstStreamErrorCode));
   MOCK_METHOD1(SendControlFrame, bool(const QuicFrame& frame));
-  MOCK_METHOD2(SendMessage, MessageStatus(QuicMessageId, QuicMemSliceSpan));
+  MOCK_METHOD3(SendMessage,
+               MessageStatus(QuicMessageId, QuicMemSliceSpan, bool));
   MOCK_METHOD3(OnConnectionClosed,
                void(QuicErrorCode error,
                     const std::string& error_details,
@@ -666,6 +669,12 @@ class MockQuicSession : public QuicSession {
                                       QuicStreamOffset offset,
                                       StreamSendingState state);
 
+  void ReallySendRstStream(QuicStreamId id,
+                           QuicRstStreamErrorCode error,
+                           QuicStreamOffset bytes_written) {
+    QuicSession::SendRstStream(id, error, bytes_written);
+  }
+
  private:
   std::unique_ptr<QuicCryptoStream> crypto_stream_;
 };
@@ -681,6 +690,7 @@ class MockQuicCryptoStream : public QuicCryptoStream {
   const QuicCryptoNegotiatedParameters& crypto_negotiated_params()
       const override;
   CryptoMessageParser* crypto_message_parser() override;
+  void OnPacketDecrypted(EncryptionLevel /*level*/) override {}
 
  private:
   QuicReferenceCountedPointer<QuicCryptoNegotiatedParameters> params_;
@@ -947,7 +957,9 @@ class MockSendAlgorithm : public SendAlgorithmInterface {
   MOCK_CONST_METHOD0(GetCongestionControlType, CongestionControlType());
   MOCK_METHOD3(AdjustNetworkParameters,
                void(QuicBandwidth, QuicTime::Delta, bool));
+  MOCK_METHOD1(AdjustNetworkParameters, void(const NetworkParams&));
   MOCK_METHOD1(OnApplicationLimited, void(QuicByteCount));
+  MOCK_CONST_METHOD1(PopulateConnectionStats, void(QuicConnectionStats*));
 };
 
 class MockLossAlgorithm : public LossDetectionInterface {
@@ -966,11 +978,6 @@ class MockLossAlgorithm : public LossDetectionInterface {
                     const AckedPacketVector& packets_acked,
                     LostPacketVector* packets_lost));
   MOCK_CONST_METHOD0(GetLossTimeout, QuicTime());
-  MOCK_METHOD4(SpuriousRetransmitDetected,
-               void(const QuicUnackedPacketMap&,
-                    QuicTime,
-                    const RttStats&,
-                    QuicPacketNumber));
   MOCK_METHOD5(SpuriousLossDetected,
                void(const QuicUnackedPacketMap&,
                     const RttStats&,
@@ -1014,11 +1021,8 @@ class MockQuicConnectionDebugVisitor : public QuicConnectionDebugVisitor {
 
   MOCK_METHOD1(OnFrameAddedToPacket, void(const QuicFrame&));
 
-  MOCK_METHOD4(OnPacketSent,
-               void(const SerializedPacket&,
-                    QuicPacketNumber,
-                    TransmissionType,
-                    QuicTime));
+  MOCK_METHOD3(OnPacketSent,
+               void(const SerializedPacket&, TransmissionType, QuicTime));
 
   MOCK_METHOD0(OnPingSent, void());
 
@@ -1195,8 +1199,6 @@ void ExpectApproxEq(T expected, T actual, float relative_margin) {
 template <typename T>
 QuicHeaderList AsHeaderList(const T& container) {
   QuicHeaderList l;
-  // No need to enforce header list size limits again in this handler.
-  l.set_max_header_list_size(UINT_MAX);
   l.OnHeaderBlockStart();
   size_t total_size = 0;
   for (auto p : container) {
@@ -1254,6 +1256,46 @@ MATCHER_P2(InRange, min, max, "") {
   return arg >= min && arg <= max;
 }
 
+// A GMock matcher that prints expected and actual QuicErrorCode strings
+// upon failure.  Example usage:
+// EXPECT_THAT(stream_->connection_error()), IsError(QUIC_INTERNAL_ERROR));
+MATCHER_P(IsError,
+          expected,
+          QuicStrCat(negation ? "isn't equal to " : "is equal to ",
+                     QuicErrorCodeToString(expected))) {
+  *result_listener << QuicErrorCodeToString(arg);
+  return arg == expected;
+}
+
+// Shorthand for IsError(QUIC_NO_ERROR).
+// Example usage: EXPECT_THAT(stream_->connection_error(), IsQuicNoError());
+MATCHER(IsQuicNoError,
+        QuicStrCat(negation ? "isn't equal to " : "is equal to ",
+                   QuicErrorCodeToString(QUIC_NO_ERROR))) {
+  *result_listener << QuicErrorCodeToString(arg);
+  return arg == QUIC_NO_ERROR;
+}
+
+// A GMock matcher that prints expected and actual QuicRstStreamErrorCode
+// strings upon failure.  Example usage:
+// EXPECT_THAT(stream_->stream_error(), IsStreamError(QUIC_INTERNAL_ERROR));
+MATCHER_P(IsStreamError,
+          expected,
+          QuicStrCat(negation ? "isn't equal to " : "is equal to ",
+                     QuicRstStreamErrorCodeToString(expected))) {
+  *result_listener << QuicRstStreamErrorCodeToString(arg);
+  return arg == expected;
+}
+
+// Shorthand for IsStreamError(QUIC_STREAM_NO_ERROR).  Example usage:
+// EXPECT_THAT(stream_->stream_error(), IsQuicStreamNoError());
+MATCHER(IsQuicStreamNoError,
+        QuicStrCat(negation ? "isn't equal to " : "is equal to ",
+                   QuicRstStreamErrorCodeToString(QUIC_STREAM_NO_ERROR))) {
+  *result_listener << QuicRstStreamErrorCodeToString(arg);
+  return arg == QUIC_STREAM_NO_ERROR;
+}
+
 }  // namespace test
 }  // namespace quic
 
diff --git a/chromium/net/third_party/quiche/src/quic/test_tools/quic_transport_test_tools.h b/chromium/net/third_party/quiche/src/quic/test_tools/quic_transport_test_tools.h
new file mode 100644
index 00000000000..c6a8b46496e
--- /dev/null
+++ b/chromium/net/third_party/quiche/src/quic/test_tools/quic_transport_test_tools.h
@@ -0,0 +1,36 @@
+// Copyright (c) 2019 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef QUICHE_QUIC_TEST_TOOLS_QUIC_TRANSPORT_TEST_TOOLS_H_
+#define QUICHE_QUIC_TEST_TOOLS_QUIC_TRANSPORT_TEST_TOOLS_H_
+
+#include "net/third_party/quiche/src/quic/platform/api/quic_test.h"
+#include "net/third_party/quiche/src/quic/quic_transport/quic_transport_client_session.h"
+#include "net/third_party/quiche/src/quic/quic_transport/quic_transport_server_session.h"
+
+namespace quic {
+namespace test {
+
+class MockClientVisitor : public QuicTransportClientSession::ClientVisitor {
+ public:
+  MOCK_METHOD0(OnIncomingBidirectionalStreamAvailable, void());
+  MOCK_METHOD0(OnIncomingUnidirectionalStreamAvailable, void());
+};
+
+class MockServerVisitor : public QuicTransportServerSession::ServerVisitor {
+ public:
+  MOCK_METHOD1(CheckOrigin, bool(url::Origin));
+};
+
+class MockStreamVisitor : public QuicTransportStream::Visitor {
+ public:
+  MOCK_METHOD0(OnCanRead, void());
+  MOCK_METHOD0(OnFinRead, void());
+  MOCK_METHOD0(OnCanWrite, void());
+};
+
+}  // namespace test
+}  // namespace quic
+
+#endif  // QUICHE_QUIC_TEST_TOOLS_QUIC_TRANSPORT_TEST_TOOLS_H_
diff --git a/chromium/net/third_party/quiche/src/quic/test_tools/simple_quic_framer.cc b/chromium/net/third_party/quiche/src/quic/test_tools/simple_quic_framer.cc
index be03aa1c869..588f3b66d43 100644
--- a/chromium/net/third_party/quiche/src/quic/test_tools/simple_quic_framer.cc
+++ b/chromium/net/third_party/quiche/src/quic/test_tools/simple_quic_framer.cc
@@ -59,7 +59,9 @@ class SimpleFramerVisitor : public QuicFramerVisitorInterface {
     return true;
   }
 
-  void OnCoalescedPacket(const QuicEncryptedPacket& /*packet*/) override {}
+  void OnCoalescedPacket(const QuicEncryptedPacket& packet) override {
+    coalesced_packet_ = packet.Clone();
+  }
 
   void OnUndecryptablePacket(const QuicEncryptedPacket& /*packet*/,
                              EncryptionLevel /*decryption_level*/,
@@ -253,6 +255,9 @@ class SimpleFramerVisitor : public QuicFramerVisitorInterface {
     return version_negotiation_packet_.get();
   }
   EncryptionLevel last_decrypted_level() const { return last_decrypted_level_; }
+  const QuicEncryptedPacket* coalesced_packet() const {
+    return coalesced_packet_.get();
+  }
 
  private:
   QuicErrorCode error_;
@@ -284,6 +289,7 @@ class SimpleFramerVisitor : public QuicFramerVisitorInterface {
   std::vector<std::unique_ptr<std::string>> stream_data_;
   std::vector<std::unique_ptr<std::string>> crypto_data_;
   EncryptionLevel last_decrypted_level_;
+  std::unique_ptr<QuicEncryptedPacket> coalesced_packet_;
 };
 
 SimpleQuicFramer::SimpleQuicFramer()
@@ -404,5 +410,9 @@ const std::vector<QuicPaddingFrame>& SimpleQuicFramer::padding_frames() const {
   return visitor_->padding_frames();
 }
 
+const QuicEncryptedPacket* SimpleQuicFramer::coalesced_packet() const {
+  return visitor_->coalesced_packet();
+}
+
 }  // namespace test
 }  // namespace quic
diff --git a/chromium/net/third_party/quiche/src/quic/test_tools/simple_quic_framer.h b/chromium/net/third_party/quiche/src/quic/test_tools/simple_quic_framer.h
index a254ce523e9..3e063d07334 100644
--- a/chromium/net/third_party/quiche/src/quic/test_tools/simple_quic_framer.h
+++ b/chromium/net/third_party/quiche/src/quic/test_tools/simple_quic_framer.h
@@ -50,6 +50,7 @@ class SimpleQuicFramer {
   const std::vector<QuicPaddingFrame>& padding_frames() const;
   const QuicVersionNegotiationPacket* version_negotiation_packet() const;
   EncryptionLevel last_decrypted_level() const;
+  const QuicEncryptedPacket* coalesced_packet() const;
 
   QuicFramer* framer();
 
diff --git a/chromium/net/third_party/quiche/src/quic/test_tools/simple_session_cache.cc b/chromium/net/third_party/quiche/src/quic/test_tools/simple_session_cache.cc
new file mode 100644
index 00000000000..7787fbeb059
--- /dev/null
+++ b/chromium/net/third_party/quiche/src/quic/test_tools/simple_session_cache.cc
@@ -0,0 +1,28 @@
+// Copyright (c) 2019 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "net/third_party/quiche/src/quic/test_tools/simple_session_cache.h"
+
+namespace quic {
+namespace test {
+
+void SimpleSessionCache::Insert(const QuicServerId& server_id,
+                                std::unique_ptr<QuicResumptionState> state) {
+  cache_entries_.insert(std::make_pair(server_id, std::move(state)));
+}
+
+std::unique_ptr<QuicResumptionState> SimpleSessionCache::Lookup(
+    const QuicServerId& server_id,
+    const SSL_CTX* /*ctx*/) {
+  auto it = cache_entries_.find(server_id);
+  if (it == cache_entries_.end()) {
+    return nullptr;
+  }
+  std::unique_ptr<QuicResumptionState> state = std::move(it->second);
+  cache_entries_.erase(it);
+  return state;
+}
+
+}  // namespace test
+}  // namespace quic
diff --git a/chromium/net/third_party/quiche/src/quic/test_tools/simple_session_cache.h b/chromium/net/third_party/quiche/src/quic/test_tools/simple_session_cache.h
new file mode 100644
index 00000000000..40a6946dfde
--- /dev/null
+++ b/chromium/net/third_party/quiche/src/quic/test_tools/simple_session_cache.h
@@ -0,0 +1,35 @@
+// Copyright (c) 2019 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef QUICHE_QUIC_TEST_TOOLS_SIMPLE_SESSION_CACHE_H_
+#define QUICHE_QUIC_TEST_TOOLS_SIMPLE_SESSION_CACHE_H_
+
+#include "net/third_party/quiche/src/quic/core/crypto/quic_crypto_client_config.h"
+
+namespace quic {
+namespace test {
+
+// SimpleSessionCache provides a simple implementation of SessionCache that
+// stores only one QuicResumptionState per QuicServerId. No limit is placed on
+// the total number of entries in the cache. When Lookup is called, if a cache
+// entry exists for the provided QuicServerId, the entry will be removed from
+// the cached when it is returned.
+class SimpleSessionCache : public SessionCache {
+ public:
+  SimpleSessionCache() = default;
+  ~SimpleSessionCache() override = default;
+
+  void Insert(const QuicServerId& server_id,
+              std::unique_ptr<QuicResumptionState> state) override;
+  std::unique_ptr<QuicResumptionState> Lookup(const QuicServerId& server_id,
+                                              const SSL_CTX* ctx) override;
+
+ private:
+  std::map<QuicServerId, std::unique_ptr<QuicResumptionState>> cache_entries_;
+};
+
+}  // namespace test
+}  // namespace quic
+
+#endif  // QUICHE_QUIC_TEST_TOOLS_SIMPLE_SESSION_CACHE_H_
diff --git a/chromium/net/third_party/quiche/src/quic/test_tools/simple_session_notifier.cc b/chromium/net/third_party/quiche/src/quic/test_tools/simple_session_notifier.cc
index 72a23d73178..9e67c899f51 100644
--- a/chromium/net/third_party/quiche/src/quic/test_tools/simple_session_notifier.cc
+++ b/chromium/net/third_party/quiche/src/quic/test_tools/simple_session_notifier.cc
@@ -46,7 +46,6 @@ QuicConsumedData SimpleSessionNotifier::WriteOrBufferData(
   StreamState& stream_state = stream_map_.find(id)->second;
   const bool had_buffered_data =
       HasBufferedStreamData() || HasBufferedControlFrames();
-  QuicConsumedData total_consumed(0, false);
   QuicStreamOffset offset = stream_state.bytes_sent;
   QUIC_DVLOG(1) << "WriteOrBuffer stream_id: " << id << " [" << offset << ", "
                 << offset + data_length << "), fin: " << (state != NO_FIN);
@@ -127,8 +126,13 @@ void SimpleSessionNotifier::WriteOrBufferPing() {
 }
 
 void SimpleSessionNotifier::NeuterUnencryptedData() {
-  // TODO(nharper): Handle CRYPTO frame case.
   if (QuicVersionUsesCryptoFrames(connection_->transport_version())) {
+    for (const auto& interval : crypto_bytes_transferred_[ENCRYPTION_INITIAL]) {
+      QuicCryptoFrame crypto_frame(ENCRYPTION_INITIAL, interval.min(),
+                                   interval.max() - interval.min());
+      OnFrameAcked(QuicFrame(&crypto_frame), QuicTime::Delta::Zero(),
+                   QuicTime::Zero());
+    }
     return;
   }
   for (const auto& interval : crypto_bytes_transferred_[ENCRYPTION_INITIAL]) {
diff --git a/chromium/net/third_party/quiche/src/quic/test_tools/simple_session_notifier_test.cc b/chromium/net/third_party/quiche/src/quic/test_tools/simple_session_notifier_test.cc
index 93f11aa387d..4dc48a7c1d5 100644
--- a/chromium/net/third_party/quiche/src/quic/test_tools/simple_session_notifier_test.cc
+++ b/chromium/net/third_party/quiche/src/quic/test_tools/simple_session_notifier_test.cc
@@ -42,7 +42,7 @@ class SimpleSessionNotifierTest : public QuicTest {
       : connection_(&helper_, &alarm_factory_, Perspective::IS_CLIENT),
         notifier_(&connection_) {
     connection_.set_visitor(&visitor_);
-    QuicConnectionPeer::SetSessionDecidesWhatToWrite(&connection_);
+    connection_.SetSessionNotifier(&notifier_);
     EXPECT_FALSE(notifier_.WillingToWrite());
     EXPECT_EQ(0u, notifier_.StreamBytesSent());
     EXPECT_FALSE(notifier_.HasBufferedStreamData());
@@ -135,6 +135,8 @@ TEST_F(SimpleSessionNotifierTest, WriteOrBufferPing) {
 
 TEST_F(SimpleSessionNotifierTest, NeuterUnencryptedData) {
   if (QuicVersionUsesCryptoFrames(connection_.transport_version())) {
+    // This test writes crypto data through crypto streams. It won't work when
+    // crypto frames are used instead.
     return;
   }
   InSequence s;
@@ -175,6 +177,8 @@ TEST_F(SimpleSessionNotifierTest, NeuterUnencryptedData) {
 
 TEST_F(SimpleSessionNotifierTest, OnCanWrite) {
   if (QuicVersionUsesCryptoFrames(connection_.transport_version())) {
+    // This test writes crypto data through crypto streams. It won't work when
+    // crypto frames are used instead.
     return;
   }
   InSequence s;
diff --git a/chromium/net/third_party/quiche/src/quic/test_tools/simulator/quic_endpoint.cc b/chromium/net/third_party/quiche/src/quic/test_tools/simulator/quic_endpoint.cc
index bd01c43d252..9f504359dbf 100644
--- a/chromium/net/third_party/quiche/src/quic/test_tools/simulator/quic_endpoint.cc
+++ b/chromium/net/third_party/quiche/src/quic/test_tools/simulator/quic_endpoint.cc
@@ -4,6 +4,7 @@
 
 #include "net/third_party/quiche/src/quic/test_tools/simulator/quic_endpoint.h"
 
+#include <memory>
 #include <utility>
 
 #include "net/third_party/quiche/src/quic/core/crypto/crypto_handshake_message.h"
@@ -23,89 +24,41 @@ const QuicStreamId kDataStream = 3;
 const QuicByteCount kWriteChunkSize = 128 * 1024;
 const char kStreamDataContents = 'Q';
 
-// Takes a SHA-1 hash of the name and converts it into five 32-bit integers.
-static std::vector<uint32_t> HashNameIntoFive32BitIntegers(std::string name) {
-  const std::string hash = test::Sha1Hash(name);
-
-  std::vector<uint32_t> output;
-  uint32_t current_number = 0;
-  for (size_t i = 0; i < hash.size(); i++) {
-    current_number = (current_number << 8) + hash[i];
-    if (i % 4 == 3) {
-      output.push_back(i);
-      current_number = 0;
-    }
-  }
-
-  return output;
-}
-
-QuicSocketAddress GetAddressFromName(std::string name) {
-  const std::vector<uint32_t> hash = HashNameIntoFive32BitIntegers(name);
-
-  // Generate a random port between 1025 and 65535.
-  const uint16_t port = 1025 + hash[0] % (65535 - 1025 + 1);
-
-  // Generate a random 10.x.x.x address, where x is between 1 and 254.
-  std::string ip_address{"\xa\0\0\0", 4};
-  for (size_t i = 1; i < 4; i++) {
-    ip_address[i] = 1 + hash[i] % 254;
-  }
-  QuicIpAddress host;
-  host.FromPackedString(ip_address.c_str(), ip_address.length());
-  return QuicSocketAddress(host, port);
-}
-
 QuicEndpoint::QuicEndpoint(Simulator* simulator,
                            std::string name,
                            std::string peer_name,
                            Perspective perspective,
                            QuicConnectionId connection_id)
-    : Endpoint(simulator, name),
-      peer_name_(peer_name),
-      writer_(this),
-      nic_tx_queue_(simulator,
-                    QuicStringPrintf("%s (TX Queue)", name.c_str()),
-                    kMaxOutgoingPacketSize * kTxQueueSize),
-      connection_(connection_id,
-                  GetAddressFromName(peer_name),
-                  simulator,
-                  simulator->GetAlarmFactory(),
-                  &writer_,
-                  false,
-                  perspective,
-                  ParsedVersionOfIndex(CurrentSupportedVersions(), 0)),
+    : QuicEndpointBase(simulator, name, peer_name),
       bytes_to_transfer_(0),
       bytes_transferred_(0),
-      write_blocked_count_(0),
       wrong_data_received_(false),
-      drop_next_packet_(false),
       notifier_(nullptr) {
-  nic_tx_queue_.set_listener_interface(this);
-
-  connection_.SetSelfAddress(GetAddressFromName(name));
-  connection_.set_visitor(this);
-  connection_.SetEncrypter(ENCRYPTION_FORWARD_SECURE,
-                           std::make_unique<NullEncrypter>(perspective));
-  connection_.SetEncrypter(ENCRYPTION_INITIAL, nullptr);
-  if (connection_.version().KnowsWhichDecrypterToUse()) {
-    connection_.InstallDecrypter(ENCRYPTION_FORWARD_SECURE,
-                                 std::make_unique<NullDecrypter>(perspective));
-    connection_.RemoveDecrypter(ENCRYPTION_INITIAL);
+  connection_ = std::make_unique<QuicConnection>(
+      connection_id, GetAddressFromName(peer_name), simulator,
+      simulator->GetAlarmFactory(), &writer_, false, perspective,
+      ParsedVersionOfIndex(CurrentSupportedVersions(), 0));
+  connection_->SetSelfAddress(GetAddressFromName(name));
+  connection_->set_visitor(this);
+  connection_->SetEncrypter(ENCRYPTION_FORWARD_SECURE,
+                            std::make_unique<NullEncrypter>(perspective));
+  connection_->SetEncrypter(ENCRYPTION_INITIAL, nullptr);
+  if (connection_->version().KnowsWhichDecrypterToUse()) {
+    connection_->InstallDecrypter(ENCRYPTION_FORWARD_SECURE,
+                                  std::make_unique<NullDecrypter>(perspective));
+    connection_->RemoveDecrypter(ENCRYPTION_INITIAL);
   } else {
-    connection_.SetDecrypter(ENCRYPTION_FORWARD_SECURE,
-                             std::make_unique<NullDecrypter>(perspective));
+    connection_->SetDecrypter(ENCRYPTION_FORWARD_SECURE,
+                              std::make_unique<NullDecrypter>(perspective));
   }
-  connection_.SetDefaultEncryptionLevel(ENCRYPTION_FORWARD_SECURE);
+  connection_->SetDefaultEncryptionLevel(ENCRYPTION_FORWARD_SECURE);
   if (perspective == Perspective::IS_SERVER) {
     // Skip version negotiation.
-    test::QuicConnectionPeer::SetNegotiatedVersion(&connection_);
-  }
-  connection_.SetDataProducer(&producer_);
-  connection_.SetSessionNotifier(this);
-  if (connection_.session_decides_what_to_write()) {
-    notifier_ = std::make_unique<test::SimpleSessionNotifier>(&connection_);
+    test::QuicConnectionPeer::SetNegotiatedVersion(connection_.get());
   }
+  connection_->SetDataProducer(&producer_);
+  connection_->SetSessionNotifier(this);
+  notifier_ = std::make_unique<test::SimpleSessionNotifier>(connection_.get());
 
   // Configure the connection as if it received a handshake.  This is important
   // primarily because
@@ -122,19 +75,7 @@ QuicEndpoint::QuicEndpoint(Simulator* simulator,
       peer_hello, perspective == Perspective::IS_CLIENT ? SERVER : CLIENT,
       &error);
   DCHECK_EQ(error_code, QUIC_NO_ERROR) << "Configuration failed: " << error;
-  connection_.SetFromConfig(config);
-}
-
-QuicEndpoint::~QuicEndpoint() {
-  if (trace_visitor_ != nullptr) {
-    const char* perspective_prefix =
-        connection_.perspective() == Perspective::IS_CLIENT ? "C" : "S";
-
-    std::string identifier =
-        QuicStrCat(perspective_prefix, connection_.connection_id().ToString());
-    QuicRecordTestOutput(identifier,
-                         trace_visitor_->trace()->SerializeAsString());
-  }
+  connection_->SetFromConfig(config);
 }
 
 QuicByteCount QuicEndpoint::bytes_received() const {
@@ -176,48 +117,6 @@ void QuicEndpoint::AddBytesToTransfer(QuicByteCount bytes) {
   WriteStreamData();
 }
 
-void QuicEndpoint::DropNextIncomingPacket() {
-  drop_next_packet_ = true;
-}
-
-void QuicEndpoint::RecordTrace() {
-  trace_visitor_ = std::make_unique<QuicTraceVisitor>(&connection_);
-  connection_.set_debug_visitor(trace_visitor_.get());
-}
-
-void QuicEndpoint::AcceptPacket(std::unique_ptr<Packet> packet) {
-  if (packet->destination != name_) {
-    return;
-  }
-  if (drop_next_packet_) {
-    drop_next_packet_ = false;
-    return;
-  }
-
-  QuicReceivedPacket received_packet(packet->contents.data(),
-                                     packet->contents.size(), clock_->Now());
-  connection_.ProcessUdpPacket(connection_.self_address(),
-                               connection_.peer_address(), received_packet);
-}
-
-UnconstrainedPortInterface* QuicEndpoint::GetRxPort() {
-  return this;
-}
-
-void QuicEndpoint::SetTxPort(ConstrainedPortInterface* port) {
-  // Any egress done by the endpoint is actually handled by a queue on an NIC.
-  nic_tx_queue_.set_tx_port(port);
-}
-
-void QuicEndpoint::OnPacketDequeued() {
-  if (writer_.IsWriteBlocked() &&
-      (nic_tx_queue_.capacity() - nic_tx_queue_.bytes_queued()) >=
-          kMaxOutgoingPacketSize) {
-    writer_.SetWritable();
-    connection_.OnCanWrite();
-  }
-}
-
 void QuicEndpoint::OnStreamFrame(const QuicStreamFrame& frame) {
   // Verify that the data received always matches the expected.
   DCHECK(frame.stream_id == kDataStream);
@@ -302,73 +201,6 @@ bool QuicEndpoint::HasUnackedStreamData() const {
   return false;
 }
 
-QuicEndpoint::Writer::Writer(QuicEndpoint* endpoint)
-    : endpoint_(endpoint), is_blocked_(false) {}
-
-QuicEndpoint::Writer::~Writer() {}
-
-WriteResult QuicEndpoint::Writer::WritePacket(
-    const char* buffer,
-    size_t buf_len,
-    const QuicIpAddress& /*self_address*/,
-    const QuicSocketAddress& /*peer_address*/,
-    PerPacketOptions* options) {
-  DCHECK(!IsWriteBlocked());
-  DCHECK(options == nullptr);
-  DCHECK(buf_len <= kMaxOutgoingPacketSize);
-
-  // Instead of losing a packet, become write-blocked when the egress queue is
-  // full.
-  if (endpoint_->nic_tx_queue_.packets_queued() > kTxQueueSize) {
-    is_blocked_ = true;
-    endpoint_->write_blocked_count_++;
-    return WriteResult(WRITE_STATUS_BLOCKED, 0);
-  }
-
-  auto packet = std::make_unique<Packet>();
-  packet->source = endpoint_->name();
-  packet->destination = endpoint_->peer_name_;
-  packet->tx_timestamp = endpoint_->clock_->Now();
-
-  packet->contents = std::string(buffer, buf_len);
-  packet->size = buf_len;
-
-  endpoint_->nic_tx_queue_.AcceptPacket(std::move(packet));
-
-  return WriteResult(WRITE_STATUS_OK, buf_len);
-}
-
-bool QuicEndpoint::Writer::IsWriteBlocked() const {
-  return is_blocked_;
-}
-
-void QuicEndpoint::Writer::SetWritable() {
-  is_blocked_ = false;
-}
-
-QuicByteCount QuicEndpoint::Writer::GetMaxPacketSize(
-    const QuicSocketAddress& /*peer_address*/) const {
-  return kMaxOutgoingPacketSize;
-}
-
-bool QuicEndpoint::Writer::SupportsReleaseTime() const {
-  return false;
-}
-
-bool QuicEndpoint::Writer::IsBatchMode() const {
-  return false;
-}
-
-char* QuicEndpoint::Writer::GetNextWriteLocation(
-    const QuicIpAddress& /*self_address*/,
-    const QuicSocketAddress& /*peer_address*/) {
-  return nullptr;
-}
-
-WriteResult QuicEndpoint::Writer::Flush() {
-  return WriteResult(WRITE_STATUS_OK, 0);
-}
-
 WriteStreamDataResult QuicEndpoint::DataProducer::WriteStreamData(
     QuicStreamId /*id*/,
     QuicStreamOffset /*offset*/,
@@ -388,14 +220,14 @@ bool QuicEndpoint::DataProducer::WriteCryptoData(EncryptionLevel /*level*/,
 
 void QuicEndpoint::WriteStreamData() {
   // Instantiate a flusher which would normally be here due to QuicSession.
-  QuicConnection::ScopedPacketFlusher flusher(&connection_);
+  QuicConnection::ScopedPacketFlusher flusher(connection_.get());
 
   while (bytes_to_transfer_ > 0) {
     // Transfer data in chunks of size at most |kWriteChunkSize|.
     const size_t transmission_size =
         std::min(kWriteChunkSize, bytes_to_transfer_);
 
-    QuicConsumedData consumed_data = connection_.SendStreamData(
+    QuicConsumedData consumed_data = connection_->SendStreamData(
         kDataStream, transmission_size, bytes_transferred_, NO_FIN);
 
     DCHECK(consumed_data.bytes_consumed <= transmission_size);
@@ -407,33 +239,5 @@ void QuicEndpoint::WriteStreamData() {
   }
 }
 
-QuicEndpointMultiplexer::QuicEndpointMultiplexer(
-    std::string name,
-    const std::vector<QuicEndpoint*>& endpoints)
-    : Endpoint((*endpoints.begin())->simulator(), name) {
-  for (QuicEndpoint* endpoint : endpoints) {
-    mapping_.insert(std::make_pair(endpoint->name(), endpoint));
-  }
-}
-
-QuicEndpointMultiplexer::~QuicEndpointMultiplexer() {}
-
-void QuicEndpointMultiplexer::AcceptPacket(std::unique_ptr<Packet> packet) {
-  auto key_value_pair_it = mapping_.find(packet->destination);
-  if (key_value_pair_it == mapping_.end()) {
-    return;
-  }
-
-  key_value_pair_it->second->GetRxPort()->AcceptPacket(std::move(packet));
-}
-UnconstrainedPortInterface* QuicEndpointMultiplexer::GetRxPort() {
-  return this;
-}
-void QuicEndpointMultiplexer::SetTxPort(ConstrainedPortInterface* port) {
-  for (auto& key_value_pair : mapping_) {
-    key_value_pair.second->SetTxPort(port);
-  }
-}
-
 }  // namespace simulator
 }  // namespace quic
diff --git a/chromium/net/third_party/quiche/src/quic/test_tools/simulator/quic_endpoint.h b/chromium/net/third_party/quiche/src/quic/test_tools/simulator/quic_endpoint.h
index 43fce53bb4c..c2d24ac5404 100644
--- a/chromium/net/third_party/quiche/src/quic/test_tools/simulator/quic_endpoint.h
+++ b/chromium/net/third_party/quiche/src/quic/test_tools/simulator/quic_endpoint.h
@@ -16,26 +16,17 @@
 #include "net/third_party/quiche/src/quic/test_tools/simple_session_notifier.h"
 #include "net/third_party/quiche/src/quic/test_tools/simulator/link.h"
 #include "net/third_party/quiche/src/quic/test_tools/simulator/queue.h"
+#include "net/third_party/quiche/src/quic/test_tools/simulator/quic_endpoint_base.h"
 
 namespace quic {
 namespace simulator {
 
-// Size of the TX queue used by the kernel/NIC.  1000 is the Linux
-// kernel default.
-const QuicByteCount kTxQueueSize = 1000;
-
-// Generate a random local network host-port tuple based on the name of the
-// endpoint.
-QuicSocketAddress GetAddressFromName(std::string name);
-
 // A QUIC connection endpoint.  Wraps around QuicConnection.  In order to
 // initiate a transfer, the caller has to call AddBytesToTransfer().  The data
 // transferred is always the same and is always transferred on a single stream.
 // The endpoint receives all packets addressed to it, and verifies that the data
 // received is what it's supposed to be.
-class QuicEndpoint : public Endpoint,
-                     public UnconstrainedPortInterface,
-                     public Queue::ListenerInterface,
+class QuicEndpoint : public QuicEndpointBase,
                      public QuicConnectionVisitorInterface,
                      public SessionNotifierInterface {
  public:
@@ -44,40 +35,16 @@ class QuicEndpoint : public Endpoint,
                std::string peer_name,
                Perspective perspective,
                QuicConnectionId connection_id);
-  ~QuicEndpoint() override;
 
-  inline QuicConnection* connection() { return &connection_; }
   QuicByteCount bytes_to_transfer() const;
   QuicByteCount bytes_transferred() const;
   QuicByteCount bytes_received() const;
-  inline size_t write_blocked_count() { return write_blocked_count_; }
   inline bool wrong_data_received() const { return wrong_data_received_; }
 
   // Send |bytes| bytes.  Initiates the transfer if one is not already in
   // progress.
   void AddBytesToTransfer(QuicByteCount bytes);
 
-  // Drop the next packet upon receipt.
-  void DropNextIncomingPacket();
-
-  // UnconstrainedPortInterface method.  Called whenever the endpoint receives a
-  // packet.
-  void AcceptPacket(std::unique_ptr<Packet> packet) override;
-
-  // Enables logging of the connection trace at the end of the unit test.
-  void RecordTrace();
-
-  // Begin Endpoint implementation.
-  UnconstrainedPortInterface* GetRxPort() override;
-  void SetTxPort(ConstrainedPortInterface* port) override;
-  // End Endpoint implementation.
-
-  // Actor method.
-  void Act() override {}
-
-  // Queue::ListenerInterface method.
-  void OnPacketDequeued() override;
-
   // Begin QuicConnectionVisitorInterface implementation.
   void OnStreamFrame(const QuicStreamFrame& frame) override;
   void OnCryptoFrame(const QuicCryptoFrame& frame) override;
@@ -114,9 +81,8 @@ class QuicEndpoint : public Endpoint,
       const QuicStreamsBlockedFrame& /*frame*/) override {
     return true;
   }
-  bool OnStopSendingFrame(const QuicStopSendingFrame& /*frame*/) override {
-    return true;
-  }
+  void OnStopSendingFrame(const QuicStopSendingFrame& /*frame*/) override {}
+  void OnPacketDecrypted(EncryptionLevel /*level*/) override {}
 
   // End QuicConnectionVisitorInterface implementation.
 
@@ -134,33 +100,6 @@ class QuicEndpoint : public Endpoint,
   // End SessionNotifierInterface implementation.
 
  private:
-  // A Writer object that writes into the |nic_tx_queue_|.
-  class Writer : public QuicPacketWriter {
-   public:
-    explicit Writer(QuicEndpoint* endpoint);
-    ~Writer() override;
-
-    WriteResult WritePacket(const char* buffer,
-                            size_t buf_len,
-                            const QuicIpAddress& self_address,
-                            const QuicSocketAddress& peer_address,
-                            PerPacketOptions* options) override;
-    bool IsWriteBlocked() const override;
-    void SetWritable() override;
-    QuicByteCount GetMaxPacketSize(
-        const QuicSocketAddress& peer_address) const override;
-    bool SupportsReleaseTime() const override;
-    bool IsBatchMode() const override;
-    char* GetNextWriteLocation(const QuicIpAddress& self_address,
-                               const QuicSocketAddress& peer_address) override;
-    WriteResult Flush() override;
-
-   private:
-    QuicEndpoint* endpoint_;
-
-    bool is_blocked_;
-  };
-
   // The producer outputs the repetition of the same byte.  That sequence is
   // verified by the receiver.
   class DataProducer : public QuicStreamFrameDataProducer {
@@ -175,60 +114,30 @@ class QuicEndpoint : public Endpoint,
                          QuicDataWriter* writer) override;
   };
 
+  std::unique_ptr<QuicConnection> CreateConnection(
+      Simulator* simulator,
+      std::string name,
+      std::string peer_name,
+      Perspective perspective,
+      QuicConnectionId connection_id);
+
   // Write stream data until |bytes_to_transfer_| is zero or the connection is
   // write-blocked.
   void WriteStreamData();
 
-  std::string peer_name_;
-
-  Writer writer_;
   DataProducer producer_;
-  // The queue for the outgoing packets.  In reality, this might be either on
-  // the network card, or in the kernel, but for concreteness we assume it's on
-  // the network card.
-  Queue nic_tx_queue_;
-  QuicConnection connection_;
 
   QuicByteCount bytes_to_transfer_;
   QuicByteCount bytes_transferred_;
 
-  // Counts the number of times the writer became write-blocked.
-  size_t write_blocked_count_;
-
   // Set to true if the endpoint receives stream data different from what it
   // expects.
   bool wrong_data_received_;
 
-  // If true, drop the next packet when receiving it.
-  bool drop_next_packet_;
-
   // Record of received offsets in the data stream.
   QuicIntervalSet<QuicStreamOffset> offsets_received_;
 
   std::unique_ptr<test::SimpleSessionNotifier> notifier_;
-  std::unique_ptr<QuicTraceVisitor> trace_visitor_;
-};
-
-// Multiplexes multiple connections at the same host on the network.
-class QuicEndpointMultiplexer : public Endpoint,
-                                public UnconstrainedPortInterface {
- public:
-  QuicEndpointMultiplexer(std::string name,
-                          const std::vector<QuicEndpoint*>& endpoints);
-  ~QuicEndpointMultiplexer() override;
-
-  // Receives a packet and passes it to the specified endpoint if that endpoint
-  // is one of the endpoints being multiplexed, otherwise ignores the packet.
-  void AcceptPacket(std::unique_ptr<Packet> packet) override;
-  UnconstrainedPortInterface* GetRxPort() override;
-
-  // Sets the egress port for all the endpoints being multiplexed.
-  void SetTxPort(ConstrainedPortInterface* port) override;
-
-  void Act() override {}
-
- private:
-  QuicUnorderedMap<std::string, QuicEndpoint*> mapping_;
 };
 
 }  // namespace simulator
diff --git a/chromium/net/third_party/quiche/src/quic/test_tools/simulator/quic_endpoint_base.cc b/chromium/net/third_party/quiche/src/quic/test_tools/simulator/quic_endpoint_base.cc
new file mode 100644
index 00000000000..537a94737b4
--- /dev/null
+++ b/chromium/net/third_party/quiche/src/quic/test_tools/simulator/quic_endpoint_base.cc
@@ -0,0 +1,222 @@
+// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "net/third_party/quiche/src/quic/test_tools/simulator/quic_endpoint_base.h"
+
+#include <memory>
+#include <utility>
+
+#include "net/third_party/quiche/src/quic/core/crypto/crypto_handshake_message.h"
+#include "net/third_party/quiche/src/quic/core/crypto/crypto_protocol.h"
+#include "net/third_party/quiche/src/quic/core/quic_connection.h"
+#include "net/third_party/quiche/src/quic/core/quic_data_writer.h"
+#include "net/third_party/quiche/src/quic/platform/api/quic_str_cat.h"
+#include "net/third_party/quiche/src/quic/platform/api/quic_test_output.h"
+#include "net/third_party/quiche/src/quic/platform/api/quic_text_utils.h"
+#include "net/third_party/quiche/src/quic/test_tools/quic_connection_peer.h"
+#include "net/third_party/quiche/src/quic/test_tools/quic_test_utils.h"
+#include "net/third_party/quiche/src/quic/test_tools/simulator/simulator.h"
+
+namespace quic {
+namespace simulator {
+
+// Takes a SHA-1 hash of the name and converts it into five 32-bit integers.
+static std::vector<uint32_t> HashNameIntoFive32BitIntegers(std::string name) {
+  const std::string hash = test::Sha1Hash(name);
+
+  std::vector<uint32_t> output;
+  uint32_t current_number = 0;
+  for (size_t i = 0; i < hash.size(); i++) {
+    current_number = (current_number << 8) + hash[i];
+    if (i % 4 == 3) {
+      output.push_back(i);
+      current_number = 0;
+    }
+  }
+
+  return output;
+}
+
+QuicSocketAddress GetAddressFromName(std::string name) {
+  const std::vector<uint32_t> hash = HashNameIntoFive32BitIntegers(name);
+
+  // Generate a random port between 1025 and 65535.
+  const uint16_t port = 1025 + hash[0] % (65535 - 1025 + 1);
+
+  // Generate a random 10.x.x.x address, where x is between 1 and 254.
+  std::string ip_address{"\xa\0\0\0", 4};
+  for (size_t i = 1; i < 4; i++) {
+    ip_address[i] = 1 + hash[i] % 254;
+  }
+  QuicIpAddress host;
+  host.FromPackedString(ip_address.c_str(), ip_address.length());
+  return QuicSocketAddress(host, port);
+}
+
+QuicEndpointBase::QuicEndpointBase(Simulator* simulator,
+                                   std::string name,
+                                   std::string peer_name)
+    : Endpoint(simulator, name),
+      peer_name_(peer_name),
+      writer_(this),
+      nic_tx_queue_(simulator,
+                    QuicStringPrintf("%s (TX Queue)", name.c_str()),
+                    kMaxOutgoingPacketSize * kTxQueueSize),
+      connection_(nullptr),
+      write_blocked_count_(0),
+      drop_next_packet_(false) {
+  nic_tx_queue_.set_listener_interface(this);
+}
+
+QuicEndpointBase::~QuicEndpointBase() {
+  if (trace_visitor_ != nullptr) {
+    const char* perspective_prefix =
+        connection_->perspective() == Perspective::IS_CLIENT ? "C" : "S";
+
+    std::string identifier =
+        QuicStrCat(perspective_prefix, connection_->connection_id().ToString());
+    QuicRecordTestOutput(identifier,
+                         trace_visitor_->trace()->SerializeAsString());
+  }
+}
+
+void QuicEndpointBase::DropNextIncomingPacket() {
+  drop_next_packet_ = true;
+}
+
+void QuicEndpointBase::RecordTrace() {
+  trace_visitor_ = std::make_unique<QuicTraceVisitor>(connection_.get());
+  connection_->set_debug_visitor(trace_visitor_.get());
+}
+
+void QuicEndpointBase::AcceptPacket(std::unique_ptr<Packet> packet) {
+  if (packet->destination != name_) {
+    return;
+  }
+  if (drop_next_packet_) {
+    drop_next_packet_ = false;
+    return;
+  }
+
+  QuicReceivedPacket received_packet(packet->contents.data(),
+                                     packet->contents.size(), clock_->Now());
+  connection_->ProcessUdpPacket(connection_->self_address(),
+                                connection_->peer_address(), received_packet);
+}
+
+UnconstrainedPortInterface* QuicEndpointBase::GetRxPort() {
+  return this;
+}
+
+void QuicEndpointBase::SetTxPort(ConstrainedPortInterface* port) {
+  // Any egress done by the endpoint is actually handled by a queue on an NIC.
+  nic_tx_queue_.set_tx_port(port);
+}
+
+void QuicEndpointBase::OnPacketDequeued() {
+  if (writer_.IsWriteBlocked() &&
+      (nic_tx_queue_.capacity() - nic_tx_queue_.bytes_queued()) >=
+          kMaxOutgoingPacketSize) {
+    writer_.SetWritable();
+    connection_->OnCanWrite();
+  }
+}
+
+QuicEndpointBase::Writer::Writer(QuicEndpointBase* endpoint)
+    : endpoint_(endpoint), is_blocked_(false) {}
+
+QuicEndpointBase::Writer::~Writer() {}
+
+WriteResult QuicEndpointBase::Writer::WritePacket(
+    const char* buffer,
+    size_t buf_len,
+    const QuicIpAddress& /*self_address*/,
+    const QuicSocketAddress& /*peer_address*/,
+    PerPacketOptions* options) {
+  DCHECK(!IsWriteBlocked());
+  DCHECK(options == nullptr);
+  DCHECK(buf_len <= kMaxOutgoingPacketSize);
+
+  // Instead of losing a packet, become write-blocked when the egress queue is
+  // full.
+  if (endpoint_->nic_tx_queue_.packets_queued() > kTxQueueSize) {
+    is_blocked_ = true;
+    endpoint_->write_blocked_count_++;
+    return WriteResult(WRITE_STATUS_BLOCKED, 0);
+  }
+
+  auto packet = std::make_unique<Packet>();
+  packet->source = endpoint_->name();
+  packet->destination = endpoint_->peer_name_;
+  packet->tx_timestamp = endpoint_->clock_->Now();
+
+  packet->contents = std::string(buffer, buf_len);
+  packet->size = buf_len;
+
+  endpoint_->nic_tx_queue_.AcceptPacket(std::move(packet));
+
+  return WriteResult(WRITE_STATUS_OK, buf_len);
+}
+
+bool QuicEndpointBase::Writer::IsWriteBlocked() const {
+  return is_blocked_;
+}
+
+void QuicEndpointBase::Writer::SetWritable() {
+  is_blocked_ = false;
+}
+
+QuicByteCount QuicEndpointBase::Writer::GetMaxPacketSize(
+    const QuicSocketAddress& /*peer_address*/) const {
+  return kMaxOutgoingPacketSize;
+}
+
+bool QuicEndpointBase::Writer::SupportsReleaseTime() const {
+  return false;
+}
+
+bool QuicEndpointBase::Writer::IsBatchMode() const {
+  return false;
+}
+
+char* QuicEndpointBase::Writer::GetNextWriteLocation(
+    const QuicIpAddress& /*self_address*/,
+    const QuicSocketAddress& /*peer_address*/) {
+  return nullptr;
+}
+
+WriteResult QuicEndpointBase::Writer::Flush() {
+  return WriteResult(WRITE_STATUS_OK, 0);
+}
+
+QuicEndpointMultiplexer::QuicEndpointMultiplexer(
+    std::string name,
+    const std::vector<QuicEndpointBase*>& endpoints)
+    : Endpoint((*endpoints.begin())->simulator(), name) {
+  for (QuicEndpointBase* endpoint : endpoints) {
+    mapping_.insert(std::make_pair(endpoint->name(), endpoint));
+  }
+}
+
+QuicEndpointMultiplexer::~QuicEndpointMultiplexer() {}
+
+void QuicEndpointMultiplexer::AcceptPacket(std::unique_ptr<Packet> packet) {
+  auto key_value_pair_it = mapping_.find(packet->destination);
+  if (key_value_pair_it == mapping_.end()) {
+    return;
+  }
+
+  key_value_pair_it->second->GetRxPort()->AcceptPacket(std::move(packet));
+}
+UnconstrainedPortInterface* QuicEndpointMultiplexer::GetRxPort() {
+  return this;
+}
+void QuicEndpointMultiplexer::SetTxPort(ConstrainedPortInterface* port) {
+  for (auto& key_value_pair : mapping_) {
+    key_value_pair.second->SetTxPort(port);
+  }
+}
+
+}  // namespace simulator
+}  // namespace quic
diff --git a/chromium/net/third_party/quiche/src/quic/test_tools/simulator/quic_endpoint_base.h b/chromium/net/third_party/quiche/src/quic/test_tools/simulator/quic_endpoint_base.h
new file mode 100644
index 00000000000..ae9f69b95fc
--- /dev/null
+++ b/chromium/net/third_party/quiche/src/quic/test_tools/simulator/quic_endpoint_base.h
@@ -0,0 +1,158 @@
+// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef QUICHE_QUIC_TEST_TOOLS_SIMULATOR_QUIC_ENDPOINT_BASE_H_
+#define QUICHE_QUIC_TEST_TOOLS_SIMULATOR_QUIC_ENDPOINT_BASE_H_
+
+#include <memory>
+
+#include "net/third_party/quiche/src/quic/core/crypto/null_decrypter.h"
+#include "net/third_party/quiche/src/quic/core/crypto/null_encrypter.h"
+#include "net/third_party/quiche/src/quic/core/quic_connection.h"
+#include "net/third_party/quiche/src/quic/core/quic_default_packet_writer.h"
+#include "net/third_party/quiche/src/quic/core/quic_packets.h"
+#include "net/third_party/quiche/src/quic/core/quic_stream_frame_data_producer.h"
+#include "net/third_party/quiche/src/quic/core/quic_trace_visitor.h"
+#include "net/third_party/quiche/src/quic/platform/api/quic_containers.h"
+#include "net/third_party/quiche/src/quic/test_tools/simple_session_notifier.h"
+#include "net/third_party/quiche/src/quic/test_tools/simulator/link.h"
+#include "net/third_party/quiche/src/quic/test_tools/simulator/queue.h"
+
+namespace quic {
+namespace simulator {
+
+// Size of the TX queue used by the kernel/NIC.  1000 is the Linux
+// kernel default.
+const QuicByteCount kTxQueueSize = 1000;
+
+// Generate a random local network host-port tuple based on the name of the
+// endpoint.
+QuicSocketAddress GetAddressFromName(std::string name);
+
+// A QUIC connection endpoint.  If the specific data transmitted does not matter
+// (e.g. for congestion control purposes), QuicEndpoint is the subclass that
+// transmits dummy data.  If the actual semantics of the connection matter,
+// subclassing QuicEndpointBase is required.
+class QuicEndpointBase : public Endpoint,
+                         public UnconstrainedPortInterface,
+                         public Queue::ListenerInterface {
+ public:
+  // Does not create the connection; the subclass has to create connection by
+  // itself.
+  QuicEndpointBase(Simulator* simulator,
+                   std::string name,
+                   std::string peer_name);
+  ~QuicEndpointBase() override;
+
+  inline QuicConnection* connection() { return connection_.get(); }
+  inline size_t write_blocked_count() { return write_blocked_count_; }
+
+  // Drop the next packet upon receipt.
+  void DropNextIncomingPacket();
+
+  // UnconstrainedPortInterface method.  Called whenever the endpoint receives a
+  // packet.
+  void AcceptPacket(std::unique_ptr<Packet> packet) override;
+
+  // Enables logging of the connection trace at the end of the unit test.
+  void RecordTrace();
+
+  // Begin Endpoint implementation.
+  UnconstrainedPortInterface* GetRxPort() override;
+  void SetTxPort(ConstrainedPortInterface* port) override;
+  // End Endpoint implementation.
+
+  // Actor method.
+  void Act() override {}
+
+  // Queue::ListenerInterface method.
+  void OnPacketDequeued() override;
+
+ protected:
+  // A Writer object that writes into the |nic_tx_queue_|.
+  class Writer : public QuicPacketWriter {
+   public:
+    explicit Writer(QuicEndpointBase* endpoint);
+    ~Writer() override;
+
+    WriteResult WritePacket(const char* buffer,
+                            size_t buf_len,
+                            const QuicIpAddress& self_address,
+                            const QuicSocketAddress& peer_address,
+                            PerPacketOptions* options) override;
+    bool IsWriteBlocked() const override;
+    void SetWritable() override;
+    QuicByteCount GetMaxPacketSize(
+        const QuicSocketAddress& peer_address) const override;
+    bool SupportsReleaseTime() const override;
+    bool IsBatchMode() const override;
+    char* GetNextWriteLocation(const QuicIpAddress& self_address,
+                               const QuicSocketAddress& peer_address) override;
+    WriteResult Flush() override;
+
+   private:
+    QuicEndpointBase* endpoint_;
+
+    bool is_blocked_;
+  };
+
+  // The producer outputs the repetition of the same byte.  That sequence is
+  // verified by the receiver.
+  class DataProducer : public QuicStreamFrameDataProducer {
+   public:
+    WriteStreamDataResult WriteStreamData(QuicStreamId id,
+                                          QuicStreamOffset offset,
+                                          QuicByteCount data_length,
+                                          QuicDataWriter* writer) override;
+    bool WriteCryptoData(EncryptionLevel level,
+                         QuicStreamOffset offset,
+                         QuicByteCount data_length,
+                         QuicDataWriter* writer) override;
+  };
+
+  std::string peer_name_;
+
+  Writer writer_;
+  // The queue for the outgoing packets.  In reality, this might be either on
+  // the network card, or in the kernel, but for concreteness we assume it's on
+  // the network card.
+  Queue nic_tx_queue_;
+  // Created by the subclass.
+  std::unique_ptr<QuicConnection> connection_;
+
+  // Counts the number of times the writer became write-blocked.
+  size_t write_blocked_count_;
+
+  // If true, drop the next packet when receiving it.
+  bool drop_next_packet_;
+
+  std::unique_ptr<QuicTraceVisitor> trace_visitor_;
+};
+
+// Multiplexes multiple connections at the same host on the network.
+class QuicEndpointMultiplexer : public Endpoint,
+                                public UnconstrainedPortInterface {
+ public:
+  QuicEndpointMultiplexer(std::string name,
+                          const std::vector<QuicEndpointBase*>& endpoints);
+  ~QuicEndpointMultiplexer() override;
+
+  // Receives a packet and passes it to the specified endpoint if that endpoint
+  // is one of the endpoints being multiplexed, otherwise ignores the packet.
+  void AcceptPacket(std::unique_ptr<Packet> packet) override;
+  UnconstrainedPortInterface* GetRxPort() override;
+
+  // Sets the egress port for all the endpoints being multiplexed.
+  void SetTxPort(ConstrainedPortInterface* port) override;
+
+  void Act() override {}
+
+ private:
+  QuicUnorderedMap<std::string, QuicEndpointBase*> mapping_;
+};
+
+}  // namespace simulator
+}  // namespace quic
+
+#endif  // QUICHE_QUIC_TEST_TOOLS_SIMULATOR_QUIC_ENDPOINT_BASE_H_
diff --git a/chromium/net/third_party/quiche/src/quic/test_tools/simulator/quic_endpoint_test.cc b/chromium/net/third_party/quiche/src/quic/test_tools/simulator/quic_endpoint_test.cc
index 772cd2e4ffd..0989a3bc0f7 100644
--- a/chromium/net/third_party/quiche/src/quic/test_tools/simulator/quic_endpoint_test.cc
+++ b/chromium/net/third_party/quiche/src/quic/test_tools/simulator/quic_endpoint_test.cc
@@ -104,8 +104,8 @@ TEST_F(QuicEndpointTest, WriteBlocked) {
   EXPECT_CALL(*sender, BandwidthEstimate())
       .WillRepeatedly(Return(10 * kDefaultBandwidth));
   EXPECT_CALL(*sender, GetCongestionWindow())
-      .WillRepeatedly(
-          Return(kMaxOutgoingPacketSize * kDefaultMaxCongestionWindowPackets));
+      .WillRepeatedly(Return(kMaxOutgoingPacketSize *
+                             GetQuicFlag(FLAGS_quic_max_congestion_window)));
   test::QuicConnectionPeer::SetSendAlgorithm(endpoint_a.connection(), sender);
 
   // First transmit a small, packet-size chunk of data.
diff --git a/chromium/net/third_party/quiche/src/quic/tools/quic_client.cc b/chromium/net/third_party/quiche/src/quic/tools/quic_client.cc
index cccb7ba3e6f..379cfac3c13 100644
--- a/chromium/net/third_party/quiche/src/quic/tools/quic_client.cc
+++ b/chromium/net/third_party/quiche/src/quic/tools/quic_client.cc
@@ -70,7 +70,24 @@ QuicClient::QuicClient(QuicSocketAddress server_address,
           QuicConfig(),
           epoll_server,
           QuicWrapUnique(new QuicClientEpollNetworkHelper(epoll_server, this)),
-          std::move(proof_verifier)) {}
+          std::move(proof_verifier),
+          nullptr) {}
+
+QuicClient::QuicClient(QuicSocketAddress server_address,
+                       const QuicServerId& server_id,
+                       const ParsedQuicVersionVector& supported_versions,
+                       QuicEpollServer* epoll_server,
+                       std::unique_ptr<ProofVerifier> proof_verifier,
+                       std::unique_ptr<SessionCache> session_cache)
+    : QuicClient(
+          server_address,
+          server_id,
+          supported_versions,
+          QuicConfig(),
+          epoll_server,
+          QuicWrapUnique(new QuicClientEpollNetworkHelper(epoll_server, this)),
+          std::move(proof_verifier),
+          std::move(session_cache)) {}
 
 QuicClient::QuicClient(
     QuicSocketAddress server_address,
@@ -85,7 +102,8 @@ QuicClient::QuicClient(
                  QuicConfig(),
                  epoll_server,
                  std::move(network_helper),
-                 std::move(proof_verifier)) {}
+                 std::move(proof_verifier),
+                 nullptr) {}
 
 QuicClient::QuicClient(
     QuicSocketAddress server_address,
@@ -95,6 +113,24 @@ QuicClient::QuicClient(
     QuicEpollServer* epoll_server,
     std::unique_ptr<QuicClientEpollNetworkHelper> network_helper,
     std::unique_ptr<ProofVerifier> proof_verifier)
+    : QuicClient(server_address,
+                 server_id,
+                 supported_versions,
+                 config,
+                 epoll_server,
+                 std::move(network_helper),
+                 std::move(proof_verifier),
+                 nullptr) {}
+
+QuicClient::QuicClient(
+    QuicSocketAddress server_address,
+    const QuicServerId& server_id,
+    const ParsedQuicVersionVector& supported_versions,
+    const QuicConfig& config,
+    QuicEpollServer* epoll_server,
+    std::unique_ptr<QuicClientEpollNetworkHelper> network_helper,
+    std::unique_ptr<ProofVerifier> proof_verifier,
+    std::unique_ptr<SessionCache> session_cache)
     : QuicSpdyClientBase(
           server_id,
           supported_versions,
@@ -102,7 +138,8 @@ QuicClient::QuicClient(
           new QuicEpollConnectionHelper(epoll_server, QuicAllocator::SIMPLE),
           new QuicEpollAlarmFactory(epoll_server),
           std::move(network_helper),
-          std::move(proof_verifier)) {
+          std::move(proof_verifier),
+          std::move(session_cache)) {
   set_server_address(server_address);
 }
 
diff --git a/chromium/net/third_party/quiche/src/quic/tools/quic_client.h b/chromium/net/third_party/quiche/src/quic/tools/quic_client.h
index 8e43be8498b..10c61f378d0 100644
--- a/chromium/net/third_party/quiche/src/quic/tools/quic_client.h
+++ b/chromium/net/third_party/quiche/src/quic/tools/quic_client.h
@@ -37,12 +37,18 @@ QuicSocketAddress LookupAddress(std::string host, std::string port);
 
 class QuicClient : public QuicSpdyClientBase {
  public:
-  // This will create its own QuicClientEpollNetworkHelper.
+  // These will create their own QuicClientEpollNetworkHelper.
   QuicClient(QuicSocketAddress server_address,
              const QuicServerId& server_id,
              const ParsedQuicVersionVector& supported_versions,
              QuicEpollServer* epoll_server,
              std::unique_ptr<ProofVerifier> proof_verifier);
+  QuicClient(QuicSocketAddress server_address,
+             const QuicServerId& server_id,
+             const ParsedQuicVersionVector& supported_versions,
+             QuicEpollServer* epoll_server,
+             std::unique_ptr<ProofVerifier> proof_verifier,
+             std::unique_ptr<SessionCache> session_cache);
   // This will take ownership of a passed in network primitive.
   QuicClient(QuicSocketAddress server_address,
              const QuicServerId& server_id,
@@ -57,6 +63,14 @@ class QuicClient : public QuicSpdyClientBase {
              QuicEpollServer* epoll_server,
              std::unique_ptr<QuicClientEpollNetworkHelper> network_helper,
              std::unique_ptr<ProofVerifier> proof_verifier);
+  QuicClient(QuicSocketAddress server_address,
+             const QuicServerId& server_id,
+             const ParsedQuicVersionVector& supported_versions,
+             const QuicConfig& config,
+             QuicEpollServer* epoll_server,
+             std::unique_ptr<QuicClientEpollNetworkHelper> network_helper,
+             std::unique_ptr<ProofVerifier> proof_verifier,
+             std::unique_ptr<SessionCache> session_cache);
   QuicClient(const QuicClient&) = delete;
   QuicClient& operator=(const QuicClient&) = delete;
 
diff --git a/chromium/net/third_party/quiche/src/quic/tools/quic_client_base.cc b/chromium/net/third_party/quiche/src/quic/tools/quic_client_base.cc
index b03f7cc342d..b6c33759b47 100644
--- a/chromium/net/third_party/quiche/src/quic/tools/quic_client_base.cc
+++ b/chromium/net/third_party/quiche/src/quic/tools/quic_client_base.cc
@@ -23,12 +23,13 @@ QuicClientBase::QuicClientBase(
     QuicConnectionHelperInterface* helper,
     QuicAlarmFactory* alarm_factory,
     std::unique_ptr<NetworkHelper> network_helper,
-    std::unique_ptr<ProofVerifier> proof_verifier)
+    std::unique_ptr<ProofVerifier> proof_verifier,
+    std::unique_ptr<SessionCache> session_cache)
     : server_id_(server_id),
       initialized_(false),
       local_port_(0),
       config_(config),
-      crypto_config_(std::move(proof_verifier)),
+      crypto_config_(std::move(proof_verifier), std::move(session_cache)),
       helper_(helper),
       alarm_factory_(alarm_factory),
       supported_versions_(supported_versions),
diff --git a/chromium/net/third_party/quiche/src/quic/tools/quic_client_base.h b/chromium/net/third_party/quiche/src/quic/tools/quic_client_base.h
index fb15b862b08..8cb639bd58f 100644
--- a/chromium/net/third_party/quiche/src/quic/tools/quic_client_base.h
+++ b/chromium/net/third_party/quiche/src/quic/tools/quic_client_base.h
@@ -23,6 +23,7 @@ namespace quic {
 
 class ProofVerifier;
 class QuicServerId;
+class SessionCache;
 
 // QuicClientBase handles establishing a connection to the passed in
 // server id, including ensuring that it supports the passed in versions
@@ -64,7 +65,8 @@ class QuicClientBase {
                  QuicConnectionHelperInterface* helper,
                  QuicAlarmFactory* alarm_factory,
                  std::unique_ptr<NetworkHelper> network_helper,
-                 std::unique_ptr<ProofVerifier> proof_verifier);
+                 std::unique_ptr<ProofVerifier> proof_verifier,
+                 std::unique_ptr<SessionCache> session_cache);
   QuicClientBase(const QuicClientBase&) = delete;
   QuicClientBase& operator=(const QuicClientBase&) = delete;
 
diff --git a/chromium/net/third_party/quiche/src/quic/tools/quic_client_interop_test_bin.cc b/chromium/net/third_party/quiche/src/quic/tools/quic_client_interop_test_bin.cc
index 278a22e29ba..8c9f6d16930 100644
--- a/chromium/net/third_party/quiche/src/quic/tools/quic_client_interop_test_bin.cc
+++ b/chromium/net/third_party/quiche/src/quic/tools/quic_client_interop_test_bin.cc
@@ -13,6 +13,8 @@
 #include "net/third_party/quiche/src/quic/platform/api/quic_system_event_loop.h"
 #include "net/quic/platform/impl/quic_epoll_clock.h"
 #include "net/third_party/quiche/src/quic/test_tools/quic_connection_peer.h"
+#include "net/third_party/quiche/src/quic/test_tools/quic_session_peer.h"
+#include "net/third_party/quiche/src/quic/test_tools/simple_session_cache.h"
 #include "net/third_party/quiche/src/quic/tools/fake_proof_verifier.h"
 #include "net/third_party/quiche/src/quic/tools/quic_client.h"
 #include "net/third_party/quiche/src/quic/tools/quic_url.h"
@@ -36,6 +38,8 @@ enum class Feature {
   kStreamData,
   // The connection close procedcure completes with a zero error code.
   kConnectionClose,
+  // The connection was established using TLS resumption.
+  kResumption,
   // A RETRY packet was successfully processed.
   kRetry,
 
@@ -46,6 +50,9 @@ enum class Feature {
   // Third row of features (H3 tests)
   // An H3 transaction succeeded.
   kHttp3,
+  // One or both endpoints insert entries into dynamic table and subsequenly
+  // reference them from header blocks.
+  kDynamicEntryReferenced,
 };
 
 char MatrixLetter(Feature f) {
@@ -58,39 +65,80 @@ char MatrixLetter(Feature f) {
       return 'D';
     case Feature::kConnectionClose:
       return 'C';
-    case Feature::kHttp3:
-      return '3';
+    case Feature::kResumption:
+      return 'R';
     case Feature::kRetry:
       return 'S';
     case Feature::kRebinding:
       return 'B';
+    case Feature::kHttp3:
+      return '3';
+    case Feature::kDynamicEntryReferenced:
+      return 'd';
+  }
+}
+
+// Attempts a resumption using |client| by disconnecting and reconnecting. If
+// resumption is successful, |features| is modified to add Feature::kResumption
+// to it, otherwise it is left unmodified.
+void AttemptResumption(QuicClient* client, std::set<Feature>* features) {
+  client->Disconnect();
+  if (!client->Initialize()) {
+    QUIC_LOG(ERROR) << "Failed to reinitialize client";
+    return;
+  }
+  if (!client->Connect() || !client->session()->IsCryptoHandshakeConfirmed()) {
+    return;
+  }
+  if (static_cast<QuicCryptoClientStream*>(
+          test::QuicSessionPeer::GetMutableCryptoStream(client->session()))
+          ->IsResumption()) {
+    features->insert(Feature::kResumption);
   }
 }
 
 std::set<Feature> AttemptRequest(QuicSocketAddress addr,
                                  std::string authority,
                                  QuicServerId server_id,
-                                 ParsedQuicVersionVector versions,
+                                 bool test_version_negotiation,
                                  bool attempt_rebind) {
+  ParsedQuicVersion version(PROTOCOL_TLS1_3, QUIC_VERSION_99);
+  ParsedQuicVersionVector versions = {version};
+  if (test_version_negotiation) {
+    versions.insert(versions.begin(), QuicVersionReservedForNegotiation());
+  }
+
   std::set<Feature> features;
   auto proof_verifier = std::make_unique<FakeProofVerifier>();
+  auto session_cache = std::make_unique<test::SimpleSessionCache>();
   QuicEpollServer epoll_server;
   QuicEpollClock epoll_clock(&epoll_server);
   auto client = std::make_unique<QuicClient>(
-      addr, server_id, versions, &epoll_server, std::move(proof_verifier));
+      addr, server_id, versions, &epoll_server, std::move(proof_verifier),
+      std::move(session_cache));
   if (!client->Initialize()) {
+    QUIC_LOG(ERROR) << "Failed to initialize client";
     return features;
   }
-  if (!client->Connect()) {
-    QuicErrorCode error = client->session()->error();
-    if (error == QUIC_INVALID_VERSION) {
-      // QuicFramer::ProcessPacket returns RaiseError(QUIC_INVALID_VERSION) if
-      // it receives a packet containing a version in the header that is not our
-      // version. It might be possible that we didn't actually process a VN
-      // packet here.
+  const bool connect_result = client->Connect();
+  QuicConnection* connection = client->session()->connection();
+  if (connection != nullptr) {
+    QuicConnectionStats client_stats = connection->GetStats();
+    if (client_stats.retry_packet_processed) {
+      features.insert(Feature::kRetry);
+    }
+    if (test_version_negotiation && connection->version() == version) {
       features.insert(Feature::kVersionNegotiation);
-      return features;
     }
+  }
+  if (test_version_negotiation && !connect_result) {
+    // Failed to negotiate version, retry without version negotiation.
+    std::set<Feature> features_without_version_negotiation =
+        AttemptRequest(addr, authority, server_id,
+                       /*test_version_negotiation=*/false, attempt_rebind);
+
+    features.insert(features_without_version_negotiation.begin(),
+                    features_without_version_negotiation.end());
     return features;
   }
   if (!client->session()->IsCryptoHandshakeConfirmed()) {
@@ -109,19 +157,17 @@ std::set<Feature> AttemptRequest(QuicSocketAddress addr,
 
   const QuicTime request_start_time = epoll_clock.Now();
   static const auto request_timeout = QuicTime::Delta::FromSeconds(20);
+  bool request_timed_out = false;
   while (client->WaitForEvents()) {
     if (epoll_clock.Now() - request_start_time >= request_timeout) {
       QUIC_LOG(ERROR) << "Timed out waiting for HTTP response";
-      return features;
+      request_timed_out = true;
+      break;
     }
   }
 
-  QuicConnection* connection = client->session()->connection();
   if (connection != nullptr) {
     QuicConnectionStats client_stats = connection->GetStats();
-    if (client_stats.retry_packet_processed) {
-      features.insert(Feature::kRetry);
-    }
     QuicSentPacketManager* sent_packet_manager =
         test::QuicConnectionPeer::GetSentPacketManager(connection);
     const bool received_forward_secure_ack =
@@ -133,13 +179,17 @@ std::set<Feature> AttemptRequest(QuicSocketAddress addr,
     }
   }
 
-  if (!client->connected()) {
+  if (request_timed_out || !client->connected()) {
     return features;
   }
 
   if (client->latest_response_code() != -1) {
     features.insert(Feature::kHttp3);
 
+    if (client->client_session()->dynamic_table_entry_referenced()) {
+      features.insert(Feature::kDynamicEntryReferenced);
+    }
+
     if (attempt_rebind) {
       // Now make a second request after switching to a different client port.
       if (client->ChangeEphemeralPort()) {
@@ -150,11 +200,19 @@ std::set<Feature> AttemptRequest(QuicSocketAddress addr,
           if (epoll_clock.Now() - second_request_start_time >=
               request_timeout) {
             // Rebinding does not work, retry without attempting it.
-            return AttemptRequest(addr, authority, server_id, versions,
-                                  /*attempt_rebind=*/false);
+            std::set<Feature> features_without_rebind = AttemptRequest(
+                addr, authority, server_id, test_version_negotiation,
+                /*attempt_rebind=*/false);
+            features.insert(features_without_rebind.begin(),
+                            features_without_rebind.end());
+            return features;
           }
         }
         features.insert(Feature::kRebinding);
+
+        if (client->client_session()->dynamic_table_entry_referenced()) {
+          features.insert(Feature::kDynamicEntryReferenced);
+        }
       } else {
         QUIC_LOG(ERROR) << "Failed to change ephemeral port";
       }
@@ -170,6 +228,7 @@ std::set<Feature> AttemptRequest(QuicSocketAddress addr,
       client->epoll_network_helper()->RunEventLoop();
       if (epoll_clock.Now() - close_start_time >= close_timeout) {
         QUIC_LOG(ERROR) << "Timed out waiting for connection close";
+        AttemptResumption(client.get(), &features);
         return features;
       }
     }
@@ -183,35 +242,27 @@ std::set<Feature> AttemptRequest(QuicSocketAddress addr,
     }
   }
 
+  AttemptResumption(client.get(), &features);
   return features;
 }
 
 std::set<Feature> ServerSupport(std::string host, int port) {
-  // Configure version list.
+  // Enable IETF version support.
   QuicVersionInitializeSupportForIetfDraft();
-  ParsedQuicVersion version =
-      ParsedQuicVersion(PROTOCOL_TLS1_3, QUIC_VERSION_99);
-  ParsedQuicVersionVector versions = {version};
-  QuicEnableVersion(version);
+  QuicEnableVersion(ParsedQuicVersion(PROTOCOL_TLS1_3, QUIC_VERSION_99));
 
   // Build the client, and try to connect.
   QuicSocketAddress addr = tools::LookupAddress(host, QuicStrCat(port));
+  if (!addr.IsInitialized()) {
+    QUIC_LOG(ERROR) << "Failed to resolve " << host;
+    return std::set<Feature>();
+  }
   QuicServerId server_id(host, port, false);
   std::string authority = QuicStrCat(host, ":", port);
 
-  ParsedQuicVersionVector versions_with_negotiation = versions;
-  versions_with_negotiation.insert(versions_with_negotiation.begin(),
-                                   QuicVersionReservedForNegotiation());
-  auto supported_features =
-      AttemptRequest(addr, authority, server_id, versions_with_negotiation,
-                     /*attempt_rebind=*/true);
-  if (!supported_features.empty()) {
-    supported_features.insert(Feature::kVersionNegotiation);
-  } else {
-    supported_features = AttemptRequest(addr, authority, server_id, versions,
-                                        /*attempt_rebind=*/true);
-  }
-  return supported_features;
+  return AttemptRequest(addr, authority, server_id,
+                        /*test_version_negotiation=*/true,
+                        /*attempt_rebind=*/true);
 }
 
 }  // namespace quic
diff --git a/chromium/net/third_party/quiche/src/quic/tools/quic_memory_cache_backend.cc b/chromium/net/third_party/quiche/src/quic/tools/quic_memory_cache_backend.cc
index 6452d22c5ed..38d25e53734 100644
--- a/chromium/net/third_party/quiche/src/quic/tools/quic_memory_cache_backend.cc
+++ b/chromium/net/third_party/quiche/src/quic/tools/quic_memory_cache_backend.cc
@@ -289,7 +289,6 @@ void QuicMemoryCacheBackend::GenerateDynamicResponses() {
   QuicWriterMutexLock lock(&response_mutex_);
   // Add a generate bytes response.
   spdy::SpdyHeaderBlock response_headers;
-  response_headers[":version"] = "HTTP/1.1";
   response_headers[":status"] = "200";
   generate_bytes_response_ = std::make_unique<QuicBackendResponse>();
   generate_bytes_response_->set_headers(std::move(response_headers));
diff --git a/chromium/net/third_party/quiche/src/quic/tools/quic_memory_cache_backend.h b/chromium/net/third_party/quiche/src/quic/tools/quic_memory_cache_backend.h
index e0ff400f410..f88d458e965 100644
--- a/chromium/net/third_party/quiche/src/quic/tools/quic_memory_cache_backend.h
+++ b/chromium/net/third_party/quiche/src/quic/tools/quic_memory_cache_backend.h
@@ -134,9 +134,6 @@ class QuicMemoryCacheBackend : public QuicSimpleServerBackend {
   // 'response'.
   void AddDefaultResponse(QuicBackendResponse* response);
 
-  // |cache_cirectory| can be generated using `wget -p --save-headers <url>`.
-  void InitializeFromDirectory(const std::string& cache_directory);
-
   // Once called, URLs which have a numeric path will send a dynamically
   // generated response of that many bytes.
   void GenerateDynamicResponses();
diff --git a/chromium/net/third_party/quiche/src/quic/tools/quic_memory_cache_backend_test.cc b/chromium/net/third_party/quiche/src/quic/tools/quic_memory_cache_backend_test.cc
index 80b1b293206..01ac334d1dd 100644
--- a/chromium/net/third_party/quiche/src/quic/tools/quic_memory_cache_backend_test.cc
+++ b/chromium/net/third_party/quiche/src/quic/tools/quic_memory_cache_backend_test.cc
@@ -59,7 +59,6 @@ TEST_F(QuicMemoryCacheBackendTest, AddResponse) {
   const std::string kResponseBody("hello response");
 
   spdy::SpdyHeaderBlock response_headers;
-  response_headers[":version"] = "HTTP/1.1";
   response_headers[":status"] = "200";
   response_headers["content-length"] =
       QuicTextUtils::Uint64ToString(kResponseBody.size());
@@ -123,7 +122,6 @@ TEST_F(QuicMemoryCacheBackendTest, DefaultResponse) {
 
   // Add a default response.
   spdy::SpdyHeaderBlock response_headers;
-  response_headers[":version"] = "HTTP/1.1";
   response_headers[":status"] = "200";
   response_headers["content-length"] = "0";
   Response* default_response = new Response;
@@ -164,7 +162,6 @@ TEST_F(QuicMemoryCacheBackendTest, AddSimpleResponseWithServerPushResources) {
     std::string body =
         QuicStrCat("This is server push response body for ", path);
     spdy::SpdyHeaderBlock response_headers;
-    response_headers[":version"] = "HTTP/1.1";
     response_headers[":status"] = "200";
     response_headers["content-length"] =
         QuicTextUtils::Uint64ToString(body.size());
@@ -203,7 +200,6 @@ TEST_F(QuicMemoryCacheBackendTest, GetServerPushResourcesAndPushResponses) {
     QuicUrl resource_url(url);
     std::string body = "This is server push response body for " + path;
     spdy::SpdyHeaderBlock response_headers;
-    response_headers[":version"] = "HTTP/1.1";
     response_headers[":status"] = push_response_status[i];
     response_headers["content-length"] =
         QuicTextUtils::Uint64ToString(body.size());
diff --git a/chromium/net/third_party/quiche/src/quic/tools/quic_server.cc b/chromium/net/third_party/quiche/src/quic/tools/quic_server.cc
index 294dbc50ee7..04cc9508aad 100644
--- a/chromium/net/third_party/quiche/src/quic/tools/quic_server.cc
+++ b/chromium/net/third_party/quiche/src/quic/tools/quic_server.cc
@@ -218,8 +218,6 @@ void QuicServer::OnEvent(int fd, QuicEpollEvent* event) {
       event->out_ready_mask |= EPOLLOUT;
     }
   }
-  if (event->in_events & EPOLLERR) {
-  }
 }
 
 }  // namespace quic
diff --git a/chromium/net/third_party/quiche/src/quic/tools/quic_simple_client_stream.cc b/chromium/net/third_party/quiche/src/quic/tools/quic_simple_client_stream.cc
index a627007972c..b851a1d7eb0 100644
--- a/chromium/net/third_party/quiche/src/quic/tools/quic_simple_client_stream.cc
+++ b/chromium/net/third_party/quiche/src/quic/tools/quic_simple_client_stream.cc
@@ -26,8 +26,4 @@ void QuicSimpleClientStream::OnBodyAvailable() {
   }
 }
 
-void QuicSimpleClientStream::OnStopSending(uint16_t code) {
-  last_stop_sending_code_ = code;
-}
-
 }  // namespace quic
diff --git a/chromium/net/third_party/quiche/src/quic/tools/quic_simple_client_stream.h b/chromium/net/third_party/quiche/src/quic/tools/quic_simple_client_stream.h
index f1eb653bea4..aa6d2f6fe44 100644
--- a/chromium/net/third_party/quiche/src/quic/tools/quic_simple_client_stream.h
+++ b/chromium/net/third_party/quiche/src/quic/tools/quic_simple_client_stream.h
@@ -16,17 +16,11 @@ class QuicSimpleClientStream : public QuicSpdyClientStream {
                          StreamType type,
                          bool drop_response_body)
       : QuicSpdyClientStream(id, session, type),
-        drop_response_body_(drop_response_body),
-        last_stop_sending_code_(0) {}
+        drop_response_body_(drop_response_body) {}
   void OnBodyAvailable() override;
-  void OnStopSending(uint16_t code) override;
 
-  uint16_t last_stop_sending_code() { return last_stop_sending_code_; }
  private:
   const bool drop_response_body_;
-  // Application code value that was in the most recently received
-  // STOP_SENDING frame for this stream.
-  uint16_t last_stop_sending_code_;
 };
 
 }  // namespace quic
diff --git a/chromium/net/third_party/quiche/src/quic/tools/quic_simple_server_session_test.cc b/chromium/net/third_party/quiche/src/quic/tools/quic_simple_server_session_test.cc
index a4bab0f5380..a548c6c906a 100644
--- a/chromium/net/third_party/quiche/src/quic/tools/quic_simple_server_session_test.cc
+++ b/chromium/net/third_party/quiche/src/quic/tools/quic_simple_server_session_test.cc
@@ -10,10 +10,12 @@
 
 #include "net/third_party/quiche/src/quic/core/crypto/quic_crypto_server_config.h"
 #include "net/third_party/quiche/src/quic/core/crypto/quic_random.h"
+#include "net/third_party/quiche/src/quic/core/http/http_encoder.h"
 #include "net/third_party/quiche/src/quic/core/proto/cached_network_parameters_proto.h"
 #include "net/third_party/quiche/src/quic/core/quic_connection.h"
 #include "net/third_party/quiche/src/quic/core/quic_crypto_server_stream.h"
 #include "net/third_party/quiche/src/quic/core/quic_utils.h"
+#include "net/third_party/quiche/src/quic/core/quic_versions.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_containers.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_expect_bug.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_flags.h"
@@ -228,9 +230,10 @@ class QuicSimpleServerSessionTest
         QuicRandom::GetInstance(), &clock,
         QuicCryptoServerConfig::ConfigOptions());
     session_->Initialize();
-    QuicSessionPeer::GetMutableCryptoStream(session_.get())
-        ->OnSuccessfulVersionNegotiation(supported_versions.front());
-    visitor_ = QuicConnectionPeer::GetVisitor(connection_);
+    if (!GetQuicReloadableFlag(quic_version_negotiated_by_default_at_server)) {
+      QuicSessionPeer::GetMutableCryptoStream(session_.get())
+          ->OnSuccessfulVersionNegotiation(supported_versions.front());
+    }
 
     if (VersionHasIetfQuicFrames(transport_version())) {
       EXPECT_CALL(*connection_, SendControlFrame(_))
@@ -284,12 +287,12 @@ class QuicSimpleServerSessionTest
   QuicMemoryCacheBackend memory_cache_backend_;
   std::unique_ptr<MockQuicSimpleServerSession> session_;
   std::unique_ptr<CryptoHandshakeMessage> handshake_message_;
-  QuicConnectionVisitorInterface* visitor_;
 };
 
 INSTANTIATE_TEST_SUITE_P(Tests,
                          QuicSimpleServerSessionTest,
-                         ::testing::ValuesIn(AllSupportedVersions()));
+                         ::testing::ValuesIn(AllSupportedVersions()),
+                         ::testing::PrintToStringParamName());
 
 TEST_P(QuicSimpleServerSessionTest, CloseStreamDueToReset) {
   // Open a stream, then reset it.
@@ -311,7 +314,7 @@ TEST_P(QuicSimpleServerSessionTest, CloseStreamDueToReset) {
                 OnStreamReset(GetNthClientInitiatedBidirectionalId(0),
                               QUIC_RST_ACKNOWLEDGEMENT));
   }
-  visitor_->OnRstStream(rst1);
+  session_->OnRstStream(rst1);
   // Create and inject a STOP_SENDING frame. In GOOGLE QUIC, receiving a
   // RST_STREAM frame causes a two-way close. For IETF QUIC, RST_STREAM causes
   // a one-way close.
@@ -320,7 +323,7 @@ TEST_P(QuicSimpleServerSessionTest, CloseStreamDueToReset) {
   EXPECT_EQ(0u, session_->GetNumOpenIncomingStreams());
 
   // Send the same two bytes of payload in a new packet.
-  visitor_->OnStreamFrame(data1);
+  session_->OnStreamFrame(data1);
 
   // The stream should not be re-opened.
   EXPECT_EQ(0u, session_->GetNumOpenIncomingStreams());
@@ -340,7 +343,7 @@ TEST_P(QuicSimpleServerSessionTest, NeverOpenStreamDueToReset) {
                 OnStreamReset(GetNthClientInitiatedBidirectionalId(0),
                               QUIC_RST_ACKNOWLEDGEMENT));
   }
-  visitor_->OnRstStream(rst1);
+  session_->OnRstStream(rst1);
   // Create and inject a STOP_SENDING frame. In GOOGLE QUIC, receiving a
   // RST_STREAM frame causes a two-way close. For IETF QUIC, RST_STREAM causes
   // a one-way close.
@@ -352,7 +355,7 @@ TEST_P(QuicSimpleServerSessionTest, NeverOpenStreamDueToReset) {
   // Send two bytes of payload.
   QuicStreamFrame data1(GetNthClientInitiatedBidirectionalId(0), false, 0,
                         QuicStringPiece("HT"));
-  visitor_->OnStreamFrame(data1);
+  session_->OnStreamFrame(data1);
 
   // The stream should never be opened, now that the reset is received.
   EXPECT_EQ(0u, session_->GetNumOpenIncomingStreams());
@@ -365,8 +368,8 @@ TEST_P(QuicSimpleServerSessionTest, AcceptClosedStream) {
                          QuicStringPiece("\1\0\0\0\0\0\0\0HT"));
   QuicStreamFrame frame2(GetNthClientInitiatedBidirectionalId(1), false, 0,
                          QuicStringPiece("\2\0\0\0\0\0\0\0HT"));
-  visitor_->OnStreamFrame(frame1);
-  visitor_->OnStreamFrame(frame2);
+  session_->OnStreamFrame(frame1);
+  session_->OnStreamFrame(frame2);
   EXPECT_EQ(2u, session_->GetNumOpenIncomingStreams());
 
   // Send a reset (and expect the peer to send a RST in response).
@@ -381,7 +384,7 @@ TEST_P(QuicSimpleServerSessionTest, AcceptClosedStream) {
                 OnStreamReset(GetNthClientInitiatedBidirectionalId(0),
                               QUIC_RST_ACKNOWLEDGEMENT));
   }
-  visitor_->OnRstStream(rst);
+  session_->OnRstStream(rst);
   // Create and inject a STOP_SENDING frame. In GOOGLE QUIC, receiving a
   // RST_STREAM frame causes a two-way close. For IETF QUIC, RST_STREAM causes
   // a one-way close.
@@ -395,8 +398,8 @@ TEST_P(QuicSimpleServerSessionTest, AcceptClosedStream) {
                          QuicStringPiece("TP"));
   QuicStreamFrame frame4(GetNthClientInitiatedBidirectionalId(1), false, 2,
                          QuicStringPiece("TP"));
-  visitor_->OnStreamFrame(frame3);
-  visitor_->OnStreamFrame(frame4);
+  session_->OnStreamFrame(frame3);
+  session_->OnStreamFrame(frame4);
   // The stream should never be opened, now that the reset is received.
   EXPECT_EQ(1u, session_->GetNumOpenIncomingStreams());
   EXPECT_TRUE(connection_->connected());
@@ -589,8 +592,10 @@ class QuicSimpleServerSessionServerPushTest
         config_, connection_, &owner_, &stream_helper_, &crypto_config_,
         &compressed_certs_cache_, &memory_cache_backend_);
     session_->Initialize();
-    QuicSessionPeer::GetMutableCryptoStream(session_.get())
-        ->OnSuccessfulVersionNegotiation(supported_versions.front());
+    if (!GetQuicReloadableFlag(quic_version_negotiated_by_default_at_server)) {
+      QuicSessionPeer::GetMutableCryptoStream(session_.get())
+          ->OnSuccessfulVersionNegotiation(supported_versions.front());
+    }
     // Needed to make new session flow control window and server push work.
 
     if (VersionHasIetfQuicFrames(transport_version())) {
@@ -600,8 +605,6 @@ class QuicSimpleServerSessionServerPushTest
     }
     session_->OnConfigNegotiated();
 
-    visitor_ = QuicConnectionPeer::GetVisitor(connection_);
-
     if (!VersionUsesHttp3(connection_->transport_version())) {
       session_->UnregisterStreamPriority(
           QuicUtils::GetHeadersStreamId(connection_->transport_version()),
@@ -657,10 +660,9 @@ class QuicSimpleServerSessionServerPushTest
       std::string data;
       data_frame_header_length = 0;
       if (VersionUsesHttp3(connection_->transport_version())) {
-        HttpEncoder encoder;
         std::unique_ptr<char[]> buffer;
         data_frame_header_length =
-            encoder.SerializeDataFrameHeader(body.length(), &buffer);
+            HttpEncoder::SerializeDataFrameHeader(body.length(), &buffer);
         std::string header(buffer.get(), data_frame_header_length);
         data = header + body;
       } else {
@@ -813,6 +815,12 @@ TEST_P(QuicSimpleServerSessionServerPushTest,
 // prevent a promised resource to be send out.
 TEST_P(QuicSimpleServerSessionServerPushTest,
        ResetPromisedStreamToCancelServerPush) {
+  if (VersionHasIetfQuicFrames(transport_version())) {
+    // This test is resetting a stream that is not opened yet. IETF QUIC has no
+    // way to handle this. Some similar tests can be added once CANCEL_PUSH is
+    // supported.
+    return;
+  }
   MaybeConsumeHeadersStreamData();
   session_->SetMaxAllowedPushId(kMaxQuicStreamId);
 
@@ -844,7 +852,7 @@ TEST_P(QuicSimpleServerSessionServerPushTest,
       .WillOnce(Invoke(&ClearControlFrame));
   EXPECT_CALL(*connection_,
               OnStreamReset(stream_got_reset, QUIC_RST_ACKNOWLEDGEMENT));
-  visitor_->OnRstStream(rst);
+  session_->OnRstStream(rst);
 
   // When the first 2 streams becomes draining, the two queued up stream could
   // be created. But since one of them was marked cancelled due to RST frame,
@@ -863,8 +871,6 @@ TEST_P(QuicSimpleServerSessionServerPushTest,
     EXPECT_CALL(*connection_,
                 SendStreamData(stream_not_reset, 1, offset, NO_FIN));
     offset++;
-  }
-  if (VersionUsesHttp3(connection_->transport_version())) {
     EXPECT_CALL(*connection_,
                 SendStreamData(stream_not_reset, kHeadersFrameHeaderLength,
                                offset, NO_FIN));
@@ -873,8 +879,6 @@ TEST_P(QuicSimpleServerSessionServerPushTest,
                 SendStreamData(stream_not_reset, kHeadersFramePayloadLength,
                                offset, NO_FIN));
     offset += kHeadersFramePayloadLength;
-  }
-  if (VersionUsesHttp3(connection_->transport_version())) {
     EXPECT_CALL(*connection_,
                 SendStreamData(stream_not_reset, data_frame_header_length,
                                offset, NO_FIN));
@@ -924,9 +928,9 @@ TEST_P(QuicSimpleServerSessionServerPushTest,
   // Resetting an open stream will close the stream and give space for extra
   // stream to be opened.
   QuicStreamId stream_got_reset = GetNthServerInitiatedUnidirectionalId(3);
-  EXPECT_CALL(owner_, OnRstStreamReceived(_)).Times(1);
   EXPECT_CALL(*connection_, SendControlFrame(_));
   if (!VersionHasIetfQuicFrames(transport_version())) {
+    EXPECT_CALL(owner_, OnRstStreamReceived(_)).Times(1);
     // For version 99, this is covered in InjectStopSending()
     EXPECT_CALL(*connection_,
                 OnStreamReset(stream_got_reset, QUIC_RST_ACKNOWLEDGEMENT));
@@ -936,8 +940,6 @@ TEST_P(QuicSimpleServerSessionServerPushTest,
     EXPECT_CALL(*connection_,
                 SendStreamData(stream_to_open, 1, offset, NO_FIN));
     offset++;
-  }
-  if (VersionUsesHttp3(connection_->transport_version())) {
     EXPECT_CALL(*connection_,
                 SendStreamData(stream_to_open, kHeadersFrameHeaderLength,
                                offset, NO_FIN));
@@ -946,8 +948,6 @@ TEST_P(QuicSimpleServerSessionServerPushTest,
                 SendStreamData(stream_to_open, kHeadersFramePayloadLength,
                                offset, NO_FIN));
     offset += kHeadersFramePayloadLength;
-  }
-  if (VersionUsesHttp3(connection_->transport_version())) {
     EXPECT_CALL(*connection_,
                 SendStreamData(stream_to_open, data_frame_header_length, offset,
                                NO_FIN));
@@ -968,8 +968,9 @@ TEST_P(QuicSimpleServerSessionServerPushTest,
     // available as it closes/etc them.
     session_->OnMaxStreamsFrame(
         QuicMaxStreamsFrame(0, num_resources + 3, /*unidirectional=*/true));
+  } else {
+    session_->OnRstStream(rst);
   }
-  visitor_->OnRstStream(rst);
   // Create and inject a STOP_SENDING frame. In GOOGLE QUIC, receiving a
   // RST_STREAM frame causes a two-way close. For IETF QUIC, RST_STREAM causes
   // a one-way close.
diff --git a/chromium/net/third_party/quiche/src/quic/tools/quic_simple_server_stream_test.cc b/chromium/net/third_party/quiche/src/quic/tools/quic_simple_server_stream_test.cc
index 783dba0c55c..50ca84fd188 100644
--- a/chromium/net/third_party/quiche/src/quic/tools/quic_simple_server_stream_test.cc
+++ b/chromium/net/third_party/quiche/src/quic/tools/quic_simple_server_stream_test.cc
@@ -8,6 +8,7 @@
 #include <memory>
 #include <utility>
 
+#include "net/third_party/quiche/src/quic/core/http/http_encoder.h"
 #include "net/third_party/quiche/src/quic/core/http/spdy_utils.h"
 #include "net/third_party/quiche/src/quic/core/quic_utils.h"
 #include "net/third_party/quiche/src/quic/platform/api/quic_arraysize.h"
@@ -192,7 +193,6 @@ class QuicSimpleServerStreamTest : public QuicTestWithParam<ParsedQuicVersion> {
     header_list_.OnHeader(":authority", "www.google.com");
     header_list_.OnHeader(":path", "/");
     header_list_.OnHeader(":method", "POST");
-    header_list_.OnHeader(":version", "HTTP/1.1");
     header_list_.OnHeader("content-length", "11");
 
     header_list_.OnHeaderBlockEnd(128, 128);
@@ -248,7 +248,6 @@ class QuicSimpleServerStreamTest : public QuicTestWithParam<ParsedQuicVersion> {
   std::unique_ptr<QuicBackendResponse> quic_response_;
   std::string body_;
   QuicHeaderList header_list_;
-  HttpEncoder encoder_;
 };
 
 INSTANTIATE_TEST_SUITE_P(Tests,
@@ -262,7 +261,7 @@ TEST_P(QuicSimpleServerStreamTest, TestFraming) {
   stream_->OnStreamHeaderList(false, kFakeFrameLen, header_list_);
   std::unique_ptr<char[]> buffer;
   QuicByteCount header_length =
-      encoder_.SerializeDataFrameHeader(body_.length(), &buffer);
+      HttpEncoder::SerializeDataFrameHeader(body_.length(), &buffer);
   std::string header = std::string(buffer.get(), header_length);
   std::string data = UsesHttp3() ? header + body_ : body_;
   stream_->OnStreamFrame(
@@ -280,7 +279,7 @@ TEST_P(QuicSimpleServerStreamTest, TestFramingOnePacket) {
   stream_->OnStreamHeaderList(false, kFakeFrameLen, header_list_);
   std::unique_ptr<char[]> buffer;
   QuicByteCount header_length =
-      encoder_.SerializeDataFrameHeader(body_.length(), &buffer);
+      HttpEncoder::SerializeDataFrameHeader(body_.length(), &buffer);
   std::string header = std::string(buffer.get(), header_length);
   std::string data = UsesHttp3() ? header + body_ : body_;
   stream_->OnStreamFrame(
@@ -321,7 +320,7 @@ TEST_P(QuicSimpleServerStreamTest, TestFramingExtraData) {
   stream_->OnStreamHeaderList(false, kFakeFrameLen, header_list_);
   std::unique_ptr<char[]> buffer;
   QuicByteCount header_length =
-      encoder_.SerializeDataFrameHeader(body_.length(), &buffer);
+      HttpEncoder::SerializeDataFrameHeader(body_.length(), &buffer);
   std::string header = std::string(buffer.get(), header_length);
   std::string data = UsesHttp3() ? header + body_ : body_;
 
@@ -330,7 +329,7 @@ TEST_P(QuicSimpleServerStreamTest, TestFramingExtraData) {
   // Content length is still 11.  This will register as an error and we won't
   // accept the bytes.
   header_length =
-      encoder_.SerializeDataFrameHeader(large_body.length(), &buffer);
+      HttpEncoder::SerializeDataFrameHeader(large_body.length(), &buffer);
   header = std::string(buffer.get(), header_length);
   std::string data2 = UsesHttp3() ? header + large_body : large_body;
   stream_->OnStreamFrame(
@@ -345,17 +344,15 @@ TEST_P(QuicSimpleServerStreamTest, SendResponseWithIllegalResponseStatus) {
   spdy::SpdyHeaderBlock* request_headers = stream_->mutable_headers();
   (*request_headers)[":path"] = "/bar";
   (*request_headers)[":authority"] = "www.google.com";
-  (*request_headers)[":version"] = "HTTP/1.1";
   (*request_headers)[":method"] = "GET";
 
-  response_headers_[":version"] = "HTTP/1.1";
   // HTTP/2 only supports integer responsecode, so "200 OK" is illegal.
   response_headers_[":status"] = "200 OK";
   response_headers_["content-length"] = "5";
   std::string body = "Yummm";
   std::unique_ptr<char[]> buffer;
   QuicByteCount header_length =
-      encoder_.SerializeDataFrameHeader(body.length(), &buffer);
+      HttpEncoder::SerializeDataFrameHeader(body.length(), &buffer);
 
   memory_cache_backend_.AddResponse("www.google.com", "/bar",
                                     std::move(response_headers_), body);
@@ -379,10 +376,8 @@ TEST_P(QuicSimpleServerStreamTest, SendResponseWithIllegalResponseStatus2) {
   spdy::SpdyHeaderBlock* request_headers = stream_->mutable_headers();
   (*request_headers)[":path"] = "/bar";
   (*request_headers)[":authority"] = "www.google.com";
-  (*request_headers)[":version"] = "HTTP/1.1";
   (*request_headers)[":method"] = "GET";
 
-  response_headers_[":version"] = "HTTP/1.1";
   // HTTP/2 only supports 3-digit-integer, so "+200" is illegal.
   response_headers_[":status"] = "+200";
   response_headers_["content-length"] = "5";
@@ -390,7 +385,7 @@ TEST_P(QuicSimpleServerStreamTest, SendResponseWithIllegalResponseStatus2) {
 
   std::unique_ptr<char[]> buffer;
   QuicByteCount header_length =
-      encoder_.SerializeDataFrameHeader(body.length(), &buffer);
+      HttpEncoder::SerializeDataFrameHeader(body.length(), &buffer);
 
   memory_cache_backend_.AddResponse("www.google.com", "/bar",
                                     std::move(response_headers_), body);
@@ -422,10 +417,8 @@ TEST_P(QuicSimpleServerStreamTest, SendPushResponseWith404Response) {
   spdy::SpdyHeaderBlock* request_headers = promised_stream->mutable_headers();
   (*request_headers)[":path"] = "/bar";
   (*request_headers)[":authority"] = "www.google.com";
-  (*request_headers)[":version"] = "HTTP/1.1";
   (*request_headers)[":method"] = "GET";
 
-  response_headers_[":version"] = "HTTP/1.1";
   response_headers_[":status"] = "404";
   response_headers_["content-length"] = "8";
   std::string body = "NotFound";
@@ -445,17 +438,15 @@ TEST_P(QuicSimpleServerStreamTest, SendResponseWithValidHeaders) {
   spdy::SpdyHeaderBlock* request_headers = stream_->mutable_headers();
   (*request_headers)[":path"] = "/bar";
   (*request_headers)[":authority"] = "www.google.com";
-  (*request_headers)[":version"] = "HTTP/1.1";
   (*request_headers)[":method"] = "GET";
 
-  response_headers_[":version"] = "HTTP/1.1";
   response_headers_[":status"] = "200";
   response_headers_["content-length"] = "5";
   std::string body = "Yummm";
 
   std::unique_ptr<char[]> buffer;
   QuicByteCount header_length =
-      encoder_.SerializeDataFrameHeader(body.length(), &buffer);
+      HttpEncoder::SerializeDataFrameHeader(body.length(), &buffer);
 
   memory_cache_backend_.AddResponse("www.google.com", "/bar",
                                     std::move(response_headers_), body);
@@ -483,7 +474,7 @@ TEST_P(QuicSimpleServerStreamTest, SendResponseWithPushResources) {
   std::string body = "Yummm";
   std::unique_ptr<char[]> buffer;
   QuicByteCount header_length =
-      encoder_.SerializeDataFrameHeader(body.length(), &buffer);
+      HttpEncoder::SerializeDataFrameHeader(body.length(), &buffer);
   QuicBackendResponse::ServerPushInfo push_info(
       QuicUrl(host, "/bar"), spdy::SpdyHeaderBlock(),
       QuicStream::kDefaultPriority, "Push body");
@@ -495,7 +486,6 @@ TEST_P(QuicSimpleServerStreamTest, SendResponseWithPushResources) {
   spdy::SpdyHeaderBlock* request_headers = stream_->mutable_headers();
   (*request_headers)[":path"] = request_path;
   (*request_headers)[":authority"] = host;
-  (*request_headers)[":version"] = "HTTP/1.1";
   (*request_headers)[":method"] = "GET";
 
   stream_->set_fin_received(true);
@@ -546,16 +536,14 @@ TEST_P(QuicSimpleServerStreamTest, PushResponseOnServerInitiatedStream) {
   spdy::SpdyHeaderBlock headers;
   headers[":path"] = kPath;
   headers[":authority"] = kHost;
-  headers[":version"] = "HTTP/1.1";
   headers[":method"] = "GET";
 
-  response_headers_[":version"] = "HTTP/1.1";
   response_headers_[":status"] = "200";
   response_headers_["content-length"] = "5";
   const std::string kBody = "Hello";
   std::unique_ptr<char[]> buffer;
   QuicByteCount header_length =
-      encoder_.SerializeDataFrameHeader(kBody.length(), &buffer);
+      HttpEncoder::SerializeDataFrameHeader(kBody.length(), &buffer);
   memory_cache_backend_.AddResponse(kHost, kPath, std::move(response_headers_),
                                     kBody);
 
@@ -645,6 +633,16 @@ TEST_P(QuicSimpleServerStreamTest,
   EXPECT_FALSE(stream_->reading_stopped());
 
   EXPECT_CALL(session_, SendRstStream(_, QUIC_STREAM_NO_ERROR, _)).Times(0);
+  if (VersionUsesHttp3(connection_->transport_version())) {
+    // Unidirectional stream type and then a Stream Cancellation instruction is
+    // sent on the QPACK decoder stream.  Ignore these writes without any
+    // assumption on their number or size.
+    auto* qpack_decoder_stream =
+        QuicSpdySessionPeer::GetQpackDecoderSendStream(&session_);
+    EXPECT_CALL(session_, WritevData(qpack_decoder_stream,
+                                     qpack_decoder_stream->id(), _, _, _))
+        .Times(AnyNumber());
+  }
   EXPECT_CALL(session_, SendRstStream(_, QUIC_RST_ACKNOWLEDGEMENT, _)).Times(1);
   QuicRstStreamFrame rst_frame(kInvalidControlFrameId, stream_->id(),
                                QUIC_STREAM_CANCELLED, 1234);
diff --git a/chromium/net/third_party/quiche/src/quic/tools/quic_spdy_client_base.cc b/chromium/net/third_party/quiche/src/quic/tools/quic_spdy_client_base.cc
index 3cd4cbdf4cf..6b4cc8d042f 100644
--- a/chromium/net/third_party/quiche/src/quic/tools/quic_spdy_client_base.cc
+++ b/chromium/net/third_party/quiche/src/quic/tools/quic_spdy_client_base.cc
@@ -37,14 +37,16 @@ QuicSpdyClientBase::QuicSpdyClientBase(
     QuicConnectionHelperInterface* helper,
     QuicAlarmFactory* alarm_factory,
     std::unique_ptr<NetworkHelper> network_helper,
-    std::unique_ptr<ProofVerifier> proof_verifier)
+    std::unique_ptr<ProofVerifier> proof_verifier,
+    std::unique_ptr<SessionCache> session_cache)
     : QuicClientBase(server_id,
                      supported_versions,
                      config,
                      helper,
                      alarm_factory,
                      std::move(network_helper),
-                     std::move(proof_verifier)),
+                     std::move(proof_verifier),
+                     std::move(session_cache)),
       store_response_(false),
       latest_response_code_(-1),
       max_allowed_push_id_(0),
diff --git a/chromium/net/third_party/quiche/src/quic/tools/quic_spdy_client_base.h b/chromium/net/third_party/quiche/src/quic/tools/quic_spdy_client_base.h
index 2a1267fa8be..d95303855c4 100644
--- a/chromium/net/third_party/quiche/src/quic/tools/quic_spdy_client_base.h
+++ b/chromium/net/third_party/quiche/src/quic/tools/quic_spdy_client_base.h
@@ -23,6 +23,7 @@ namespace quic {
 
 class ProofVerifier;
 class QuicServerId;
+class SessionCache;
 
 class QuicSpdyClientBase : public QuicClientBase,
                            public QuicClientPushPromiseIndex::Delegate,
@@ -69,7 +70,8 @@ class QuicSpdyClientBase : public QuicClientBase,
                      QuicConnectionHelperInterface* helper,
                      QuicAlarmFactory* alarm_factory,
                      std::unique_ptr<NetworkHelper> network_helper,
-                     std::unique_ptr<ProofVerifier> proof_verifier);
+                     std::unique_ptr<ProofVerifier> proof_verifier,
+                     std::unique_ptr<SessionCache> session_cache);
   QuicSpdyClientBase(const QuicSpdyClientBase&) = delete;
   QuicSpdyClientBase& operator=(const QuicSpdyClientBase&) = delete;
 
diff --git a/chromium/net/third_party/quiche/src/quic/tools/quic_toy_client.cc b/chromium/net/third_party/quiche/src/quic/tools/quic_toy_client.cc
index eee4e6132d7..41597359280 100644
--- a/chromium/net/third_party/quiche/src/quic/tools/quic_toy_client.cc
+++ b/chromium/net/third_party/quiche/src/quic/tools/quic_toy_client.cc
@@ -63,7 +63,6 @@
 
 namespace {
 
-using quic::QuicSocketAddress;
 using quic::QuicStringPiece;
 using quic::QuicTextUtils;
 using quic::QuicUrl;
@@ -237,10 +236,6 @@ int QuicToyClient::SendRequestsAndPrintResponses(
     std::cerr << "Failed to initialize client." << std::endl;
     return 1;
   }
-  client->client_session()->set_qpack_maximum_dynamic_table_capacity(
-      kDefaultQpackMaxDynamicTableCapacity);
-  client->client_session()->set_qpack_maximum_blocked_streams(
-      kDefaultMaximumBlockedStreams);
   if (!client->Connect()) {
     quic::QuicErrorCode error = client->session()->error();
     if (error == quic::QUIC_INVALID_VERSION) {
diff --git a/chromium/net/third_party/quiche/src/quic/tools/quic_toy_server.cc b/chromium/net/third_party/quiche/src/quic/tools/quic_toy_server.cc
index fdb1bb6ce78..390dcf6aa0c 100644
--- a/chromium/net/third_party/quiche/src/quic/tools/quic_toy_server.cc
+++ b/chromium/net/third_party/quiche/src/quic/tools/quic_toy_server.cc
@@ -62,12 +62,13 @@ int QuicToyServer::Start() {
   ParsedQuicVersionVector supported_versions;
   if (GetQuicFlag(FLAGS_quic_ietf_draft)) {
     QuicVersionInitializeSupportForIetfDraft();
-    ParsedQuicVersion version(PROTOCOL_TLS1_3, QUIC_VERSION_99);
-    QuicEnableVersion(version);
-    supported_versions = {version};
+    supported_versions = {ParsedQuicVersion(PROTOCOL_TLS1_3, QUIC_VERSION_99)};
   } else {
     supported_versions = AllSupportedVersions();
   }
+  for (const auto& version : supported_versions) {
+    QuicEnableVersion(version);
+  }
   auto proof_source = quic::CreateDefaultProofSource();
   auto backend = backend_factory_->CreateBackend();
   auto server = server_factory_->CreateServer(
diff --git a/chromium/net/third_party/quiche/src/quic/tools/quic_transport_simple_server_dispatcher.cc b/chromium/net/third_party/quiche/src/quic/tools/quic_transport_simple_server_dispatcher.cc
new file mode 100644
index 00000000000..9b1ea04cfe6
--- /dev/null
+++ b/chromium/net/third_party/quiche/src/quic/tools/quic_transport_simple_server_dispatcher.cc
@@ -0,0 +1,55 @@
+// Copyright (c) 2019 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "net/third_party/quiche/src/quic/tools/quic_transport_simple_server_dispatcher.h"
+
+#include <memory>
+
+#include "net/third_party/quiche/src/quic/core/quic_connection.h"
+#include "net/third_party/quiche/src/quic/core/quic_dispatcher.h"
+#include "net/third_party/quiche/src/quic/core/quic_types.h"
+#include "net/third_party/quiche/src/quic/core/quic_versions.h"
+#include "net/third_party/quiche/src/quic/tools/quic_transport_simple_server_session.h"
+
+namespace quic {
+
+QuicTransportSimpleServerDispatcher::QuicTransportSimpleServerDispatcher(
+    const QuicConfig* config,
+    const QuicCryptoServerConfig* crypto_config,
+    QuicVersionManager* version_manager,
+    std::unique_ptr<QuicConnectionHelperInterface> helper,
+    std::unique_ptr<QuicCryptoServerStream::Helper> session_helper,
+    std::unique_ptr<QuicAlarmFactory> alarm_factory,
+    uint8_t expected_server_connection_id_length,
+    QuicTransportSimpleServerSession::Mode mode,
+    std::vector<url::Origin> accepted_origins)
+    : QuicDispatcher(config,
+                     crypto_config,
+                     version_manager,
+                     std::move(helper),
+                     std::move(session_helper),
+                     std::move(alarm_factory),
+                     expected_server_connection_id_length),
+      mode_(mode),
+      accepted_origins_(accepted_origins) {}
+
+QuicSession* QuicTransportSimpleServerDispatcher::CreateQuicSession(
+    QuicConnectionId server_connection_id,
+    const QuicSocketAddress& peer_address,
+    QuicStringPiece /*alpn*/,
+    const ParsedQuicVersion& version) {
+  auto connection = std::make_unique<QuicConnection>(
+      server_connection_id, peer_address, helper(), alarm_factory(), writer(),
+      /*owns_writer=*/false, Perspective::IS_SERVER,
+      ParsedQuicVersionVector{version});
+  QuicTransportSimpleServerSession* session =
+      new QuicTransportSimpleServerSession(
+          connection.release(), /*owns_connection=*/true, this, config(),
+          GetSupportedVersions(), crypto_config(), compressed_certs_cache(),
+          mode_, accepted_origins_);
+  session->Initialize();
+  return session;
+}
+
+}  // namespace quic
diff --git a/chromium/net/third_party/quiche/src/quic/tools/quic_transport_simple_server_dispatcher.h b/chromium/net/third_party/quiche/src/quic/tools/quic_transport_simple_server_dispatcher.h
new file mode 100644
index 00000000000..ea4eb8bf8ef
--- /dev/null
+++ b/chromium/net/third_party/quiche/src/quic/tools/quic_transport_simple_server_dispatcher.h
@@ -0,0 +1,41 @@
+// Copyright (c) 2019 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef QUICHE_QUIC_TOOLS_QUIC_TRANSPORT_SIMPLE_SERVER_DISPATCHER_H_
+#define QUICHE_QUIC_TOOLS_QUIC_TRANSPORT_SIMPLE_SERVER_DISPATCHER_H_
+
+#include "url/origin.h"
+#include "net/third_party/quiche/src/quic/core/quic_dispatcher.h"
+#include "net/third_party/quiche/src/quic/tools/quic_transport_simple_server_session.h"
+
+namespace quic {
+
+// Dispatcher that creates a QuicTransportSimpleServerSession for every incoming
+// connection.
+class QuicTransportSimpleServerDispatcher : public QuicDispatcher {
+ public:
+  QuicTransportSimpleServerDispatcher(
+      const QuicConfig* config,
+      const QuicCryptoServerConfig* crypto_config,
+      QuicVersionManager* version_manager,
+      std::unique_ptr<QuicConnectionHelperInterface> helper,
+      std::unique_ptr<QuicCryptoServerStream::Helper> session_helper,
+      std::unique_ptr<QuicAlarmFactory> alarm_factory,
+      uint8_t expected_server_connection_id_length,
+      QuicTransportSimpleServerSession::Mode mode,
+      std::vector<url::Origin> accepted_origins);
+
+ protected:
+  QuicSession* CreateQuicSession(QuicConnectionId server_connection_id,
+                                 const QuicSocketAddress& peer_address,
+                                 QuicStringPiece alpn,
+                                 const ParsedQuicVersion& version) override;
+
+  QuicTransportSimpleServerSession::Mode mode_;
+  std::vector<url::Origin> accepted_origins_;
+};
+
+}  // namespace quic
+
+#endif  // QUICHE_QUIC_TOOLS_QUIC_TRANSPORT_SIMPLE_SERVER_DISPATCHER_H_
diff --git a/chromium/net/third_party/quiche/src/quic/tools/quic_transport_simple_server_session.cc b/chromium/net/third_party/quiche/src/quic/tools/quic_transport_simple_server_session.cc
new file mode 100644
index 00000000000..6e86ccab78d
--- /dev/null
+++ b/chromium/net/third_party/quiche/src/quic/tools/quic_transport_simple_server_session.cc
@@ -0,0 +1,226 @@
+// Copyright (c) 2019 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "net/third_party/quiche/src/quic/tools/quic_transport_simple_server_session.h"
+
+#include <memory>
+
+#include "url/gurl.h"
+#include "url/origin.h"
+#include "net/third_party/quiche/src/quic/core/quic_types.h"
+#include "net/third_party/quiche/src/quic/core/quic_versions.h"
+#include "net/third_party/quiche/src/quic/platform/api/quic_flags.h"
+#include "net/third_party/quiche/src/quic/platform/api/quic_logging.h"
+#include "net/third_party/quiche/src/quic/platform/api/quic_string_piece.h"
+#include "net/third_party/quiche/src/quic/platform/api/quic_text_utils.h"
+#include "net/third_party/quiche/src/quic/quic_transport/quic_transport_protocol.h"
+#include "net/third_party/quiche/src/quic/quic_transport/quic_transport_stream.h"
+
+namespace quic {
+
+namespace {
+
+// Discards any incoming data.
+class DiscardVisitor : public QuicTransportStream::Visitor {
+ public:
+  DiscardVisitor(QuicTransportStream* stream) : stream_(stream) {}
+
+  void OnCanRead() override {
+    std::string buffer;
+    size_t bytes_read = stream_->Read(&buffer);
+    QUIC_DVLOG(2) << "Read " << bytes_read << " bytes from stream "
+                  << stream_->id();
+  }
+
+  void OnFinRead() override {}
+  void OnCanWrite() override {}
+
+ private:
+  QuicTransportStream* stream_;
+};
+
+// Echoes any incoming data back on the same stream.
+class BidirectionalEchoVisitor : public QuicTransportStream::Visitor {
+ public:
+  BidirectionalEchoVisitor(QuicTransportStream* stream) : stream_(stream) {}
+
+  void OnCanRead() override {
+    stream_->Read(&buffer_);
+    OnCanWrite();
+  }
+
+  void OnFinRead() override {
+    bool success = stream_->SendFin();
+    DCHECK(success);
+  }
+
+  void OnCanWrite() override {
+    if (buffer_.empty()) {
+      return;
+    }
+
+    bool success = stream_->Write(buffer_);
+    if (success) {
+      buffer_ = "";
+    }
+  }
+
+ private:
+  QuicTransportStream* stream_;
+  std::string buffer_;
+};
+
+// Buffers all of the data and calls EchoStreamBack() on the parent session.
+class UnidirectionalEchoReadVisitor : public QuicTransportStream::Visitor {
+ public:
+  UnidirectionalEchoReadVisitor(QuicTransportSimpleServerSession* session,
+                                QuicTransportStream* stream)
+      : session_(session), stream_(stream) {}
+
+  void OnCanRead() override {
+    bool success = stream_->Read(&buffer_);
+    DCHECK(success);
+  }
+
+  void OnFinRead() override {
+    QUIC_DVLOG(1) << "Finished receiving data on stream " << stream_->id()
+                  << ", queueing up the echo";
+    session_->EchoStreamBack(buffer_);
+  }
+
+  void OnCanWrite() override { QUIC_NOTREACHED(); }
+
+ private:
+  QuicTransportSimpleServerSession* session_;
+  QuicTransportStream* stream_;
+  std::string buffer_;
+};
+
+// Sends supplied data.
+class UnidirectionalEchoWriteVisitor : public QuicTransportStream::Visitor {
+ public:
+  UnidirectionalEchoWriteVisitor(QuicTransportStream* stream,
+                                 const std::string& data)
+      : stream_(stream), data_(data) {}
+
+  void OnCanRead() override { QUIC_NOTREACHED(); }
+  void OnFinRead() override { QUIC_NOTREACHED(); }
+  void OnCanWrite() override {
+    if (data_.empty()) {
+      return;
+    }
+    if (!stream_->Write(data_)) {
+      return;
+    }
+    data_ = "";
+    bool fin_sent = stream_->SendFin();
+    DCHECK(fin_sent);
+  }
+
+ private:
+  QuicTransportStream* stream_;
+  std::string data_;
+};
+
+}  // namespace
+
+QuicTransportSimpleServerSession::QuicTransportSimpleServerSession(
+    QuicConnection* connection,
+    bool owns_connection,
+    Visitor* owner,
+    const QuicConfig& config,
+    const ParsedQuicVersionVector& supported_versions,
+    const QuicCryptoServerConfig* crypto_config,
+    QuicCompressedCertsCache* compressed_certs_cache,
+    Mode mode,
+    std::vector<url::Origin> accepted_origins)
+    : QuicTransportServerSession(connection,
+                                 owner,
+                                 config,
+                                 supported_versions,
+                                 crypto_config,
+                                 compressed_certs_cache,
+                                 this),
+      connection_(connection),
+      owns_connection_(owns_connection),
+      mode_(mode),
+      accepted_origins_(accepted_origins) {}
+
+QuicTransportSimpleServerSession::~QuicTransportSimpleServerSession() {
+  if (owns_connection_) {
+    delete connection_;
+  }
+}
+
+void QuicTransportSimpleServerSession::OnIncomingDataStream(
+    QuicTransportStream* stream) {
+  switch (mode_) {
+    case DISCARD:
+      stream->set_visitor(std::make_unique<DiscardVisitor>(stream));
+      break;
+
+    case ECHO:
+      switch (stream->type()) {
+        case BIDIRECTIONAL:
+          QUIC_DVLOG(1) << "Opening bidirectional echo stream " << stream->id();
+          stream->set_visitor(
+              std::make_unique<BidirectionalEchoVisitor>(stream));
+          break;
+        case READ_UNIDIRECTIONAL:
+          QUIC_DVLOG(1)
+              << "Started receiving data on unidirectional echo stream "
+              << stream->id();
+          stream->set_visitor(
+              std::make_unique<UnidirectionalEchoReadVisitor>(this, stream));
+          break;
+        default:
+          QUIC_NOTREACHED();
+          break;
+      }
+      break;
+  }
+}
+
+void QuicTransportSimpleServerSession::OnCanCreateNewOutgoingStream(
+    bool unidirectional) {
+  if (mode_ == ECHO && unidirectional) {
+    MaybeEchoStreamsBack();
+  }
+}
+
+bool QuicTransportSimpleServerSession::CheckOrigin(url::Origin origin) {
+  if (accepted_origins_.empty()) {
+    return true;
+  }
+
+  for (const url::Origin& accepted_origin : accepted_origins_) {
+    if (origin.IsSameOriginWith(accepted_origin)) {
+      return true;
+    }
+  }
+  return false;
+}
+
+void QuicTransportSimpleServerSession::MaybeEchoStreamsBack() {
+  while (!streams_to_echo_back_.empty() &&
+         CanOpenNextOutgoingUnidirectionalStream()) {
+    // Remove the stream from the queue first, in order to avoid accidentally
+    // entering an infinite loop in case any of the following code calls
+    // OnCanCreateNewOutgoingStream().
+    std::string data = std::move(streams_to_echo_back_.front());
+    streams_to_echo_back_.pop_front();
+
+    auto stream_owned = std::make_unique<QuicTransportStream>(
+        GetNextOutgoingUnidirectionalStreamId(), this, this);
+    QuicTransportStream* stream = stream_owned.get();
+    ActivateStream(std::move(stream_owned));
+    QUIC_DVLOG(1) << "Opened echo response stream " << stream->id();
+
+    stream->set_visitor(
+        std::make_unique<UnidirectionalEchoWriteVisitor>(stream, data));
+    stream->visitor()->OnCanWrite();
+  }
+}
+
+}  // namespace quic
diff --git a/chromium/net/third_party/quiche/src/quic/tools/quic_transport_simple_server_session.h b/chromium/net/third_party/quiche/src/quic/tools/quic_transport_simple_server_session.h
new file mode 100644
index 00000000000..11f82f2d272
--- /dev/null
+++ b/chromium/net/third_party/quiche/src/quic/tools/quic_transport_simple_server_session.h
@@ -0,0 +1,72 @@
+// Copyright (c) 2019 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef QUICHE_QUIC_TOOLS_QUIC_TRANSPORT_SIMPLE_SERVER_SESSION_H_
+#define QUICHE_QUIC_TOOLS_QUIC_TRANSPORT_SIMPLE_SERVER_SESSION_H_
+
+#include <memory>
+#include <vector>
+
+#include "url/origin.h"
+#include "net/third_party/quiche/src/quic/core/quic_types.h"
+#include "net/third_party/quiche/src/quic/core/quic_versions.h"
+#include "net/third_party/quiche/src/quic/platform/api/quic_containers.h"
+#include "net/third_party/quiche/src/quic/platform/api/quic_flags.h"
+#include "net/third_party/quiche/src/quic/quic_transport/quic_transport_server_session.h"
+#include "net/third_party/quiche/src/quic/quic_transport/quic_transport_stream.h"
+
+namespace quic {
+
+// QuicTransport simple server is a non-production server that can be used for
+// testing QuicTransport.  It has two modes that can be changed using the
+// command line flags, "echo" and "discard".
+class QuicTransportSimpleServerSession
+    : public QuicTransportServerSession,
+      QuicTransportServerSession::ServerVisitor {
+ public:
+  enum Mode {
+    // In DISCARD mode, any data on incoming streams is discarded and no
+    // outgoing streams are initiated.
+    DISCARD,
+    // In ECHO mode, any data sent on a bidirectional stream is echoed back.
+    // Any data sent on a unidirectional stream is buffered, and echoed back on
+    // a server-initiated unidirectional stream that is sent as soon as a FIN is
+    // received on the incoming stream.
+    ECHO,
+  };
+
+  QuicTransportSimpleServerSession(
+      QuicConnection* connection,
+      bool owns_connection,
+      Visitor* owner,
+      const QuicConfig& config,
+      const ParsedQuicVersionVector& supported_versions,
+      const QuicCryptoServerConfig* crypto_config,
+      QuicCompressedCertsCache* compressed_certs_cache,
+      Mode mode,
+      std::vector<url::Origin> accepted_origins);
+  ~QuicTransportSimpleServerSession();
+
+  void OnIncomingDataStream(QuicTransportStream* stream) override;
+  void OnCanCreateNewOutgoingStream(bool unidirectional) override;
+  bool CheckOrigin(url::Origin origin) override;
+
+  void EchoStreamBack(const std::string& data) {
+    streams_to_echo_back_.push_back(data);
+    MaybeEchoStreamsBack();
+  }
+
+ private:
+  void MaybeEchoStreamsBack();
+
+  QuicConnection* connection_;
+  const bool owns_connection_;
+  Mode mode_;
+  std::vector<url::Origin> accepted_origins_;
+  QuicDeque<std::string> streams_to_echo_back_;
+};
+
+}  // namespace quic
+
+#endif  // QUICHE_QUIC_TOOLS_QUIC_TRANSPORT_SIMPLE_SERVER_SESSION_H_
diff --git a/chromium/net/third_party/quiche/src/spdy/core/spdy_header_block_test.cc b/chromium/net/third_party/quiche/src/spdy/core/spdy_header_block_test.cc
index c34b718a1a4..56facb4039a 100644
--- a/chromium/net/third_party/quiche/src/spdy/core/spdy_header_block_test.cc
+++ b/chromium/net/third_party/quiche/src/spdy/core/spdy_header_block_test.cc
@@ -177,6 +177,21 @@ TEST(SpdyHeaderBlockTest, AppendHeaders) {
   EXPECT_EQ("singleton", block["h4"]);
 }
 
+// This test demonstrates that the SpdyHeaderBlock data structure does not place
+// any limitations on the characters present in the header names.
+TEST(SpdyHeaderBlockTest, UpperCaseNames) {
+  SpdyHeaderBlock block;
+  block["Foo"] = "foo";
+  block.AppendValueOrAddHeader("Foo", "bar");
+  EXPECT_EQ(block.end(), block.find("foo"));
+  EXPECT_EQ(Pair("Foo", std::string("foo\0bar", 7)), *block.find("Foo"));
+
+  // The map is case sensitive, so both "Foo" and "foo" can be present.
+  block.AppendValueOrAddHeader("foo", "baz");
+  EXPECT_THAT(block, ElementsAre(Pair("Foo", std::string("foo\0bar", 7)),
+                                 Pair("foo", "baz")));
+}
+
 TEST(JoinTest, JoinEmpty) {
   std::vector<SpdyStringPiece> empty;
   SpdyStringPiece separator = ", ";
diff --git a/chromium/net/third_party/quiche/src/spdy/platform/api/spdy_ptr_util.h b/chromium/net/third_party/quiche/src/spdy/platform/api/spdy_ptr_util.h
index 32b8515f4ca..dd77e8eca03 100644
--- a/chromium/net/third_party/quiche/src/spdy/platform/api/spdy_ptr_util.h
+++ b/chromium/net/third_party/quiche/src/spdy/platform/api/spdy_ptr_util.h
@@ -12,11 +12,6 @@
 
 namespace spdy {
 
-template <typename T, typename... Args>
-std::unique_ptr<T> SpdyMakeUnique(Args&&... args) {
-  return SpdyMakeUniqueImpl<T>(std::forward<Args>(args)...);
-}
-
 template <typename T>
 std::unique_ptr<T> SpdyWrapUnique(T* ptr) {
   return SpdyWrapUniqueImpl<T>(ptr);
diff --git a/chromium/net/tools/cachetool/cachetool.cc b/chromium/net/tools/cachetool/cachetool.cc
index 5dca7bb8ab4..c9a761356f8 100644
--- a/chromium/net/tools/cachetool/cachetool.cc
+++ b/chromium/net/tools/cachetool/cachetool.cc
@@ -262,9 +262,9 @@ class StreamCommandMarshal final : public CommandMarshal {
       return "";
     }
     std::vector<char> tmp_buffer(string_size + 1);
-    std::cin.read(&tmp_buffer[0], string_size);
+    std::cin.read(tmp_buffer.data(), string_size);
     tmp_buffer[string_size] = 0;
-    return std::string(&tmp_buffer[0], string_size);
+    return std::string(tmp_buffer.data(), string_size);
   }
 
   // Implements CommandMarshal.
@@ -709,9 +709,10 @@ int main(int argc, char* argv[]) {
 
   std::unique_ptr<Backend> cache_backend;
   net::TestCompletionCallback cb;
-  int rv = disk_cache::CreateCacheBackend(net::DISK_CACHE, backend_type,
-                                          cache_path, INT_MAX, false, nullptr,
-                                          &cache_backend, cb.callback());
+  int rv = disk_cache::CreateCacheBackend(
+      net::DISK_CACHE, backend_type, cache_path, INT_MAX,
+      disk_cache::ResetHandling::kNeverReset, nullptr, &cache_backend,
+      cb.callback());
   if (cb.GetResult(rv) != net::OK) {
     std::cerr << "Invalid cache." << std::endl;
     return 1;
diff --git a/chromium/net/tools/cert_verify_tool/cert_verify_tool.cc b/chromium/net/tools/cert_verify_tool/cert_verify_tool.cc
index b707f7002a6..80499199905 100644
--- a/chromium/net/tools/cert_verify_tool/cert_verify_tool.cc
+++ b/chromium/net/tools/cert_verify_tool/cert_verify_tool.cc
@@ -21,7 +21,7 @@
 #include "net/cert/cert_verify_proc_builtin.h"
 #include "net/cert/crl_set.h"
 #include "net/cert/internal/system_trust_store.h"
-#include "net/cert_net/cert_net_fetcher_impl.h"
+#include "net/cert_net/cert_net_fetcher_url_request.h"
 #include "net/tools/cert_verify_tool/cert_verify_tool_util.h"
 #include "net/tools/cert_verify_tool/verify_using_cert_verify_proc.h"
 #include "net/tools/cert_verify_tool/verify_using_path_builder.h"
@@ -46,7 +46,7 @@ std::string GetUserAgent() {
 
 void SetUpOnNetworkThread(
     std::unique_ptr<net::URLRequestContext>* context,
-    scoped_refptr<net::CertNetFetcherImpl>* cert_net_fetcher,
+    scoped_refptr<net::CertNetFetcherURLRequest>* cert_net_fetcher,
     base::WaitableEvent* initialization_complete_event) {
   net::URLRequestContextBuilder url_request_context_builder;
   url_request_context_builder.set_user_agent(GetUserAgent());
@@ -66,14 +66,14 @@ void SetUpOnNetworkThread(
 #endif
   // TODO(mattm): add command line flag to configure using
   // CertNetFetcher
-  *cert_net_fetcher = base::MakeRefCounted<net::CertNetFetcherImpl>();
+  *cert_net_fetcher = base::MakeRefCounted<net::CertNetFetcherURLRequest>();
   (*cert_net_fetcher)->SetURLRequestContext(context->get());
   initialization_complete_event->Signal();
 }
 
 void ShutdownOnNetworkThread(
     std::unique_ptr<net::URLRequestContext>* context,
-    scoped_refptr<net::CertNetFetcherImpl>* cert_net_fetcher) {
+    scoped_refptr<net::CertNetFetcherURLRequest>* cert_net_fetcher) {
   (*cert_net_fetcher)->Shutdown();
   cert_net_fetcher->reset();
   context->reset();
@@ -300,6 +300,7 @@ void PrintUsage(const char* argv0) {
   // TODO(mattm): allow target to specify an HTTPS URL to check the cert of?
   // TODO(mattm): allow target to be a verify_certificate_chain_unittest .test
   // file?
+  // TODO(mattm): allow specifying ocsp_response and sct_list inputs as well.
 }
 
 }  // namespace
@@ -397,7 +398,7 @@ int main(int argc, char** argv) {
   // Owned by this thread, but initialized, used, and shutdown on the network
   // thread.
   std::unique_ptr<net::URLRequestContext> context;
-  scoped_refptr<net::CertNetFetcherImpl> cert_net_fetcher;
+  scoped_refptr<net::CertNetFetcherURLRequest> cert_net_fetcher;
   base::WaitableEvent initialization_complete_event(
       base::WaitableEvent::ResetPolicy::MANUAL,
       base::WaitableEvent::InitialState::NOT_SIGNALED);
diff --git a/chromium/net/tools/cert_verify_tool/cert_verify_tool_util.cc b/chromium/net/tools/cert_verify_tool/cert_verify_tool_util.cc
index 183a7cbfff4..95aa01c6e5a 100644
--- a/chromium/net/tools/cert_verify_tool/cert_verify_tool_util.cc
+++ b/chromium/net/tools/cert_verify_tool/cert_verify_tool_util.cc
@@ -9,7 +9,7 @@
 #include "base/files/file_util.h"
 #include "base/strings/stringprintf.h"
 #include "build/build_config.h"
-#include "net/cert/pem_tokenizer.h"
+#include "net/cert/pem.h"
 
 #if defined(OS_MACOSX) && !defined(OS_IOS)
 #include <Security/Security.h>
diff --git a/chromium/net/tools/cert_verify_tool/verify_using_path_builder.cc b/chromium/net/tools/cert_verify_tool/verify_using_path_builder.cc
index abb86143b01..9c8bb058f81 100644
--- a/chromium/net/tools/cert_verify_tool/verify_using_path_builder.cc
+++ b/chromium/net/tools/cert_verify_tool/verify_using_path_builder.cc
@@ -178,6 +178,9 @@ bool VerifyUsingPathBuilder(
     path_builder.AddCertIssuerSource(aia_cert_issuer_source.get());
   }
 
+  // TODO(mattm): should this be a command line flag?
+  path_builder.SetExploreAllPaths(true);
+
   // Run the path builder.
   net::CertPathBuilder::Result result = path_builder.Run();
 
diff --git a/chromium/net/tools/content_decoder_tool/content_decoder_tool.cc b/chromium/net/tools/content_decoder_tool/content_decoder_tool.cc
index 94cd33606a4..4d0e8ef3021 100644
--- a/chromium/net/tools/content_decoder_tool/content_decoder_tool.cc
+++ b/chromium/net/tools/content_decoder_tool/content_decoder_tool.cc
@@ -49,6 +49,8 @@ class StdinSourceStream : public SourceStream {
 
   std::string Description() const override { return ""; }
 
+  bool MayHaveMoreBytes() const override { return true; }
+
  private:
   std::istream* input_stream_;
 
diff --git a/chromium/net/tools/dafsa/make_dafsa.py b/chromium/net/tools/dafsa/make_dafsa.py
index 5c9082d372c..4aeb1514ff9 100755
--- a/chromium/net/tools/dafsa/make_dafsa.py
+++ b/chromium/net/tools/dafsa/make_dafsa.py
@@ -7,7 +7,7 @@
 A Deterministic acyclic finite state automaton (DAFSA) is a compact
 representation of an unordered word list (dictionary).
 
-http://en.wikipedia.org/wiki/Deterministic_acyclic_finite_state_automaton
+https://en.wikipedia.org/wiki/Deterministic_acyclic_finite_state_automaton
 
 This python program converts a list of strings to a byte array in C++.
 This python program fetches strings and return values from a gperf file
diff --git a/chromium/net/tools/disk_cache_memory_test/disk_cache_memory_test.cc b/chromium/net/tools/disk_cache_memory_test/disk_cache_memory_test.cc
index bb624b27576..f18b5084f45 100644
--- a/chromium/net/tools/disk_cache_memory_test/disk_cache_memory_test.cc
+++ b/chromium/net/tools/disk_cache_memory_test/disk_cache_memory_test.cc
@@ -97,7 +97,8 @@ std::unique_ptr<Backend> CreateAndInitBackend(const CacheSpec& spec) {
       base::BindOnce(&SetSuccessCodeOnCompletion, &run_loop, &succeeded);
   const int net_error =
       CreateCacheBackend(spec.cache_type, spec.backend_type, spec.path, 0,
-                         false, nullptr, &backend, std::move(callback));
+                         disk_cache::ResetHandling::kNeverReset, nullptr,
+                         &backend, std::move(callback));
   if (net_error == net::OK)
     SetSuccessCodeOnCompletion(&run_loop, &succeeded, net::OK);
   else
diff --git a/chromium/net/tools/net_watcher/net_watcher.cc b/chromium/net/tools/net_watcher/net_watcher.cc
index 67db6332864..0f6e73067b0 100644
--- a/chromium/net/tools/net_watcher/net_watcher.cc
+++ b/chromium/net/tools/net_watcher/net_watcher.cc
@@ -119,9 +119,6 @@ class NetWatcher :
 
   // net::NetworkChangeNotifier::DNSObserver implementation.
   void OnDNSChanged() override { LOG(INFO) << "OnDNSChanged()"; }
-  void OnInitialDNSConfigRead() override {
-    LOG(INFO) << "OnInitialDNSConfigRead()";
-  }
 
   // net::NetworkChangeNotifier::NetworkChangeObserver implementation.
   void OnNetworkChanged(
diff --git a/chromium/net/tools/quic/quic_simple_client.cc b/chromium/net/tools/quic/quic_simple_client.cc
index be2dc03e1c4..ee8d31eb85d 100644
--- a/chromium/net/tools/quic/quic_simple_client.cc
+++ b/chromium/net/tools/quic/quic_simple_client.cc
@@ -47,7 +47,8 @@ QuicSimpleClient::QuicSimpleClient(
           CreateQuicAlarmFactory(),
           quic::QuicWrapUnique(
               new QuicClientMessageLooplNetworkHelper(&clock_, this)),
-          std::move(proof_verifier)),
+          std::move(proof_verifier),
+          nullptr),
       initialized_(false) {
   set_server_address(server_address);
 }
diff --git a/chromium/net/tools/quic/quic_simple_server.cc b/chromium/net/tools/quic/quic_simple_server.cc
index da14e4f3d97..9d8f58bf490 100644
--- a/chromium/net/tools/quic/quic_simple_server.cc
+++ b/chromium/net/tools/quic/quic_simple_server.cc
@@ -24,6 +24,7 @@
 #include "net/third_party/quiche/src/quic/tools/quic_simple_dispatcher.h"
 #include "net/tools/quic/quic_simple_server_packet_writer.h"
 #include "net/tools/quic/quic_simple_server_session_helper.h"
+#include "net/tools/quic/quic_simple_server_socket.h"
 
 namespace net {
 
@@ -95,50 +96,17 @@ QuicSimpleServer::~QuicSimpleServer() = default;
 
 bool QuicSimpleServer::CreateUDPSocketAndListen(
     const quic::QuicSocketAddress& address) {
-  return Listen(ToIPEndPoint(address)) == 0;
+  return Listen(ToIPEndPoint(address));
 }
 
 void QuicSimpleServer::HandleEventsForever() {
   base::RunLoop().Run();
 }
 
-int QuicSimpleServer::Listen(const IPEndPoint& address) {
-  std::unique_ptr<UDPServerSocket> socket(
-      new UDPServerSocket(nullptr, NetLogSource()));
-
-  socket->AllowAddressReuse();
-
-  int rc = socket->Listen(address);
-  if (rc < 0) {
-    LOG(ERROR) << "Listen() failed: " << ErrorToString(rc);
-    return rc;
-  }
-
-  // These send and receive buffer sizes are sized for a single connection,
-  // because the default usage of QuicSimpleServer is as a test server with
-  // one or two clients.  Adjust higher for use with many clients.
-  rc = socket->SetReceiveBufferSize(
-      static_cast<int32_t>(quic::kDefaultSocketReceiveBuffer));
-  if (rc < 0) {
-    LOG(ERROR) << "SetReceiveBufferSize() failed: " << ErrorToString(rc);
-    return rc;
-  }
-
-  rc = socket->SetSendBufferSize(20 * quic::kMaxOutgoingPacketSize);
-  if (rc < 0) {
-    LOG(ERROR) << "SetSendBufferSize() failed: " << ErrorToString(rc);
-    return rc;
-  }
-
-  rc = socket->GetLocalAddress(&server_address_);
-  if (rc < 0) {
-    LOG(ERROR) << "GetLocalAddress() failed: " << ErrorToString(rc);
-    return rc;
-  }
-
-  DVLOG(1) << "Listening on " << server_address_.ToString();
-
-  socket_.swap(socket);
+bool QuicSimpleServer::Listen(const IPEndPoint& address) {
+  socket_ = CreateQuicSimpleServerSocket(address, &server_address_);
+  if (socket_ == nullptr)
+    return false;
 
   dispatcher_.reset(new quic::QuicSimpleDispatcher(
       &config_, &crypto_config_, &version_manager_,
@@ -153,7 +121,7 @@ int QuicSimpleServer::Listen(const IPEndPoint& address) {
 
   StartReading();
 
-  return OK;
+  return true;
 }
 
 void QuicSimpleServer::Shutdown() {
diff --git a/chromium/net/tools/quic/quic_simple_server.h b/chromium/net/tools/quic/quic_simple_server.h
index 8b512ff7927..ae8b0f767ba 100644
--- a/chromium/net/tools/quic/quic_simple_server.h
+++ b/chromium/net/tools/quic/quic_simple_server.h
@@ -52,8 +52,8 @@ class QuicSimpleServer : public quic::QuicSpdyServerBase {
       const quic::QuicSocketAddress& address) override;
   void HandleEventsForever() override;
 
-  // Start listening on the specified address. Returns an error code.
-  int Listen(const IPEndPoint& address);
+  // Start listening on the specified address. Returns true on success.
+  bool Listen(const IPEndPoint& address);
 
   // Server deletion is imminent. Start cleaning up.
   void Shutdown();
diff --git a/chromium/net/tools/quic/quic_simple_server_socket.cc b/chromium/net/tools/quic/quic_simple_server_socket.cc
new file mode 100644
index 00000000000..5680aaa33ec
--- /dev/null
+++ b/chromium/net/tools/quic/quic_simple_server_socket.cc
@@ -0,0 +1,53 @@
+// Copyright (c) 2019 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "net/tools/quic/quic_simple_server_socket.h"
+
+#include "net/base/net_errors.h"
+#include "net/log/net_log_source.h"
+#include "net/third_party/quiche/src/quic/core/quic_constants.h"
+
+namespace net {
+
+std::unique_ptr<UDPServerSocket> CreateQuicSimpleServerSocket(
+    const IPEndPoint& address,
+    IPEndPoint* server_address) {
+  auto socket =
+      std::make_unique<UDPServerSocket>(/*net_log=*/nullptr, NetLogSource());
+
+  socket->AllowAddressReuse();
+
+  int rc = socket->Listen(address);
+  if (rc < 0) {
+    LOG(ERROR) << "Listen() failed: " << ErrorToString(rc);
+    return nullptr;
+  }
+
+  // These send and receive buffer sizes are sized for a single connection,
+  // because the default usage of QuicSimpleServer is as a test server with
+  // one or two clients.  Adjust higher for use with many clients.
+  rc = socket->SetReceiveBufferSize(
+      static_cast<int32_t>(quic::kDefaultSocketReceiveBuffer));
+  if (rc < 0) {
+    LOG(ERROR) << "SetReceiveBufferSize() failed: " << ErrorToString(rc);
+    return nullptr;
+  }
+
+  rc = socket->SetSendBufferSize(20 * quic::kMaxOutgoingPacketSize);
+  if (rc < 0) {
+    LOG(ERROR) << "SetSendBufferSize() failed: " << ErrorToString(rc);
+    return nullptr;
+  }
+
+  rc = socket->GetLocalAddress(server_address);
+  if (rc < 0) {
+    LOG(ERROR) << "GetLocalAddress() failed: " << ErrorToString(rc);
+    return nullptr;
+  }
+
+  VLOG(1) << "Listening on " << server_address->ToString();
+  return socket;
+}
+
+}  // namespace net
diff --git a/chromium/net/tools/quic/quic_simple_server_socket.h b/chromium/net/tools/quic/quic_simple_server_socket.h
new file mode 100644
index 00000000000..56cf9d9ceb4
--- /dev/null
+++ b/chromium/net/tools/quic/quic_simple_server_socket.h
@@ -0,0 +1,20 @@
+// Copyright (c) 2019 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef NET_TOOLS_QUIC_QUIC_SIMPLE_SERVER_SOCKET_H_
+#define NET_TOOLS_QUIC_QUIC_SIMPLE_SERVER_SOCKET_H_
+
+#include "net/base/ip_endpoint.h"
+#include "net/socket/udp_server_socket.h"
+
+namespace net {
+
+// Creates a UDP server socket tuned for use in a QUIC server.
+std::unique_ptr<UDPServerSocket> CreateQuicSimpleServerSocket(
+    const IPEndPoint& address,
+    IPEndPoint* server_address);
+
+}  // namespace net
+
+#endif  // NET_TOOLS_QUIC_QUIC_SIMPLE_SERVER_SOCKET_H_
diff --git a/chromium/net/tools/quic/quic_transport_simple_server.cc b/chromium/net/tools/quic/quic_transport_simple_server.cc
new file mode 100644
index 00000000000..b9bc02466c2
--- /dev/null
+++ b/chromium/net/tools/quic/quic_transport_simple_server.cc
@@ -0,0 +1,137 @@
+// Copyright (c) 2019 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "net/tools/quic/quic_transport_simple_server.h"
+
+#include <stdlib.h>
+
+#include "base/run_loop.h"
+#include "base/threading/thread_task_runner_handle.h"
+#include "net/base/net_errors.h"
+#include "net/quic/address_utils.h"
+#include "net/quic/platform/impl/quic_chromium_clock.h"
+#include "net/quic/quic_chromium_alarm_factory.h"
+#include "net/quic/quic_chromium_connection_helper.h"
+#include "net/socket/udp_server_socket.h"
+#include "net/third_party/quiche/src/quic/platform/api/quic_default_proof_providers.h"
+#include "net/third_party/quiche/src/quic/tools/quic_transport_simple_server_dispatcher.h"
+#include "net/tools/quic/quic_simple_server_packet_writer.h"
+#include "net/tools/quic/quic_simple_server_socket.h"
+
+namespace net {
+namespace {
+
+using quic::CryptoHandshakeMessage;
+using quic::ParsedQuicVersion;
+using quic::PROTOCOL_TLS1_3;
+using quic::QUIC_VERSION_99;
+using quic::QuicChromiumClock;
+using quic::QuicCryptoServerStream;
+using quic::QuicSocketAddress;
+using quic::QuicTransportSimpleServerSession;
+
+constexpr char kSourceAddressTokenSecret[] = "test";
+constexpr size_t kMaxReadsPerEvent = 32;
+constexpr size_t kMaxNewConnectionsPerEvent = 32;
+constexpr int kReadBufferSize = 2 * quic::kMaxIncomingPacketSize;
+
+}  // namespace
+
+class QuicTransportSimpleServerSessionHelper
+    : public QuicCryptoServerStream::Helper {
+ public:
+  bool CanAcceptClientHello(const CryptoHandshakeMessage& /*message*/,
+                            const QuicSocketAddress& /*client_address*/,
+                            const QuicSocketAddress& /*peer_address*/,
+                            const QuicSocketAddress& /*self_address*/,
+                            std::string* /*error_details*/) const override {
+    return true;
+  }
+};
+
+QuicTransportSimpleServer::QuicTransportSimpleServer(
+    int port,
+    QuicTransportSimpleServerSession::Mode mode,
+    std::vector<url::Origin> accepted_origins)
+    : port_(port),
+      version_manager_({ParsedQuicVersion{PROTOCOL_TLS1_3, QUIC_VERSION_99}}),
+      clock_(QuicChromiumClock::GetInstance()),
+      crypto_config_(kSourceAddressTokenSecret,
+                     quic::QuicRandom::GetInstance(),
+                     quic::CreateDefaultProofSource(),
+                     quic::KeyExchangeSource::Default()),
+      dispatcher_(&config_,
+                  &crypto_config_,
+                  &version_manager_,
+                  std::make_unique<QuicChromiumConnectionHelper>(
+                      clock_,
+                      quic::QuicRandom::GetInstance()),
+                  std::make_unique<QuicTransportSimpleServerSessionHelper>(),
+                  std::make_unique<QuicChromiumAlarmFactory>(
+                      base::ThreadTaskRunnerHandle::Get().get(),
+                      clock_),
+                  quic::kQuicDefaultConnectionIdLength,
+                  mode,
+                  accepted_origins),
+      read_buffer_(base::MakeRefCounted<IOBufferWithSize>(kReadBufferSize)) {}
+
+QuicTransportSimpleServer::~QuicTransportSimpleServer() {}
+
+int QuicTransportSimpleServer::Run() {
+  socket_ = CreateQuicSimpleServerSocket(
+      IPEndPoint{IPAddress::IPv6AllZeros(), port_}, &server_address_);
+  if (socket_ == nullptr)
+    return EXIT_FAILURE;
+
+  dispatcher_.InitializeWithWriter(
+      new QuicSimpleServerPacketWriter(socket_.get(), &dispatcher_));
+
+  ScheduleReadPackets();
+  base::RunLoop().Run();
+  return EXIT_SUCCESS;
+}
+
+void QuicTransportSimpleServer::ScheduleReadPackets() {
+  base::ThreadTaskRunnerHandle::Get()->PostTask(
+      FROM_HERE, base::BindOnce(&QuicTransportSimpleServer::ReadPackets,
+                                weak_factory_.GetWeakPtr()));
+}
+
+void QuicTransportSimpleServer::ReadPackets() {
+  dispatcher_.ProcessBufferedChlos(kMaxNewConnectionsPerEvent);
+  for (size_t i = 0; i < kMaxReadsPerEvent; i++) {
+    int result = socket_->RecvFrom(
+        read_buffer_.get(), read_buffer_->size(), &client_address_,
+        base::BindOnce(&QuicTransportSimpleServer::OnReadComplete,
+                       base::Unretained(this)));
+    if (result == ERR_IO_PENDING)
+      return;
+    ProcessReadPacket(result);
+  }
+  ScheduleReadPackets();
+}
+
+void QuicTransportSimpleServer::OnReadComplete(int result) {
+  ProcessReadPacket(result);
+  ReadPackets();
+}
+
+void QuicTransportSimpleServer::ProcessReadPacket(int result) {
+  if (result == 0)
+    result = ERR_CONNECTION_CLOSED;
+  if (result < 0) {
+    LOG(ERROR) << "QuicTransportSimpleServer read failed: "
+               << ErrorToString(result);
+    dispatcher_.Shutdown();
+    exit(EXIT_FAILURE);
+    return;
+  }
+
+  quic::QuicReceivedPacket packet(read_buffer_->data(), /*length=*/result,
+                                  clock_->Now(), /*owns_buffer=*/false);
+  dispatcher_.ProcessPacket(ToQuicSocketAddress(server_address_),
+                            ToQuicSocketAddress(client_address_), packet);
+}
+
+}  // namespace net
diff --git a/chromium/net/tools/quic/quic_transport_simple_server.h b/chromium/net/tools/quic/quic_transport_simple_server.h
new file mode 100644
index 00000000000..64b768d2d71
--- /dev/null
+++ b/chromium/net/tools/quic/quic_transport_simple_server.h
@@ -0,0 +1,64 @@
+// Copyright (c) 2019 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef NET_TOOLS_QUIC_QUIC_TRANSPORT_SIMPLE_SERVER_H_
+#define NET_TOOLS_QUIC_QUIC_TRANSPORT_SIMPLE_SERVER_H_
+
+#include "base/memory/weak_ptr.h"
+#include "net/base/io_buffer.h"
+#include "net/base/ip_endpoint.h"
+#include "net/quic/platform/impl/quic_chromium_clock.h"
+#include "net/socket/udp_server_socket.h"
+#include "net/third_party/quiche/src/quic/core/crypto/quic_crypto_server_config.h"
+#include "net/third_party/quiche/src/quic/core/quic_config.h"
+#include "net/third_party/quiche/src/quic/core/quic_version_manager.h"
+#include "net/third_party/quiche/src/quic/tools/quic_transport_simple_server_dispatcher.h"
+#include "net/third_party/quiche/src/quic/tools/quic_transport_simple_server_session.h"
+#include "url/origin.h"
+
+namespace net {
+
+// Server for QuicTransportSimpleSession.  This class is responsible for
+// creating a UDP server socket, listening on it and passing the packets
+// received to the dispatcher.
+class QuicTransportSimpleServer {
+ public:
+  QuicTransportSimpleServer(int port,
+                            quic::QuicTransportSimpleServerSession::Mode mode,
+                            std::vector<url::Origin> accepted_origins);
+  ~QuicTransportSimpleServer();
+
+  int Run();
+
+ private:
+  // Schedules a ReadPackets() call on the next iteration of the event loop.
+  void ScheduleReadPackets();
+  // Reads a fixed number of packets and then reschedules itself.
+  void ReadPackets();
+  // Called when an asynchronous read from the socket is complete.
+  void OnReadComplete(int result);
+  // Passes the most recently read packet into the dispatcher.
+  void ProcessReadPacket(int result);
+
+  const int port_;
+
+  quic::QuicVersionManager version_manager_;
+  quic::QuicChromiumClock* clock_;  // Not owned.
+  quic::QuicConfig config_;
+  quic::QuicCryptoServerConfig crypto_config_;
+
+  quic::QuicTransportSimpleServerDispatcher dispatcher_;
+  std::unique_ptr<UDPServerSocket> socket_;
+  IPEndPoint server_address_;
+
+  // Results of the potentially asynchronous read operation.
+  scoped_refptr<IOBufferWithSize> read_buffer_;
+  IPEndPoint client_address_;
+
+  base::WeakPtrFactory<QuicTransportSimpleServer> weak_factory_{this};
+};
+
+}  // namespace net
+
+#endif  // NET_TOOLS_QUIC_QUIC_TRANSPORT_SIMPLE_SERVER_H_
diff --git a/chromium/net/tools/quic/quic_transport_simple_server_bin.cc b/chromium/net/tools/quic/quic_transport_simple_server_bin.cc
new file mode 100644
index 00000000000..f2537458ede
--- /dev/null
+++ b/chromium/net/tools/quic/quic_transport_simple_server_bin.cc
@@ -0,0 +1,61 @@
+// Copyright (c) 2019 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "base/strings/string_split.h"
+#include "net/third_party/quiche/src/quic/platform/api/quic_flags.h"
+#include "net/third_party/quiche/src/quic/platform/api/quic_system_event_loop.h"
+#include "net/tools/quic/quic_transport_simple_server.h"
+#include "url/gurl.h"
+
+DEFINE_QUIC_COMMAND_LINE_FLAG(int, port, 20557, "The port to listen on.");
+
+DEFINE_QUIC_COMMAND_LINE_FLAG(
+    std::string,
+    mode,
+    "discard",
+    "The mode used by the SimpleServer.  Can be \"echo\" or \"discard\".");
+
+DEFINE_QUIC_COMMAND_LINE_FLAG(std::string,
+                              accepted_origins,
+                              "",
+                              "Comma-separated list of accepted origins");
+
+int main(int argc, char** argv) {
+  const char* usage = "quic_transport_simple_server";
+  QuicSystemEventLoop event_loop("quic_transport_simple_server");
+  std::vector<std::string> non_option_args =
+      quic::QuicParseCommandLineFlags(usage, argc, argv);
+  if (!non_option_args.empty()) {
+    quic::QuicPrintCommandLineFlagHelp(usage);
+    return 0;
+  }
+
+  std::string mode_text = GetQuicFlag(FLAGS_mode);
+  quic::QuicTransportSimpleServerSession::Mode mode;
+  if (mode_text == "discard") {
+    mode = quic::QuicTransportSimpleServerSession::DISCARD;
+  } else if (mode_text == "echo") {
+    mode = quic::QuicTransportSimpleServerSession::ECHO;
+  } else {
+    LOG(ERROR) << "Invalid mode specified: " << mode_text;
+    return 1;
+  }
+
+  std::string accepted_origins_text = GetQuicFlag(FLAGS_accepted_origins);
+  std::vector<url::Origin> accepted_origins;
+  for (const base::StringPiece& origin :
+       base::SplitStringPiece(accepted_origins_text, ",", base::TRIM_WHITESPACE,
+                              base::SPLIT_WANT_NONEMPTY)) {
+    GURL url{origin};
+    if (!url.is_valid()) {
+      LOG(ERROR) << "Failed to parse origin specified: " << origin;
+      return 1;
+    }
+    accepted_origins.push_back(url::Origin::Create(url));
+  }
+
+  net::QuicTransportSimpleServer server(GetQuicFlag(FLAGS_port), mode,
+                                        accepted_origins);
+  return server.Run();
+}
diff --git a/chromium/net/tools/quic/synchronous_host_resolver.cc b/chromium/net/tools/quic/synchronous_host_resolver.cc
index fb2572d3f95..a3c64ea5986 100644
--- a/chromium/net/tools/quic/synchronous_host_resolver.cc
+++ b/chromium/net/tools/quic/synchronous_host_resolver.cc
@@ -21,6 +21,7 @@
 #include "base/threading/thread_task_runner_handle.h"
 #include "net/base/host_port_pair.h"
 #include "net/base/net_errors.h"
+#include "net/base/network_isolation_key.h"
 #include "net/dns/host_resolver.h"
 #include "net/log/net_log.h"
 #include "net/log/net_log_with_source.h"
@@ -60,17 +61,18 @@ ResolverThread::~ResolverThread() = default;
 void ResolverThread::Run() {
   base::SingleThreadTaskExecutor io_task_executor(base::MessagePumpType::IO);
 
-  net::NetLog net_log;
   net::HostResolver::ManagerOptions options;
   options.max_concurrent_resolves = 6;
   options.max_system_retry_attempts = 3u;
   std::unique_ptr<net::HostResolver> resolver =
-      net::HostResolver::CreateStandaloneResolver(&net_log, options);
+      net::HostResolver::CreateStandaloneResolver(NetLog::Get(), options);
 
   HostPortPair host_port_pair(host_, 80);
+  // No need to use a NetworkIsolationKey here, since this is an external tool
+  // not used by net/ consumers.
   std::unique_ptr<net::HostResolver::ResolveHostRequest> request =
-      resolver->CreateRequest(host_port_pair, NetLogWithSource(),
-                              base::nullopt);
+      resolver->CreateRequest(host_port_pair, NetworkIsolationKey(),
+                              NetLogWithSource(), base::nullopt);
 
   base::RunLoop run_loop;
   rv_ = request->Start(base::BindOnce(&ResolverThread::OnResolutionComplete,
diff --git a/chromium/net/tools/update_ios_bundle_data.py b/chromium/net/tools/update_ios_bundle_data.py
index 02a5505b327..32cf0fd2763 100755
--- a/chromium/net/tools/update_ios_bundle_data.py
+++ b/chromium/net/tools/update_ios_bundle_data.py
@@ -49,6 +49,8 @@ net_unittest_bundle_data_globs = [
     "data/name_constraints_unittest/*.pem",
     "data/ocsp_unittest/*.pem",
     "data/ov_name_constraints/*.pem",
+    "data/path_builder_unittest/**/*.pem",
+    "data/parse_certificate_unittest/**/*.pem",
     "data/parse_certificate_unittest/*.pem",
     "data/parse_certificate_unittest/*.pk8",
     "data/test.html",
diff --git a/chromium/net/url_request/data_protocol_handler.cc b/chromium/net/url_request/data_protocol_handler.cc
deleted file mode 100644
index 3f4d318e8dd..00000000000
--- a/chromium/net/url_request/data_protocol_handler.cc
+++ /dev/null
@@ -1,22 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "net/url_request/data_protocol_handler.h"
-
-#include "net/url_request/url_request_data_job.h"
-
-namespace net {
-
-DataProtocolHandler::DataProtocolHandler() = default;
-
-URLRequestJob* DataProtocolHandler::MaybeCreateJob(
-    URLRequest* request, NetworkDelegate* network_delegate) const {
-  return new URLRequestDataJob(request, network_delegate);
-}
-
-bool DataProtocolHandler::IsSafeRedirectTarget(const GURL& location) const {
-  return false;
-}
-
-}  // namespace net
diff --git a/chromium/net/url_request/data_protocol_handler.h b/chromium/net/url_request/data_protocol_handler.h
deleted file mode 100644
index c65758f01e0..00000000000
--- a/chromium/net/url_request/data_protocol_handler.h
+++ /dev/null
@@ -1,33 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef NET_URL_REQUEST_DATA_PROTOCOL_HANDLER_H_
-#define NET_URL_REQUEST_DATA_PROTOCOL_HANDLER_H_
-
-#include "base/compiler_specific.h"
-#include "base/macros.h"
-#include "net/base/net_export.h"
-#include "net/url_request/url_request_job_factory.h"
-
-namespace net {
-
-class URLRequestJob;
-
-// Implements a ProtocolHandler for Data jobs.
-class NET_EXPORT DataProtocolHandler
-    : public URLRequestJobFactory::ProtocolHandler {
- public:
-  DataProtocolHandler();
-  URLRequestJob* MaybeCreateJob(
-      URLRequest* request,
-      NetworkDelegate* network_delegate) const override;
-  bool IsSafeRedirectTarget(const GURL& location) const override;
-
- private:
-  DISALLOW_COPY_AND_ASSIGN(DataProtocolHandler);
-};
-
-}  // namespace net
-
-#endif  // NET_URL_REQUEST_DATA_PROTOCOL_HANDLER_H_
diff --git a/chromium/net/url_request/http_with_dns_over_https_unittest.cc b/chromium/net/url_request/http_with_dns_over_https_unittest.cc
index e0ea11b6dc0..6405d4dd02b 100644
--- a/chromium/net/url_request/http_with_dns_over_https_unittest.cc
+++ b/chromium/net/url_request/http_with_dns_over_https_unittest.cc
@@ -8,6 +8,7 @@
 #include "base/memory/scoped_refptr.h"
 #include "net/base/privacy_mode.h"
 #include "net/base/proxy_server.h"
+#include "net/cert/mock_cert_verifier.h"
 #include "net/dns/context_host_resolver.h"
 #include "net/dns/dns_client.h"
 #include "net/dns/dns_config.h"
@@ -38,29 +39,37 @@ const char kTestBody[] = "<html><body>TEST RESPONSE</body></html>";
 
 class TestHostResolverProc : public HostResolverProc {
  public:
-  TestHostResolverProc() : HostResolverProc(nullptr) {}
+  TestHostResolverProc()
+      : HostResolverProc(nullptr), insecure_queries_served_(0) {}
 
   int Resolve(const std::string& hostname,
               AddressFamily address_family,
               HostResolverFlags host_resolver_flags,
               AddressList* addrlist,
               int* os_error) override {
-    return ERR_NAME_NOT_RESOLVED;
+    insecure_queries_served_++;
+    *addrlist = AddressList::CreateFromIPAddress(IPAddress(127, 0, 0, 1), 443);
+    return OK;
   }
 
+  uint32_t insecure_queries_served() { return insecure_queries_served_; }
+
  private:
   ~TestHostResolverProc() override {}
+  uint32_t insecure_queries_served_;
 };
 
 class HttpWithDnsOverHttpsTest : public TestWithTaskEnvironment {
  public:
   HttpWithDnsOverHttpsTest()
       : resolver_(HostResolver::CreateStandaloneContextResolver(nullptr)),
+        host_resolver_proc_(new TestHostResolverProc()),
+        cert_verifier_(std::make_unique<MockCertVerifier>()),
         request_context_(true),
         doh_server_(EmbeddedTestServer::Type::TYPE_HTTPS),
         test_server_(EmbeddedTestServer::Type::TYPE_HTTPS),
         doh_queries_served_(0),
-        test_requests_served_(0) {
+        test_https_requests_served_(0) {
     doh_server_.RegisterRequestHandler(
         base::BindRepeating(&HttpWithDnsOverHttpsTest::HandleDefaultConnect,
                             base::Unretained(this)));
@@ -69,7 +78,7 @@ class HttpWithDnsOverHttpsTest : public TestWithTaskEnvironment {
                             base::Unretained(this)));
     EXPECT_TRUE(doh_server_.Start());
     EXPECT_TRUE(test_server_.Start());
-    GURL url(doh_server_.GetURL("/dns_query"));
+    GURL url(doh_server_.GetURL("doh-server.com", "/dns_query"));
     std::unique_ptr<DnsClient> dns_client(DnsClient::CreateClient(nullptr));
 
     DnsConfig config;
@@ -79,7 +88,7 @@ class HttpWithDnsOverHttpsTest : public TestWithTaskEnvironment {
 
     resolver_->SetRequestContext(&request_context_);
     resolver_->SetProcParamsForTesting(
-        ProcTaskParams(new TestHostResolverProc(), 1));
+        ProcTaskParams(host_resolver_proc_.get(), 1));
     resolver_->GetManagerForTesting()->SetDnsClientForTesting(
         std::move(dns_client));
 
@@ -90,8 +99,11 @@ class HttpWithDnsOverHttpsTest : public TestWithTaskEnvironment {
     overrides.use_local_ipv6 = true;
     resolver_->GetManagerForTesting()->SetDnsConfigOverrides(
         std::move(overrides));
-
     request_context_.set_host_resolver(resolver_.get());
+
+    cert_verifier_->set_default_result(net::OK);
+    request_context_.set_cert_verifier(cert_verifier_.get());
+
     request_context_.Init();
   }
 
@@ -138,7 +150,7 @@ class HttpWithDnsOverHttpsTest : public TestWithTaskEnvironment {
       http_response->set_content_type("application/dns-message");
       return std::move(http_response);
     } else {
-      test_requests_served_++;
+      test_https_requests_served_++;
       std::unique_ptr<test_server::BasicHttpResponse> http_response(
           new test_server::BasicHttpResponse);
       http_response->set_content(kTestBody);
@@ -149,11 +161,13 @@ class HttpWithDnsOverHttpsTest : public TestWithTaskEnvironment {
 
  protected:
   std::unique_ptr<ContextHostResolver> resolver_;
+  scoped_refptr<net::TestHostResolverProc> host_resolver_proc_;
+  std::unique_ptr<MockCertVerifier> cert_verifier_;
   TestURLRequestContext request_context_;
   EmbeddedTestServer doh_server_;
   EmbeddedTestServer test_server_;
   uint32_t doh_queries_served_;
-  uint32_t test_requests_served_;
+  uint32_t test_https_requests_served_;
 };
 
 class TestHttpDelegate : public HttpStreamRequest::Delegate {
@@ -238,6 +252,13 @@ TEST_F(HttpWithDnsOverHttpsTest, EndToEnd) {
                 ->IdleSocketCountInGroup(group_id),
             1u);
 
+  // The domain "localhost" is resolved locally, so no DNS lookups should have
+  // occurred.
+  EXPECT_EQ(doh_queries_served_, 0u);
+  EXPECT_EQ(host_resolver_proc_->insecure_queries_served(), 0u);
+  // A stream was established, but no HTTPS request has been made yet.
+  EXPECT_EQ(test_https_requests_served_, 0u);
+
   // Make a request that will trigger a DoH query as well.
   TestDelegate d;
   d.set_allow_certificate_errors(true);
@@ -249,8 +270,17 @@ TEST_F(HttpWithDnsOverHttpsTest, EndToEnd) {
   EXPECT_TRUE(test_server_.ShutdownAndWaitUntilComplete());
   EXPECT_TRUE(http_server.ShutdownAndWaitUntilComplete());
   EXPECT_TRUE(doh_server_.ShutdownAndWaitUntilComplete());
+
+  // There should be two DoH lookups for "bar.example.com" (both A and AAAA
+  // records are queried).
   EXPECT_EQ(doh_queries_served_, 2u);
-  EXPECT_EQ(test_requests_served_, 1u);
+  // The requests to the DoH server are pooled, so there should only be one
+  // insecure lookup for the DoH server hostname.
+  EXPECT_EQ(host_resolver_proc_->insecure_queries_served(), 1u);
+  // There should be one non-DoH HTTPS request for the connection to
+  // "bar.example.com".
+  EXPECT_EQ(test_https_requests_served_, 1u);
+
   EXPECT_TRUE(d.response_completed());
   EXPECT_EQ(d.request_status(), 0);
   EXPECT_EQ(d.data_received(), kTestBody);
diff --git a/chromium/net/url_request/redirect_info_unittest.cc b/chromium/net/url_request/redirect_info_unittest.cc
index d92e688a021..cc304bbab67 100644
--- a/chromium/net/url_request/redirect_info_unittest.cc
+++ b/chromium/net/url_request/redirect_info_unittest.cc
@@ -81,7 +81,7 @@ TEST(RedirectInfoTest, CopyFragment) {
        "http://foo.test/redirected#2"},
   };
 
-  const std::string KOriginalMethod = "GET";
+  const std::string kOriginalMethod = "GET";
   const GURL kOriginalSiteForCookies = GURL("https://foo.test/");
   const URLRequest::FirstPartyURLPolicy kOriginalFirstPartyUrlPolicy =
       net::URLRequest::NEVER_CHANGE_FIRST_PARTY_URL;
@@ -98,7 +98,7 @@ TEST(RedirectInfoTest, CopyFragment) {
                  << " new_location: " << test.new_location);
 
     RedirectInfo redirect_info = RedirectInfo::ComputeRedirectInfo(
-        KOriginalMethod, GURL(test.original_url), kOriginalSiteForCookies,
+        kOriginalMethod, GURL(test.original_url), kOriginalSiteForCookies,
         kOriginalFirstPartyUrlPolicy, kOriginalReferrerPolicy,
         kOriginalReferrer, kHttpStatusCode, GURL(test.new_location),
         base::nullopt /* referrer_policy_header */, kInsecureSchemeWasUpgraded,
@@ -119,7 +119,7 @@ TEST(RedirectInfoTest, FirstPartyURLPolicy) {
        "https://foo.test/redirected"},
   };
 
-  const std::string KOriginalMethod = "GET";
+  const std::string kOriginalMethod = "GET";
   const GURL kOriginalUrl = GURL("https://foo.test/");
   const GURL kOriginalSiteForCookies = GURL("https://foo.test/");
   const URLRequest::ReferrerPolicy kOriginalReferrerPolicy =
@@ -136,7 +136,7 @@ TEST(RedirectInfoTest, FirstPartyURLPolicy) {
                  << static_cast<int>(test.original_first_party_url_policy));
 
     RedirectInfo redirect_info = RedirectInfo::ComputeRedirectInfo(
-        KOriginalMethod, kOriginalUrl, kOriginalSiteForCookies,
+        kOriginalMethod, kOriginalUrl, kOriginalSiteForCookies,
         test.original_first_party_url_policy, kOriginalReferrerPolicy,
         kOriginalReferrer, kHttpStatusCode, kNewLocation,
         base::nullopt /* referrer_policy_header */, kInsecureSchemeWasUpgraded,
@@ -420,7 +420,7 @@ TEST(RedirectInfoTest, ReferrerPolicy) {
        "http://foo.test/one" /* expected new referrer */},
   };
 
-  const std::string KOriginalMethod = "GET";
+  const std::string kOriginalMethod = "GET";
   const GURL kOriginalSiteForCookies = GURL("https://foo.test/");
   const URLRequest::FirstPartyURLPolicy kOriginalFirstPartyUrlPolicy =
       net::URLRequest::NEVER_CHANGE_FIRST_PARTY_URL;
@@ -449,7 +449,7 @@ TEST(RedirectInfoTest, ReferrerPolicy) {
     const GURL new_location = original_url.Resolve(location_string);
 
     RedirectInfo redirect_info = RedirectInfo::ComputeRedirectInfo(
-        KOriginalMethod, original_url, kOriginalSiteForCookies,
+        kOriginalMethod, original_url, kOriginalSiteForCookies,
         kOriginalFirstPartyUrlPolicy, test.original_referrer_policy,
         test.original_referrer, response_headers->response_code(), new_location,
         RedirectUtil::GetReferrerPolicyHeader(response_headers.get()),
diff --git a/chromium/net/url_request/url_fetcher_response_writer_unittest.cc b/chromium/net/url_request/url_fetcher_response_writer_unittest.cc
index b5379a5a62e..33306361847 100644
--- a/chromium/net/url_request/url_fetcher_response_writer_unittest.cc
+++ b/chromium/net/url_request/url_fetcher_response_writer_unittest.cc
@@ -61,6 +61,7 @@ class URLFetcherFileWriterTest : public PlatformTest,
                                  public WithTaskEnvironment {
  protected:
   void SetUp() override {
+    PlatformTest::SetUp();
     ASSERT_TRUE(temp_dir_.CreateUniqueTempDir());
     file_path_ = temp_dir_.GetPath().AppendASCII("test.txt");
     writer_.reset(new URLFetcherFileWriter(base::ThreadTaskRunnerHandle::Get(),
@@ -68,6 +69,11 @@ class URLFetcherFileWriterTest : public PlatformTest,
     buf_ = base::MakeRefCounted<StringIOBuffer>(kData);
   }
 
+  void TearDown() override {
+    ASSERT_TRUE(temp_dir_.Delete());
+    PlatformTest::TearDown();
+  }
+
   base::ScopedTempDir temp_dir_;
   base::FilePath file_path_;
   std::unique_ptr<URLFetcherFileWriter> writer_;
@@ -187,6 +193,10 @@ TEST_F(URLFetcherFileWriterTest, InitializeAgainAfterFinishWithError) {
   EXPECT_THAT(callback4.WaitForResult(), IsOk());
   // Verify the result.
   EXPECT_TRUE(base::PathExists(file_path_));
+
+  // Destroy the writer and allow all files to be closed.
+  writer_.reset();
+  base::RunLoop().RunUntilIdle();
 }
 
 TEST_F(URLFetcherFileWriterTest, DisownFile) {
diff --git a/chromium/net/url_request/url_range_request_job.cc b/chromium/net/url_request/url_range_request_job.cc
deleted file mode 100644
index 68cf15660c4..00000000000
--- a/chromium/net/url_request/url_range_request_job.cc
+++ /dev/null
@@ -1,30 +0,0 @@
-// Copyright 2014 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "net/url_request/url_range_request_job.h"
-
-#include "net/base/net_errors.h"
-#include "net/http/http_request_headers.h"
-#include "net/http/http_util.h"
-
-namespace net {
-
-URLRangeRequestJob::URLRangeRequestJob(URLRequest* request,
-    NetworkDelegate* delegate)
-    : URLRequestJob(request, delegate), range_parse_result_(OK) {
-}
-
-URLRangeRequestJob::~URLRangeRequestJob() = default;
-
-void URLRangeRequestJob::SetExtraRequestHeaders(
-    const HttpRequestHeaders& headers) {
-  std::string range_header;
-  if (headers.GetHeader(HttpRequestHeaders::kRange, &range_header)) {
-    if (!HttpUtil::ParseRangeHeader(range_header, &ranges_)) {
-      range_parse_result_ = ERR_REQUEST_RANGE_NOT_SATISFIABLE;
-    }
-  }
-}
-
-}  // namespace net
diff --git a/chromium/net/url_request/url_range_request_job.h b/chromium/net/url_request/url_range_request_job.h
deleted file mode 100644
index 38a6802b85c..00000000000
--- a/chromium/net/url_request/url_range_request_job.h
+++ /dev/null
@@ -1,42 +0,0 @@
-// Copyright 2014 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef NET_URL_REQUEST_URL_RANGE_REQUEST_JOB_H_
-#define NET_URL_REQUEST_URL_RANGE_REQUEST_JOB_H_
-
-#include <vector>
-
-#include "net/base/net_export.h"
-#include "net/http/http_byte_range.h"
-#include "net/url_request/url_request_job.h"
-
-namespace net {
-
-class HttpRequestHeaders;
-
-// URLRequestJob with support for parsing range requests.
-// It is up to subclasses to handle the response
-// and deal with an errors parsing the range request header.
-// This must be done after Start() has been called.
-class NET_EXPORT URLRangeRequestJob : public URLRequestJob {
- public:
-  URLRangeRequestJob(URLRequest* request,
-                     NetworkDelegate* delegate);
-
-  void SetExtraRequestHeaders(const HttpRequestHeaders& headers) override;
-
-  const std::vector<HttpByteRange>& ranges() const { return ranges_; }
-  int range_parse_result() const { return range_parse_result_; }
-
- protected:
-  ~URLRangeRequestJob() override;
-
- private:
-  std::vector<HttpByteRange> ranges_;
-  int range_parse_result_;
-};
-
-}  // namespace net
-
-#endif  // NET_URL_REQUEST_URL_RANGE_REQUEST_JOB_H_
diff --git a/chromium/net/url_request/url_request.cc b/chromium/net/url_request/url_request.cc
index dabcd7afa65..b82b412c18d 100644
--- a/chromium/net/url_request/url_request.cc
+++ b/chromium/net/url_request/url_request.cc
@@ -278,6 +278,8 @@ base::Value URLRequest::GetStateAsValue() const {
     dict.SetStringKey("delegate_blocked_by", blocked_by_);
 
   dict.SetStringKey("method", method_);
+  dict.SetStringKey("network_isolation_key",
+                    network_isolation_key_.ToDebugString());
   dict.SetBoolKey("has_upload", has_upload());
   dict.SetBoolKey("is_pending", is_pending_);
 
@@ -442,21 +444,6 @@ void URLRequest::SetDefaultCookiePolicyToBlock() {
   g_default_can_use_cookies = false;
 }
 
-// static
-bool URLRequest::IsHandledProtocol(const std::string& scheme) {
-  return URLRequestJobManager::SupportsScheme(scheme);
-}
-
-// static
-bool URLRequest::IsHandledURL(const GURL& url) {
-  if (!url.is_valid()) {
-    // We handle error cases.
-    return true;
-  }
-
-  return IsHandledProtocol(url.scheme());
-}
-
 void URLRequest::set_site_for_cookies(const GURL& site_for_cookies) {
   DCHECK(!is_pending_);
   site_for_cookies_ = site_for_cookies;
@@ -635,7 +622,7 @@ void URLRequest::StartJob(URLRequestJob* job) {
 
   net_log_.BeginEvent(NetLogEventType::URL_REQUEST_START_JOB, [&] {
     return NetLogURLRequestStartParams(
-        url(), method_, load_flags_, privacy_mode_,
+        url(), method_, load_flags_, privacy_mode_, network_isolation_key_,
         upload_data_stream_ ? upload_data_stream_->identifier() : -1);
   });
 
@@ -657,8 +644,11 @@ void URLRequest::StartJob(URLRequestJob* job) {
   maybe_stored_cookies_.clear();
 
   GURL referrer_url(referrer_);
-  if (referrer_url != URLRequestJob::ComputeReferrerForPolicy(
-                          referrer_policy_, referrer_url, url())) {
+  bool same_origin_for_metrics;
+
+  if (referrer_url !=
+      URLRequestJob::ComputeReferrerForPolicy(
+          referrer_policy_, referrer_url, url(), &same_origin_for_metrics)) {
     if (!network_delegate_ ||
         !network_delegate_->CancelURLRequestWithPolicyViolatingReferrerHeader(
             *this, url(), referrer_url)) {
@@ -675,6 +665,8 @@ void URLRequest::StartJob(URLRequestJob* job) {
     }
   }
 
+  RecordReferrerGranularityMetrics(same_origin_for_metrics);
+
   // Start() always completes asynchronously.
   //
   // Status is generally set by URLRequestJob itself, but Start() calls
@@ -779,23 +771,6 @@ int URLRequest::Read(IOBuffer* dest, int dest_size) {
   return rv;
 }
 
-// Deprecated.
-bool URLRequest::Read(IOBuffer* dest, int dest_size, int* bytes_read) {
-  int result = Read(dest, dest_size);
-  if (result >= 0) {
-    *bytes_read = result;
-    return true;
-  }
-
-  if (result == ERR_IO_PENDING) {
-    *bytes_read = 0;
-  } else {
-    *bytes_read = -1;
-  }
-
-  return false;
-}
-
 void URLRequest::NotifyReceivedRedirect(const RedirectInfo& redirect_info,
                                         bool* defer_redirect) {
   is_redirecting_ = true;
@@ -1134,6 +1109,31 @@ void URLRequest::OnCallToDelegateComplete() {
   delegate_event_type_ = NetLogEventType::FAILED;
 }
 
+void URLRequest::RecordReferrerGranularityMetrics(
+    bool request_is_same_origin) const {
+  GURL referrer_url(referrer_);
+  bool referrer_more_descriptive_than_its_origin =
+      referrer_url.is_valid() && referrer_url.PathForRequestPiece().size() > 1;
+
+  // To avoid renaming the existing enum, we have to use the three-argument
+  // histogram macro.
+  if (request_is_same_origin) {
+    UMA_HISTOGRAM_ENUMERATION(
+        "Net.URLRequest.ReferrerPolicyForRequest.SameOrigin", referrer_policy_,
+        MAX_REFERRER_POLICY + 1);
+    UMA_HISTOGRAM_BOOLEAN(
+        "Net.URLRequest.ReferrerHasInformativePath.SameOrigin",
+        referrer_more_descriptive_than_its_origin);
+  } else {
+    UMA_HISTOGRAM_ENUMERATION(
+        "Net.URLRequest.ReferrerPolicyForRequest.CrossOrigin", referrer_policy_,
+        MAX_REFERRER_POLICY + 1);
+    UMA_HISTOGRAM_BOOLEAN(
+        "Net.URLRequest.ReferrerHasInformativePath.CrossOrigin",
+        referrer_more_descriptive_than_its_origin);
+  }
+}
+
 void URLRequest::GetConnectionAttempts(ConnectionAttempts* out) const {
   if (job_)
     job_->GetConnectionAttempts(out);
diff --git a/chromium/net/url_request/url_request.h b/chromium/net/url_request/url_request.h
index afbd582da10..672a5f93c06 100644
--- a/chromium/net/url_request/url_request.h
+++ b/chromium/net/url_request/url_request.h
@@ -93,32 +93,37 @@ class NET_EXPORT URLRequest : public base::SupportsUserData {
   // of the initial leg of the request; the caller is responsible for
   // setting the initial Referer, and the ReferrerPolicy only controls
   // what happens to the Referer while following redirects.
+  //
+  // NOTE: This enum is persisted to histograms. Do not change or reorder
+  // values.
+  // TODO(~M82): Once the Net.URLRequest.ReferrerPolicyForRequest
+  // metric is retired, remove this notice.
   enum ReferrerPolicy {
     // Clear the referrer header if the header value is HTTPS but the request
     // destination is HTTP. This is the default behavior of URLRequest.
-    CLEAR_REFERRER_ON_TRANSITION_FROM_SECURE_TO_INSECURE,
+    CLEAR_REFERRER_ON_TRANSITION_FROM_SECURE_TO_INSECURE = 0,
     // A slight variant on CLEAR_REFERRER_ON_TRANSITION_FROM_SECURE_TO_INSECURE:
     // If the request destination is HTTP, an HTTPS referrer will be cleared. If
     // the request's destination is cross-origin with the referrer (but does not
     // downgrade), the referrer's granularity will be stripped down to an origin
     // rather than a full URL. Same-origin requests will send the full referrer.
-    REDUCE_REFERRER_GRANULARITY_ON_TRANSITION_CROSS_ORIGIN,
+    REDUCE_REFERRER_GRANULARITY_ON_TRANSITION_CROSS_ORIGIN = 1,
     // Strip the referrer down to an origin when the origin of the referrer is
     // different from the destination's origin.
-    ORIGIN_ONLY_ON_TRANSITION_CROSS_ORIGIN,
+    ORIGIN_ONLY_ON_TRANSITION_CROSS_ORIGIN = 2,
     // Never change the referrer.
-    NEVER_CLEAR_REFERRER,
+    NEVER_CLEAR_REFERRER = 3,
     // Strip the referrer down to the origin regardless of the redirect
     // location.
-    ORIGIN,
+    ORIGIN = 4,
     // Clear the referrer when the request's referrer is cross-origin with
     // the request's destination.
-    CLEAR_REFERRER_ON_TRANSITION_CROSS_ORIGIN,
+    CLEAR_REFERRER_ON_TRANSITION_CROSS_ORIGIN = 5,
     // Strip the referrer down to the origin, but clear it entirely if the
     // referrer value is HTTPS and the destination is HTTP.
-    ORIGIN_CLEAR_ON_TRANSITION_FROM_SECURE_TO_INSECURE,
+    ORIGIN_CLEAR_ON_TRANSITION_FROM_SECURE_TO_INSECURE = 6,
     // Always clear the referrer regardless of the request destination.
-    NO_REFERRER,
+    NO_REFERRER = 7,
     MAX_REFERRER_POLICY = NO_REFERRER
   };
 
@@ -153,12 +158,9 @@ class NET_EXPORT URLRequest : public base::SupportsUserData {
   //   Read() initiated by delegate
   //    - OnReadCompleted* (zero or more calls until all data is read)
   //
-  // Read() must be called at least once. Read() returns true when it completed
-  // immediately, and false if an IO is pending or if there is an error.  When
-  // Read() returns false, the caller can check the Request's status() to see
-  // if an error occurred, or if the IO is just pending.  When Read() returns
-  // true with zero bytes read, it indicates the end of the response.
-  //
+  // Read() must be called at least once. Read() returns bytes read when it
+  // completes immediately, and a negative error value if an IO is pending or if
+  // there is an error.
   class NET_EXPORT Delegate {
    public:
     // Called upon receiving a redirect.  The delegate may call the request's
@@ -247,17 +249,6 @@ class NET_EXPORT URLRequest : public base::SupportsUserData {
   // started. Once it was set to block all cookies, it cannot be changed back.
   static void SetDefaultCookiePolicyToBlock();
 
-  // Returns true if the scheme can be handled by URLRequest. False otherwise.
-  static bool IsHandledProtocol(const std::string& scheme);
-
-  // Returns true if the url can be handled by URLRequest. False otherwise.
-  // The function returns true for invalid urls because URLRequest knows how
-  // to handle those.
-  // NOTE: This will also return true for URLs that are handled by
-  // ProtocolFactories that only work for requests that are scoped to a
-  // Profile.
-  static bool IsHandledURL(const GURL& url);
-
   // The original url is the url used to initialize the request, and it may
   // differ from the url if the request was redirected.
   const GURL& original_url() const { return url_chain_.front(); }
@@ -613,7 +604,7 @@ class NET_EXPORT URLRequest : public base::SupportsUserData {
   // request.
   void CancelWithSSLError(int error, const SSLInfo& ssl_info);
 
-  //  Read initiates an asynchronous read from the response, and must only be
+  // Read initiates an asynchronous read from the response, and must only be
   // called after the OnResponseStarted callback is received with a net::OK. If
   // data is available, length and the data will be returned immediately. If the
   // request has failed, an error code will be returned. If data is not yet
@@ -628,9 +619,6 @@ class NET_EXPORT URLRequest : public base::SupportsUserData {
   //
   // The |max_bytes| parameter is the maximum number of bytes to read.
   int Read(IOBuffer* buf, int max_bytes);
-  // Deprecated.
-  // TODO(maksims): Remove this.
-  bool Read(IOBuffer* buf, int max_bytes, int* bytes_read);
 
   // This method may be called to follow a redirect that was deferred in
   // response to an OnReceivedRedirect call. If non-null,
@@ -836,6 +824,12 @@ class NET_EXPORT URLRequest : public base::SupportsUserData {
   // cancellation.
   void OnCallToDelegateComplete();
 
+  // Records the referrer policy of the given request, bucketed by
+  // whether the request is same-origin or not. To save computation,
+  // takes this fact as a boolean parameter rather than dynamically
+  // checking.
+  void RecordReferrerGranularityMetrics(bool request_is_same_origin) const;
+
   // Contextual information used for this request. Cannot be NULL. This contains
   // most of the dependencies which are shared between requests (disk cache,
   // cookie store, socket pool, etc.)
diff --git a/chromium/net/url_request/url_request_context.cc b/chromium/net/url_request/url_request_context.cc
index 4b7b5547750..e6ff304cc65 100644
--- a/chromium/net/url_request/url_request_context.cc
+++ b/chromium/net/url_request/url_request_context.cc
@@ -46,6 +46,7 @@ URLRequestContext::URLRequestContext(bool allow_copy)
       http_transaction_factory_(nullptr),
       job_factory_(nullptr),
       throttler_manager_(nullptr),
+      quic_context_(nullptr),
       network_quality_estimator_(nullptr),
 #if BUILDFLAG(ENABLE_REPORTING)
       reporting_service_(nullptr),
@@ -174,6 +175,7 @@ void URLRequestContext::CopyFrom(const URLRequestContext* other) {
   set_http_transaction_factory(other->http_transaction_factory_);
   set_job_factory(other->job_factory_);
   set_throttler_manager(other->throttler_manager_);
+  set_quic_context(other->quic_context_);
   set_http_user_agent_settings(other->http_user_agent_settings_);
   set_network_quality_estimator(other->network_quality_estimator_);
 #if BUILDFLAG(ENABLE_REPORTING)
diff --git a/chromium/net/url_request/url_request_context.h b/chromium/net/url_request/url_request_context.h
index 3e4b923e4fb..9c8e79bc79a 100644
--- a/chromium/net/url_request/url_request_context.h
+++ b/chromium/net/url_request/url_request_context.h
@@ -54,6 +54,7 @@ class NetworkDelegate;
 class NetworkQualityEstimator;
 class ProxyDelegate;
 class ProxyResolutionService;
+class QuicContext;
 class SSLConfigService;
 class URLRequest;
 class URLRequestJobFactory;
@@ -228,6 +229,11 @@ class NET_EXPORT URLRequestContext
     throttler_manager_ = throttler_manager;
   }
 
+  QuicContext* quic_context() const { return quic_context_; }
+  void set_quic_context(QuicContext* quic_context) {
+    quic_context_ = quic_context;
+  }
+
   // Gets the URLRequest objects that hold a reference to this
   // URLRequestContext.
   std::set<const URLRequest*>* url_requests() const {
@@ -349,6 +355,7 @@ class NET_EXPORT URLRequestContext
   HttpTransactionFactory* http_transaction_factory_;
   const URLRequestJobFactory* job_factory_;
   URLRequestThrottlerManager* throttler_manager_;
+  QuicContext* quic_context_;
   NetworkQualityEstimator* network_quality_estimator_;
 #if BUILDFLAG(ENABLE_REPORTING)
   ReportingService* reporting_service_;
diff --git a/chromium/net/url_request/url_request_context_builder.cc b/chromium/net/url_request/url_request_context_builder.cc
index 7825bf238ed..759363ac6db 100644
--- a/chromium/net/url_request/url_request_context_builder.cc
+++ b/chromium/net/url_request/url_request_context_builder.cc
@@ -36,9 +36,9 @@
 #include "net/log/net_log.h"
 #include "net/net_buildflags.h"
 #include "net/nqe/network_quality_estimator.h"
+#include "net/quic/quic_context.h"
 #include "net/quic/quic_stream_factory.h"
 #include "net/ssl/ssl_config_service_defaults.h"
-#include "net/url_request/data_protocol_handler.h"
 #include "net/url_request/static_http_user_agent_settings.h"
 #include "net/url_request/url_request_context.h"
 #include "net/url_request/url_request_context_storage.h"
@@ -89,7 +89,7 @@ class BasicNetworkDelegate : public NetworkDelegateImpl {
       const HttpResponseHeaders* original_response_headers,
       scoped_refptr<HttpResponseHeaders>* override_response_headers,
       const IPEndPoint& endpoint,
-      GURL* allowed_unsafe_redirect_url) override {
+      base::Optional<GURL>* preserve_fragment_on_redirect_url) override {
     return OK;
   }
 
@@ -203,6 +203,7 @@ void URLRequestContextBuilder::SetHttpNetworkSessionComponents(
       request_context->http_auth_handler_factory();
   session_context->http_server_properties =
       request_context->http_server_properties();
+  session_context->quic_context = request_context->quic_context();
   session_context->net_log = request_context->net_log();
   session_context->network_quality_estimator =
       request_context->network_quality_estimator();
@@ -259,6 +260,11 @@ void URLRequestContextBuilder::set_ct_policy_enforcer(
   ct_policy_enforcer_ = std::move(ct_policy_enforcer);
 }
 
+void URLRequestContextBuilder::set_quic_context(
+    std::unique_ptr<QuicContext> quic_context) {
+  quic_context_ = std::move(quic_context);
+}
+
 void URLRequestContextBuilder::SetCertVerifier(
     std::unique_ptr<CertVerifier> cert_verifier) {
   DCHECK(!shared_cert_verifier_);
@@ -388,7 +394,7 @@ std::unique_ptr<URLRequestContext> URLRequestContextBuilder::Build() {
     // builder or resulting context.
     context->set_net_log(net_log_);
   } else {
-    storage->set_net_log(std::make_unique<NetLog>());
+    context->set_net_log(NetLog::Get());
   }
 
   if (host_resolver_) {
@@ -472,7 +478,7 @@ std::unique_ptr<URLRequestContext> URLRequestContextBuilder::Build() {
   } else if (shared_cert_verifier_) {
     context->set_cert_verifier(shared_cert_verifier_);
   } else {
-    // TODO(mattm): Should URLRequestContextBuilder create a CertNetFetcherImpl?
+    // TODO(mattm): Should URLRequestContextBuilder create a CertNetFetcher?
     storage->set_cert_verifier(
         CertVerifier::CreateDefault(/*cert_net_fetcher=*/nullptr));
   }
@@ -490,6 +496,12 @@ std::unique_ptr<URLRequestContext> URLRequestContextBuilder::Build() {
         std::make_unique<DefaultCTPolicyEnforcer>());
   }
 
+  if (quic_context_) {
+    storage->set_quic_context(std::move(quic_context_));
+  } else {
+    storage->set_quic_context(std::make_unique<QuicContext>());
+  }
+
   if (throttling_enabled_) {
     storage->set_throttler_manager(
         std::make_unique<URLRequestThrottlerManager>());
@@ -610,17 +622,13 @@ std::unique_ptr<URLRequestContext> URLRequestContextBuilder::Build() {
 
   URLRequestJobFactoryImpl* job_factory = new URLRequestJobFactoryImpl;
   // Adds caller-provided protocol handlers first so that these handlers are
-  // used over data/file/ftp handlers below.
+  // used over the ftp handler below.
   for (auto& scheme_handler : protocol_handlers_) {
     job_factory->SetProtocolHandler(scheme_handler.first,
                                     std::move(scheme_handler.second));
   }
   protocol_handlers_.clear();
 
-  if (data_enabled_)
-    job_factory->SetProtocolHandler(url::kDataScheme,
-                                    std::make_unique<DataProtocolHandler>());
-
 #if !BUILDFLAG(DISABLE_FTP_SUPPORT)
   if (ftp_enabled_) {
     storage->set_ftp_auth_cache(std::make_unique<FtpAuthCache>());
diff --git a/chromium/net/url_request/url_request_context_builder.h b/chromium/net/url_request/url_request_context_builder.h
index 203a6fea76f..9a3f5e067b6 100644
--- a/chromium/net/url_request/url_request_context_builder.h
+++ b/chromium/net/url_request/url_request_context_builder.h
@@ -195,9 +195,6 @@ class NET_EXPORT URLRequestContextBuilder {
   void set_http_user_agent_settings(
       std::unique_ptr<HttpUserAgentSettings> http_user_agent_settings);
 
-  // Control support for data:// requests. By default it's disabled.
-  void set_data_enabled(bool enable) { data_enabled_ = enable; }
-
 #if !BUILDFLAG(DISABLE_FTP_SUPPORT)
   // Control support for ftp:// requests. By default it's disabled.
   void set_ftp_enabled(bool enable) { ftp_enabled_ = enable; }
@@ -283,6 +280,7 @@ class NET_EXPORT URLRequestContextBuilder {
   void set_ct_verifier(std::unique_ptr<CTVerifier> ct_verifier);
   void set_ct_policy_enforcer(
       std::unique_ptr<CTPolicyEnforcer> ct_policy_enforcer);
+  void set_quic_context(std::unique_ptr<QuicContext> quic_context);
 
   void SetCertVerifier(std::unique_ptr<CertVerifier> cert_verifier);
   // Same as above, but does not take ownership. The CertVerifier must outlive
@@ -357,8 +355,6 @@ class NET_EXPORT URLRequestContextBuilder {
   std::string user_agent_;
   std::unique_ptr<HttpUserAgentSettings> http_user_agent_settings_;
 
-  // Include support for data:// requests.
-  bool data_enabled_ = false;
 #if !BUILDFLAG(DISABLE_FTP_SUPPORT)
   // Include support for ftp:// requests.
   bool ftp_enabled_ = false;
@@ -389,6 +385,7 @@ class NET_EXPORT URLRequestContextBuilder {
   CertVerifier* shared_cert_verifier_ = nullptr;
   std::unique_ptr<CTVerifier> ct_verifier_;
   std::unique_ptr<CTPolicyEnforcer> ct_policy_enforcer_;
+  std::unique_ptr<QuicContext> quic_context_;
 #if BUILDFLAG(ENABLE_REPORTING)
   std::unique_ptr<ReportingPolicy> reporting_policy_;
   bool network_error_logging_enabled_ = false;
diff --git a/chromium/net/url_request/url_request_context_builder_unittest.cc b/chromium/net/url_request/url_request_context_builder_unittest.cc
index 35571c3ae69..419068c457b 100644
--- a/chromium/net/url_request/url_request_context_builder_unittest.cc
+++ b/chromium/net/url_request/url_request_context_builder_unittest.cc
@@ -63,7 +63,7 @@ class MockHttpAuthHandlerFactory : public HttpAuthHandlerFactory {
                         std::unique_ptr<HttpAuthHandler>* handler) override {
     handler->reset();
 
-    return challenge->scheme() == supported_scheme_
+    return challenge->auth_scheme() == supported_scheme_
                ? return_code_
                : ERR_UNSUPPORTED_AUTH_SCHEME;
   }
@@ -139,7 +139,7 @@ TEST_F(URLRequestContextBuilderTest, CustomHttpAuthHandlerFactory) {
   const int kBasicReturnCode = OK;
   std::unique_ptr<HttpAuthHandler> handler;
   builder_.SetHttpAuthHandlerFactory(
-      std::make_unique<MockHttpAuthHandlerFactory>("ExtraScheme",
+      std::make_unique<MockHttpAuthHandlerFactory>("extrascheme",
                                                    kBasicReturnCode));
   std::unique_ptr<URLRequestContext> context(builder_.Build());
   SSLInfo null_ssl_info;
diff --git a/chromium/net/url_request/url_request_context_storage.cc b/chromium/net/url_request/url_request_context_storage.cc
index aa1e7d33d62..258c5700f5b 100644
--- a/chromium/net/url_request/url_request_context_storage.cc
+++ b/chromium/net/url_request/url_request_context_storage.cc
@@ -18,8 +18,8 @@
 #include "net/http/http_auth_handler_factory.h"
 #include "net/http/http_server_properties.h"
 #include "net/http/http_transaction_factory.h"
-#include "net/log/net_log.h"
 #include "net/proxy_resolution/proxy_resolution_service.h"
+#include "net/quic/quic_context.h"
 #include "net/url_request/url_request_context.h"
 #include "net/url_request/url_request_job_factory.h"
 #include "net/url_request/url_request_throttler_manager.h"
@@ -43,11 +43,6 @@ URLRequestContextStorage::URLRequestContextStorage(URLRequestContext* context)
 
 URLRequestContextStorage::~URLRequestContextStorage() = default;
 
-void URLRequestContextStorage::set_net_log(std::unique_ptr<NetLog> net_log) {
-  context_->set_net_log(net_log.get());
-  net_log_ = std::move(net_log);
-}
-
 void URLRequestContextStorage::set_host_resolver(
     std::unique_ptr<HostResolver> host_resolver) {
   context_->set_host_resolver(host_resolver.get());
@@ -143,6 +138,12 @@ void URLRequestContextStorage::set_throttler_manager(
   throttler_manager_ = std::move(throttler_manager);
 }
 
+void URLRequestContextStorage::set_quic_context(
+    std::unique_ptr<QuicContext> quic_context) {
+  context_->set_quic_context(quic_context.get());
+  quic_context_ = std::move(quic_context);
+}
+
 void URLRequestContextStorage::set_http_user_agent_settings(
     std::unique_ptr<HttpUserAgentSettings> http_user_agent_settings) {
   context_->set_http_user_agent_settings(http_user_agent_settings.get());
diff --git a/chromium/net/url_request/url_request_context_storage.h b/chromium/net/url_request/url_request_context_storage.h
index a91bb3d060b..bda9e883edd 100644
--- a/chromium/net/url_request/url_request_context_storage.h
+++ b/chromium/net/url_request/url_request_context_storage.h
@@ -26,10 +26,10 @@ class HttpNetworkSession;
 class HttpServerProperties;
 class HttpTransactionFactory;
 class HttpUserAgentSettings;
-class NetLog;
 class NetworkDelegate;
 class ProxyDelegate;
 class ProxyResolutionService;
+class QuicContext;
 class SSLConfigService;
 class TransportSecurityState;
 class URLRequestContext;
@@ -55,7 +55,6 @@ class NET_EXPORT URLRequestContextStorage {
   // These setters will set both the member variables and call the setter on the
   // URLRequestContext object. In all cases, ownership is passed to |this|.
 
-  void set_net_log(std::unique_ptr<NetLog> net_log);
   void set_host_resolver(std::unique_ptr<HostResolver> host_resolver);
   void set_cert_verifier(std::unique_ptr<CertVerifier> cert_verifier);
   void set_http_auth_handler_factory(
@@ -82,6 +81,7 @@ class NET_EXPORT URLRequestContextStorage {
   void set_job_factory(std::unique_ptr<URLRequestJobFactory> job_factory);
   void set_throttler_manager(
       std::unique_ptr<URLRequestThrottlerManager> throttler_manager);
+  void set_quic_context(std::unique_ptr<QuicContext> quic_context);
   void set_http_user_agent_settings(
       std::unique_ptr<HttpUserAgentSettings> http_user_agent_settings);
 #if !BUILDFLAG(DISABLE_FTP_SUPPORT)
@@ -110,7 +110,6 @@ class NET_EXPORT URLRequestContextStorage {
   URLRequestContext* const context_;
 
   // Owned members.
-  std::unique_ptr<NetLog> net_log_;
   std::unique_ptr<HostResolver> host_resolver_;
   std::unique_ptr<CertVerifier> cert_verifier_;
   std::unique_ptr<HttpAuthHandlerFactory> http_auth_handler_factory_;
@@ -124,6 +123,7 @@ class NET_EXPORT URLRequestContextStorage {
   std::unique_ptr<TransportSecurityState> transport_security_state_;
   std::unique_ptr<CTVerifier> cert_transparency_verifier_;
   std::unique_ptr<CTPolicyEnforcer> ct_policy_enforcer_;
+  std::unique_ptr<QuicContext> quic_context_;
 #if !BUILDFLAG(DISABLE_FTP_SUPPORT)
   std::unique_ptr<FtpAuthCache> ftp_auth_cache_;
 #endif  // !BUILDFLAG(DISABLE_FTP_SUPPORT)
diff --git a/chromium/net/url_request/url_request_data_job.cc b/chromium/net/url_request/url_request_data_job.cc
deleted file mode 100644
index d297f1177c6..00000000000
--- a/chromium/net/url_request/url_request_data_job.cc
+++ /dev/null
@@ -1,73 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-// Simple implementation of a data: protocol handler.
-
-#include "net/url_request/url_request_data_job.h"
-
-#include "net/base/data_url.h"
-#include "net/base/net_errors.h"
-#include "net/http/http_response_headers.h"
-#include "url/gurl.h"
-
-namespace net {
-
-int URLRequestDataJob::BuildResponse(const GURL& url,
-                                     base::StringPiece method,
-                                     std::string* mime_type,
-                                     std::string* charset,
-                                     std::string* data,
-                                     HttpResponseHeaders* headers) {
-  if (!DataURL::Parse(url, mime_type, charset, data))
-    return ERR_INVALID_URL;
-
-  // |mime_type| set by DataURL::Parse() is guaranteed to be in
-  //     token "/" token
-  // form. |charset| can be an empty string.
-
-  DCHECK(!mime_type->empty());
-
-  if (headers) {
-    headers->ReplaceStatusLine("HTTP/1.1 200 OK");
-    // "charset" in the Content-Type header is specified explicitly to follow
-    // the "token" ABNF in the HTTP spec. When DataURL::Parse() call is
-    // successful, it's guaranteed that the string in |charset| follows the
-    // "token" ABNF.
-    std::string content_type_header = "Content-Type: " + *mime_type;
-    if (!charset->empty())
-      content_type_header.append(";charset=" + *charset);
-    headers->AddHeader(content_type_header);
-  }
-
-  if (base::EqualsCaseInsensitiveASCII(method, "HEAD")) {
-    data->clear();
-  }
-
-  return OK;
-}
-
-URLRequestDataJob::URLRequestDataJob(
-    URLRequest* request, NetworkDelegate* network_delegate)
-    : URLRequestSimpleJob(request, network_delegate) {
-}
-
-int URLRequestDataJob::GetData(std::string* mime_type,
-                               std::string* charset,
-                               std::string* data,
-                               CompletionOnceCallback callback) const {
-  // Check if data URL is valid. If not, don't bother to try to extract data.
-  // Otherwise, parse the data from the data URL.
-  const GURL& url = request_->url();
-  if (!url.is_valid())
-    return ERR_INVALID_URL;
-
-  // TODO(tyoshino): Get the headers and export via
-  // URLRequestJob::GetResponseInfo().
-  return BuildResponse(url, request_->method(), mime_type, charset, data,
-                       nullptr);
-}
-
-URLRequestDataJob::~URLRequestDataJob() = default;
-
-}  // namespace net
diff --git a/chromium/net/url_request/url_request_data_job.h b/chromium/net/url_request/url_request_data_job.h
deleted file mode 100644
index cc3e7b6683b..00000000000
--- a/chromium/net/url_request/url_request_data_job.h
+++ /dev/null
@@ -1,50 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef NET_URL_REQUEST_URL_REQUEST_DATA_JOB_H_
-#define NET_URL_REQUEST_URL_REQUEST_DATA_JOB_H_
-
-#include <string>
-
-#include "base/macros.h"
-#include "net/base/completion_once_callback.h"
-#include "net/base/net_export.h"
-#include "net/url_request/url_request.h"
-#include "net/url_request/url_request_simple_job.h"
-
-class GURL;
-
-namespace net {
-
-class HttpResponseHeaders;
-class URLRequest;
-
-class NET_EXPORT URLRequestDataJob : public URLRequestSimpleJob {
- public:
-  // Extracts info from a data scheme URL. Returns OK if successful. Returns
-  // ERR_INVALID_URL otherwise.
-  static int BuildResponse(const GURL& url,
-                           base::StringPiece method,
-                           std::string* mime_type,
-                           std::string* charset,
-                           std::string* data,
-                           HttpResponseHeaders* headers);
-
-  URLRequestDataJob(URLRequest* request, NetworkDelegate* network_delegate);
-
-  // URLRequestSimpleJob
-  int GetData(std::string* mime_type,
-              std::string* charset,
-              std::string* data,
-              CompletionOnceCallback callback) const override;
-
- private:
-  ~URLRequestDataJob() override;
-
-  DISALLOW_COPY_AND_ASSIGN(URLRequestDataJob);
-};
-
-}  // namespace net
-
-#endif  // NET_URL_REQUEST_URL_REQUEST_DATA_JOB_H_
diff --git a/chromium/net/url_request/url_request_data_job_fuzzer.cc b/chromium/net/url_request/url_request_data_job_fuzzer.cc
deleted file mode 100644
index 8432df2722e..00000000000
--- a/chromium/net/url_request/url_request_data_job_fuzzer.cc
+++ /dev/null
@@ -1,178 +0,0 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include <stddef.h>
-#include <stdint.h>
-
-#include <fuzzer/FuzzedDataProvider.h>
-
-#include <string>
-
-#include "base/memory/singleton.h"
-#include "base/run_loop.h"
-#include "base/threading/thread_task_runner_handle.h"
-#include "net/http/http_request_headers.h"
-#include "net/traffic_annotation/network_traffic_annotation_test_helper.h"
-#include "net/url_request/data_protocol_handler.h"
-#include "net/url_request/url_request.h"
-#include "net/url_request/url_request_job_factory_impl.h"
-#include "net/url_request/url_request_test_util.h"
-
-namespace {
-
-const size_t kMaxLengthForFuzzedRange = 32;
-
-}  // namespace
-
-// This class tests creating and reading to completion a URLRequest with fuzzed
-// input. The fuzzer provides a data: URL and optionally generates custom Range
-// headers. The amount of data read in each Read call is also fuzzed, as is
-// the size of the IOBuffer to read data into.
-class URLRequestDataJobFuzzerHarness : public net::URLRequest::Delegate {
- public:
-  URLRequestDataJobFuzzerHarness()
-      : task_runner_(base::ThreadTaskRunnerHandle::Get()), context_(true) {
-    job_factory_.SetProtocolHandler(
-        "data", std::make_unique<net::DataProtocolHandler>());
-    context_.set_job_factory(&job_factory_);
-    context_.Init();
-  }
-
-  static URLRequestDataJobFuzzerHarness* GetInstance() {
-    return base::Singleton<URLRequestDataJobFuzzerHarness>::get();
-  }
-
-  int CreateAndReadFromDataURLRequest(const uint8_t* data, size_t size) {
-    FuzzedDataProvider provider(data, size);
-    read_lengths_.clear();
-
-    // Allocate an IOBuffer with fuzzed size.
-    int buf_size = provider.ConsumeIntegralInRange(1, 127);  // 7 bits.
-    buf_ = base::MakeRefCounted<net::IOBufferWithSize>(buf_size);
-
-    // Generate a range header, and a bool determining whether to use it.
-    // Generate the header regardless of the bool value to keep the data URL and
-    // header in consistent byte addresses so the fuzzer doesn't have to work as
-    // hard.
-    bool use_range = provider.ConsumeBool();
-    std::string range = provider.ConsumeBytesAsString(kMaxLengthForFuzzedRange);
-
-    // Generate a sequence of reads sufficient to read the entire data URL,
-    // capping it at 20000 reads, to avoid hangs. Once the limit is reached,
-    // all subsequent reads will be 32k.
-    size_t simulated_bytes_read = 0;
-    while (simulated_bytes_read < provider.remaining_bytes() &&
-           read_lengths_.size() < 20000u) {
-      size_t read_length = provider.ConsumeIntegralInRange(1, buf_size);
-      read_lengths_.push_back(read_length);
-      simulated_bytes_read += read_length;
-    }
-
-    // The data URL is the rest of the fuzzed data with "data:" prepended, to
-    // ensure that if it's a URL, it's a data URL. If the URL is invalid just
-    // use a test variant, so the fuzzer has a chance to execute something.
-    std::string data_url_string =
-        std::string("data:") + provider.ConsumeRemainingBytesAsString();
-    GURL data_url(data_url_string);
-    if (!data_url.is_valid())
-      data_url = GURL("data:text/html;charset=utf-8,<p>test</p>");
-
-    // Create a URLRequest with the given data URL and start reading
-    // from it.
-    std::unique_ptr<net::URLRequest> request = context_.CreateRequest(
-        data_url, net::DEFAULT_PRIORITY, this, TRAFFIC_ANNOTATION_FOR_TESTS);
-    if (use_range) {
-      if (!net::HttpUtil::IsValidHeaderValue(range))
-        range = "bytes=3-";
-      request->SetExtraRequestHeaderByName("Range", range, true);
-    }
-
-    // Block the thread while the request is read.
-    base::RunLoop read_loop;
-    read_loop_ = &read_loop;
-    request->Start();
-    read_loop.Run();
-    read_loop_ = nullptr;
-    return 0;
-  }
-
-  void QuitLoop() {
-    DCHECK(read_loop_);
-    task_runner_->PostTask(FROM_HERE, read_loop_->QuitClosure());
-  }
-
-  void ReadFromRequest(net::URLRequest* request) {
-    int bytes_read = 0;
-    do {
-      size_t read_size = 32 * 1024;
-      // If possible, pop the next read size.
-      if (read_lengths_.size() > 0) {
-        read_size = read_lengths_.back();
-        read_lengths_.pop_back();
-      }
-      if (read_size > static_cast<size_t>(buf_->size()))
-        buf_ = base::MakeRefCounted<net::IOBufferWithSize>(read_size);
-
-      bytes_read = request->Read(buf_.get(), read_size);
-    } while (bytes_read > 0);
-
-    if (bytes_read != net::ERR_IO_PENDING)
-      QuitLoop();
-  }
-
-  // net::URLRequest::Delegate:
-  void OnReceivedRedirect(net::URLRequest* request,
-                          const net::RedirectInfo& redirect_info,
-                          bool* defer_redirect) override {}
-  void OnAuthRequired(net::URLRequest* request,
-                      const net::AuthChallengeInfo& auth_info) override {}
-  void OnCertificateRequested(
-      net::URLRequest* request,
-      net::SSLCertRequestInfo* cert_request_info) override {}
-  void OnSSLCertificateError(net::URLRequest* request,
-                             int net_error,
-                             const net::SSLInfo& ssl_info,
-                             bool fatal) override {}
-  void OnResponseStarted(net::URLRequest* request, int net_error) override {
-    DCHECK(buf_.get());
-    DCHECK(read_loop_);
-    DCHECK_NE(net::ERR_IO_PENDING, net_error);
-
-    if (net_error == net::OK) {
-      ReadFromRequest(request);
-    } else {
-      QuitLoop();
-    }
-  }
-  void OnReadCompleted(net::URLRequest* request, int bytes_read) override {
-    DCHECK_NE(net::ERR_IO_PENDING, bytes_read);
-    DCHECK(buf_.get());
-    DCHECK(read_loop_);
-
-    if (bytes_read > 0) {
-      ReadFromRequest(request);
-    } else {
-      QuitLoop();
-    }
-  }
-
- private:
-  friend struct base::DefaultSingletonTraits<URLRequestDataJobFuzzerHarness>;
-
-  scoped_refptr<base::SingleThreadTaskRunner> task_runner_;
-
-  net::TestURLRequestContext context_;
-  net::URLRequestJobFactoryImpl job_factory_;
-  std::vector<size_t> read_lengths_;
-  scoped_refptr<net::IOBufferWithSize> buf_;
-  base::RunLoop* read_loop_ = nullptr;
-
-  DISALLOW_COPY_AND_ASSIGN(URLRequestDataJobFuzzerHarness);
-};
-
-extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
-  // Using a static singleton test harness lets the test run ~3-4x faster.
-  return URLRequestDataJobFuzzerHarness::GetInstance()
-      ->CreateAndReadFromDataURLRequest(data, size);
-}
diff --git a/chromium/net/url_request/url_request_data_job_unittest.cc b/chromium/net/url_request/url_request_data_job_unittest.cc
deleted file mode 100644
index ff2711a45e8..00000000000
--- a/chromium/net/url_request/url_request_data_job_unittest.cc
+++ /dev/null
@@ -1,109 +0,0 @@
-// Copyright 2014 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include <string>
-
-#include "base/memory/ref_counted.h"
-#include "net/base/net_errors.h"
-#include "net/http/http_response_headers.h"
-#include "net/http/http_version.h"
-#include "net/url_request/url_request_data_job.h"
-#include "testing/gtest/include/gtest/gtest.h"
-#include "url/gurl.h"
-
-namespace net {
-
-TEST(BuildResponseTest, Simple) {
-  std::string mime_type;
-  std::string charset;
-  std::string data;
-  scoped_refptr<HttpResponseHeaders> headers(
-      new HttpResponseHeaders(std::string()));
-
-  ASSERT_EQ(OK, URLRequestDataJob::BuildResponse(GURL("data:,Hello"), "GET",
-                                                 &mime_type, &charset, &data,
-                                                 headers.get()));
-
-  EXPECT_EQ("text/plain", mime_type);
-  EXPECT_EQ("US-ASCII", charset);
-  EXPECT_EQ("Hello", data);
-
-  const HttpVersion& version = headers->GetHttpVersion();
-  EXPECT_EQ(1, version.major_value());
-  EXPECT_EQ(1, version.minor_value());
-  EXPECT_EQ("OK", headers->GetStatusText());
-  std::string value;
-  EXPECT_TRUE(headers->GetNormalizedHeader("Content-Type", &value));
-  EXPECT_EQ(value, "text/plain;charset=US-ASCII");
-  value.clear();
-}
-
-TEST(BuildResponseTest, HeadMethod) {
-  std::string mime_type;
-  std::string charset;
-  std::string data;
-  scoped_refptr<HttpResponseHeaders> headers =
-      HttpResponseHeaders::TryToCreate("");
-
-  ASSERT_EQ(OK, URLRequestDataJob::BuildResponse(GURL("data:,Hello"), "HEAD",
-                                                 &mime_type, &charset, &data,
-                                                 headers.get()));
-
-  EXPECT_EQ("text/plain", mime_type);
-  EXPECT_EQ("US-ASCII", charset);
-  EXPECT_EQ("", data);
-
-  HttpVersion version = headers->GetHttpVersion();
-  EXPECT_EQ(1, version.major_value());
-  EXPECT_EQ(1, version.minor_value());
-  EXPECT_EQ("OK", headers->GetStatusText());
-  std::string content_type;
-  EXPECT_TRUE(headers->GetNormalizedHeader("Content-Type", &content_type));
-  EXPECT_EQ(content_type, "text/plain;charset=US-ASCII");
-}
-
-TEST(BuildResponseTest, InvalidInput) {
-  std::string mime_type;
-  std::string charset;
-  std::string data;
-  scoped_refptr<HttpResponseHeaders> headers(
-      new HttpResponseHeaders(std::string()));
-
-  EXPECT_EQ(ERR_INVALID_URL,
-            URLRequestDataJob::BuildResponse(GURL("bogus"), "GET", &mime_type,
-                                             &charset, &data, headers.get()));
-}
-
-TEST(BuildResponseTest, InvalidMimeType) {
-  std::string mime_type;
-  std::string charset;
-  std::string data;
-  scoped_refptr<HttpResponseHeaders> headers(
-      new HttpResponseHeaders(std::string()));
-
-  // MIME type contains delimiters. Must be accepted but Content-Type header
-  // should be generated as if the mediatype was text/plain.
-  EXPECT_EQ(OK, URLRequestDataJob::BuildResponse(GURL("data:f(o/b)r,test"),
-                                                 "GET", &mime_type, &charset,
-                                                 &data, headers.get()));
-
-  std::string value;
-  EXPECT_TRUE(headers->GetNormalizedHeader("Content-Type", &value));
-  EXPECT_EQ(value, "text/plain;charset=US-ASCII");
-}
-
-TEST(BuildResponseTest, InvalidCharset) {
-  std::string mime_type;
-  std::string charset;
-  std::string data;
-  scoped_refptr<HttpResponseHeaders> headers(
-      new HttpResponseHeaders(std::string()));
-
-  // MIME type contains delimiters. Must be rejected.
-  EXPECT_EQ(ERR_INVALID_URL, URLRequestDataJob::BuildResponse(
-                                 GURL("data:text/html;charset=(),test"), "GET",
-                                 &mime_type, &charset, &data, headers.get()));
-}
-
-}  // namespace net
diff --git a/chromium/net/url_request/url_request_filter.cc b/chromium/net/url_request/url_request_filter.cc
index 5a8a7209fdf..6b0f70a15db 100644
--- a/chromium/net/url_request/url_request_filter.cc
+++ b/chromium/net/url_request/url_request_filter.cc
@@ -5,7 +5,6 @@
 #include "net/url_request/url_request_filter.h"
 
 #include "base/logging.h"
-#include "base/message_loop/message_loop.h"
 #include "base/message_loop/message_loop_current.h"
 #include "base/stl_util.h"
 #include "net/url_request/url_request.h"
diff --git a/chromium/net/url_request/url_request_ftp_job.cc b/chromium/net/url_request/url_request_ftp_job.cc
index 05c02eb4b3b..2987879267e 100644
--- a/chromium/net/url_request/url_request_ftp_job.cc
+++ b/chromium/net/url_request/url_request_ftp_job.cc
@@ -100,8 +100,10 @@ void URLRequestFtpJob::Start() {
   } else {
     DCHECK_EQ(request_->context()->proxy_resolution_service(),
               proxy_resolution_service_);
+    // "Fine" to use an empty NetworkIsolationKey() because FTP is slated for
+    // removal.
     rv = proxy_resolution_service_->ResolveProxy(
-        request_->url(), "GET", &proxy_info_,
+        request_->url(), "GET", NetworkIsolationKey(), &proxy_info_,
         base::BindOnce(&URLRequestFtpJob::OnResolveProxyComplete,
                        base::Unretained(this)),
         &proxy_resolve_request_, request_->net_log());
diff --git a/chromium/net/url_request/url_request_http_job.cc b/chromium/net/url_request/url_request_http_job.cc
index a2ea5595550..4c19c0567d1 100644
--- a/chromium/net/url_request/url_request_http_job.cc
+++ b/chromium/net/url_request/url_request_http_job.cc
@@ -71,7 +71,6 @@
 #include "net/url_request/url_request.h"
 #include "net/url_request/url_request_context.h"
 #include "net/url_request/url_request_error_job.h"
-#include "net/url_request/url_request_http_job_histogram.h"
 #include "net/url_request/url_request_job_factory.h"
 #include "net/url_request/url_request_redirect_job.h"
 #include "net/url_request/url_request_throttler_manager.h"
@@ -154,88 +153,6 @@ void RecordCTHistograms(const net::SSLInfo& ssl_info) {
   }
 }
 
-net::CookieNetworkSecurity HistogramEntryForCookie(
-    const net::CanonicalCookie& cookie,
-    const net::URLRequest& request,
-    const net::HttpRequestInfo& request_info) {
-  if (!request_info.url.SchemeIsCryptographic()) {
-    return net::CookieNetworkSecurity::k1pNonsecureConnection;
-  }
-
-  if (cookie.IsSecure()) {
-    return net::CookieNetworkSecurity::k1pSecureAttribute;
-  }
-
-  net::TransportSecurityState* transport_security_state =
-      request.context()->transport_security_state();
-  net::TransportSecurityState::STSState sts_state;
-  const std::string cookie_domain =
-      cookie.IsHostCookie() ? request.url().host() : cookie.Domain().substr(1);
-  const bool hsts =
-      transport_security_state->GetSTSState(cookie_domain, &sts_state) &&
-      sts_state.ShouldUpgradeToSSL();
-  if (!hsts) {
-    return net::CookieNetworkSecurity::k1pSecureConnection;
-  }
-
-  if (cookie.IsHostCookie()) {
-    if (cookie.IsPersistent() && sts_state.expiry >= cookie.ExpiryDate()) {
-      return net::CookieNetworkSecurity::k1pHSTSHostCookie;
-    } else {
-      // Session cookies are assumed to live forever.
-      return net::CookieNetworkSecurity::k1pExpiringHSTSHostCookie;
-    }
-  }
-
-  // Domain cookies require HSTS to include subdomains to prevent spoofing.
-  if (sts_state.include_subdomains) {
-    if (cookie.IsPersistent() && sts_state.expiry >= cookie.ExpiryDate()) {
-      return net::CookieNetworkSecurity::k1pHSTSSubdomainsIncluded;
-    } else {
-      // Session cookies are assumed to live forever.
-      return net::CookieNetworkSecurity::k1pExpiringHSTSSubdomainsIncluded;
-    }
-  }
-
-  return net::CookieNetworkSecurity::k1pHSTSSpoofable;
-}
-
-void LogCookieUMA(const net::CookieList& cookie_list,
-                  const net::URLRequest& request,
-                  const net::HttpRequestInfo& request_info) {
-  const bool secure_request = request_info.url.SchemeIsCryptographic();
-  const bool same_site = net::registry_controlled_domains::SameDomainOrHost(
-      request.url(), request.site_for_cookies(),
-      net::registry_controlled_domains::INCLUDE_PRIVATE_REGISTRIES);
-
-  const base::Time now = base::Time::Now();
-  base::Time oldest = base::Time::Max();
-  for (const auto& cookie : cookie_list) {
-    const std::string histogram_name =
-        std::string("Cookie.AllAgesFor") +
-        (secure_request ? "Secure" : "NonSecure") +
-        (same_site ? "SameSite" : "CrossSite") + "Request";
-    const int age_in_days = (now - cookie.CreationDate()).InDays();
-    base::UmaHistogramCounts1000(histogram_name, age_in_days);
-    oldest = std::min(cookie.CreationDate(), oldest);
-
-    net::CookieNetworkSecurity entry =
-        HistogramEntryForCookie(cookie, request, request_info);
-    if (!same_site) {
-      entry =
-          static_cast<net::CookieNetworkSecurity>(static_cast<int>(entry) | 1);
-    }
-    UMA_HISTOGRAM_ENUMERATION("Cookie.NetworkSecurity", entry,
-                              net::CookieNetworkSecurity::kCount);
-  }
-
-  const std::string histogram_name =
-      std::string("Cookie.AgeFor") + (secure_request ? "Secure" : "NonSecure") +
-      (same_site ? "SameSite" : "CrossSite") + "Request";
-  const int age_in_days = (now - oldest).InDays();
-  base::UmaHistogramCounts1000(histogram_name, age_in_days);
-}
-
 }  // namespace
 
 namespace net {
@@ -358,10 +275,10 @@ void URLRequestHttpJob::Start() {
   // instance WebCore::FrameLoader::HideReferrer.
   if (referrer.is_valid()) {
     std::string referer_value = referrer.spec();
-    UMA_HISTOGRAM_COUNTS_10000("Referrer.HeaderLength", referer_value.length());
-    if (base::FeatureList::IsEnabled(features::kCapRefererHeaderLength) &&
-        base::saturated_cast<int>(referer_value.length()) >
-            features::kMaxRefererHeaderLength.Get()) {
+    // We limit the `referer` header to 4k: see step 6 of
+    // https://w3c.github.io/webappsec-referrer-policy/#determine-requests-referrer
+    // and https://github.com/whatwg/fetch/issues/903.
+    if (referer_value.length() > 4096) {
       // Strip the referrer down to its origin, but ensure that it's serialized
       // as a URL (e.g. retaining a trailing `/` character).
       referer_value = url::Origin::Create(referrer).GetURL().spec();
@@ -629,10 +546,17 @@ void URLRequestHttpJob::AddCookieHeaderAndStart() {
     CookieOptions options;
     options.set_return_excluded_cookies();
     options.set_include_httponly();
+    bool attach_same_site_cookies = request_->attach_same_site_cookies();
+    if (cookie_store->cookie_access_delegate() &&
+        cookie_store->cookie_access_delegate()
+            ->ShouldIgnoreSameSiteRestrictions(request_->url(),
+                                               request_->site_for_cookies())) {
+      attach_same_site_cookies = true;
+    }
     options.set_same_site_cookie_context(
         net::cookie_util::ComputeSameSiteContextForRequest(
             request_->method(), request_->url(), request_->site_for_cookies(),
-            request_->initiator(), request_->attach_same_site_cookies()));
+            request_->initiator(), attach_same_site_cookies));
     cookie_store->GetCookieListWithOptionsAsync(
         request_->url(), options,
         base::BindOnce(&URLRequestHttpJob::SetCookieHeaderAndStart,
@@ -657,8 +581,6 @@ void URLRequestHttpJob::SetCookieHeaderAndStart(
 
   bool can_get_cookies = CanGetCookies(cookie_list);
   if (!cookies_with_status_list.empty() && can_get_cookies) {
-    LogCookieUMA(cookie_list, *request_, request_info_);
-
     std::string cookie_line =
         CanonicalCookie::BuildCookieLine(cookies_with_status_list);
     UMA_HISTOGRAM_COUNTS_10000("Cookie.HeaderLength", cookie_line.length());
@@ -667,6 +589,37 @@ void URLRequestHttpJob::SetCookieHeaderAndStart(
 
     // Disable privacy mode as we are sending cookies anyway.
     request_info_.privacy_mode = PRIVACY_MODE_DISABLED;
+
+    // TODO(crbug.com/1031664): Reduce the number of times the cookie list is
+    // iterated over. Get metrics for every cookie which is included.
+    for (const auto& c : cookies_with_status_list) {
+      bool request_is_secure = request_->url().SchemeIsCryptographic();
+      net::CookieSourceScheme cookie_scheme = c.cookie.SourceScheme();
+      CookieRequestScheme cookie_request_schemes;
+
+      switch (cookie_scheme) {
+        case net::CookieSourceScheme::kSecure:
+          cookie_request_schemes =
+              request_is_secure
+                  ? CookieRequestScheme::kSecureSetSecureRequest
+                  : CookieRequestScheme::kSecureSetNonsecureRequest;
+          break;
+
+        case net::CookieSourceScheme::kNonSecure:
+          cookie_request_schemes =
+              request_is_secure
+                  ? CookieRequestScheme::kNonsecureSetSecureRequest
+                  : CookieRequestScheme::kNonsecureSetNonsecureRequest;
+          break;
+
+        case net::CookieSourceScheme::kUnset:
+          cookie_request_schemes = CookieRequestScheme::kUnsetCookieScheme;
+          break;
+      }
+
+      UMA_HISTOGRAM_ENUMERATION("Cookie.CookieSchemeRequestScheme",
+                                cookie_request_schemes);
+    }
   }
 
   // Report status for things in |excluded_list| and |cookies_with_status_list|
@@ -725,8 +678,9 @@ void URLRequestHttpJob::SaveCookiesAndNotifyHeadersComplete(int result) {
     return;
   }
 
-  if ((request_info_.load_flags & LOAD_DO_NOT_SAVE_COOKIES) ||
-      !request_->context()->cookie_store()) {
+  CookieStore* cookie_store = request_->context()->cookie_store();
+
+  if ((request_info_.load_flags & LOAD_DO_NOT_SAVE_COOKIES) || !cookie_store) {
     NotifyHeadersComplete();
     return;
   }
@@ -738,10 +692,16 @@ void URLRequestHttpJob::SaveCookiesAndNotifyHeadersComplete(int result) {
 
   CookieOptions options;
   options.set_include_httponly();
+  bool attach_same_site_cookies = request_->attach_same_site_cookies();
+  if (cookie_store->cookie_access_delegate() &&
+      cookie_store->cookie_access_delegate()->ShouldIgnoreSameSiteRestrictions(
+          request_->url(), request_->site_for_cookies())) {
+    attach_same_site_cookies = true;
+  }
   options.set_same_site_cookie_context(
       net::cookie_util::ComputeSameSiteContextForResponse(
           request_->url(), request_->site_for_cookies(), request_->initiator(),
-          request_->attach_same_site_cookies()));
+          attach_same_site_cookies));
 
   options.set_return_excluded_cookies();
 
@@ -909,7 +869,7 @@ void URLRequestHttpJob::OnStartCompleted(int result) {
       // |URLRequestHttpJob::OnHeadersReceivedCallback()| or
       // |NetworkDelegate::URLRequestDestroyed()| has been called.
       OnCallToDelegate(NetLogEventType::NETWORK_DELEGATE_HEADERS_RECEIVED);
-      allowed_unsafe_redirect_url_ = GURL();
+      preserve_fragment_on_redirect_url_ = base::nullopt;
       IPEndPoint endpoint;
       if (transaction_)
         transaction_->GetRemoteEndpoint(&endpoint);
@@ -922,7 +882,7 @@ void URLRequestHttpJob::OnStartCompleted(int result) {
           base::BindOnce(&URLRequestHttpJob::OnHeadersReceivedCallback,
                          weak_factory_.GetWeakPtr()),
           headers.get(), &override_response_headers_, endpoint,
-          &allowed_unsafe_redirect_url_);
+          &preserve_fragment_on_redirect_url_);
       if (error != OK) {
         if (error == ERR_IO_PENDING) {
           awaiting_callback_ = true;
@@ -943,7 +903,8 @@ void URLRequestHttpJob::OnStartCompleted(int result) {
     TransportSecurityState* state = context->transport_security_state();
     NotifySSLCertificateError(
         result, transaction_->GetResponseInfo()->ssl_info,
-        state->ShouldSSLErrorsBeFatal(request_info_.url.host()));
+        state->ShouldSSLErrorsBeFatal(request_info_.url.host()) &&
+            result != ERR_CERT_KNOWN_INTERCEPTION_BLOCKED);
   } else if (result == ERR_SSL_CLIENT_AUTH_CERT_NEEDED) {
     NotifyCertificateRequested(
         transaction_->GetResponseInfo()->cert_request_info.get());
@@ -1157,12 +1118,9 @@ std::unique_ptr<SourceStream> URLRequestHttpJob::SetUpSourceStream() {
 
 bool URLRequestHttpJob::CopyFragmentOnRedirect(const GURL& location) const {
   // Allow modification of reference fragments by default, unless
-  // |allowed_unsafe_redirect_url_| is set and equal to the redirect URL.
-  // When this is the case, we assume that the network delegate has set the
-  // desired redirect URL (with or without fragment), so it must not be changed
-  // any more.
-  return !allowed_unsafe_redirect_url_.is_valid() ||
-       allowed_unsafe_redirect_url_ != location;
+  // |preserve_fragment_on_redirect_url_| is set and equal to the redirect URL.
+  return !preserve_fragment_on_redirect_url_.has_value() ||
+         preserve_fragment_on_redirect_url_ != location;
 }
 
 bool URLRequestHttpJob::IsSafeRedirect(const GURL& location) {
@@ -1172,11 +1130,6 @@ bool URLRequestHttpJob::IsSafeRedirect(const GURL& location) {
       (location.scheme() == "http" || location.scheme() == "https")) {
     return true;
   }
-  // Delegates may mark a URL as safe for redirection.
-  if (allowed_unsafe_redirect_url_.is_valid() &&
-      allowed_unsafe_redirect_url_ == location) {
-    return true;
-  }
   // Query URLRequestJobFactory as to whether |location| would be safe to
   // redirect to.
   return request_->context()->job_factory() &&
diff --git a/chromium/net/url_request/url_request_http_job.h b/chromium/net/url_request/url_request_http_job.h
index 528cbd5cf0b..62d496ca501 100644
--- a/chromium/net/url_request/url_request_http_job.h
+++ b/chromium/net/url_request/url_request_http_job.h
@@ -13,8 +13,10 @@
 #include <vector>
 
 #include "base/compiler_specific.h"
+#include "base/gtest_prod_util.h"
 #include "base/macros.h"
 #include "base/memory/weak_ptr.h"
+#include "base/optional.h"
 #include "base/time/time.h"
 #include "net/base/auth.h"
 #include "net/base/ip_endpoint.h"
@@ -66,11 +68,33 @@ class NET_EXPORT_PRIVATE URLRequestHttpJob : public URLRequestJob {
   }
 
  private:
+  // For CookieRequestScheme histogram enum.
+  FRIEND_TEST_ALL_PREFIXES(URLRequestHttpJobTest,
+                           CookieSchemeRequestSchemeHistogram);
+
   enum CompletionCause {
     ABORTED,
     FINISHED
   };
 
+  // Used to indicate which kind of cookies are sent on which kind of requests,
+  // for use in histograms. A (non)secure set cookie means that the cookie was
+  // originally set by a (non)secure url. A (non)secure request means that the
+  // request url is (non)secure. An unset cookie scheme means that the cookie's
+  // source scheme was marked as "Unset" and thus cannot be compared  with the
+  // request.
+  // These values are persisted to logs. Entries should not be renumbered and
+  // numeric values should never be reused.
+  enum class CookieRequestScheme {
+    kUnsetCookieScheme = 0,
+    kNonsecureSetNonsecureRequest,
+    kSecureSetSecureRequest,
+    kNonsecureSetSecureRequest,
+    kSecureSetNonsecureRequest,
+
+    kMaxValue = kSecureSetNonsecureRequest  // Keep as the last value.
+  };
+
   typedef base::RefCountedData<bool> SharedBoolean;
 
   // Shadows URLRequestJob's version of this method so we can grab cookies.
@@ -202,10 +226,15 @@ class NET_EXPORT_PRIVATE URLRequestHttpJob : public URLRequestJob {
   // layers of the network stack.
   scoped_refptr<HttpResponseHeaders> override_response_headers_;
 
-  // The network delegate can mark a URL as safe for redirection.
-  // The reference fragment of the original URL is not appended to the redirect
-  // URL when the redirect URL is equal to |allowed_unsafe_redirect_url_|.
-  GURL allowed_unsafe_redirect_url_;
+  // Ordinarily the original URL's fragment is copied during redirects, unless
+  // the destination URL already has one. However, the NetworkDelegate can
+  // override this behavior by setting |preserve_fragment_on_redirect_url_|:
+  // * If set to base::nullopt, the default behavior is used.
+  // * If the final URL in the redirect chain matches
+  //     |preserve_fragment_on_redirect_url_|, its fragment unchanged. So this
+  //     is basically a way for the embedder to force a redirect not to copy the
+  //     original URL's fragment when the original URL had one.
+  base::Optional<GURL> preserve_fragment_on_redirect_url_;
 
   // Flag used to verify that |this| is not deleted while we are awaiting
   // a callback from the NetworkDelegate. Used as a fail-fast mechanism.
diff --git a/chromium/net/url_request/url_request_http_job_histogram.h b/chromium/net/url_request/url_request_http_job_histogram.h
deleted file mode 100644
index abacae498a6..00000000000
--- a/chromium/net/url_request/url_request_http_job_histogram.h
+++ /dev/null
@@ -1,39 +0,0 @@
-// Copyright 2018 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef NET_URL_REQUEST_URL_REQUEST_HTTP_JOB_HISTOGRAM_H_
-#define NET_URL_REQUEST_URL_REQUEST_HTTP_JOB_HISTOGRAM_H_
-
-namespace net {
-
-// Degree of protection against cookie theft in decreasing order (split by 1st
-// party and 3rd party cookies).
-//
-// These values are persisted to logs. Entries should not be renumbered and
-// numeric values should never be reused. First-party entries need to reside at
-// even values and the corresponding third-party entry needs to be at
-// [first-party] + 1 to allow bit manipulation.
-enum class CookieNetworkSecurity {
-  k1pSecureAttribute = 0,                 // Secure attribute
-  k3pSecureAttribute = 1,                 // "
-  k1pHSTSHostCookie = 2,                  // HSTS covering cookie lifetime
-  k3pHSTSHostCookie = 3,                  //   host cookie
-  k1pHSTSSubdomainsIncluded = 4,          // HSTS covering cookie lifetime
-  k3pHSTSSubdomainsIncluded = 5,          //   subdomains included
-  k1pExpiringHSTSHostCookie = 6,          // HSTS not covering cookie lifetime
-  k3pExpiringHSTSHostCookie = 7,          //   host cookie
-  k1pExpiringHSTSSubdomainsIncluded = 8,  // HSTS not covering cookie lifetime
-  k3pExpiringHSTSSubdomainsIncluded = 9,  //   subdomains included
-  k1pHSTSSpoofable = 10,                  // HSTS and neither host cookie nor
-  k3pHSTSSpoofable = 11,                  //   subdomains included
-  k1pSecureConnection = 12,               // Secure connection but no HSTS
-  k3pSecureConnection = 13,               // "
-  k1pNonsecureConnection = 14,            // Nonsecure connection
-  k3pNonsecureConnection = 15,            // "
-  kCount
-};
-
-}  // namespace net
-
-#endif  // NET_URL_REQUEST_URL_REQUEST_HTTP_JOB_HISTOGRAM_H_
diff --git a/chromium/net/url_request/url_request_http_job_unittest.cc b/chromium/net/url_request/url_request_http_job_unittest.cc
index 2f6a4abd8da..293b5321455 100644
--- a/chromium/net/url_request/url_request_http_job_unittest.cc
+++ b/chromium/net/url_request/url_request_http_job_unittest.cc
@@ -23,6 +23,8 @@
 #include "net/base/auth.h"
 #include "net/base/request_priority.h"
 #include "net/cert/ct_policy_status.h"
+#include "net/cookies/cookie_monster.h"
+#include "net/cookies/cookie_store_test_callbacks.h"
 #include "net/cookies/cookie_store_test_helpers.h"
 #include "net/http/http_transaction_factory.h"
 #include "net/http/http_transaction_test_util.h"
@@ -357,7 +359,7 @@ class URLRequestHttpJobTest : public TestWithTaskEnvironment {
 
   TestURLRequestContext context_;
   TestDelegate delegate_;
-  TestNetLog net_log_;
+  RecordingTestNetLog net_log_;
   std::unique_ptr<URLRequest> req_;
 };
 
@@ -454,6 +456,10 @@ TEST_F(URLRequestHttpJobWithMockSocketsTest, TestSuccessfulHeadWithContent) {
 }
 
 TEST_F(URLRequestHttpJobWithMockSocketsTest, TestSuccessfulCachedHeadRequest) {
+  const url::Origin kOrigin1 =
+      url::Origin::Create(GURL("http://www.example.com"));
+  const NetworkIsolationKey kTestNetworkIsolationKey(kOrigin1, kOrigin1);
+
   // Cache the response.
   {
     MockWrite writes[] = {MockWrite(kSimpleGetMockWrite)};
@@ -469,6 +475,7 @@ TEST_F(URLRequestHttpJobWithMockSocketsTest, TestSuccessfulCachedHeadRequest) {
         GURL("http://www.example.com"), DEFAULT_PRIORITY, &delegate,
         TRAFFIC_ANNOTATION_FOR_TESTS);
 
+    request->set_network_isolation_key(kTestNetworkIsolationKey);
     request->Start();
     ASSERT_TRUE(request->is_pending());
     delegate.RunUntilComplete();
@@ -497,6 +504,7 @@ TEST_F(URLRequestHttpJobWithMockSocketsTest, TestSuccessfulCachedHeadRequest) {
     // Use the cached version.
     request->SetLoadFlags(LOAD_SKIP_CACHE_VALIDATION);
     request->set_method("HEAD");
+    request->set_network_isolation_key(kTestNetworkIsolationKey);
     request->Start();
     ASSERT_TRUE(request->is_pending());
     delegate.RunUntilComplete();
@@ -1634,6 +1642,127 @@ TEST_F(URLRequestHttpJobWebSocketTest, CreateHelperPassedThrough) {
 
 #endif  // BUILDFLAG(ENABLE_WEBSOCKETS)
 
+bool SetAllCookies(CookieMonster* cm, const CookieList& list) {
+  DCHECK(cm);
+  ResultSavingCookieCallback<CanonicalCookie::CookieInclusionStatus> callback;
+  cm->SetAllCookiesAsync(list, callback.MakeCallback());
+  callback.WaitUntilDone();
+  return callback.result().IsInclude();
+}
+
+bool CreateAndSetCookie(CookieStore* cs,
+                        const GURL& url,
+                        const std::string& cookie_line) {
+  auto cookie = CanonicalCookie::Create(url, cookie_line, base::Time::Now(),
+                                        base::nullopt);
+  if (!cookie)
+    return false;
+  DCHECK(cs);
+  ResultSavingCookieCallback<CanonicalCookie::CookieInclusionStatus> callback;
+  cs->SetCanonicalCookieAsync(std::move(cookie), url.scheme(),
+                              CookieOptions::MakeAllInclusive(),
+                              callback.MakeCallback());
+  callback.WaitUntilDone();
+  return callback.result().IsInclude();
+}
+
+void RunRequest(TestURLRequestContext* context, const GURL& url) {
+  TestDelegate delegate;
+  std::unique_ptr<URLRequest> request = context->CreateRequest(
+      url, DEFAULT_PRIORITY, &delegate, TRAFFIC_ANNOTATION_FOR_TESTS);
+
+  request->Start();
+  delegate.RunUntilComplete();
+}
+
 }  // namespace
 
+TEST_F(URLRequestHttpJobTest, CookieSchemeRequestSchemeHistogram) {
+  base::HistogramTester histograms;
+  const std::string test_histogram = "Cookie.CookieSchemeRequestScheme";
+
+  CookieMonster cm(nullptr, nullptr);
+  TestURLRequestContext context(true);
+  context.set_cookie_store(&cm);
+  context.Init();
+
+  // Secure set cookie marked as Unset source scheme.
+  // Using port 7 because it fails the transaction without sending a request and
+  // prevents a timeout due to the fake addresses. Because we only need the
+  // headers to be generated (and thus the histogram filled) and not actually
+  // sent this is acceptable.
+  GURL nonsecure_url_for_unset1("http://unset1.example:7");
+  GURL secure_url_for_unset1("https://unset1.example:7");
+
+  // Normally the source scheme would be set by
+  // CookieMonster::SetCanonicalCookie(), however we're using SetAllCookies() to
+  // bypass the source scheme check in order to test the kUnset state which
+  // would normally only happen during an existing cookie DB version upgrade.
+  std::unique_ptr<CanonicalCookie> unset_cookie1 = CanonicalCookie::Create(
+      secure_url_for_unset1, "NoSourceSchemeHttps=val", base::Time::Now(),
+      base::nullopt /* server_time */);
+  unset_cookie1->SetSourceScheme(net::CookieSourceScheme::kUnset);
+
+  CookieList list1 = {*unset_cookie1};
+  EXPECT_TRUE(SetAllCookies(&cm, list1));
+  RunRequest(&context, nonsecure_url_for_unset1);
+  histograms.ExpectBucketCount(
+      test_histogram,
+      URLRequestHttpJob::CookieRequestScheme::kUnsetCookieScheme, 1);
+  RunRequest(&context, secure_url_for_unset1);
+  histograms.ExpectBucketCount(
+      test_histogram,
+      URLRequestHttpJob::CookieRequestScheme::kUnsetCookieScheme, 2);
+
+  // Nonsecure set cookie marked as unset source scheme.
+  GURL nonsecure_url_for_unset2("http://unset2.example:7");
+  GURL secure_url_for_unset2("https://unset2.example:7");
+
+  std::unique_ptr<CanonicalCookie> unset_cookie2 = CanonicalCookie::Create(
+      nonsecure_url_for_unset2, "NoSourceSchemeHttp=val", base::Time::Now(),
+      base::nullopt /* server_time */);
+  unset_cookie2->SetSourceScheme(net::CookieSourceScheme::kUnset);
+
+  CookieList list2 = {*unset_cookie2};
+  EXPECT_TRUE(SetAllCookies(&cm, list2));
+  RunRequest(&context, nonsecure_url_for_unset2);
+  histograms.ExpectBucketCount(
+      test_histogram,
+      URLRequestHttpJob::CookieRequestScheme::kUnsetCookieScheme, 3);
+  RunRequest(&context, secure_url_for_unset2);
+  histograms.ExpectBucketCount(
+      test_histogram,
+      URLRequestHttpJob::CookieRequestScheme::kUnsetCookieScheme, 4);
+
+  // Secure set cookie with source scheme marked appropriately.
+  GURL nonsecure_url_for_secure_set("http://secureset.example:7");
+  GURL secure_url_for_secure_set("https://secureset.example:7");
+
+  EXPECT_TRUE(
+      CreateAndSetCookie(&cm, secure_url_for_secure_set, "SecureScheme=val"));
+  RunRequest(&context, nonsecure_url_for_secure_set);
+  histograms.ExpectBucketCount(
+      test_histogram,
+      URLRequestHttpJob::CookieRequestScheme::kSecureSetNonsecureRequest, 1);
+  RunRequest(&context, secure_url_for_secure_set);
+  histograms.ExpectBucketCount(
+      test_histogram,
+      URLRequestHttpJob::CookieRequestScheme::kSecureSetSecureRequest, 1);
+
+  // Nonsecure set cookie with source scheme marked appropriately.
+  GURL nonsecure_url_for_nonsecure_set("http://nonsecureset.example:7");
+  GURL secure_url_for_nonsecure_set("https://nonsecureset.example:7");
+
+  EXPECT_TRUE(CreateAndSetCookie(&cm, nonsecure_url_for_nonsecure_set,
+                                 "NonSecureScheme=val"));
+  RunRequest(&context, nonsecure_url_for_nonsecure_set);
+  histograms.ExpectBucketCount(
+      test_histogram,
+      URLRequestHttpJob::CookieRequestScheme::kNonsecureSetNonsecureRequest, 1);
+  RunRequest(&context, secure_url_for_nonsecure_set);
+  histograms.ExpectBucketCount(
+      test_histogram,
+      URLRequestHttpJob::CookieRequestScheme::kNonsecureSetSecureRequest, 1);
+}
+
 }  // namespace net
diff --git a/chromium/net/url_request/url_request_job.cc b/chromium/net/url_request/url_request_job.cc
index 957a6014497..bd7141c6737 100644
--- a/chromium/net/url_request/url_request_job.cc
+++ b/chromium/net/url_request/url_request_job.cc
@@ -67,6 +67,8 @@ class URLRequestJob::URLRequestJobSourceStream : public SourceStream {
 
   std::string Description() const override { return std::string(); }
 
+  bool MayHaveMoreBytes() const override { return true; }
+
  private:
   // It is safe to keep a raw pointer because |job_| owns the last stream which
   // indirectly owns |this|. Therefore, |job_| will not be destroyed when |this|
@@ -270,15 +272,19 @@ void URLRequestJob::GetConnectionAttempts(ConnectionAttempts* out) const {
 }
 
 // static
-GURL URLRequestJob::ComputeReferrerForPolicy(URLRequest::ReferrerPolicy policy,
-                                             const GURL& original_referrer,
-                                             const GURL& destination) {
+GURL URLRequestJob::ComputeReferrerForPolicy(
+    URLRequest::ReferrerPolicy policy,
+    const GURL& original_referrer,
+    const GURL& destination,
+    bool* same_origin_out_for_metrics) {
   bool secure_referrer_but_insecure_destination =
       original_referrer.SchemeIsCryptographic() &&
       !destination.SchemeIsCryptographic();
   url::Origin referrer_origin = url::Origin::Create(original_referrer);
   bool same_origin =
       referrer_origin.IsSameOriginWith(url::Origin::Create(destination));
+  if (same_origin_out_for_metrics)
+    *same_origin_out_for_metrics = same_origin;
   switch (policy) {
     case URLRequest::CLEAR_REFERRER_ON_TRANSITION_FROM_SECURE_TO_INSECURE:
       return secure_referrer_but_insecure_destination ? GURL()
diff --git a/chromium/net/url_request/url_request_job.h b/chromium/net/url_request/url_request_job.h
index ebab2dd61d2..a96439d5320 100644
--- a/chromium/net/url_request/url_request_job.h
+++ b/chromium/net/url_request/url_request_job.h
@@ -242,11 +242,19 @@ class NET_EXPORT URLRequestJob {
   // from the remote party with the actual response headers recieved.
   virtual void SetResponseHeadersCallback(ResponseHeadersCallback callback) {}
 
-  // Given |policy|, |referrer|, and |destination|, returns the
+  // Given |policy|, |original_referrer|, and |destination|, returns the
   // referrer URL mandated by |request|'s referrer policy.
-  static GURL ComputeReferrerForPolicy(URLRequest::ReferrerPolicy policy,
-                                       const GURL& original_referrer,
-                                       const GURL& destination);
+  //
+  // If |same_origin_out_for_metrics| is non-null, saves to
+  // |*same_origin_out_for_metrics| whether |original_referrer| and
+  // |destination| are cross-origin.
+  // (This allows reporting in a UMA whether the request is same-origin, without
+  // recomputing that information.)
+  static GURL ComputeReferrerForPolicy(
+      URLRequest::ReferrerPolicy policy,
+      const GURL& original_referrer,
+      const GURL& destination,
+      bool* same_origin_out_for_metrics = nullptr);
 
  protected:
   // Notifies the job that a certificate is requested.
diff --git a/chromium/net/url_request/url_request_job_unittest.cc b/chromium/net/url_request/url_request_job_unittest.cc
index 66dbc2df863..9766161fa6c 100644
--- a/chromium/net/url_request/url_request_job_unittest.cc
+++ b/chromium/net/url_request/url_request_job_unittest.cc
@@ -635,4 +635,28 @@ TEST_F(URLRequestJobTest, SlowBrotliRead) {
   RemoveMockTransaction(&kBrotliSlowTransaction);
 }
 
+TEST(URLRequestJobComputeReferrer, SetsSameOriginForMetricsOnSameOrigin) {
+  bool same_origin = false;
+  URLRequestJob::ComputeReferrerForPolicy(
+      URLRequest::ReferrerPolicy(),
+      /*original_referrer=*/GURL("http://google.com"),
+      /*destination=*/GURL("http://google.com"), &same_origin);
+  EXPECT_TRUE(same_origin);
+}
+
+TEST(URLRequestJobComputeReferrer, SetsSameOriginForMetricsOnCrossOrigin) {
+  bool same_origin = true;
+  URLRequestJob::ComputeReferrerForPolicy(
+      URLRequest::ReferrerPolicy(),
+      /*original_referrer=*/GURL("http://google.com"),
+      /*destination=*/GURL("http://boggle.com"), &same_origin);
+  EXPECT_FALSE(same_origin);
+}
+
+TEST(URLRequestJobComputeReferrer, AcceptsNullptrInput) {
+  // Shouldn't segfault.
+  URLRequestJob::ComputeReferrerForPolicy(URLRequest::ReferrerPolicy(), GURL(),
+                                          GURL(), nullptr);
+}
+
 }  // namespace net
diff --git a/chromium/net/url_request/url_request_netlog_params.cc b/chromium/net/url_request/url_request_netlog_params.cc
index a9c705a47e3..aba5718ca60 100644
--- a/chromium/net/url_request/url_request_netlog_params.cc
+++ b/chromium/net/url_request/url_request_netlog_params.cc
@@ -8,6 +8,7 @@
 
 #include "base/strings/string_number_conversions.h"
 #include "base/values.h"
+#include "net/base/network_isolation_key.h"
 #include "net/log/net_log_capture_mode.h"
 #include "url/gurl.h"
 
@@ -24,16 +25,20 @@ base::Value NetLogURLRequestConstructorParams(
   return dict;
 }
 
-base::Value NetLogURLRequestStartParams(const GURL& url,
-                                        const std::string& method,
-                                        int load_flags,
-                                        PrivacyMode privacy_mode,
-                                        int64_t upload_id) {
+base::Value NetLogURLRequestStartParams(
+    const GURL& url,
+    const std::string& method,
+    int load_flags,
+    PrivacyMode privacy_mode,
+    const NetworkIsolationKey& network_isolation_key,
+    int64_t upload_id) {
   base::Value dict(base::Value::Type::DICTIONARY);
   dict.SetStringKey("url", url.possibly_invalid_spec());
   dict.SetStringKey("method", method);
   dict.SetIntKey("load_flags", load_flags);
   dict.SetIntKey("privacy_mode", privacy_mode == PRIVACY_MODE_ENABLED);
+  dict.SetStringKey("network_isolation_key",
+                    network_isolation_key.ToDebugString());
   if (upload_id > -1)
     dict.SetStringKey("upload_id", base::NumberToString(upload_id));
   return dict;
diff --git a/chromium/net/url_request/url_request_netlog_params.h b/chromium/net/url_request/url_request_netlog_params.h
index 248a891559f..0394e08262f 100644
--- a/chromium/net/url_request/url_request_netlog_params.h
+++ b/chromium/net/url_request/url_request_netlog_params.h
@@ -24,6 +24,8 @@ class Value;
 
 namespace net {
 
+class NetworkIsolationKey;
+
 // Returns a Value containing NetLog parameters for constructing a URLRequest.
 NET_EXPORT base::Value NetLogURLRequestConstructorParams(
     const GURL& url,
@@ -31,11 +33,13 @@ NET_EXPORT base::Value NetLogURLRequestConstructorParams(
     NetworkTrafficAnnotationTag traffic_annotation);
 
 // Returns a Value containing NetLog parameters for starting a URLRequest.
-NET_EXPORT base::Value NetLogURLRequestStartParams(const GURL& url,
-                                                   const std::string& method,
-                                                   int load_flags,
-                                                   PrivacyMode privacy_mode,
-                                                   int64_t upload_id);
+NET_EXPORT base::Value NetLogURLRequestStartParams(
+    const GURL& url,
+    const std::string& method,
+    int load_flags,
+    PrivacyMode privacy_mode,
+    const NetworkIsolationKey& network_isolation_key,
+    int64_t upload_id);
 
 }  // namespace net
 
diff --git a/chromium/net/url_request/url_request_quic_perftest.cc b/chromium/net/url_request/url_request_quic_perftest.cc
index 90f2d97ba91..86150d5c819 100644
--- a/chromium/net/url_request/url_request_quic_perftest.cc
+++ b/chromium/net/url_request/url_request_quic_perftest.cc
@@ -26,6 +26,7 @@
 #include "net/dns/mock_host_resolver.h"
 #include "net/http/http_status_code.h"
 #include "net/quic/crypto/proof_source_chromium.h"
+#include "net/quic/quic_context.h"
 #include "net/test/cert_test_util.h"
 #include "net/test/embedded_test_server/embedded_test_server.h"
 #include "net/test/embedded_test_server/http_response.h"
@@ -83,9 +84,7 @@ std::unique_ptr<test_server::HttpResponse> HandleRequest(
   http_response->AddCustomHeader(
       "Alt-Svc",
       base::StringPrintf("quic=\"%s:%d\"; v=\"%u\"", kAltSvcHost, kAltSvcPort,
-                         HttpNetworkSession::Params()
-                             .quic_params.supported_versions[0]
-                             .transport_version));
+                         kDefaultSupportedQuicVersion.transport_version));
   http_response->set_code(HTTP_OK);
   http_response->set_content(kHelloOriginResponse);
   http_response->set_content_type("text/plain");
@@ -122,10 +121,11 @@ class URLRequestQuicPerfTest : public ::testing::Test {
         new HttpNetworkSession::Params);
     params->enable_quic = true;
     params->enable_user_alternate_protocol_ports = true;
-    params->quic_params.allow_remote_alt_svc = true;
+    quic_context_.params()->allow_remote_alt_svc = true;
     context_->set_host_resolver(host_resolver_.get());
     context_->set_http_network_session_params(std::move(params));
     context_->set_cert_verifier(&cert_verifier_);
+    context_->set_quic_context(&quic_context_);
     context_->Init();
   }
 
@@ -191,6 +191,7 @@ class URLRequestQuicPerfTest : public ::testing::Test {
   std::unique_ptr<TestURLRequestContext> context_;
   quic::QuicMemoryCacheBackend memory_cache_backend_;
   MockCertVerifier cert_verifier_;
+  QuicContext quic_context_;
 };
 
 void CheckScalarInDump(const MemoryAllocatorDump* dump,
diff --git a/chromium/net/url_request/url_request_quic_unittest.cc b/chromium/net/url_request/url_request_quic_unittest.cc
index b3e119b38a5..dddfc4571eb 100644
--- a/chromium/net/url_request/url_request_quic_unittest.cc
+++ b/chromium/net/url_request/url_request_quic_unittest.cc
@@ -4,11 +4,13 @@
 
 #include "base/bind.h"
 #include "base/bind_helpers.h"
+#include "base/feature_list.h"
 #include "base/files/file_path.h"
 #include "base/macros.h"
 #include "base/run_loop.h"
 #include "base/strings/string_number_conversions.h"
 #include "base/strings/stringprintf.h"
+#include "net/base/features.h"
 #include "net/base/load_timing_info.h"
 #include "net/base/network_delegate.h"
 #include "net/cert/mock_cert_verifier.h"
@@ -18,6 +20,7 @@
 #include "net/log/test_net_log.h"
 #include "net/log/test_net_log_util.h"
 #include "net/quic/crypto/proof_source_chromium.h"
+#include "net/quic/quic_context.h"
 #include "net/test/cert_test_util.h"
 #include "net/test/gtest_util.h"
 #include "net/test/test_data_directory.h"
@@ -60,7 +63,8 @@ class URLRequestQuicTest : public TestWithTaskEnvironment {
                                            OK);
     // To simplify the test, and avoid the race with the HTTP request, we force
     // QUIC for these requests.
-    params->quic_params.origins_to_force_quic_on.insert(
+    context_->set_quic_context(&quic_context_);
+    quic_context_.params()->origins_to_force_quic_on.insert(
         HostPortPair(kTestServerHost, 443));
     params->enable_quic = true;
     params->enable_server_push_cancellation = true;
@@ -130,7 +134,7 @@ class URLRequestQuicTest : public TestWithTaskEnvironment {
   }
 
  protected:
-  TestNetLog net_log_;
+  RecordingTestNetLog net_log_;
 
  private:
   void StartQuicServer() {
@@ -178,6 +182,7 @@ class URLRequestQuicTest : public TestWithTaskEnvironment {
   std::unique_ptr<MappedHostResolver> host_resolver_;
   std::unique_ptr<QuicSimpleServer> server_;
   std::unique_ptr<TestURLRequestContext> context_;
+  QuicContext quic_context_;
   quic::QuicMemoryCacheBackend memory_cache_backend_;
   MockCertVerifier cert_verifier_;
 };
@@ -267,6 +272,19 @@ TEST_F(URLRequestQuicTest, TestGetRequest) {
 }
 
 TEST_F(URLRequestQuicTest, CancelPushIfCached_SomeCached) {
+  // Skip test if "split cache" is enabled while "partition connections" is
+  // disabled, as it breaks push.
+  if (base::FeatureList::IsEnabled(
+          net::features::kSplitCacheByNetworkIsolationKey) &&
+      !base::FeatureList::IsEnabled(
+          net::features::kPartitionConnectionsByNetworkIsolationKey)) {
+    return;
+  }
+
+  const url::Origin kOrigin1 =
+      url::Origin::Create(GURL("http://www.example.com"));
+  const NetworkIsolationKey kTestNetworkIsolationKey(kOrigin1, kOrigin1);
+
   Init();
 
   // Send a request to the pushed url: /kitten-1.jpg to pull the resource into
@@ -277,6 +295,7 @@ TEST_F(URLRequestQuicTest, CancelPushIfCached_SomeCached) {
   std::unique_ptr<URLRequest> request_0 =
       CreateRequest(GURL(url_0), DEFAULT_PRIORITY, &delegate_0);
 
+  request_0->set_network_isolation_key(kTestNetworkIsolationKey);
   request_0->Start();
   ASSERT_TRUE(request_0->is_pending());
 
@@ -295,6 +314,7 @@ TEST_F(URLRequestQuicTest, CancelPushIfCached_SomeCached) {
   std::unique_ptr<URLRequest> request =
       CreateRequest(GURL(url), DEFAULT_PRIORITY, &delegate);
 
+  request->set_network_isolation_key(kTestNetworkIsolationKey);
   request->Start();
   ASSERT_TRUE(request->is_pending());
 
@@ -340,6 +360,19 @@ TEST_F(URLRequestQuicTest, CancelPushIfCached_SomeCached) {
 }
 
 TEST_F(URLRequestQuicTest, CancelPushIfCached_AllCached) {
+  // Skip test if "split cache" is enabled while "partition connections" is
+  // disabled, as it breaks push.
+  if (base::FeatureList::IsEnabled(
+          net::features::kSplitCacheByNetworkIsolationKey) &&
+      !base::FeatureList::IsEnabled(
+          net::features::kPartitionConnectionsByNetworkIsolationKey)) {
+    return;
+  }
+
+  const url::Origin kOrigin1 =
+      url::Origin::Create(GURL("http://www.example.com"));
+  const NetworkIsolationKey kTestNetworkIsolationKey(kOrigin1, kOrigin1);
+
   Init();
 
   // Send a request to the pushed url: /kitten-1.jpg to pull the resource into
@@ -350,6 +383,7 @@ TEST_F(URLRequestQuicTest, CancelPushIfCached_AllCached) {
   std::unique_ptr<URLRequest> request_0 =
       CreateRequest(GURL(url_0), DEFAULT_PRIORITY, &delegate_0);
 
+  request_0->set_network_isolation_key(kTestNetworkIsolationKey);
   request_0->Start();
   ASSERT_TRUE(request_0->is_pending());
 
@@ -368,6 +402,7 @@ TEST_F(URLRequestQuicTest, CancelPushIfCached_AllCached) {
   std::unique_ptr<URLRequest> request_1 =
       CreateRequest(GURL(url_1), DEFAULT_PRIORITY, &delegate_1);
 
+  request_1->set_network_isolation_key(kTestNetworkIsolationKey);
   request_1->Start();
   ASSERT_TRUE(request_1->is_pending());
 
@@ -386,6 +421,7 @@ TEST_F(URLRequestQuicTest, CancelPushIfCached_AllCached) {
   std::unique_ptr<URLRequest> request =
       CreateRequest(GURL(url), DEFAULT_PRIORITY, &delegate);
 
+  request->set_network_isolation_key(kTestNetworkIsolationKey);
   request->Start();
   ASSERT_TRUE(request->is_pending());
 
diff --git a/chromium/net/url_request/url_request_simple_job.cc b/chromium/net/url_request/url_request_simple_job.cc
deleted file mode 100644
index 9d2316dd0be..00000000000
--- a/chromium/net/url_request/url_request_simple_job.cc
+++ /dev/null
@@ -1,144 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "net/url_request/url_request_simple_job.h"
-
-#include <utility>
-#include <vector>
-
-#include "base/bind.h"
-#include "base/compiler_specific.h"
-#include "base/location.h"
-#include "base/memory/ref_counted_memory.h"
-#include "base/single_thread_task_runner.h"
-#include "base/task/post_task.h"
-#include "base/threading/thread_task_runner_handle.h"
-#include "net/base/io_buffer.h"
-#include "net/base/net_errors.h"
-#include "net/http/http_request_headers.h"
-#include "net/http/http_util.h"
-#include "net/url_request/url_request_status.h"
-
-namespace net {
-
-namespace {
-
-void CopyData(const scoped_refptr<IOBuffer>& buf,
-              int buf_size,
-              const scoped_refptr<base::RefCountedMemory>& data,
-              int64_t data_offset) {
-  memcpy(buf->data(), data->front() + data_offset, buf_size);
-}
-
-}  // namespace
-
-URLRequestSimpleJob::URLRequestSimpleJob(URLRequest* request,
-                                         NetworkDelegate* network_delegate)
-    : URLRangeRequestJob(request, network_delegate), next_data_offset_(0) {}
-
-void URLRequestSimpleJob::Start() {
-  // Start reading asynchronously so that all error reporting and data
-  // callbacks happen as they would for network requests.
-  base::ThreadTaskRunnerHandle::Get()->PostTask(
-      FROM_HERE, base::BindOnce(&URLRequestSimpleJob::StartAsync,
-                                weak_factory_.GetWeakPtr()));
-}
-
-void URLRequestSimpleJob::Kill() {
-  weak_factory_.InvalidateWeakPtrs();
-  URLRangeRequestJob::Kill();
-}
-
-bool URLRequestSimpleJob::GetMimeType(std::string* mime_type) const {
-  *mime_type = mime_type_;
-  return true;
-}
-
-bool URLRequestSimpleJob::GetCharset(std::string* charset) {
-  *charset = charset_;
-  return true;
-}
-
-URLRequestSimpleJob::~URLRequestSimpleJob() = default;
-
-int URLRequestSimpleJob::ReadRawData(IOBuffer* buf, int buf_size) {
-  buf_size = std::min(static_cast<int64_t>(buf_size),
-                      byte_range_.last_byte_position() - next_data_offset_ + 1);
-  if (buf_size == 0)
-    return 0;
-
-  // Do memory copy asynchronously on a thread that is not the network thread.
-  // See crbug.com/422489.
-  base::PostTaskAndReply(
-      FROM_HERE,
-      {base::ThreadPool(), base::TaskShutdownBehavior::CONTINUE_ON_SHUTDOWN},
-      base::BindOnce(&CopyData, base::WrapRefCounted(buf), buf_size, data_,
-                     next_data_offset_),
-      base::BindOnce(&URLRequestSimpleJob::ReadRawDataComplete,
-                     weak_factory_.GetWeakPtr(), buf_size));
-  next_data_offset_ += buf_size;
-  return ERR_IO_PENDING;
-}
-
-int URLRequestSimpleJob::GetData(std::string* mime_type,
-                                 std::string* charset,
-                                 std::string* data,
-                                 CompletionOnceCallback callback) const {
-  NOTREACHED();
-  return ERR_UNEXPECTED;
-}
-
-int URLRequestSimpleJob::GetRefCountedData(
-    std::string* mime_type,
-    std::string* charset,
-    scoped_refptr<base::RefCountedMemory>* data,
-    CompletionOnceCallback callback) const {
-  scoped_refptr<base::RefCountedString> str_data(new base::RefCountedString());
-  int result =
-      GetData(mime_type, charset, &str_data->data(), std::move(callback));
-  *data = str_data;
-  return result;
-}
-
-void URLRequestSimpleJob::StartAsync() {
-  if (!request_)
-    return;
-
-  if (ranges().size() > 1) {
-    NotifyStartError(URLRequestStatus(URLRequestStatus::FAILED,
-                                      ERR_REQUEST_RANGE_NOT_SATISFIABLE));
-    return;
-  }
-
-  if (!ranges().empty() && range_parse_result() == OK)
-    byte_range_ = ranges().front();
-
-  const int result =
-      GetRefCountedData(&mime_type_, &charset_, &data_,
-                        base::BindOnce(&URLRequestSimpleJob::OnGetDataCompleted,
-                                       weak_factory_.GetWeakPtr()));
-
-  if (result != ERR_IO_PENDING)
-    OnGetDataCompleted(result);
-}
-
-void URLRequestSimpleJob::OnGetDataCompleted(int result) {
-  if (result == OK) {
-    // Notify that the headers are complete
-    if (!byte_range_.ComputeBounds(data_->size())) {
-      NotifyStartError(URLRequestStatus(URLRequestStatus::FAILED,
-                                        ERR_REQUEST_RANGE_NOT_SATISFIABLE));
-      return;
-    }
-
-    next_data_offset_ = byte_range_.first_byte_position();
-    set_expected_content_size(byte_range_.last_byte_position() -
-                              next_data_offset_ + 1);
-    NotifyHeadersComplete();
-  } else {
-    NotifyStartError(URLRequestStatus(URLRequestStatus::FAILED, result));
-  }
-}
-
-}  // namespace net
diff --git a/chromium/net/url_request/url_request_simple_job.h b/chromium/net/url_request/url_request_simple_job.h
deleted file mode 100644
index 18ead7d10f4..00000000000
--- a/chromium/net/url_request/url_request_simple_job.h
+++ /dev/null
@@ -1,78 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef NET_URL_REQUEST_URL_REQUEST_SIMPLE_JOB_H_
-#define NET_URL_REQUEST_URL_REQUEST_SIMPLE_JOB_H_
-
-#include <stdint.h>
-
-#include <string>
-
-#include "base/memory/ref_counted.h"
-#include "base/memory/weak_ptr.h"
-#include "base/strings/string_piece.h"
-#include "net/base/completion_once_callback.h"
-#include "net/base/net_export.h"
-#include "net/url_request/url_range_request_job.h"
-
-namespace base {
-class RefCountedMemory;
-}
-
-namespace net {
-
-class URLRequest;
-
-class NET_EXPORT URLRequestSimpleJob : public URLRangeRequestJob {
- public:
-  URLRequestSimpleJob(URLRequest* request, NetworkDelegate* network_delegate);
-
-  void Start() override;
-  void Kill() override;
-  int ReadRawData(IOBuffer* buf, int buf_size) override;
-  bool GetMimeType(std::string* mime_type) const override;
-  bool GetCharset(std::string* charset) override;
-
- protected:
-  ~URLRequestSimpleJob() override;
-
-  // Subclasses must override either GetData or GetRefCountedData to define the
-  // way response data is determined.
-  // The return value should be:
-  //  - OK if data is obtained;
-  //  - ERR_IO_PENDING if async processing is needed to finish obtaining data.
-  //    This is the only case when |callback| should be called after
-  //    completion of the operation. In other situations |callback| should
-  //    never be called;
-  //  - any other ERR_* code to indicate an error. This code will be used
-  //    as the error code in the URLRequestStatus when the URLRequest
-  //    is finished.
-  virtual int GetData(std::string* mime_type,
-                      std::string* charset,
-                      std::string* data,
-                      CompletionOnceCallback callback) const;
-
-  // Similar to GetData(), except |*data| can share ownership of the bytes
-  // instead of copying them into a std::string.
-  virtual int GetRefCountedData(std::string* mime_type,
-                                std::string* charset,
-                                scoped_refptr<base::RefCountedMemory>* data,
-                                CompletionOnceCallback callback) const;
-
-  void StartAsync();
-
- private:
-  void OnGetDataCompleted(int result);
-
-  HttpByteRange byte_range_;
-  std::string mime_type_;
-  std::string charset_;
-  scoped_refptr<base::RefCountedMemory> data_;
-  int64_t next_data_offset_;
-  base::WeakPtrFactory<URLRequestSimpleJob> weak_factory_{this};
-};
-
-}  // namespace net
-
-#endif  // NET_URL_REQUEST_URL_REQUEST_SIMPLE_JOB_H_
diff --git a/chromium/net/url_request/url_request_simple_job_unittest.cc b/chromium/net/url_request/url_request_simple_job_unittest.cc
deleted file mode 100644
index 81c24409083..00000000000
--- a/chromium/net/url_request/url_request_simple_job_unittest.cc
+++ /dev/null
@@ -1,229 +0,0 @@
-// Copyright 2014 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "net/url_request/url_request_simple_job.h"
-
-#include <memory>
-#include <utility>
-
-#include "base/bind_helpers.h"
-#include "base/run_loop.h"
-#include "base/sequenced_task_runner.h"
-#include "base/stl_util.h"
-#include "base/strings/string_piece.h"
-#include "base/strings/stringprintf.h"
-#include "net/base/request_priority.h"
-#include "net/test/gtest_util.h"
-#include "net/test/test_with_task_environment.h"
-#include "net/traffic_annotation/network_traffic_annotation_test_helper.h"
-#include "net/url_request/url_request_job.h"
-#include "net/url_request/url_request_job_factory.h"
-#include "net/url_request/url_request_job_factory_impl.h"
-#include "net/url_request/url_request_test_util.h"
-#include "testing/gmock/include/gmock/gmock.h"
-#include "testing/gtest/include/gtest/gtest.h"
-
-using net::test::IsError;
-using net::test::IsOk;
-
-namespace net {
-
-namespace {
-
-const char kTestData[] = "Huge data array";
-const int kRangeFirstPosition = 5;
-const int kRangeLastPosition = 8;
-static_assert(kRangeFirstPosition > 0 &&
-                  kRangeFirstPosition < kRangeLastPosition &&
-                  kRangeLastPosition <
-                      static_cast<int>(base::size(kTestData) - 1),
-              "invalid range");
-
-class MockSimpleJob : public URLRequestSimpleJob {
- public:
-  MockSimpleJob(URLRequest* request,
-                NetworkDelegate* network_delegate,
-                base::StringPiece data)
-      : URLRequestSimpleJob(request, network_delegate),
-        data_(data.as_string()) {}
-
- protected:
-  // URLRequestSimpleJob implementation:
-  int GetData(std::string* mime_type,
-              std::string* charset,
-              std::string* data,
-              CompletionOnceCallback callback) const override {
-    mime_type->assign("text/plain");
-    charset->assign("US-ASCII");
-    data->assign(data_);
-    return OK;
-  }
-
- private:
-  ~MockSimpleJob() override = default;
-
-  const std::string data_;
-
-  DISALLOW_COPY_AND_ASSIGN(MockSimpleJob);
-};
-
-class CancelAfterFirstReadURLRequestDelegate : public TestDelegate {
- public:
-  CancelAfterFirstReadURLRequestDelegate() : run_loop_(new base::RunLoop) {}
-
-  ~CancelAfterFirstReadURLRequestDelegate() override = default;
-
-  void OnResponseStarted(URLRequest* request, int net_error) override {
-    DCHECK_NE(ERR_IO_PENDING, net_error);
-    // net::TestDelegate will start the first read.
-    TestDelegate::OnResponseStarted(request, net_error);
-    request->Cancel();
-    run_loop_->Quit();
-  }
-
-  void WaitUntilHeadersReceived() const { run_loop_->Run(); }
-
- private:
-  std::unique_ptr<base::RunLoop> run_loop_;
-
-  DISALLOW_COPY_AND_ASSIGN(CancelAfterFirstReadURLRequestDelegate);
-};
-
-class SimpleJobProtocolHandler :
-    public URLRequestJobFactory::ProtocolHandler {
- public:
-  SimpleJobProtocolHandler() = default;
-  URLRequestJob* MaybeCreateJob(
-      URLRequest* request,
-      NetworkDelegate* network_delegate) const override {
-    if (request->url().spec() == "data:empty")
-      return new MockSimpleJob(request, network_delegate, "");
-    return new MockSimpleJob(request, network_delegate, kTestData);
-  }
-
-  ~SimpleJobProtocolHandler() override = default;
-
- private:
-  DISALLOW_COPY_AND_ASSIGN(SimpleJobProtocolHandler);
-};
-
-class URLRequestSimpleJobTest : public TestWithTaskEnvironment {
- public:
-  URLRequestSimpleJobTest() : context_(true) {
-    job_factory_.SetProtocolHandler(
-        "data", std::make_unique<SimpleJobProtocolHandler>());
-    context_.set_job_factory(&job_factory_);
-    context_.Init();
-
-    request_ = context_.CreateRequest(GURL("data:test"), DEFAULT_PRIORITY,
-                                      &delegate_, TRAFFIC_ANNOTATION_FOR_TESTS);
-  }
-
-  void StartRequest(const HttpRequestHeaders* headers) {
-    if (headers)
-      request_->SetExtraRequestHeaders(*headers);
-    request_->Start();
-
-    EXPECT_TRUE(request_->is_pending());
-    delegate_.RunUntilComplete();
-    EXPECT_FALSE(request_->is_pending());
-  }
-
- protected:
-  TestURLRequestContext context_;
-  URLRequestJobFactoryImpl job_factory_;
-  TestDelegate delegate_;
-  std::unique_ptr<URLRequest> request_;
-
- private:
-  DISALLOW_COPY_AND_ASSIGN(URLRequestSimpleJobTest);
-};
-
-}  // namespace
-
-TEST_F(URLRequestSimpleJobTest, SimpleRequest) {
-  StartRequest(nullptr);
-  EXPECT_THAT(delegate_.request_status(), IsOk());
-  EXPECT_EQ(kTestData, delegate_.data_received());
-}
-
-TEST_F(URLRequestSimpleJobTest, RangeRequest) {
-  const std::string kExpectedBody = std::string(
-      kTestData + kRangeFirstPosition, kTestData + kRangeLastPosition + 1);
-  HttpRequestHeaders headers;
-  headers.SetHeader(
-      HttpRequestHeaders::kRange,
-      HttpByteRange::Bounded(kRangeFirstPosition, kRangeLastPosition)
-          .GetHeaderValue());
-
-  StartRequest(&headers);
-
-  EXPECT_THAT(delegate_.request_status(), IsOk());
-  EXPECT_EQ(kExpectedBody, delegate_.data_received());
-}
-
-TEST_F(URLRequestSimpleJobTest, MultipleRangeRequest) {
-  HttpRequestHeaders headers;
-  int middle_pos = (kRangeFirstPosition + kRangeLastPosition)/2;
-  std::string range = base::StringPrintf("bytes=%d-%d,%d-%d",
-                                         kRangeFirstPosition,
-                                         middle_pos,
-                                         middle_pos + 1,
-                                         kRangeLastPosition);
-  headers.SetHeader(HttpRequestHeaders::kRange, range);
-
-  StartRequest(&headers);
-
-  EXPECT_TRUE(delegate_.request_failed());
-  EXPECT_EQ(ERR_REQUEST_RANGE_NOT_SATISFIABLE, delegate_.request_status());
-}
-
-TEST_F(URLRequestSimpleJobTest, InvalidRangeRequest) {
-  HttpRequestHeaders headers;
-  std::string range = base::StringPrintf(
-      "bytes=%d-%d", kRangeLastPosition, kRangeFirstPosition);
-  headers.SetHeader(HttpRequestHeaders::kRange, range);
-
-  StartRequest(&headers);
-
-  EXPECT_THAT(delegate_.request_status(), IsOk());
-  EXPECT_EQ(kTestData, delegate_.data_received());
-}
-
-TEST_F(URLRequestSimpleJobTest, EmptyDataRequest) {
-  request_ = context_.CreateRequest(GURL("data:empty"), DEFAULT_PRIORITY,
-                                    &delegate_, TRAFFIC_ANNOTATION_FOR_TESTS);
-  StartRequest(nullptr);
-  EXPECT_THAT(delegate_.request_status(), IsOk());
-  EXPECT_EQ("", delegate_.data_received());
-}
-
-TEST_F(URLRequestSimpleJobTest, CancelBeforeResponseStarts) {
-  request_ = context_.CreateRequest(GURL("data:cancel"), DEFAULT_PRIORITY,
-                                    &delegate_, TRAFFIC_ANNOTATION_FOR_TESTS);
-  request_->Start();
-  request_->Cancel();
-
-  base::RunLoop().RunUntilIdle();
-  EXPECT_THAT(delegate_.request_status(), IsError(ERR_ABORTED));
-  EXPECT_EQ(1, delegate_.response_started_count());
-}
-
-TEST_F(URLRequestSimpleJobTest, CancelAfterFirstReadStarted) {
-  CancelAfterFirstReadURLRequestDelegate cancel_delegate;
-  request_ =
-      context_.CreateRequest(GURL("data:cancel"), DEFAULT_PRIORITY,
-                             &cancel_delegate, TRAFFIC_ANNOTATION_FOR_TESTS);
-  request_->Start();
-  cancel_delegate.WaitUntilHeadersReceived();
-  base::RunLoop().RunUntilIdle();
-
-  EXPECT_THAT(cancel_delegate.request_status(), IsError(ERR_ABORTED));
-  EXPECT_EQ(1, cancel_delegate.response_started_count());
-  EXPECT_EQ("", cancel_delegate.data_received());
-  // Destroy the request so it doesn't outlive its delegate.
-  request_.reset();
-}
-
-}  // namespace net
diff --git a/chromium/net/url_request/url_request_test_util.cc b/chromium/net/url_request/url_request_test_util.cc
index 5170349b880..7a5c0eb794a 100644
--- a/chromium/net/url_request/url_request_test_util.cc
+++ b/chromium/net/url_request/url_request_test_util.cc
@@ -24,6 +24,7 @@
 #include "net/http/http_server_properties.h"
 #include "net/http/transport_security_state.h"
 #include "net/proxy_resolution/proxy_retry_info.h"
+#include "net/quic/quic_context.h"
 #include "net/url_request/static_http_user_agent_settings.h"
 #include "net/url_request/url_request_job.h"
 #include "net/url_request/url_request_job_factory_impl.h"
@@ -113,6 +114,9 @@ void TestURLRequestContext::Init() {
     context_storage_.set_http_server_properties(
         std::make_unique<HttpServerProperties>());
   }
+  if (!quic_context()) {
+    context_storage_.set_quic_context(std::make_unique<QuicContext>());
+  }
   // In-memory cookie store.
   if (!cookie_store()) {
     context_storage_.set_cookie_store(std::make_unique<CookieMonster>(
@@ -147,6 +151,7 @@ void TestURLRequestContext::Init() {
     session_context.ssl_config_service = ssl_config_service();
     session_context.http_auth_handler_factory = http_auth_handler_factory();
     session_context.http_server_properties = http_server_properties();
+    session_context.quic_context = quic_context();
     session_context.net_log = net_log();
 #if BUILDFLAG(ENABLE_REPORTING)
     session_context.network_error_logging_service =
@@ -164,6 +169,16 @@ void TestURLRequestContext::Init() {
   }
 }
 
+std::unique_ptr<URLRequest> TestURLRequestContext::CreateFirstPartyRequest(
+    const GURL& url,
+    RequestPriority priority,
+    URLRequest::Delegate* delegate,
+    NetworkTrafficAnnotationTag traffic_annotation) const {
+  auto req = CreateRequest(url, priority, delegate, traffic_annotation);
+  req->set_site_for_cookies(url);
+  return req;
+}
+
 TestURLRequestContextGetter::TestURLRequestContextGetter(
     const scoped_refptr<base::SingleThreadTaskRunner>& network_task_runner)
     : network_task_runner_(network_task_runner) {
@@ -269,6 +284,7 @@ void TestDelegate::OnSSLCertificateError(URLRequest* request,
   // cancel the request.
   have_certificate_errors_ = true;
   certificate_errors_are_fatal_ = fatal;
+  certificate_net_error_ = net_error;
   if (allow_certificate_errors_)
     request->ContinueDespiteLastError();
   else
@@ -460,7 +476,8 @@ int TestNetworkDelegate::OnHeadersReceived(
     const HttpResponseHeaders* original_response_headers,
     scoped_refptr<HttpResponseHeaders>* override_response_headers,
     const IPEndPoint& endpoint,
-    GURL* allowed_unsafe_redirect_url) {
+    base::Optional<GURL>* preserve_fragment_on_redirect_url) {
+  EXPECT_FALSE(preserve_fragment_on_redirect_url->has_value());
   int req_id = GetRequestId(request);
   bool is_first_response =
       event_order_[req_id].find("OnHeadersReceived\n") == std::string::npos;
@@ -487,8 +504,8 @@ int TestNetworkDelegate::OnHeadersReceived(
 
     redirect_on_headers_received_url_ = GURL();
 
-    if (!allowed_unsafe_redirect_url_.is_empty())
-      *allowed_unsafe_redirect_url = allowed_unsafe_redirect_url_;
+    // Since both values are base::Optionals, can just copy this over.
+    *preserve_fragment_on_redirect_url = preserve_fragment_on_redirect_url_;
   } else if (add_header_to_first_response_ && is_first_response) {
     *override_response_headers =
         new HttpResponseHeaders(original_response_headers->raw_headers());
diff --git a/chromium/net/url_request/url_request_test_util.h b/chromium/net/url_request/url_request_test_util.h
index aaaf60bd15c..ce3e211a636 100644
--- a/chromium/net/url_request/url_request_test_util.h
+++ b/chromium/net/url_request/url_request_test_util.h
@@ -15,6 +15,7 @@
 
 #include "base/compiler_specific.h"
 #include "base/memory/ref_counted.h"
+#include "base/optional.h"
 #include "base/path_service.h"
 #include "base/single_thread_task_runner.h"
 #include "base/strings/string16.h"
@@ -88,6 +89,14 @@ class TestURLRequestContext : public URLRequestContext {
     create_default_http_user_agent_settings_ = value;
   }
 
+  // Like CreateRequest, but also updates |site_for_cookies| to give the request
+  // a 1st-party context.
+  std::unique_ptr<URLRequest> CreateFirstPartyRequest(
+      const GURL& url,
+      RequestPriority priority,
+      URLRequest::Delegate* delegate,
+      NetworkTrafficAnnotationTag traffic_annotation) const;
+
  private:
   bool initialized_ = false;
 
@@ -188,6 +197,7 @@ class TestDelegate : public URLRequest::Delegate {
   bool certificate_errors_are_fatal() const {
     return certificate_errors_are_fatal_;
   }
+  int certificate_net_error() const { return certificate_net_error_; }
   bool auth_required_called() const { return auth_required_; }
   bool response_completed() const { return response_completed_; }
   int request_status() const { return request_status_; }
@@ -238,6 +248,7 @@ class TestDelegate : public URLRequest::Delegate {
   bool request_failed_ = false;
   bool have_certificate_errors_ = false;
   bool certificate_errors_are_fatal_ = false;
+  int certificate_net_error_ = 0;
   bool auth_required_ = false;
   std::string data_received_;
   bool response_completed_ = false;
@@ -280,8 +291,9 @@ class TestNetworkDelegate : public NetworkDelegateImpl {
     add_header_to_first_response_ = add_header_to_first_response;
   }
 
-  void set_allowed_unsafe_redirect_url(GURL allowed_unsafe_redirect_url) {
-    allowed_unsafe_redirect_url_ = allowed_unsafe_redirect_url;
+  void set_preserve_fragment_on_redirect_url(
+      const base::Optional<GURL>& preserve_fragment_on_redirect_url) {
+    preserve_fragment_on_redirect_url_ = preserve_fragment_on_redirect_url;
   }
 
   void set_cookie_options(int o) {cookie_options_bit_mask_ = o; }
@@ -340,7 +352,7 @@ class TestNetworkDelegate : public NetworkDelegateImpl {
       const HttpResponseHeaders* original_response_headers,
       scoped_refptr<HttpResponseHeaders>* override_response_headers,
       const IPEndPoint& endpoint,
-      GURL* allowed_unsafe_redirect_url) override;
+      base::Optional<GURL>* preserve_fragment_on_redirect_url) override;
   void OnBeforeRedirect(URLRequest* request, const GURL& new_location) override;
   void OnResponseStarted(URLRequest* request, int net_error) override;
   void OnCompleted(URLRequest* request, bool started, int net_error) override;
@@ -365,8 +377,9 @@ class TestNetworkDelegate : public NetworkDelegateImpl {
   int GetRequestId(URLRequest* request);
 
   GURL redirect_on_headers_received_url_;
-  // URL marked as safe for redirection at the onHeadersReceived stage.
-  GURL allowed_unsafe_redirect_url_;
+  // URL to mark as retaining its fragment if redirected to at the
+  // OnHeadersReceived() stage.
+  base::Optional<GURL> preserve_fragment_on_redirect_url_;
 
   int last_error_;
   int error_count_;
diff --git a/chromium/net/url_request/url_request_unittest.cc b/chromium/net/url_request/url_request_unittest.cc
index 20add8ef94a..25b8921af8c 100644
--- a/chromium/net/url_request/url_request_unittest.cc
+++ b/chromium/net/url_request/url_request_unittest.cc
@@ -32,7 +32,7 @@
 #include "base/json/json_reader.h"
 #include "base/location.h"
 #include "base/memory/weak_ptr.h"
-#include "base/message_loop/message_loop.h"
+#include "base/optional.h"
 #include "base/path_service.h"
 #include "base/run_loop.h"
 #include "base/single_thread_task_runner.h"
@@ -49,11 +49,13 @@
 #include "base/threading/thread_task_runner_handle.h"
 #include "base/values.h"
 #include "build/buildflag.h"
+#include "crypto/sha2.h"
 #include "net/base/chunked_upload_data_stream.h"
 #include "net/base/directory_listing.h"
 #include "net/base/elements_upload_data_stream.h"
 #include "net/base/escape.h"
 #include "net/base/features.h"
+#include "net/base/hash_value.h"
 #include "net/base/load_flags.h"
 #include "net/base/load_timing_info.h"
 #include "net/base/load_timing_info_test_util.h"
@@ -66,6 +68,7 @@
 #include "net/base/upload_data_stream.h"
 #include "net/base/upload_file_element_reader.h"
 #include "net/base/url_util.h"
+#include "net/cert/asn1_util.h"
 #include "net/cert/cert_net_fetcher.h"
 #include "net/cert/crl_set.h"
 #include "net/cert/ct_policy_enforcer.h"
@@ -76,10 +79,12 @@
 #include "net/cert/multi_log_ct_verifier.h"
 #include "net/cert/signed_certificate_timestamp_and_status.h"
 #include "net/cert/test_root_certs.h"
-#include "net/cert_net/cert_net_fetcher_impl.h"
+#include "net/cert/x509_util.h"
+#include "net/cert_net/cert_net_fetcher_url_request.h"
 #include "net/cookies/canonical_cookie_test_helpers.h"
 #include "net/cookies/cookie_monster.h"
 #include "net/cookies/cookie_store_test_helpers.h"
+#include "net/cookies/test_cookie_access_delegate.h"
 #include "net/disk_cache/disk_cache.h"
 #include "net/dns/mock_host_resolver.h"
 #include "net/http/http_byte_range.h"
@@ -117,12 +122,10 @@
 #include "net/test/url_request/url_request_failed_job.h"
 #include "net/test/url_request/url_request_mock_http_job.h"
 #include "net/traffic_annotation/network_traffic_annotation_test_helper.h"
-#include "net/url_request/data_protocol_handler.h"
 #include "net/url_request/static_http_user_agent_settings.h"
 #include "net/url_request/url_request.h"
 #include "net/url_request/url_request_filter.h"
 #include "net/url_request/url_request_http_job.h"
-#include "net/url_request/url_request_http_job_histogram.h"
 #include "net/url_request/url_request_intercepting_job_factory.h"
 #include "net/url_request/url_request_interceptor.h"
 #include "net/url_request/url_request_job_factory_impl.h"
@@ -314,6 +317,16 @@ void TestLoadTimingNoHttpResponse(
 }
 #endif
 
+// Less verbose way of running a simple testserver for the tests below.
+class HttpTestServer : public EmbeddedTestServer {
+ public:
+  explicit HttpTestServer(const base::FilePath& document_root) {
+    AddDefaultHandlers(document_root);
+  }
+
+  HttpTestServer() { AddDefaultHandlers(base::FilePath()); }
+};
+
 // Job that allows monitoring of its priority.
 class PriorityMonitoringURLRequestJob : public URLRequestTestJob {
  public:
@@ -440,7 +453,7 @@ class BlockingNetworkDelegate : public TestNetworkDelegate {
       const HttpResponseHeaders* original_response_headers,
       scoped_refptr<HttpResponseHeaders>* override_response_headers,
       const IPEndPoint& endpoint,
-      GURL* allowed_unsafe_redirect_url) override;
+      base::Optional<GURL>* preserve_fragment_on_redirect_url) override;
 
   // Resets the callbacks and |stage_blocked_for_callback_|.
   void Reset();
@@ -546,13 +559,13 @@ int BlockingNetworkDelegate::OnHeadersReceived(
     const HttpResponseHeaders* original_response_headers,
     scoped_refptr<HttpResponseHeaders>* override_response_headers,
     const IPEndPoint& endpoint,
-    GURL* allowed_unsafe_redirect_url) {
+    base::Optional<GURL>* preserve_fragment_on_redirect_url) {
   // TestNetworkDelegate always completes synchronously.
-  CHECK_NE(
-      ERR_IO_PENDING,
-      TestNetworkDelegate::OnHeadersReceived(
-          request, base::NullCallback(), original_response_headers,
-          override_response_headers, endpoint, allowed_unsafe_redirect_url));
+  CHECK_NE(ERR_IO_PENDING,
+           TestNetworkDelegate::OnHeadersReceived(
+               request, base::NullCallback(), original_response_headers,
+               override_response_headers, endpoint,
+               preserve_fragment_on_redirect_url));
 
   return MaybeBlockStage(ON_HEADERS_RECEIVED, std::move(callback));
 }
@@ -699,10 +712,7 @@ class URLRequestTest : public PlatformTest, public WithTaskEnvironment {
 
   void TearDown() override { default_context_.reset(); }
 
-  virtual void SetUpFactory() {
-    job_factory_impl_->SetProtocolHandler(
-        "data", std::make_unique<DataProtocolHandler>());
-  }
+  virtual void SetUpFactory() {}
 
   TestNetworkDelegate* default_network_delegate() {
     return &default_network_delegate_;
@@ -736,7 +746,7 @@ class URLRequestTest : public PlatformTest, public WithTaskEnvironment {
   }
 
  protected:
-  TestNetLog net_log_;
+  RecordingTestNetLog net_log_;
   TestNetworkDelegate default_network_delegate_;  // Must outlive URLRequest.
   URLRequestJobFactoryImpl* job_factory_impl_;
   std::unique_ptr<URLRequestJobFactory> job_factory_;
@@ -764,46 +774,6 @@ TEST_F(URLRequestTest, AboutBlankTest) {
   }
 }
 
-TEST_F(URLRequestTest, DataURLImageTest) {
-  TestDelegate d;
-  {
-    // Use our nice little Chrome logo.
-    std::unique_ptr<URLRequest> r(default_context().CreateRequest(
-        GURL("data:image/png;base64,"
-             "iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAYAAAAf8/9hAAADVklEQVQ4jX2TfUwUB"
-             "BjG3w1y+HGcd9dxhXR8T4awOccJGgOSWclHImznLkTlSw0DDQXkrmgYgbUYnlQTqQ"
-             "xIEVxitD5UMCATRA1CEEg+Qjw3bWDxIauJv/5oumqs39/P827vnucRmYN0gyF01GI"
-             "5MpCVdW0gO7tvNC+vqSEtbZefk5NuLv1jdJ46p/zw0HeH4+PHr3h7c1mjoV2t5rKz"
-             "Mx1+fg9bAgK6zHq9cU5z+LpA3xOtx34+vTeT21onRuzssC3zxbbSwC13d/pFuC7Ck"
-             "IMDxQpF7r/MWq12UctI1dWWm99ypqSYmRUBdKem8MkrO/kgaTt1O7YzlpzE5GIVd0"
-             "WYUqt57yWf2McHTObYPbVD+ZwbtlLTVMZ3BW+TnLyXLaWtmEq6WJVbT3HBh3Svj2H"
-             "QQcm43XwmtoYM6vVKleh0uoWvnzW3v3MpidruPTQPf0bia7sJOtBM0ufTWNvus/nk"
-             "DFHF9ZS+uYVjRUasMeHUmyLYtcklTvzWGFZnNOXczThvpKIzjcahSqIzkvDLayDq6"
-             "D3eOjtBbNUEIZYyqsvj4V4wY92eNJ4IoyhTbxXX1T5xsV9tm9r4TQwHLiZw/pdDZJ"
-             "ea8TKmsmR/K0uLh/GwnCHghTja6lPhphezPfO5/5MrVvMzNaI3+ERHfrFzPKQukrQ"
-             "GI4d/3EFD/3E2mVNYvi4at7CXWREaxZGD+3hg28zD3gVMd6q5c8GdosynKmSeRuGz"
-             "pjyl1/9UDGtPR5HeaKT8Wjo17WXk579BXVUhN64ehF9fhRtq/uxxZKzNiZFGD0wRC"
-             "3NFROZ5mwIPL/96K/rKMMLrIzF9uhHr+/sYH7DAbwlgC4J+R2Z7FUx1qLnV7MGF40"
-             "smVSoJ/jvHRfYhQeUJd/SnYtGWhPHR0Sz+GE2F2yth0B36Vcz2KpnufBJbsysjjW4"
-             "kblBUiIjiURUWqJY65zxbnTy57GQyH58zgy0QBtTQv5gH15XMdKkYu+TGaJMnlm2O"
-             "34uI4b9tflqp1+QEFGzoW/ulmcofcpkZCYJhDfSpme7QcrHa+Xfji8paEQkTkSfmm"
-             "oRWRNZr/F1KfVMjW+IKEnv2FwZfKdzt0BQR6lClcZR0EfEXEfv/G6W9iLiIyCoReV"
-             "5EnhORIBHx+ufPj/gLB/zGI/G4Bk0AAAAASUVORK5CYII="),
-        DEFAULT_PRIORITY, &d, TRAFFIC_ANNOTATION_FOR_TESTS));
-
-    r->Start();
-    EXPECT_TRUE(r->is_pending());
-
-    d.RunUntilComplete();
-
-    EXPECT_TRUE(!r->is_pending());
-    EXPECT_FALSE(d.received_data_before_response());
-    EXPECT_EQ(d.bytes_received(), 911);
-    EXPECT_TRUE(r->GetResponseRemoteEndpoint().address().empty());
-    EXPECT_EQ(0, r->GetResponseRemoteEndpoint().port());
-  }
-}
-
 TEST_F(URLRequestTest, InvalidUrlTest) {
   TestDelegate d;
   {
@@ -835,6 +805,178 @@ TEST_F(URLRequestTest, InvalidReferrerTest) {
   EXPECT_TRUE(d.request_failed());
 }
 
+TEST_F(URLRequestTest, RecordsSameOriginReferrerHistogram) {
+  TestURLRequestContext context;
+  TestNetworkDelegate network_delegate;
+  network_delegate.set_cancel_request_with_policy_violating_referrer(false);
+  context.set_network_delegate(&network_delegate);
+  TestDelegate d;
+  std::unique_ptr<URLRequest> req(
+      context.CreateRequest(GURL("http://google.com/"), DEFAULT_PRIORITY, &d,
+                            TRAFFIC_ANNOTATION_FOR_TESTS));
+  req->SetReferrer("http://google.com");
+  req->set_referrer_policy(URLRequest::NEVER_CLEAR_REFERRER);
+
+  base::HistogramTester histograms;
+
+  req->Start();
+  d.RunUntilComplete();
+  histograms.ExpectUniqueSample(
+      "Net.URLRequest.ReferrerPolicyForRequest.SameOrigin",
+      static_cast<int>(URLRequest::NEVER_CLEAR_REFERRER), 1);
+}
+
+TEST_F(URLRequestTest, RecordsCrossOriginReferrerHistogram) {
+  TestURLRequestContext context;
+  TestNetworkDelegate network_delegate;
+  context.set_network_delegate(&network_delegate);
+  TestDelegate d;
+  std::unique_ptr<URLRequest> req(
+      context.CreateRequest(GURL("http://google.com/"), DEFAULT_PRIORITY, &d,
+                            TRAFFIC_ANNOTATION_FOR_TESTS));
+  req->SetReferrer("http://origin.com");
+
+  // Set a different policy just to make sure we aren't always logging the same
+  // policy.
+  req->set_referrer_policy(
+      URLRequest::CLEAR_REFERRER_ON_TRANSITION_FROM_SECURE_TO_INSECURE);
+
+  base::HistogramTester histograms;
+
+  req->Start();
+  d.RunUntilComplete();
+  histograms.ExpectUniqueSample(
+      "Net.URLRequest.ReferrerPolicyForRequest.CrossOrigin",
+      static_cast<int>(
+          URLRequest::CLEAR_REFERRER_ON_TRANSITION_FROM_SECURE_TO_INSECURE),
+      1);
+}
+
+TEST_F(URLRequestTest, RecordsReferrerHistogramAgainOnRedirect) {
+  TestURLRequestContext context;
+  BlockingNetworkDelegate network_delegate(
+      BlockingNetworkDelegate::SYNCHRONOUS);
+  network_delegate.set_redirect_url(GURL("http://redirect.com/"));
+  context.set_network_delegate(&network_delegate);
+  TestDelegate d;
+  std::unique_ptr<URLRequest> req(
+      context.CreateRequest(GURL("http://google.com/"), DEFAULT_PRIORITY, &d,
+                            TRAFFIC_ANNOTATION_FOR_TESTS));
+  req->SetReferrer("http://google.com");
+
+  req->set_referrer_policy(
+      URLRequest::CLEAR_REFERRER_ON_TRANSITION_FROM_SECURE_TO_INSECURE);
+
+  base::HistogramTester histograms;
+
+  req->Start();
+  d.RunUntilRedirect();
+  histograms.ExpectUniqueSample(
+      "Net.URLRequest.ReferrerPolicyForRequest.SameOrigin",
+      static_cast<int>(
+          URLRequest::CLEAR_REFERRER_ON_TRANSITION_FROM_SECURE_TO_INSECURE),
+      1);
+  req->FollowDeferredRedirect(/*removed_headers=*/base::nullopt,
+                              /*modified_headers=*/base::nullopt);
+  d.RunUntilComplete();
+  histograms.ExpectUniqueSample(
+      "Net.URLRequest.ReferrerPolicyForRequest.CrossOrigin",
+      static_cast<int>(
+          URLRequest::CLEAR_REFERRER_ON_TRANSITION_FROM_SECURE_TO_INSECURE),
+      1);
+}
+
+TEST_F(URLRequestTest, RecordsReferrrerWithInformativePath) {
+  TestURLRequestContext context;
+  BlockingNetworkDelegate network_delegate(
+      BlockingNetworkDelegate::SYNCHRONOUS);
+  network_delegate.set_cancel_request_with_policy_violating_referrer(true);
+  context.set_network_delegate(&network_delegate);
+  network_delegate.set_redirect_url(GURL("http://redirect.com/"));
+  TestDelegate d;
+  std::unique_ptr<URLRequest> req(
+      context.CreateRequest(GURL("http://google.com/"), DEFAULT_PRIORITY, &d,
+                            TRAFFIC_ANNOTATION_FOR_TESTS));
+
+  // Since this referrer is much more informative than the initiating origin,
+  // we should see the histograms' true buckets populated.
+  req->SetReferrer("http://google.com/very-informative-path");
+
+  base::HistogramTester histograms;
+
+  req->Start();
+  d.RunUntilRedirect();
+  histograms.ExpectUniqueSample(
+      "Net.URLRequest.ReferrerHasInformativePath.SameOrigin",
+      /* Check the count of the "true" bucket in the boolean histogram. */ true,
+      1);
+  req->FollowDeferredRedirect(/*removed_headers=*/base::nullopt,
+                              /*modified_headers=*/base::nullopt);
+  d.RunUntilComplete();
+  histograms.ExpectUniqueSample(
+      "Net.URLRequest.ReferrerHasInformativePath.CrossOrigin", true, 1);
+}
+
+TEST_F(URLRequestTest, RecordsReferrerWithInformativeQuery) {
+  TestURLRequestContext context;
+  BlockingNetworkDelegate network_delegate(
+      BlockingNetworkDelegate::SYNCHRONOUS);
+  network_delegate.set_cancel_request_with_policy_violating_referrer(true);
+  context.set_network_delegate(&network_delegate);
+  network_delegate.set_redirect_url(GURL("http://redirect.com/"));
+  TestDelegate d;
+  std::unique_ptr<URLRequest> req(
+      context.CreateRequest(GURL("http://google.com/"), DEFAULT_PRIORITY, &d,
+                            TRAFFIC_ANNOTATION_FOR_TESTS));
+
+  // Since this referrer is much more informative than the initiating origin,
+  // we should see the histograms' true buckets populated.
+  req->SetReferrer("http://google.com/?very-informative-query");
+
+  base::HistogramTester histograms;
+
+  req->Start();
+  d.RunUntilRedirect();
+  histograms.ExpectUniqueSample(
+      "Net.URLRequest.ReferrerHasInformativePath.SameOrigin",
+      /* Check the count of the "true" bucket in the boolean histogram. */ true,
+      1);
+  req->FollowDeferredRedirect(/*removed_headers=*/base::nullopt,
+                              /*modified_headers=*/base::nullopt);
+  d.RunUntilComplete();
+  histograms.ExpectUniqueSample(
+      "Net.URLRequest.ReferrerHasInformativePath.CrossOrigin", true, 1);
+}
+
+TEST_F(URLRequestTest, RecordsReferrerWithoutInformativePathOrQuery) {
+  TestURLRequestContext context;
+  BlockingNetworkDelegate network_delegate(
+      BlockingNetworkDelegate::SYNCHRONOUS);
+  network_delegate.set_cancel_request_with_policy_violating_referrer(false);
+  context.set_network_delegate(&network_delegate);
+  network_delegate.set_redirect_url(GURL("http://origin.com/"));
+  TestDelegate d;
+  std::unique_ptr<URLRequest> req(
+      context.CreateRequest(GURL("http://google.com/"), DEFAULT_PRIORITY, &d,
+                            TRAFFIC_ANNOTATION_FOR_TESTS));
+
+  // Since this referrer _isn't_ more informative than the initiating origin,
+  // we should see the histograms' false buckets populated.
+  req->SetReferrer("http://origin.com");
+
+  base::HistogramTester histograms;
+
+  req->Start();
+  d.RunUntilRedirect();
+  histograms.ExpectUniqueSample(
+      "Net.URLRequest.ReferrerHasInformativePath.CrossOrigin", false, 1);
+  req->FollowDeferredRedirect(/*removed_headers=*/base::nullopt,
+                              /*modified_headers=*/base::nullopt);
+  d.RunUntilComplete();
+  histograms.ExpectUniqueSample(
+      "Net.URLRequest.ReferrerHasInformativePath.SameOrigin", false, 1);
+}
+
 // An Interceptor for use with interceptor tests.
 class MockURLRequestInterceptor : public URLRequestInterceptor {
  public:
@@ -1271,11 +1413,17 @@ TEST_F(URLRequestTest, SkipSecureDnsEnabled) {
 // Make sure that NetworkDelegate::NotifyCompleted is called if
 // content is empty.
 TEST_F(URLRequestTest, RequestCompletionForEmptyResponse) {
+  HttpTestServer test_server;
+  ASSERT_TRUE(test_server.Start());
+
   TestDelegate d;
   std::unique_ptr<URLRequest> req(default_context().CreateRequest(
-      GURL("data:,"), DEFAULT_PRIORITY, &d, TRAFFIC_ANNOTATION_FOR_TESTS));
+      test_server.GetURL("/nocontent"), DEFAULT_PRIORITY, &d,
+      TRAFFIC_ANNOTATION_FOR_TESTS));
   req->Start();
   d.RunUntilComplete();
+  EXPECT_THAT(d.request_status(), IsOk());
+  EXPECT_EQ(204, req->GetResponseCode());
   EXPECT_EQ("", d.data_received());
   EXPECT_EQ(1, default_network_delegate_.completed_requests());
 }
@@ -1367,20 +1515,6 @@ TEST_F(URLRequestTest, PriorityIgnoreLimits) {
   EXPECT_EQ(MAXIMUM_PRIORITY, job_priority);
 }
 
-namespace {
-
-// Less verbose way of running a simple testserver for the tests below.
-class HttpTestServer : public EmbeddedTestServer {
- public:
-  explicit HttpTestServer(const base::FilePath& document_root) {
-    AddDefaultHandlers(document_root);
-  }
-
-  HttpTestServer() { AddDefaultHandlers(base::FilePath()); }
-};
-
-}  // namespace
-
 TEST_F(URLRequestTest, DelayedCookieCallback) {
   HttpTestServer test_server;
   ASSERT_TRUE(test_server.Start());
@@ -1394,7 +1528,7 @@ TEST_F(URLRequestTest, DelayedCookieCallback) {
     TestNetworkDelegate network_delegate;
     context.set_network_delegate(&network_delegate);
     TestDelegate d;
-    std::unique_ptr<URLRequest> req(context.CreateRequest(
+    std::unique_ptr<URLRequest> req(context.CreateFirstPartyRequest(
         test_server.GetURL("/set-cookie?CookieToNotSend=1"), DEFAULT_PRIORITY,
         &d, TRAFFIC_ANNOTATION_FOR_TESTS));
     req->Start();
@@ -1409,7 +1543,7 @@ TEST_F(URLRequestTest, DelayedCookieCallback) {
     TestNetworkDelegate network_delegate;
     context.set_network_delegate(&network_delegate);
     TestDelegate d;
-    std::unique_ptr<URLRequest> req(context.CreateRequest(
+    std::unique_ptr<URLRequest> req(context.CreateFirstPartyRequest(
         test_server.GetURL("/echoheader?Cookie"), DEFAULT_PRIORITY, &d,
         TRAFFIC_ANNOTATION_FOR_TESTS));
     req->Start();
@@ -1533,12 +1667,13 @@ TEST_F(URLRequestTest, DelayedCookieCallbackAsync) {
                                          base::Time::Now(),
                                          base::nullopt /* server_time */);
   delayed_cm->SetCanonicalCookieAsync(std::move(cookie1), url.scheme(),
-                                      CookieOptions(),
+                                      net::CookieOptions::MakeAllInclusive(),
                                       CookieStore::SetCookiesCallback());
   auto cookie2 = CanonicalCookie::Create(url, "AlreadySetCookie=1;Secure",
                                          base::Time::Now(),
                                          base::nullopt /* server_time */);
-  cm->SetCanonicalCookieAsync(std::move(cookie2), url.scheme(), CookieOptions(),
+  cm->SetCanonicalCookieAsync(std::move(cookie2), url.scheme(),
+                              net::CookieOptions::MakeAllInclusive(),
                               CookieStore::SetCookiesCallback());
 
   std::vector<std::string> cookie_lines(
@@ -1557,17 +1692,18 @@ TEST_F(URLRequestTest, DelayedCookieCallbackAsync) {
   for (auto first_cookie_line : cookie_lines) {
     for (auto second_cookie_line : cookie_lines) {
       // Run with the delayed cookie monster.
-      std::unique_ptr<URLRequest> request = async_context.CreateRequest(
-          test_server.GetURL("/set-cookie?" + first_cookie_line + "&" +
-                             second_cookie_line),
-          DEFAULT_PRIORITY, &async_delegate, TRAFFIC_ANNOTATION_FOR_TESTS);
+      std::unique_ptr<URLRequest> request =
+          async_context.CreateFirstPartyRequest(
+              test_server.GetURL("/set-cookie?" + first_cookie_line + "&" +
+                                 second_cookie_line),
+              DEFAULT_PRIORITY, &async_delegate, TRAFFIC_ANNOTATION_FOR_TESTS);
 
       request->Start();
       async_delegate.RunUntilComplete();
       EXPECT_THAT(async_delegate.request_status(), IsOk());
 
       // Run with the regular cookie monster.
-      request = sync_context.CreateRequest(
+      request = sync_context.CreateFirstPartyRequest(
           test_server.GetURL("/set-cookie?" + first_cookie_line + "&" +
                              second_cookie_line),
           DEFAULT_PRIORITY, &sync_delegate, TRAFFIC_ANNOTATION_FOR_TESTS);
@@ -1616,7 +1752,7 @@ TEST_F(URLRequestTest, DoNotSendCookies) {
     TestNetworkDelegate network_delegate;
     default_context().set_network_delegate(&network_delegate);
     TestDelegate d;
-    std::unique_ptr<URLRequest> req(default_context().CreateRequest(
+    std::unique_ptr<URLRequest> req(default_context().CreateFirstPartyRequest(
         test_server.GetURL("/set-cookie?CookieToNotSend=1"), DEFAULT_PRIORITY,
         &d, TRAFFIC_ANNOTATION_FOR_TESTS));
     req->Start();
@@ -1630,7 +1766,7 @@ TEST_F(URLRequestTest, DoNotSendCookies) {
     TestNetworkDelegate network_delegate;
     default_context().set_network_delegate(&network_delegate);
     TestDelegate d;
-    std::unique_ptr<URLRequest> req(default_context().CreateRequest(
+    std::unique_ptr<URLRequest> req(default_context().CreateFirstPartyRequest(
         test_server.GetURL("/echoheader?Cookie"), DEFAULT_PRIORITY, &d,
         TRAFFIC_ANNOTATION_FOR_TESTS));
     req->Start();
@@ -1647,7 +1783,7 @@ TEST_F(URLRequestTest, DoNotSendCookies) {
     TestNetworkDelegate network_delegate;
     default_context().set_network_delegate(&network_delegate);
     TestDelegate d;
-    std::unique_ptr<URLRequest> req(default_context().CreateRequest(
+    std::unique_ptr<URLRequest> req(default_context().CreateFirstPartyRequest(
         test_server.GetURL("/echoheader?Cookie"), DEFAULT_PRIORITY, &d,
         TRAFFIC_ANNOTATION_FOR_TESTS));
     req->SetLoadFlags(LOAD_DO_NOT_SEND_COOKIES);
@@ -1672,7 +1808,7 @@ TEST_F(URLRequestTest, DoNotSaveCookies) {
     TestNetworkDelegate network_delegate;
     default_context().set_network_delegate(&network_delegate);
     TestDelegate d;
-    std::unique_ptr<URLRequest> req(default_context().CreateRequest(
+    std::unique_ptr<URLRequest> req(default_context().CreateFirstPartyRequest(
         test_server.GetURL("/set-cookie?CookieToNotUpdate=2"), DEFAULT_PRIORITY,
         &d, TRAFFIC_ANNOTATION_FOR_TESTS));
     req->Start();
@@ -1688,7 +1824,7 @@ TEST_F(URLRequestTest, DoNotSaveCookies) {
     TestNetworkDelegate network_delegate;
     default_context().set_network_delegate(&network_delegate);
     TestDelegate d;
-    std::unique_ptr<URLRequest> req(default_context().CreateRequest(
+    std::unique_ptr<URLRequest> req(default_context().CreateFirstPartyRequest(
         test_server.GetURL("/set-cookie?CookieToNotSave=1&CookieToNotUpdate=1"),
         DEFAULT_PRIORITY, &d, TRAFFIC_ANNOTATION_FOR_TESTS));
     req->SetLoadFlags(LOAD_DO_NOT_SAVE_COOKIES);
@@ -1707,7 +1843,7 @@ TEST_F(URLRequestTest, DoNotSaveCookies) {
     TestNetworkDelegate network_delegate;
     default_context().set_network_delegate(&network_delegate);
     TestDelegate d;
-    std::unique_ptr<URLRequest> req(default_context().CreateRequest(
+    std::unique_ptr<URLRequest> req(default_context().CreateFirstPartyRequest(
         test_server.GetURL("/echoheader?Cookie"), DEFAULT_PRIORITY, &d,
         TRAFFIC_ANNOTATION_FOR_TESTS));
     req->Start();
@@ -1733,7 +1869,7 @@ TEST_F(URLRequestTest, DoNotSendCookies_ViaPolicy) {
     TestNetworkDelegate network_delegate;
     default_context().set_network_delegate(&network_delegate);
     TestDelegate d;
-    std::unique_ptr<URLRequest> req(default_context().CreateRequest(
+    std::unique_ptr<URLRequest> req(default_context().CreateFirstPartyRequest(
         test_server.GetURL("/set-cookie?CookieToNotSend=1"), DEFAULT_PRIORITY,
         &d, TRAFFIC_ANNOTATION_FOR_TESTS));
     req->Start();
@@ -1748,7 +1884,7 @@ TEST_F(URLRequestTest, DoNotSendCookies_ViaPolicy) {
     TestNetworkDelegate network_delegate;
     default_context().set_network_delegate(&network_delegate);
     TestDelegate d;
-    std::unique_ptr<URLRequest> req(default_context().CreateRequest(
+    std::unique_ptr<URLRequest> req(default_context().CreateFirstPartyRequest(
         test_server.GetURL("/echoheader?Cookie"), DEFAULT_PRIORITY, &d,
         TRAFFIC_ANNOTATION_FOR_TESTS));
     req->Start();
@@ -1772,7 +1908,7 @@ TEST_F(URLRequestTest, DoNotSendCookies_ViaPolicy) {
     default_context().set_network_delegate(&network_delegate);
     TestDelegate d;
     network_delegate.set_cookie_options(TestNetworkDelegate::NO_GET_COOKIES);
-    std::unique_ptr<URLRequest> req(default_context().CreateRequest(
+    std::unique_ptr<URLRequest> req(default_context().CreateFirstPartyRequest(
         test_server.GetURL("/echoheader?Cookie"), DEFAULT_PRIORITY, &d,
         TRAFFIC_ANNOTATION_FOR_TESTS));
     req->Start();
@@ -1805,7 +1941,7 @@ TEST_F(URLRequestTest, DoNotSaveCookies_ViaPolicy) {
     TestNetworkDelegate network_delegate;
     default_context().set_network_delegate(&network_delegate);
     TestDelegate d;
-    std::unique_ptr<URLRequest> req(default_context().CreateRequest(
+    std::unique_ptr<URLRequest> req(default_context().CreateFirstPartyRequest(
         test_server.GetURL("/set-cookie?CookieToNotUpdate=2"), DEFAULT_PRIORITY,
         &d, TRAFFIC_ANNOTATION_FOR_TESTS));
     req->Start();
@@ -1826,7 +1962,7 @@ TEST_F(URLRequestTest, DoNotSaveCookies_ViaPolicy) {
     default_context().set_network_delegate(&network_delegate);
     TestDelegate d;
     network_delegate.set_cookie_options(TestNetworkDelegate::NO_SET_COOKIE);
-    std::unique_ptr<URLRequest> req(default_context().CreateRequest(
+    std::unique_ptr<URLRequest> req(default_context().CreateFirstPartyRequest(
         test_server.GetURL("/set-cookie?CookieToNotSave=1&CookieToNotUpdate=1"),
         DEFAULT_PRIORITY, &d, TRAFFIC_ANNOTATION_FOR_TESTS));
     req->Start();
@@ -1846,7 +1982,7 @@ TEST_F(URLRequestTest, DoNotSaveCookies_ViaPolicy) {
     TestNetworkDelegate network_delegate;
     default_context().set_network_delegate(&network_delegate);
     TestDelegate d;
-    std::unique_ptr<URLRequest> req(default_context().CreateRequest(
+    std::unique_ptr<URLRequest> req(default_context().CreateFirstPartyRequest(
         test_server.GetURL("/echoheader?Cookie"), DEFAULT_PRIORITY, &d,
         TRAFFIC_ANNOTATION_FOR_TESTS));
     req->Start();
@@ -1871,7 +2007,7 @@ TEST_F(URLRequestTest, DoNotSaveEmptyCookies) {
     TestNetworkDelegate network_delegate;
     default_context().set_network_delegate(&network_delegate);
     TestDelegate d;
-    std::unique_ptr<URLRequest> req(default_context().CreateRequest(
+    std::unique_ptr<URLRequest> req(default_context().CreateFirstPartyRequest(
         test_server.GetURL("/set-cookie"), DEFAULT_PRIORITY, &d,
         TRAFFIC_ANNOTATION_FOR_TESTS));
     req->Start();
@@ -1892,7 +2028,7 @@ TEST_F(URLRequestTest, DoNotSendCookies_ViaPolicy_Async) {
     TestNetworkDelegate network_delegate;
     default_context().set_network_delegate(&network_delegate);
     TestDelegate d;
-    std::unique_ptr<URLRequest> req(default_context().CreateRequest(
+    std::unique_ptr<URLRequest> req(default_context().CreateFirstPartyRequest(
         test_server.GetURL("/set-cookie?CookieToNotSend=1"), DEFAULT_PRIORITY,
         &d, TRAFFIC_ANNOTATION_FOR_TESTS));
     req->Start();
@@ -1907,7 +2043,7 @@ TEST_F(URLRequestTest, DoNotSendCookies_ViaPolicy_Async) {
     TestNetworkDelegate network_delegate;
     default_context().set_network_delegate(&network_delegate);
     TestDelegate d;
-    std::unique_ptr<URLRequest> req(default_context().CreateRequest(
+    std::unique_ptr<URLRequest> req(default_context().CreateFirstPartyRequest(
         test_server.GetURL("/echoheader?Cookie"), DEFAULT_PRIORITY, &d,
         TRAFFIC_ANNOTATION_FOR_TESTS));
     req->Start();
@@ -1926,7 +2062,7 @@ TEST_F(URLRequestTest, DoNotSendCookies_ViaPolicy_Async) {
     default_context().set_network_delegate(&network_delegate);
     TestDelegate d;
     network_delegate.set_cookie_options(TestNetworkDelegate::NO_GET_COOKIES);
-    std::unique_ptr<URLRequest> req(default_context().CreateRequest(
+    std::unique_ptr<URLRequest> req(default_context().CreateFirstPartyRequest(
         test_server.GetURL("/echoheader?Cookie"), DEFAULT_PRIORITY, &d,
         TRAFFIC_ANNOTATION_FOR_TESTS));
     req->Start();
@@ -1949,7 +2085,7 @@ TEST_F(URLRequestTest, DoNotSaveCookies_ViaPolicy_Async) {
     TestNetworkDelegate network_delegate;
     default_context().set_network_delegate(&network_delegate);
     TestDelegate d;
-    std::unique_ptr<URLRequest> req(default_context().CreateRequest(
+    std::unique_ptr<URLRequest> req(default_context().CreateFirstPartyRequest(
         test_server.GetURL("/set-cookie?CookieToNotUpdate=2"), DEFAULT_PRIORITY,
         &d, TRAFFIC_ANNOTATION_FOR_TESTS));
     req->Start();
@@ -1965,7 +2101,7 @@ TEST_F(URLRequestTest, DoNotSaveCookies_ViaPolicy_Async) {
     default_context().set_network_delegate(&network_delegate);
     TestDelegate d;
     network_delegate.set_cookie_options(TestNetworkDelegate::NO_SET_COOKIE);
-    std::unique_ptr<URLRequest> req(default_context().CreateRequest(
+    std::unique_ptr<URLRequest> req(default_context().CreateFirstPartyRequest(
         test_server.GetURL("/set-cookie?CookieToNotSave=1&CookieToNotUpdate=1"),
         DEFAULT_PRIORITY, &d, TRAFFIC_ANNOTATION_FOR_TESTS));
     req->Start();
@@ -1981,7 +2117,7 @@ TEST_F(URLRequestTest, DoNotSaveCookies_ViaPolicy_Async) {
     TestNetworkDelegate network_delegate;
     default_context().set_network_delegate(&network_delegate);
     TestDelegate d;
-    std::unique_ptr<URLRequest> req(default_context().CreateRequest(
+    std::unique_ptr<URLRequest> req(default_context().CreateFirstPartyRequest(
         test_server.GetURL("/echoheader?Cookie"), DEFAULT_PRIORITY, &d,
         TRAFFIC_ANNOTATION_FOR_TESTS));
     req->Start();
@@ -2271,6 +2407,93 @@ TEST_F(URLRequestTest, SettingSameSiteCookies) {
   }
 }
 
+// Tests special chrome:// scheme that is supposed to always attach SameSite
+// cookies if the requested site is secure.
+TEST_F(URLRequestTest, SameSiteCookiesSpecialScheme) {
+  EmbeddedTestServer https_test_server(EmbeddedTestServer::TYPE_HTTPS);
+  https_test_server.AddDefaultHandlers(base::FilePath());
+  ASSERT_TRUE(https_test_server.Start());
+  EmbeddedTestServer http_test_server(EmbeddedTestServer::TYPE_HTTP);
+  http_test_server.AddDefaultHandlers(base::FilePath());
+  // Ensure they are on different ports.
+  ASSERT_TRUE(http_test_server.Start(https_test_server.port() + 1));
+  // Both hostnames should be 127.0.0.1 (so that we can use the same set of
+  // cookies on both, for convenience).
+  ASSERT_EQ(https_test_server.host_port_pair().host(),
+            http_test_server.host_port_pair().host());
+
+  // Set up special schemes
+  auto cad = std::make_unique<TestCookieAccessDelegate>();
+  cad->SetIgnoreSameSiteRestrictionsScheme("chrome", true);
+
+  CookieMonster cm(nullptr, nullptr);
+  cm.SetCookieAccessDelegate(std::move(cad));
+
+  TestURLRequestContext context(true);
+  context.set_cookie_store(&cm);
+  context.Init();
+
+  // SameSite cookies are not set for 'chrome' scheme if requested origin is not
+  // secure.
+  {
+    TestDelegate d;
+    std::unique_ptr<URLRequest> req(context.CreateRequest(
+        http_test_server.GetURL(
+            "/set-cookie?StrictSameSiteCookie=1;SameSite=Strict&"
+            "LaxSameSiteCookie=1;SameSite=Lax"),
+        DEFAULT_PRIORITY, &d, TRAFFIC_ANNOTATION_FOR_TESTS));
+    req->set_site_for_cookies(GURL("chrome://whatever/"));
+    req->Start();
+    d.RunUntilComplete();
+    EXPECT_EQ(0u, GetAllCookies(&context).size());
+  }
+
+  // But they are set for 'chrome' scheme if the requested origin is secure.
+  {
+    TestDelegate d;
+    std::unique_ptr<URLRequest> req(context.CreateRequest(
+        https_test_server.GetURL(
+            "/set-cookie?StrictSameSiteCookie=1;SameSite=Strict&"
+            "LaxSameSiteCookie=1;SameSite=Lax"),
+        DEFAULT_PRIORITY, &d, TRAFFIC_ANNOTATION_FOR_TESTS));
+    req->set_site_for_cookies(GURL("chrome://whatever/"));
+    req->Start();
+    d.RunUntilComplete();
+    CookieList cookies = GetAllCookies(&context);
+    EXPECT_EQ(2u, cookies.size());
+  }
+
+  // Verify that they are both sent when the site_for_cookies scheme is
+  // 'chrome' and the requested origin is secure.
+  {
+    TestDelegate d;
+    std::unique_ptr<URLRequest> req(context.CreateRequest(
+        https_test_server.GetURL("/echoheader?Cookie"), DEFAULT_PRIORITY, &d,
+        TRAFFIC_ANNOTATION_FOR_TESTS));
+    req->set_site_for_cookies(GURL("chrome://whatever/"));
+    req->Start();
+    d.RunUntilComplete();
+    EXPECT_NE(std::string::npos,
+              d.data_received().find("StrictSameSiteCookie=1"));
+    EXPECT_NE(std::string::npos, d.data_received().find("LaxSameSiteCookie=1"));
+  }
+
+  // Verify that they are not sent when the site_for_cookies scheme is
+  // 'chrome' and the requested origin is not secure.
+  {
+    TestDelegate d;
+    std::unique_ptr<URLRequest> req(context.CreateRequest(
+        http_test_server.GetURL("/echoheader?Cookie"), DEFAULT_PRIORITY, &d,
+        TRAFFIC_ANNOTATION_FOR_TESTS));
+    req->set_site_for_cookies(GURL("chrome://whatever/"));
+    req->Start();
+    d.RunUntilComplete();
+    EXPECT_EQ(std::string::npos,
+              d.data_received().find("StrictSameSiteCookie"));
+    EXPECT_EQ(std::string::npos, d.data_received().find("LaxSameSiteCookie"));
+  }
+}
+
 // Tests that __Secure- cookies can't be set on non-secure origins.
 TEST_F(URLRequestTest, SecureCookiePrefixOnNonsecureOrigin) {
   EmbeddedTestServer http_server;
@@ -2290,7 +2513,7 @@ TEST_F(URLRequestTest, SecureCookiePrefixOnNonsecureOrigin) {
   // Try to set a Secure __Secure- cookie.
   {
     TestDelegate d;
-    std::unique_ptr<URLRequest> req(context.CreateRequest(
+    std::unique_ptr<URLRequest> req(context.CreateFirstPartyRequest(
         http_server.GetURL("/set-cookie?__Secure-nonsecure-origin=1;Secure"),
         DEFAULT_PRIORITY, &d, TRAFFIC_ANNOTATION_FOR_TESTS));
     req->Start();
@@ -2302,7 +2525,7 @@ TEST_F(URLRequestTest, SecureCookiePrefixOnNonsecureOrigin) {
   // Verify that the cookie is not set.
   {
     TestDelegate d;
-    std::unique_ptr<URLRequest> req(context.CreateRequest(
+    std::unique_ptr<URLRequest> req(context.CreateFirstPartyRequest(
         https_server.GetURL("/echoheader?Cookie"), DEFAULT_PRIORITY, &d,
         TRAFFIC_ANNOTATION_FOR_TESTS));
     req->Start();
@@ -2329,7 +2552,7 @@ TEST_F(URLRequestTest, SecureCookiePrefixNonsecure) {
   // Try to set a non-Secure __Secure- cookie.
   {
     TestDelegate d;
-    std::unique_ptr<URLRequest> req(context.CreateRequest(
+    std::unique_ptr<URLRequest> req(context.CreateFirstPartyRequest(
         https_server.GetURL("/set-cookie?__Secure-foo=1"), DEFAULT_PRIORITY, &d,
         TRAFFIC_ANNOTATION_FOR_TESTS));
     req->Start();
@@ -2342,7 +2565,7 @@ TEST_F(URLRequestTest, SecureCookiePrefixNonsecure) {
   // Verify that the cookie is not set.
   {
     TestDelegate d;
-    std::unique_ptr<URLRequest> req(context.CreateRequest(
+    std::unique_ptr<URLRequest> req(context.CreateFirstPartyRequest(
         https_server.GetURL("/echoheader?Cookie"), DEFAULT_PRIORITY, &d,
         TRAFFIC_ANNOTATION_FOR_TESTS));
     req->Start();
@@ -2368,7 +2591,7 @@ TEST_F(URLRequestTest, SecureCookiePrefixSecure) {
   // Try to set a Secure __Secure- cookie.
   {
     TestDelegate d;
-    std::unique_ptr<URLRequest> req(context.CreateRequest(
+    std::unique_ptr<URLRequest> req(context.CreateFirstPartyRequest(
         https_server.GetURL("/set-cookie?__Secure-bar=1;Secure"),
         DEFAULT_PRIORITY, &d, TRAFFIC_ANNOTATION_FOR_TESTS));
     req->Start();
@@ -2380,7 +2603,7 @@ TEST_F(URLRequestTest, SecureCookiePrefixSecure) {
   // Verify that the cookie is set.
   {
     TestDelegate d;
-    std::unique_ptr<URLRequest> req(context.CreateRequest(
+    std::unique_ptr<URLRequest> req(context.CreateFirstPartyRequest(
         https_server.GetURL("/echoheader?Cookie"), DEFAULT_PRIORITY, &d,
         TRAFFIC_ANNOTATION_FOR_TESTS));
     req->Start();
@@ -2412,7 +2635,7 @@ TEST_F(URLRequestTest, StrictSecureCookiesOnNonsecureOrigin) {
   // Try to set a Secure cookie, with experimental features enabled.
   {
     TestDelegate d;
-    std::unique_ptr<URLRequest> req(context.CreateRequest(
+    std::unique_ptr<URLRequest> req(context.CreateFirstPartyRequest(
         http_server.GetURL("/set-cookie?nonsecure-origin=1;Secure"),
         DEFAULT_PRIORITY, &d, TRAFFIC_ANNOTATION_FOR_TESTS));
     req->Start();
@@ -2424,7 +2647,7 @@ TEST_F(URLRequestTest, StrictSecureCookiesOnNonsecureOrigin) {
   // Verify that the cookie is not set.
   {
     TestDelegate d;
-    std::unique_ptr<URLRequest> req(context.CreateRequest(
+    std::unique_ptr<URLRequest> req(context.CreateFirstPartyRequest(
         https_server.GetURL("/echoheader?Cookie"), DEFAULT_PRIORITY, &d,
         TRAFFIC_ANNOTATION_FOR_TESTS));
     req->Start();
@@ -2436,476 +2659,6 @@ TEST_F(URLRequestTest, StrictSecureCookiesOnNonsecureOrigin) {
   }
 }
 
-// The parameter is true for same-site and false for cross-site requests.
-class URLRequestTestParameterizedSameSite
-    : public URLRequestTest,
-      public ::testing::WithParamInterface<bool> {
- protected:
-  URLRequestTestParameterizedSameSite() {
-    auto params = std::make_unique<HttpNetworkSession::Params>();
-    params->ignore_certificate_errors = true;
-    context_.set_http_network_session_params(std::move(params));
-    context_.set_network_delegate(&network_delegate_);
-    https_server_.AddDefaultHandlers(
-        base::FilePath(FILE_PATH_LITERAL("net/data/ssl")));
-    EXPECT_TRUE(https_server_.Start());
-  }
-
-  // To be called after configuration of |context_| has been finalized.
-  void InitContext() { context_.Init(); }
-
-  const std::string kHost_ = "example.test";
-  const std::string kCrossHost_ = "cross-site.test";
-  TestURLRequestContext context_{true};
-  TestNetworkDelegate network_delegate_;
-  base::HistogramTester histograms_;
-  EmbeddedTestServer https_server_{EmbeddedTestServer::TYPE_HTTPS};
-};
-
-INSTANTIATE_TEST_SUITE_P(URLRequestTest,
-                         URLRequestTestParameterizedSameSite,
-                         ::testing::Bool());
-
-TEST_P(URLRequestTestParameterizedSameSite, CookieAgeMetrics) {
-  const bool same_site = GetParam();
-  const std::string kInitiatingHost = same_site ? kHost_ : kCrossHost_;
-  InitContext();
-
-  EmbeddedTestServer http_server;
-  http_server.AddDefaultHandlers(
-      base::FilePath(FILE_PATH_LITERAL("net/data/ssl")));
-  ASSERT_TRUE(http_server.Start());
-
-  // Set two test cookies.
-  {
-    TestDelegate d;
-    std::unique_ptr<URLRequest> req(context_.CreateRequest(
-        http_server.GetURL(kHost_, "/set-cookie?cookie=value&cookie2=value2"),
-        DEFAULT_PRIORITY, &d, TRAFFIC_ANNOTATION_FOR_TESTS));
-    req->Start();
-    d.RunUntilComplete();
-    ASSERT_EQ(2, network_delegate_.set_cookie_count());
-    histograms_.ExpectTotalCount("Cookie.AgeForNonSecureCrossSiteRequest", 0);
-    histograms_.ExpectTotalCount("Cookie.AgeForNonSecureSameSiteRequest", 0);
-    histograms_.ExpectTotalCount("Cookie.AgeForSecureCrossSiteRequest", 0);
-    histograms_.ExpectTotalCount("Cookie.AgeForSecureSameSiteRequest", 0);
-    histograms_.ExpectTotalCount("Cookie.AllAgesForNonSecureCrossSiteRequest",
-                                 0);
-    histograms_.ExpectTotalCount("Cookie.AllAgesForNonSecureSameSiteRequest",
-                                 0);
-    histograms_.ExpectTotalCount("Cookie.AllAgesForSecureCrossSiteRequest", 0);
-    histograms_.ExpectTotalCount("Cookie.AllAgesForSecureSameSiteRequest", 0);
-  }
-
-  // Make a secure request.
-  {
-    TestDelegate d;
-    std::unique_ptr<URLRequest> req(context_.CreateRequest(
-        https_server_.GetURL(kHost_, "/echoheader?Cookie"), DEFAULT_PRIORITY,
-        &d, TRAFFIC_ANNOTATION_FOR_TESTS));
-    req->set_site_for_cookies(https_server_.GetURL(kInitiatingHost, "/"));
-    req->set_initiator(
-        url::Origin::Create(https_server_.GetURL(kInitiatingHost, "/")));
-    req->Start();
-    d.RunUntilComplete();
-    histograms_.ExpectTotalCount("Cookie.AgeForNonSecureCrossSiteRequest", 0);
-    histograms_.ExpectTotalCount("Cookie.AgeForNonSecureSameSiteRequest", 0);
-    histograms_.ExpectTotalCount("Cookie.AgeForSecureCrossSiteRequest",
-                                 !same_site);
-    histograms_.ExpectTotalCount("Cookie.AgeForSecureSameSiteRequest",
-                                 same_site);
-    histograms_.ExpectTotalCount("Cookie.AllAgesForNonSecureCrossSiteRequest",
-                                 0);
-    histograms_.ExpectTotalCount("Cookie.AllAgesForNonSecureSameSiteRequest",
-                                 0);
-    histograms_.ExpectTotalCount("Cookie.AllAgesForSecureCrossSiteRequest",
-                                 same_site ? 0 : 2);
-    histograms_.ExpectTotalCount("Cookie.AllAgesForSecureSameSiteRequest",
-                                 same_site ? 2 : 0);
-    EXPECT_TRUE(d.data_received().find("cookie=value") != std::string::npos);
-    EXPECT_TRUE(d.data_received().find("cookie2=value2") != std::string::npos);
-  }
-
-  // Make a non-secure request.
-  {
-    TestDelegate d;
-    std::unique_ptr<URLRequest> req(context_.CreateRequest(
-        http_server.GetURL(kHost_, "/echoheader?Cookie"), DEFAULT_PRIORITY, &d,
-        TRAFFIC_ANNOTATION_FOR_TESTS));
-    req->set_site_for_cookies(http_server.GetURL(kInitiatingHost, "/"));
-    req->set_initiator(
-        url::Origin::Create(http_server.GetURL(kInitiatingHost, "/")));
-    req->Start();
-    d.RunUntilComplete();
-    histograms_.ExpectTotalCount("Cookie.AgeForNonSecureCrossSiteRequest",
-                                 !same_site);
-    histograms_.ExpectTotalCount("Cookie.AgeForNonSecureSameSiteRequest",
-                                 same_site);
-    histograms_.ExpectTotalCount("Cookie.AgeForSecureCrossSiteRequest",
-                                 !same_site);
-    histograms_.ExpectTotalCount("Cookie.AgeForSecureSameSiteRequest",
-                                 same_site);
-    histograms_.ExpectTotalCount("Cookie.AllAgesForNonSecureCrossSiteRequest",
-                                 same_site ? 0 : 2);
-    histograms_.ExpectTotalCount("Cookie.AllAgesForNonSecureSameSiteRequest",
-                                 same_site ? 2 : 0);
-    histograms_.ExpectTotalCount("Cookie.AllAgesForSecureCrossSiteRequest",
-                                 same_site ? 0 : 2);
-    histograms_.ExpectTotalCount("Cookie.AllAgesForSecureSameSiteRequest",
-                                 same_site ? 2 : 0);
-    EXPECT_TRUE(d.data_received().find("cookie=value") != std::string::npos);
-    EXPECT_TRUE(d.data_received().find("cookie2=value2") != std::string::npos);
-  }
-}
-
-// Cookies with secure attribute (no HSTS) --> k1pSecureAttribute
-TEST_P(URLRequestTestParameterizedSameSite,
-       CookieNetworkSecurityMetricSecureAttribute) {
-  const bool same_site = GetParam();
-  const std::string kInitiatingHost = same_site ? kHost_ : kCrossHost_;
-  InitContext();
-
-  // Set cookies.
-  {
-    TestDelegate d;
-    std::unique_ptr<URLRequest> req(context_.CreateRequest(
-        https_server_.GetURL(kHost_,
-                             "/set-cookie?session-cookie=value;Secure&"
-                             "longlived-cookie=value;Secure;domain=" +
-                                 kHost_ + ";Max-Age=360000"),
-        DEFAULT_PRIORITY, &d, TRAFFIC_ANNOTATION_FOR_TESTS));
-    req->Start();
-    d.RunUntilComplete();
-    ASSERT_EQ(2, network_delegate_.set_cookie_count());
-    histograms_.ExpectTotalCount("Cookie.NetworkSecurity", 0);
-  }
-
-  // Verify that the cookies fall into the correct metrics bucket.
-  {
-    TestDelegate d;
-    std::unique_ptr<URLRequest> req(context_.CreateRequest(
-        https_server_.GetURL(kHost_, "/echoheader?Cookie"), DEFAULT_PRIORITY,
-        &d, TRAFFIC_ANNOTATION_FOR_TESTS));
-    req->set_site_for_cookies(https_server_.GetURL(kInitiatingHost, "/"));
-    req->set_initiator(url::Origin::Create(https_server_.GetURL(kHost_, "/")));
-    req->Start();
-    d.RunUntilComplete();
-    histograms_.ExpectTotalCount("Cookie.NetworkSecurity", 2);
-    // Static cast of boolean required for MSVC 1911.
-    histograms_.ExpectBucketCount(
-        "Cookie.NetworkSecurity",
-        static_cast<int>(CookieNetworkSecurity::k1pSecureAttribute) |
-            static_cast<int>(!same_site),
-        2);
-  }
-}
-
-// Short-lived host cookie --> k1pHSTSHostCookie
-TEST_P(URLRequestTestParameterizedSameSite,
-       CookieNetworkSecurityMetricShortlivedHostCookie) {
-  const bool same_site = GetParam();
-  const std::string kInitiatingHost = same_site ? kHost_ : kCrossHost_;
-
-  TransportSecurityState transport_security_state;
-  transport_security_state.AddHSTS(
-      kHost_, base::Time::Now() + base::TimeDelta::FromHours(10),
-      false /* include_subdomains */);
-  context_.set_transport_security_state(&transport_security_state);
-  InitContext();
-
-  // Set cookie.
-  {
-    TestDelegate d;
-    std::unique_ptr<URLRequest> req(context_.CreateRequest(
-        https_server_.GetURL(kHost_, "/set-cookie?cookie=value;Max-Age=3600"),
-        DEFAULT_PRIORITY, &d, TRAFFIC_ANNOTATION_FOR_TESTS));
-    req->Start();
-    d.RunUntilComplete();
-    ASSERT_EQ(1, network_delegate_.set_cookie_count());
-    histograms_.ExpectTotalCount("Cookie.NetworkSecurity", 0);
-  }
-
-  // Verify that the cookie falls into the correct metrics bucket.
-  {
-    TestDelegate d;
-    std::unique_ptr<URLRequest> req(context_.CreateRequest(
-        https_server_.GetURL(kHost_, "/echoheader?Cookie"), DEFAULT_PRIORITY,
-        &d, TRAFFIC_ANNOTATION_FOR_TESTS));
-    req->set_site_for_cookies(https_server_.GetURL(kInitiatingHost, "/"));
-    req->set_initiator(url::Origin::Create(https_server_.GetURL(kHost_, "/")));
-    req->Start();
-    d.RunUntilComplete();
-    histograms_.ExpectTotalCount("Cookie.NetworkSecurity", 1);
-    // Static cast of boolean required for MSVC 1911.
-    histograms_.ExpectBucketCount(
-        "Cookie.NetworkSecurity",
-        static_cast<int>(CookieNetworkSecurity::k1pHSTSHostCookie) |
-            static_cast<int>(!same_site),
-        1);
-  }
-}
-
-// Long-lived (either due to expiry or due to being a session cookie) host
-// cookies --> k1pExpiringHSTSHostCookie
-TEST_P(URLRequestTestParameterizedSameSite,
-       CookieNetworkSecurityMetricLonglivedHostCookie) {
-  const bool same_site = GetParam();
-  const std::string kInitiatingHost = same_site ? kHost_ : kCrossHost_;
-
-  TransportSecurityState transport_security_state;
-  transport_security_state.AddHSTS(
-      kHost_, base::Time::Now() + base::TimeDelta::FromHours(10),
-      false /* include_subdomains */);
-  context_.set_transport_security_state(&transport_security_state);
-  InitContext();
-
-  // Set cookies.
-  {
-    TestDelegate d;
-    std::unique_ptr<URLRequest> req(context_.CreateRequest(
-        https_server_.GetURL(kHost_,
-                             "/set-cookie?session-cookie=value&"
-                             "longlived-cookie=value;Max-Age=360000"),
-        DEFAULT_PRIORITY, &d, TRAFFIC_ANNOTATION_FOR_TESTS));
-    req->Start();
-    d.RunUntilComplete();
-    ASSERT_EQ(2, network_delegate_.set_cookie_count());
-    histograms_.ExpectTotalCount("Cookie.NetworkSecurity", 0);
-  }
-
-  // Verify that the cookies fall into the correct metrics bucket.
-  {
-    TestDelegate d;
-    std::unique_ptr<URLRequest> req(context_.CreateRequest(
-        https_server_.GetURL(kHost_, "/echoheader?Cookie"), DEFAULT_PRIORITY,
-        &d, TRAFFIC_ANNOTATION_FOR_TESTS));
-    req->set_site_for_cookies(https_server_.GetURL(kInitiatingHost, "/"));
-    req->set_initiator(url::Origin::Create(https_server_.GetURL(kHost_, "/")));
-    req->Start();
-    d.RunUntilComplete();
-    histograms_.ExpectTotalCount("Cookie.NetworkSecurity", 2);
-    // Static cast of boolean required for MSVC 1911.
-    histograms_.ExpectBucketCount(
-        "Cookie.NetworkSecurity",
-        static_cast<int>(CookieNetworkSecurity::k1pExpiringHSTSHostCookie) |
-            static_cast<int>(!same_site),
-        2);
-  }
-}
-
-// Domain cookie with HSTS subdomains with cookie expiry before HSTS expiry -->
-// k1pHSTSSubdomainsIncluded
-TEST_P(URLRequestTestParameterizedSameSite,
-       CookieNetworkSecurityMetricShortlivedDomainCookie) {
-  const bool same_site = GetParam();
-  const std::string kInitiatingHost = same_site ? kHost_ : kCrossHost_;
-
-  TransportSecurityState transport_security_state;
-  transport_security_state.AddHSTS(
-      kHost_, base::Time::Now() + base::TimeDelta::FromHours(10),
-      true /* include_subdomains */);
-  context_.set_transport_security_state(&transport_security_state);
-  InitContext();
-
-  // Set cookie.
-  {
-    TestDelegate d;
-    std::unique_ptr<URLRequest> req(context_.CreateRequest(
-        https_server_.GetURL(kHost_, "/set-cookie?cookie=value;domain=" +
-                                         kHost_ + ";Max-Age=3600"),
-        DEFAULT_PRIORITY, &d, TRAFFIC_ANNOTATION_FOR_TESTS));
-    req->Start();
-    d.RunUntilComplete();
-    ASSERT_EQ(1, network_delegate_.set_cookie_count());
-    histograms_.ExpectTotalCount("Cookie.NetworkSecurity", 0);
-  }
-
-  // Verify that the cookie falls into the correct metrics bucket.
-  {
-    TestDelegate d;
-    std::unique_ptr<URLRequest> req(context_.CreateRequest(
-        https_server_.GetURL(kHost_, "/echoheader?Cookie"), DEFAULT_PRIORITY,
-        &d, TRAFFIC_ANNOTATION_FOR_TESTS));
-    req->set_site_for_cookies(https_server_.GetURL(kInitiatingHost, "/"));
-    req->set_initiator(url::Origin::Create(https_server_.GetURL(kHost_, "/")));
-    req->Start();
-    d.RunUntilComplete();
-    histograms_.ExpectTotalCount("Cookie.NetworkSecurity", 1);
-    // Static cast of boolean required for MSVC 1911.
-    histograms_.ExpectBucketCount(
-        "Cookie.NetworkSecurity",
-        static_cast<int>(CookieNetworkSecurity::k1pHSTSSubdomainsIncluded) |
-            static_cast<int>(!same_site),
-        1);
-  }
-}
-
-// Long-lived (either due to expiry or due to being a session cookie) domain
-// cookies with HSTS subdomains --> k1pExpiringHSTSSubdomainsIncluded
-TEST_P(URLRequestTestParameterizedSameSite,
-       CookieNetworkSecurityMetricLonglivedDomainCookie) {
-  const bool same_site = GetParam();
-  const std::string kInitiatingHost = same_site ? kHost_ : kCrossHost_;
-
-  TransportSecurityState transport_security_state;
-  transport_security_state.AddHSTS(
-      kHost_, base::Time::Now() + base::TimeDelta::FromHours(10),
-      true /* include_subdomains */);
-  context_.set_transport_security_state(&transport_security_state);
-  InitContext();
-
-  // Set cookies.
-  {
-    TestDelegate d;
-    std::unique_ptr<URLRequest> req(context_.CreateRequest(
-        https_server_.GetURL(
-            kHost_, "/set-cookie?session-cookie=value;domain=" + kHost_ + "&" +
-                        "longlived-cookie=value;domain=" + kHost_ +
-                        ";Max-Age=360000"),
-        DEFAULT_PRIORITY, &d, TRAFFIC_ANNOTATION_FOR_TESTS));
-    req->Start();
-    d.RunUntilComplete();
-    ASSERT_EQ(2, network_delegate_.set_cookie_count());
-    histograms_.ExpectTotalCount("Cookie.NetworkSecurity", 0);
-  }
-
-  // Verify that the cookies fall into the correct metrics bucket.
-  {
-    TestDelegate d;
-    std::unique_ptr<URLRequest> req(context_.CreateRequest(
-        https_server_.GetURL(kHost_, "/echoheader?Cookie"), DEFAULT_PRIORITY,
-        &d, TRAFFIC_ANNOTATION_FOR_TESTS));
-    req->set_site_for_cookies(https_server_.GetURL(kInitiatingHost, "/"));
-    req->set_initiator(url::Origin::Create(https_server_.GetURL(kHost_, "/")));
-    req->Start();
-    d.RunUntilComplete();
-    histograms_.ExpectTotalCount("Cookie.NetworkSecurity", 2);
-    // Static cast of boolean required for MSVC 1911.
-    histograms_.ExpectBucketCount(
-        "Cookie.NetworkSecurity",
-        static_cast<int>(
-            CookieNetworkSecurity::k1pExpiringHSTSSubdomainsIncluded) |
-            static_cast<int>(!same_site),
-        2);
-  }
-}
-
-// Domain cookie with HSTS subdomains not included --> k1pHSTSSpoofable
-TEST_P(URLRequestTestParameterizedSameSite,
-       CookieNetworkSecurityMetricSpoofableDomainCookie) {
-  const bool same_site = GetParam();
-  const std::string kInitiatingHost = same_site ? kHost_ : kCrossHost_;
-
-  TransportSecurityState transport_security_state;
-  transport_security_state.AddHSTS(
-      kHost_, base::Time::Now() + base::TimeDelta::FromHours(10),
-      false /* include_subdomains */);
-  context_.set_transport_security_state(&transport_security_state);
-  InitContext();
-
-  // Set cookie.
-  {
-    TestDelegate d;
-    std::unique_ptr<URLRequest> req(context_.CreateRequest(
-        https_server_.GetURL(kHost_, "/set-cookie?cookie=value;domain=" +
-                                         kHost_ + ";Max-Age=3600"),
-        DEFAULT_PRIORITY, &d, TRAFFIC_ANNOTATION_FOR_TESTS));
-    req->Start();
-    d.RunUntilComplete();
-    ASSERT_EQ(1, network_delegate_.set_cookie_count());
-    histograms_.ExpectTotalCount("Cookie.NetworkSecurity", 0);
-  }
-
-  // Verify that the cookie falls into the correct metrics bucket.
-  {
-    TestDelegate d;
-    std::unique_ptr<URLRequest> req(context_.CreateRequest(
-        https_server_.GetURL(kHost_, "/echoheader?Cookie"), DEFAULT_PRIORITY,
-        &d, TRAFFIC_ANNOTATION_FOR_TESTS));
-    req->set_site_for_cookies(https_server_.GetURL(kInitiatingHost, "/"));
-    req->set_initiator(url::Origin::Create(https_server_.GetURL(kHost_, "/")));
-    req->Start();
-    d.RunUntilComplete();
-    histograms_.ExpectTotalCount("Cookie.NetworkSecurity", 1);
-    // Static cast of boolean required for MSVC 1911.
-    histograms_.ExpectBucketCount(
-        "Cookie.NetworkSecurity",
-        static_cast<int>(CookieNetworkSecurity::k1pHSTSSpoofable) |
-            static_cast<int>(!same_site),
-        1);
-  }
-}
-
-// Cookie without HSTS --> k1p(Non)SecureConnection
-TEST_P(URLRequestTestParameterizedSameSite, CookieNetworkSecurityMetricNoHSTS) {
-  const bool same_site = GetParam();
-  const std::string kInitiatingHost = same_site ? kHost_ : kCrossHost_;
-  InitContext();
-
-  EmbeddedTestServer http_server;
-  http_server.AddDefaultHandlers(
-      base::FilePath(FILE_PATH_LITERAL("net/data/ssl")));
-  ASSERT_TRUE(http_server.Start());
-
-  // Set cookies.
-  {
-    TestDelegate d;
-    std::unique_ptr<URLRequest> req(context_.CreateRequest(
-        https_server_.GetURL(kHost_,
-                             "/set-cookie?cookie=value;domain=" + kHost_ +
-                                 ";Max-Age=3600&host-cookie=value"),
-        DEFAULT_PRIORITY, &d, TRAFFIC_ANNOTATION_FOR_TESTS));
-    req->Start();
-    d.RunUntilComplete();
-    ASSERT_EQ(2, network_delegate_.set_cookie_count());
-    histograms_.ExpectTotalCount("Cookie.NetworkSecurity", 0);
-  }
-
-  // Verify that the cookie falls into the correct metrics bucket.
-  {
-    TestDelegate d;
-    std::unique_ptr<URLRequest> req(context_.CreateRequest(
-        https_server_.GetURL(kHost_, "/echoheader?Cookie"), DEFAULT_PRIORITY,
-        &d, TRAFFIC_ANNOTATION_FOR_TESTS));
-    req->set_site_for_cookies(https_server_.GetURL(kInitiatingHost, "/"));
-    req->set_initiator(url::Origin::Create(https_server_.GetURL(kHost_, "/")));
-    req->Start();
-    d.RunUntilComplete();
-    histograms_.ExpectTotalCount("Cookie.NetworkSecurity", 2);
-    // Static cast of boolean required for MSVC 1911.
-    histograms_.ExpectBucketCount(
-        "Cookie.NetworkSecurity",
-        static_cast<int>(CookieNetworkSecurity::k1pSecureConnection) |
-            static_cast<int>(!same_site),
-        2);
-  }
-
-  // Verify that the cookie falls into the correct metrics bucket.
-  {
-    TestDelegate d;
-    std::unique_ptr<URLRequest> req(context_.CreateRequest(
-        http_server.GetURL(kHost_, "/echoheader?Cookie"), DEFAULT_PRIORITY, &d,
-        TRAFFIC_ANNOTATION_FOR_TESTS));
-    req->set_site_for_cookies(https_server_.GetURL(kInitiatingHost, "/"));
-    req->set_initiator(url::Origin::Create(https_server_.GetURL(kHost_, "/")));
-    req->Start();
-    d.RunUntilComplete();
-    histograms_.ExpectTotalCount("Cookie.NetworkSecurity", 4);
-    // Static cast of boolean required for MSVC 1911.
-    histograms_.ExpectBucketCount(
-        "Cookie.NetworkSecurity",
-        static_cast<int>(CookieNetworkSecurity::k1pSecureConnection) |
-            static_cast<int>(!same_site),
-        2);
-    // Static cast of boolean required for MSVC 1911.
-    histograms_.ExpectBucketCount(
-        "Cookie.NetworkSecurity",
-        static_cast<int>(CookieNetworkSecurity::k1pNonsecureConnection) |
-            static_cast<int>(!same_site),
-        2);
-  }
-}
-
 // FixedDateNetworkDelegate swaps out the server's HTTP Date response header
 // value for the |fixed_date| argument given to the constructor.
 class FixedDateNetworkDelegate : public TestNetworkDelegate {
@@ -2921,7 +2674,7 @@ class FixedDateNetworkDelegate : public TestNetworkDelegate {
       const HttpResponseHeaders* original_response_headers,
       scoped_refptr<HttpResponseHeaders>* override_response_headers,
       const IPEndPoint& endpoint,
-      GURL* allowed_unsafe_redirect_url) override;
+      base::Optional<GURL>* preserve_fragment_on_redirect_url) override;
 
  private:
   std::string fixed_date_;
@@ -2935,7 +2688,7 @@ int FixedDateNetworkDelegate::OnHeadersReceived(
     const HttpResponseHeaders* original_response_headers,
     scoped_refptr<HttpResponseHeaders>* override_response_headers,
     const IPEndPoint& endpoint,
-    GURL* allowed_unsafe_redirect_url) {
+    base::Optional<GURL>* preserve_fragment_on_redirect_url) {
   HttpResponseHeaders* new_response_headers =
       new HttpResponseHeaders(original_response_headers->raw_headers());
 
@@ -2945,7 +2698,7 @@ int FixedDateNetworkDelegate::OnHeadersReceived(
   *override_response_headers = new_response_headers;
   return TestNetworkDelegate::OnHeadersReceived(
       request, std::move(callback), original_response_headers,
-      override_response_headers, endpoint, allowed_unsafe_redirect_url);
+      override_response_headers, endpoint, preserve_fragment_on_redirect_url);
 }
 
 // Test that cookie expiration times are adjusted for server/client clock
@@ -2960,7 +2713,7 @@ TEST_F(URLRequestTest, AcceptClockSkewCookieWithWrongDateTimezone) {
     TestNetworkDelegate network_delegate;
     default_context().set_network_delegate(&network_delegate);
     TestDelegate d;
-    std::unique_ptr<URLRequest> req(default_context().CreateRequest(
+    std::unique_ptr<URLRequest> req(default_context().CreateFirstPartyRequest(
         test_server.GetURL(
             "/set-cookie?StillGood=1;expires=Mon,18-Apr-1977,22:50:13,GMT"),
         DEFAULT_PRIORITY, &d, TRAFFIC_ANNOTATION_FOR_TESTS));
@@ -2972,7 +2725,7 @@ TEST_F(URLRequestTest, AcceptClockSkewCookieWithWrongDateTimezone) {
     TestNetworkDelegate network_delegate;
     default_context().set_network_delegate(&network_delegate);
     TestDelegate d;
-    std::unique_ptr<URLRequest> req(default_context().CreateRequest(
+    std::unique_ptr<URLRequest> req(default_context().CreateFirstPartyRequest(
         test_server.GetURL("/echoheader?Cookie"), DEFAULT_PRIORITY, &d,
         TRAFFIC_ANNOTATION_FOR_TESTS));
     req->Start();
@@ -2985,7 +2738,7 @@ TEST_F(URLRequestTest, AcceptClockSkewCookieWithWrongDateTimezone) {
     FixedDateNetworkDelegate network_delegate("18-Apr-1977 22:49:13 UTC");
     default_context().set_network_delegate(&network_delegate);
     TestDelegate d;
-    std::unique_ptr<URLRequest> req(default_context().CreateRequest(
+    std::unique_ptr<URLRequest> req(default_context().CreateFirstPartyRequest(
         test_server.GetURL(
             "/set-cookie?StillGood=1;expires=Mon,18-Apr-1977,22:50:13,GMT"),
         DEFAULT_PRIORITY, &d, TRAFFIC_ANNOTATION_FOR_TESTS));
@@ -2997,7 +2750,7 @@ TEST_F(URLRequestTest, AcceptClockSkewCookieWithWrongDateTimezone) {
     TestNetworkDelegate network_delegate;
     default_context().set_network_delegate(&network_delegate);
     TestDelegate d;
-    std::unique_ptr<URLRequest> req(default_context().CreateRequest(
+    std::unique_ptr<URLRequest> req(default_context().CreateFirstPartyRequest(
         test_server.GetURL("/echoheader?Cookie"), DEFAULT_PRIORITY, &d,
         TRAFFIC_ANNOTATION_FOR_TESTS));
     req->Start();
@@ -3055,9 +2808,50 @@ TEST_F(URLRequestTest, DoNotOverrideReferrer) {
 
 class URLRequestTestHTTP : public URLRequestTest {
  public:
-  URLRequestTestHTTP() : test_server_(base::FilePath(kTestFilePath)) {}
+  const url::Origin origin1_;
+  const url::Origin origin2_;
+  const NetworkIsolationKey network_isolation_key1_;
+  const NetworkIsolationKey network_isolation_key2_;
+
+  URLRequestTestHTTP()
+      : origin1_(url::Origin::Create(GURL("https://foo.test/"))),
+        origin2_(url::Origin::Create(GURL("https://bar.test/"))),
+        network_isolation_key1_(NetworkIsolationKey(origin1_, origin1_)),
+        network_isolation_key2_(NetworkIsolationKey(origin2_, origin2_)),
+        test_server_(base::FilePath(kTestFilePath)) {}
 
  protected:
+  // ProtocolHandler for the scheme that's unsafe to redirect to.
+  class NET_EXPORT UnsafeRedirectProtocolHandler
+      : public URLRequestJobFactory::ProtocolHandler {
+   public:
+    UnsafeRedirectProtocolHandler() = default;
+    ~UnsafeRedirectProtocolHandler() override = default;
+
+    // URLRequestJobFactory::ProtocolHandler implementation:
+
+    URLRequestJob* MaybeCreateJob(
+        URLRequest* request,
+        NetworkDelegate* network_delegate) const override {
+      NOTREACHED();
+      return nullptr;
+    }
+
+    bool IsSafeRedirectTarget(const GURL& location) const override {
+      return false;
+    }
+
+   private:
+    DISALLOW_COPY_AND_ASSIGN(UnsafeRedirectProtocolHandler);
+  };
+
+  // URLRequestTest interface:
+  void SetUpFactory() override {
+    // Add FTP support to the default URLRequestContext.
+    job_factory_impl_->SetProtocolHandler(
+        "unsafe", std::make_unique<UnsafeRedirectProtocolHandler>());
+  }
+
   // Requests |redirect_url|, which must return a HTTP 3xx redirect.
   // |request_method| is the method to use for the initial request.
   // |redirect_method| is the method that is expected to be used for the second
@@ -3071,7 +2865,7 @@ class URLRequestTestHTTP : public URLRequestTest {
                               bool include_data) {
     static const char kData[] = "hello world";
     TestDelegate d;
-    std::unique_ptr<URLRequest> req(default_context().CreateRequest(
+    std::unique_ptr<URLRequest> req(default_context().CreateFirstPartyRequest(
         redirect_url, DEFAULT_PRIORITY, &d, TRAFFIC_ANNOTATION_FOR_TESTS));
     req->set_method(request_method);
     if (include_data) {
@@ -3117,7 +2911,7 @@ class URLRequestTestHTTP : public URLRequestTest {
                                     const std::string& redirect_method,
                                     const std::string& expected_origin_value) {
     TestDelegate d;
-    std::unique_ptr<URLRequest> req(default_context().CreateRequest(
+    std::unique_ptr<URLRequest> req(default_context().CreateFirstPartyRequest(
         redirect_url, DEFAULT_PRIORITY, &d, TRAFFIC_ANNOTATION_FOR_TESTS));
     req->set_method(request_method);
     req->SetExtraRequestHeaderByName(HttpRequestHeaders::kOrigin,
@@ -3187,7 +2981,7 @@ class URLRequestTestHTTP : public URLRequestTest {
 
   bool DoManyCookiesRequest(int num_cookies) {
     TestDelegate d;
-    std::unique_ptr<URLRequest> r(default_context().CreateRequest(
+    std::unique_ptr<URLRequest> r(default_context().CreateFirstPartyRequest(
         test_server_.GetURL("/set-many-cookies?" +
                             base::NumberToString(num_cookies)),
         DEFAULT_PRIORITY, &d, TRAFFIC_ANNOTATION_FOR_TESTS));
@@ -4343,13 +4137,13 @@ class AsyncLoggingNetworkDelegate : public TestNetworkDelegate {
       const HttpResponseHeaders* original_response_headers,
       scoped_refptr<HttpResponseHeaders>* override_response_headers,
       const IPEndPoint& endpoint,
-      GURL* allowed_unsafe_redirect_url) override {
+      base::Optional<GURL>* preserve_fragment_on_redirect_url) override {
     // TestNetworkDelegate always completes synchronously.
-    CHECK_NE(
-        ERR_IO_PENDING,
-        TestNetworkDelegate::OnHeadersReceived(
-            request, base::NullCallback(), original_response_headers,
-            override_response_headers, endpoint, allowed_unsafe_redirect_url));
+    CHECK_NE(ERR_IO_PENDING,
+             TestNetworkDelegate::OnHeadersReceived(
+                 request, base::NullCallback(), original_response_headers,
+                 override_response_headers, endpoint,
+                 preserve_fragment_on_redirect_url));
     return RunCallbackAsynchronously(request, std::move(callback));
   }
 
@@ -4743,7 +4537,7 @@ TEST_F(URLRequestTestHTTP, URLRequestDelegateOnRedirectCancelled) {
 
   for (auto cancel_stage : kCancelStages) {
     AsyncLoggingUrlRequestDelegate request_delegate(cancel_stage);
-    TestNetLog net_log;
+    RecordingTestNetLog net_log;
     TestURLRequestContext context(true);
     context.set_network_delegate(nullptr);
     context.set_net_log(&net_log);
@@ -5796,6 +5590,7 @@ TEST_F(URLRequestTestHTTP, NetworkErrorLogging_DontReportIfNetworkNotAccessed) {
   TestDelegate d;
   std::unique_ptr<URLRequest> request(context.CreateRequest(
       request_url, DEFAULT_PRIORITY, &d, TRAFFIC_ANNOTATION_FOR_TESTS));
+  request->set_network_isolation_key(network_isolation_key1_);
   request->Start();
   d.RunUntilComplete();
 
@@ -5808,6 +5603,7 @@ TEST_F(URLRequestTestHTTP, NetworkErrorLogging_DontReportIfNetworkNotAccessed) {
 
   request = context.CreateRequest(request_url, DEFAULT_PRIORITY, &d,
                                   TRAFFIC_ANNOTATION_FOR_TESTS);
+  request->set_network_isolation_key(network_isolation_key1_);
   request->Start();
   d.RunUntilComplete();
 
@@ -5975,6 +5771,7 @@ TEST_F(URLRequestTestHTTP, NetworkErrorLogging_304Response) {
     d.set_credentials(AuthCredentials(kUser, kSecret));
     std::unique_ptr<URLRequest> r(context.CreateRequest(
         request_url, DEFAULT_PRIORITY, &d, TRAFFIC_ANNOTATION_FOR_TESTS));
+    r->set_network_isolation_key(network_isolation_key1_);
     r->Start();
     d.RunUntilComplete();
   }
@@ -5999,6 +5796,7 @@ TEST_F(URLRequestTestHTTP, NetworkErrorLogging_304Response) {
     std::unique_ptr<URLRequest> r(context.CreateRequest(
         request_url, DEFAULT_PRIORITY, &d, TRAFFIC_ANNOTATION_FOR_TESTS));
     r->SetLoadFlags(LOAD_VALIDATE_CACHE);
+    r->set_network_isolation_key(network_isolation_key1_);
     r->Start();
     d.RunUntilComplete();
 
@@ -6119,17 +5917,7 @@ TEST_F(URLRequestTestHTTP, ContentTypeNormalizationTest) {
   req->Cancel();
 }
 
-TEST_F(URLRequestTestHTTP, ProtocolHandlerAndFactoryRestrictDataRedirects) {
-  // Test URLRequestJobFactory::ProtocolHandler::IsSafeRedirectTarget().
-  GURL data_url("data:,foo");
-  DataProtocolHandler data_protocol_handler;
-  EXPECT_FALSE(data_protocol_handler.IsSafeRedirectTarget(data_url));
-
-  // Test URLRequestJobFactoryImpl::IsSafeRedirectTarget().
-  EXPECT_FALSE(job_factory_->IsSafeRedirectTarget(data_url));
-}
-
-TEST_F(URLRequestTestHTTP, RestrictFileRedirects) {
+TEST_F(URLRequestTestHTTP, FileRedirect) {
   ASSERT_TRUE(http_test_server()->Start());
 
   TestDelegate d;
@@ -6143,7 +5931,7 @@ TEST_F(URLRequestTestHTTP, RestrictFileRedirects) {
   EXPECT_EQ(1, d.received_redirect_count());
 }
 
-TEST_F(URLRequestTestHTTP, RestrictDataRedirects) {
+TEST_F(URLRequestTestHTTP, DataRedirect) {
   ASSERT_TRUE(http_test_server()->Start());
 
   TestDelegate d;
@@ -6153,6 +5941,21 @@ TEST_F(URLRequestTestHTTP, RestrictDataRedirects) {
   req->Start();
   d.RunUntilComplete();
 
+  EXPECT_EQ(ERR_UNKNOWN_URL_SCHEME, d.request_status());
+  EXPECT_EQ(1, d.received_redirect_count());
+}
+
+TEST_F(URLRequestTestHTTP, RestrictUnsafeRedirect) {
+  ASSERT_TRUE(http_test_server()->Start());
+
+  TestDelegate d;
+  std::unique_ptr<URLRequest> req(default_context().CreateRequest(
+      http_test_server()->GetURL(
+          "/server-redirect?unsafe://here-there-be-dragons"),
+      DEFAULT_PRIORITY, &d, TRAFFIC_ANNOTATION_FOR_TESTS));
+  req->Start();
+  d.RunUntilComplete();
+
   EXPECT_EQ(ERR_UNSAFE_REDIRECT, d.request_status());
 
   // The redirect should have been rejected before reporting it to the
@@ -6189,6 +5992,7 @@ TEST_F(URLRequestTestHTTP, CacheRedirect) {
     TestDelegate d;
     std::unique_ptr<URLRequest> req(default_context().CreateRequest(
         redirect_url, DEFAULT_PRIORITY, &d, TRAFFIC_ANNOTATION_FOR_TESTS));
+    req->set_network_isolation_key(network_isolation_key1_);
     req->Start();
     d.RunUntilComplete();
     EXPECT_EQ(OK, d.request_status());
@@ -6200,6 +6004,7 @@ TEST_F(URLRequestTestHTTP, CacheRedirect) {
     TestDelegate d;
     std::unique_ptr<URLRequest> req(default_context().CreateRequest(
         redirect_url, DEFAULT_PRIORITY, &d, TRAFFIC_ANNOTATION_FOR_TESTS));
+    req->set_network_isolation_key(network_isolation_key1_);
     req->Start();
     d.RunUntilRedirect();
 
@@ -6254,69 +6059,17 @@ TEST_F(URLRequestTestHTTP, NoCacheOnNetworkDelegateRedirect) {
   }
 }
 
-// Tests that redirection to an unsafe URL is allowed when it has been marked as
-// safe.
-TEST_F(URLRequestTestHTTP, UnsafeRedirectToAllowedUnsafeURL) {
-  ASSERT_TRUE(http_test_server()->Start());
-
-  GURL unsafe_url("data:text/html,this-is-considered-an-unsafe-url");
-  default_network_delegate_.set_redirect_on_headers_received_url(unsafe_url);
-  default_network_delegate_.set_allowed_unsafe_redirect_url(unsafe_url);
-
-  TestDelegate d;
-  {
-    std::unique_ptr<URLRequest> r(default_context().CreateRequest(
-        http_test_server()->GetURL("/whatever"), DEFAULT_PRIORITY, &d,
-        TRAFFIC_ANNOTATION_FOR_TESTS));
-
-    r->Start();
-    d.RunUntilComplete();
-
-    EXPECT_EQ(OK, d.request_status());
-    EXPECT_EQ(2U, r->url_chain().size());
-    EXPECT_EQ(unsafe_url, r->url());
-    EXPECT_EQ("this-is-considered-an-unsafe-url", d.data_received());
-  }
-}
-
-// Tests that a redirect to a different unsafe URL is blocked, even after adding
-// some other URL to the allowlist.
-TEST_F(URLRequestTestHTTP, UnsafeRedirectToDifferentUnsafeURL) {
-  ASSERT_TRUE(http_test_server()->Start());
-
-  GURL unsafe_url("data:text/html,something");
-  GURL different_unsafe_url("data:text/html,something-else");
-  default_network_delegate_.set_redirect_on_headers_received_url(unsafe_url);
-  default_network_delegate_.set_allowed_unsafe_redirect_url(
-      different_unsafe_url);
-
-  TestDelegate d;
-  {
-    std::unique_ptr<URLRequest> r(default_context().CreateRequest(
-        http_test_server()->GetURL("/whatever"), DEFAULT_PRIORITY, &d,
-        TRAFFIC_ANNOTATION_FOR_TESTS));
-
-    r->Start();
-    d.RunUntilComplete();
-
-    EXPECT_EQ(ERR_UNSAFE_REDIRECT, d.request_status());
-
-    // The redirect should have been rejected before reporting it to the caller.
-    EXPECT_EQ(0, d.received_redirect_count());
-  }
-}
-
-// Redirects from an URL with fragment to an unsafe URL with fragment should
-// be allowed, and the reference fragment of the target URL should be preserved.
-TEST_F(URLRequestTestHTTP, UnsafeRedirectWithDifferentReferenceFragment) {
+// Check that |preserve_fragment_on_redirect_url| is respected.
+TEST_F(URLRequestTestHTTP, PreserveFragmentOnRedirectUrl) {
   ASSERT_TRUE(http_test_server()->Start());
 
   GURL original_url(http_test_server()->GetURL("/original#fragment1"));
-  GURL unsafe_url("data:,url-marked-safe-and-used-in-redirect#fragment2");
-  GURL expected_url("data:,url-marked-safe-and-used-in-redirect#fragment2");
+  GURL preserve_fragement_url(http_test_server()->GetURL("/echo"));
 
-  default_network_delegate_.set_redirect_on_headers_received_url(unsafe_url);
-  default_network_delegate_.set_allowed_unsafe_redirect_url(unsafe_url);
+  default_network_delegate_.set_redirect_on_headers_received_url(
+      preserve_fragement_url);
+  default_network_delegate_.set_preserve_fragment_on_redirect_url(
+      preserve_fragement_url);
 
   TestDelegate d;
   {
@@ -6329,51 +6082,23 @@ TEST_F(URLRequestTestHTTP, UnsafeRedirectWithDifferentReferenceFragment) {
     EXPECT_EQ(2U, r->url_chain().size());
     EXPECT_EQ(OK, d.request_status());
     EXPECT_EQ(original_url, r->original_url());
-    EXPECT_EQ(expected_url, r->url());
+    EXPECT_EQ(preserve_fragement_url, r->url());
   }
 }
 
-// When a delegate has specified a safe redirect URL, but it does not match the
-// redirect target, then do not prevent the reference fragment from being added.
-TEST_F(URLRequestTestHTTP, RedirectWithReferenceFragmentAndUnrelatedUnsafeUrl) {
+// Check that |preserve_fragment_on_redirect_url| has no effect when it doesn't
+// match the URL being redirected to.
+TEST_F(URLRequestTestHTTP, PreserveFragmentOnRedirectUrlMismatch) {
   ASSERT_TRUE(http_test_server()->Start());
 
-  GURL original_url(http_test_server()->GetURL("/original#expected-fragment"));
-  GURL unsafe_url("data:text/html,this-url-does-not-match-redirect-url");
-  GURL redirect_url(http_test_server()->GetURL("/target"));
-  GURL expected_redirect_url(
-      http_test_server()->GetURL("/target#expected-fragment"));
-
-  default_network_delegate_.set_redirect_on_headers_received_url(redirect_url);
-  default_network_delegate_.set_allowed_unsafe_redirect_url(unsafe_url);
-
-  TestDelegate d;
-  {
-    std::unique_ptr<URLRequest> r(default_context().CreateRequest(
-        original_url, DEFAULT_PRIORITY, &d, TRAFFIC_ANNOTATION_FOR_TESTS));
-
-    r->Start();
-    d.RunUntilComplete();
-
-    EXPECT_EQ(2U, r->url_chain().size());
-    EXPECT_EQ(OK, d.request_status());
-    EXPECT_EQ(original_url, r->original_url());
-    EXPECT_EQ(expected_redirect_url, r->url());
-  }
-}
-
-// When a delegate has specified a safe redirect URL, assume that the redirect
-// URL should not be changed. In particular, the reference fragment should not
-// be modified.
-TEST_F(URLRequestTestHTTP, RedirectWithReferenceFragment) {
-  ASSERT_TRUE(http_test_server()->Start());
-
-  GURL original_url(
-      http_test_server()->GetURL("/original#should-not-be-appended"));
-  GURL redirect_url("data:text/html,expect-no-reference-fragment");
+  GURL original_url(http_test_server()->GetURL("/original#fragment1"));
+  GURL preserve_fragement_url(http_test_server()->GetURL("/echo#fragment2"));
+  GURL redirect_url(http_test_server()->GetURL("/echo"));
+  GURL expected_url(http_test_server()->GetURL("/echo#fragment1"));
 
   default_network_delegate_.set_redirect_on_headers_received_url(redirect_url);
-  default_network_delegate_.set_allowed_unsafe_redirect_url(redirect_url);
+  default_network_delegate_.set_preserve_fragment_on_redirect_url(
+      preserve_fragement_url);
 
   TestDelegate d;
   {
@@ -6386,7 +6111,7 @@ TEST_F(URLRequestTestHTTP, RedirectWithReferenceFragment) {
     EXPECT_EQ(2U, r->url_chain().size());
     EXPECT_EQ(OK, d.request_status());
     EXPECT_EQ(original_url, r->original_url());
-    EXPECT_EQ(redirect_url, r->url());
+    EXPECT_EQ(expected_url, r->url());
   }
 }
 
@@ -6474,113 +6199,52 @@ TEST_F(URLRequestTestHTTP, EmptyReferrerAfterValidReferrer) {
   EXPECT_EQ(std::string("None"), d.data_received());
 }
 
-TEST_F(URLRequestTestHTTP, CapRefererDisabled) {
+TEST_F(URLRequestTestHTTP, CapRefererHeaderLength) {
   ASSERT_TRUE(http_test_server()->Start());
 
-  // Create a string, and pad it out to ~10k with a very exciting path.
-  std::string long_referer_header = "http://foo.com/";
-  long_referer_header.resize(10000, 'a');
-
-  // If the feature isn't enabled, a long `referer` will remain long.
-  TestDelegate d;
-  base::test::ScopedFeatureList feature_list;
-  feature_list.InitAndDisableFeature(features::kCapRefererHeaderLength);
-  std::unique_ptr<URLRequest> req(default_context().CreateRequest(
-      http_test_server()->GetURL("/echoheader?Referer"), DEFAULT_PRIORITY, &d,
-      TRAFFIC_ANNOTATION_FOR_TESTS));
-  req->SetReferrer(long_referer_header);
-  req->Start();
-  d.RunUntilComplete();
-
-  EXPECT_EQ(long_referer_header, d.data_received());
-}
-
-TEST_F(URLRequestTestHTTP, CapRefererHeaderLengthEnabled) {
-  ASSERT_TRUE(http_test_server()->Start());
-
-  // Create a string, and pad it out to ~10k with a very exciting path.
-  std::string long_referer_header = "http://foo.com/";
-  long_referer_header.resize(10000, 'a');
-
-  // If the feature is enabled without params, a `referer` longer than 4096
-  // bytes will be shortened.
+  // Verify that referrers over 4k are stripped to an origin, and referrers at
+  // or under 4k are unmodified.
   {
-    TestDelegate d;
-    base::test::ScopedFeatureList feature_list;
-    feature_list.InitAndEnableFeature(features::kCapRefererHeaderLength);
-
-    std::unique_ptr<URLRequest> req(default_context().CreateRequest(
-        http_test_server()->GetURL("/echoheader?Referer"), DEFAULT_PRIORITY, &d,
-        TRAFFIC_ANNOTATION_FOR_TESTS));
-    req->SetReferrer(long_referer_header);
-    req->Start();
-    d.RunUntilComplete();
-
-    EXPECT_EQ("http://foo.com/", d.data_received());
-  }
+    std::string original_header = "http://example.com/";
+    original_header.resize(4097, 'a');
 
-  // If the feature is enabled with params, they will govern the shortening
-  // behavior as expected. The following three tests verify behavior for a
-  // param larger than the referrer length, exactly the same as the string
-  // length, and shorter than the string length.
-  {
     TestDelegate d;
-    std::map<std::string, std::string> params;
-    params["MaxRefererHeaderLength"] =
-        base::NumberToString(long_referer_header.length() + 1);
-
-    base::test::ScopedFeatureList feature_list;
-    feature_list.InitAndEnableFeatureWithParameters(
-        features::kCapRefererHeaderLength, params);
-
     std::unique_ptr<URLRequest> req(default_context().CreateRequest(
         http_test_server()->GetURL("/echoheader?Referer"), DEFAULT_PRIORITY, &d,
         TRAFFIC_ANNOTATION_FOR_TESTS));
-    req->SetReferrer(long_referer_header);
+    req->SetReferrer(original_header);
     req->Start();
     d.RunUntilComplete();
 
-    EXPECT_EQ(long_referer_header, d.data_received());
+    EXPECT_EQ("http://example.com/", d.data_received());
   }
-
   {
-    TestDelegate d;
-    std::map<std::string, std::string> params;
-    params["MaxRefererHeaderLength"] =
-        base::NumberToString(long_referer_header.length());
-
-    base::test::ScopedFeatureList feature_list;
-    feature_list.InitAndEnableFeatureWithParameters(
-        features::kCapRefererHeaderLength, params);
+    std::string original_header = "http://example.com/";
+    original_header.resize(4096, 'a');
 
+    TestDelegate d;
     std::unique_ptr<URLRequest> req(default_context().CreateRequest(
         http_test_server()->GetURL("/echoheader?Referer"), DEFAULT_PRIORITY, &d,
         TRAFFIC_ANNOTATION_FOR_TESTS));
-    req->SetReferrer(long_referer_header);
+    req->SetReferrer(original_header);
     req->Start();
     d.RunUntilComplete();
 
-    EXPECT_EQ(long_referer_header, d.data_received());
+    EXPECT_EQ(original_header, d.data_received());
   }
-
   {
-    TestDelegate d;
-    std::map<std::string, std::string> params;
-    params["MaxRefererHeaderLength"] =
-        base::NumberToString(long_referer_header.length() - 1);
-
-    base::test::ScopedFeatureList feature_list;
-    feature_list.InitAndEnableFeatureWithParameters(
-        features::kCapRefererHeaderLength, params);
+    std::string original_header = "http://example.com/";
+    original_header.resize(4095, 'a');
 
+    TestDelegate d;
     std::unique_ptr<URLRequest> req(default_context().CreateRequest(
         http_test_server()->GetURL("/echoheader?Referer"), DEFAULT_PRIORITY, &d,
         TRAFFIC_ANNOTATION_FOR_TESTS));
-    req->SetReferrer(long_referer_header);
+    req->SetReferrer(original_header);
     req->Start();
     d.RunUntilComplete();
 
-    EXPECT_EQ("http://foo.com/", d.data_received());
+    EXPECT_EQ(original_header, d.data_received());
   }
 }
 
@@ -6769,6 +6433,7 @@ TEST_F(URLRequestTestHTTP, VaryHeader) {
     HttpRequestHeaders headers;
     headers.SetHeader("foo", "1");
     req->SetExtraRequestHeaders(headers);
+    req->set_network_isolation_key(network_isolation_key1_);
     req->Start();
     d.RunUntilComplete();
 
@@ -6786,6 +6451,7 @@ TEST_F(URLRequestTestHTTP, VaryHeader) {
     HttpRequestHeaders headers;
     headers.SetHeader("foo", "1");
     req->SetExtraRequestHeaders(headers);
+    req->set_network_isolation_key(network_isolation_key1_);
     req->Start();
     d.RunUntilComplete();
 
@@ -6805,6 +6471,7 @@ TEST_F(URLRequestTestHTTP, VaryHeader) {
     HttpRequestHeaders headers;
     headers.SetHeader("foo", "2");
     req->SetExtraRequestHeaders(headers);
+    req->set_network_isolation_key(network_isolation_key1_);
     req->Start();
     d.RunUntilComplete();
 
@@ -6827,6 +6494,7 @@ TEST_F(URLRequestTestHTTP, BasicAuth) {
     std::unique_ptr<URLRequest> r(default_context().CreateRequest(
         http_test_server()->GetURL("/auth-basic"), DEFAULT_PRIORITY, &d,
         TRAFFIC_ANNOTATION_FOR_TESTS));
+    r->set_network_isolation_key(network_isolation_key1_);
     r->Start();
 
     d.RunUntilComplete();
@@ -6845,6 +6513,7 @@ TEST_F(URLRequestTestHTTP, BasicAuth) {
         http_test_server()->GetURL("/auth-basic"), DEFAULT_PRIORITY, &d,
         TRAFFIC_ANNOTATION_FOR_TESTS));
     r->SetLoadFlags(LOAD_VALIDATE_CACHE);
+    r->set_network_isolation_key(network_isolation_key1_);
     r->Start();
 
     d.RunUntilComplete();
@@ -6965,6 +6634,71 @@ TEST_F(URLRequestTestHTTP, BasicAuthWithCookiesCancelAuth) {
   EXPECT_EQ(1, network_delegate.set_cookie_count());
 }
 
+// Tests that |key_auth_cache_by_network_isolation_key| is respected.
+TEST_F(URLRequestTestHTTP, AuthWithNetworkIsolationKey) {
+  ASSERT_TRUE(http_test_server()->Start());
+
+  for (bool key_auth_cache_by_network_isolation_key : {false, true}) {
+    TestURLRequestContext url_request_context(true /* delay_initialization */);
+    std::unique_ptr<HttpNetworkSession::Params> http_network_session_params =
+        std::make_unique<HttpNetworkSession::Params>();
+    http_network_session_params
+        ->key_auth_cache_server_entries_by_network_isolation_key =
+        key_auth_cache_by_network_isolation_key;
+    url_request_context.set_http_network_session_params(
+        std::move(http_network_session_params));
+    url_request_context.Init();
+
+    // Populate the auth cache using one NetworkIsolationKey.
+    {
+      TestDelegate d;
+      GURL url(base::StringPrintf(
+          "http://%s:%s@%s/auth-basic", base::UTF16ToASCII(kUser).c_str(),
+          base::UTF16ToASCII(kSecret).c_str(),
+          http_test_server()->host_port_pair().ToString().c_str()));
+
+      std::unique_ptr<URLRequest> r(url_request_context.CreateRequest(
+          url, DEFAULT_PRIORITY, &d, TRAFFIC_ANNOTATION_FOR_TESTS));
+      r->SetLoadFlags(LOAD_BYPASS_CACHE);
+      r->set_network_isolation_key(network_isolation_key1_);
+      r->Start();
+
+      d.RunUntilComplete();
+      EXPECT_THAT(d.request_status(), IsOk());
+      ASSERT_TRUE(r->response_headers());
+      EXPECT_EQ(200, r->response_headers()->response_code());
+      EXPECT_TRUE(d.data_received().find("user/secret") != std::string::npos);
+    }
+
+    // Make a request with another NetworkIsolationKey. This may or may not use
+    // the cached auth credentials, depending on whether or not the
+    // HttpAuthCache is configured to respect the NetworkIsolationKey.
+    {
+      TestDelegate d;
+
+      std::unique_ptr<URLRequest> r(url_request_context.CreateRequest(
+          http_test_server()->GetURL("/auth-basic"), DEFAULT_PRIORITY, &d,
+          TRAFFIC_ANNOTATION_FOR_TESTS));
+      r->SetLoadFlags(LOAD_BYPASS_CACHE);
+      r->set_network_isolation_key(network_isolation_key2_);
+      r->Start();
+
+      d.RunUntilComplete();
+
+      EXPECT_THAT(d.request_status(), IsOk());
+      ASSERT_TRUE(r->response_headers());
+      if (key_auth_cache_by_network_isolation_key) {
+        EXPECT_EQ(401, r->response_headers()->response_code());
+      } else {
+        EXPECT_EQ(200, r->response_headers()->response_code());
+      }
+
+      EXPECT_EQ(!key_auth_cache_by_network_isolation_key,
+                d.data_received().find("user/secret") != std::string::npos);
+    }
+  }
+}
+
 TEST_F(URLRequestTest, ReportCookieActivity) {
   HttpTestServer test_server;
   ASSERT_TRUE(test_server.Start());
@@ -6972,7 +6706,7 @@ TEST_F(URLRequestTest, ReportCookieActivity) {
   FilteringTestNetworkDelegate network_delegate;
   network_delegate.SetCookieFilter("not_stored_cookie");
   network_delegate.set_block_get_cookies();
-  TestNetLog net_log;
+  RecordingTestNetLog net_log;
   TestURLRequestContext context(true);
   context.set_network_delegate(&network_delegate);
   context.set_net_log(&net_log);
@@ -7117,6 +6851,180 @@ TEST_F(URLRequestTest, ReportCookieActivity) {
   }
 }
 
+// Test that the SameSite-by-default CookieInclusionStatus warnings do not get
+// set if the cookie would have been rejected for other reasons.
+// Regression test for https://crbug.com/1027318.
+TEST_F(URLRequestTest, NoCookieInclusionStatusWarningIfWouldBeExcludedAnyway) {
+  base::test::ScopedFeatureList feature_list;
+  feature_list.InitAndEnableFeature(features::kSameSiteByDefaultCookies);
+  HttpTestServer test_server;
+  ASSERT_TRUE(test_server.Start());
+
+  FilteringTestNetworkDelegate network_delegate;
+  network_delegate.SetCookieFilter("blockeduserpreference");
+  CookieMonster cm(nullptr, nullptr);
+  TestURLRequestContext context(true);
+  context.set_cookie_store(&cm);
+  context.set_network_delegate(&network_delegate);
+  context.Init();
+
+  // Set cookies
+  {
+    // Attempt to set some cookies in a cross-site context without a SameSite
+    // attribute. They should all be blocked. Only the one that would have been
+    // included had it not been for the new SameSite features should have a
+    // warning attached.
+    TestDelegate d;
+    GURL test_url = test_server.GetURL(
+        "/set-cookie?blockeduserpreference=true&"
+        "unspecifiedsamesite=1&"
+        "invalidsecure=1;Secure");
+    GURL cross_site_url = test_server.GetURL("other.example", "/");
+    std::unique_ptr<URLRequest> req(context.CreateRequest(
+        test_url, DEFAULT_PRIORITY, &d, TRAFFIC_ANNOTATION_FOR_TESTS));
+    req->set_site_for_cookies(cross_site_url);  // cross-site context
+    req->Start();
+    d.RunUntilComplete();
+
+    ASSERT_EQ(3u, req->maybe_stored_cookies().size());
+
+    // Cookie blocked by user preferences is not warned about.
+    EXPECT_EQ("blockeduserpreference",
+              req->maybe_stored_cookies()[0].cookie->Name());
+    // It doesn't pick up the EXCLUDE_UNSPECIFIED_TREATED_AS_LAX because it
+    // doesn't even make it to the cookie store (it is filtered out beforehand).
+    EXPECT_TRUE(req->maybe_stored_cookies()[0]
+                    .status.HasExactlyExclusionReasonsForTesting(
+                        {CanonicalCookie::CookieInclusionStatus::
+                             EXCLUDE_USER_PREFERENCES}));
+    EXPECT_EQ(CanonicalCookie::CookieInclusionStatus::DO_NOT_WARN,
+              req->maybe_stored_cookies()[0].status.warning());
+
+    // Cookie that would be included had it not been for the new SameSite rules
+    // is warned about.
+    EXPECT_EQ("unspecifiedsamesite",
+              req->maybe_stored_cookies()[1].cookie->Name());
+    EXPECT_TRUE(req->maybe_stored_cookies()[1]
+                    .status.HasExactlyExclusionReasonsForTesting(
+                        {CanonicalCookie::CookieInclusionStatus::
+                             EXCLUDE_SAMESITE_UNSPECIFIED_TREATED_AS_LAX}));
+    EXPECT_EQ(CanonicalCookie::CookieInclusionStatus::
+                  WARN_SAMESITE_UNSPECIFIED_CROSS_SITE_CONTEXT,
+              req->maybe_stored_cookies()[1].status.warning());
+
+    // Cookie that is blocked because of invalid Secure attribute is not warned
+    // about.
+    EXPECT_EQ("invalidsecure", req->maybe_stored_cookies()[2].cookie->Name());
+    EXPECT_TRUE(
+        req->maybe_stored_cookies()[2]
+            .status.HasExactlyExclusionReasonsForTesting(
+                {CanonicalCookie::CookieInclusionStatus::EXCLUDE_SECURE_ONLY,
+                 CanonicalCookie::CookieInclusionStatus::
+                     EXCLUDE_SAMESITE_UNSPECIFIED_TREATED_AS_LAX}));
+    EXPECT_EQ(CanonicalCookie::CookieInclusionStatus::DO_NOT_WARN,
+              req->maybe_stored_cookies()[2].status.warning());
+  }
+
+  // Get cookies (blocked by user preference)
+  network_delegate.set_block_get_cookies();
+  {
+    GURL url = test_server.GetURL("/");
+    auto cookie1 = CanonicalCookie::Create(url, "cookienosamesite=1",
+                                           base::Time::Now(), base::nullopt);
+    base::RunLoop run_loop;
+    CanonicalCookie::CookieInclusionStatus status;
+    cm.SetCanonicalCookieAsync(
+        std::move(cookie1), url.scheme(), CookieOptions::MakeAllInclusive(),
+        base::BindLambdaForTesting(
+            [&](CanonicalCookie::CookieInclusionStatus result) {
+              status = result;
+              run_loop.Quit();
+            }));
+    run_loop.Run();
+    EXPECT_TRUE(status.IsInclude());
+
+    TestDelegate d;
+    GURL test_url = test_server.GetURL("/echoheader?Cookie");
+    std::unique_ptr<URLRequest> req(context.CreateRequest(
+        test_url, DEFAULT_PRIORITY, &d, TRAFFIC_ANNOTATION_FOR_TESTS));
+    GURL cross_site_url = test_server.GetURL("other.example", "/");
+    req->set_site_for_cookies(cross_site_url);  // cross-site context
+    req->Start();
+    d.RunUntilComplete();
+
+    // No cookies were sent with the request because getting cookies is blocked.
+    EXPECT_EQ("None", d.data_received());
+    ASSERT_EQ(1u, req->maybe_sent_cookies().size());
+    EXPECT_EQ("cookienosamesite", req->maybe_sent_cookies()[0].cookie.Name());
+    EXPECT_TRUE(req->maybe_sent_cookies()[0]
+                    .status.HasExactlyExclusionReasonsForTesting(
+                        {CanonicalCookie::CookieInclusionStatus::
+                             EXCLUDE_USER_PREFERENCES,
+                         CanonicalCookie::CookieInclusionStatus::
+                             EXCLUDE_SAMESITE_UNSPECIFIED_TREATED_AS_LAX}));
+    // Cookie should not be warned about because it was blocked because of user
+    // preferences.
+    EXPECT_EQ(CanonicalCookie::CookieInclusionStatus::DO_NOT_WARN,
+              req->maybe_sent_cookies()[0].status.warning());
+  }
+  network_delegate.unset_block_get_cookies();
+
+  // Get cookies
+  {
+    GURL url = test_server.GetURL("/");
+    auto cookie2 = CanonicalCookie::Create(url, "cookiewithpath=1;path=/foo",
+                                           base::Time::Now(), base::nullopt);
+    base::RunLoop run_loop;
+    // Note: cookie1 from the previous testcase is still in the cookie store.
+    CanonicalCookie::CookieInclusionStatus status;
+    cm.SetCanonicalCookieAsync(
+        std::move(cookie2), url.scheme(), CookieOptions::MakeAllInclusive(),
+        base::BindLambdaForTesting(
+            [&](CanonicalCookie::CookieInclusionStatus result) {
+              status = result;
+              run_loop.Quit();
+            }));
+    run_loop.Run();
+    EXPECT_TRUE(status.IsInclude());
+
+    TestDelegate d;
+    GURL test_url = test_server.GetURL("/echoheader?Cookie");
+    std::unique_ptr<URLRequest> req(context.CreateRequest(
+        test_url, DEFAULT_PRIORITY, &d, TRAFFIC_ANNOTATION_FOR_TESTS));
+    GURL cross_site_url = test_server.GetURL("other.example", "/");
+    req->set_site_for_cookies(cross_site_url);  // cross-site context
+    req->Start();
+    d.RunUntilComplete();
+
+    // No cookies were sent with the request because they don't specify SameSite
+    // and the request is cross-site.
+    EXPECT_EQ("None", d.data_received());
+    ASSERT_EQ(2u, req->maybe_sent_cookies().size());
+    // Cookie excluded for other reasons is not warned about.
+    // Note: this cookie is first because the cookies are sorted by path length
+    // with longest first. See CookieSorter() in cookie_monster.cc.
+    EXPECT_EQ("cookiewithpath", req->maybe_sent_cookies()[0].cookie.Name());
+    EXPECT_TRUE(
+        req->maybe_sent_cookies()[0]
+            .status.HasExactlyExclusionReasonsForTesting(
+                {CanonicalCookie::CookieInclusionStatus::EXCLUDE_NOT_ON_PATH,
+                 CanonicalCookie::CookieInclusionStatus::
+                     EXCLUDE_SAMESITE_UNSPECIFIED_TREATED_AS_LAX}));
+    EXPECT_EQ(CanonicalCookie::CookieInclusionStatus::DO_NOT_WARN,
+              req->maybe_sent_cookies()[0].status.warning());
+    // Cookie that was only blocked because of unspecified SameSite should be
+    // warned about.
+    EXPECT_EQ("cookienosamesite", req->maybe_sent_cookies()[1].cookie.Name());
+    EXPECT_TRUE(req->maybe_sent_cookies()[1]
+                    .status.HasExactlyExclusionReasonsForTesting(
+                        {CanonicalCookie::CookieInclusionStatus::
+                             EXCLUDE_SAMESITE_UNSPECIFIED_TREATED_AS_LAX}));
+    EXPECT_EQ(CanonicalCookie::CookieInclusionStatus::
+                  WARN_SAMESITE_UNSPECIFIED_CROSS_SITE_CONTEXT,
+              req->maybe_sent_cookies()[1].status.warning());
+  }
+}
+
 TEST_F(URLRequestTestHTTP, AuthChallengeCancelCookieCollect) {
   ASSERT_TRUE(http_test_server()->Start());
   GURL url_requiring_auth =
@@ -7214,9 +7122,10 @@ TEST_F(URLRequestTestHTTP, AuthChallengeWithFilteredCookies) {
     auto another_cookie = CanonicalCookie::Create(
         url_requiring_auth_wo_cookies, "another_cookie=true", base::Time::Now(),
         base::nullopt /* server_time */);
-    cm->SetCanonicalCookieAsync(
-        std::move(another_cookie), url_requiring_auth_wo_cookies.scheme(),
-        CookieOptions(), CookieStore::SetCookiesCallback());
+    cm->SetCanonicalCookieAsync(std::move(another_cookie),
+                                url_requiring_auth_wo_cookies.scheme(),
+                                net::CookieOptions::MakeAllInclusive(),
+                                CookieStore::SetCookiesCallback());
     context.set_cookie_store(cm.get());
     context.Init();
 
@@ -7246,9 +7155,10 @@ TEST_F(URLRequestTestHTTP, AuthChallengeWithFilteredCookies) {
     auto one_more_cookie = CanonicalCookie::Create(
         url_requiring_auth_wo_cookies, "one_more_cookie=true",
         base::Time::Now(), base::nullopt /* server_time */);
-    cm->SetCanonicalCookieAsync(
-        std::move(one_more_cookie), url_requiring_auth_wo_cookies.scheme(),
-        CookieOptions(), CookieStore::SetCookiesCallback());
+    cm->SetCanonicalCookieAsync(std::move(one_more_cookie),
+                                url_requiring_auth_wo_cookies.scheme(),
+                                net::CookieOptions::MakeAllInclusive(),
+                                CookieStore::SetCookiesCallback());
 
     request->SetAuth(AuthCredentials(kUser, kSecret));
     delegate.RunUntilComplete();
@@ -7287,6 +7197,7 @@ TEST_F(URLRequestTestHTTP, BasicAuthLoadTiming) {
     std::unique_ptr<URLRequest> r(default_context().CreateRequest(
         http_test_server()->GetURL("/auth-basic"), DEFAULT_PRIORITY, &d,
         TRAFFIC_ANNOTATION_FOR_TESTS));
+    r->set_network_isolation_key(network_isolation_key1_);
     r->Start();
     d.RunUntilAuthRequired();
 
@@ -7321,6 +7232,7 @@ TEST_F(URLRequestTestHTTP, BasicAuthLoadTiming) {
         http_test_server()->GetURL("/auth-basic"), DEFAULT_PRIORITY, &d,
         TRAFFIC_ANNOTATION_FOR_TESTS));
     r->SetLoadFlags(LOAD_VALIDATE_CACHE);
+    r->set_network_isolation_key(network_isolation_key1_);
     r->Start();
 
     d.RunUntilComplete();
@@ -7624,7 +7536,8 @@ TEST_F(URLRequestTestHTTP, RedirectWithFilteredCookies) {
         original_url, "another_cookie=true", base::Time::Now(),
         base::nullopt /* server_time */);
     cm->SetCanonicalCookieAsync(std::move(another_cookie),
-                                original_url.scheme(), CookieOptions(),
+                                original_url.scheme(),
+                                net::CookieOptions::MakeAllInclusive(),
                                 CookieStore::SetCookiesCallback());
     context.set_cookie_store(cm.get());
     context.Init();
@@ -7654,9 +7567,10 @@ TEST_F(URLRequestTestHTTP, RedirectWithFilteredCookies) {
     auto one_more_cookie = CanonicalCookie::Create(
         original_url_wo_cookie, "one_more_cookie=true", base::Time::Now(),
         base::nullopt /* server_time */);
-    cm->SetCanonicalCookieAsync(
-        std::move(one_more_cookie), original_url_wo_cookie.scheme(),
-        CookieOptions(), CookieStore::SetCookiesCallback());
+    cm->SetCanonicalCookieAsync(std::move(one_more_cookie),
+                                original_url_wo_cookie.scheme(),
+                                net::CookieOptions::MakeAllInclusive(),
+                                CookieStore::SetCookiesCallback());
 
     request->FollowDeferredRedirect(base::nullopt, base::nullopt);
     delegate.RunUntilComplete();
@@ -8103,6 +8017,7 @@ TEST_F(URLRequestTestHTTP, NetworkAccessedClearOnCachedResponse) {
   std::unique_ptr<URLRequest> req(default_context().CreateRequest(
       http_test_server()->GetURL("/cachetime"), DEFAULT_PRIORITY, &d,
       TRAFFIC_ANNOTATION_FOR_TESTS));
+  req->set_network_isolation_key(network_isolation_key1_);
   req->Start();
   d.RunUntilComplete();
 
@@ -8113,6 +8028,7 @@ TEST_F(URLRequestTestHTTP, NetworkAccessedClearOnCachedResponse) {
   req = default_context().CreateRequest(
       http_test_server()->GetURL("/cachetime"), DEFAULT_PRIORITY, &d,
       TRAFFIC_ANNOTATION_FOR_TESTS);
+  req->set_network_isolation_key(network_isolation_key1_);
   req->Start();
   d.RunUntilComplete();
 
@@ -9405,6 +9321,7 @@ TEST_F(HTTPSRequestTest, SSLSessionCacheShardTest) {
       default_context_.http_auth_handler_factory();
   session_context.http_server_properties =
       default_context_.http_server_properties();
+  session_context.quic_context = default_context_.quic_context();
 
   HttpNetworkSession network_session(HttpNetworkSession::Params(),
                                      session_context);
@@ -9665,7 +9582,7 @@ class HTTPSOCSPTest : public HTTPSRequestTest {
   }
 
   void SetUp() override {
-    cert_net_fetcher_ = base::MakeRefCounted<CertNetFetcherImpl>();
+    cert_net_fetcher_ = base::MakeRefCounted<CertNetFetcherURLRequest>();
     cert_verifier_ = CertVerifier::CreateDefault(cert_net_fetcher_);
     context_.set_cert_verifier(cert_verifier_.get());
     context_.SetCTPolicyEnforcer(std::make_unique<DefaultCTPolicyEnforcer>());
@@ -9741,7 +9658,7 @@ class HTTPSOCSPTest : public HTTPSRequestTest {
 
   std::unique_ptr<ScopedTestRoot> test_root_;
   std::unique_ptr<TestSSLConfigService> ssl_config_service_;
-  scoped_refptr<CertNetFetcherImpl> cert_net_fetcher_;
+  scoped_refptr<CertNetFetcherURLRequest> cert_net_fetcher_;
   std::unique_ptr<CertVerifier> cert_verifier_;
   TestURLRequestContext context_;
   std::unique_ptr<ScopedTestEVPolicy> ev_test_policy_;
@@ -9813,6 +9730,16 @@ static bool SystemSupportsOCSPStapling() {
 #endif
 }
 
+static bool SystemSupportsCRLSets() {
+  if (UsingBuiltinCertVerifier())
+    return true;
+#if defined(OS_ANDROID)
+  return false;
+#else
+  return true;
+#endif
+}
+
 TEST_F(HTTPSOCSPTest, Valid) {
   if (!SystemSupportsOCSP()) {
     LOG(WARNING) << "Skipping test because system doesn't support OCSP";
@@ -10638,10 +10565,10 @@ TEST_F(HTTPSCRLSetTest, ExpiredCRLSetAndRevoked) {
 }
 
 TEST_F(HTTPSCRLSetTest, CRLSetRevoked) {
-#if defined(OS_ANDROID)
-  LOG(WARNING) << "Skipping test because system doesn't support CRLSets";
-  return;
-#endif
+  if (!SystemSupportsCRLSets()) {
+    LOG(WARNING) << "Skipping test because system doesn't support CRLSets";
+    return;
+  }
 
   SpawnedTestServer::SSLOptions ssl_options(
       SpawnedTestServer::SSLOptions::CERT_AUTO);
@@ -10664,10 +10591,10 @@ TEST_F(HTTPSCRLSetTest, CRLSetRevoked) {
 }
 
 TEST_F(HTTPSCRLSetTest, CRLSetRevokedBySubject) {
-#if defined(OS_ANDROID)
-  LOG(WARNING) << "Skipping test because system doesn't support CRLSets";
-  return;
-#endif
+  if (!SystemSupportsCRLSets()) {
+    LOG(WARNING) << "Skipping test because system doesn't support CRLSets";
+    return;
+  }
 
   SpawnedTestServer::SSLOptions ssl_options(
       SpawnedTestServer::SSLOptions::CERT_AUTO);
@@ -10714,6 +10641,218 @@ TEST_F(HTTPSCRLSetTest, CRLSetRevokedBySubject) {
     EXPECT_EQ(0u, cert_status & CERT_STATUS_ALL_ERRORS);
   }
 }
+
+using HTTPSLocalCRLSetTest = TestWithTaskEnvironment;
+
+// Use a real CertVerifier to attempt to connect to the TestServer, and ensure
+// that when a CRLSet is provided that marks a given SPKI (the TestServer's
+// root SPKI) as known for interception, that it's adequately flagged.
+TEST_F(HTTPSLocalCRLSetTest, KnownInterceptionBlocked) {
+  // Configure the initial context.
+  std::unique_ptr<CertVerifier> cert_verifier =
+      CertVerifier::CreateDefault(/*cert_net_fetcher=*/nullptr);
+
+  TestURLRequestContext context(/*delay_initialization=*/true);
+  context.set_cert_verifier(cert_verifier.get());
+  context.Init();
+
+  // Verify the connection succeeds without being flagged.
+  EmbeddedTestServer https_server(EmbeddedTestServer::TYPE_HTTPS);
+  https_server.AddDefaultHandlers(
+      base::FilePath(FILE_PATH_LITERAL("net/data/ssl")));
+  https_server.SetSSLConfig(EmbeddedTestServer::CERT_OK_BY_INTERMEDIATE);
+  ASSERT_TRUE(https_server.Start());
+
+  {
+    TestDelegate d;
+    std::unique_ptr<URLRequest> req(
+        context.CreateRequest(https_server.GetURL("/"), DEFAULT_PRIORITY, &d,
+                              TRAFFIC_ANNOTATION_FOR_TESTS));
+    req->Start();
+    d.RunUntilComplete();
+
+    EXPECT_EQ(1, d.response_started_count());
+    EXPECT_FALSE(d.request_failed());
+    EXPECT_FALSE(d.have_certificate_errors());
+    EXPECT_FALSE(req->ssl_info().cert_status &
+                 CERT_STATUS_KNOWN_INTERCEPTION_BLOCKED);
+  }
+
+  // Configure a CRL that will mark |root_ca_cert| as a blocked interception
+  // root.
+  std::string crl_set_bytes;
+  scoped_refptr<CRLSet> crl_set;
+  ASSERT_TRUE(
+      base::ReadFileToString(GetTestCertsDirectory().AppendASCII(
+                                 "crlset_blocked_interception_by_root.raw"),
+                             &crl_set_bytes));
+  ASSERT_TRUE(CRLSet::Parse(crl_set_bytes, &crl_set));
+
+  CertVerifier::Config config_with_crlset;
+  config_with_crlset.crl_set = crl_set;
+  context.cert_verifier()->SetConfig(config_with_crlset);
+
+  // Verify the connection fails as being a known interception root.
+  {
+    TestDelegate d;
+    d.set_allow_certificate_errors(true);
+    std::unique_ptr<URLRequest> req(
+        context.CreateRequest(https_server.GetURL("/"), DEFAULT_PRIORITY, &d,
+                              TRAFFIC_ANNOTATION_FOR_TESTS));
+    req->Start();
+    d.RunUntilComplete();
+
+    EXPECT_EQ(1, d.response_started_count());
+    EXPECT_FALSE(d.request_failed());
+    if (SystemSupportsCRLSets()) {
+      EXPECT_TRUE(d.have_certificate_errors());
+      EXPECT_FALSE(d.certificate_errors_are_fatal());
+      EXPECT_EQ(ERR_CERT_KNOWN_INTERCEPTION_BLOCKED, d.certificate_net_error());
+      EXPECT_TRUE(req->ssl_info().cert_status &
+                  CERT_STATUS_KNOWN_INTERCEPTION_BLOCKED);
+    } else {
+      EXPECT_FALSE(d.have_certificate_errors());
+      EXPECT_TRUE(req->ssl_info().cert_status &
+                  CERT_STATUS_KNOWN_INTERCEPTION_DETECTED);
+    }
+  }
+}
+
+TEST_F(HTTPSLocalCRLSetTest, InterceptionBlockedAllowOverrideOnHSTS) {
+  constexpr char kHSTSHost[] = "include-subdomains-hsts-preloaded.test";
+  constexpr char kHSTSSubdomainWithKnownInterception[] =
+      "www.include-subdomains-hsts-preloaded.test";
+
+  EmbeddedTestServer https_server(net::EmbeddedTestServer::TYPE_HTTPS);
+  https_server.SetSSLConfig(net::EmbeddedTestServer::CERT_OK_BY_INTERMEDIATE);
+  https_server.ServeFilesFromSourceDirectory(base::FilePath(kTestFilePath));
+  ASSERT_TRUE(https_server.Start());
+
+  // Enable preloaded HSTS for |kHSTSHost|.
+  TransportSecurityState security_state;
+  security_state.EnableStaticPinsForTesting();
+  SetTransportSecurityStateSourceForTesting(&test_default::kHSTSSource);
+
+  // Configure the CertVerifier to simulate:
+  //   - For the test server host, that the certificate is issued by an
+  //     unknown authority; this SHOULD NOT be a fatal error when signaled
+  //     to the delegate.
+  //   - For |kHSTSHost|, that the certificate is issued by an unknown
+  //     authority; this SHOULD be a fatal error.
+  // Combined, these two states represent the baseline: non-fatal for non-HSTS
+  // hosts, fatal for HSTS host.
+  //   - For |kHSTSSubdomainWithKnownInterception|, that the certificate is
+  //     issued by a known interception cert. This SHOULD be an error, but
+  //     SHOULD NOT be a fatal error
+  MockCertVerifier cert_verifier;
+
+  scoped_refptr<X509Certificate> cert = https_server.GetCertificate();
+  ASSERT_TRUE(cert);
+
+  HashValue filler_hash;
+  ASSERT_TRUE(filler_hash.FromString(
+      "sha256/3333333333333333333333333333333333333333333="));
+
+  CertVerifyResult fake_result;
+  fake_result.verified_cert = cert;
+  fake_result.is_issued_by_known_root = false;
+
+  // Configure for the test server's default host.
+  CertVerifyResult test_result = fake_result;
+  test_result.public_key_hashes.push_back(filler_hash);
+  test_result.cert_status |= CERT_STATUS_AUTHORITY_INVALID;
+  cert_verifier.AddResultForCertAndHost(
+      cert.get(), https_server.host_port_pair().host(), test_result,
+      ERR_CERT_AUTHORITY_INVALID);
+
+  // Configure for kHSTSHost.
+  CertVerifyResult sts_base_result = fake_result;
+  sts_base_result.public_key_hashes.push_back(filler_hash);
+  sts_base_result.cert_status |= CERT_STATUS_AUTHORITY_INVALID;
+  cert_verifier.AddResultForCertAndHost(cert.get(), kHSTSHost, sts_base_result,
+                                        ERR_CERT_AUTHORITY_INVALID);
+
+  // Configure for kHSTSSubdomainWithKnownInterception
+  CertVerifyResult sts_sub_result = fake_result;
+  // Compute the root cert's hash on the fly, to avoid hardcoding it within
+  // tests.
+  scoped_refptr<X509Certificate> root_cert =
+      ImportCertFromFile(GetTestCertsDirectory(), "root_ca_cert.pem");
+  ASSERT_TRUE(root_cert);
+  base::StringPiece root_spki;
+  ASSERT_TRUE(asn1::ExtractSPKIFromDERCert(
+      x509_util::CryptoBufferAsStringPiece(root_cert->cert_buffer()),
+      &root_spki));
+  SHA256HashValue root_hash;
+  crypto::SHA256HashString(root_spki, &root_hash, sizeof(root_hash));
+  sts_sub_result.public_key_hashes.push_back(HashValue(root_hash));
+  sts_sub_result.cert_status |=
+      CERT_STATUS_REVOKED | CERT_STATUS_KNOWN_INTERCEPTION_BLOCKED;
+  cert_verifier.AddResultForCertAndHost(
+      cert.get(), kHSTSSubdomainWithKnownInterception, sts_sub_result,
+      ERR_CERT_KNOWN_INTERCEPTION_BLOCKED);
+
+  // Configure the initial context.
+  TestURLRequestContext context(true);
+  context.set_transport_security_state(&security_state);
+  context.set_cert_verifier(&cert_verifier);
+  context.Init();
+
+  // Connect to the test server and see the certificate error flagged, but
+  // not fatal.
+  {
+    TestDelegate d;
+    std::unique_ptr<URLRequest> req(
+        context.CreateRequest(https_server.GetURL("/"), DEFAULT_PRIORITY, &d,
+                              TRAFFIC_ANNOTATION_FOR_TESTS));
+    req->Start();
+    d.RunUntilComplete();
+
+    EXPECT_EQ(1, d.response_started_count());
+    EXPECT_TRUE(d.request_failed());
+    EXPECT_TRUE(d.have_certificate_errors());
+    EXPECT_FALSE(d.certificate_errors_are_fatal());
+    EXPECT_FALSE(req->ssl_info().cert_status &
+                 CERT_STATUS_KNOWN_INTERCEPTION_BLOCKED);
+  }
+
+  // Connect to kHSTSHost and see the certificate errors are flagged, and are
+  // fatal.
+  {
+    TestDelegate d;
+    std::unique_ptr<URLRequest> req(context.CreateRequest(
+        https_server.GetURL(kHSTSHost, "/"), DEFAULT_PRIORITY, &d,
+        TRAFFIC_ANNOTATION_FOR_TESTS));
+    req->Start();
+    d.RunUntilComplete();
+
+    EXPECT_EQ(1, d.response_started_count());
+    EXPECT_TRUE(d.request_failed());
+    EXPECT_TRUE(d.have_certificate_errors());
+    EXPECT_TRUE(d.certificate_errors_are_fatal());
+    EXPECT_FALSE(req->ssl_info().cert_status &
+                 CERT_STATUS_KNOWN_INTERCEPTION_BLOCKED);
+  }
+
+  // Verify the connection fails as being a known interception root.
+  {
+    TestDelegate d;
+    d.set_allow_certificate_errors(true);
+    std::unique_ptr<URLRequest> req(context.CreateRequest(
+        https_server.GetURL(kHSTSSubdomainWithKnownInterception, "/"),
+        DEFAULT_PRIORITY, &d, TRAFFIC_ANNOTATION_FOR_TESTS));
+    req->Start();
+    d.RunUntilComplete();
+
+    EXPECT_EQ(1, d.response_started_count());
+    EXPECT_FALSE(d.request_failed());
+    EXPECT_TRUE(d.have_certificate_errors());
+    EXPECT_FALSE(d.certificate_errors_are_fatal());
+    EXPECT_EQ(ERR_CERT_KNOWN_INTERCEPTION_BLOCKED, d.certificate_net_error());
+    EXPECT_TRUE(req->ssl_info().cert_status &
+                CERT_STATUS_KNOWN_INTERCEPTION_BLOCKED);
+  }
+}
 #endif  // !defined(OS_IOS)
 
 #if !BUILDFLAG(DISABLE_FTP_SUPPORT) && !defined(OS_ANDROID) && \
@@ -11114,20 +11253,6 @@ TEST_F(URLRequestTestFTPOverHttpProxy, Fails) {
 
 #endif  // !BUILDFLAG(DISABLE_FTP_SUPPORT)
 
-TEST_F(URLRequestTest, NetworkAccessedClearOnDataRequest) {
-  TestDelegate d;
-  std::unique_ptr<URLRequest> req(default_context().CreateRequest(
-      GURL("data:,"), DEFAULT_PRIORITY, &d, TRAFFIC_ANNOTATION_FOR_TESTS));
-
-  EXPECT_FALSE(req->response_info().network_accessed);
-
-  req->Start();
-  d.RunUntilComplete();
-
-  EXPECT_EQ(1, default_network_delegate_.completed_requests());
-  EXPECT_FALSE(req->response_info().network_accessed);
-}
-
 TEST_F(URLRequestTest, NetworkAccessedSetOnHostResolutionFailure) {
   MockHostResolver host_resolver;
   TestNetworkDelegate network_delegate;  // Must outlive URLRequest.
@@ -11191,6 +11316,7 @@ TEST_F(URLRequestTestHTTP, HeadersCallbacks) {
         [](scoped_refptr<const HttpResponseHeaders>* left,
            scoped_refptr<const HttpResponseHeaders> right) { *left = right; },
         base::Unretained(&raw_resp_headers)));
+    r->set_network_isolation_key(network_isolation_key1_);
     r->Start();
     while (!delegate.response_started_count())
       base::RunLoop().RunUntilIdle();
@@ -11216,6 +11342,7 @@ TEST_F(URLRequestTestHTTP, HeadersCallbacks) {
         base::Bind([](scoped_refptr<const HttpResponseHeaders>) {
           FAIL() << "Callback should not be called unless request is sent";
         }));
+    r->set_network_isolation_key(network_isolation_key1_);
     r->Start();
     delegate.RunUntilComplete();
     EXPECT_TRUE(r->was_cached());
@@ -11323,6 +11450,7 @@ TEST_F(URLRequestTestHTTP, HeadersCallbacksAuthRetry) {
   r->SetExtraRequestHeaders(extra_headers);
   r->SetRequestHeadersCallback(req_headers_callback);
   r->SetResponseHeadersCallback(resp_headers_callback);
+  r->set_network_isolation_key(network_isolation_key1_);
   r->Start();
   delegate.RunUntilComplete();
   EXPECT_FALSE(r->is_pending());
@@ -11346,6 +11474,7 @@ TEST_F(URLRequestTestHTTP, HeadersCallbacksAuthRetry) {
   r2->SetRequestHeadersCallback(req_headers_callback);
   r2->SetResponseHeadersCallback(resp_headers_callback);
   r2->SetLoadFlags(LOAD_VALIDATE_CACHE);
+  r2->set_network_isolation_key(network_isolation_key1_);
   r2->Start();
   delegate.RunUntilComplete();
   EXPECT_FALSE(r2->is_pending());
@@ -11357,23 +11486,6 @@ TEST_F(URLRequestTestHTTP, HeadersCallbacksAuthRetry) {
   EXPECT_EQ("Not Modified", raw_resp_headers[2]->GetStatusText());
 }
 
-TEST_F(URLRequestTest, HeadersCallbacksNonHTTP) {
-  GURL data_url("data:text/html,<html><body>Hello!</body></html>");
-  TestDelegate d;
-  std::unique_ptr<URLRequest> r(default_context().CreateRequest(
-      data_url, DEFAULT_PRIORITY, &d, TRAFFIC_ANNOTATION_FOR_TESTS));
-  r->SetRequestHeadersCallback(base::Bind([](net::HttpRawRequestHeaders) {
-    FAIL() << "Callback should not be called for non-HTTP schemes";
-  }));
-  r->SetResponseHeadersCallback(
-      base::Bind([](scoped_refptr<const net::HttpResponseHeaders>) {
-        FAIL() << "Callback should not be called for non-HTTP schemes";
-      }));
-  r->Start();
-  d.RunUntilComplete();
-  EXPECT_FALSE(r->is_pending());
-}
-
 TEST_F(URLRequestTest, UpgradeIfInsecureFlagSet) {
   TestDelegate d;
   BlockingNetworkDelegate network_delegate(
@@ -11522,7 +11634,7 @@ class ZeroRTTResponse : public test_server::BasicHttpResponse {
   ~ZeroRTTResponse() override {}
 
   void SendResponse(const test_server::SendBytesCallback& send,
-                    const test_server::SendCompleteCallback& done) override {
+                    test_server::SendCompleteCallback done) override {
     AddCustomHeader("Vary", "Early-Data");
     set_content_type("text/plain");
     AddCustomHeader("Cache-Control", "no-cache");
@@ -11602,8 +11714,15 @@ class HTTPSEarlyDataTest : public TestWithTaskEnvironment {
   EmbeddedTestServer test_server_;
 };
 
+// Flaky on iOS, crbug.com/1021021
+#if defined(OS_IOS)
+#define MAYBE_TLSEarlyDataTest DISABLED_TLSEarlyDataTest
+#else
+#define MAYBE_TLSEarlyDataTest TLSEarlyDataTest
+#endif
+
 // TLSEarlyDataTest tests that we handle early data correctly.
-TEST_F(HTTPSEarlyDataTest, TLSEarlyDataTest) {
+TEST_F(HTTPSEarlyDataTest, MAYBE_TLSEarlyDataTest) {
   ASSERT_TRUE(test_server_.Start());
   context_.http_transaction_factory()->GetSession()->ClearSSLSessionCache();
 
@@ -11724,8 +11843,15 @@ std::unique_ptr<test_server::HttpResponse> HandleTooEarly(
   return std::make_unique<ZeroRTTResponse>(zero_rtt, true);
 }
 
+// Flaky on iOS, crbug.com/1021021
+#if defined(OS_IOS)
+#define MAYBE_TLSEarlyDataTooEarlyTest DISABLED_TLSEarlyDataTooEarlyTest
+#else
+#define MAYBE_TLSEarlyDataTooEarlyTest TLSEarlyDataTooEarlyTest
+#endif
+
 // Test that we handle 425 (Too Early) correctly.
-TEST_F(HTTPSEarlyDataTest, TLSEarlyDataTooEarlyTest) {
+TEST_F(HTTPSEarlyDataTest, MAYBE_TLSEarlyDataTooEarlyTest) {
   bool sent_425 = false;
   test_server_.RegisterRequestHandler(
       base::BindRepeating(&HandleTooEarly, base::Unretained(&sent_425)));
diff --git a/chromium/net/websockets/websocket_basic_stream_adapters.cc b/chromium/net/websockets/websocket_basic_stream_adapters.cc
index 789804f0eb7..5513a5d75a0 100644
--- a/chromium/net/websockets/websocket_basic_stream_adapters.cc
+++ b/chromium/net/websockets/websocket_basic_stream_adapters.cc
@@ -182,6 +182,10 @@ void WebSocketSpdyStreamAdapter::OnClose(int status) {
   }
 }
 
+bool WebSocketSpdyStreamAdapter::CanGreaseFrameType() const {
+  return false;
+}
+
 NetLogSource WebSocketSpdyStreamAdapter::source_dependency() const {
   return net_log_.source();
 }
diff --git a/chromium/net/websockets/websocket_basic_stream_adapters.h b/chromium/net/websockets/websocket_basic_stream_adapters.h
index 6c2ee1f3b1f..0e4fed1d67c 100644
--- a/chromium/net/websockets/websocket_basic_stream_adapters.h
+++ b/chromium/net/websockets/websocket_basic_stream_adapters.h
@@ -101,6 +101,7 @@ class NET_EXPORT_PRIVATE WebSocketSpdyStreamAdapter
   void OnDataSent() override;
   void OnTrailers(const spdy::SpdyHeaderBlock& trailers) override;
   void OnClose(int status) override;
+  bool CanGreaseFrameType() const override;
   NetLogSource source_dependency() const override;
 
  private:
diff --git a/chromium/net/websockets/websocket_channel.cc b/chromium/net/websockets/websocket_channel.cc
index a9be7da5110..110ca0df9ee 100644
--- a/chromium/net/websockets/websocket_channel.cc
+++ b/chromium/net/websockets/websocket_channel.cc
@@ -265,10 +265,12 @@ void WebSocketChannel::SendAddChannelRequest(
     const std::vector<std::string>& requested_subprotocols,
     const url::Origin& origin,
     const GURL& site_for_cookies,
+    const net::NetworkIsolationKey& network_isolation_key,
     const HttpRequestHeaders& additional_headers) {
   SendAddChannelRequestWithSuppliedCallback(
       socket_url, requested_subprotocols, origin, site_for_cookies,
-      additional_headers, base::Bind(&WebSocketStream::CreateAndConnectStream));
+      network_isolation_key, additional_headers,
+      base::Bind(&WebSocketStream::CreateAndConnectStream));
 }
 
 void WebSocketChannel::SetState(State new_state) {
@@ -407,11 +409,12 @@ void WebSocketChannel::SendAddChannelRequestForTesting(
     const std::vector<std::string>& requested_subprotocols,
     const url::Origin& origin,
     const GURL& site_for_cookies,
+    const net::NetworkIsolationKey& network_isolation_key,
     const HttpRequestHeaders& additional_headers,
     const WebSocketStreamRequestCreationCallback& callback) {
-  SendAddChannelRequestWithSuppliedCallback(socket_url, requested_subprotocols,
-                                            origin, site_for_cookies,
-                                            additional_headers, callback);
+  SendAddChannelRequestWithSuppliedCallback(
+      socket_url, requested_subprotocols, origin, site_for_cookies,
+      network_isolation_key, additional_headers, callback);
 }
 
 void WebSocketChannel::SetClosingHandshakeTimeoutForTesting(
@@ -429,6 +432,7 @@ void WebSocketChannel::SendAddChannelRequestWithSuppliedCallback(
     const std::vector<std::string>& requested_subprotocols,
     const url::Origin& origin,
     const GURL& site_for_cookies,
+    const net::NetworkIsolationKey& network_isolation_key,
     const HttpRequestHeaders& additional_headers,
     const WebSocketStreamRequestCreationCallback& callback) {
   DCHECK_EQ(FRESHLY_CONSTRUCTED, state_);
@@ -441,10 +445,10 @@ void WebSocketChannel::SendAddChannelRequestWithSuppliedCallback(
   }
   socket_url_ = socket_url;
   auto connect_delegate = std::make_unique<ConnectDelegate>(this);
-  stream_request_ =
-      callback.Run(socket_url_, requested_subprotocols, origin,
-                   site_for_cookies, additional_headers, url_request_context_,
-                   NetLogWithSource(), std::move(connect_delegate));
+  stream_request_ = callback.Run(
+      socket_url_, requested_subprotocols, origin, site_for_cookies,
+      network_isolation_key, additional_headers, url_request_context_,
+      NetLogWithSource(), std::move(connect_delegate));
   SetState(CONNECTING);
 }
 
@@ -461,18 +465,16 @@ void WebSocketChannel::OnConnectSuccess(
 
   SetState(CONNECTED);
 
-  event_interface_->OnAddChannelResponse(stream_->GetSubProtocol(),
-                                         stream_->GetExtensions());
+  // |stream_request_| is not used once the connection has succeeded.
+  stream_request_.reset();
 
   // TODO(ricea): Get flow control information from the WebSocketStream once we
   // have a multiplexing WebSocketStream.
   current_send_quota_ = send_quota_high_water_mark_;
-  event_interface_->OnSendFlowControlQuotaAdded(send_quota_high_water_mark_);
-
-  // |stream_request_| is not used once the connection has succeeded.
-  stream_request_.reset();
-
-  // |this| may have been deleted.
+  event_interface_->OnAddChannelResponse(stream_->GetSubProtocol(),
+                                         stream_->GetExtensions(),
+                                         send_quota_high_water_mark_);
+  // |this| may have been deleted after OnAddChannelResponse.
 }
 
 void WebSocketChannel::OnConnectFailure(const std::string& message) {
diff --git a/chromium/net/websockets/websocket_channel.h b/chromium/net/websockets/websocket_channel.h
index b62c50a993d..e8105b45ea5 100644
--- a/chromium/net/websockets/websocket_channel.h
+++ b/chromium/net/websockets/websocket_channel.h
@@ -55,6 +55,7 @@ class NET_EXPORT WebSocketChannel {
       const std::vector<std::string>&,
       const url::Origin&,
       const GURL&,
+      const net::NetworkIsolationKey&,
       const HttpRequestHeaders&,
       URLRequestContext*,
       const NetLogWithSource&,
@@ -79,6 +80,7 @@ class NET_EXPORT WebSocketChannel {
       const std::vector<std::string>& requested_protocols,
       const url::Origin& origin,
       const GURL& site_for_cookies,
+      const net::NetworkIsolationKey& network_isolation_key,
       const HttpRequestHeaders& additional_headers);
 
   // Sends a data frame to the remote side. It is the responsibility of the
@@ -127,6 +129,7 @@ class NET_EXPORT WebSocketChannel {
       const std::vector<std::string>& requested_protocols,
       const url::Origin& origin,
       const GURL& site_for_cookies,
+      const net::NetworkIsolationKey& network_isolation_key,
       const HttpRequestHeaders& additional_headers,
       const WebSocketStreamRequestCreationCallback& callback);
 
@@ -193,6 +196,7 @@ class NET_EXPORT WebSocketChannel {
       const std::vector<std::string>& requested_protocols,
       const url::Origin& origin,
       const GURL& site_for_cookies,
+      const net::NetworkIsolationKey& network_isolation_key,
       const HttpRequestHeaders& additional_headers,
       const WebSocketStreamRequestCreationCallback& callback);
 
diff --git a/chromium/net/websockets/websocket_channel_test.cc b/chromium/net/websockets/websocket_channel_test.cc
index e3d00767fc7..97f55244e86 100644
--- a/chromium/net/websockets/websocket_channel_test.cc
+++ b/chromium/net/websockets/websocket_channel_test.cc
@@ -167,9 +167,10 @@ class MockWebSocketEventInterface : public WebSocketEventInterface {
   }
 
   MOCK_METHOD1(OnCreateURLRequest, void(URLRequest*));
-  MOCK_METHOD2(OnAddChannelResponse,
+  MOCK_METHOD3(OnAddChannelResponse,
                void(const std::string&,
-                    const std::string&));  // NOLINT
+                    const std::string&,
+                    int64_t));  // NOLINT
   MOCK_METHOD3(OnDataFrameVector,
                void(bool,
                     WebSocketMessageType,
@@ -226,7 +227,8 @@ class MockWebSocketEventInterface : public WebSocketEventInterface {
 class FakeWebSocketEventInterface : public WebSocketEventInterface {
   void OnCreateURLRequest(URLRequest* request) override {}
   void OnAddChannelResponse(const std::string& selected_protocol,
-                            const std::string& extensions) override {}
+                            const std::string& extensions,
+                            int64_t send_flow_control_quota) override {}
   void OnDataFrame(bool fin,
                    WebSocketMessageType type,
                    base::span<const char> data_span) override {}
@@ -756,6 +758,7 @@ struct WebSocketStreamCreationCallbackArgumentSaver {
       const std::vector<std::string>& requested_subprotocols,
       const url::Origin& origin,
       const GURL& site_for_cookies,
+      const net::NetworkIsolationKey& network_isolation_key,
       const HttpRequestHeaders& additional_headers,
       URLRequestContext* url_request_context,
       const NetLogWithSource& net_log,
@@ -763,6 +766,7 @@ struct WebSocketStreamCreationCallbackArgumentSaver {
     this->socket_url = socket_url;
     this->origin = origin;
     this->site_for_cookies = site_for_cookies;
+    this->network_isolation_key = network_isolation_key;
     this->url_request_context = url_request_context;
     this->connect_delegate = std::move(connect_delegate);
     return std::make_unique<MockWebSocketStreamRequest>();
@@ -771,6 +775,7 @@ struct WebSocketStreamCreationCallbackArgumentSaver {
   GURL socket_url;
   url::Origin origin;
   GURL site_for_cookies;
+  net::NetworkIsolationKey network_isolation_key;
   URLRequestContext* url_request_context;
   std::unique_ptr<WebSocketStream::ConnectDelegate> connect_delegate;
 };
@@ -808,7 +813,7 @@ class WebSocketChannelTest : public TestWithTaskEnvironment {
     channel_->SendAddChannelRequestForTesting(
         connect_data_.socket_url, connect_data_.requested_subprotocols,
         connect_data_.origin, connect_data_.site_for_cookies,
-        HttpRequestHeaders(),
+        connect_data_.network_isolation_key, HttpRequestHeaders(),
         base::Bind(&WebSocketStreamCreationCallbackArgumentSaver::Create,
                    base::Unretained(&connect_data_.argument_saver)));
   }
@@ -843,7 +848,11 @@ class WebSocketChannelTest : public TestWithTaskEnvironment {
     ConnectData()
         : socket_url("ws://ws/"),
           origin(url::Origin::Create(GURL("http://ws"))),
-          site_for_cookies("http://ws/") {}
+          site_for_cookies("http://ws/") {
+      url::Origin top_frame_origin = url::Origin::Create(GURL("http://ws-1"));
+      this->network_isolation_key =
+          net::NetworkIsolationKey(top_frame_origin, origin);
+    }
 
     // URLRequestContext object.
     URLRequestContext url_request_context;
@@ -856,6 +865,8 @@ class WebSocketChannelTest : public TestWithTaskEnvironment {
     url::Origin origin;
     // First party for cookies for the request.
     GURL site_for_cookies;
+    // NetworkIsolationKey created from the origin of the top level frame.
+    net::NetworkIsolationKey network_isolation_key;
 
     WebSocketStreamCreationCallbackArgumentSaver argument_saver;
   };
@@ -922,9 +933,7 @@ class WebSocketChannelStreamTest : public WebSocketChannelEventInterfaceTest {
     // whether these methods are called or not.
     EXPECT_CALL(*mock_stream_, GetSubProtocol()).Times(AnyNumber());
     EXPECT_CALL(*mock_stream_, GetExtensions()).Times(AnyNumber());
-    EXPECT_CALL(*event_interface_, OnAddChannelResponse(_, _))
-        .Times(AnyNumber());
-    EXPECT_CALL(*event_interface_, OnSendFlowControlQuotaAdded(_))
+    EXPECT_CALL(*event_interface_, OnAddChannelResponse(_, _, _))
         .Times(AnyNumber());
     EXPECT_CALL(*event_interface_, OnDataFrameVector(_, _, _))
         .Times(AnyNumber());
@@ -955,9 +964,7 @@ class WebSocketChannelSendUtf8Test
     set_stream(std::make_unique<WriteableFakeWebSocketStream>());
     // For the purpose of the tests using this fixture, it doesn't matter
     // whether these methods are called or not.
-    EXPECT_CALL(*event_interface_, OnAddChannelResponse(_, _))
-        .Times(AnyNumber());
-    EXPECT_CALL(*event_interface_, OnSendFlowControlQuotaAdded(_))
+    EXPECT_CALL(*event_interface_, OnAddChannelResponse(_, _, _))
         .Times(AnyNumber());
   }
 };
@@ -979,6 +986,10 @@ TEST_F(WebSocketChannelTest, EverythingIsPassedToTheCreatorFunction) {
   connect_data_.socket_url = GURL("ws://example.com/test");
   connect_data_.origin = url::Origin::Create(GURL("http://example.com"));
   connect_data_.site_for_cookies = GURL("http://example.com/");
+  url::Origin top_frame_origin =
+      url::Origin::Create(GURL("http://example-1.com"));
+  connect_data_.network_isolation_key =
+      net::NetworkIsolationKey(top_frame_origin, connect_data_.origin);
   connect_data_.requested_subprotocols.push_back("Sinbad");
 
   CreateChannelAndConnect();
@@ -991,14 +1002,12 @@ TEST_F(WebSocketChannelTest, EverythingIsPassedToTheCreatorFunction) {
   EXPECT_EQ(connect_data_.socket_url, actual.socket_url);
   EXPECT_EQ(connect_data_.origin.Serialize(), actual.origin.Serialize());
   EXPECT_EQ(connect_data_.site_for_cookies, actual.site_for_cookies);
+  EXPECT_EQ(connect_data_.network_isolation_key, actual.network_isolation_key);
 }
 
 TEST_F(WebSocketChannelEventInterfaceTest, ConnectSuccessReported) {
   // false means success.
-  EXPECT_CALL(*event_interface_, OnAddChannelResponse("", ""));
-  // OnSendFlowControlQuotaAdded is always called immediately after connect to
-  // provide initial quota to the renderer.
-  EXPECT_CALL(*event_interface_, OnSendFlowControlQuotaAdded(_));
+  EXPECT_CALL(*event_interface_, OnAddChannelResponse("", "", _));
 
   CreateChannelAndConnect();
 
@@ -1021,8 +1030,7 @@ TEST_F(WebSocketChannelEventInterfaceTest, NonWebSocketSchemeRejected) {
 }
 
 TEST_F(WebSocketChannelEventInterfaceTest, ProtocolPassed) {
-  EXPECT_CALL(*event_interface_, OnAddChannelResponse("Bob", ""));
-  EXPECT_CALL(*event_interface_, OnSendFlowControlQuotaAdded(_));
+  EXPECT_CALL(*event_interface_, OnAddChannelResponse("Bob", "", _));
 
   CreateChannelAndConnect();
 
@@ -1033,8 +1041,7 @@ TEST_F(WebSocketChannelEventInterfaceTest, ProtocolPassed) {
 
 TEST_F(WebSocketChannelEventInterfaceTest, ExtensionsPassed) {
   EXPECT_CALL(*event_interface_,
-              OnAddChannelResponse("", "extension1, extension2"));
-  EXPECT_CALL(*event_interface_, OnSendFlowControlQuotaAdded(_));
+              OnAddChannelResponse("", "extension1, extension2", _));
 
   CreateChannelAndConnect();
 
@@ -1054,8 +1061,7 @@ TEST_F(WebSocketChannelEventInterfaceTest, DataLeftFromHandshake) {
   set_stream(std::move(stream));
   {
     InSequence s;
-    EXPECT_CALL(*event_interface_, OnAddChannelResponse(_, _));
-    EXPECT_CALL(*event_interface_, OnSendFlowControlQuotaAdded(_));
+    EXPECT_CALL(*event_interface_, OnAddChannelResponse(_, _, _));
     EXPECT_CALL(*event_interface_,
                 OnDataFrameVector(true, WebSocketFrameHeader::kOpCodeText,
                                   AsVector("HELLO")));
@@ -1077,8 +1083,7 @@ TEST_F(WebSocketChannelEventInterfaceTest, CloseAfterHandshake) {
   set_stream(std::move(stream));
   {
     InSequence s;
-    EXPECT_CALL(*event_interface_, OnAddChannelResponse(_, _));
-    EXPECT_CALL(*event_interface_, OnSendFlowControlQuotaAdded(_));
+    EXPECT_CALL(*event_interface_, OnAddChannelResponse(_, _, _));
     EXPECT_CALL(*event_interface_, OnClosingHandshake());
     EXPECT_CALL(
         *event_interface_,
@@ -1102,8 +1107,7 @@ TEST_F(WebSocketChannelEventInterfaceTest, ShouldCloseWhileNoDataFrames) {
   Checkpoint checkpoint;
   {
     InSequence s;
-    EXPECT_CALL(*event_interface_, OnAddChannelResponse(_, _));
-    EXPECT_CALL(*event_interface_, OnSendFlowControlQuotaAdded(_));
+    EXPECT_CALL(*event_interface_, OnAddChannelResponse(_, _, _));
     EXPECT_CALL(*event_interface_, HasPendingDataFrames())
         .WillOnce(Return(false))
         .WillOnce(Return(true))
@@ -1133,8 +1137,7 @@ TEST_F(WebSocketChannelEventInterfaceTest, ConnectionCloseAfterHandshake) {
   set_stream(std::move(stream));
   {
     InSequence s;
-    EXPECT_CALL(*event_interface_, OnAddChannelResponse(_, _));
-    EXPECT_CALL(*event_interface_, OnSendFlowControlQuotaAdded(_));
+    EXPECT_CALL(*event_interface_, OnAddChannelResponse(_, _, _));
     EXPECT_CALL(*event_interface_,
                 OnDropChannel(false, kWebSocketErrorAbnormalClosure, _));
   }
@@ -1153,8 +1156,7 @@ TEST_F(WebSocketChannelEventInterfaceTest, NormalAsyncRead) {
   set_stream(std::move(stream));
   {
     InSequence s;
-    EXPECT_CALL(*event_interface_, OnAddChannelResponse(_, _));
-    EXPECT_CALL(*event_interface_, OnSendFlowControlQuotaAdded(_));
+    EXPECT_CALL(*event_interface_, OnAddChannelResponse(_, _, _));
     EXPECT_CALL(checkpoint, Call(1));
     EXPECT_CALL(*event_interface_,
                 OnDataFrameVector(true, WebSocketFrameHeader::kOpCodeText,
@@ -1181,8 +1183,7 @@ TEST_F(WebSocketChannelEventInterfaceTest, AsyncThenSyncRead) {
   set_stream(std::move(stream));
   {
     InSequence s;
-    EXPECT_CALL(*event_interface_, OnAddChannelResponse(_, _));
-    EXPECT_CALL(*event_interface_, OnSendFlowControlQuotaAdded(_));
+    EXPECT_CALL(*event_interface_, OnAddChannelResponse(_, _, _));
     EXPECT_CALL(*event_interface_,
                 OnDataFrameVector(true, WebSocketFrameHeader::kOpCodeText,
                                   AsVector("HELLO")));
@@ -1220,8 +1221,7 @@ TEST_F(WebSocketChannelEventInterfaceTest, FragmentedMessage) {
   set_stream(std::move(stream));
   {
     InSequence s;
-    EXPECT_CALL(*event_interface_, OnAddChannelResponse(_, _));
-    EXPECT_CALL(*event_interface_, OnSendFlowControlQuotaAdded(_));
+    EXPECT_CALL(*event_interface_, OnAddChannelResponse(_, _, _));
     EXPECT_CALL(*event_interface_,
                 OnDataFrameVector(false, WebSocketFrameHeader::kOpCodeText,
                                   AsVector("THREE")));
@@ -1254,8 +1254,7 @@ TEST_F(WebSocketChannelEventInterfaceTest, NullMessage) {
       {FINAL_FRAME, WebSocketFrameHeader::kOpCodeText, NOT_MASKED, nullptr}};
   stream->PrepareReadFrames(ReadableFakeWebSocketStream::SYNC, OK, frames);
   set_stream(std::move(stream));
-  EXPECT_CALL(*event_interface_, OnAddChannelResponse(_, _));
-  EXPECT_CALL(*event_interface_, OnSendFlowControlQuotaAdded(_));
+  EXPECT_CALL(*event_interface_, OnAddChannelResponse(_, _, _));
   EXPECT_CALL(
       *event_interface_,
       OnDataFrameVector(true, WebSocketFrameHeader::kOpCodeText, AsVector("")));
@@ -1270,8 +1269,7 @@ TEST_F(WebSocketChannelEventInterfaceTest, AsyncAbnormalClosure) {
   set_stream(std::move(stream));
   {
     InSequence s;
-    EXPECT_CALL(*event_interface_, OnAddChannelResponse(_, _));
-    EXPECT_CALL(*event_interface_, OnSendFlowControlQuotaAdded(_));
+    EXPECT_CALL(*event_interface_, OnAddChannelResponse(_, _, _));
     EXPECT_CALL(*event_interface_,
                 OnDropChannel(false, kWebSocketErrorAbnormalClosure, _));
   }
@@ -1288,8 +1286,7 @@ TEST_F(WebSocketChannelEventInterfaceTest, ConnectionReset) {
   set_stream(std::move(stream));
   {
     InSequence s;
-    EXPECT_CALL(*event_interface_, OnAddChannelResponse(_, _));
-    EXPECT_CALL(*event_interface_, OnSendFlowControlQuotaAdded(_));
+    EXPECT_CALL(*event_interface_, OnAddChannelResponse(_, _, _));
     EXPECT_CALL(*event_interface_,
                 OnDropChannel(false, kWebSocketErrorAbnormalClosure, _));
   }
@@ -1308,8 +1305,7 @@ TEST_F(WebSocketChannelEventInterfaceTest, MaskedFramesAreRejected) {
   set_stream(std::move(stream));
   {
     InSequence s;
-    EXPECT_CALL(*event_interface_, OnAddChannelResponse(_, _));
-    EXPECT_CALL(*event_interface_, OnSendFlowControlQuotaAdded(_));
+    EXPECT_CALL(*event_interface_, OnAddChannelResponse(_, _, _));
     EXPECT_CALL(
         *event_interface_,
         OnFailChannel(
@@ -1330,8 +1326,7 @@ TEST_F(WebSocketChannelEventInterfaceTest, UnknownOpCodeIsRejected) {
   set_stream(std::move(stream));
   {
     InSequence s;
-    EXPECT_CALL(*event_interface_, OnAddChannelResponse(_, _));
-    EXPECT_CALL(*event_interface_, OnSendFlowControlQuotaAdded(_));
+    EXPECT_CALL(*event_interface_, OnAddChannelResponse(_, _, _));
     EXPECT_CALL(*event_interface_,
                 OnFailChannel("Unrecognized frame opcode: 4"));
   }
@@ -1360,8 +1355,7 @@ TEST_F(WebSocketChannelEventInterfaceTest, ControlFrameInDataMessage) {
   set_stream(std::move(stream));
   {
     InSequence s;
-    EXPECT_CALL(*event_interface_, OnAddChannelResponse(_, _));
-    EXPECT_CALL(*event_interface_, OnSendFlowControlQuotaAdded(_));
+    EXPECT_CALL(*event_interface_, OnAddChannelResponse(_, _, _));
     EXPECT_CALL(*event_interface_,
                 OnDataFrameVector(false, WebSocketFrameHeader::kOpCodeText,
                                   AsVector("SPLIT ")));
@@ -1383,8 +1377,7 @@ TEST_F(WebSocketChannelEventInterfaceTest, PongWithNullData) {
       {FINAL_FRAME, WebSocketFrameHeader::kOpCodePong, NOT_MASKED, nullptr}};
   stream->PrepareReadFrames(ReadableFakeWebSocketStream::ASYNC, OK, frames);
   set_stream(std::move(stream));
-  EXPECT_CALL(*event_interface_, OnAddChannelResponse(_, _));
-  EXPECT_CALL(*event_interface_, OnSendFlowControlQuotaAdded(_));
+  EXPECT_CALL(*event_interface_, OnAddChannelResponse(_, _, _));
 
   CreateChannelAndConnectSuccessfully();
   base::RunLoop().RunUntilIdle();
@@ -1402,8 +1395,7 @@ TEST_F(WebSocketChannelEventInterfaceTest, FrameAfterInvalidFrame) {
   set_stream(std::move(stream));
   {
     InSequence s;
-    EXPECT_CALL(*event_interface_, OnAddChannelResponse(_, _));
-    EXPECT_CALL(*event_interface_, OnSendFlowControlQuotaAdded(_));
+    EXPECT_CALL(*event_interface_, OnAddChannelResponse(_, _, _));
     EXPECT_CALL(
         *event_interface_,
         OnFailChannel(
@@ -1420,8 +1412,7 @@ TEST_F(WebSocketChannelEventInterfaceTest, SmallWriteDoesntUpdateQuota) {
   set_stream(std::make_unique<WriteableFakeWebSocketStream>());
   {
     InSequence s;
-    EXPECT_CALL(*event_interface_, OnAddChannelResponse(_, _));
-    EXPECT_CALL(*event_interface_, OnSendFlowControlQuotaAdded(_));
+    EXPECT_CALL(*event_interface_, OnAddChannelResponse(_, _, _));
   }
 
   CreateChannelAndConnectSuccessfully();
@@ -1438,8 +1429,7 @@ TEST_F(WebSocketChannelEventInterfaceTest, LargeWriteUpdatesQuota) {
   Checkpoint checkpoint;
   {
     InSequence s;
-    EXPECT_CALL(*event_interface_, OnAddChannelResponse(_, _));
-    EXPECT_CALL(*event_interface_, OnSendFlowControlQuotaAdded(_));
+    EXPECT_CALL(*event_interface_, OnAddChannelResponse(_, _, _));
     EXPECT_CALL(checkpoint, Call(1));
     EXPECT_CALL(*event_interface_, OnSendFlowControlQuotaAdded(_));
     EXPECT_CALL(checkpoint, Call(2));
@@ -1459,8 +1449,7 @@ TEST_F(WebSocketChannelEventInterfaceTest, QuotaReallyIsRefreshed) {
   Checkpoint checkpoint;
   {
     InSequence s;
-    EXPECT_CALL(*event_interface_, OnAddChannelResponse(_, _));
-    EXPECT_CALL(*event_interface_, OnSendFlowControlQuotaAdded(_));
+    EXPECT_CALL(*event_interface_, OnAddChannelResponse(_, _, _));
     EXPECT_CALL(checkpoint, Call(1));
     EXPECT_CALL(*event_interface_, OnSendFlowControlQuotaAdded(_));
     EXPECT_CALL(checkpoint, Call(2));
@@ -1489,9 +1478,8 @@ TEST_F(WebSocketChannelEventInterfaceTest, WriteOverQuotaIsRejected) {
   set_stream(std::make_unique<WriteableFakeWebSocketStream>());
   {
     InSequence s;
-    EXPECT_CALL(*event_interface_, OnAddChannelResponse(_, _));
     EXPECT_CALL(*event_interface_,
-                OnSendFlowControlQuotaAdded(kDefaultInitialQuota));
+                OnAddChannelResponse(_, _, kDefaultInitialQuota));
     EXPECT_CALL(*event_interface_, OnFailChannel("Send quota exceeded"));
   }
 
@@ -1507,8 +1495,7 @@ TEST_F(WebSocketChannelEventInterfaceTest, FailedWrite) {
   Checkpoint checkpoint;
   {
     InSequence s;
-    EXPECT_CALL(*event_interface_, OnAddChannelResponse(_, _));
-    EXPECT_CALL(*event_interface_, OnSendFlowControlQuotaAdded(_));
+    EXPECT_CALL(*event_interface_, OnAddChannelResponse(_, _, _));
     EXPECT_CALL(checkpoint, Call(1));
     EXPECT_CALL(*event_interface_,
                 OnDropChannel(false, kWebSocketErrorAbnormalClosure, _));
@@ -1528,8 +1515,7 @@ TEST_F(WebSocketChannelEventInterfaceTest, SendCloseDropsChannel) {
   set_stream(std::make_unique<EchoeyFakeWebSocketStream>());
   {
     InSequence s;
-    EXPECT_CALL(*event_interface_, OnAddChannelResponse(_, _));
-    EXPECT_CALL(*event_interface_, OnSendFlowControlQuotaAdded(_));
+    EXPECT_CALL(*event_interface_, OnAddChannelResponse(_, _, _));
     EXPECT_CALL(*event_interface_,
                 OnDropChannel(true, kWebSocketNormalClosure, "Fred"));
   }
@@ -1556,8 +1542,7 @@ TEST_F(WebSocketChannelEventInterfaceTest, CloseDuringConnection) {
 // connection reset.
 TEST_F(WebSocketChannelEventInterfaceTest, OnDropChannelCalledOnce) {
   set_stream(std::make_unique<ResetOnWriteFakeWebSocketStream>());
-  EXPECT_CALL(*event_interface_, OnAddChannelResponse(_, _));
-  EXPECT_CALL(*event_interface_, OnSendFlowControlQuotaAdded(_));
+  EXPECT_CALL(*event_interface_, OnAddChannelResponse(_, _, _));
 
   EXPECT_CALL(*event_interface_,
               OnDropChannel(false, kWebSocketErrorAbnormalClosure, ""))
@@ -1580,8 +1565,7 @@ TEST_F(WebSocketChannelEventInterfaceTest, CloseWithNoPayloadGivesStatus1005) {
   stream->PrepareReadFramesError(ReadableFakeWebSocketStream::SYNC,
                                  ERR_CONNECTION_CLOSED);
   set_stream(std::move(stream));
-  EXPECT_CALL(*event_interface_, OnAddChannelResponse(_, _));
-  EXPECT_CALL(*event_interface_, OnSendFlowControlQuotaAdded(_));
+  EXPECT_CALL(*event_interface_, OnAddChannelResponse(_, _, _));
   EXPECT_CALL(*event_interface_, OnClosingHandshake());
   EXPECT_CALL(*event_interface_,
               OnDropChannel(true, kWebSocketErrorNoStatusReceived, _));
@@ -1599,8 +1583,7 @@ TEST_F(WebSocketChannelEventInterfaceTest,
   stream->PrepareReadFramesError(ReadableFakeWebSocketStream::SYNC,
                                  ERR_CONNECTION_CLOSED);
   set_stream(std::move(stream));
-  EXPECT_CALL(*event_interface_, OnAddChannelResponse(_, _));
-  EXPECT_CALL(*event_interface_, OnSendFlowControlQuotaAdded(_));
+  EXPECT_CALL(*event_interface_, OnAddChannelResponse(_, _, _));
   EXPECT_CALL(*event_interface_, OnClosingHandshake());
   EXPECT_CALL(*event_interface_,
               OnDropChannel(true, kWebSocketErrorNoStatusReceived, _));
@@ -1615,8 +1598,7 @@ TEST_F(WebSocketChannelEventInterfaceTest, SyncProtocolErrorGivesStatus1002) {
   stream->PrepareReadFramesError(ReadableFakeWebSocketStream::SYNC,
                                  ERR_WS_PROTOCOL_ERROR);
   set_stream(std::move(stream));
-  EXPECT_CALL(*event_interface_, OnAddChannelResponse(_, _));
-  EXPECT_CALL(*event_interface_, OnSendFlowControlQuotaAdded(_));
+  EXPECT_CALL(*event_interface_, OnAddChannelResponse(_, _, _));
 
   EXPECT_CALL(*event_interface_, OnFailChannel("Invalid frame header"));
 
@@ -1629,8 +1611,7 @@ TEST_F(WebSocketChannelEventInterfaceTest, AsyncProtocolErrorGivesStatus1002) {
   stream->PrepareReadFramesError(ReadableFakeWebSocketStream::ASYNC,
                                  ERR_WS_PROTOCOL_ERROR);
   set_stream(std::move(stream));
-  EXPECT_CALL(*event_interface_, OnAddChannelResponse(_, _));
-  EXPECT_CALL(*event_interface_, OnSendFlowControlQuotaAdded(_));
+  EXPECT_CALL(*event_interface_, OnAddChannelResponse(_, _, _));
   EXPECT_CALL(*event_interface_, OnFailChannel("Invalid frame header"));
 
   CreateChannelAndConnectSuccessfully();
@@ -1640,8 +1621,7 @@ TEST_F(WebSocketChannelEventInterfaceTest, AsyncProtocolErrorGivesStatus1002) {
 TEST_F(WebSocketChannelEventInterfaceTest, StartHandshakeRequest) {
   {
     InSequence s;
-    EXPECT_CALL(*event_interface_, OnAddChannelResponse(_, _));
-    EXPECT_CALL(*event_interface_, OnSendFlowControlQuotaAdded(_));
+    EXPECT_CALL(*event_interface_, OnAddChannelResponse(_, _, _));
     EXPECT_CALL(*event_interface_, OnStartOpeningHandshakeCalled());
   }
 
@@ -1658,8 +1638,7 @@ TEST_F(WebSocketChannelEventInterfaceTest, StartHandshakeRequest) {
 TEST_F(WebSocketChannelEventInterfaceTest, FinishHandshakeRequest) {
   {
     InSequence s;
-    EXPECT_CALL(*event_interface_, OnAddChannelResponse(_, _));
-    EXPECT_CALL(*event_interface_, OnSendFlowControlQuotaAdded(_));
+    EXPECT_CALL(*event_interface_, OnAddChannelResponse(_, _, _));
     EXPECT_CALL(*event_interface_, OnFinishOpeningHandshakeCalled());
   }
 
@@ -1711,8 +1690,7 @@ TEST_F(WebSocketChannelEventInterfaceTest, DataAfterCloseIsRejected) {
       {FINAL_FRAME, WebSocketFrameHeader::kOpCodeText, NOT_MASKED, "Payload"}};
   stream->PrepareReadFrames(ReadableFakeWebSocketStream::SYNC, OK, frames);
   set_stream(std::move(stream));
-  EXPECT_CALL(*event_interface_, OnAddChannelResponse(_, _));
-  EXPECT_CALL(*event_interface_, OnSendFlowControlQuotaAdded(_));
+  EXPECT_CALL(*event_interface_, OnAddChannelResponse(_, _, _));
 
   {
     InSequence s;
@@ -1732,8 +1710,7 @@ TEST_F(WebSocketChannelEventInterfaceTest, OneByteClosePayloadMessage) {
       {FINAL_FRAME, WebSocketFrameHeader::kOpCodeClose, NOT_MASKED, "\x03"}};
   stream->PrepareReadFrames(ReadableFakeWebSocketStream::SYNC, OK, frames);
   set_stream(std::move(stream));
-  EXPECT_CALL(*event_interface_, OnAddChannelResponse(_, _));
-  EXPECT_CALL(*event_interface_, OnSendFlowControlQuotaAdded(_));
+  EXPECT_CALL(*event_interface_, OnAddChannelResponse(_, _, _));
   EXPECT_CALL(
       *event_interface_,
       OnFailChannel(
@@ -1751,8 +1728,7 @@ TEST_F(WebSocketChannelEventInterfaceTest, ClosePayloadReservedStatusMessage) {
        NOT_MASKED,  CLOSE_DATA(ABNORMAL_CLOSURE, "Not valid on wire")}};
   stream->PrepareReadFrames(ReadableFakeWebSocketStream::SYNC, OK, frames);
   set_stream(std::move(stream));
-  EXPECT_CALL(*event_interface_, OnAddChannelResponse(_, _));
-  EXPECT_CALL(*event_interface_, OnSendFlowControlQuotaAdded(_));
+  EXPECT_CALL(*event_interface_, OnAddChannelResponse(_, _, _));
   EXPECT_CALL(
       *event_interface_,
       OnFailChannel(
@@ -1770,8 +1746,7 @@ TEST_F(WebSocketChannelEventInterfaceTest, ClosePayloadInvalidReason) {
        NOT_MASKED,  CLOSE_DATA(NORMAL_CLOSURE, "\xFF")}};
   stream->PrepareReadFrames(ReadableFakeWebSocketStream::SYNC, OK, frames);
   set_stream(std::move(stream));
-  EXPECT_CALL(*event_interface_, OnAddChannelResponse(_, _));
-  EXPECT_CALL(*event_interface_, OnSendFlowControlQuotaAdded(_));
+  EXPECT_CALL(*event_interface_, OnAddChannelResponse(_, _, _));
   EXPECT_CALL(
       *event_interface_,
       OnFailChannel(
@@ -1795,8 +1770,7 @@ TEST_F(WebSocketChannelEventInterfaceTest, ReservedBitsMustNotBeSet) {
   stream->PrepareRawReadFrames(ReadableFakeWebSocketStream::SYNC, OK,
                                std::move(raw_frames));
   set_stream(std::move(stream));
-  EXPECT_CALL(*event_interface_, OnAddChannelResponse(_, _));
-  EXPECT_CALL(*event_interface_, OnSendFlowControlQuotaAdded(_));
+  EXPECT_CALL(*event_interface_, OnAddChannelResponse(_, _, _));
   EXPECT_CALL(*event_interface_,
               OnFailChannel(
                   "One or more reserved bits are on: reserved1 = 1, "
@@ -1813,8 +1787,7 @@ TEST_F(WebSocketChannelEventInterfaceTest,
   stream->PrepareReadFramesError(ReadableFakeWebSocketStream::SYNC,
                                  ERR_IO_PENDING);
   set_stream(std::move(stream));
-  EXPECT_CALL(*event_interface_, OnAddChannelResponse(_, _));
-  EXPECT_CALL(*event_interface_, OnSendFlowControlQuotaAdded(_));
+  EXPECT_CALL(*event_interface_, OnAddChannelResponse(_, _, _));
   // This checkpoint object verifies that the OnDropChannel message comes after
   // the timeout.
   Checkpoint checkpoint;
@@ -1850,8 +1823,7 @@ TEST_F(WebSocketChannelEventInterfaceTest,
        NOT_MASKED,  CLOSE_DATA(NORMAL_CLOSURE, "OK")}};
   stream->PrepareReadFrames(ReadableFakeWebSocketStream::ASYNC, OK, frames);
   set_stream(std::move(stream));
-  EXPECT_CALL(*event_interface_, OnAddChannelResponse(_, _));
-  EXPECT_CALL(*event_interface_, OnSendFlowControlQuotaAdded(_));
+  EXPECT_CALL(*event_interface_, OnAddChannelResponse(_, _, _));
   Checkpoint checkpoint;
   TestClosure completion;
   {
@@ -1910,8 +1882,7 @@ TEST_F(WebSocketChannelEventInterfaceTest, SingleFrameMessage) {
   set_stream(std::move(stream));
   {
     InSequence s;
-    EXPECT_CALL(*event_interface_, OnAddChannelResponse(_, _));
-    EXPECT_CALL(*event_interface_, OnSendFlowControlQuotaAdded(_));
+    EXPECT_CALL(*event_interface_, OnAddChannelResponse(_, _, _));
     EXPECT_CALL(*event_interface_,
                 OnDataFrameVector(true, WebSocketFrameHeader::kOpCodeText,
                                   AsVector("FOUR")));
@@ -1933,8 +1904,7 @@ TEST_F(WebSocketChannelEventInterfaceTest, EmptyMessage) {
   set_stream(std::move(stream));
   {
     InSequence s;
-    EXPECT_CALL(*event_interface_, OnAddChannelResponse(_, _));
-    EXPECT_CALL(*event_interface_, OnSendFlowControlQuotaAdded(_));
+    EXPECT_CALL(*event_interface_, OnAddChannelResponse(_, _, _));
     EXPECT_CALL(*event_interface_,
                 OnDataFrameVector(true, WebSocketFrameHeader::kOpCodeText,
                                   AsVector("FIRST MESSAGE")));
@@ -1968,8 +1938,7 @@ TEST_F(WebSocketChannelEventInterfaceTest,
   set_stream(std::move(stream));
   Checkpoint checkpoint;
   InSequence s;
-  EXPECT_CALL(*event_interface_, OnAddChannelResponse(_, _));
-  EXPECT_CALL(*event_interface_, OnSendFlowControlQuotaAdded(_));
+  EXPECT_CALL(*event_interface_, OnAddChannelResponse(_, _, _));
   EXPECT_CALL(*event_interface_, HasPendingDataFrames()).WillOnce(Return(true));
   EXPECT_CALL(checkpoint, Call(1));
   EXPECT_CALL(*event_interface_, HasPendingDataFrames())
@@ -2369,8 +2338,7 @@ TEST_F(WebSocketChannelEventInterfaceTest, ReadBinaryFramesAre8BitClean) {
   stream->PrepareRawReadFrames(ReadableFakeWebSocketStream::SYNC, OK,
                                std::move(frames));
   set_stream(std::move(stream));
-  EXPECT_CALL(*event_interface_, OnAddChannelResponse(_, _));
-  EXPECT_CALL(*event_interface_, OnSendFlowControlQuotaAdded(_));
+  EXPECT_CALL(*event_interface_, OnAddChannelResponse(_, _, _));
   EXPECT_CALL(
       *event_interface_,
       OnDataFrameVector(
@@ -2485,9 +2453,8 @@ TEST_F(WebSocketChannelEventInterfaceTest, ReceivedInvalidUtf8) {
   stream->PrepareReadFrames(ReadableFakeWebSocketStream::SYNC, OK, frames);
   set_stream(std::move(stream));
 
-  EXPECT_CALL(*event_interface_, OnAddChannelResponse(_, _));
   EXPECT_CALL(*event_interface_,
-              OnSendFlowControlQuotaAdded(kDefaultInitialQuota));
+              OnAddChannelResponse(_, _, kDefaultInitialQuota));
   EXPECT_CALL(*event_interface_,
               OnFailChannel("Could not decode a text frame as UTF-8."));
 
@@ -2675,9 +2642,8 @@ TEST_F(WebSocketChannelEventInterfaceTest, BogusContinuation) {
   stream->PrepareReadFrames(ReadableFakeWebSocketStream::SYNC, OK, frames);
   set_stream(std::move(stream));
 
-  EXPECT_CALL(*event_interface_, OnAddChannelResponse(_, _));
   EXPECT_CALL(*event_interface_,
-              OnSendFlowControlQuotaAdded(kDefaultInitialQuota));
+              OnAddChannelResponse(_, _, kDefaultInitialQuota));
   EXPECT_CALL(*event_interface_,
               OnDataFrameVector(false, WebSocketFrameHeader::kOpCodeBinary,
                                 AsVector("frame1")));
@@ -2698,9 +2664,8 @@ TEST_F(WebSocketChannelEventInterfaceTest, MessageStartingWithContinuation) {
   stream->PrepareReadFrames(ReadableFakeWebSocketStream::SYNC, OK, frames);
   set_stream(std::move(stream));
 
-  EXPECT_CALL(*event_interface_, OnAddChannelResponse(_, _));
   EXPECT_CALL(*event_interface_,
-              OnSendFlowControlQuotaAdded(kDefaultInitialQuota));
+              OnAddChannelResponse(_, _, kDefaultInitialQuota));
   EXPECT_CALL(*event_interface_,
               OnFailChannel("Received unexpected continuation frame."));
 
@@ -2719,9 +2684,8 @@ TEST_F(WebSocketChannelEventInterfaceTest, DataFramesNonEmptyOrFinal) {
   stream->PrepareReadFrames(ReadableFakeWebSocketStream::SYNC, OK, frames);
   set_stream(std::move(stream));
 
-  EXPECT_CALL(*event_interface_, OnAddChannelResponse(_, _));
   EXPECT_CALL(*event_interface_,
-              OnSendFlowControlQuotaAdded(kDefaultInitialQuota));
+              OnAddChannelResponse(_, _, kDefaultInitialQuota));
   EXPECT_CALL(
       *event_interface_,
       OnDataFrameVector(true, WebSocketFrameHeader::kOpCodeText, AsVector("")));
diff --git a/chromium/net/websockets/websocket_deflater.cc b/chromium/net/websockets/websocket_deflater.cc
index e79926c7e7e..459b84c0c59 100644
--- a/chromium/net/websockets/websocket_deflater.cc
+++ b/chromium/net/websockets/websocket_deflater.cc
@@ -138,11 +138,12 @@ void WebSocketDeflater::ResetContext() {
 int WebSocketDeflater::Deflate(int flush) {
   int result = Z_OK;
   do {
-    stream_->next_out = reinterpret_cast<Bytef*>(&fixed_buffer_[0]);
+    stream_->next_out = reinterpret_cast<Bytef*>(fixed_buffer_.data());
     stream_->avail_out = fixed_buffer_.size();
     result = deflate(stream_.get(), flush);
     size_t size = fixed_buffer_.size() - stream_->avail_out;
-    buffer_.insert(buffer_.end(), &fixed_buffer_[0], &fixed_buffer_[0] + size);
+    buffer_.insert(buffer_.end(), fixed_buffer_.data(),
+                   fixed_buffer_.data() + size);
   } while (result == Z_OK);
   return result;
 }
diff --git a/chromium/net/websockets/websocket_end_to_end_test.cc b/chromium/net/websockets/websocket_end_to_end_test.cc
index 4f29a1d1b62..d45f572985a 100644
--- a/chromium/net/websockets/websocket_end_to_end_test.cc
+++ b/chromium/net/websockets/websocket_end_to_end_test.cc
@@ -97,7 +97,8 @@ class ConnectTestingEventInterface : public WebSocketEventInterface {
   void OnCreateURLRequest(URLRequest* request) override {}
 
   void OnAddChannelResponse(const std::string& selected_subprotocol,
-                            const std::string& extensions) override;
+                            const std::string& extensions,
+                            int64_t send_flow_control_quota) override;
 
   void OnDataFrame(bool fin,
                    WebSocketMessageType type,
@@ -168,7 +169,8 @@ std::string ConnectTestingEventInterface::extensions() const {
 
 void ConnectTestingEventInterface::OnAddChannelResponse(
     const std::string& selected_subprotocol,
-    const std::string& extensions) {
+    const std::string& extensions,
+    int64_t send_flow_control_quota) {
   selected_subprotocol_ = selected_subprotocol;
   extensions_ = extensions;
   QuitNestedEventLoop();
@@ -293,11 +295,13 @@ class WebSocketEndToEndTest : public TestWithTaskEnvironment {
     }
     url::Origin origin = url::Origin::Create(GURL("http://localhost"));
     GURL site_for_cookies("http://localhost/");
+    net::NetworkIsolationKey network_isolation_key(origin, origin);
     event_interface_ = new ConnectTestingEventInterface();
     channel_ = std::make_unique<WebSocketChannel>(
         base::WrapUnique(event_interface_), &context_);
     channel_->SendAddChannelRequest(GURL(socket_url), sub_protocols_, origin,
-                                    site_for_cookies, HttpRequestHeaders());
+                                    site_for_cookies, network_isolation_key,
+                                    HttpRequestHeaders());
     event_interface_->WaitForResponse();
     return !event_interface_->failed();
   }
@@ -461,10 +465,9 @@ TEST_F(WebSocketEndToEndTest, MAYBE_ProxyPacUsed) {
   proxy_config.set_pac_mandatory(true);
   auto proxy_config_service = std::make_unique<ProxyConfigServiceFixed>(
       ProxyConfigWithAnnotation(proxy_config, TRAFFIC_ANNOTATION_FOR_TESTS));
-  NetLog net_log;
   std::unique_ptr<ProxyResolutionService> proxy_resolution_service(
       ProxyResolutionService::CreateUsingSystemProxyResolver(
-          std::move(proxy_config_service), &net_log));
+          std::move(proxy_config_service), NetLog::Get()));
   ASSERT_EQ(ws_server.host_port_pair().host(), "127.0.0.1");
   context_.set_proxy_resolution_service(proxy_resolution_service.get());
   InitialiseContext();
diff --git a/chromium/net/websockets/websocket_event_interface.h b/chromium/net/websockets/websocket_event_interface.h
index 39f60c828a7..107b0a13386 100644
--- a/chromium/net/websockets/websocket_event_interface.h
+++ b/chromium/net/websockets/websocket_event_interface.h
@@ -46,7 +46,8 @@ class NET_EXPORT WebSocketEventInterface {
   // Called in response to an AddChannelRequest. This means that a response has
   // been received from the remote server.
   virtual void OnAddChannelResponse(const std::string& selected_subprotocol,
-                                    const std::string& extensions) = 0;
+                                    const std::string& extensions,
+                                    int64_t send_flow_control_quota) = 0;
 
   // Called when a data frame has been received from the remote host and needs
   // to be forwarded to the renderer process.
diff --git a/chromium/net/websockets/websocket_frame_parser_test.cc b/chromium/net/websockets/websocket_frame_parser_test.cc
index 2ae986b3fe1..32eba4b4f0b 100644
--- a/chromium/net/websockets/websocket_frame_parser_test.cc
+++ b/chromium/net/websockets/websocket_frame_parser_test.cc
@@ -141,7 +141,7 @@ TEST(WebSocketFrameParserTest, DecodeManyFrames) {
   WebSocketFrameParser parser;
 
   std::vector<std::unique_ptr<WebSocketFrameChunk>> frames;
-  EXPECT_TRUE(parser.Decode(&input.front(), input.size(), &frames));
+  EXPECT_TRUE(parser.Decode(input.data(), input.size(), &frames));
   EXPECT_EQ(kWebSocketNormalClosure, parser.websocket_error());
   ASSERT_EQ(static_cast<size_t>(kNumInputs), frames.size());
 
@@ -333,7 +333,7 @@ TEST(WebSocketFrameParserTest, DecodeFramesOfVariousLengths) {
 
     std::vector<std::unique_ptr<WebSocketFrameChunk>> frames;
     EXPECT_EQ(kFrameHeaderTests[i].error_code == kWebSocketNormalClosure,
-              parser.Decode(&input.front(), input.size(), &frames));
+              parser.Decode(input.data(), input.size(), &frames));
     EXPECT_EQ(kFrameHeaderTests[i].error_code, parser.websocket_error());
     if (kFrameHeaderTests[i].error_code != kWebSocketNormalClosure) {
       EXPECT_EQ(0u, frames.size());
diff --git a/chromium/net/websockets/websocket_frame_perftest.cc b/chromium/net/websockets/websocket_frame_perftest.cc
index 7321046b16f..5c31b1c1fd1 100644
--- a/chromium/net/websockets/websocket_frame_perftest.cc
+++ b/chromium/net/websockets/websocket_frame_perftest.cc
@@ -47,8 +47,8 @@ class WebSocketFrameTestMaskBenchmark : public ::testing::Test {
     auto reporter = SetUpWebSocketFrameMaskReporter(story);
     base::ElapsedTimer timer;
     for (int x = 0; x < kIterations; ++x) {
-      MaskWebSocketFramePayload(
-          masking_key, x % size, &scratch.front(), scratch.size());
+      MaskWebSocketFramePayload(masking_key, x % size, scratch.data(),
+                                scratch.size());
     }
     reporter.AddResult(kMetricMaskTimeMs, timer.Elapsed().InMillisecondsF());
   }
@@ -61,7 +61,7 @@ TEST_F(WebSocketFrameTestMaskBenchmark, BenchmarkMaskShortPayload) {
 
 TEST_F(WebSocketFrameTestMaskBenchmark, BenchmarkMaskLongPayload) {
   std::vector<char> payload(kLongPayloadSize, 'a');
-  Benchmark("long_payload", &payload.front(), payload.size());
+  Benchmark("long_payload", payload.data(), payload.size());
 }
 
 // A 31-byte payload is guaranteed to do 7 byte mask operations and 3 vector
@@ -69,7 +69,7 @@ TEST_F(WebSocketFrameTestMaskBenchmark, BenchmarkMaskLongPayload) {
 // back to the byte-only code path and do 31 byte mask operations.
 TEST_F(WebSocketFrameTestMaskBenchmark, Benchmark31BytePayload) {
   std::vector<char> payload(31, 'a');
-  Benchmark("31_payload", &payload.front(), payload.size());
+  Benchmark("31_payload", payload.data(), payload.size());
 }
 
 }  // namespace
diff --git a/chromium/net/websockets/websocket_frame_test.cc b/chromium/net/websockets/websocket_frame_test.cc
index 918415540b9..d2cf0feab2d 100644
--- a/chromium/net/websockets/websocket_frame_test.cc
+++ b/chromium/net/websockets/websocket_frame_test.cc
@@ -44,7 +44,7 @@ TEST(WebSocketFrameHeaderTest, FrameLengths) {
         kTests[i].frame_header + kTests[i].frame_header_length);
     std::vector<char> output(expected_output.size());
     EXPECT_EQ(static_cast<int>(expected_output.size()),
-              WriteWebSocketFrameHeader(header, nullptr, &output.front(),
+              WriteWebSocketFrameHeader(header, nullptr, output.data(),
                                         output.size()));
     EXPECT_EQ(expected_output, output);
   }
@@ -89,8 +89,8 @@ TEST(WebSocketFrameHeaderTest, FrameLengthsWithMasking) {
         kTests[i].frame_header + kTests[i].frame_header_length);
     std::vector<char> output(expected_output.size());
     EXPECT_EQ(static_cast<int>(expected_output.size()),
-              WriteWebSocketFrameHeader(
-                  header, &masking_key, &output.front(), output.size()));
+              WriteWebSocketFrameHeader(header, &masking_key, output.data(),
+                                        output.size()));
     EXPECT_EQ(expected_output, output);
   }
 }
@@ -132,7 +132,7 @@ TEST(WebSocketFrameHeaderTest, FrameOpCodes) {
         kTests[i].frame_header + kTests[i].frame_header_length);
     std::vector<char> output(expected_output.size());
     EXPECT_EQ(static_cast<int>(expected_output.size()),
-              WriteWebSocketFrameHeader(header, nullptr, &output.front(),
+              WriteWebSocketFrameHeader(header, nullptr, output.data(),
                                         output.size()));
     EXPECT_EQ(expected_output, output);
   }
@@ -171,7 +171,7 @@ TEST(WebSocketFrameHeaderTest, FinalBitAndReservedBits) {
         kTests[i].frame_header + kTests[i].frame_header_length);
     std::vector<char> output(expected_output.size());
     EXPECT_EQ(static_cast<int>(expected_output.size()),
-              WriteWebSocketFrameHeader(header, nullptr, &output.front(),
+              WriteWebSocketFrameHeader(header, nullptr, output.data(),
                                         output.size()));
     EXPECT_EQ(expected_output, output);
   }
@@ -246,9 +246,9 @@ TEST(WebSocketFrameTest, MaskPayload) {
                                  kTests[i].input + kTests[i].data_length);
     std::vector<char> expected_output(kTests[i].output,
                                       kTests[i].output + kTests[i].data_length);
-    MaskWebSocketFramePayload(
-        masking_key, kTests[i].frame_offset,
-        frame_data.empty() ? nullptr : &frame_data.front(), frame_data.size());
+    MaskWebSocketFramePayload(masking_key, kTests[i].frame_offset,
+                              frame_data.empty() ? nullptr : frame_data.data(),
+                              frame_data.size());
     EXPECT_EQ(expected_output, frame_data);
   }
 }
diff --git a/chromium/net/websockets/websocket_handshake_stream_create_helper_test.cc b/chromium/net/websockets/websocket_handshake_stream_create_helper_test.cc
index 9ab35ee2ea1..3423b38a409 100644
--- a/chromium/net/websockets/websocket_handshake_stream_create_helper_test.cc
+++ b/chromium/net/websockets/websocket_handshake_stream_create_helper_test.cc
@@ -300,7 +300,7 @@ class WebSocketHandshakeStreamCreateHelperTest
   WebSocketEndpointLockManager websocket_endpoint_lock_manager_;
 };
 
-INSTANTIATE_TEST_SUITE_P(,
+INSTANTIATE_TEST_SUITE_P(All,
                          WebSocketHandshakeStreamCreateHelperTest,
                          Values(BASIC_HANDSHAKE_STREAM,
                                 HTTP2_HANDSHAKE_STREAM));
diff --git a/chromium/net/websockets/websocket_inflater_test.cc b/chromium/net/websockets/websocket_inflater_test.cc
index 75c74edc40e..29c92c000e8 100644
--- a/chromium/net/websockets/websocket_inflater_test.cc
+++ b/chromium/net/websockets/websocket_inflater_test.cc
@@ -195,7 +195,7 @@ TEST(WebSocketInflaterTest, LargeRandomDeflateInflate) {
   for (size_t i = 0; i < size; ++i)
     input.push_back(static_cast<char>(generator.Generate()));
 
-  ASSERT_TRUE(deflater.AddBytes(&input[0], input.size()));
+  ASSERT_TRUE(deflater.AddBytes(input.data(), input.size()));
   ASSERT_TRUE(deflater.Finish());
 
   compressed = deflater.GetOutput(deflater.CurrentOutputSize());
diff --git a/chromium/net/websockets/websocket_stream.cc b/chromium/net/websockets/websocket_stream.cc
index a92bcccf3dd..a40c60da15b 100644
--- a/chromium/net/websockets/websocket_stream.cc
+++ b/chromium/net/websockets/websocket_stream.cc
@@ -114,6 +114,7 @@ class WebSocketStreamRequestImpl : public WebSocketStreamRequestAPI {
       const URLRequestContext* context,
       const url::Origin& origin,
       const GURL& site_for_cookies,
+      const net::NetworkIsolationKey& network_isolation_key,
       const HttpRequestHeaders& additional_headers,
       std::unique_ptr<WebSocketStream::ConnectDelegate> connect_delegate,
       std::unique_ptr<WebSocketStreamRequestAPI> api_delegate)
@@ -140,6 +141,7 @@ class WebSocketStreamRequestImpl : public WebSocketStreamRequestAPI {
     url_request_->SetExtraRequestHeaders(headers);
     url_request_->set_initiator(origin);
     url_request_->set_site_for_cookies(site_for_cookies);
+    url_request_->set_network_isolation_key(network_isolation_key);
 
     auto create_helper = std::make_unique<WebSocketHandshakeStreamCreateHelper>(
         connect_delegate_.get(), requested_subprotocols, this);
@@ -470,14 +472,15 @@ std::unique_ptr<WebSocketStreamRequest> WebSocketStream::CreateAndConnectStream(
     const std::vector<std::string>& requested_subprotocols,
     const url::Origin& origin,
     const GURL& site_for_cookies,
+    const net::NetworkIsolationKey& network_isolation_key,
     const HttpRequestHeaders& additional_headers,
     URLRequestContext* url_request_context,
     const NetLogWithSource& net_log,
     std::unique_ptr<ConnectDelegate> connect_delegate) {
   auto request = std::make_unique<WebSocketStreamRequestImpl>(
       socket_url, requested_subprotocols, url_request_context, origin,
-      site_for_cookies, additional_headers, std::move(connect_delegate),
-      nullptr);
+      site_for_cookies, network_isolation_key, additional_headers,
+      std::move(connect_delegate), nullptr);
   request->Start(std::make_unique<base::OneShotTimer>());
   return std::move(request);
 }
@@ -488,6 +491,7 @@ WebSocketStream::CreateAndConnectStreamForTesting(
     const std::vector<std::string>& requested_subprotocols,
     const url::Origin& origin,
     const GURL& site_for_cookies,
+    const net::NetworkIsolationKey& network_isolation_key,
     const HttpRequestHeaders& additional_headers,
     URLRequestContext* url_request_context,
     const NetLogWithSource& net_log,
@@ -496,8 +500,8 @@ WebSocketStream::CreateAndConnectStreamForTesting(
     std::unique_ptr<WebSocketStreamRequestAPI> api_delegate) {
   auto request = std::make_unique<WebSocketStreamRequestImpl>(
       socket_url, requested_subprotocols, url_request_context, origin,
-      site_for_cookies, additional_headers, std::move(connect_delegate),
-      std::move(api_delegate));
+      site_for_cookies, network_isolation_key, additional_headers,
+      std::move(connect_delegate), std::move(api_delegate));
   request->Start(std::move(timer));
   return std::move(request);
 }
diff --git a/chromium/net/websockets/websocket_stream.h b/chromium/net/websockets/websocket_stream.h
index e3fdfef892e..6cc0c146795 100644
--- a/chromium/net/websockets/websocket_stream.h
+++ b/chromium/net/websockets/websocket_stream.h
@@ -16,6 +16,7 @@
 #include "base/time/time.h"
 #include "net/base/completion_once_callback.h"
 #include "net/base/net_export.h"
+#include "net/base/network_isolation_key.h"
 #include "net/websockets/websocket_event_interface.h"
 #include "net/websockets/websocket_handshake_request_info.h"
 #include "net/websockets/websocket_handshake_response_info.h"
@@ -154,6 +155,7 @@ class NET_EXPORT_PRIVATE WebSocketStream {
       const std::vector<std::string>& requested_subprotocols,
       const url::Origin& origin,
       const GURL& site_for_cookies,
+      const net::NetworkIsolationKey& network_isolation_key,
       const HttpRequestHeaders& additional_headers,
       URLRequestContext* url_request_context,
       const NetLogWithSource& net_log,
@@ -169,6 +171,7 @@ class NET_EXPORT_PRIVATE WebSocketStream {
       const std::vector<std::string>& requested_subprotocols,
       const url::Origin& origin,
       const GURL& site_for_cookies,
+      const net::NetworkIsolationKey& network_isolation_key,
       const HttpRequestHeaders& additional_headers,
       URLRequestContext* url_request_context,
       const NetLogWithSource& net_log,
diff --git a/chromium/net/websockets/websocket_stream_cookie_test.cc b/chromium/net/websockets/websocket_stream_cookie_test.cc
index 463883978bc..b5b5727c6b5 100644
--- a/chromium/net/websockets/websocket_stream_cookie_test.cc
+++ b/chromium/net/websockets/websocket_stream_cookie_test.cc
@@ -38,6 +38,7 @@ class TestBase : public WebSocketStreamCreateTestBase {
   void CreateAndConnect(const GURL& url,
                         const url::Origin& origin,
                         const GURL& site_for_cookies,
+                        const net::NetworkIsolationKey& network_isolation_key,
                         const std::string& cookie_header,
                         const std::string& response_body) {
     // We assume cookie_header ends with CRLF if not empty, as
@@ -52,7 +53,8 @@ class TestBase : public WebSocketStreamCreateTestBase {
                                             std::string()),
         response_body);
     CreateAndConnectStream(url, NoSubProtocols(), origin, site_for_cookies,
-                           HttpRequestHeaders(), nullptr);
+                           network_isolation_key, HttpRequestHeaders(),
+                           nullptr);
   }
 
   std::string AddCRLFIfNotEmpty(const std::string& s) {
@@ -141,6 +143,7 @@ TEST_P(WebSocketStreamClientUseCookieTest, ClientUseCookie) {
   const url::Origin origin =
       url::Origin::Create(GURL("http://www.example.com"));
   const GURL site_for_cookies("http://www.example.com/");
+  const net::NetworkIsolationKey network_isolation_key(origin, origin);
   const std::string cookie_line(GetParam().cookie_line);
   const std::string cookie_header(AddCRLFIfNotEmpty(GetParam().cookie_header));
 
@@ -154,7 +157,8 @@ TEST_P(WebSocketStreamClientUseCookieTest, ClientUseCookie) {
       CanonicalCookie::Create(cookie_url, cookie_line, base::Time::Now(),
                               base::nullopt /* server_time */);
   store->SetCanonicalCookieAsync(
-      std::move(cookie), cookie_url.scheme(), CookieOptions(),
+      std::move(cookie), cookie_url.scheme(),
+      net::CookieOptions::MakeAllInclusive(),
       base::BindOnce(&SetCookieHelperFunction, run_loop.QuitClosure(),
                      weak_is_called.GetWeakPtr(),
                      weak_set_cookie_result.GetWeakPtr()));
@@ -162,8 +166,8 @@ TEST_P(WebSocketStreamClientUseCookieTest, ClientUseCookie) {
   ASSERT_TRUE(is_called);
   ASSERT_TRUE(set_cookie_result);
 
-  CreateAndConnect(url, origin, site_for_cookies, cookie_header,
-                   WebSocketStandardResponse(""));
+  CreateAndConnect(url, origin, site_for_cookies, network_isolation_key,
+                   cookie_header, WebSocketStandardResponse(""));
   WaitUntilConnectDone();
   EXPECT_FALSE(has_failed());
 }
@@ -178,6 +182,7 @@ TEST_P(WebSocketStreamServerSetCookieTest, ServerSetCookie) {
   const url::Origin origin =
       url::Origin::Create(GURL("http://www.example.com"));
   const GURL site_for_cookies("http://www.example.com/");
+  const net::NetworkIsolationKey network_isolation_key(origin, origin);
   const std::string cookie_line(GetParam().cookie_line);
   const std::string cookie_header(AddCRLFIfNotEmpty(GetParam().cookie_header));
 
@@ -193,7 +198,8 @@ TEST_P(WebSocketStreamServerSetCookieTest, ServerSetCookie) {
   CookieStore* store =
       url_request_context_host_.GetURLRequestContext()->cookie_store();
 
-  CreateAndConnect(url, origin, site_for_cookies, "", response);
+  CreateAndConnect(url, origin, site_for_cookies, network_isolation_key, "",
+                   response);
   WaitUntilConnectDone();
   EXPECT_FALSE(has_failed());
 
@@ -204,7 +210,7 @@ TEST_P(WebSocketStreamServerSetCookieTest, ServerSetCookie) {
       &get_cookie_list_result);
   base::RunLoop run_loop;
   store->GetCookieListWithOptionsAsync(
-      cookie_url, CookieOptions(),
+      cookie_url, net::CookieOptions::MakeAllInclusive(),
       base::BindOnce(&GetCookieListHelperFunction, run_loop.QuitClosure(),
                      weak_is_called.GetWeakPtr(),
                      weak_get_cookie_list_result.GetWeakPtr()));
diff --git a/chromium/net/websockets/websocket_stream_create_test_base.cc b/chromium/net/websockets/websocket_stream_create_test_base.cc
index dd5aaa9564c..ac22e69b245 100644
--- a/chromium/net/websockets/websocket_stream_create_test_base.cc
+++ b/chromium/net/websockets/websocket_stream_create_test_base.cc
@@ -98,13 +98,15 @@ void WebSocketStreamCreateTestBase::CreateAndConnectStream(
     const std::vector<std::string>& sub_protocols,
     const url::Origin& origin,
     const GURL& site_for_cookies,
+    const net::NetworkIsolationKey& network_isolation_key,
     const HttpRequestHeaders& additional_headers,
     std::unique_ptr<base::OneShotTimer> timer) {
   auto connect_delegate = std::make_unique<TestConnectDelegate>(
       this, connect_run_loop_.QuitClosure());
   auto api_delegate = std::make_unique<TestWebSocketStreamRequestAPI>();
   stream_request_ = WebSocketStream::CreateAndConnectStreamForTesting(
-      socket_url, sub_protocols, origin, site_for_cookies, additional_headers,
+      socket_url, sub_protocols, origin, site_for_cookies,
+      network_isolation_key, additional_headers,
       url_request_context_host_.GetURLRequestContext(), NetLogWithSource(),
       std::move(connect_delegate),
       timer ? std::move(timer) : std::make_unique<base::OneShotTimer>(),
diff --git a/chromium/net/websockets/websocket_stream_create_test_base.h b/chromium/net/websockets/websocket_stream_create_test_base.h
index c799ba0f766..6ceee89c172 100644
--- a/chromium/net/websockets/websocket_stream_create_test_base.h
+++ b/chromium/net/websockets/websocket_stream_create_test_base.h
@@ -40,12 +40,14 @@ class WebSocketStreamCreateTestBase : public WithTaskEnvironment {
 
   // A wrapper for CreateAndConnectStreamForTesting that knows about our default
   // parameters.
-  void CreateAndConnectStream(const GURL& socket_url,
-                              const std::vector<std::string>& sub_protocols,
-                              const url::Origin& origin,
-                              const GURL& site_for_cookies,
-                              const HttpRequestHeaders& additional_headers,
-                              std::unique_ptr<base::OneShotTimer> timer);
+  void CreateAndConnectStream(
+      const GURL& socket_url,
+      const std::vector<std::string>& sub_protocols,
+      const url::Origin& origin,
+      const GURL& site_for_cookies,
+      const net::NetworkIsolationKey& network_isolation_key,
+      const HttpRequestHeaders& additional_headers,
+      std::unique_ptr<base::OneShotTimer> timer);
 
   static std::vector<HeaderKeyValuePair> RequestHeadersToVector(
       const HttpRequestHeaders& headers);
diff --git a/chromium/net/websockets/websocket_stream_test.cc b/chromium/net/websockets/websocket_stream_test.cc
index 1b77f05d462..573c4e925b4 100644
--- a/chromium/net/websockets/websocket_stream_test.cc
+++ b/chromium/net/websockets/websocket_stream_test.cc
@@ -86,7 +86,14 @@ static url::Origin Origin() {
 }
 
 static GURL SiteForCookies() {
-  return GURL("http://www.example.org/foobar");
+  return GURL(kOrigin);
+}
+
+static net::NetworkIsolationKey CreateNetworkIsolationKey() {
+  // Top frame origin can be different but currently not testing in a
+  // third-party context so using the same kOrigin.
+  url::Origin top_frame_origin = url::Origin::Create(GURL(kOrigin));
+  return net::NetworkIsolationKey(top_frame_origin, Origin());
 }
 
 class WebSocketStreamCreateTest : public TestWithParam<HandshakeStreamType>,
@@ -158,7 +165,7 @@ class WebSocketStreamCreateTest : public TestWithParam<HandshakeStreamType>,
               WebSocketExtraHeadersToString(extra_response_headers)) +
               additional_data_);
       CreateAndConnectStream(socket_url, sub_protocols, Origin(),
-                             SiteForCookies(),
+                             SiteForCookies(), CreateNetworkIsolationKey(),
                              WebSocketExtraHeadersToHttpRequestHeaders(
                                  send_additional_request_headers),
                              std::move(timer_));
@@ -190,6 +197,8 @@ class WebSocketStreamCreateTest : public TestWithParam<HandshakeStreamType>,
     write_settings[spdy::SETTINGS_MAX_CONCURRENT_STREAMS] =
         kSpdyMaxConcurrentPushedStreams;
     write_settings[spdy::SETTINGS_INITIAL_WINDOW_SIZE] = 6 * 1024 * 1024;
+    write_settings[spdy::SETTINGS_MAX_HEADER_LIST_SIZE] =
+        kSpdyMaxHeaderListSize;
     frames_.push_back(spdy_util_.ConstructSpdySettings(write_settings));
     AddWrite(&frames_.back());
 
@@ -291,7 +300,7 @@ class WebSocketStreamCreateTest : public TestWithParam<HandshakeStreamType>,
     EXPECT_FALSE(request->is_pending());
 
     CreateAndConnectStream(socket_url, sub_protocols, Origin(),
-                           SiteForCookies(),
+                           SiteForCookies(), CreateNetworkIsolationKey(),
                            WebSocketExtraHeadersToHttpRequestHeaders(
                                send_additional_request_headers),
                            std::move(timer_));
@@ -318,7 +327,7 @@ class WebSocketStreamCreateTest : public TestWithParam<HandshakeStreamType>,
             WebSocketExtraHeadersToString(extra_request_headers)),
         response_body);
     CreateAndConnectStream(socket_url, sub_protocols, Origin(),
-                           SiteForCookies(),
+                           SiteForCookies(), CreateNetworkIsolationKey(),
                            WebSocketExtraHeadersToHttpRequestHeaders(
                                send_additional_request_headers),
                            nullptr);
@@ -341,7 +350,8 @@ class WebSocketStreamCreateTest : public TestWithParam<HandshakeStreamType>,
         WebSocketStandardRequest(socket_path, socket_host, Origin(), "", ""),
         WebSocketStandardResponse(extra_response_headers));
     CreateAndConnectStream(socket_url, sub_protocols, Origin(),
-                           SiteForCookies(), HttpRequestHeaders(), nullptr);
+                           SiteForCookies(), CreateNetworkIsolationKey(),
+                           HttpRequestHeaders(), nullptr);
   }
 
   // Like CreateAndConnectStandard(), but take raw mock data.
@@ -354,7 +364,8 @@ class WebSocketStreamCreateTest : public TestWithParam<HandshakeStreamType>,
 
     AddRawExpectations(std::move(socket_data));
     CreateAndConnectStream(GURL(url), sub_protocols, Origin(), SiteForCookies(),
-                           additional_headers, std::move(timer_));
+                           CreateNetworkIsolationKey(), additional_headers,
+                           std::move(timer_));
   }
 
  private:
@@ -389,13 +400,13 @@ class WebSocketStreamCreateTest : public TestWithParam<HandshakeStreamType>,
   std::vector<MockWrite> writes_;
 };
 
-INSTANTIATE_TEST_SUITE_P(,
+INSTANTIATE_TEST_SUITE_P(All,
                          WebSocketStreamCreateTest,
                          Values(BASIC_HANDSHAKE_STREAM));
 
 using WebSocketMultiProtocolStreamCreateTest = WebSocketStreamCreateTest;
 
-INSTANTIATE_TEST_SUITE_P(,
+INSTANTIATE_TEST_SUITE_P(All,
                          WebSocketMultiProtocolStreamCreateTest,
                          Values(BASIC_HANDSHAKE_STREAM,
                                 HTTP2_HANDSHAKE_STREAM));
@@ -418,7 +429,7 @@ class WebSocketStreamCreateExtensionTest
   }
 };
 
-INSTANTIATE_TEST_SUITE_P(,
+INSTANTIATE_TEST_SUITE_P(All,
                          WebSocketStreamCreateExtensionTest,
                          Values(BASIC_HANDSHAKE_STREAM,
                                 HTTP2_HANDSHAKE_STREAM));
@@ -500,7 +511,7 @@ class WebSocketStreamCreateBasicAuthTest : public WebSocketStreamCreateTest {
   CommonAuthTestHelper helper_;
 };
 
-INSTANTIATE_TEST_SUITE_P(,
+INSTANTIATE_TEST_SUITE_P(All,
                          WebSocketStreamCreateBasicAuthTest,
                          Values(BASIC_HANDSHAKE_STREAM));
 
@@ -512,7 +523,7 @@ class WebSocketStreamCreateDigestAuthTest : public WebSocketStreamCreateTest {
   CommonAuthTestHelper helper_;
 };
 
-INSTANTIATE_TEST_SUITE_P(,
+INSTANTIATE_TEST_SUITE_P(All,
                          WebSocketStreamCreateDigestAuthTest,
                          Values(BASIC_HANDSHAKE_STREAM));
author	Allan Sandfeld Jensen <allan.jensen@qt.io>	2020-03-11 11:32:04 +0100
committer	Allan Sandfeld Jensen <allan.jensen@qt.io>	2020-03-18 13:40:17 +0000
commit	31ccca0778db85c159634478b4ec7997f6704860 (patch)
tree	3d33fc3afd9d5ec95541e1bbe074a9cf8da12a0e /chromium/net
parent	248b70b82a40964d5594eb04feca0fa36716185d (diff)
download	qtwebengine-chromium-31ccca0778db85c159634478b4ec7997f6704860.tar.gz